Module: check_mk
Branch: master
Commit: 6b686ebceefae4b255cbe9d1f4ac4b8785f4eb58
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=6b686ebceefae4…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Thu Jun 2 17:58:07 2016 +0200
3589 FIX Fixed processing of RFC 5424 syslog messages
---
.werks/3589 | 10 ++++++++++
ChangeLog | 1 +
bin/mkeventd | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
3 files changed, 58 insertions(+), 1 deletion(-)
diff --git a/.werks/3589 b/.werks/3589
new file mode 100644
index 0000000..8231cb6
--- /dev/null
+++ b/.werks/3589
@@ -0,0 +1,10 @@
+Title: Fixed processing of RFC 5424 syslog messages
+Level: 1
+Component: ec
+Class: fix
+Compatible: compat
+State: unknown
+Version: 1.2.9i1
+Date: 1464883071
+
+
diff --git a/ChangeLog b/ChangeLog
index 9b8b66d..ffe75f3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -468,6 +468,7 @@
* 3026 FIX: Event console: The "Add comment" option of a rule is now able
to add the original text (\0)
* 3566 FIX: Fixed exception on SNMP MIB management page when MIB directory is
missing
* 3568 FIX: Fixed broken link in "Access to event status via TCP" help
text
+ * 3589 FIX: Fixed processing of RFC 5424 syslog messages
Livestatus:
* 3233 FIX: Fixed shutdown of Nagios core with Livestatus module...
diff --git a/bin/mkeventd b/bin/mkeventd
index 2a45ca2..e8c09fb 100755
--- a/bin/mkeventd
+++ b/bin/mkeventd
@@ -2251,6 +2251,7 @@ class EventServer:
if "set_contact" in rule and "contact" not in event:
event["contact"] = replace_groups(rule["set_contact"],
event.get("contact", ""), groups)
+
def parse_syslog_info(self, line):
event = {}
# Replaced ":" by ": " here to make tags with ":"
possible. This
@@ -2270,6 +2271,44 @@ class EventServer:
event["pid"] = pid
return event
+
+ def parse_rfc5424_syslog_info(self, line):
+ event = {}
+
+ version, timestamp, hostname, app_name, procid, \
+ msgid, rest = line.split(" ", 6)
+
+ # There is no 3339 parsing built into python. We do ignore subseconds and
timezones
+ # here. This is seems to be ok for the moment - sorry. Please drop a note if you
+ # got a good solutuion for this.
+ event['time'] = time.mktime(time.strptime(timestamp[:19],
'%Y-%m-%dT%H:%M:%S'))
+
+ if hostname != "-":
+ event["host"] = hostname
+
+ if app_name != "-":
+ event["application"] = app_name
+
+ if procid != "-":
+ event["pid"] = procid
+
+ if rest[0] == "[":
+ # has stuctured data
+ structured_data, message = rest[1:].split("] ", 1)
+ elif rest.startswith("- "):
+ # has no stuctured data
+ structured_data, message = rest.split(" ", 1)
+ else:
+ raise Exception("Invalid RFC 5424 syslog message")
+
+ if structured_data != "-":
+ event["text"] = "[%s] %s" % (structured_data, message)
+ else:
+ event["text"] = message
+
+ return event
+
+
def parse_monitoring_info(self, line):
event = {}
# line starts with '@'
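Review bot: `parse_rfc5424_syslog_info` raises the intended `Exception("Invalid RFC 5424 syslog message")` only for a bad structured-data prefix; every other malformed input escapes as a bare ValueError or IndexError instead — `line.split(" ", 6)` fails to unpack when fewer than seven fields arrive, `rest[0]` fails on an empty remainder, `rest[1:].split("] ", 1)` fails to unpack when the SD-element is not followed by a space and a message (MSG is optional in RFC 5424), and `time.strptime` fails on the NILVALUE `-` that the RFC permits for TIMESTAMP. Since this input arrives from the network, I'd validate the field count and the remainder up front and route all of these cases through the same explicit exception, so whatever calls this parser (outside this hunk) can handle malformed lines uniformly; the timestamp NILVALUE still needs a decision on which time to record. The dispatch added in the last hunk also forwards any line with `T` at offset 12 to this parser without looking at the VERSION field; I'd tighten it to `elif len(line) > 24 and line[:2] == "1 " and line[12] == "T":`. The `version` and `msgid` fields are unpacked but never used, so a short comment stating that this is deliberate would help the next reader.
```python
    def parse_rfc5424_syslog_info(self, line):
        event = {}

        parts = line.split(" ", 6)
        if len(parts) != 7 or parts[6] == "":
            raise Exception("Invalid RFC 5424 syslog message")
        version, timestamp, hostname, app_name, procid, msgid, rest = parts

        # ... unchanged: timestamp, host, application, pid handling ...

        if rest.startswith("["):
            # has structured data; the message part is optional
            if "] " in rest:
                structured_data, message = rest[1:].split("] ", 1)
            else:
                structured_data, message = rest[1:].rstrip("]"), ""
        elif rest.startswith("- "):
            # has no structured data
            structured_data, message = rest.split(" ", 1)
        elif rest == "-":
            # neither structured data nor message
            structured_data, message = "-", ""
        else:
            raise Exception("Invalid RFC 5424 syslog message")

        # ... unchanged: event["text"] assembly and return ...
```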
@@ -2362,7 +2401,7 @@ class EventServer:
# Variant 4: remote Nagios alert posted by mkevent -n -> syslog
# <154>Jul 9 17:28:32 Klapprechner @1341847712;5;Contact Info; MyHost
My Service: CRIT - This che
- # Variant 5: syslog message (RFC 5424)
+ # Variant 5: syslog message
# Timestamp is RFC3339 with additional restrictions:
# - The "T" and "Z" characters in this syntax MUST be
upper case.
# - Usage of the "T" character is REQUIRED.
@@ -2381,6 +2420,9 @@ class EventServer:
# Variant 8: syslog message from sophos firewall
# <84>2015:03:25-12:02:06 gw pluto[7122]: listening for IKE messages
+ # Variant 9: syslog message (RFC 5424)
+ # <134>1 2016-06-02T12:49:05.181+02:00 chrissw7 ChrisApp - TestID -
coming from java code
+
# FIXME: Would be better to parse the syslog messages in another way:
# Split the message by the first ":", then split the syslog header
part
# and detect which information are present. Take a look at the syslog RFCs
@@ -2422,6 +2464,10 @@ class EventServer:
event['time'] = time.mktime(time.strptime(rfc3339_part[:19],
'%Y-%m-%dT%H:%M:%S'))
event.update(self.parse_syslog_info(line))
+ # Variant 9
+ elif len(line) > 24 and line[12] == "T":
+ event.update(self.parse_rfc5424_syslog_info(line))
+
# Variant 8
elif line[10] == '-' and line[19] == ' ':
event['host'] = line.split(' ')[1]