Syslog parser drop invalid #3565
Build FAILURE
This pull request introduces 2 alerts when merging 6f67a4cb2c1f65ab7d4dbe86c486f64670d59464 into 975d950 - view on LGTM.com new alerts:
Build FAILURE
dropping "WIP", this should be good enough for review. The changes are not complex; however, there's a series of them. I'd recommend going patch-by-patch. The motivation behind all the changes: the feature itself is trivial once all the preparation is there.
Build FAILURE
@kira-syslogng test this please;
Build FAILURE
looking forward to having this in the toolbox
I only have some questions/comments.
The new feature looks good to me!
Build FAILURE
Build FAILURE
@kira-syslogng retest this please;
Build FAILURE
@kira-syslogng retest this please branch=syslog-parser-update-wrong-format-test;
Build SUCCESS
I haven't checked why does the
Build FAILURE
@kira-syslogng retest this please branch=syslog-parser-update-wrong-format-test;
Build FAILURE
This makes it easier for me to read the argument list: "LogMessage *msg" becomes the first one right after the "self"-style argument, while the input and the error indication come last.
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
msg_format_parse() might be called outside of the normal parsing (i.e. syslog-parser), so move the message to log_msg_new() where it indeed happens.
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
This function would return whether it was successful instead of simply handling the error itself.
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
msg_format_inject_parse_error() uses the string before that error position, which can read from buf[-1] in case position is zero, potentially leaking the byte in front of the data buffer, or if that address is unmapped, can also cause a SIGSEGV. In reality, that byte is part of the heap allocation header, so it shouldn't be unmapped, so SIGSEGV is not very probable, at least on common platforms. This patch also changes to using a dynamic buffer instead of a statically sized one, avoiding the truncation of the message at 2048 bytes.
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
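The out-of-bounds read described in the commit above, as an added C illustration that is not syslog-ng's code: `flawed_marker_index()` shows how a failure offset of zero turns into index -1, and `inject_parse_error()` is an assumed hardened stand-in that never indexes before the buffer, clamps the offset, and sizes its output dynamically instead of using a fixed 2048-byte array. The function names, the error-message layout and the sample input are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed names and message layout; not syslog-ng's own code. The error text
 * is built as: "<prefix><bytes before the error>>@<<bytes from the error on>" */

/* The flawed index computation behind the bug: the marker was positioned by
 * looking at the byte *before* the failure offset, so position == 0 yields
 * index -1, one byte in front of the heap allocation (normally part of the
 * allocator's header: an info leak is more likely than a SIGSEGV). */
long flawed_marker_index(size_t position)
{
  return (long) position - 1;                     /* -1 when position == 0 */
}

/* Hardened stand-in: never indexes before data[0], clamps an out-of-range
 * offset, and sizes the output from the input instead of a fixed 2048-byte
 * array, so long raw messages are not truncated. Returns a malloc'd string
 * the caller frees, or NULL on allocation failure. */
char *inject_parse_error(const char *data, size_t length, size_t position)
{
  static const char prefix[] = "Error processing log message: ";
  static const char marker[] = ">@<";
  const size_t plen = sizeof(prefix) - 1, mlen = sizeof(marker) - 1;
  size_t out_len = plen + length + mlen;
  char *out = malloc(out_len + 1);
  if (!out)
    return NULL;
  if (position > length)
    position = length;                            /* error offset cannot exceed input */

  memcpy(out, prefix, plen);
  memcpy(out + plen, data, position);             /* bytes before the error (none if 0) */
  memcpy(out + plen + position, marker, mlen);
  memcpy(out + plen + position + mlen, data + position, length - position);
  out[out_len] = '\0';
  return out;
}

int main(void)
{
  /* Constructed sample: RFC5424-looking header with a bad timestamp at offset 6 */
  const char *raw = "<34>1 not-a-timestamp host app - - - payload";
  char *msg = inject_parse_error(raw, strlen(raw), 6);
  char *msg0 = inject_parse_error(raw, strlen(raw), 0);  /* the case that read raw[-1] */
  printf("%s\n%s\n", msg, msg0);
  free(msg); free(msg0);
  return 0;
}
```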
Previously we retained flags like "mark" or "internal" which means that these values leak through a log_msg_clear(), but if we consider log_msg_clear() to be a function that gives us an empty slate, we should get rid of those flags too. Same as if we created a new LogMessage instance.
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
The condition to use "kernel" as program name depended on LogMessage->flags set prior to the message being parsed. Since the location where these flags were set is pretty far from the syslog message parser code, this dependency was not easy to recognize and the previous set of refactoring steps even broke the assumption. I've decided to make the dependency clearer while retaining the workaround where it is today:
* LF_INTERNAL check is removed, the syslog parser is never invoked on internal() logs (historically it probably was...)
* the check on LF_LOCAL was converted to a parse_options->flags check on LP_LOCAL. Parse_options clearly affects how the message is parsed and is used in a number of different locations within the same function.
* the check on <pri> value is retained, as parsing the pri value is logically in the same location.
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
…t test
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
MsgFormatOptions template_parse_options = {0}; | ||
msg_format_options_defaults(&template_parse_options); | ||
syslog_format_handler(&template_parse_options, (const guchar *)raw_msg, strlen(raw_msg), msg); | ||
LogMessage *msg = log_msg_new(raw_msg, strlen(raw_msg), &parse_options); |
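Review bot: the added line passes `&parse_options` to `log_msg_new()`, while the removed lines are the only place the hunk shows defaults being applied, and they apply them to `template_parse_options` via `msg_format_options_defaults(&template_parse_options)`; please confirm `parse_options` receives the same defaults (and the same flags) before this call, otherwise the test now parses `raw_msg` with different settings than it did through `syslog_format_handler()`.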
I would prefer this UT not using syslogformat in the first place. But this was not introduced by this PR, so I am okay with the follow up.
Also if possible please write a news entry under
added news file + rebased
Build FAILURE
@kira-syslogng retest this please branch=syslog-parser-update-wrong-format-test;
Build SUCCESS
I've created an internal doc update ticket about the new option and the changed behaviour of msg-format flags (i.e. from now on, if the "no-parse" flag is used, additional flags, e.g. "no-multi-line", can be used as well).
@bazsi I wonder: did we intentionally not document the injected error message?
I would mention the details of the error message (rewritten program and message fields, modified facility and severity values).
There was no intention, it just happened this way.
Documenting the error handling might indeed be useful, as well as the drop-invalid option in the context of syslog-parser().
On Fri, Mar 19, 2021, 16:25 Gábor Nagy ***@***.***> wrote:
> @bazsi <https://github.com/bazsi> I wonder: did we intentionally not document the injected error message?
> This is the only thing in the documentation:
> If syslog-ng OSE cannot parse a message, it results in an error
> I would mention the details of the error message (rewritten program and message fields, modified facility and severity values).
Thanks, I've submitted a ticket to the doc team.
This PR contains a combination of a long-needed msg-format related refactor (moving common code out of format modules into the msg-format layer) and the ability for syslog-parser() to drop incorrectly formatted messages (right now it is only RFC5424 that can indicate invalid messages, RFC3164 consumes everything).
The motivation behind this feature is that more and more rfc5424 style messages are actually incorrectly formatted, while still containing the initial "1 " version indicator right after the priority field. Instead of making the parser less strict, the drop-invalid() setting allows the easy identification of these messages, so that an alternative parser can be applied, like this:
This was a long requested feature by the https://github.com/splunk/splunk-connect-for-syslog team @rfaircloth-splunk