Skip to content

Add no-piggyback-errors flag to syslog-parser() and syslog related source drivers.#245

Merged
MrAnno merged 5 commits intoaxoflow:mainfrom
bazsi:retain-rawmsg-on-msg-parse-errors
Aug 12, 2024
Merged

Add no-piggyback-errors flag to syslog-parser() and syslog related source drivers.#245
MrAnno merged 5 commits intoaxoflow:mainfrom
bazsi:retain-rawmsg-on-msg-parse-errors

Conversation

@bazsi
Copy link
Member

@bazsi bazsi commented Aug 8, 2024
edited
Loading

Problem:
In case syslog-parser() fails, the entire log message is cleared: all name-value pairs, tags, along with partially parsed values already extracted from the message when the parsing failed. This also clears anything that was set prior to syslog-parser() and unrelated to syslog parsing (e.g. $SOURCEIP or $SOURCE or even $TRANSPORT).

Then, syslog-ng adds some error information to the message and then attributes it to itself, as if it was coming from syslog-ng itself, but not via the internal() driver, rather by the driver which actually receives the message.

This behaviour makes sense in cases where the syslog parser is embedded in source drivers, as in that case the message should not have any other things yet.

It is not intuitive with syslog-parser() though, as in this case, we might have requested store-raw-message or even associated various name-value pairs to the message already.

Solution

This PR adds a no-piggyback-errors flag to syslog-parser (both the embedded case and the syslog-parser case). This flag is not enabled by default, as that would be an incompatible change with syslog-parser().

With no-piggyback-errors then the message will not be attributed to syslog-ng in case of errors. Actually it retains everything that was present at the time of the parse error, potentially things that were already extracted.

So $MSG remains that was set (potentially the raw message), $HOST may or may not be extracted, likewise for $PROGRAM, $PID, $MSGID, etc.

The error is still indicated via $MSGFORMAT set to "syslog-error" (but note #250, which will change this to syslog:error).

Others:

This branch also:

  • adds predefined tags to indicate various parsing issues for RFC5424 (similarly to what we have for RFC3164).
  • fixes that such piggybacked error messages lacked a $HOST value in case they were generated by a syslog-parser(), in contrast when they are generated as a part of a source driver.
  • added a log_msg_clear_sdata() function, which did not exist before. there was a state of this branch where that would have been used, but now it is not. it is exercised by a unit test though, so I kept it here. could be dropped from the series.

@MrAnno MrAnno self-requested a review August 8, 2024 20:59
@bazsi
Copy link
Member Author

bazsi commented Aug 9, 2024

I'm thinking about retaining even more information in case parsing fails. The current behaviour drops everything, for instance the original sending IP address does seem useful when you want to diagnose parse errors.

@bazsi bazsi force-pushed the retain-rawmsg-on-msg-parse-errors branch from 592694c to 1d360a7 Compare August 9, 2024 13:55
MrAnno
MrAnno previously approved these changes Aug 9, 2024
View reviewed changes
@bazsi bazsi force-pushed the retain-rawmsg-on-msg-parse-errors branch from 1d360a7 to dbd411f Compare August 9, 2024 16:37
@bazsi bazsi changed the title Retain rawmsg on msg parse errors WIP: Retain rawmsg on msg parse errors Aug 9, 2024
@bazsi bazsi force-pushed the retain-rawmsg-on-msg-parse-errors branch from dbd411f to 9e33b79 Compare August 9, 2024 18:22
@bazsi bazsi changed the title WIP: Retain rawmsg on msg parse errors Retain rawmsg on msg parse errors Aug 9, 2024
@bazsi bazsi force-pushed the retain-rawmsg-on-msg-parse-errors branch from 9e33b79 to 4862157 Compare August 10, 2024 15:00
@bazsi bazsi changed the title Retain rawmsg on msg parse errors Add no-piggyback-errors flag to syslog-parser() and syslog related source drivers. Aug 10, 2024
@bazsi
Copy link
Member Author

bazsi commented Aug 10, 2024

I am finished with the branch now and mostly happy how it shaped up. @mbonsack would be great to get your input.

@MrAnno MrAnno self-requested a review August 10, 2024 19:23
@mbonsack
Copy link

mbonsack commented Aug 12, 2024

LGTM based on our review this past weekend.

MrAnno
MrAnno reviewed Aug 12, 2024
View reviewed changes
Copy link
Contributor

@MrAnno MrAnno left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM otherwise.

Another idea that may probably be a separate PR but could be attached to this new flag:

We should allow a syslog-parser() mode where we don't fall back to parsing bsdsyslog when we fail to parse the message as IETF syslog. This could be useful for writing complex parser logic (I saw something like this assumed in @jszigetvari 's filterx codes).

@bazsi
Copy link
Member Author

bazsi commented Aug 12, 2024

LGTM otherwise.

Another idea that may probably be a separate PR but could be attached to this new flag:

We should allow a syslog-parser() mode where we don't fall back to parsing bsdsyslog when we fail to parse the message as IETF syslog. This could be useful for writing complex parser logic (I saw something like this assumed in @jszigetvari 's filterx codes).

it is already possible, there's a flag called 'no-rfc3164-fallback'

bazsi added 5 commits August 12, 2024 21:13
@bazsi
msg-format: set the $HOST value in errors
52c21c4 
Signed-off-by: Balazs Scheidler <[email protected]>
@bazsi
logmsg: add assertion for a writable log message in log_msg_clear()
d9597df 
Signed-off-by: Balazs Scheidler <[email protected]>
@bazsi
logmsg: add log_msg_clear_sdata() function
36a2791 
Signed-off-by: Balazs Scheidler <[email protected]>
@bazsi
syslog-format: add 5424 parsing errors as tags
e5c3ed4 
Just like rfc3164, make it possible to report rfc5424 style parsing issues
as tags.

Signed-off-by: Balazs Scheidler <[email protected]>
@bazsi
msg-format: add piggyback-errors and no-piggyback-errors flags
2ab3cd1 
This tells syslog-ng not to wipe out the input message in syslog-parser() and
source encapsulated syslog parsers when there's a parse issue.

For example:

    parser { syslog-parser(flags(syslog-protocol, no-piggyback-errors)); };

With that in place, $MSG retains its original value and various tags (e.g.
the syslog.* ones) report what kind of issues we detected with the messsage.

When the message is sent to a syslog-like destination, we will prepend
a header.

Basically this makes 5424 and 3164 parsing more similar. Previously 5424 parsing
reported its errors by completely wiping out the the existing log message
fields and adding a message attributed to "syslog-ng" itself. But this
message was coming from the same source and not internal().




Signed-off-by: Balazs Scheidler <[email protected]>
@bazsi bazsi force-pushed the retain-rawmsg-on-msg-parse-errors branch from 4862157 to 2ab3cd1 Compare August 12, 2024 19:21
@bazsi
Copy link
Member Author

bazsi commented Aug 12, 2024

if you can re-approve @MrAnno we could merge this so the work on the dependant PR can continue.
thanks

@MrAnno MrAnno merged commit a7aec7a into axoflow:main Aug 12, 2024
@kovgeri01 kovgeri01 mentioned this pull request Aug 13, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MrAnno MrAnno MrAnno approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bazsi @mbonsack @MrAnno