| Commit message (Collapse) | Author | Age | Files | Lines |
| |
There are a couple of logging calls which use the wrong specifiers for
their integer arguments. Change the specifiers to match the arguments.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
If `daemon` fails during start-up, ulogd attempts to print `errno` and
`strerror(errno)` to the log. However, the arguments are the wrong way
round. Swap them.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
There is a `strdup` at the beginning of `create_stack`. If it fails, an
empty log-line is printed. It's not useful, so remove it. This is
consistent with the error-handling of the `malloc` which immediately
follows it.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
`__ulogd_log` takes a printf-style format string and matching arguments.
Add the gcc `format` attribute to its declaration in order to allow the
compiler to type-check the function arguments against the specifiers in
the format string.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
make distcheck reports ipfix.h is not included in the tarball file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
configure.ac contains a mix of `AS_IF` and `if` conditionals. Prefer
the portable M4sh `AS_IF` macro. In some cases, where there are both
`AS_IF` and `if` conditionals evaluating the same predicates, the latter
are merged into the former.
Replace three instances of `test -n "$var"` with the usual, more portable,
autoconf idiom: `test "x$var" != "x"`.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Arguments are supposed to be quoted in square brackets. Fix several that
weren't.
Sort and reformat the `AC_OUTPUT_FILES` argument list while we're at it.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
There are a couple of blocks of macros in configure.ac which were
commented out in 2006. Remove them.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
`AC_CONFIG_HEADER` has been superseded by `AC_CONFIG_HEADERS`.
`AC_PROG_LIBTOOL` has been superseded by `LT_INIT`.
`AC_DISABLE_STATIC` can be replaced by an argument to `LT_INIT`.
`AC_HEADER_STDC` is obsolete.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
A couple of library dependencies are specified in `_LDFLAGS` variables.
They are supposed to be specified in `_LIBADD` variables. Move them.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
There are a few commented-out variable definitions left over from
the introduction of Automake. Remove them.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Move the `_SOURCES`, `_LIBADD` and `_LDFLAGS` variables for each
input-packet library alongside the matching `.la` definition. In
particular, move the `NFLOG` and `ULOG` variables inside the
conditionals controlling whether the libraries get built.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Currently, make enters all sub-directories containing source-code, even
if they only contain optional targets which are not configured to be
built. Instead, change the Makefiles so that the sub-directories are
optional, rather than the targets.
Group sub-directory definitions consistently at the top of the Makefiles
that contain them.
Trim a few leading and trailing blank lines.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
By using `dist_man_MANS`, instead of `man_MANS`, we no longer need to
include the man-pages in `EXTRA_DIST`.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Move `${regular_CFLAGS}` from configure.ac to Make_global.am, renaming
it to `AM_CFLAGS`. Add `AM_CPPFLAGS` to include
`$(top_srcdir)/include`. Include the new file in the Makefiles that
require it.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
The `ULOGD2_LIBDIR` macro is only used in one place, so move the flag
defining it out of the common `regular_CFLAGS` variable to the
`AM_CPPFLAGS` variable in the Makefile where it is needed.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
The only file in filter/packet2flow is an empty Makefile.am. Remove it.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Rules.make.in contains a number of variables defined by configure. It
is left-over from the pre-Automake build-system, in which it used to
fill a similar role to Make_global.am. It is no longer used anywhere.
Remove it.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
It's created by automake while making sure that build directories (utils/
and utils/.deps/, in this case) exist if the `subdir-objects` option is
enabled.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Otherwise this is incorrectly setting on NFULNL_CFG_F_SEQ_GLOBAL if
local sequence number via NFULNL_CFG_F_SEQ is requested.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
plugin input type ULOGD_DTYPE_RAW was missing
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Print the pkt mark in hex with a preceding '0x', like the kernel prints
pkts logged by netfilter.
Signed-off-by: Cole Dishington <Cole.Dishington@alliedtelesis.co.nz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Timon Ulrich <t.ulrich@anapur.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Print the protocol number for protocols not known by name.
Signed-off-by: Andreas Jaggi <andreas.jaggi@waterwave.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This commit adds the ability to send template records
to the remote collector.
In addition, it also introduces a new
configuration parameter 'send_template', which tells when template
records should be sent. It accepts the following string values:
- "once": Send the template record only the first time (might be coalesced
with data records).
- "always": Send the template record always, with every data record that is sent
to the collector (multiple data records might be sent together).
- "never": Assume the collector knows the schema already. Do not send template records.
If omitted, the default value for 'send_template' is "once".
Signed-off-by: Ander Juaristi <a@juaristi.eus>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch adds an IPFIX output plugin to ulogd2. It generates NetFlow/IPFIX
traces and sends them to a remote server (collector) via TCP or UDP.
Based on original work by Holger Eitzenberger <holger@eitzenberger.org>.
How to test this
----------------

I am currently testing this with the NFCT input and Wireshark.

Place the following in ulogd.conf:

    # this will print all flows on screen
    loglevel=1
    # load NFCT and IPFIX plugins
    plugin="/lib/ulogd/ulogd_inpflow_NFCT.so"
    plugin="/lib/ulogd/ulogd_output_IPFIX.so"
    stack=ct1:NFCT,ipfix1:IPFIX
    [ct1]
    netlink_socket_buffer_size=217088
    netlink_socket_buffer_maxsize=1085440
    accept_proto_filter=tcp,sctp
    [ipfix1]
    oid=1
    host="127.0.0.1"
    #port=4739
    #send_template="once"

I am currently testing it by launching a plain NetCat listener on port
4739 (the default for IPFIX) and then running Wireshark and see that it
dissects the IPFIX/NetFlow traffic correctly (obviously this relies on
the Wireshark NetFlow dissector being correct).

First:

    nc -vvvv -l 127.0.0.1 4739

Then:

    sudo ulogd -vc ulogd.conf

Signed-off-by: Ander Juaristi <a@juaristi.eus>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
The attached patch fixes building ulogd2 with musl libc. It is being
used on Void Linux right now.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1278
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Extend the JSON output plugin so that the generated JSON stream can be
sent to a remote host via TCP/UDP or to a local unix socket.
Signed-off-by: Andreas Jaggi <andreas.jaggi@waterwave.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Fixes: 42b384044dab ("ulogd2: cleanup downstream files")
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
| |
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
| |
These files are outdated and they belong to downstream users (distributions).
Providing outdated and unmaintained files here serves no purpose other than
confusing users and annoying packagers.
If a user is using ulogd2 directly from the source tarball, I would expect it
to be proficient enough to generate these files by itself.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This new configuration behaviour option eases a bit the configuration of ulogd2
by allowing to load all plugins in one go, without having to know their full
path.
Choosing concrete plugins and using full path for them is great for some
environments, but I don't think it's a common case. The common case is to
load all plugins, even ignoring where do they live in the filesystem.
Even worse, the full path may be architecture-dependent, which makes copying
the ulogd.conf file between machines unnecessarily complex.
To experiment with this new behaviour, don't put any 'plugin=' directive in the
config file. Plugins will be loaded from a default directory, chosen at
build/configure time (--with-ulogd2libdir). If not specified, this is something
like '/usr/local/lib/ulogd/'.
This new configuration option doesn't implement any special logic. We simply
open the dir and try to load all files ending with '.so'.
The log message level for plugins loading is increased so users can see by
default which plugins are loaded.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
It is common that ulogd runs in scenarios where a lot of packets are to be logged.
If there are more packets than ulogd can handle, users can start seeing log
messages like this:
ulogd[556]: We are losing events. Please, consider using the clauses \
`netlink_socket_buffer_size' and `netlink_socket_buffer_maxsize'
Which means that Netlink buffer overruns have happened.
There are several approaches to prevent this situation:
* in the ruleset, limit the amount of packets queued for log
* in the ruleset, instruct the kernel to use a queue-threshold
* from userspace, increment Netlink buffer sizes
* from userspace, configure ulogd to run as high priority process
The first 3 methods can be configured by users at runtime.
This patch deals with the last method. SCHED_RR is configured by default,
with no associated configuration parameter for users, since I believe
this is common enough, and should produce no harm.
A similar approach is used in the conntrackd daemon.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Acked-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Declaring a function inline and building with -O0 was causing the
following message:
undefined symbol: uint32_to_ipv6
By declaring the function as static we fix the problem.
| |
Format string in error message had more arguments than given and
it was resulting in a crash at start.
| |
Signed-off-by: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
| |
Signed-off-by: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
| |
The stack was not correctly defined triggering an error on
type conflict.
Signed-off-by: Eric Leblond <eric@regit.org>
| |
On some architectures, ulogd is not starting due to a
crash in memcpy. This patch switches to strncpy to
avoid the problem.
Reported-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Signed-off-by: Eric Leblond <eric@regit.org>
| |
This option will be needed for future version of automake.
Signed-off-by: Eric Leblond <eric@regit.org>
| |
If ipv4 packet is truncated, we should not try to dereference the
iph pointer. Otherwise, if the user adds such iptables rules
"-j NFLOG --nflog-size 0", we will dereference the NULL pointer
and a crash may happen.
Reported-by: Chris Caputo <ccaputo@alt.net>
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
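
The length checks this commit message calls for, as an added example; it is not the patch and not ulogd's code. `parse_ipv4`, `struct ipv4_info`, the `PKT_*` codes and `sample_pkt` are hypothetical, and the `--nflog-size 0` case is assumed to arrive as a NULL payload with length 0.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PKT_OK = 0, PKT_NO_PAYLOAD = -1, PKT_TRUNCATED = -2, PKT_MALFORMED = -3 };

struct ipv4_info {              /* hypothetical result type for this example */
    uint8_t  protocol;
    uint8_t  hdr_len;           /* header length in bytes, options included */
    uint16_t tot_len;           /* host byte order */
    uint8_t  saddr[4], daddr[4];
};

/* Constructed sample: 20-byte IPv4 header, TCP, 192.0.2.1 -> 198.51.100.2. */
static const uint8_t sample_pkt[20] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x00, 0x40, 0x06,
    0x00, 0x00, 192, 0, 2, 1, 198, 51, 100, 2
};

/*
 * payload/len are what the log source handed over. Assumption: with a zero
 * copy size ("--nflog-size 0") payload is NULL and len is 0.
 * Every length is checked before the bytes it guards are read.
 */
int parse_ipv4(const uint8_t *payload, size_t len, struct ipv4_info *out)
{
    size_t ihl;

    if (payload == NULL || len == 0)
        return PKT_NO_PAYLOAD;
    if (len < 20)
        return PKT_TRUNCATED;       /* fixed header is cut short */
    if ((payload[0] >> 4) != 4)
        return PKT_MALFORMED;       /* not IPv4 */
    ihl = (size_t)(payload[0] & 0x0f) * 4;
    if (ihl < 20)
        return PKT_MALFORMED;       /* IHL below the minimum header size */
    if (ihl > len)
        return PKT_TRUNCATED;       /* options are cut short */
    out->hdr_len = (uint8_t)ihl;
    out->tot_len = (uint16_t)((payload[2] << 8) | payload[3]);
    out->protocol = payload[9];
    memcpy(out->saddr, payload + 12, 4);
    memcpy(out->daddr, payload + 16, 4);
    return PKT_OK;
}

int main(void)
{
    struct ipv4_info info;
    size_t lens[] = { 0, 8, sizeof(sample_pkt) };

    /* Feed the same constructed packet at three capture lengths. */
    for (size_t i = 0; i < 3; i++)
        printf("len=%zu -> %d\n", lens[i],
               parse_ipv4(lens[i] ? sample_pkt : NULL, lens[i], &info));
    return 0;
}
```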
| |
Some imbricated tests were not indented.
Signed-off-by: Eric Leblond <eric@regit.org>
| |
When cross-compiling ulogd, mysql_config and pg_config will return build host
configuration not build target configuration. This leads to build failures
if mysql_config is installed on the host system but mysql is not available
on the build target.
Fix this by not using mysql_config and pg_config for cross-compilation.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
| |
ulogd had a critical bug that is calling Async-Signal-Unsafe functions
in signal handler context.
- Most of libc functions like fopen(), malloc() are Async-Signal-Unsafe.
So you should not call these functions in signal handler context.
- Calling pluginstances in signal handler context is dangerous.
For implementer of pluginstances, it is very hard to recognize their
functions are called in signal handler context.
To solve the issue, I restructured signal handling by self-pipe trick.
For more detail on self-pipe trick, please see the following.
https://lwn.net/Articles/177897/
This patch will solve various symptoms like following.
- Deadlock
- Segmentation fault caused by libc management data corruption,
- Other unpredictable behavior.
Deadlock example
================
This bug was already filed at:
https://bugzilla.netfilter.org/show_bug.cgi?id=1030
I also hit this bug. The backtrace of this issue is following.
In this case, main thread was calling ctime(),
and signal handler called localtime_r().
That caused the deadlock while getting tzset_lock in __tz_convert().
Because vsyslog() is Async-Signal-Unsafe function, we cannot call
this function in signal handler context.
(gdb) bt
#0 __lll_lock_wait_private () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:95
#1 0x00007f3c3fc7e4ac in _L_lock_2462 () at tzset.c:621
#2 0x00007f3c3fc7e2e7 in __tz_convert (timer=0x7f3c3ff8bf00 <tzset_lock>,
timer@entry=0x7fffcfa923b8, use_localtime=use_localtime@entry=1,
tp=tp@entry=0x7fffcfa92400) at tzset.c:624
#3 0x00007f3c3fc7c28d in __localtime_r (t=t@entry=0x7fffcfa923b8,
tp=tp@entry=0x7fffcfa92400) at localtime.c:32
#4 0x00007f3c3fcbf1ba in __GI___vsyslog_chk (pri=<optimized out>, flag=1,
fmt=0x406fa8 "signal received, calling pluginstances\n", ap=0x7fffcfa924a0)
at ../misc/syslog.c:199
#5 0x00000000004037b5 in __ulogd_log ()
#6 0x00000000004047be in signal_handler ()
#7 <signal handler called>
#8 0x00007f3c3fcb62f5 in __GI___xstat (vers=<optimized out>,
name=0x7f3c3fd4b2c3 "/etc/localtime", buf=0x7fffcfa92c10)
at ../sysdeps/unix/sysv/linux/wordsize-64/xstat.c:37
#9 0x00007f3c3fc7e5f6 in __tzfile_read (file=file@entry=0x7f3c3fd4b2c3 "/etc/localtime",
extra=extra@entry=0, extrap=extrap@entry=0x0) at tzfile.c:170
#10 0x00007f3c3fc7d954 in tzset_internal (always=<optimized out>,
explicit=explicit@entry=1) at tzset.c:444
#11 0x00007f3c3fc7e303 in __tz_convert (timer=0x7fffcfa92d50,
use_localtime=use_localtime@entry=1, tp=tp@entry=0x7f3c3ff8ed80 <_tmbuf>)
at tzset.c:629
#12 0x00007f3c3fc7c2a1 in __GI_localtime (t=<optimized out>) at localtime.c:42
#13 0x00007f3c3fc7c1f9 in ctime (t=<optimized out>) at ctime.c:27
#14 0x00007f3c3e180ec2 in ?? ()
#15 0x0000000056a100c2 in ?? ()
#16 0xf8570f79d4fc4200 in ?? ()
#17 0x000000000209bec0 in ?? ()
#18 0x00007f3c4059f1f8 in ?? ()
#19 0x000000000000003c in ?? ()
#20 0x0000000000404952 in ulogd_propagate_results ()
#21 0x00007f3c3f9cc203 in ?? ()
#22 0x0000000000000000 in ?? ()
Segmentation fault in free()
============================
From my experience, I think this was caused by some routine called
malloc()/free() in signal handler context.
By that, malloc() management data became inconsistent.
As a result, free() made a wrong dereference.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __GI___libc_free (mem=0x7f430f011000) at malloc.c:2903
2903 if (chunk_is_mmapped(p)) /* release mmapped memory. */
(gdb) bt
#0 __GI___libc_free (mem=0x7f430f011000) at malloc.c:2903
#1 0x00007f430e68affa in __GI__IO_free_backup_area (fp=fp@entry=0x742500)
at genops.c:210
#2 0x00007f430e68a795 in _IO_new_file_overflow (f=0x742500, ch=-1) at fileops.c:849
#3 0x00007f430e689511 in _IO_new_file_xsputn (f=0x742500, data=<optimized out>, n=15)
at fileops.c:1372
#4 0x00007f430e65aa4d in _IO_vfprintf_internal (s=s@entry=0x742500,
format=<optimized out>, format@entry=0x7f430cbc4008 "%.15s %s %s",
ap=ap@entry=0x7fff456ece38) at vfprintf.c:1635
#5 0x00007f430e71d615 in ___fprintf_chk (fp=0x742500, flag=flag@entry=1,
format=format@entry=0x7f430cbc4008 "%.15s %s %s") at fprintf_chk.c:36
#6 0x00007f430cbc3f04 in fprintf (__fmt=0x7f430cbc4008 "%.15s %s %s",
__stream=<optimized out>) at /usr/include/bits/stdio2.h:97
#7 _output_logemu (upi=0x74e5a0) at ulogd_output_LOGEMU.c:102
#8 0x0000000000404952 in ulogd_propagate_results ()
#9 0x00007f430e40f203 in interp_packet (ldata=0x7fff456ed060, pf_family=2 '\002',
upi=0x74a6b0) at ulogd_inppkt_NFLOG.c:400
#10 msg_cb (gh=<optimized out>, nfmsg=0x7f430efe2020, nfa=0x7fff456ed060, data=0x74a6b0)
at ulogd_inppkt_NFLOG.c:483
#11 0x00007f430e20a307 in __nflog_rcv_pkt (nlh=<optimized out>, nfa=<optimized out>,
data=<optimized out>) at libnetfilter_log.c:160
#12 0x00007f430e0056b7 in __nfnl_handle_msg (len=268, nlh=0x7f430efe2010, h=0x74e8e0)
at libnfnetlink.c:1236
#13 nfnl_handle_packet (h=0x74e8e0, buf=0x7f430efe2010 "\f\001", len=<optimized out>)
at libnfnetlink.c:1256
#14 0x00007f430e20a508 in nflog_handle_packet (h=<optimized out>, buf=<optimized out>,
len=<optimized out>) at libnetfilter_log.c:323
#15 0x00007f430e40eaed in nful_read_cb (fd=<optimized out>, what=<optimized out>,
param=0x74a6b0) at ulogd_inppkt_NFLOG.c:463
#16 0x0000000000404ee0 in ulogd_select_main ()
#17 0x0000000000402b17 in main ()
Signed-off-by: Hironobu Ishii <ishii.hironobu@jp.fujitsu.com>
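
The self-pipe arrangement this commit message describes, as an added example (not the patch itself and not ulogd's code): the handler calls only `write(2)`, and the `select()` loop picks the signal up in ordinary context, where logging, `malloc()` and plugin callbacks are safe. The names `sig_pipe`, `on_signal`, `prepare_fd`, `selfpipe_init` and `selfpipe_wait` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/select.h>
#include <unistd.h>

static int sig_pipe[2] = { -1, -1 };    /* [0] read end, [1] write end */

/* Handler: write(2) is async-signal-safe; nothing else is called here. */
static void on_signal(int signo)
{
    int saved_errno = errno;            /* write() may clobber errno */
    unsigned char b = (unsigned char)signo;
    if (write(sig_pipe[1], &b, 1) < 0) {
        /* Pipe full (EAGAIN): wake-ups are already queued, so drop this one. */
    }
    errno = saved_errno;
}

static int prepare_fd(int fd)           /* non-blocking and close-on-exec */
{
    int fl = fcntl(fd, F_GETFL);
    if (fl < 0 || fcntl(fd, F_SETFL, fl | O_NONBLOCK) < 0)
        return -1;
    return fcntl(fd, F_SETFD, FD_CLOEXEC);
}

/* Create the pipe on first use, then route signo through it. 0 on success;
 * on -1 the caller is expected to abort start-up. */
int selfpipe_init(int signo)
{
    struct sigaction sa;
    if (sig_pipe[0] < 0 && (pipe(sig_pipe) < 0 ||
        prepare_fd(sig_pipe[0]) < 0 || prepare_fd(sig_pipe[1]) < 0))
        return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_signal;
    sigemptyset(&sa.sa_mask);
    return sigaction(signo, &sa, NULL);
}

/* Main-loop side: returns the signal number, 0 on timeout, -1 on error.
 * The caller reacts to the signal here, outside signal-handler context. */
int selfpipe_wait(int timeout_ms)
{
    for (;;) {
        struct timeval tv = { .tv_sec = timeout_ms / 1000,
                              .tv_usec = (timeout_ms % 1000) * 1000 };
        unsigned char b;
        fd_set rfds;
        int rc;
        FD_ZERO(&rfds);
        FD_SET(sig_pipe[0], &rfds);
        rc = select(sig_pipe[0] + 1, &rfds, NULL, NULL, &tv);
        if (rc < 0 && errno == EINTR)
            continue;       /* interrupted by the handler: its byte is queued */
        if (rc <= 0)
            return rc;
        if (read(sig_pipe[0], &b, 1) == 1)
            return b;
    }
}
```

In a real daemon the read end of the pipe is added to the same `select()` set as the input sockets, so signals and packets are dispatched from one loop.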
| |
This option was left behind when the code was rewritten and is no longer
functional or useful. Remove it entirely.
Signed-off-by: Alex Xu (Hello71) <alex_y_xu@yahoo.ca>
| |
While this is not strictly needed for ISO 8601, this is helpful since
otherwise, the receiver can't assume anything about the
timezone.
This uses a GNU extension but as ulogd is quite Linux-specific, this
shouldn't be a problem. The POSIX variables (tzname and daylight) are
quite difficult to use because daylight handling is incomplete (daylight
doesn't say if DST is now in effect, it just says it is sometimes in
effect).
A timezone offset is used instead of a timezone since it is usually
easier to parse (strptime in glibc is not able to parse a timezone name)
and doesn't require an up-to-date TZ database.
Signed-off-by: Vincent Bernat <Vincent.Bernat@exoscale.ch>
| |
While Logstash is quite flexible in the JSON messages received, the
canonical format it "expects" is the JSON Event v1 format. The timestamp
should be keyed by `@timestamp` and there should be a `@version` key
whose value is 1. All other keys are free.
There is no formal specification of this format. It is however described
here:
https://github.com/elastic/logstash/blob/1.5/lib/logstash/event.rb#L26-L47
It's useful to respect this format as it allows a user to use a less
capable receiver. The new format is enabled only when `eventv1=1` is set
in plugin configuration.
Signed-off-by: Vincent Bernat <Vincent.Bernat@exoscale.ch>