1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
|
/* vi: set et ts=4: */
/* Copyright (C) 2007-2014 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Mike Pomraning <mpomraning@qualys.com>
*
* File-like output for logging: regular files and sockets.
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include "suricata-common.h" /* errno.h, string.h, etc. */
#include "tm-modules.h" /* LogFileCtx */
#include "conf.h" /* ConfNode, etc. */
#include "output.h" /* DEFAULT_LOG_* */
#include "util-logopenfile.h"
#include "util-logopenfile-tile.h"
/** \brief connect to the indicated local stream socket, logging any errors
* \param path filesystem path to connect to
* \param log_err, non-zero if connect failure should be logged.
* \retval FILE* on success (fdopen'd wrapper of underlying socket)
* \retval NULL on error
*/
static FILE *
SCLogOpenUnixSocketFp(const char *path, int sock_type, int log_err)
{
struct sockaddr_un sun;
int s = -1;
FILE * ret = NULL;
memset(&sun, 0x00, sizeof(sun));
s = socket(PF_UNIX, sock_type, 0);
if (s < 0) goto err;
sun.sun_family = AF_UNIX;
strlcpy(sun.sun_path, path, sizeof(sun.sun_path));
if (connect(s, (const struct sockaddr *)&sun, sizeof(sun)) < 0)
goto err;
ret = fdopen(s, "w");
if (ret == NULL)
goto err;
return ret;
err:
if (log_err)
SCLogWarning(SC_ERR_SOCKET,
"Error connecting to socket \"%s\": %s (will keep trying)",
path, strerror(errno));
if (s >= 0)
close(s);
return NULL;
}
/**
* \brief Attempt to reconnect a disconnected (or never-connected) Unix domain socket.
* \retval 1 if it is now connected; otherwise 0
*/
static int SCLogUnixSocketReconnect(LogFileCtx *log_ctx)
{
int disconnected = 0;
if (log_ctx->fp) {
SCLogWarning(SC_ERR_SOCKET,
"Write error on Unix socket \"%s\": %s; reconnecting...",
log_ctx->filename, strerror(errno));
fclose(log_ctx->fp);
log_ctx->fp = NULL;
log_ctx->reconn_timer = 0;
disconnected = 1;
}
struct timeval tv;
uint64_t now;
gettimeofday(&tv, NULL);
now = (uint64_t)tv.tv_sec * 1000;
now += tv.tv_usec / 1000; /* msec resolution */
if (log_ctx->reconn_timer != 0 &&
(now - log_ctx->reconn_timer) < LOGFILE_RECONN_MIN_TIME) {
/* Don't bother to try reconnecting too often. */
return 0;
}
log_ctx->reconn_timer = now;
log_ctx->fp = SCLogOpenUnixSocketFp(log_ctx->filename, log_ctx->sock_type, 0);
if (log_ctx->fp) {
/* Connected at last (or reconnected) */
SCLogNotice("Reconnected socket \"%s\"", log_ctx->filename);
} else if (disconnected) {
SCLogWarning(SC_ERR_SOCKET, "Reconnect failed: %s (will keep trying)",
strerror(errno));
}
return log_ctx->fp ? 1 : 0;
}
/**
* \brief Write buffer to log file.
* \retval 0 on failure; otherwise, the return value of fwrite (number of
* characters successfully written).
*/
static int SCLogFileWrite(const char *buffer, int buffer_len, LogFileCtx *log_ctx)
{
/* Check for rotation. */
if (log_ctx->rotation_flag) {
log_ctx->rotation_flag = 0;
SCConfLogReopen(log_ctx);
}
int ret = 0;
if (log_ctx->fp == NULL && log_ctx->is_sock)
SCLogUnixSocketReconnect(log_ctx);
if (log_ctx->fp) {
clearerr(log_ctx->fp);
ret = fwrite(buffer, buffer_len, 1, log_ctx->fp);
fflush(log_ctx->fp);
if (ferror(log_ctx->fp) && log_ctx->is_sock) {
/* Error on Unix socket, maybe needs reconnect */
if (SCLogUnixSocketReconnect(log_ctx)) {
ret = fwrite(buffer, buffer_len, 1, log_ctx->fp);
fflush(log_ctx->fp);
}
}
}
return ret;
}
static void SCLogFileClose(LogFileCtx *log_ctx)
{
if (log_ctx->fp)
fclose(log_ctx->fp);
}
/** \brief open the indicated file, logging any errors
* \param path filesystem path to open
* \param append_setting open file with O_APPEND: "yes" or "no"
* \retval FILE* on success
* \retval NULL on error
*/
static FILE *
SCLogOpenFileFp(const char *path, const char *append_setting)
{
FILE *ret = NULL;
if (strcasecmp(append_setting, "yes") == 0) {
ret = fopen(path, "a");
} else {
ret = fopen(path, "w");
}
if (ret == NULL)
SCLogError(SC_ERR_FOPEN, "Error opening file: \"%s\": %s",
path, strerror(errno));
return ret;
}
/** \brief open the indicated file remotely over PCIe to a host
* \param path filesystem path to open
* \param append_setting open file with O_APPEND: "yes" or "no"
* \retval FILE* on success
* \retval NULL on error
*/
static PcieFile *SCLogOpenPcieFp(LogFileCtx *log_ctx, const char *path,
const char *append_setting)
{
#ifndef __tile__
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY,
"PCIe logging only supported on Tile-Gx Architecture.");
return NULL;
#else
return TileOpenPcieFp(log_ctx, path, append_setting);
#endif
}
/** \brief open a generic output "log file", which may be a regular file or a socket
* \param conf ConfNode structure for the output section in question
* \param log_ctx Log file context allocated by caller
* \param default_filename Default name of file to open, if not specified in ConfNode
* \param rotate Register the file for rotation in HUP.
* \retval 0 on success
* \retval -1 on error
*/
int
SCConfLogOpenGeneric(ConfNode *conf,
LogFileCtx *log_ctx,
const char *default_filename,
int rotate)
{
char log_path[PATH_MAX];
char *log_dir;
const char *filename, *filetype;
// Arg check
if (conf == NULL || log_ctx == NULL || default_filename == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"SCConfLogOpenGeneric(conf %p, ctx %p, default %p) "
"missing an argument",
conf, log_ctx, default_filename);
return -1;
}
if (log_ctx->fp != NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"SCConfLogOpenGeneric: previously initialized Log CTX "
"encountered");
return -1;
}
// Resolve the given config
filename = ConfNodeLookupChildValue(conf, "filename");
if (filename == NULL)
filename = default_filename;
log_dir = ConfigGetLogDirectory();
if (PathIsAbsolute(filename)) {
snprintf(log_path, PATH_MAX, "%s", filename);
} else {
snprintf(log_path, PATH_MAX, "%s/%s", log_dir, filename);
}
filetype = ConfNodeLookupChildValue(conf, "filetype");
if (filetype == NULL)
filetype = DEFAULT_LOG_FILETYPE;
const char *append = ConfNodeLookupChildValue(conf, "append");
if (append == NULL)
append = DEFAULT_LOG_MODE_APPEND;
// Now, what have we been asked to open?
if (strcasecmp(filetype, "unix_stream") == 0) {
/* Don't bail. May be able to connect later. */
log_ctx->is_sock = 1;
log_ctx->sock_type = SOCK_STREAM;
log_ctx->fp = SCLogOpenUnixSocketFp(log_path, SOCK_STREAM, 1);
} else if (strcasecmp(filetype, "unix_dgram") == 0) {
/* Don't bail. May be able to connect later. */
log_ctx->is_sock = 1;
log_ctx->sock_type = SOCK_DGRAM;
log_ctx->fp = SCLogOpenUnixSocketFp(log_path, SOCK_DGRAM, 1);
} else if (strcasecmp(filetype, DEFAULT_LOG_FILETYPE) == 0 ||
strcasecmp(filetype, "file") == 0) {
log_ctx->fp = SCLogOpenFileFp(log_path, append);
if (log_ctx->fp == NULL)
return -1; // Error already logged by Open...Fp routine
log_ctx->is_regular = 1;
if (rotate) {
OutputRegisterFileRotationFlag(&log_ctx->rotation_flag);
}
} else if (strcasecmp(filetype, "pcie") == 0) {
log_ctx->pcie_fp = SCLogOpenPcieFp(log_ctx, log_path, append);
if (log_ctx->pcie_fp == NULL)
return -1; // Error already logged by Open...Fp routine
} else {
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Invalid entry for "
"%s.filetype. Expected \"regular\" (default), \"unix_stream\", "
"\"pcie\" "
"or \"unix_dgram\"",
conf->name);
}
log_ctx->filename = SCStrdup(log_path);
if (unlikely(log_ctx->filename == NULL)) {
SCLogError(SC_ERR_MEM_ALLOC,
"Failed to allocate memory for filename");
return -1;
}
SCLogInfo("%s output device (%s) initialized: %s", conf->name, filetype,
filename);
return 0;
}
/**
* \brief Reopen a regular log file with the side-affect of truncating it.
*
* This is useful to clear the log file and start a new one, or to
* re-open the file after its been moved by something external
* (eg. logrotate).
*/
int SCConfLogReopen(LogFileCtx *log_ctx)
{
if (!log_ctx->is_regular) {
/* Not supported and not needed on non-regular files. */
return 0;
}
if (log_ctx->filename == NULL) {
SCLogWarning(SC_ERR_INVALID_ARGUMENT,
"Can't re-open LogFileCtx without a filename.");
return -1;
}
fclose(log_ctx->fp);
/* Reopen the file. Append is forced in case the file was not
* moved as part of a rotation process. */
SCLogDebug("Reopening log file %s.", log_ctx->filename);
log_ctx->fp = SCLogOpenFileFp(log_ctx->filename, "yes");
if (log_ctx->fp == NULL) {
return -1; // Already logged by Open..Fp routine.
}
return 0;
}
/** \brief LogFileNewCtx() Get a new LogFileCtx
* \retval LogFileCtx * pointer if succesful, NULL if error
* */
LogFileCtx *LogFileNewCtx(void)
{
LogFileCtx* lf_ctx;
lf_ctx = (LogFileCtx*)SCMalloc(sizeof(LogFileCtx));
if (lf_ctx == NULL)
return NULL;
memset(lf_ctx, 0, sizeof(LogFileCtx));
SCMutexInit(&lf_ctx->fp_mutex,NULL);
// Default Write and Close functions
lf_ctx->Write = SCLogFileWrite;
lf_ctx->Close = SCLogFileClose;
return lf_ctx;
}
/** \brief LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
* \param motcx pointer to the OutputCtx
* \retval int 1 if succesful, 0 if error
* */
int LogFileFreeCtx(LogFileCtx *lf_ctx)
{
if (lf_ctx == NULL) {
SCReturnInt(0);
}
if (lf_ctx->fp != NULL) {
SCMutexLock(&lf_ctx->fp_mutex);
lf_ctx->Close(lf_ctx);
SCMutexUnlock(&lf_ctx->fp_mutex);
}
SCMutexDestroy(&lf_ctx->fp_mutex);
if (lf_ctx->prefix != NULL)
SCFree(lf_ctx->prefix);
if(lf_ctx->filename != NULL)
SCFree(lf_ctx->filename);
OutputUnregisterFileRotationFlag(&lf_ctx->rotation_flag);
SCFree(lf_ctx);
SCReturnInt(1);
}
|
