logstash-output-syslog 2.1.0 → 2.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: fed3005266aeadaa979f5943e57231766a852a1c
-  data.tar.gz: e9b7625982c94a62f18e80d7819fb23681ed65a8
+  metadata.gz: aee984517a11e5ef3e6940d6a34a4ee6cac6c9fc
+  data.tar.gz: 81de265a5c4f28c56273e9c837e5383a906d91d5
 SHA512:
-  metadata.gz: 876f0086824fb91936086645f1290f2864b450c301a9f5201512f8f3d75ed01d162cfe9ec203669a3578132b57a31b94729c18a33132d74f64ff624da8904880
-  data.tar.gz: cf49d0c4b980c542333d4691d3fb57d0f531439a8649cffb661b917795388a33bf42dbabfa7b6435c73626bb7eb3b82ee1223f347a517434d16654bfb8d2fdef
+  metadata.gz: eae8c4f8b72bd7ec9891d430fea8573f1b39f80052770cbd8679f8ade14cac266f3ad8ae4a5a7f73c2a8eded295873be893981408a1c270ec7a6a374c7a4208d
+  data.tar.gz: f9df3603f5f561a86f7078998dd4bf075116ff014ed92f1db3dcbe72d43c2ad760763279b08caef440185157fecafa65341c983057b8542b694a6eb1fc9bda4d

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 2.1.1
+ - Add SSL/TLS support to syslog output plugin (thanks @breml)
+ - Added ability to use codecs for this output (thanks @breml)
+
 ## 2.1.0
  - reconnect on exception. added basic specs
 

data/lib/logstash/outputs/syslog.rb

@@ -2,6 +2,7 @@
 require "logstash/outputs/base"
 require "logstash/namespace"
 require "date"
+require "logstash/codecs/plain"
 
 
 # Send events to a syslog server.
@@ -28,12 +29,10 @@ class LogStash::Outputs::Syslog < LogStash::Outputs::Base
     "network news",
     "uucp",
     "clock",
-    "security/authorization",
     "ftp",
     "ntp",
     "log audit",
     "log alert",
-    "clock",
     "local0",
     "local1",
     "local2",
@@ -64,31 +63,66 @@ class LogStash::Outputs::Syslog < LogStash::Outputs::Base
   # when connection fails, retry interval in sec.
   config :reconnect_interval, :validate => :number, :default => 1
 
-  # syslog server protocol. you can choose between udp and tcp
-  config :protocol, :validate => ["tcp", "udp"], :default => "udp"
+  # syslog server protocol. you can choose between udp, tcp and ssl/tls over tcp
+  config :protocol, :validate => ["tcp", "udp", "ssl-tcp"], :default => "udp"
+
+  # Verify the identity of the other end of the SSL connection against the CA.
+  config :ssl_verify, :validate => :boolean, :default => false
+
+  # The SSL CA certificate, chainfile or CA path. The system CA path is automatically included.
+  config :ssl_cacert, :validate => :path
+
+  # SSL certificate path
+  config :ssl_cert, :validate => :path
+
+  # SSL key path
+  config :ssl_key, :validate => :path
+
+  # SSL key passphrase
+  config :ssl_key_passphrase, :validate => :password, :default => nil
+
+  # use label parsing for severity and facility levels
+  # use priority field if set to false
+  config :use_labels, :validate => :boolean, :default => true
+
+  # syslog priority
+  # The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
+  config :priority, :validate => :string, :default => "%{syslog_pri}"
 
   # facility label for syslog message
-  config :facility, :validate => FACILITY_LABELS, :required => true
+  # default fallback to user-level as in rfc3164
+  # The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
+  config :facility, :validate => :string, :default => "user-level"
 
   # severity label for syslog message
-  config :severity, :validate => SEVERITY_LABELS, :required => true
+  # default fallback to notice as in rfc3164
+  # The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
+  config :severity, :validate => :string, :default => "notice"
 
-  # source host for syslog message
+  # source host for syslog message. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
   config :sourcehost, :validate => :string, :default => "%{host}"
 
   # timestamp for syslog message
   config :timestamp, :validate => :string, :default => "%{@timestamp}", :deprecated => "This setting is no longer necessary. The RFC setting will determine what time format is used."
 
-  # application name for syslog message
+  # application name for syslog message. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
   config :appname, :validate => :string, :default => "LOGSTASH"
 
-  # process id for syslog message
+  # process id for syslog message. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
   config :procid, :validate => :string, :default => "-"
 
-  # message text to log
+  # message text to log. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
   config :message, :validate => :string, :default => "%{message}"
 
-  # message id for syslog message
+  # message id for syslog message. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
   config :msgid, :validate => :string, :default => "-"
 
   # syslog message format: you can choose between rfc3164 or rfc5424
@@ -97,32 +131,59 @@ class LogStash::Outputs::Syslog < LogStash::Outputs::Base
   def register
     @client_socket = nil
 
-    facility_code = FACILITY_LABELS.index(@facility)
-    severity_code = SEVERITY_LABELS.index(@severity)
-    @priority = (facility_code * 8) + severity_code
+    if ssl?
+      @ssl_context = setup_ssl
+    end
+    
+    if @codec.instance_of? LogStash::Codecs::Plain
+      if @codec.config["format"].nil?
+        @codec = LogStash::Codecs::Plain.new({"format" => @message})
+      end
+    end
+    @codec.on_event(&method(:publish))
 
     # use instance variable to avoid string comparison for each event
     @is_rfc3164 = (@rfc == "rfc3164")
   end
 
   def receive(event)
+    @codec.encode(event)
+  end
+
+  def publish(event, payload)
     appname = event.sprintf(@appname)
     procid = event.sprintf(@procid)
     sourcehost = event.sprintf(@sourcehost)
 
+    message = payload.to_s.rstrip.gsub(/[\r][\n]/, "\n").gsub(/[\n]/, '\n')
+
+    # fallback to pri 13 (facility 1, severity 5)
+    if @use_labels
+      facility_code = (FACILITY_LABELS.index(event.sprintf(@facility)) || 1)
+      severity_code = (SEVERITY_LABELS.index(event.sprintf(@severity)) || 5)
+      priority = (facility_code * 8) + severity_code
+    else
+      priority = Integer(event.sprintf(@priority)) rescue 13
+      priority = 13 if (priority < 0 || priority > 191)
+    end
+
     if @is_rfc3164
       timestamp = event.sprintf("%{+MMM dd HH:mm:ss}")
-      syslog_msg = "<#{@priority.to_s}>#{timestamp} #{sourcehost} #{appname}[#{procid}]: #{event.sprintf(@message)}"
+      syslog_msg = "<#{priority.to_s}>#{timestamp} #{sourcehost} #{appname}[#{procid}]: #{message}"
     else
       msgid = event.sprintf(@msgid)
       timestamp = event.sprintf("%{+YYYY-MM-dd'T'HH:mm:ss.SSSZZ}")
-      syslog_msg = "<#{@priority.to_s}>1 #{timestamp} #{sourcehost} #{appname} #{procid} #{msgid} - #{event.sprintf(@message)}"
+      syslog_msg = "<#{priority.to_s}>1 #{timestamp} #{sourcehost} #{appname} #{procid} #{msgid} - #{message}"
     end
 
     begin
       @client_socket ||= connect
       @client_socket.write(syslog_msg + "\n")
     rescue => e
+      # We don't expect udp connections to fail because they are stateless, but ...
+      # udp connections may fail/raise an exception if used with localhost/127.0.0.1
+      return if udp?
+
       @logger.warn("syslog " + @protocol + " output exception: closing, reconnecting and resending event", :host => @host, :port => @port, :exception => e, :backtrace => e.backtrace, :event => event)
       @client_socket.close rescue nil
       @client_socket = nil
@@ -138,6 +199,10 @@ class LogStash::Outputs::Syslog < LogStash::Outputs::Base
     @protocol == "udp"
   end
 
+  def ssl?
+    @protocol == "ssl-tcp"
+  end
+
   def connect
     socket = nil
     if udp?
@@ -145,7 +210,39 @@ class LogStash::Outputs::Syslog < LogStash::Outputs::Base
       socket.connect(@host, @port)
     else
       socket = TCPSocket.new(@host, @port)
+      if ssl?
+        socket = OpenSSL::SSL::SSLSocket.new(socket, @ssl_context)
+        begin
+          socket.connect
+        rescue OpenSSL::SSL::SSLError => ssle
+          @logger.error("SSL Error", :exception => ssle,
+                        :backtrace => ssle.backtrace)
+          # NOTE(mrichar1): Hack to prevent hammering peer
+          sleep(5)
+          raise
+        end
+      end
     end
     socket
   end
+
+  def setup_ssl
+    require "openssl"
+    ssl_context = OpenSSL::SSL::SSLContext.new
+    ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@ssl_cert))
+    ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key),@ssl_key_passphrase)
+    if @ssl_verify
+      cert_store = OpenSSL::X509::Store.new
+      # Load the system default certificate path to the store
+      cert_store.set_default_paths
+      if File.directory?(@ssl_cacert)
+        cert_store.add_path(@ssl_cacert)
+      else
+        cert_store.add_file(@ssl_cacert)
+      end
+      ssl_context.cert_store = cert_store
+      ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+    end
+    ssl_context
+  end
 end

data/logstash-output-syslog.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-output-syslog'
-  s.version         = '2.1.0'
+  s.version         = '2.1.1'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Send events to a syslog server."
   s.description     = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
@@ -21,8 +21,9 @@ Gem::Specification.new do |s|
 
   # Gem dependencies
   s.add_runtime_dependency "logstash-core", ">= 2.0.0.beta2", "< 3.0.0"
+  s.add_runtime_dependency 'logstash-codec-plain'
 
   s.add_development_dependency 'logstash-devutils'
-  s.add_development_dependency 'logstash-codec-plain'
+  s.add_development_dependency 'logstash-codec-json'
 end
 

data/spec/outputs/syslog_spec.rb

@@ -2,6 +2,7 @@
 
 require "logstash/devutils/rspec/spec_helper"
 require "logstash/outputs/syslog"
+require "logstash/codecs/plain"
 
 describe LogStash::Outputs::Syslog do
 
@@ -47,4 +48,80 @@ describe LogStash::Outputs::Syslog do
 
     it_behaves_like "syslog output"
   end
+
+  context "sprintf rfc 3164" do
+    let(:event) { LogStash::Event.new({"message" => "bar", "host" => "baz", "facility" => "mail", "severity" => "critical", "appname" => "appname", "procid" => "1000" }) }
+    let(:options) { {"host" => "foo", "port" => "123", "facility" => "%{facility}", "severity" => "%{severity}", "appname" => "%{appname}", "procid" => "%{procid}"} }
+    let(:output) { /^<18>.+baz appname\[1000\]: bar\n/m }
+
+    it_behaves_like "syslog output"
+  end
+
+  context "sprintf rfc 5424" do
+    let(:event) { LogStash::Event.new({"message" => "bar", "host" => "baz", "facility" => "mail", "severity" => "critical", "appname" => "appname", "procid" => "1000", "msgid" => "2000" }) }
+    let(:options) { {"rfc" => "rfc5424", "host" => "foo", "port" => "123", "facility" => "%{facility}", "severity" => "%{severity}", "appname" => "%{appname}", "procid" => "%{procid}", "msgid" => "%{msgid}"} }
+    let(:output) { /^<18>1 .+baz appname 1000 2000 - bar\n/m }
+
+    it_behaves_like "syslog output"
+  end
+
+  context "use_labels == false, default" do
+    let(:event) { LogStash::Event.new({"message" => "bar", "host" => "baz" }) }
+    let(:options) { {"use_labels" => false, "host" => "foo", "port" => "123" } }
+    let(:output) { /^<13>.+baz LOGSTASH\[-\]: bar\n/m }
+
+    it_behaves_like "syslog output"
+  end
+
+  context "use_labels == false, syslog_pri" do
+    let(:event) { LogStash::Event.new({"message" => "bar", "host" => "baz", "syslog_pri" => "18" }) }
+    let(:options) { {"use_labels" => false, "host" => "foo", "port" => "123" } }
+    let(:output) { /^<18>.+baz LOGSTASH\[-\]: bar\n/m }
+
+    it_behaves_like "syslog output"
+  end
+
+  context "use_labels == false, sprintf" do
+    let(:event) { LogStash::Event.new({"message" => "bar", "host" => "baz", "priority" => "18" }) }
+    let(:options) { {"use_labels" => false, "host" => "foo", "port" => "123", "priority" => "%{priority}" } }
+    let(:output) { /^<18>.+baz LOGSTASH\[-\]: bar\n/m }
+
+    it_behaves_like "syslog output"
+  end
+
+  context "use plain codec with format set" do
+    let(:plain) { LogStash::Codecs::Plain.new({"format" => "%{host} %{message}"}) }
+    let(:options) { {"host" => "foo", "port" => "123", "facility" => "kernel", "severity" => "emergency", "codec" => plain} }
+    let(:output) { /^<0>.+baz LOGSTASH\[-\]: baz bar\n/m }
+
+    it_behaves_like "syslog output"
+  end
+
+  context "use codec json" do
+    let(:options) { {"host" => "foo", "port" => "123", "facility" => "kernel", "severity" => "emergency", "codec" => "json" } }
+    let(:output) { /^<0>.+baz LOGSTASH\[-\]: {\"message\":\"bar\",\"host\":\"baz\",\"@version\":\"1\",\"@timestamp\":\"[0-9TZ:.+-]+\"}\n/m }
+
+    it_behaves_like "syslog output"
+  end
+
+  context "escape carriage return, newline and newline to \\n" do
+    let(:options) { {"host" => "foo", "port" => "123", "facility" => "kernel", "severity" => "emergency", "message" => "foo\r\nbar\nbaz" } }
+    let(:output) { /^<0>.+baz LOGSTASH\[-\]: foo\\nbar\\nbaz\n/m }
+
+    it_behaves_like "syslog output"
+  end
+
+  context "tailing newline" do
+    let(:options) { {"host" => "foo", "port" => "123", "facility" => "kernel", "severity" => "emergency", "message" => "%{message}\n" } }
+    let(:output) { /^<0>.+baz LOGSTASH\[-\]: bar\n/m }
+
+    it_behaves_like "syslog output"
+  end
+
+  context "tailing carriage return and newline (windows)" do
+    let(:options) { {"host" => "foo", "port" => "123", "facility" => "kernel", "severity" => "emergency", "message" => "%{message}\n" } }
+    let(:output) { /^<0>.+baz LOGSTASH\[-\]: bar\n/m }
+
+    it_behaves_like "syslog output"
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-output-syslog
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.1.1
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-11-18 00:00:00.000000000 Z
+date: 2016-01-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logstash-core
@@ -30,6 +30,20 @@ dependencies:
         version: 3.0.0
   prerelease: false
   type: :runtime
+- !ruby/object:Gem::Dependency
+  name: logstash-codec-plain
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  prerelease: false
+  type: :runtime
 - !ruby/object:Gem::Dependency
   name: logstash-devutils
   version_requirements: !ruby/object:Gem::Requirement
@@ -45,7 +59,7 @@ dependencies:
   prerelease: false
   type: :development
 - !ruby/object:Gem::Dependency
-  name: logstash-codec-plain
+  name: logstash-codec-json
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
@@ -64,15 +78,15 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- lib/logstash/outputs/syslog.rb
-- spec/outputs/syslog_spec.rb
-- logstash-output-syslog.gemspec
 - CHANGELOG.md
-- README.md
 - CONTRIBUTORS
 - Gemfile
 - LICENSE
 - NOTICE.TXT
+- README.md
+- lib/logstash/outputs/syslog.rb
+- logstash-output-syslog.gemspec
+- spec/outputs/syslog_spec.rb
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
 - Apache License (2.0)
@@ -95,7 +109,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.1.9
+rubygems_version: 2.4.8
 signing_key:
 specification_version: 4
 summary: Send events to a syslog server.