Commit ec35354

Merge pull request syslog-ng#5114 from HofiOne/RFC3164-PRI-errors-as-piggyback-ones
syslog-format: get rid of RFC3164 error case in favour of setting error
2 parents 1c49d03 + a5f9fb9 commit ec35354

5 files changed

+94
-15
lines changed

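--- a/lib/logmsg/logmsg.c
+++ b/lib/logmsg/logmsg.c
@@ -2011,14 +2011,13 @@ void
 log_msg_tags_init(void)
 {
 log_tags_register_predefined_tag("message.utf8_sanitized", LM_T_MSG_UTF8_SANITIZED);
-log_tags_register_predefined_tag("message.parse_error", LM_T_MSG_PARSE_ERROR);
 
+log_tags_register_predefined_tag("syslog.invalid_pri", LM_T_SYSLOG_INVALID_PRI);
 log_tags_register_predefined_tag("syslog.missing_pri", LM_T_SYSLOG_MISSING_PRI);
 log_tags_register_predefined_tag("syslog.missing_timestamp", LM_T_SYSLOG_MISSING_TIMESTAMP);
 log_tags_register_predefined_tag("syslog.invalid_hostname", LM_T_SYSLOG_INVALID_HOSTNAME);
 log_tags_register_predefined_tag("syslog.unexpected_framing", LM_T_SYSLOG_UNEXPECTED_FRAMING);
 log_tags_register_predefined_tag("syslog.rfc3164_missing_header", LM_T_SYSLOG_RFC3164_MISSING_HEADER);
-log_tags_register_predefined_tag("syslog.rfc5424_unquoted_sdata_value", LM_T_SYSLOG_RFC5424_UNQUOTED_SDATA_VALUE);
 
 log_tags_register_predefined_tag("syslog.rfc5424_missing_hostname", LM_T_SYSLOG_RFC5424_MISSING_HOSTNAME);
 log_tags_register_predefined_tag("syslog.rfc5424_missing_app_name", LM_T_SYSLOG_RFC5424_MISSING_APP_NAME);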
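Review bot: The new `syslog.invalid_pri` registration sits before `syslog.missing_pri`, while the enum in lib/logmsg/logmsg.h in this same commit lists `LM_T_SYSLOG_MISSING_PRI` before `LM_T_SYSLOG_INVALID_PRI`. If log_tags_register_predefined_tag() hands out ids in call order and checks them against the enum value (its body is not shown here), the two lists must stay in the same order, so the new call belongs one line lower, after the `syslog.missing_pri` line. A comment above the list such as `/* keep in the same order as the LM_T_* enum in logmsg.h */` would stop the next tag from drifting. log_msg_tags_init continues past the end of the hunk.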

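--- a/lib/logmsg/logmsg.h
+++ b/lib/logmsg/logmsg.h
@@ -106,10 +106,10 @@ enum
 {
 /* means that the message is not valid utf8 */
 LM_T_MSG_UTF8_SANITIZED,
-/* msg-format parsing failed, "Error parsing ..." */
-LM_T_MSG_PARSE_ERROR,
 /* missing <pri> value */
 LM_T_SYSLOG_MISSING_PRI,
+/* invalid <pri> value */
+LM_T_SYSLOG_INVALID_PRI,
 /* no timestamp present in the original message */
 LM_T_SYSLOG_MISSING_TIMESTAMP,
 /* hostname field does not seem valid, check-hostname(yes) failed */
@@ -118,8 +118,6 @@ enum
 LM_T_SYSLOG_UNEXPECTED_FRAMING,
 /* no date & host information in the syslog message */
 LM_T_SYSLOG_RFC3164_MISSING_HEADER,
-/* incorrectly quoted RFC5424 SDATA */
-LM_T_SYSLOG_RFC5424_UNQUOTED_SDATA_VALUE,
 /* hostname field missing */
 LM_T_SYSLOG_RFC5424_MISSING_HOSTNAME,
 /* program field missing */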

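--- a/lib/msg-format.c
+++ b/lib/msg-format.c
@@ -181,9 +181,10 @@ msg_format_parse_into(MsgFormatOptions *options, LogMessage *msg,
 
 if (!msg_format_try_parse_into(options, msg, data, length, &problem_position))
 {
-log_msg_set_tag_by_id(msg, LM_T_MSG_PARSE_ERROR);
 if (options->flags & LP_PIGGYBACK_ERRORS)
 msg_format_inject_parse_error(options, msg, data, _rstripped_message_length(data, length), problem_position);
+else
+log_msg_set_value(msg, LM_V_MESSAGE, (gchar *) data, length);
 
 /* the injected error message needs to be postprocessed too */
 msg_format_postprocess_message(options, msg, data, length);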
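Review bot: The new `else` branch stores the raw input with the full `length`, while the piggyback branch just above passes `_rstripped_message_length(data, length)`, so the same unparseable line reaches $MSG with or without its trailing characters (presumably line endings) depending on a flag. Consider `log_msg_set_value(msg, LM_V_MESSAGE, (const gchar *) data, _rstripped_message_length(data, length));`, which also avoids casting away constness if `data` is a const pointer; its declaration is outside the hunk. With `LM_T_MSG_PARSE_ERROR` no longer set here, a message taking this branch carries only whatever tag the format handler set, so a comment stating that handlers must tag their own failures would help anyone filtering on rejected input. msg_format_parse_into begins and ends outside the hunk.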

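--- a/modules/syslogformat/syslog-format.c
+++ b/modules/syslogformat/syslog-format.c
@@ -1005,6 +1005,9 @@ _syslog_format_parse_legacy_message(LogMessage *msg,
 *
 * Parse an RFC3164 formatted log message and store the parsed information
 * in @msg. Parsing is affected by the bits set @flags argument.
+*
+* This parser is _very_ forgiving, it basically accepts anything any device
+* would barf on the line.
 **/
 static gboolean
 _syslog_format_parse_legacy(const MsgFormatOptions *parse_options,
@@ -1020,19 +1023,27 @@ _syslog_format_parse_legacy(const MsgFormatOptions *parse_options,
 _syslog_format_check_framing(msg, &src, &left);
 if (!_syslog_format_parse_pri(msg, &src, &left, parse_options->flags, parse_options->default_pri))
 {
-goto error;
+/* invalid <pri> value, that's really difficult to do, as it needs to
+* start with an opening bracket and then no number OR no closing bracket
+* follows. A missing <pri> value would be accepted.
+*
+* This is a very rare case, but it's best handled like all the other
+* formatting errors, accept it and shove the entire line into $MSG.
+* This basically disables error piggybacking for RFC3164 inputs. */
+
+log_msg_set_tag_by_id(msg, LM_T_SYSLOG_INVALID_PRI);
+_syslog_format_parse_legacy_message(msg, &src, &left, parse_options);
 }
+else
+{
+if ((parse_options->flags & LP_NO_HEADER) == 0)
+_syslog_format_parse_legacy_header(msg, &src, &left, parse_options);
 
-if ((parse_options->flags & LP_NO_HEADER) == 0)
-_syslog_format_parse_legacy_header(msg, &src, &left, parse_options);
-
-_syslog_format_parse_legacy_message(msg, &src, &left, parse_options);
+_syslog_format_parse_legacy_message(msg, &src, &left, parse_options);
+}
 
 log_msg_set_value_to_string(msg, LM_V_MSGFORMAT, "rfc3164");
 return TRUE;
-error:
-*position = src - data;
-return FALSE;
 }
 
 /**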
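Review bot: The invalid-`<pri>` branch passes `src` and `left` to `_syslog_format_parse_legacy_message()` straight after `_syslog_format_parse_pri()` has failed, so the "entire line" only lands in $MSG if that function leaves both untouched on every failure path, which this hunk does not show. Saving the two values before the call and restoring them in the failure branch would make the comment's promise hold regardless. The input is sender-controlled and the branch does not say which priority such a message ends up with, so the comment should name it (for example `parse_options->default_pri`) for people who filter or alert on severity. With the `error:` label gone the visible code no longer writes `*position`, which the function's doc comment could state. The lines between the two hunks are not shown.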

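--- a/modules/syslogformat/tests/test_syslog_format.c
+++ b/modules/syslogformat/tests/test_syslog_format.c
@@ -86,6 +86,76 @@ Test(syslog_format, cisco_sequence_id_non_zero_termination)
 log_msg_unref(msg);
 }
 
+Test(syslog_format, rfc3164_error_invalid_pri)
+{
+/* incorrect pri value */
+const gchar *data = "<189 Feb 3 12:34:56 host program[pid]: message";
+gsize data_length = strlen(data);
+
+LogMessage *msg = log_msg_new_empty();
+
+gsize problem_position;
+cr_assert(syslog_format_handler(&parse_options, msg, (const guchar *) data, data_length, &problem_position));
+assert_log_message_value_by_name(msg, "MSG", "<189 Feb 3 12:34:56 host program[pid]: message");
+assert_log_message_has_tag(msg, "syslog.invalid_pri");
+
+log_msg_unref(msg);
+}
+
+Test(syslog_format, rfc3164_error_missing_timestamp)
+{
+/* incorrect pri value */
+const gchar *data = "<189> program[pid]: message";
+gsize data_length = strlen(data);
+
+LogMessage *msg = log_msg_new_empty();
+
+gsize problem_position;
+cr_assert(syslog_format_handler(&parse_options, msg, (const guchar *) data, data_length, &problem_position));
+/* without timestamp, host is not expected */
+assert_log_message_value_by_name(msg, "HOST", "");
+assert_log_message_value_by_name(msg, "PROGRAM", "program");
+assert_log_message_value_by_name(msg, "PID", "pid");
+assert_log_message_value_by_name(msg, "MSG", "message");
+assert_log_message_value_by_name(msg, "MSGFORMAT", "rfc3164");
+assert_log_message_has_tag(msg, "syslog.missing_timestamp");
+assert_log_message_has_tag(msg, "syslog.rfc3164_missing_header");
+
+log_msg_unref(msg);
+}
+
+Test(syslog_format, rfc5424_error_invalid_timestamp)
+{
+const gchar *data = "<189>1 2024-09-16Q11:22:33+02:00 host program pid msgid [foo bar=baz] message";
+gsize data_length = strlen(data);
+
+parse_options.flags |= LP_SYSLOG_PROTOCOL;
+LogMessage *msg = log_msg_new_empty();
+
+gsize problem_position;
+cr_assert_not(syslog_format_handler(&parse_options, msg, (const guchar *) data, data_length, &problem_position));
+assert_log_message_value_by_name(msg, "MSGFORMAT", "");
+assert_log_message_has_tag(msg, "syslog.missing_timestamp");
+
+log_msg_unref(msg);
+}
+
+Test(syslog_format, rfc5424_error_invalid_sdata)
+{
+const gchar *data = "<189>1 2024-09-16T11:22:33+02:00 host program pid msgid [foo bar=baz message";
+gsize data_length = strlen(data);
+
+parse_options.flags |= LP_SYSLOG_PROTOCOL;
+LogMessage *msg = log_msg_new_empty();
+
+gsize problem_position;
+cr_assert_not(syslog_format_handler(&parse_options, msg, (const guchar *) data, data_length, &problem_position));
+assert_log_message_value_by_name(msg, "MSGFORMAT", "");
+assert_log_message_has_tag(msg, "syslog.rfc5424_invalid_sdata");
+
+log_msg_unref(msg);
+}
+
 Test(syslog_format, rfc3164_style_message_when_parsed_as_rfc5424_is_marked_as_such_in_msgformat)
 {
 const gchar *data = "<189>Feb 3 12:34:56 host program[pid]: message";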
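Review bot: `parse_options.flags |= LP_SYSLOG_PROTOCOL;` in rfc5424_error_invalid_timestamp and rfc5424_error_invalid_sdata changes an options object defined outside the hunk and never clears the bit, so unless a per-test fixture resets it the RFC3164 tests may run in RFC5424 mode depending on execution order. Either restore it at the end with `parse_options.flags &= ~LP_SYSLOG_PROTOCOL;` or work on a local copy. The comment in rfc3164_error_missing_timestamp is a leftover from the test above; `/* valid pri, timestamp missing */` matches the input. rfc5424_error_invalid_sdata expects the tag `syslog.rfc5424_invalid_sdata`, whose registration is not among the visible lines of log_msg_tags_init, so that is worth checking.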
