syslogstash 2.2.0 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f27f4b8bc47949fc01e4cfd9bcb596fdea9143516326e8eb4d129bc8e16b9897
-  data.tar.gz: 176a5842fcee9deb2acc965f5886ce2c36a71a6b8482d37179e63b12e50bf7b1
+  metadata.gz: 24900387c20afb629c78879987193840d830df0973b1a57131306ae01f47a0cf
+  data.tar.gz: 2236f3b6bca37894f160688e0cc7432e4877f753548b6eea93fcc270df0eebfc
 SHA512:
-  metadata.gz: ad2ebf46bfcc956a0cc88f67bd651856843aed2ca7b4714cc275951a4dd8443d4c674d50dc0b302ed0a50357fdbf4f444acce710b92d02b0cc1b8cec9279d4d1
-  data.tar.gz: a154a28707c4120e0ea4ff920f76557beaa103d52d6121db3973f6a52d819ee8a83bb3e396ab68f536424c8182e4842756131dbfe595d2a3260c7ed42b38c749
+  metadata.gz: e82d6d53e887428310b2c03e6e3d11f5f16f55b62485595f20650b4061c1e59469f9955a03b9c885a1d5f1d843c4687f1b0c8b87b844a8a3dd1892b1d067252d
+  data.tar.gz: b9b16ddc853c60d08302af3eeb4965fdd1c2a29ea91f4ca695b6c30765e4c12bca5bf64de3645a094c39004af181f5db394bbd6f8978704b0c250d42c0286770

data/.editorconfig

@@ -0,0 +1,7 @@
+[*.rb]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+insert_final_newline = true
+charset = utf-8
+trim_trailing_whitespace = true

data/.travis.yml

@@ -0,0 +1,11 @@
+language: ruby
+sudo: false
+cache: bundler
+
+rvm:
+  - 2.4
+  - 2.5
+  - 2.6
+
+gemfile:
+  - Gemfile

data/Dockerfile

@@ -1,13 +1,10 @@
-FROM ruby:2.3-alpine
+FROM ruby:2.6
 
 ARG GEM_VERSION="> 0"
 
 COPY pkg/syslogstash-$GEM_VERSION.gem /tmp/syslogstash.gem
 
-RUN apk update \
-	&& apk add build-base \
-	&& gem install /tmp/syslogstash.gem \
-	&& apk del build-base \
-	&& rm -f /var/cache/apk/* /tmp/syslogstash.gem
+RUN gem install /tmp/syslogstash.gem \
+	&& rm -f /tmp/syslogstash.gem
 
 ENTRYPOINT ["/usr/local/bundle/bin/syslogstash"]

data/README.md

@@ -49,8 +49,8 @@ least, `syslogstash` needs to know where logstash is (`LOGSTASH_SERVER`),
 and the socket to listen on for syslog messages (`SYSLOG_SOCKET`).  You
 specify those on the command line, like so:
 
-    LOGSTASH_SERVER=logstash-json \
-      SYSLOG_SOCKET=/dev/log \
+    SYSLOGSTASH_LOGSTASH_SERVER=logstash-json \
+      SYSLOGSTASH_SYSLOG_SOCKET=/dev/log \
       syslogstash
 
 The full set of environment variables, and their meaning, is described in
@@ -92,6 +92,12 @@ aspects of runtime operation.  They are:
   the logstash server from DNS, then SIGHUP syslogstash to make it switch
   to another server.
 
+* **`SIGQUIT`** -- dump thread stacktraces and allocation information to
+  `stderr`.
+
+* **`SIGINT`** / **`SIGTERM`** -- gracefully terminate.  Sending either signal
+  twice will cause shutdown to be done somewhat less gracefully.
+
 
 ## Use with Docker
 
@@ -139,8 +145,8 @@ All configuration of syslogstash is done by placing values in environment
 variables.  The environment variables that syslogstash recognises are listed
 below.
 
-* **`LOGSTASH_SERVER`** (required) -- the domain name or address of the
-  logstash server(s) you wish to send entries to.  This can be any of:
+* **`SYSLOGSTASH_LOGSTASH_SERVER`** (required) -- the domain name or address of
+  the logstash server(s) you wish to send entries to.  This can be any of:
 
   * An IPv4 address and port, separated by a colon.  For example,
     `192.0.2.42:5151`.  The port *must* be specified.
@@ -161,35 +167,33 @@ below.
   In all cases, syslogstash respects DNS record TTLs and SRV record
   weight/priority selection rules.  We're not monsters.
 
-* **`SYSLOG_SOCKET`** (required) -- the absolute path to the socket which
-  syslogstash should create and listen on for syslog format messages.
+* **`SYSLOGSTASH_SYSLOG_SOCKET`** (required) -- the absolute path to the socket
+  which syslogstash should create and listen on for syslog format messages.
 
-* **`BACKLOG_SIZE`** (optional; default `"1000000"`) -- the maximum number of
-  messages to queue if the logstash servers are unavailable.  Under normal
-  operation, syslog messages are immediately relayed to the logstash server
-  as they are received.  However, if no logstash servers are available,
-  syslogstash will maintain a backlog of up to this many syslog messages,
-  and will send the entire backlog once a logstash server becomes available
-  again.
+* **`SYSLOGSTASH_BACKLOG_SIZE`** (optional; default `"1000000"`) -- the maximum
+  number of messages to queue if the logstash servers are unavailable.  Under
+  normal operation, syslog messages are immediately relayed to the logstash
+  server as they are received.  However, if no logstash servers are available,
+  syslogstash will maintain a backlog of up to this many syslog messages, and
+  will send the entire backlog once a logstash server becomes available again.
 
     In the event that the queue size limit is reached, the oldest messages
     will be dropped to make way for the new ones.
 
-* **`RELAY_TO_STDOUT`** (optional; default `"no"`) -- if set to a
+* **`SYSLOGSTASH_RELAY_TO_STDOUT`** (optional; default `"no"`) -- if set to a
   true-ish string (any of `true`, `yes`, `on`, or `1`, compared
   case-insensitively), then all the syslog messages which are received will
   be printed to stdout (with the priority/facility prefix removed).  This
   isn't a replacement for a fully-featured syslog server, merely a quick way
   to dump messages if absolutely required.
 
-* **`STATS_SERVER`** (optional; default `"no"`) -- if set to a true-ish
-  string (any of `true`, `yes`, `on`, or `1`, compared case-insensitively),
-  then a Prometheus-compatible statistics exporter will be started,
-  listening on all interfaces on port 9159.
+* **`SYSLOGSTASH_METRICS_PORT`** (optional; default `""`) -- if set to a
+  valid port number (1-65535), a Prometheus-compatible statistics exporter will be
+  started, listening on all interfaces on the specified port.
 
-* **`ADD_FIELD_<name>`** (optional) -- if you want to add extra fields to
-  the entries which are forwarded to logstash, you can specify them here,
-  for example:
+* **`SYSLOGSTASH_ADD_FIELD_<name>`** (optional) -- if you want to add extra
+  fields to the entries which are forwarded to logstash, you can specify them
+  here, for example:
 
         ADD_FIELD_foo=bar ADD_FIELD_baz=wombat [...] syslogstash
 
@@ -199,14 +203,19 @@ below.
     than strings, are not supported.  Also, if you specify a field name also
     used by syslogstash, the results are explicitly undefined.
 
-* **`RELAY_SOCKETS`** (optional; default `""`) -- on the off-chance you want
-  to feed the syslog messages that syslogstash receives to another
+* **`SYSLOGSTASH_RELAY_SOCKETS`** (optional; default `""`) -- on the off-chance
+  you want to feed the syslog messages that syslogstash receives to another
   syslog-compatible consumer (say, an old-school syslogd) you can specify
-  additional filenames to use here.  Multiple socket filenames can be
-  specified by separating each file name with a colon.  Syslogstash will open
-  each of the specified sockets, if they exist, and write each received
-  message to the socket.  If the socket does not exist, or the open or write
-  operations fail, syslogstash **will not** retry.
+  additional filenames to use here.  Multiple socket filenames can be specified
+  by separating each file name with a colon.  Syslogstash will open each of the
+  specified sockets, if they exist, and write each received message to the
+  socket.  If the socket does not exist, or the open or write operations fail,
+  syslogstash **will not** retry.
+
+* **`SYSLOGSTASH_DROP_REGEX`** (optional) -- Regular expression to run on
+  input, if it matches then the message will be dropped and not sent to
+  logstash.  However, it *will* still be sent to stdout and any relay sockets,
+  if those options are enabled.
 
 
 # Contributing
@@ -222,7 +231,7 @@ request](https://github.com/discourse/syslogstash/pulls].
 Unless otherwise stated, everything in this repo is covered by the following
 copyright notice:
 
-    Copyright (C) 2015, 2018 Civilized Discourse Construction Kit Inc.
+    Copyright (C) 2015, 2018, 2019 Civilized Discourse Construction Kit Inc.
 
     This program is free software: you can redistribute it and/or modify it
     under the terms of the GNU General Public License version 3, as

data/bin/syslogstash

@@ -1,62 +1,10 @@
 #!/usr/bin/env ruby
 
 require 'syslogstash'
-require 'logger'
-
-logger = Logger.new($stderr)
-logger.formatter = ->(s, t, p, m) { "#{s[0]} [#{p}] #{m}\n" }
-logger.level = Logger.const_get(ENV['SYSLOGSTASH_LOG_LEVEL'] || "INFO")
 
 begin
-  cfg = Syslogstash::Config.new(ENV, logger: logger)
-rescue Syslogstash::Config::ConfigurationError => ex
-  $stderr.puts "Error in configuration: #{ex.message}"
+  Syslogstash.new(ENV).start
+rescue ServiceSkeleton::Error::InvalidEnvironmentError => ex
+  $stderr.puts "Configuration error: #{ex.message}"
   exit 1
 end
-
-syslogstash = Syslogstash.new(cfg)
-
-sig_r, sig_w = IO.pipe
-
-Signal.trap("USR1") do
-  sig_w.print '1'
-end
-Signal.trap("USR2") do
-  sig_w.print '2'
-end
-Signal.trap("URG") do
-  sig_w.print 'U'
-end
-Signal.trap("HUP") do
-  sig_w.print 'H'
-end
-
-Thread.new do
-  loop do
-    begin
-      c = sig_r.getc
-      if c == '1'
-        logger.level -= 1 unless logger.level == Logger::DEBUG
-        logger.info("SignalHandler") { "Received SIGUSR1; log level is now #{Logger::SEV_LABEL[logger.level]}." }
-      elsif c == '2'
-        logger.level += 1 unless logger.level == Logger::ERROR
-        logger.info("SignalHandler") { "Received SIGUSR2; log level is now #{Logger::SEV_LABEL[logger.level]}." }
-      elsif c == 'U'
-        cfg.relay_to_stdout = !cfg.relay_to_stdout
-        logger.info("SignalHandler") { "Received SIGURG; Relaying to stdout is now #{cfg.relay_to_stdout ? "enabled" : "disabled"}" }
-      elsif c== 'H'
-        logger.info("SignalHandler") { "Received SIGHUP" }
-        syslogstash.force_disconnect!
-      else
-        logger.error("SignalHandler") { "Got an unrecognised character from signal pipe: #{c.inspect}" }
-      end
-    rescue StandardError => ex
-      logger.error("SignalHandler") { (["Exception raised: #{ex.message} (#{ex.class})"] + ex.backtrace).join("\n  ") }
-    rescue Exception => ex
-      $stderr.puts (["Fatal exception in syslogstash signal handler: #{ex.message} (#{ex.class})"] + ex.backtrace).join("\n  ")
-      exit 42
-    end
-  end
-end
-
-syslogstash.run

data/lib/syslogstash.rb

@@ -2,54 +2,59 @@ require 'uri'
 require 'socket'
 require 'json'
 require 'thwait'
+require 'logstash_writer'
+require 'service_skeleton'
 
 # Read syslog messages from one or more sockets, and send it to a logstash
 # server.
 #
-class Syslogstash
-	def initialize(cfg)
-		@cfg    = cfg
-		@stats  = PrometheusExporter.new(cfg)
-		@writer = LogstashWriter.new(cfg, @stats)
-		@reader = SyslogReader.new(cfg, @writer, @stats)
-		@logger = cfg.logger
-	end
-
-	def run
-		if @cfg.stats_server
-			@logger.debug("main") { "Running stats server" }
-			@stats.run
-		end
-
-		@writer.run
-		@reader.run
-
-		dead_thread = ThreadsWait.new(@reader.thread, @writer.thread).next_wait
-
-		if dead_thread == @writer.thread
-			@logger.error("main") { "Writer thread crashed." }
-		elsif dead_thread == @reader.thread
-			@logger.error("main") { "Reader thread crashed." }
-		else
-			@logger.fatal("main") { "ThreadsWait#next_wait returned unexpected value #{dead_thread.inspect}" }
-			exit 1
-		end
-
-		begin
-			dead_thread.join
-		rescue Exception => ex
-			@logger.error("main") { (["Exception in crashed thread was: #{ex.message} (#{ex.class})"] + ex.backtrace).join("\n  ") }
-		end
-
-		exit 1
-	end
-
-	def force_disconnect!
-		@writer.force_disconnect!
-	end
+class Syslogstash < ServiceSkeleton
+  string    :SYSLOGSTASH_LOGSTASH_SERVER
+  string    :SYSLOGSTASH_SYSLOG_SOCKET
+  string    :SYSLOGSTASH_RELAY_TO_STDOUT, default: false
+  string    :SYSLOGSTASH_DROP_REGEX, default: nil
+  integer   :SYSLOGSTASH_BACKLOG_SIZE, default: 1_000_000, range: 0..(2**31-1)
+  path_list :SYSLOGSTASH_RELAY_SOCKETS, default: []
+  kv_list   :SYSLOGSTASH_ADD_FIELDS, default: {}, key_pattern: /\ASYSLOGSTASH_ADD_FIELD_(.*)\z/
+
+  def initialize(*_)
+    super
+
+    hook_signal("URG") do
+      config.relay_to_stdout = !config.relay_to_stdout
+      logger.info(logloc) { "SIGURG received; relay_to_stdout is now #{config.relay_to_stdout.inspect}" }
+    end
+
+    @shutdown_reader, @shutdown_writer = IO.pipe
+
+    metrics.counter(:syslogstash_messages_received_total, "The number of syslog messages received from the log socket")
+    metrics.counter(:syslogstash_messages_sent_total, "The number of logstash messages sent to each logstash server")
+    metrics.gauge(:syslogstash_last_relayed_message_timestamp, "When the last message that was successfully relayed to logstash was originally received")
+    metrics.gauge(:syslogstash_queue_size, "How many messages are currently in the queue to be sent")
+    metrics.counter(:syslogstash_dropped_total, "Number of log entries that were not forwarded due to matching the drop regex")
+
+    @writer = LogstashWriter.new(server_name: config.logstash_server, backlog: config.backlog_size, logger: config.logger, metrics_registry: metrics)
+    @reader = SyslogReader.new(config, @writer, metrics)
+  end
+
+  def run
+    @writer.run
+    @reader.start!
+
+    @shutdown_reader.getc
+    @shutdown_reader.close
+  end
+
+  def shutdown
+    @reader.stop!
+    @writer.stop
+
+    @shutdown_writer.close
+  end
+
+  def force_disconnect!
+    @writer.force_disconnect!
+  end
 end
 
-require_relative 'syslogstash/config'
 require_relative 'syslogstash/syslog_reader'
-require_relative 'syslogstash/logstash_writer'
-require_relative 'syslogstash/prometheus_exporter'

data/lib/syslogstash/syslog_reader.rb

@@ -1,184 +1,216 @@
 # A single socket reader.
 #
 class Syslogstash::SyslogReader
-	attr_reader :thread
-
-	def initialize(cfg, logstash, stats)
-		@file, @logstash, @stats = cfg.syslog_socket, logstash, stats
-
-		@add_fields = cfg.add_fields
-		@relay_to   = cfg.relay_sockets
-		@cfg        = cfg
-		@logger     = cfg.logger
-	end
-
-	# Start reading from the socket file, parsing entries, and flinging
-	# them at logstash.  This method will return, with the operation
-	# continuing in a separate thread.
-	#
-	def run
-		@logger.debug("reader") { "#run called" }
-
-		begin
-			socket = Socket.new(Socket::AF_UNIX, Socket::SOCK_DGRAM, 0)
-			socket.bind(Socket.pack_sockaddr_un(@file))
-			File.chmod(0666, @file)
-		rescue Errno::EEXIST, Errno::EADDRINUSE
-			@logger.info("reader") { "socket file #{@file} already exists; deleting" }
-			File.unlink(@file) rescue nil
-			retry
-		rescue StandardError => ex
-			raise ex.class, "Error while trying to bind to #{@file}: #{ex.message}", ex.backtrace
-		end
-
-		@thread = Thread.new do
-			begin
-				loop do
-					msg = socket.recvmsg
-					@logger.debug("reader") { "Message received: #{msg.inspect}" }
-					@stats.received(@file)
-					relay_message msg.first
-					process_message msg.first.chomp
-				end
-			ensure
-				socket.close
-				@logger.debug("reader") { "removing socket file #{@file}" }
-				File.unlink(@file) rescue nil
-			end
-		end
-	end
-
-	private
-
-	def process_message(msg)
-		if msg =~ /^<(\d+)>(\w{3} [ 0-9]{2} [0-9:]{8}) (.*)$/
-			flags     = $1.to_i
-			timestamp = $2
-			content   = $3
-
-			# Lo! the many ways that syslog messages can be formatted
-			hostname, program, pid, message = case content
-				# the gold standard: hostname, program name with optional PID
-				when /^([a-zA-Z0-9._-]*[^:]) (\S+?)(\[(\d+)\])?: (.*)$/
-					[$1, $2, $4, $5]
-				# hostname, no program name
-				when /^([a-zA-Z0-9._-]+) (\S+[^:] .*)$/
-					[$1, nil, nil, $2]
-				# program name, no hostname (yeah, you heard me, non-RFC compliant!)
-				when /^(\S+?)(\[(\d+)\])?: (.*)$/
-					[nil, $1, $3, $4]
-				else
-					# I have NFI
-					[nil, nil, nil, content]
-			end
-
-			severity = flags % 8
-			facility = flags / 8
-
-			log_entry = log_entry(
-				syslog_timestamp: timestamp,
-				severity:         severity,
-				facility:         facility,
-				hostname:         hostname,
-				program:          program,
-				pid:              pid.nil? ? nil : pid.to_i,
-				message:          message,
-			).to_json
-
-			@logstash.send_entry(log_entry)
-		else
-			@logger.warn("reader") { "Unparseable message: #{msg.inspect}" }
-		end
-	end
-
-	def log_entry(h)
-		{}.tap do |e|
-			e['@version']   = '1'
-			e['@timestamp'] = Time.now.utc.strftime("%FT%T.%LZ")
-
-			h[:facility_name] = FACILITIES[h[:facility]]
-			h[:severity_name] = SEVERITIES[h[:severity]]
-
-			e.merge!(h.delete_if { |k,v| v.nil? })
-			e.merge!(@add_fields)
-
-			@logger.debug("reader") { "Complete log entry is: #{e.inspect}" }
-		end
-	end
-
-	def relay_message(msg)
-		@currently_failed ||= {}
-
-		if @cfg.relay_to_stdout
-			# This one's easy
-			puts msg.sub(/\A<\d+>/, '')
-			$stdout.flush
-		end
-
-		@relay_to.each do |f|
-			s = Socket.new(Socket::AF_UNIX, Socket::SOCK_DGRAM, 0)
-			begin
-				s.connect(Socket.pack_sockaddr_un(f))
-			rescue Errno::ENOENT
-				# Socket doesn't exist; we don't care enough about this to bother
-				# reporting it.  People will figure it out themselves soon enough.
-			rescue StandardError => ex
-				unless @currently_failed[f]
-					@logger.warn("reader") { "Error while connecting to relay socket #{f}: #{ex.message} (#{ex.class})" }
-					@currently_failed[f] = true
-				end
-				next
-			end
-
-			begin
-				# We really, *really* don't want to block the world just because
-				# whoever's on the other end of the relay socket can't process
-				# messages quick enough.
-				s.sendmsg_nonblock(msg)
-				if @currently_failed[f]
-					@logger.info("reader") { "Error on socket #{f} has cleared; messages are being delivered again" }
-					@currently_failed[f] = false
-				end
-			rescue Errno::ENOTCONN
-				unless @currently_failed[f]
-					@logger.debug("reader") { "Nothing is listening on socket #{f}" }
-					@currently_failed[f] = true
-				end
-			rescue IO::EAGAINWaitWritable
-				unless @currently_failed[f]
-					@logger.warn("reader") { "Socket #{f} is currently backlogged; messages to this socket are now being discarded undelivered" }
-					@currently_failed[f] = true
-				end
-			rescue StandardError => ex
-				@logger.warn("reader") { (["Failed to relay message to socket #{f} from #{@file}: #{ex.message} (#{ex.class})"] + ex.backtrace).join("\n  ") }
-			end
-		end
-	end
-
-	FACILITIES = %w{
-		kern
-		user
-		mail
-		daemon
-		auth
-		syslog
-		lpr
-		news
-		uucp
-		cron
-		authpriv
-		ftp
-		local0 local1 local2 local3 local4 local5 local6 local7
-	}
-
-	SEVERITIES = %w{
-		emerg
-		alert
-		crit
-		err
-		warning
-		notice
-		info
-		debug
-	}
+  include ServiceSkeleton::BackgroundWorker
+
+  def initialize(config, logstash, metrics)
+    @config, @logstash, @metrics = config, logstash, metrics
+
+    @logger = config.logger
+
+    @shutdown_reader, @shutdown_writer = IO.pipe
+
+    super
+  end
+
+  # Start reading from the socket file, parsing entries, and flinging
+  # them at logstash.
+  #
+  def start
+    config.logger.debug(logloc) { "off we go!" }
+
+    begin
+      socket = Socket.new(Socket::AF_UNIX, Socket::SOCK_DGRAM, 0)
+      socket.bind(Socket.pack_sockaddr_un(config.syslog_socket))
+      File.chmod(0666, config.syslog_socket)
+    rescue Errno::EEXIST, Errno::EADDRINUSE
+      config.logger.info(logloc) { "socket file #{config.syslog_socket} already exists; deleting" }
+      File.unlink(config.syslog_socket) rescue nil
+      retry
+    rescue StandardError => ex
+      raise ex.class, "Error while trying to bind to #{config.syslog_socket}: #{ex.message}", ex.backtrace
+    end
+
+    begin
+      loop do
+        IO.select([@shutdown_reader, socket]).first.each do |fd|
+          if fd == socket
+            begin
+              msg = socket.recvmsg_nonblock
+            rescue IO::WaitWritable
+              config.logger.debug(logloc) { "select said a message was waiting, but it wasn't.  o.O" }
+            else
+              config.logger.debug(logloc) { "Message received: #{msg.inspect}" }
+              @metrics.messages_received_total.increment(socket_path: config.syslog_socket)
+              @metrics.queue_size.increment({})
+              relay_message msg.first
+              process_message msg.first.chomp
+            end
+          elsif fd == @shutdown_reader
+            @shutdown_reader.close
+            config.logger.debug(logloc) { "Tripped over shutdown reader" }
+            break
+          end
+        end
+      end
+    ensure
+      socket.close
+      config.logger.debug(logloc) { "removing socket file #{config.syslog_socket}" }
+      File.unlink(config.syslog_socket) rescue nil
+    end
+  end
+
+  def shutdown
+    @shutdown_writer.close
+  end
+
+  private
+
+  attr_reader :config, :logger
+
+  def process_message(msg)
+    if msg =~ /^<(\d+)>(\w{3} [ 0-9]{2} [0-9:]{8}) (.*)$/
+      flags     = $1.to_i
+      timestamp = $2
+      content   = $3
+
+      # Lo! the many ways that syslog messages can be formatted
+      hostname, program, pid, message = case content
+        # the gold standard: hostname, program name with optional PID
+        when /^([a-zA-Z0-9._-]*[^:]) (\S+?)(\[(\d+)\])?: (.*)$/
+          [$1, $2, $4, $5]
+        # hostname, no program name
+        when /^([a-zA-Z0-9._-]+) (\S+[^:] .*)$/
+          [$1, nil, nil, $2]
+        # program name, no hostname (yeah, you heard me, non-RFC compliant!)
+        when /^(\S+?)(\[(\d+)\])?: (.*)$/
+          [nil, $1, $3, $4]
+        else
+          # I have NFI
+          [nil, nil, nil, content]
+      end
+
+      if config.drop_regex && message && message.match?(config.drop_regex)
+        @metrics.dropped_total.increment({})
+        config.logger.debug(logloc) { "dropping message #{message}" }
+        return
+      end
+
+      severity = flags % 8
+      facility = flags / 8
+
+      log_entry = log_entry(
+        syslog_timestamp: timestamp,
+        severity:         severity,
+        facility:         facility,
+        hostname:         hostname,
+        program:          program,
+        pid:              pid.nil? ? nil : pid.to_i,
+        message:          message,
+      )
+
+      @logstash.send_event(log_entry)
+    else
+      config.logger.warn(logloc) { "Unparseable message: #{msg.inspect}" }
+    end
+  end
+
+  def log_entry(h)
+    {}.tap do |e|
+      e['@version']   = '1'
+      e['@timestamp'] = Time.now.utc.strftime("%FT%T.%LZ")
+
+      h[:facility_name] = FACILITIES[h[:facility]]
+      h[:severity_name] = SEVERITIES[h[:severity]]
+
+      e.merge!(h.delete_if { |k,v| v.nil? })
+      e.merge!(config.add_fields)
+
+      config.logger.debug(logloc) { "Complete log entry is: #{e.inspect}" }
+    end
+  end
+
+  def relay_message(msg)
+    @currently_failed ||= {}
+
+    if config.relay_to_stdout
+      # This one's easy
+      puts msg.sub(/\A<\d+>/, '')
+      $stdout.flush
+    end
+
+    config.relay_sockets.each do |f|
+      relay_to_socket(f)
+    end
+  end
+
+  def relay_to_socket(f)
+    begin
+      s = Socket.new(Socket::AF_UNIX, Socket::SOCK_DGRAM, 0)
+      begin
+        s.connect(Socket.pack_sockaddr_un(f))
+      rescue Errno::ENOENT
+        # Socket doesn't exist; we don't care enough about this to bother
+        # reporting it.  People will figure it out themselves soon enough.
+      rescue StandardError => ex
+        unless @currently_failed[f]
+          config.logger.warn(logloc) { "Error while connecting to relay socket #{f}: #{ex.message} (#{ex.class})" }
+          @currently_failed[f] = true
+        end
+        return
+      end
+
+      begin
+        # We really, *really* don't want to block the world just because
+        # whoever's on the other end of the relay socket can't process
+        # messages quick enough.
+        s.sendmsg_nonblock(msg)
+        if @currently_failed[f]
+          config.logger.info(logloc) { "Error on socket #{f} has cleared; messages are being delivered again" }
+          @currently_failed[f] = false
+        end
+      rescue Errno::ENOTCONN
+        unless @currently_failed[f]
+          config.logger.debug(logloc) { "Nothing is listening on socket #{f}" }
+          @currently_failed[f] = true
+        end
+      rescue IO::EAGAINWaitWritable
+        unless @currently_failed[f]
+          config.logger.warn(logloc) { "Socket #{f} is currently backlogged; messages to this socket are now being discarded undelivered" }
+          @currently_failed[f] = true
+        end
+      rescue StandardError => ex
+        config.logger.warn(logloc) { (["Failed to relay message to socket #{f} from #{config.syslog_socket}: #{ex.message} (#{ex.class})"] + ex.backtrace).join("\n  ") }
+      end
+    ensure
+      s.close
+    end
+  end
+
+  FACILITIES = %w{
+    kern
+    user
+    mail
+    daemon
+    auth
+    syslog
+    lpr
+    news
+    uucp
+    cron
+    authpriv
+    ftp
+    local0 local1 local2 local3 local4 local5 local6 local7
+  }
+
+  SEVERITIES = %w{
+    emerg
+    alert
+    crit
+    err
+    warning
+    notice
+    info
+    debug
+  }
 end