2
* This is a custom developed plugin to process bind information into
3
* a specific SQL statement. While the actual processing may be too specific
4
* to be of general use, this module serves as a template on how this type
5
* of processing can be done.
8
* "%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
9
* Note that this is the same as smtradfile.c, except that we do have a RFC3339 timestamp. However,
10
* we have copied over the code from there, it is too simple to go through all the hassle
11
* of having a single code base.
13
* NOTE: read comments in module-template.h to understand how this file
16
* File begun on 2011-03-17 by RGerhards
18
* Copyright 2011 Rainer Gerhards and Adiscon GmbH.
20
* This file is part of rsyslog.
22
* Rsyslog is free software: you can redistribute it and/or modify
23
* it under the terms of the GNU General Public License as published by
24
* the Free Software Foundation, either version 3 of the License, or
25
* (at your option) any later version.
27
* Rsyslog is distributed in the hope that it will be useful,
28
* but WITHOUT ANY WARRANTY; without even the implied warranty of
29
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
30
* GNU General Public License for more details.
32
* You should have received a copy of the GNU General Public License
33
* along with Rsyslog. If not, see <http://www.gnu.org/licenses/>.
35
* A copy of the GPL can be found in the file "COPYING" in this distribution.
45
#include "syslogd-types.h"
46
#include "cfsysline.h"
49
#include "module-template.h"
50
#include "unicode-helper.h"
55
STRGEN_NAME("Custom_BindCDR,sql")
57
/* internal structures
62
/* list of "allowed" IPs */
63
typedef struct allowedip_s {
65
struct allowedip_s *next;
68
static allowedip_t *root;
73
/* check if the provided IP is (already) in the allowed list
76
isAllowed(uchar *pszIP)
81
for(pallow = root ; pallow != NULL ; pallow = pallow->next) {
82
if(!ustrcmp(pallow->pszIP, pszIP)) {
87
finalize_it: return ret;
90
/* This function is called to add an additional allowed IP. It adds
91
* the IP to the linked list of them. An error is emitted if the IP
94
static rsRetVal addAllowedIP(void __attribute__((unused)) *pVal, uchar *pNewVal)
99
if(isAllowed(pNewVal)) {
100
errmsg.LogError(0, NO_ERRCODE, "error: allowed IP '%s' already configured "
101
"duplicate ignored", pNewVal);
102
ABORT_FINALIZE(RS_RET_ERR);
105
CHKmalloc(pNew = malloc(sizeof(allowedip_t)));
106
pNew->pszIP = pNewVal;
109
DBGPRINTF("sm_cust_bindcdr: allowed IP '%s' added.\n", pNewVal);
112
if(iRet != RS_RET_OK) {
119
/* This strgen tries to minimize the amount of reallocs be first obtaining pointers to all strings
120
* needed (including their length) and then calculating the actual space required. So when we
121
* finally copy, we know exactly what we need. So we do at most one alloc.
122
* An actual message sample for what we intend to parse is (one line):
123
<30>Mar 24 13:01:51 named[6085]: 24-Mar-2011 13:01:51.865 queries: info: client 10.0.0.96#39762: view trusted: query: 8.6.0.9.9.4.1.4.6.1.8.3.mobilecrawler.com IN TXT + (10.0.0.96)
125
//previos dev: #define SQL_STMT "INSERT INTO CDR(`Date`,`Time`, timeMS, client, view, query, ip) VALUES ('"
126
#define SQL_STMT "INSERT INTO CDR(`date`,ip,user,dest) VALUES ('"
127
#define ADD_SQL_DELIM \
128
memcpy(*ppBuf + iBuf, "', '", sizeof("', '") - 1); \
129
iBuf += sizeof("', '") - 1;
130
#define SQL_STMT_END "');\n"
150
/* first create an empty statement. This is to be replaced if
151
* we have better data to fill in.
153
/* now make sure buffer is large enough */
155
CHKiRet(ExtendBuf(ppBuf, pLenBuf, 2));
156
memcpy(*ppBuf, ";", sizeof(";"));
158
/* first obtain all strings and their length (if not fixed) */
159
/* Note that there are two date fields present, one in the header
160
* and one more in the actual message. We use the one from the message
161
* and parse that our. We check validity based on some fixe fields. In-
162
* depth verification is probably not worth the effort (CPU time), because
163
* we do various other checks on the message format below).
166
if(psz[0] == ' ' && psz[3] == '-' && psz[7] == '-') {
167
memcpy(szDate, psz+8, 4);
169
if(!strncmp((char*)psz+4, "Jan", 3)) {
172
} else if(!strncmp((char*)psz+4, "Feb", 3)) {
175
} else if(!strncmp((char*)psz+4, "Mar", 3)) {
178
} else if(!strncmp((char*)psz+4, "Apr", 3)) {
181
} else if(!strncmp((char*)psz+4, "May", 3)) {
184
} else if(!strncmp((char*)psz+4, "Jun", 3)) {
187
} else if(!strncmp((char*)psz+4, "Jul", 3)) {
190
} else if(!strncmp((char*)psz+4, "Aug", 3)) {
193
} else if(!strncmp((char*)psz+4, "Sep", 3)) {
196
} else if(!strncmp((char*)psz+4, "Oct", 3)) {
199
} else if(!strncmp((char*)psz+4, "Nov", 3)) {
202
} else if(!strncmp((char*)psz+4, "Dec", 3)) {
212
dbgprintf("Custom_BindCDR: date part in msg missing\n");
213
ABORT_FINALIZE(RS_RET_ERR);
216
/* now time (pull both regular time and ms) */
217
if(psz[12] == ' ' && psz[15] == ':' && psz[18] == ':' && psz[21] == '.' && psz[25] == ' ') {
218
memcpy(szTime, (char*)psz+13, 8);
221
memcpy(szMSec, (char*)psz+22, 3);
225
dbgprintf("Custom_BindCDR: date part in msg missing\n");
226
ABORT_FINALIZE(RS_RET_ERR);
230
psz = (uchar*) strstr((char*) getMSG(pMsg), "client ");
232
dbgprintf("Custom_BindCDR: client part in msg missing\n");
233
ABORT_FINALIZE(RS_RET_ERR);
235
psz += sizeof("client ") - 1; /* skip "label" */
237
; *psz && *psz != '#' && lenClient < sizeof(szClient) - 1
239
szClient[lenClient] = *psz++;
241
szClient[lenClient] = '\0';
245
psz = (uchar*) strstr((char*) getMSG(pMsg), "view ");
247
dbgprintf("Custom_BindCDR: view part in msg missing\n");
248
ABORT_FINALIZE(RS_RET_ERR);
250
psz += sizeof("view ") - 1; /* skip "label" */
252
; *psz && *psz != ':' && lenView < sizeof(szView) - 1
254
szView[lenView] = *psz++;
256
szView[lenView] = '\0';
259
/* "query" - we must extract just the number, and in reverse! */
260
psz = (uchar*) strstr((char*) getMSG(pMsg), "query: ");
262
dbgprintf("Custom_BindCDR: query part in msg missing\n");
263
ABORT_FINALIZE(RS_RET_ERR);
265
psz += sizeof("query: ") - 1; /* skip "label" */
266
/* first find end-of-strihttp://www.rsyslog.com/doc/omruleset.htmlng to process */
267
while(*psz && (isdigit(*psz) || *psz == '.')) {
270
/* now shuffle data */
272
; *psz && *psz != ' ' && lenQuery < sizeof(szQuery) - 1
275
szQuery[lenQuery++] = *psz;
277
szQuery[lenQuery] = '\0';
281
psz = (uchar*) strstr((char*) getMSG(pMsg), "IN TXT + (");
283
dbgprintf("Custom_BindCDR: ip part in msg missing\n");
284
ABORT_FINALIZE(RS_RET_ERR);
286
psz += sizeof("IN TXT + (") - 1; /* skip "label" */
288
; *psz && *psz != ')' && lenIP < sizeof(szIP) - 1
290
szIP[lenIP] = *psz++;
296
/* --- strings extracted ---- */
298
/* now check if the IP is "allowed", in which case we should not
299
* insert into the database.
301
if(isAllowed(szIP)) {
302
DBGPRINTF("sm_cust_bindcdr: message from allowed IP, ignoring\n");
303
ABORT_FINALIZE(RS_RET_ERR);
306
/* calculate len, constants for spaces and similar fixed strings */
307
lenTotal = lenDate + lenTime + lenMSec + lenClient + lenView + lenQuery
308
+ lenIP + 7 * 5 + sizeof(SQL_STMT) + sizeof(SQL_STMT_END) + 2;
310
/* now make sure buffer is large enough */
311
if(lenTotal >= *pLenBuf)
312
CHKiRet(ExtendBuf(ppBuf, pLenBuf, lenTotal));
314
/* and concatenate the resulting string */
315
memcpy(*ppBuf, SQL_STMT, sizeof(SQL_STMT) - 1);
316
iBuf = sizeof(SQL_STMT) - 1;
318
memcpy(*ppBuf + iBuf, szDate, lenDate);
320
/* prviously: ADD_SQL_DELIM */
321
*(*ppBuf + iBuf) = ' ';
324
memcpy(*ppBuf + iBuf, szTime, lenTime);
328
/* we shall now discard this part
329
memcpy(*ppBuf + iBuf, szMSec, lenMSec);
334
/* Note that this seem to be the IP to use */
335
memcpy(*ppBuf + iBuf, szClient, lenClient);
339
memcpy(*ppBuf + iBuf, szView, lenView);
343
memcpy(*ppBuf + iBuf, szQuery, lenQuery);
345
/* this is now the last field, so we dont need: ADD_SQL_DELIM */
347
/* no longer to be included
348
memcpy(*ppBuf + iBuf, szIP, lenIP);
352
/* end of SQL statement/trailer (NUL is contained in string!) */
353
memcpy(*ppBuf + iBuf, SQL_STMT_END, sizeof(SQL_STMT_END));
354
iBuf += sizeof(SQL_STMT_END);
361
allowedip_t *pallow, *pdel;
363
for(pallow = root ; pallow != NULL ; ) {
365
pallow = pallow->next;
370
objRelease(errmsg, CORE_COMPONENT);
376
CODEqueryEtryPt_STD_SMOD_QUERIES
382
*ipIFVersProvided = CURR_MOD_IF_VERSION; /* we only support the current interface specification */
383
CODEmodInit_QueryRegCFSLineHdlr
384
CHKiRet(objUse(errmsg, CORE_COMPONENT));
387
CHKiRet(omsdRegCFSLineHdlr((uchar *)"sgcustombindcdrallowedip", 0, eCmdHdlrGetWord,
388
addAllowedIP, NULL, STD_LOADABLE_MODULE_ID));
389
dbgprintf("rsyslog sm_cust_bindcdr called, compiled with version %s\n", VERSION);