Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

App parser kill switch #1788

Merged
merged 7 commits into from Dec 4, 2017
Merged

App parser kill switch #1788

merged 7 commits into from Dec 4, 2017

Conversation

bazsi
Copy link
Collaborator

@bazsi bazsi commented Dec 1, 2017

This patch implements auto-parse(yes/no) option into

  • the app-paser()
  • and through the use of VARARGS system() and default-network-drivers()

this was requested by @czanik

@bazsi
cfg-parser: add cfg_process_yesno function
fc445b3 
The role of this function is to mimic the yes/no parsing as done
in the configuration file, from non-grammar contexts. (e.g. anywhere
we get this parameter as a string).

Signed-off-by: Balazs Scheidler <balazs.scheidler@balabit.com>
@bazsi
cfg-args: add extract __VARARGS__ formatting into cfg-args
cf96879 
This patch extracts the code that formats the __VARARGS__ special variable
from cfg-block into cfg-args, making it possible to use from other
contexts.


Signed-off-by: Balazs Scheidler <balazs.scheidler@balabit.com>
@bazsi
appmodel: add auto-parse(yes/no) option to app-parser()
dfeb84b 
This argument is a kill-switch, e.g. app-parser(auto-parse(no)) would
disable all applications automatically.

Signed-off-by: Balazs Scheidler <balazs.scheidler@balabit.com>
@bazsi
system-source: pass along all input parameters to app-parser()
8ce006a 
This makes it possible to disable app-parser() using:

source { system(auto-parse(no)); };

Signed-off-by: Balazs Scheidler <balazs.scheidler@balabit.com>
@bazsi
default-network-drivers: add __VARARGS__ to app-parser()
b63ac9b 
Signed-off-by: Balazs Scheidler <balazs.scheidler@balabit.com>
@kira-syslogng
Copy link
Contributor

Build SUCCESS, the tests were executed on test branch: master and test suite: functions

@bazsi
appmodel: refactor test_app_parser_generator to be less verbose
8f5e541 
Signed-off-by: Balazs Scheidler <balazs.scheidler@balabit.com>
@bazsi
appmodel: add exclude/include options to app-parser()
3ef7c6d 
Signed-off-by: Balazs Scheidler <balazs.scheidler@balabit.com>
@bazsi
Copy link
Collaborator Author

bazsi commented Dec 1, 2017

With these patches it is not possible to control which applications are processed by auto-parser:

# disable completely
system(auto-parse(no));

# all parsers enabled, except a few
system(auto-parse-exclude("foo,bar,baz"));

# only a few specific are enabled
system(auto-parse-include("foo,bar,baz"));

The same options should work with the default-network-drivers() stuff as well.

@bazsi
Copy link
Collaborator Author

bazsi commented Dec 1, 2017

@czanik feedback and testing would be welcome, as always.

@kira-syslogng
Copy link
Contributor

Build SUCCESS, the tests were executed on test branch: master and test suite: functions

@czanik
Copy link
Contributor

czanik commented Dec 4, 2017

I have tried:

system(auto-parse-exclude("iptables"));

And iptables logs were no more parsed, but sudo logs were still parsed.

@czanik
Copy link
Contributor

czanik commented Dec 4, 2017 

system(auto-parse-include("iptables"));

also worked fine.

@czanik
Copy link
Contributor

czanik commented Dec 4, 2017 

system(auto-parse(no));

also worked fine.

I also did a very basic performance test with the above setting: no measurable difference with the system source. My suspicion is, that the journal() source is the bottleneck here.

@lbudai
Copy link
Collaborator

lbudai commented Dec 4, 2017

@czanik : thx for feedbacks.

@lbudai lbudai merged commit c166d10 into master Dec 4, 2017
@MrAnno MrAnno deleted the app-parser-kill-switch branch April 15, 2018 21:43
@szemere szemere mentioned this pull request Jul 12, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lbudai lbudai lbudai approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@bazsi @kira-syslogng @czanik @lbudai @MrAnno