Modified syslog output for systemd messages.
dirk29 committed Sep 25, 2024
1 parent 2912032 commit 2c7640c
Showing 5 changed files with 42 additions and 51 deletions.
10 changes: 5 additions & 5 deletions README.md
Expand Up @@ -301,18 +301,18 @@ kflowd outputs JSON messages generated for each record of aggregated file system
"SockAge": 18.095146325,
"App": "SYSLOG",
"AppTxSyslog": [{
"Facility": "security/authorization",
"Severity": "informational",
"Priority": 86,
"Facility": "Security/Authorization",
"Severity": "Notice (5)",
"Priority": 85,
"Version": 0,
"Timestamp": "Sep 16 14:30:01",
"Appname": "CRON",
"ProcId": "2122368",
"Message": "pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)"
},
{
"Facility": "security/authorization",
"Severity": "informational",
"Facility": "Security/Authorization",
"Severity": "Informational (6)",
"Priority": 86,
"Version": 0,
"Timestamp": "Sep 16 14:30:01",
2 changes: 1 addition & 1 deletion plugins
16 changes: 2 additions & 14 deletions src/kflowd.bpf.c
Expand Up @@ -1863,9 +1863,9 @@ static __always_inline int handle_unix_event(void *ctx, const struct SOCK_EVENT_
unix_sock = (struct unix_sock *)BPF_CORE_READ((struct unix_sock *)sock, peer);
bpf_probe_read_kernel_str(comm, sizeof(comm), BPF_CORE_READ(task, mm, exe_file, f_path.dentry, d_name.name));
if (__builtin_memcmp(BPF_CORE_READ(unix_sock, addr, name[0].sun_path), SYSLOG_DEVLOG_SOCKET,
sizeof(SYSLOG_DEVLOG_SOCKET)) /*&&
sizeof(SYSLOG_DEVLOG_SOCKET)) &&
__builtin_memcmp(BPF_CORE_READ(unix_sock, addr, name[0].sun_path), SYSLOG_JOURNAL_SOCKET,
sizeof(SYSLOG_JOURNAL_SOCKET))*/)
sizeof(SYSLOG_JOURNAL_SOCKET)))
return 0;

/* clean expired records */
Expand Down Expand Up @@ -2059,18 +2059,6 @@ int BPF_KPROBE(unix_dgram_sendmsg, struct socket *socket, struct msghdr *msg, si
return 0;
};

/* kprobe for unix domain socket rx datagram events */
// SEC("kprobe/unix_dgram_recvmsg")
// int BPF_KPROBE(unix_dgram_recvmsg, struct socket *socket, struct msghdr *msg, size_t size, int flags) {
// KPROBE_SWITCH(MONITOR_SOCK);
// __u16 family = AF_UNIX;
// struct sock *sock = BPF_CORE_READ(socket, sk);
// struct SOCK_EVENT_INFO event = {sock, NULL, msg, family, 0, 0, NULL, true, "unix_dgram_recvmsg"};
// handle_unix_event(ctx, &event);
//
// return 0;
// };

/* socket filter used to capture large tcp data packets */
SEC("socket")
int handle_skb(struct __sk_buff *skb) {
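Review bot: The reinstated `&&` on the line `sizeof(SYSLOG_DEVLOG_SOCKET)) &&` now drops every unix datagram whose peer is not one of the two hard-coded journald paths, but the peer is read from `unix_sock->peer` a few lines above, which as far as I can tell is only populated for connected sockets; a client that calls sendto()/sendmsg() with an explicit address on an unconnected socket (the `msg_name` path of the same `unix_dgram_sendmsg` this kprobe hooks) would see a NULL peer here and be silently filtered out. If such senders matter, the check should fall back to the address in `msg->msg_name` when `peer` is NULL, and either way a comment on the `if` such as `/* keep only datagrams whose connected peer is a journald socket; unconnected sends with msg_name are not matched */` would make the intent explicit. Hosts that run a syslog daemon without systemd-journald, where /dev/log is presumably a real socket rather than a symlink into /run/systemd/journal/, will also stop producing SYSLOG records after this change, which the commit message does not mention. handle_unix_event begins before the hunk.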
8 changes: 4 additions & 4 deletions src/kflowd.c
Expand Up @@ -766,15 +766,15 @@ static int handle_event(void *ctx, void *data, size_t data_sz) {
else
msg = mkjson(MKJ_OBJ, 1, J_STRING, "_Exception", "HTTP Message Decoder");
} else if (app_msg->type == APP_SYSLOG && !plugin_syslog_decode(app_msg->data[idx], app_msg->len[idx], &syslog)) {
// TBD: make module, escape syslog.data
//if (9 != sscanf(app_msg->data[idx], "<%u>%u %32s %255s %48s %48s %32s [%255[^]]] %255[^\n]", &syslog.priority, &syslog.version,
// syslog.timestamp, syslog.hostname, syslog.appname, syslog.procid, syslog.msgid, syslog.data, syslog.message)) {
/* ignore empty messsages from sytemd */
if(!strcmp(rs->addr, SYSLOG_JOURNAL_SOCKET) && !strlen(syslog.message))
continue;
msg = mkjson(MKJ_OBJ, 11,
J_STRING, "Facility", syslog_facility_table[syslog.priority/8],
J_STRING, "Severity", syslog_severity_table[syslog.priority%8],
J_UINT, "Priority", syslog.priority,
J_UINT, "Version", syslog.version,
J_STRING, "Timestamp", syslog.timestamp,
strlen(syslog.timestamp) ? J_STRING : J_IGN_STRING, "Timestamp", syslog.timestamp,
strlen(syslog.hostname) ? J_STRING : J_IGN_STRING, "Hostname", syslog.hostname,
J_STRING, "Appname", syslog.appname,
strlen(syslog.procid) ? J_STRING : J_IGN_STRING, "ProcId", syslog.procid,
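Review bot: The lookups `syslog_facility_table[syslog.priority/8]` and `syslog_severity_table[syslog.priority%8]` index a 24-entry facility table with a value parsed from the message's `<PRI>` field, which any local process can write to the log socket, so a priority of 192 or more reads past the end of the array unless plugin_syslog_decode already rejects it — I can't see that from here. I would guard it before building the JSON: `unsigned fac = syslog.priority / 8;` then `const char *facility = fac < sizeof(syslog_facility_table) / sizeof(syslog_facility_table[0]) ? syslog_facility_table[fac] : "Unknown";` and pass `facility` to mkjson (the `%8` lookup is already in range). The removed `TBD: make module, escape syslog.data` comment suggests the fields are not JSON-escaped yet; if mkjson does not escape them, log text containing quotes or backslashes will corrupt the emitted record, so the TBD should stay until that is settled. The new comment also has two typos (`messsages`, `sytemd`). The enclosing handle_event body and the loop the new `continue` belongs to start outside the hunk.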
57 changes: 30 additions & 27 deletions src/kflowd.h
Expand Up @@ -261,6 +261,8 @@ struct SOCK_EVENT {
#define DNS_RDATA_DEC_LEN_MAX 512
#define DNS_QTYPE_MAX (int)(sizeof(dns_qtypes) / sizeof(struct DNS_QTYPE))
#define SYSLOG_PORT 514
#define SYSLOG_KEY_LEN_MAX 256
#define SYSLOG_VALUE_LEN_MAX 256
#define UNIX_SEGS_MAX 32

/* define application constants */
Expand Down Expand Up @@ -456,37 +458,38 @@ struct APP_MSG_HTTP {

/* dfine syslog constants */
#define SYSLOG_FACILITY_LEN_MAX 32
#define SYSLOG_SEVERITY_LEN_MAX 16
#define SYSLOG_SEVERITY_LEN_MAX 32
#define SYSLOG_HEADER_SHORT_LEN_MAX 48
#define SYSLOG_HEADER_LEN_MAX 255
#define SYSLOG_DEVLOG_SOCKET "/run/systemd/journal/dev-log"
#define SYSLOG_JOURNAL_SOCKET "/run/systemd/journal/socket"
char syslog_facility_table[][SYSLOG_FACILITY_LEN_MAX] = {"kernel",
"user",
"mail system",
"system daemon",
"security/authorization",
"internal",
"line printer",
"network news",
"uucp",
"clock daemon",
"security/authorization",
"ftp daemon",
"ntp",
"log audit",
"log alert",
"clock daemon",
"local0",
"local1",
"local2",
"local3",
"local4",
"local5",
"local6",
"local7"};
char syslog_severity_table[][SYSLOG_SEVERITY_LEN_MAX] = {"emergency", "alert", "critical", "error",
"warning", "notice", "informational", "debug"};
char syslog_facility_table[][SYSLOG_FACILITY_LEN_MAX] = {"Kernel",
"User",
"Mail System",
"System Daemon",
"Security/Authorization",
"Internal",
"Line Printer",
"Network News",
"UUCP",
"Clock Daemon",
"Security/Authorization",
"FTP Daemon",
"NTP",
"Log Audit",
"Log Alert",
"Clock Daemon",
"Local0",
"Local1",
"Local2",
"Local3",
"Local4",
"Local5",
"Local6",
"Local7"};
char syslog_severity_table[][SYSLOG_SEVERITY_LEN_MAX] = {"Emergency (0)", "Alert (1)", "Critical (2)",
"Error (3)", "Warning (4)", "Notice (5)",
"Informational (6)", "Debug (7)"};

/* define decoded http message */
struct APP_MSG_SYSLOG {
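Review bot: The rewritten `syslog_facility_table` and `syslog_severity_table` are still non-static, non-const definitions in a header, so every translation unit that includes kflowd.h gets its own writable copy and a second including .c file would fail to link; unless some object outside this header's includers relies on the external symbols, I would declare them `static const char syslog_facility_table[][SYSLOG_FACILITY_LEN_MAX] = {` (and likewise for the severity table). Because kflowd.c indexes these with `priority/8` and `priority%8`, placing `_Static_assert(sizeof(syslog_facility_table) / sizeof(syslog_facility_table[0]) == 24, "facility table must cover codes 0-23");` after the table would keep the lookup honest if an entry is ever dropped. The `SYSLOG_KEY_LEN_MAX`/`SYSLOG_VALUE_LEN_MAX` additions in the first hunk have no user visible in this commit; presumably they belong to the plugin submodule, and a comment saying so would help the next reader.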
