logstash-input-syslog 0.1.0

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    NzBiZWYwNjJjMDFmYjY4Mjc2YTdlYjZhMjE0ZGYwYjQ2NWUxMzU5NA==
+  data.tar.gz: !binary |-
+    MzJmNGU5MmI2NjQ0ZGYxYjAzYmE4OTgwZDQxMmU4M2M5MGQ0N2E5NQ==
+SHA512:
+  metadata.gz: !binary |-
+    NGQ0M2RjNWEzMjI1NTQ1ZGYzNDhhNzA0OWI3MjNmOWE0MTIyODE5MGI4NzVh
+    MDRmMTU3NjJhNGFlZjBhY2FhOWU2ZDMzOTNlNTVmMThlZDc1NjY5NTYxZDU1
+    MWFlY2Y0Y2Y3YmIxZjQwYmQ1MjljZjg0YmYxYmFmNWFkNWE3YzM=
+  data.tar.gz: !binary |-
+    NTkwNzY3NTQ5YWQ0NzM1YTUwMmU2NDFiZjQxOTMyZDk3MzdmZTViYjliMDEx
+    ZDgzZTkyYzFkODc2ZWE0ZTJmMWI4ZGZkNWJkNDVlOTJkMGMwZTNiODkwZDFm
+    MDk1NjVmMGNlYjBhMDJjMTAzYjdmOWI5NTFjZTFjZDg4ZDJlYWI=

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+Gemfile.lock
+.bundle
+vendor

data/Gemfile

@@ -0,0 +1,4 @@
+source 'http://rubygems.org'
+gem 'rake'
+gem 'gem_publisher'
+gem 'archive-tar-minitar'

data/LICENSE

@@ -0,0 +1,13 @@
+Copyright (c) 2012-2014 Elasticsearch <http://www.elasticsearch.org>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/Rakefile

@@ -0,0 +1,6 @@
+@files=[]
+
+task :default do
+  system("rake -T")
+end
+

data/lib/logstash/inputs/syslog.rb

@@ -0,0 +1,238 @@
+# encoding: utf-8
+require "date"
+require "logstash/filters/grok"
+require "logstash/filters/date"
+require "logstash/inputs/base"
+require "logstash/namespace"
+require "socket"
+
+# Read syslog messages as events over the network.
+#
+# This input is a good choice if you already use syslog today.
+# It is also a good choice if you want to receive logs from
+# appliances and network devices where you cannot run your own
+# log collector.
+#
+# Of course, 'syslog' is a very muddy term. This input only supports RFC3164
+# syslog with some small modifications. The date format is allowed to be
+# RFC3164 style or ISO8601. Otherwise the rest of RFC3164 must be obeyed.
+# If you do not use RFC3164, do not use this input.
+#
+# For more information see [the RFC3164 page](http://www.ietf.org/rfc/rfc3164.txt).
+#
+# Note: This input will start listeners on both TCP and UDP.
+class LogStash::Inputs::Syslog < LogStash::Inputs::Base
+  config_name "syslog"
+  milestone 1
+
+  default :codec, "plain"
+
+  # The address to listen on.
+  config :host, :validate => :string, :default => "0.0.0.0"
+
+  # The port to listen on. Remember that ports less than 1024 (privileged
+  # ports) may require root to use.
+  config :port, :validate => :number, :default => 514
+
+  # Use label parsing for severity and facility levels.
+  config :use_labels, :validate => :boolean, :default => true
+
+  # Labels for facility levels. These are defined in RFC3164.
+  config :facility_labels, :validate => :array, :default => [ "kernel", "user-level", "mail", "system", "security/authorization", "syslogd", "line printer", "network news", "UUCP", "clock", "security/authorization", "FTP", "NTP", "log audit", "log alert", "clock", "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7" ]
+
+  # Labels for severity levels. These are defined in RFC3164.
+  config :severity_labels, :validate => :array, :default => [ "Emergency" , "Alert", "Critical", "Error", "Warning", "Notice", "Informational", "Debug" ]
+
+  public
+  def initialize(params)
+    super
+    @shutdown_requested = false
+    BasicSocket.do_not_reverse_lookup = true
+  end # def initialize
+
+  public
+  def register
+    require "thread_safe"
+    @grok_filter = LogStash::Filters::Grok.new(
+      "overwrite" => "message",
+      "match" => { "message" => "<%{POSINT:priority}>%{SYSLOGLINE}" },
+      "tag_on_failure" => ["_grokparsefailure_sysloginput"],
+    )
+
+    @date_filter = LogStash::Filters::Date.new(
+      "match" => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601"]
+    )
+
+    @grok_filter.register
+    @date_filter.register
+
+    @tcp_clients = ThreadSafe::Array.new
+  end # def register
+
+  public
+  def run(output_queue)
+    # udp server
+    udp_thr = Thread.new do
+      begin
+        udp_listener(output_queue)
+      rescue => e
+        break if @shutdown_requested
+        @logger.warn("syslog udp listener died",
+                     :address => "#{@host}:#{@port}", :exception => e,
+                     :backtrace => e.backtrace)
+        sleep(5)
+        retry
+      end # begin
+    end # Thread.new
+
+    # tcp server
+    tcp_thr = Thread.new do
+      begin
+        tcp_listener(output_queue)
+      rescue => e
+        break if @shutdown_requested
+        @logger.warn("syslog tcp listener died",
+                     :address => "#{@host}:#{@port}", :exception => e,
+                     :backtrace => e.backtrace)
+        sleep(5)
+        retry
+      end # begin
+    end # Thread.new
+
+    # If we exit and we're the only input, the agent will think no inputs
+    # are running and initiate a shutdown.
+    udp_thr.join
+    tcp_thr.join
+  end # def run
+
+  private
+  def udp_listener(output_queue)
+    @logger.info("Starting syslog udp listener", :address => "#{@host}:#{@port}")
+
+    if @udp
+      @udp.close
+    end
+
+    @udp = UDPSocket.new(Socket::AF_INET)
+    @udp.bind(@host, @port)
+
+    loop do
+      payload, client = @udp.recvfrom(9000)
+      # Ruby uri sucks, so don't use it.
+      @codec.decode(payload) do |event|
+        decorate(event)
+        event["host"] = client[3]
+        syslog_relay(event)
+        output_queue << event
+      end
+    end
+  ensure
+    close_udp
+  end # def udp_listener
+
+  private
+  def tcp_listener(output_queue)
+    @logger.info("Starting syslog tcp listener", :address => "#{@host}:#{@port}")
+    @tcp = TCPServer.new(@host, @port)
+    @tcp_clients = []
+
+    loop do
+      client = @tcp.accept
+      @tcp_clients << client
+      Thread.new(client) do |client|
+        ip, port = client.peeraddr[3], client.peeraddr[1]
+        @logger.info("new connection", :client => "#{ip}:#{port}")
+        LogStash::Util::set_thread_name("input|syslog|tcp|#{ip}:#{port}}")
+        begin
+          client.each do |line|
+            @codec.decode(line) do |event|
+              decorate(event)
+              event["host"] = ip
+              syslog_relay(event)
+              output_queue << event
+            end
+          end
+        rescue Errno::ECONNRESET
+        ensure
+          @tcp_clients.delete(client)
+        end
+      end # Thread.new
+    end # loop do
+  ensure
+    close_tcp
+  end # def tcp_listener
+
+  public
+  def teardown
+    @shutdown_requested = true
+    close_udp
+    close_tcp
+    finished
+  end
+
+  private
+  def close_udp
+    if @udp
+      @udp.close_read rescue nil
+      @udp.close_write rescue nil
+    end
+    @udp = nil
+  end
+
+  private
+  def close_tcp
+    # If we somehow have this left open, close it.
+    @tcp_clients.each do |client|
+      client.close rescue nil
+    end
+    @tcp.close if @tcp rescue nil
+    @tcp = nil
+  end
+
+  # Following RFC3164 where sane, we'll try to parse a received message
+  # as if you were relaying a syslog message to it.
+  # If the message cannot be recognized (see @grok_filter), we'll
+  # treat it like the whole event["message"] is correct and try to fill
+  # the missing pieces (host, priority, etc)
+  public
+  def syslog_relay(event)
+    @grok_filter.filter(event)
+
+    if event["tags"].nil? || !event["tags"].include?(@grok_filter.tag_on_failure)
+      # Per RFC3164, priority = (facility * 8) + severity
+      #                       = (facility << 3) & (severity)
+      priority = event["priority"].to_i rescue 13
+      severity = priority & 7   # 7 is 111 (3 bits)
+      facility = priority >> 3
+      event["priority"] = priority
+      event["severity"] = severity
+      event["facility"] = facility
+
+      event["timestamp"] = event["timestamp8601"] if event.include?("timestamp8601")
+      @date_filter.filter(event)
+    else
+      @logger.info? && @logger.info("NOT SYSLOG", :message => event["message"])
+
+      # RFC3164 says unknown messages get pri=13
+      priority = 13
+      event["priority"] = 13
+      event["severity"] = 5   # 13 & 7 == 5
+      event["facility"] = 1   # 13 >> 3 == 1
+    end
+
+    # Apply severity and facility metadata if
+    # use_labels => true
+    if @use_labels
+      facility_number = event["facility"]
+      severity_number = event["severity"]
+
+      if @facility_labels[facility_number]
+        event["facility_label"] = @facility_labels[facility_number]
+      end
+
+      if @severity_labels[severity_number]
+        event["severity_label"] = @severity_labels[severity_number]
+      end
+    end
+  end # def syslog_relay
+end # class LogStash::Inputs::Syslog

data/logstash-input-syslog.gemspec

@@ -0,0 +1,30 @@
+Gem::Specification.new do |s|
+
+  s.name            = 'logstash-input-syslog'
+  s.version         = '0.1.0'
+  s.licenses        = ['Apache License (2.0)']
+  s.summary         = "Read syslog messages as events over the network."
+  s.description     = "Read syslog messages as events over the network."
+  s.authors         = ["Elasticsearch"]
+  s.email           = 'richard.pijnenburg@elasticsearch.com'
+  s.homepage        = "http://logstash.net/"
+  s.require_paths = ["lib"]
+
+  # Files
+  s.files = `git ls-files`.split($\)+::Dir.glob('vendor/*')
+
+  # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "group" => "input" }
+
+  # Gem dependencies
+  s.add_runtime_dependency 'logstash', '>= 1.4.0', '< 2.0.0'
+
+  s.add_runtime_dependency 'logstash-codec-plain'
+  s.add_runtime_dependency 'logstash-filter-grok'
+  s.add_runtime_dependency 'logstash-filter-date'
+
+end
+

data/rakelib/publish.rake

@@ -0,0 +1,9 @@
+require "gem_publisher"
+
+desc "Publish gem to RubyGems.org"
+task :publish_gem do |t|
+  gem_file = Dir.glob(File.expand_path('../*.gemspec',File.dirname(__FILE__))).first
+  gem = GemPublisher.publish_if_updated(gem_file, :rubygems)
+  puts "Published #{gem}" if gem
+end
+

data/rakelib/vendor.rake

@@ -0,0 +1,169 @@
+require "net/http"
+require "uri"
+require "digest/sha1"
+
+def vendor(*args)
+  return File.join("vendor", *args)
+end
+
+directory "vendor/" => ["vendor"] do |task, args|
+  mkdir task.name
+end
+
+def fetch(url, sha1, output)
+
+  puts "Downloading #{url}"
+  actual_sha1 = download(url, output)
+
+  if actual_sha1 != sha1
+    fail "SHA1 does not match (expected '#{sha1}' but got '#{actual_sha1}')"
+  end
+end # def fetch
+
+def file_fetch(url, sha1)
+  filename = File.basename( URI(url).path )
+  output = "vendor/#{filename}"
+  task output => [ "vendor/" ] do
+    begin
+      actual_sha1 = file_sha1(output)
+      if actual_sha1 != sha1
+        fetch(url, sha1, output)
+      end
+    rescue Errno::ENOENT
+      fetch(url, sha1, output)
+    end
+  end.invoke
+
+  return output
+end
+
+def file_sha1(path)
+  digest = Digest::SHA1.new
+  fd = File.new(path, "r")
+  while true
+    begin
+      digest << fd.sysread(16384)
+    rescue EOFError
+      break
+    end
+  end
+  return digest.hexdigest
+ensure
+  fd.close if fd
+end
+
+def download(url, output)
+  uri = URI(url)
+  digest = Digest::SHA1.new
+  tmp = "#{output}.tmp"
+  Net::HTTP.start(uri.host, uri.port, :use_ssl => (uri.scheme == "https")) do |http|
+    request = Net::HTTP::Get.new(uri.path)
+    http.request(request) do |response|
+      fail "HTTP fetch failed for #{url}. #{response}" if [200, 301].include?(response.code)
+      size = (response["content-length"].to_i || -1).to_f
+      count = 0
+      File.open(tmp, "w") do |fd|
+        response.read_body do |chunk|
+          fd.write(chunk)
+          digest << chunk
+          if size > 0 && $stdout.tty?
+            count += chunk.bytesize
+            $stdout.write(sprintf("\r%0.2f%%", count/size * 100))
+          end
+        end
+      end
+      $stdout.write("\r      \r") if $stdout.tty?
+    end
+  end
+
+  File.rename(tmp, output)
+
+  return digest.hexdigest
+rescue SocketError => e
+  puts "Failure while downloading #{url}: #{e}"
+  raise
+ensure
+  File.unlink(tmp) if File.exist?(tmp)
+end # def download
+
+def untar(tarball, &block)
+  require "archive/tar/minitar"
+  tgz = Zlib::GzipReader.new(File.open(tarball))
+  # Pull out typesdb
+  tar = Archive::Tar::Minitar::Input.open(tgz)
+  tar.each do |entry|
+    path = block.call(entry)
+    next if path.nil?
+    parent = File.dirname(path)
+    
+    mkdir_p parent unless File.directory?(parent)
+
+    # Skip this file if the output file is the same size
+    if entry.directory?
+      mkdir path unless File.directory?(path)
+    else
+      entry_mode = entry.instance_eval { @mode } & 0777
+      if File.exists?(path)
+        stat = File.stat(path)
+        # TODO(sissel): Submit a patch to archive-tar-minitar upstream to
+        # expose headers in the entry.
+        entry_size = entry.instance_eval { @size }
+        # If file sizes are same, skip writing.
+        next if stat.size == entry_size && (stat.mode & 0777) == entry_mode
+      end
+      puts "Extracting #{entry.full_name} from #{tarball} #{entry_mode.to_s(8)}"
+      File.open(path, "w") do |fd|
+        # eof? check lets us skip empty files. Necessary because the API provided by
+        # Archive::Tar::Minitar::Reader::EntryStream only mostly acts like an
+        # IO object. Something about empty files in this EntryStream causes
+        # IO.copy_stream to throw "can't convert nil into String" on JRuby
+        # TODO(sissel): File a bug about this.
+        while !entry.eof?
+          chunk = entry.read(16384)
+          fd.write(chunk)
+        end
+          #IO.copy_stream(entry, fd)
+      end
+      File.chmod(entry_mode, path)
+    end
+  end
+  tar.close
+  File.unlink(tarball) if File.file?(tarball)
+end # def untar
+
+def ungz(file)
+
+  outpath = file.gsub('.gz', '')
+  tgz = Zlib::GzipReader.new(File.open(file))
+  begin
+    File.open(outpath, "w") do |out|
+      IO::copy_stream(tgz, out)
+    end
+    File.unlink(file)
+  rescue
+    File.unlink(outpath) if File.file?(outpath)
+   raise
+  end
+  tgz.close
+end
+
+desc "Process any vendor files required for this plugin"
+task "vendor" do |task, args|
+
+  @files.each do |file| 
+    download = file_fetch(file['url'], file['sha1'])
+    if download =~ /.tar.gz/
+      prefix = download.gsub('.tar.gz', '').gsub('vendor/', '')
+      untar(download) do |entry|
+        if !file['files'].nil?
+          next unless file['files'].include?(entry.full_name.gsub(prefix, ''))
+          out = entry.full_name.split("/").last
+        end
+        File.join('vendor', out)
+      end
+    elsif download =~ /.gz/
+      ungz(download)
+    end
+  end
+
+end

data/spec/inputs/syslog_spec.rb

@@ -0,0 +1,92 @@
+# coding: utf-8
+require "spec_helper"
+require "socket"
+require "logstash/inputs/syslog"
+require "logstash/event"
+
+describe "inputs/syslog" do
+  
+
+  it "should properly handle priority, severity and facilities", :socket => true do
+    port = 5511
+    event_count = 10
+
+    config <<-CONFIG
+      input {
+        syslog {
+          type => "blah"
+          port => #{port}
+        }
+      }
+    CONFIG
+
+    input do |pipeline, queue|
+      Thread.new { pipeline.run }
+      sleep 0.1 while !pipeline.ready?
+
+      socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
+      event_count.times do |i|
+        socket.puts("<164>Oct 26 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434 dst outside:192.168.0.1/53 by access-group \"acl_drac\" [0x0, 0x0]")
+      end
+      socket.close
+
+      events = event_count.times.collect { queue.pop }
+
+      insist { events.length } == event_count
+      event_count.times do |i|
+        insist { events[i]["priority"] } == 164
+        insist { events[i]["severity"] } == 4
+        insist { events[i]["facility"] } == 20
+      end
+    end
+  end
+
+  it "should add unique tag when grok parsing fails with live syslog input", :socket => true do
+    port = 5511
+    event_count = 10
+
+    config <<-CONFIG
+      input {
+        syslog {
+          type => "blah"
+          port => #{port}
+        }
+      }
+    CONFIG
+
+    input do |pipeline, queue|
+      Thread.new { pipeline.run }
+      sleep 0.1 while !pipeline.ready?
+
+      socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
+      event_count.times do |i|
+        socket.puts("message which causes the a grok parse failure")
+      end
+      socket.close
+
+      events = event_count.times.collect { queue.pop }
+
+      insist { events.length } == event_count
+      event_count.times do |i|
+        insist { events[i]["tags"] } == ["_grokparsefailure_sysloginputplugin"]
+      end
+    end
+  end
+
+  it "should add unique tag when grok parsing fails" do
+    input = LogStash::Inputs::Syslog.new({})
+    input.register
+
+    # event which is not syslog should have a new tag
+    event = LogStash::Event.new({ "message" => "hello world, this is not syslog RFC3164" })
+    input.syslog_relay(event)
+    insist { event["tags"] } ==  ["_grokparsefailure_sysloginput"]
+
+    syslog_event = LogStash::Event.new({ "message" => "<164>Oct 26 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434" })
+    input.syslog_relay(syslog_event)
+    insist { syslog_event["priority"] } ==  164
+    insist { syslog_event["severity"] } ==  4
+    insist { syslog_event["tags"] } ==  nil
+  end
+
+end

metadata

@@ -0,0 +1,117 @@
+--- !ruby/object:Gem::Specification
+name: logstash-input-syslog
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Elasticsearch
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-11-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: logstash
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+    - - <
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+    - - <
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+- !ruby/object:Gem::Dependency
+  name: logstash-codec-plain
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: logstash-filter-grok
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: logstash-filter-date
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Read syslog messages as events over the network.
+email: richard.pijnenburg@elasticsearch.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE
+- Rakefile
+- lib/logstash/inputs/syslog.rb
+- logstash-input-syslog.gemspec
+- rakelib/publish.rake
+- rakelib/vendor.rake
+- spec/inputs/syslog_spec.rb
+homepage: http://logstash.net/
+licenses:
+- Apache License (2.0)
+metadata:
+  logstash_plugin: 'true'
+  group: input
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.1
+signing_key: 
+specification_version: 4
+summary: Read syslog messages as events over the network.
+test_files:
+- spec/inputs/syslog_spec.rb