Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for rsyslog lumberjack mechanism #92

Closed
wants to merge 4 commits into from
Closed

Add support for rsyslog lumberjack mechanism #92

wants to merge 4 commits into from

Conversation

leophys
Copy link

@leophys leophys commented Aug 15, 2022

Hi! Thanks for this software!

I am opening this PR to add a functionality I am interested in to better integrate the auditd machinery together with rsyslog. The juice of the feature regards the ability for rsyslog to be able to recognize the beginning of a json structure in a log line. This is achieved prepending a cookie (@cee:) before the log line. In the case of laurel as an auditd plugin, this means that such cookie should be present at the beginning of each line. I thought first of implementing a custom serde serializer, but this is impossible as a serializer has no notion of level and cannot tell when an object is at the beginning of a line. The approach I took here is to use a custom Writer (an implementation of std::io::Write) that mimics a BufWriter, buffering in an internal buffer per line instead of using the byte size as measure.
To enable this mechanism, I added a new section in the configuration file, with a single boolean option

[out_format]

lumberjack = true

that defaults to false (the current behavior).

You will notice that there are A LOT of lines in the PR diff. This is because I use (neo)vim and rust-analyzer in the language server machinery. It is not feasible for me to work without it and this machinery autoformats the code at each save. I run cargo fmt on the whole code base and saved it as first commit. The remaining commits in the PR implement what I described above. I beg you to accept this not as a disrespectful act, but rather as a way for you and me to foster public collaboration 😇

@hillu
Copy link
Collaborator

hillu commented Aug 16, 2022

Thank you for your pull request. I won't have time to properly review your changes until next week, so please have a little patience.

One question that came to my mind right away: Would it not be easier to add a configurable prefix parameter to the existing code?

@leophys
Copy link
Author

leophys commented Aug 16, 2022 via email

@hillu
Copy link
Collaborator

hillu commented Aug 19, 2022

I think something like

--- a/src/config.rs
+++ b/src/config.rs
@@ -12,6 +12,8 @@ pub struct Logfile {
     pub users: Option<Vec<String>>,
     pub size: Option<u64>,
     pub generations: Option<u64>,
+    #[serde(rename="line-prefix")]
+    pub line_prefix: Option<String>,
 }
 
 #[derive(Clone,Debug,Default,Serialize,Deserialize,PartialEq)]

plus corresponding changes in FileRotate should suffice.

@leophys
Copy link
Author

leophys commented Aug 25, 2022
edited

Hi, sorry for the long silence!

I think something like

--- a/src/config.rs
+++ b/src/config.rs
@@ -12,6 +12,8 @@ pub struct Logfile {
     pub users: Option<Vec<String>>,
     pub size: Option<u64>,
     pub generations: Option<u64>,
+    #[serde(rename="line-prefix")]
+    pub line_prefix: Option<String>,
 }
 
 #[derive(Clone,Debug,Default,Serialize,Deserialize,PartialEq)]

plus corresponding changes in FileRotate should suffice.

I did not understand your proposed solutions. As a matter of fact, I plugged this capability in the LumberjackWriter only, using the new section of the config I already added. What do you think?

I saw there are a bunch of conflicts, probably because you merged another PR and the cargo fmt is broken. I will try to open a new PR, just for the code formatting and then a second PR for this feature, but I am taking a small leave from the laptop and will be mostly AFK. Meanwhile, would you mind to review and comment the proposed changes here, so that I can backport your observation to the new PR?

Thanks!

EDIT: I just saw that the conflict comes from the fact that you applied cargo fmt yourself (and also added a validation step). I suppose I just have to rebase this PR!

EDIT 2: I rebased without conflicts (:heart:); seems too good to be true. So I guess this is again the main PR.

@blallo
Add LumberjackWriter
1478918 
This commit introduces a custom writer that prepends the lumberjack
cookie "@Cee:" to each line being written. It does so in a buffered
manner, where the buffer size is given by line number, mimicking the
BufWriter.
@blallo
Plug LumberjackWriter configurably
25d2aa9 
This commit adds a new config section with a single parameter, the
boolean "lumberjack", to enable the use of LumberjackWriter as writer
for the laurel logs.
@blallo
Add configurable prefix to LumberjackWriter
5d515fa
@blallo
Plug configurable prefix into laurel
3cc2f33
@hillu hillu self-assigned this Sep 2, 2022
@hillu
Copy link
Collaborator

hillu commented Sep 6, 2022

@leophys Sorry if I had not stated clearly enough what I was going for.

Please have a look at https://github.com/hillu/laurel/tree/feature/lumberjack – here the line prefix is just added to the Logger in main.rs, without the need for implementing a separate rotating file backend.

Does this do what you originally intended?

@leophys
Copy link
Author

leophys commented Sep 7, 2022

Ahahahahah, nice! It is so much cleaner than my current PR! It seems to me that it is exactly what I meant it to do.

@hillu
Copy link
Collaborator

hillu commented Sep 7, 2022

Ahahahahah, nice! It is so much cleaner than my current PR! It seems to me that it is exactly what I meant it to do.

Great, I'm going to push my change then.

I would like to give credit to you in the commit message and in the changelog for the next release. What name should I use?

@leophys
Copy link
Author

leophys commented Sep 7, 2022

Ahahahahah, nice! It is so much cleaner than my current PR! It seems to me that it is exactly what I meant it to do.

Great, I'm going to push my change then.

Yes please!

I would like to give credit to you in the commit message and in the changelog for the next release. What name should I use?

Thanks! You can use my github handle :)

@leophys leophys closed this Sep 7, 2022
hillu added a commit that referenced this pull request Sep 7, 2022
@hillu
Add option to prefixx log lines with a fixed string
662cada 
Based on a discussion following PR #92 by @leophys
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@hillu hillu

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@leophys @hillu @blallo