Syslog parser drop invalid #3565
Conversation
|
Build FAILURE |
|
This pull request introduces 2 alerts when merging 6f67a4cb2c1f65ab7d4dbe86c486f64670d59464 into 975d950 - view on LGTM.com new alerts:
|
bazsi
force-pushed
the
syslog-parser-drop-invalid
branch
from
6f67a4c
to
108a383
Compare
|
Build FAILURE |
bazsi
force-pushed
the
syslog-parser-drop-invalid
branch
from
108a383
to
35480bb
Compare
|
dropping "WIP", this should be good enough for review. The changes are not complex, however there's a series of them. I'd recommend going patch-by-patch. The motiviation behind all the changes, the feature itself is trivial, once all the preparation is there. |
bazsi
force-pushed
the
syslog-parser-drop-invalid
branch
from
35480bb
to
880f3a4
Compare
|
Build FAILURE |
|
@kira-syslogng test this please; |
|
Build FAILURE |
|
looking forward to having this in the toolbox |
bazsi
force-pushed
the
syslog-parser-drop-invalid
branch
from
880f3a4
to
58afacd
Compare
|
Build FAILURE |
bazsi
force-pushed
the
syslog-parser-drop-invalid
branch
2 times, most recently
from
e63a217
to
bd9d626
Compare
|
Build FAILURE |
|
@kira-syslogng retest this please; |
|
Build FAILURE |
1 similar comment
|
Build FAILURE |
|
@kira-syslogng retest this please branch=syslog-parser-update-wrong-format-test; |
|
Build SUCCESS |
|
I haven't checked why does the |
bazsi
force-pushed
the
syslog-parser-drop-invalid
branch
from
1747ca3
to
8e72c8a
Compare
|
Build FAILURE |
|
@kira-syslogng retest this please branch=syslog-parser-update-wrong-format-test; |
|
Build FAILURE |
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
This makes it easier for me the read the argument list, "LogMessage *msg" becomes the first one right after the "self"-style argument, while the input and the error indication come last. Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
msg_format_parse() might be called outside of the normal parsing (ie. syslog-parser), so move the message to log_msg_new() where it indeed happens. Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
This function would return if it was successful instead of simply handling the error itself. Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
msg_format_inject_parse_error() uses the string before that error position, which can read from buf[-1] in case position is zero, potentially leaking the byte in front of the data buffer, or if that address is unmapped, can also cause a SIGSEGV. In reality, that byte is part of the heap allocation header, so it shouldn't be unmapped, so SIGSEGV is not very probable, at least on common platforms. This patch also changes to using a dynamic buffer instead of a statically sized one, avoiding the truncation of the message at 2048 bytes. Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
Previously we retained flags like "mark" or "internal" which means that these values leak through a log_msg_clear(), but if we consider log_msg_clear() to be a function that gives us an empty slate, we should get rid of those flags too. Same as if we created a new LogMessage instance. Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
The condition to use "kernel" as program name depended on
LogMessage->flags set prior to the message being parsed.
Since the location where these flags were set is pretty far from
the syslog message parser code, this dependency was not easy to
recognize and the previous set of refactoring steps even broke the
assumption.
I've decided to make the dependency clearer while retaining the workaround
where it is today:
* LF_INTERNAL check is removed, the syslog parser is never invoked on
internal() logs (historically it probably was...)
* the check on LF_LOCAL was converted to a parse_options->flags check
on LP_LOCAL. Parse_options clearly affects how the message is parsed and is
used in a number of different locations within the same function.
* the check on <pri> value is retained, as parsing the pri value is logically
in the same location.
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
…t test Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
| MsgFormatOptions template_parse_options = {0}; | ||
| msg_format_options_defaults(&template_parse_options); | ||
| syslog_format_handler(&template_parse_options, (const guchar *)raw_msg, strlen(raw_msg), msg); | ||
| LogMessage *msg = log_msg_new(raw_msg, strlen(raw_msg), &parse_options); |
There was a problem hiding this comment.
I would prefer this UT not using syslogformat in the first place. But this was not introduced by this PR, so I am okay with the follow up.
|
Also if possible please write a news entry under |
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
bazsi
force-pushed
the
syslog-parser-drop-invalid
branch
from
b07566e
to
dba4f98
Compare
|
added news file + rebased |
|
Build FAILURE |
|
@kira-syslogng retest this please branch=syslog-parser-update-wrong-format-test; |
|
Build SUCCESS |
|
I've created an internal doc update ticket about the new option and the changed behaviour of msg-format flags (i.e. from now on if "no-parse" flag is used additional flags e.g. "no-multi-line" can be used as well.) |
|
@bazsi I wonder: did we intentionally not document the injected error message?
I would mention the details of the error message (rewritten program and message fields, modified facility and severity values). |
|
There was no intention, it just happened this way.
Documenting the error handling might indeed be useful, as well as the
drop-invalid option in the context of syslog-parser ().
…On Fri, Mar 19, 2021, 16:25 Gábor Nagy ***@***.***> wrote:
@bazsi <https://github.com/bazsi> I wonder: did we intentionally not
document the injected error message?
This is the only thing in the documentation:
If syslog-ng OSE cannot parse a message, it results in an error
I would mention the details of the error message (rewritten program and
message fields, modified facility and severity values).
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#3565 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAFOK5XAMP52MBS76KXMZP3TENUH7ANCNFSM4XGJJW2Q>
.
|
|
Thanks, I've submitted a ticket to the doc team. |
This PR contains a combination of a long-needed msg-format related refactor (moving common code out of format modules into the msg-format layer) and the ability for syslog-parser() to drop incorrectly formatted messages (right now it is only RFC5424 that can indicate invalid messages, RFC3164 consumes everything).
The motivation behind this feature is that more and more rfc5424 style messages are actually incorrectly formatted, while still containing the initial "1 " version indicator right after the priority field. Instead of making the parser less strict, the drop-invalid() setting allows the easy identification of these messages, so that an alternative parser can be applied, like this:
This was a long requested feature by the https://github.com/splunk/splunk-connect-for-syslog team @rfaircloth-splunk