
5 Commits

Author SHA1 Message Date
yo
a910f1b69f version bump to 0.6.13 2023-01-03 13:24:50 +01:00
yo
37510ff1d1 Who says PID should be limited to 99999? 2023-01-03 13:23:12 +01:00
yo
dac551ece7 Add optional semicolon after "slapd[PID]" 2022-12-26 14:51:41 +01:00
yo
e484d80314 Add RW lock when iterating mQueue 2022-11-18 13:59:39 +01:00
yo
503fec99a8 Add rsyslog to graylog example config file 2022-11-13 14:00:44 +01:00
3 changed files with 171 additions and 5 deletions


@ -18,7 +18,7 @@ const (
// FIXME: Not very strict // FIXME: Not very strict
IPv6RE = `(?:(?:[0-9a-fA-F]{1,4}\:){7})[0-9a-fA-F]{1,4}` IPv6RE = `(?:(?:[0-9a-fA-F]{1,4}\:){7})[0-9a-fA-F]{1,4}`
HostRE = `([0-9A-Za-z\-\_\.]*)` HostRE = `([0-9A-Za-z\-\_\.]*)`
ProcessRE = `(slapd\[[0-9]{1,5}\])` ProcessRE = `(slapd\[[0-9]{1,7}\])(?:\:)?`
// group[4] // group[4]
ConnIdRE = `conn=([0-9]{4,10})` ConnIdRE = `conn=([0-9]{4,10})`
ConnFdRE = `(?:fd=([0-9]{1,10}))?` ConnFdRE = `(?:fd=([0-9]{1,10}))?`
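Review bot: The new `ProcessRE` widens the PID to `{1,7}` without saying where seven comes from, and in a log parser a line that fails this pattern is presumably not recorded at all, so the bound deserves a comment. Linux caps pid_max at 4194304, so seven digits is sufficient there; something like `// PID: up to 7 digits (Linux pid_max is at most 4194304)` above the constant would document it. The optional separator `(?:\:)?` can be written as `:?`, which matches the same input and leaves the capture-group numbering untouched. A test line with a seven-digit PID and one with the trailing colon would pin both changes; the const block starts and ends outside the hunk.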


@ -129,7 +129,7 @@ var (
File os.File File os.File
Writer *bufio.Writer Writer *bufio.Writer
Version = "0.6.11" Version = "0.6.13"
BuildInfo = promauto.NewGaugeVec(prometheus.GaugeOpts{ BuildInfo = promauto.NewGaugeVec(prometheus.GaugeOpts{
Name: "openldaplogparser_build_info", Name: "openldaplogparser_build_info",
@ -354,7 +354,8 @@ func cleanMQueue(mqueue map[string]*OpenLdapConnection, mqMtx *sync.Mutex, age t
log.Printf("Start cleaning queue task: %d items in queue", len(mqueue)) log.Printf("Start cleaning queue task: %d items in queue", len(mqueue))
// Do we need read lock? // We need lock here
mqMtx.Lock()
for uid, ldcon := range mqueue { for uid, ldcon := range mqueue {
ok = false ok = false
// Check if a close operation exist // Check if a close operation exist
@ -366,11 +367,11 @@ func cleanMQueue(mqueue map[string]*OpenLdapConnection, mqMtx *sync.Mutex, age t
} }
} }
if ok == true { if ok == true {
mqMtx.Lock() // We already in RW lock
delete(mqueue, uid) delete(mqueue, uid)
mqMtx.Unlock()
} }
} }
mqMtx.Unlock()
log.Printf("Finished cleaning queue task: %d items in queue", len(mqueue)) log.Printf("Finished cleaning queue task: %d items in queue", len(mqueue))
} }
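Review bot: Both `log.Printf` calls in `cleanMQueue` read `len(mqueue)` outside the critical section: the first runs before the added `mqMtx.Lock()` and the last after the added `mqMtx.Unlock()`. They can therefore still race with whatever goroutine inserts into the map, presumably the parser, and the race detector would flag it. Taking the lock above the first log line and releasing it with `defer` covers both reads and also frees the mutex if the loop body panics: `mqMtx.Lock()` then `defer mqMtx.Unlock()` at the top, with the explicit unlock removed. The parameter is a `*sync.Mutex`, not an RWMutex, so the new comment would read more accurately as `// mqMtx is already held (exclusive)`. The function begins outside the hunk, so how long the scan holds the lock against writers cannot be judged from here.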


@ -0,0 +1,165 @@
module(load="imfile") # lecture slapd.log.json
module(load="mmjsonparse") # parsing slapd.log.json
# Template de mise en forme JSON
template(name="sendJsonToGrayLogTemplate"
type="list" option.json="on") {
constant(value="{ ")
constant(value="\"facility\":\"local4\", ")
constant(value="\"facility_num\":\"20\", ")
constant(value="\"level\":\"6\", ")
constant(value="\"type\":\"")
property(name="programname")
constant(value="\", ")
# on renomme les proprietes venant de openldap-log-parser
constant(value="\"time\":\"")
property(name="$!time")
constant(value="\", ")
constant(value="\"source\":\"")
property(name="$!hostname")
constant(value="\", ")
constant(value="\"process\":\"")
property(name="$!process")
constant(value="\", ")
constant(value="\"client_ip\":\"")
property(name="$!client_ip")
constant(value="\", ")
constant(value="\"client_port\":\"")
property(name="$!client_port")
constant(value="\", ")
constant(value="\"server_ip\":\"")
property(name="$!server_ip")
constant(value="\", ")
constant(value="\"server_port\":\"")
property(name="$!server_port")
constant(value="\", ")
constant(value="\"bind_dn\":\"")
property(name="$!bind_dn")
constant(value="\", ")
constant(value="\"conn_id\":\"")
property(name="$!conn_id")
constant(value="\", ")
constant(value="\"conn_fd\":\"")
property(name="$!conn_fd")
constant(value="\", ")
constant(value="\"op_id\":\"")
property(name="$!op_id")
constant(value="\", ")
constant(value="\"op_type\":\"")
property(name="$!op_type")
constant(value="\", ")
constant(value="\"bind_method\":\"")
property(name="$!bind_method")
constant(value="\", ")
constant(value="\"bind_mech\":\"")
property(name="$!bind_mech")
constant(value="\", ")
constant(value="\"bind_ssf\":\"")
property(name="$!bind_ssf")
constant(value="\", ")
constant(value="\"ssf\":\"")
property(name="$!ssf")
constant(value="\", ")
constant(value="\"starttls\":\"")
property(name="$!starttls")
constant(value="\", ")
constant(value="\"mod_dn\":\"")
property(name="$!mod_dn")
constant(value="\", ")
constant(value="\"mod_attr\":\"")
property(name="$!mod_attr")
constant(value="\", ")
constant(value="\"add_dn\":\"")
property(name="$!add_dn")
constant(value="\", ")
constant(value="\"del_dn\":\"")
property(name="$!del_dn")
constant(value="\", ")
constant(value="\"passmod_dn\":\"")
property(name="$!passmod_dn")
constant(value="\", ")
constant(value="\"res_tag\":\"")
property(name="$!result_tag")
constant(value="\", ")
constant(value="\"res_oid\":\"")
property(name="$!result_oid")
constant(value="\", ")
constant(value="\"res_err\":\"")
property(name="$!result_err")
constant(value="\", ")
constant(value="\"res_qtime\":\"")
property(name="$!result_qtime")
constant(value="\", ")
constant(value="\"res_etime\":\"")
property(name="$!result_etime")
constant(value="\", ")
constant(value="\"res_text\":\"")
property(name="$!result_text")
constant(value="\", ")
constant(value="\"search_base\":\"")
property(name="$!search_base")
constant(value="\", ")
constant(value="\"search_scope\":\"")
property(name="$!search_scope")
constant(value="\", ")
constant(value="\"search_deref\":\"")
property(name="$!search_deref")
constant(value="\", ")
constant(value="\"search_filter\":\"")
property(name="$!search_filter")
constant(value="\", ")
constant(value="\"search_attr\":\"")
property(name="$!search_attr")
constant(value="\", ")
constant(value="\"search_res_tag\":\"")
property(name="$!search_res_tag")
constant(value="\", ")
constant(value="\"search_res_err\":\"")
property(name="$!search_res_err")
constant(value="\", ")
constant(value="\"search_res_qtime\":\"")
property(name="$!search_res_qtime")
constant(value="\", ")
constant(value="\"search_res_etime\":\"")
property(name="$!search_res_etime")
constant(value="\", ")
constant(value="\"search_res_nentries\":\"")
property(name="$!search_res_nentries")
constant(value="\", ")
constant(value="\"search_res_text\":\"")
property(name="$!search_res_text")
constant(value="\", ")
constant(value="\"message\":\"")
property(name="$!message")
constant(value="\" ")
constant(value=" }")
}
# On envoit les logs ldap vers openldap-log-parser qui tourne en tant que service
if $programname == 'slapd' then action(
type="omfwd"
Target="127.0.0.1"
Port="6514"
Protocol="tcp"
template="RSYSLOG_FileFormat")
# Le flux post openldap-log-parser, qu'on relit pour envoyer vers graylog
input(type="imfile"
File="/var/log/slapd.log.json"
Tag="openldap-agg"
addMetadata="on"
ruleset="remoteAllJsonLog"
)
ruleset(name="remoteAllJsonLog") {
action(type="mmjsonparse" cookie="")
action(
type="omfwd"
Target="graylog.example.org"
Port="2514"
Protocol="tcp"
template="sendJsonToGrayLogTemplate"
)
stop
}
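Review bot: The `omfwd` action inside `remoteAllJsonLog` ships the parsed records to `graylog.example.org` over plain `Protocol="tcp"`. Those records carry bind DNs, client addresses and search filters, so the directory's audit trail crosses the network unencrypted and unauthenticated. Because this is the example people will copy, it should show the TLS form of the action, using rsyslog's `gtls` stream driver with peer-name checking. That also needs a CA file set in `global()` and a TLS-enabled input on the Graylog side. Port 6514 on the loopback hop is the port usually associated with syslog over TLS while that action is plain TCP, so a one-line comment there would avoid confusion.

```rsyslog
action(
type="omfwd"
# … unchanged: Target, Port, Protocol, template …
StreamDriver="gtls"
StreamDriverMode="1"
StreamDriverAuthMode="x509/name"
StreamDriverPermittedPeers="graylog.example.org"
)
```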