fluent-plugin-newsyslog 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: b2f88ad81aa87528440228c6f20196250b0e3ba1
+  data.tar.gz: 5ff2e7de0a8b987e692667f98fc206d235315655
+SHA512:
+  metadata.gz: 0d0db0f3ec65e44cf136f4d95b83d51343db8794b62afd659265b15029d5de2c9cef76e1c080759101dee423ee6172481b7f696093786f353f777f0dc8de2b59
+  data.tar.gz: c8a934ca856137097371aa02f2e5948b9ede3f028142384f2bab7863b4e2c849c365516676259c0d3ea6514652aa850b5cc1c699b4cf0489ce97f9e1b7677170

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/.idea/

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.ruby-version

@@ -0,0 +1 @@
+2.1.5@fluent-plugin-newsyslog

data/.travis.yml

@@ -0,0 +1,3 @@
+language: ruby
+rvm:
+  - 2.1.5

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in fluent-plugin-newsyslog.gemspec
+gemspec

data/README.md

@@ -0,0 +1,96 @@
+# Fluent::Plugin::NewSyslog
+
+This is a new syslog input and parser plugins for Fluentd.
+It supports the newer rfc5424 syslog format along with the older rfc3164 format.
+It also automatically parse the time formats using the build in 
+ruby time parser rather than specifying the expected format from the syslog message.
+The parser plugin is backwards compatible with the built in syslog parser.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'fluent-plugin-newsyslog'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install fluent-plugin-newsyslog
+
+## Usage
+
+### `in_newsyslog` Input plugin
+
+The `in_newsyslog` Input plugin enables Fluentd to retrieve records via the syslog protocol on UDP or TCP.
+The default parser is the `parser_newsyslog` plugin.
+
+#### Example Configuration
+```
+<source>
+  type newsyslog
+  port 5140
+  bind 0.0.0.0
+  tag system
+</source>
+```
+#### Parameters
+**type (required)**
+The value must be newsyslog.
+
+**port**
+The port to listen to. Default Value = 5140
+
+**bind**
+The bind address to listen to. Default Value = 0.0.0.0 (all addresses)
+
+**protocol_type**
+The transport protocol used to receive logs. “udp” and “tcp” are supported. “udp” by default.
+
+**tag (required)**
+The prefix of the tag. The tag itself is generated by the tag prefix, facility level, and priority.
+
+### `parser_newsyslog` Parser plugin
+
+The `parser_newsyslog` Parser plugin enables Fluentd to parse syslog records in either rfc5424 or rfc3164 format.
+
+#### Example Configuration
+This is an example to use this parser with the syslog plugin.
+```
+<source>
+  type syslog
+  port 5140
+  bind 0.0.0.0
+  format newsyslog
+  tag system
+</source>
+```
+#### Parameters
+
+**payload_message**
+When set to true, it will output the entire syslog message into the message field rather than the parsed message field.
+Default Value = false, send the parsed syslog message field.
+ 
+## Development
+
+After checking out the repo, run `bundle` to install dependencies.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `fluent-plugin-newsyslog.gemspec`, and then run `bundle exec rake release` to create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+### Running unit tests
+This gem is using both rspec and test::unit
+
+execute `bundle exec rspec` to run the rspec tests
+execute `bundle exec rake test` to run test::unit tests 
+
+## Contributing
+
+1. Fork it ( https://github.com/athenahealth/fluent-plugin-newsyslog/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,26 @@
+require 'bundler/gem_tasks'
+
+require 'rake/testtask'
+require 'rake/clean'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+desc 'Run test_unit based test'
+Rake::TestTask.new(:test) do |t|
+  # To run test for only one file (or file path pattern)
+  #  $ bundle exec rake base_test TEST=test/test_specified_path.rb
+  #  $ bundle exec rake base_test TEST=test/test_*.rb
+  t.libs << "test"
+  t.test_files = Dir["test/**/test_*.rb"].sort
+  t.verbose = true
+  #t.warning = true
+end
+
+desc 'Run test with simplecov'
+task :coverage do |t|
+  ENV['SIMPLE_COV'] = '1'
+  Rake::Task["test"].invoke
+end
+
+task :default => [:test, :build]

data/fluent-plugin-newsyslog.gemspec

@@ -0,0 +1,39 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+Gem::Specification.new do |spec|
+  spec.name          = "fluent-plugin-newsyslog"
+  spec.version       = "0.1.0"
+  spec.authors       = ["Kevin Scheunemann"]
+  spec.email         = ["kscheunemann@athenahealth.com"]
+
+  spec.summary       = %q{A better fluentd syslog input and parser}
+  spec.description   = %q{A fluentd syslog parser that handles multiple formats }
+  spec.homepage      = "https://github.com/athenahealth/fluent-plugin-newsyslog"
+
+  # Prevent pushing this gem to RubyGems.org by setting 'allowed_push_host', or
+  # delete this section to allow pushing this gem to any host.
+  # if spec.respond_to?(:metadata)
+  #   spec.metadata['allowed_push_host'] = "TODO: Set to 'http://mygemserver.com'"
+  # else
+  #   raise "RubyGems 2.0 or newer is required to protect against public gem pushes."
+  # end
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_runtime_dependency 'fluentd', '>= 0.10.59'
+  spec.add_development_dependency 'bundler', '~> 1.9'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'flexmock'
+  spec.add_development_dependency 'simplecov', '~> 0.6.4'
+  spec.add_development_dependency 'rr', '>= 1.0.0'
+  spec.add_development_dependency 'timecop', '>= 0.3.0'
+  spec.add_development_dependency 'test-unit', '~> 3.0.2'
+  spec.add_development_dependency 'test-unit-rr', '~> 1.0.3'
+
+end

data/lib/fluent/plugin/in_newsyslog.rb

@@ -0,0 +1,139 @@
+module Fluent
+  class NewSyslogInput < Input
+    Plugin.register_input('newsyslog', self)
+
+    FACILITY_MAP = {
+        0   => 'kern',
+        1   => 'user',
+        2   => 'mail',
+        3   => 'daemon',
+        4   => 'auth',
+        5   => 'syslog',
+        6   => 'lpr',
+        7   => 'news',
+        8   => 'uucp',
+        9   => 'cron',
+        10  => 'authpriv',
+        11  => 'ftp',
+        12  => 'ntp',
+        13  => 'audit',
+        14  => 'alert',
+        15  => 'at',
+        16  => 'local0',
+        17  => 'local1',
+        18  => 'local2',
+        19  => 'local3',
+        20  => 'local4',
+        21  => 'local5',
+        22  => 'local6',
+        23  => 'local7'
+    }
+
+    PRIORITY_MAP = {
+        0  => 'emerg',
+        1  => 'alert',
+        2  => 'crit',
+        3  => 'err',
+        4  => 'warn',
+        5  => 'notice',
+        6  => 'info',
+        7  => 'debug'
+    }
+
+    def initialize
+      super
+      require 'cool.io'
+      require 'fluent/plugin/socket_util'
+    end
+
+    config_param :port, :integer, :default => 5140
+    config_param :bind, :string, :default => '0.0.0.0'
+    config_param :tag, :string
+    config_param :protocol_type, :default => :udp do |val|
+      case val.downcase
+        when 'tcp'
+          :tcp
+        when 'udp'
+          :udp
+        else
+          raise ConfigError, "syslog input protocol type should be 'tcp' or 'udp'"
+      end
+    end
+    config_param :include_source_host, :bool, :default => false
+    config_param :source_host_key, :string, :default => 'source_host'.freeze
+    config_param :blocking_timeout, :time, :default => 0.5
+
+    def configure(conf)
+      super
+      conf['with_priority'] = true
+      @parser = TextParser::NewSyslogParser.new
+      @parser.configure(conf)
+    end
+
+    def start
+      @loop = Coolio::Loop.new
+      @handler = listen(method(:receive_data))
+      @loop.attach(@handler)
+
+      @thread = Thread.new(&method(:run))
+    end
+
+    def shutdown
+      @loop.watchers.each {|w| w.detach }
+      @loop.stop
+      @handler.close
+      @thread.join
+    end
+
+    def run
+      @loop.run(@blocking_timeout)
+    rescue
+      log.error "unexpected error", :error=>$!.to_s
+      log.error_backtrace
+    end
+
+    private
+
+    def receive_data(data, addr)
+      @parser.parse(data) { |time, record|
+        unless time && record
+          log.warn "invalid syslog message", :data => data
+          return
+        end
+
+        pri = record.delete('pri')
+        record[@source_host_key] = addr[2] if @include_source_host
+        emit(pri, time, record)
+      }
+    rescue => e
+      log.error data.dump, :error => e.to_s
+      log.error_backtrace
+    end
+
+    private
+
+    def listen(callback)
+      log.debug "listening syslog socket on #{@bind}:#{@port} with #{@protocol_type}"
+      if @protocol_type == :udp
+        @usock = SocketUtil.create_udp_socket(@bind)
+        @usock.bind(@bind, @port)
+        SocketUtil::UdpHandler.new(@usock, log, 2048, callback)
+      else
+        # syslog family add "\n" to each message and this seems only way to split messages in tcp stream
+        Coolio::TCPServer.new(@bind, @port, SocketUtil::TcpHandler, log, "\n", callback)
+      end
+    end
+
+    def emit(pri, time, record)
+      facility = FACILITY_MAP[pri >> 3]
+      priority = PRIORITY_MAP[pri & 0b111]
+
+      tag = "#{@tag}.#{facility}.#{priority}"
+
+      router.emit(tag, time, record)
+    rescue => e
+      log.error "syslog failed to emit", :error => e.to_s, :error_class => e.class.to_s, :tag => tag, :record => Yajl.dump(record)
+    end
+
+  end
+end

data/lib/fluent/plugin/parser_newsyslog.rb

@@ -0,0 +1,88 @@
+require 'fluent/parser'
+
+module Fluent
+  class TextParser
+    class NewSyslogParser < Parser
+      # register as newsyslog parser
+      Plugin.register_parser("newsyslog", self)
+
+      # default to using the built in ruby time parser rather than specifying a time format
+      config_param :time_format, :string, :default => nil #"%b %d %H:%M:%S"
+      config_param :payload_message, :bool, :default => false
+      config_param :with_priority, :bool, :default => false
+
+      def initialize
+        super
+        @mutex = Mutex.new
+      end
+
+      def configure(conf)
+        super
+        @time_parser = TimeParser.new(@time_format)
+      end
+
+      def parse(text)
+
+        if @with_priority
+          if /^\<.*\>\d/.match(text)
+            #match rfc5424 syslog format
+            regex = /^\<(?<pri>[0-9]+)\>(1)(?<time>[^ ]* {1,2}[^ ]*) (?<host>[^ ]*) (?<ident>[^ ]*) (?<pid>[^ ]*) (?<msgid>[^ ]*) (-|) *(?<message>.*)$/
+          elsif /^\<.*>/.match(text)
+            #match rfc3164 syslog format
+            regex = /^\<(?<pri>[0-9]+)\>(?<time>[^ ]* {1,2}[^ ]* [^ ]*) (?<host>[^ ]*) (?<ident>[a-zA-Z0-9_\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$/
+          else
+            #set an impossible regex match if not matching a the start of a syslog message above
+            regex = /a^/
+          end
+        else
+          # with_priorty = false to support in_syslog plugin
+          regex = /^(?<time>[^ ]*\s*[^ ]* [^ ]*) (?<host>[^ ]*) (?<ident>[a-zA-Z0-9_\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$/
+        end
+
+
+        m = regex.match(text)
+        unless m
+          if block_given?
+            yield nil, nil
+            return
+          else
+            return nil, nil
+          end
+        end
+
+        Regexp.union
+
+        time = nil
+        record = {}
+
+        m.names.each { |name|
+          if value = m[name]
+            case name
+              when 'pri'
+                record['pri'] = value.to_i
+              when 'time'
+                time = @mutex.synchronize { @time_parser.parse(value.gsub(/ +/, ' ')) }
+              when 'message'
+                record['message'] = @payload_message? text : value
+              else
+                record[name] = value
+            end
+          end
+        }
+
+        if @estimate_current_event
+          time ||= Engine.now
+        end
+
+        if block_given?
+          yield time, record
+        else
+          return time, record
+        end
+
+
+      end
+
+    end
+  end
+end

metadata

@@ -0,0 +1,193 @@
+--- !ruby/object:Gem::Specification
+name: fluent-plugin-newsyslog
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Kevin Scheunemann
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2015-05-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: fluentd
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.10.59
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.10.59
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: flexmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.6.4
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.6.4
+- !ruby/object:Gem::Dependency
+  name: rr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.0
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.3.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.3.0
+- !ruby/object:Gem::Dependency
+  name: test-unit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.0.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.0.2
+- !ruby/object:Gem::Dependency
+  name: test-unit-rr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.0.3
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.0.3
+description: 'A fluentd syslog parser that handles multiple formats '
+email:
+- kscheunemann@athenahealth.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".ruby-version"
+- ".travis.yml"
+- Gemfile
+- README.md
+- Rakefile
+- fluent-plugin-newsyslog.gemspec
+- lib/fluent/plugin/in_newsyslog.rb
+- lib/fluent/plugin/parser_newsyslog.rb
+homepage: https://github.com/athenahealth/fluent-plugin-newsyslog
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.3
+signing_key: 
+specification_version: 4
+summary: A better fluentd syslog input and parser
+test_files: []