syslogstash 0.1.0

data/README.md

@@ -0,0 +1,93 @@
+Feed everything from one or more syslog pipes to a logstash server.
+
+# Installation
+
+It's a gem:
+
+    gem install syslogstash
+
+There's also the wonders of [the Gemfile](http://bundler.io):
+
+    gem 'syslogstash'
+
+If you're the sturdy type that likes to run from git:
+
+    rake install
+
+Or, if you've eschewed the convenience of Rubygems entirely, then you
+presumably know what to do already.
+
+
+# Usage
+
+Write a configuration file, then start `syslogstash` giving the name of the
+config file as an argument:
+
+    syslogstash /etc/syslogstash.conf
+
+## Config File Format
+
+The file which describes how `syslogstash` will operate is a fairly simple
+YAML file.  It consists of two sections, `sockets` and `servers`, which list
+the UNIX sockets to listen for syslog messages on, and the URLs of logstash
+servers to send the resulting log entries to.  Optionally, you can specify
+additional tags to insert into every message received from each syslog
+socket.
+
+It looks like this:
+
+    sockets:
+      # These sockets have no additional tags
+      /tmp/sock1:
+      /tmp/sock2:
+
+      # This socket will have its messages tagged
+      /tmp/taggedsock:
+        foo: bar
+        baz: wombat
+
+    # Every log entry received will be sent to *exactly* one of these
+    # servers.  This provides high availability for your log messages.
+    # NOTE: Only tcp:// URLs are supported.
+    servers:
+      - tcp://10.0.0.1:5151
+      - tcp://10.0.0.2:5151
+
+
+## Logstash server configuration
+
+You'll need to setup a TCP input, with the `json_lines` codec, for
+`syslogstash` to send log entries to.  It can look as simple as this:
+
+      tcp {
+        port  => 5151
+        codec => "json_lines"
+      }
+
+
+# Contributing
+
+Bug reports should be sent to the [Github issue
+tracker](https://github.com/discourse/syslogstash/issues).
+Patches can be sent as a [Github pull
+request](https://github.com/discourse/syslogstash/pulls].
+
+
+# Licence
+
+Unless otherwise stated, everything in this repo is covered by the following
+copyright notice:
+
+    Copyright (C) 2015 Civilized Discourse Construction Kit Inc.
+
+    This program is free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License version 3, as
+    published by the Free Software Foundation.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.

data/bin/syslogstash

@@ -0,0 +1,51 @@
+#!/usr/bin/env ruby
+
+require 'syslogstash'
+require 'yaml'
+
+if ARGV.length != 1
+	$stderr.puts <<-EOF.gsub(/^\t\t/, '')
+		Invalid usage
+
+		Usage:
+		  #{$0} <configfile>
+	EOF
+
+	exit 1
+end
+
+unless File.exist?(ARGV[0])
+	$stderr.puts "Config file #{ARGV[0]} does not exist"
+	exit 1
+end
+
+unless File.readable?(ARGV[0])
+	$stderr.puts "Config file #{ARGV[0]} not readable"
+	exit 1
+end
+
+cfg = YAML.load_file(ARGV[0])
+
+unless cfg.is_a? Hash
+	$stderr.puts "Config file #{ARGV[0]} does not contain a YAML hash"
+	exit 1
+end
+
+%w{sockets servers}.each do |section|
+	unless cfg.has_key?(section)
+		$stderr.puts "Config file #{ARGV[0]} does not have a '#{section}' section"
+		exit 1
+	end
+
+	unless cfg[section].respond_to?(:empty?)
+		$stderr.puts "Config file #{ARGV[0]} has a malformed '#{section}' section"
+		exit 1
+	end
+
+	if cfg[section].empty?
+		$stderr.puts "Config file #{ARGV[0]} has an empty '#{section}' section"
+		exit 1
+	end
+end
+
+Syslogstash.new(cfg['sockets'], cfg['servers']).run

data/lib/syslogstash.rb

@@ -0,0 +1,26 @@
+require 'uri'
+require 'socket'
+require 'json'
+
+# Read syslog messages from one or more sockets, and send it to a logstash
+# server.
+#
+class Syslogstash
+	def initialize(sockets, servers)
+		@writer = LogstashWriter.new(servers)
+
+		@readers = sockets.map { |f, tags| SyslogReader.new(f, tags, @writer) }
+	end
+
+	def run
+		@writer.run
+		@readers.each { |w| w.run }
+
+		@writer.wait
+		@readers.each { |w| w.wait }
+	end
+end
+
+require_relative 'syslogstash/syslog_reader'
+require_relative 'syslogstash/logstash_writer'
+

data/lib/syslogstash/logstash_writer.rb

@@ -0,0 +1,110 @@
+require_relative 'worker'
+
+# Write messages to one of a collection of logstash servers.
+#
+class Syslogstash::LogstashWriter
+	include Syslogstash::Worker
+
+	# Create a new logstash writer.
+	#
+	# Give it a list of servers, and your writer will be ready to go.
+	# No messages will actually be *delivered*, though, until you call #run.
+	#
+	def initialize(servers)
+		@servers = servers.map { |s| URI(s) }
+
+		unless @servers.all? { |url| url.scheme == 'tcp' }
+			raise ArgumentError,
+					"Unsupported URL scheme: #{@servers.select { |url| url.scheme != 'tcp' }.join(', ')}"
+		end
+
+		@entries = []
+		@entries_mutex = Mutex.new
+	end
+
+	# Add an entry to the list of messages to be sent to logstash.  Actual
+	# message delivery will happen in a worker thread that is started with
+	# #run.
+	#
+	def send_entry(e)
+		@entries_mutex.synchronize { @entries << e }
+		@worker.run if @worker
+	end
+
+	# Start sending messages to logstash servers.  This method will return
+	# almost immediately, and actual message sending will occur in a
+	# separate worker thread.
+	#
+	def run
+		@worker = Thread.new { send_messages }
+	end
+
+	private
+
+	def send_messages
+		loop do
+			if @entries_mutex.synchronize { @entries.empty? }
+				sleep 1
+			else
+				begin
+					entry = @entries_mutex.synchronize { @entries.shift }
+
+					current_server do |s|
+						s.puts entry
+					end
+
+					# If we got here, we sent successfully, so we don't want
+					# to put the entry back on the queue in the ensure block
+					entry = nil
+				ensure
+					@entries_mutex.synchronize { @entries.unshift if entry }
+				end
+			end
+		end
+	end
+
+	# *Yield* a TCPSocket connected to the server we currently believe to
+	# be accepting log entries, so that something can send log entries to
+	# it.
+	#
+	# The yielding is very deliberate: it allows us to centralise all
+	# error detection and handling within this one method, and retry
+	# sending just be calling `yield` again when we've connected to
+	# another server.
+	#
+	def current_server
+		# I could handle this more cleanly with recursion, but I don't want
+		# to fill the stack if we have to retry a lot of times
+		done = false
+
+		until done
+			if @current_server
+				begin
+					debug { "Using current server" }
+					yield @current_server
+					done = true
+				rescue SystemCallError => ex
+					# Something went wrong during the send; disconnect from this
+					# server and recycle
+					debug { "Error while writing to current server: #{ex.message} (#{ex.class})" }
+					@current_server.close
+					@current_server = nil
+					sleep 0.1
+				end
+			else
+				begin
+					# Rotate the next server onto the back of the list
+					next_server = @servers.shift
+					debug { "Trying to connect to #{next_server.to_s}" }
+					@servers.push(next_server)
+					@current_server = TCPSocket.new(next_server.host, next_server.port)
+				rescue SystemCallError => ex
+					# Connection failed for any number of reasons; try again
+					debug { "Failed to connect to #{next_server.to_s}: #{ex.message} (#{ex.class})" }
+					sleep 0.1
+					retry
+				end
+			end
+		end
+	end
+end

data/lib/syslogstash/syslog_reader.rb

@@ -0,0 +1,123 @@
+require_relative 'worker'
+
+# A single socket reader.
+#
+class Syslogstash::SyslogReader
+	include Syslogstash::Worker
+
+	def initialize(file, tags, logstash)
+		@file, @tags, @logstash = file, tags, logstash
+	end
+
+	# Start reading from the socket file, parsing entries, and flinging
+	# them at logstash.  This method will return, with the operation
+	# continuing in a separate thread.
+	#
+	def run
+		debug { "#run called" }
+
+		socket = Socket.new(Socket::AF_UNIX, Socket::SOCK_DGRAM, 0)
+		socket.bind(Socket.pack_sockaddr_un(@file))
+
+		@worker = Thread.new do
+			begin
+				loop do
+					msg = socket.recvmsg
+					debug { "Message received: #{msg.inspect}" }
+					process_message msg.first.chomp
+				end
+			ensure
+				socket.close
+				File.unlink(@file) rescue nil
+			end
+		end
+	end
+
+	private
+
+	def process_message(msg)
+		if msg =~ /^<(\d+)>(\w{3} [ 0-9]{2} [0-9:]{8}) (.*)$/
+			flags     = $1.to_i
+			timestamp = $2
+			content   = $3
+
+			# Lo! the many ways that syslog messages can be formatted
+			hostname, program, pid, message = case content
+				# the gold standard: hostname, program name with optional PID
+				when /^([a-zA-Z0-9_-]*[^:]) (\S+?)(\[(\d+)\])?: (.*)$/
+					[$1, $2, $4, $5]
+				# hostname, no program name
+				when /^([a-zA-Z0-9_-]+) (\S+[^:] .*)$/
+					[$1, nil, nil, $2]
+				# program name, no hostname (yeah, you heard me, non-RFC compliant!)
+				when /^(\S+?)(\[(\d+)\])?: (.*)$/
+					[nil, $1, $3, $4]
+				else
+					# I have NFI
+					[nil, nil, nil, content]
+			end
+
+			severity = flags % 8
+			facility = flags / 8
+
+			log_entry = log_entry(
+				syslog_timestamp: timestamp,
+				severity:         severity,
+				facility:         facility,
+				hostname:         hostname,
+				program:          program,
+				pid:              pid,
+				message:          message,
+			).to_json
+
+			@logstash.send_entry(log_entry)
+		else
+			$stderr.puts "Unparseable message: #{msg}"
+		end
+	end
+
+	def log_entry(h)
+		{}.tap do |e|
+			e['@version']   = '1'
+			e['@timestamp'] = Time.now.utc.strftime("%FT%T.%LZ")
+
+			h['facility_name'] = FACILITIES[h[:facility]]
+			h['severity_name'] = SEVERITIES[h[:severity]]
+
+			e.merge!(h.delete_if { |k,v| v.nil? })
+
+			e[:pid] = e[:pid].to_i if e.has_key?(:pid)
+
+			e.merge!(@tags) if @tags.is_a? Hash
+
+			debug { "Log entry is: #{e.inspect}" }
+		end
+	end
+
+	FACILITIES = %w{
+		kern
+		user
+		mail
+		daemon
+		auth
+		syslog
+		lpr
+		news
+		uucp
+		cron
+		authpriv
+		ftp
+		local0 local1 local2 local3 local4 local5 local6 local7
+	}
+
+	SEVERITIES = %w{
+		emerg
+		alert
+		crit
+		err
+		warning
+		notice
+		info
+		debug
+	}
+end

data/lib/syslogstash/worker.rb

@@ -0,0 +1,26 @@
+# Common code shared between both readers and writers.
+#
+module Syslogstash::Worker
+	# If you ever want to stop a reader, here's how.
+	def stop
+		if @worker
+			@worker.kill
+			@worker.join
+			@worker = nil
+		end
+	end
+
+	# If you want to wait for a reader to die, here's how.
+	#
+	def wait
+		@worker.join
+	end
+
+	private
+
+	def debug
+		if ENV['DEBUG_SYSLOGSTASH']
+			puts "#{Time.now.strftime("%F %T.%L")} #{self.class} #{yield.to_s}"
+		end
+	end
+end

data/syslogstash.gemspec

@@ -0,0 +1,37 @@
+begin
+	require 'git-version-bump'
+rescue LoadError
+	nil
+end
+
+Gem::Specification.new do |s|
+	s.name = "syslogstash"
+
+	s.version = GVB.version rescue "0.0.0.1.NOGVB"
+	s.date    = GVB.date    rescue Time.now.strftime("%Y-%m-%d")
+
+	s.platform = Gem::Platform::RUBY
+
+	s.summary  = "Send messages from syslog UNIX sockets to logstash"
+
+	s.authors  = ["Matt Palmer"]
+	s.email    = ["matt.palmer@discourse.org"]
+	s.homepage = "https://github.com/discourse/syslogstash"
+
+	s.files = `git ls-files -z`.split("\0").reject { |f| f =~ /^(G|spec|Rakefile)/ }
+	s.executables = ["syslogstash"]
+
+	s.required_ruby_version = ">= 2.1.0"
+
+	s.add_development_dependency 'bundler'
+	s.add_development_dependency 'github-release'
+	s.add_development_dependency 'guard-spork'
+	s.add_development_dependency 'guard-rspec'
+	s.add_development_dependency 'rake', '~> 10.4', '>= 10.4.2'
+	# Needed for guard
+	s.add_development_dependency 'rb-inotify', '~> 0.9'
+	s.add_development_dependency 'redcarpet'
+	s.add_development_dependency 'rspec'
+	s.add_development_dependency 'webmock'
+	s.add_development_dependency 'yard'
+end