diff --git a/README.md b/README.md index c8bc71d..0306c63 100644 --- a/README.md +++ b/README.md @@ -1,33 +1,35 @@ # Syslog Server -All received messages are written to *stdout* and/or forwarded to another syslog server. +All received messages are written to *stdout* and/or forwarded to a remote logging solution. The syslog server is able to listen on both UDP and TCP and parses syslog messages in either RFC5424 or RFC3164 (BSD) format. The default syslog port (514) requires you to run syslogd as root / administrator. If you do not wish to do so, you can choose a port number (with the *-p* or *--port* flag) above 1024. +Supported remote logging solutions are Syslog (RFC5424 over UDP), Graylog (GELF over UDP) and Grafana Loki. + ## Usage Instructions - Install the syslogd package (*.deb* or *.rpm*) from [downloads](https://bitbucket.org/mnellemann/syslogd/downloads/) or build from source. - Run *bin/syslogd*, use the *-h* option for help :) -```` -Usage: syslogd [-dghV] [--[no-]ansi] [--[no-]stdout] [--[no-]tcp] [--[no-]udp] - [--rfc5424] [-f=] [-p=] -Syslog Server - -d, --debug Enable debugging [default: 'false']. - -f, --forward= Forward to UDP host[:port] (RFC-5424). - -g, --gelf Forward in Graylog (GELF) JSON format. - -h, --help Show this help message and exit. - --[no-]ansi Output ANSI colors [default: true]. - --[no-]stdout Output messages to stdout [default: true]. - --[no-]tcp Listen on TCP [default: true]. - --[no-]udp Listen on UDP [default: true]. - -p, --port= Listening port [default: 514]. - --rfc5424 Parse RFC-5424 messages [default: RFC-3164]. - -V, --version Print version information and exit. -```` +```text +Usage: syslogd [-dhV] [--[no-]ansi] [--[no-]stdout] [--[no-]tcp] [--[no-]udp] + [--rfc5424] [-g=] [-l=] [-p=] [-s=] + -d, --debug Enable debugging [default: 'false']. + -g, --gelf= Forward to Graylog . + -h, --help Show this help message and exit. + -l, --loki= Forward to Grafana Loki . + --[no-]ansi Output ANSI colors [default: true]. + --[no-]stdout Output messages to stdout [default: true]. + --[no-]tcp Listen on TCP [default: true]. + --[no-]udp Listen on UDP [default: true]. + -p, --port= Listening port [default: 514]. + --rfc5424 Parse RFC-5424 messages [default: RFC-3164]. + -s, --syslog= Forward to Syslog (RFC-5424). + -V, --version Print version information and exit. +``` ### Examples @@ -46,20 +48,40 @@ or, if installed as a *deb* or *rpm* package: Listening on the standard syslog port (requires root privileges) and forwarding messages on to another log-system on a non-standard port. ``` -java -jar /path/to/syslogd-x.y.z-all.jar --forward remotehost:1514 +java -jar /path/to/syslogd-x.y.z-all.jar --syslog udp://remotehost:514 ``` Forwarding to a Graylog server in GELF format. ``` -java -jar /path/to/syslogd-x.y.z-all.jar --forward remotehost:12201 --gelf +java -jar /path/to/syslogd-x.y.z-all.jar --gelf udp://remotehost:12201 ``` +Forwarding to a Grafana Loki server. + +``` +java -jar /path/to/syslogd-x.y.z-all.jar --loki http://remotehost:3100 +``` If you don't want any output locally (only forwarding), you can use the ```--no-stdout``` flag. ## Notes +### IBM AIX and VIO Servers + Syslog messages from AIX (and IBM Power Virtual I/O Servers) can be troublesome with some logging solutions. These can be received with -syslogd and optionally forwarded on to Graylog, Splunk or other logging solutions. +syslogd and then forwarded on to your preferred logging solution. + + +## Development Notes + +### Test Grafana Loki + +Run Loki and Grafana in local containers to test. + +```shell +docker run --rm -d --name=loki -p 3100:3100 grafana/loki +docker run --rm -d --name=grafana --link loki:loki -p 3000:3000 grafana/grafana:7.1.3 +``` + diff --git a/gradle.properties b/gradle.properties index 199c37e..3887c25 100644 --- a/gradle.properties +++ b/gradle.properties @@ -1,3 +1,3 @@ id = syslogd group = biz.nellemann.syslogd -version = 1.0.13 +version = 1.0.14 diff --git a/src/main/java/biz/nellemann/syslogd/Application.java b/src/main/java/biz/nellemann/syslogd/Application.java index 248d9b0..8f1ff14 100644 --- a/src/main/java/biz/nellemann/syslogd/Application.java +++ b/src/main/java/biz/nellemann/syslogd/Application.java @@ -16,6 +16,7 @@ package biz.nellemann.syslogd; import biz.nellemann.syslogd.msg.SyslogMessage; +import biz.nellemann.syslogd.net.LokiClient; import biz.nellemann.syslogd.net.TcpServer; import biz.nellemann.syslogd.net.UdpClient; import biz.nellemann.syslogd.net.UdpServer; @@ -28,6 +29,10 @@ import picocli.CommandLine; import picocli.CommandLine.Command; import java.io.IOException; +import java.net.InetSocketAddress; +import java.net.URI; +import java.net.URL; +import java.util.Locale; import java.util.concurrent.Callable; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -40,9 +45,11 @@ public class Application implements Callable, LogListener { private boolean doForward = false; private SyslogParser syslogParser; private UdpClient udpClient; + private UdpClient gelfClient; + private LokiClient lokiClient; - @CommandLine.Option(names = {"-p", "--port"}, description = "Listening port [default: 514].", defaultValue = "514") + @CommandLine.Option(names = {"-p", "--port"}, description = "Listening port [default: 514].", defaultValue = "514", paramLabel = "") private int port; @CommandLine.Option(names = "--no-udp", negatable = true, description = "Listen on UDP [default: true].", defaultValue = "true") @@ -60,11 +67,14 @@ public class Application implements Callable, LogListener { @CommandLine.Option(names = "--rfc5424", description = "Parse RFC-5424 messages [default: RFC-3164].", defaultValue = "false") private boolean rfc5424; - @CommandLine.Option(names = { "-f", "--forward"}, description = "Forward to UDP host[:port] (RFC-5424).", paramLabel = "") - private String forward; + @CommandLine.Option(names = { "-s", "--syslog"}, description = "Forward to Syslog (RFC-5424).", paramLabel = "") + private URI syslog; - @CommandLine.Option(names = { "-g", "--gelf"}, description = "Forward in Graylog (GELF) JSON format.", defaultValue = "false") - private boolean gelf; + @CommandLine.Option(names = { "-g", "--gelf"}, description = "Forward to Graylog .", paramLabel = "") + private URI gelf; + + @CommandLine.Option(names = { "-l", "--loki"}, description = "Forward to Grafana Loki .", paramLabel = "") + private URL loki; @CommandLine.Option(names = { "-d", "--debug" }, description = "Enable debugging [default: 'false'].") private boolean enableDebug = false; @@ -83,23 +93,27 @@ public class Application implements Callable, LogListener { syslogParser = new SyslogParserRfc3164(); } - if(forward != null && !forward.isEmpty()) { - String fHost, fPort; - Pattern pattern = Pattern.compile("^([^:]+)(?::([0-9]+))?$", Pattern.CASE_INSENSITIVE); - Matcher matcher = pattern.matcher(forward); - if(matcher.find()) { - fHost = matcher.group(1); - if(matcher.groupCount() == 2 && matcher.group(2) != null) { - fPort = matcher.group(2); - } else { - fPort = "514"; - } + if(syslog != null) { + if(syslog.getScheme().toLowerCase(Locale.ROOT).equals("udp")) { + udpClient = new UdpClient(getInetSocketAddress(syslog)); + doForward = true; } else { - fHost = "localhost"; - fPort = "514"; + throw new UnsupportedOperationException("Syslog protocol not implemented: " + syslog.getScheme()); } + } - udpClient = new UdpClient(fHost, Integer.parseInt(fPort)); + if(gelf != null) { + System.err.println(gelf.getScheme()); + if(gelf.getScheme().toLowerCase(Locale.ROOT).equals("udp")) { + gelfClient = new UdpClient(getInetSocketAddress(gelf)); + doForward = true; + } else { + throw new UnsupportedOperationException("GELF protocol not implemented: " + gelf.getScheme()); + } + } + + if(loki != null) { + lokiClient = new LokiClient(loki); doForward = true; } @@ -143,11 +157,19 @@ public class Application implements Callable, LogListener { if(doForward) { try { - if(gelf) { - udpClient.send(SyslogPrinter.toGelf(msg)); - } else { + + if(udpClient != null) { udpClient.send(SyslogPrinter.toRfc5424(msg)); } + + if(gelfClient != null) { + gelfClient.send(SyslogPrinter.toGelf(msg)); + } + + if(lokiClient != null) { + lokiClient.send(SyslogPrinter.toLoki(msg)); + } + } catch (Exception e) { e.printStackTrace(); } @@ -157,6 +179,34 @@ public class Application implements Callable, LogListener { } + private InetSocketAddress getInetSocketAddress(URI input) { + InetSocketAddress inetSocketAddress = new InetSocketAddress(input.getHost(), input.getPort()); + return inetSocketAddress; + } + + + private InetSocketAddress getInetSocketAddress(String input) { + + String dstHost; + int dstPort; + InetSocketAddress inetSocketAddress = null; + + Pattern pattern = Pattern.compile("^([^:]+)(?::([0-9]+))?$", Pattern.CASE_INSENSITIVE); + Matcher matcher = pattern.matcher(input); + if(matcher.find()) { + dstHost = matcher.group(1); + if(matcher.groupCount() == 2 && matcher.group(2) != null) { + dstPort = Integer.parseInt(matcher.group(2)); + } else { + dstPort = 514; + } + inetSocketAddress = new InetSocketAddress(dstHost, dstPort); + } + + return inetSocketAddress; + } + + public static void main(String... args) { int exitCode = new CommandLine(new Application()).execute(args); System.exit(exitCode); diff --git a/src/main/java/biz/nellemann/syslogd/SyslogPrinter.java b/src/main/java/biz/nellemann/syslogd/SyslogPrinter.java index 7d478fb..0efb53c 100644 --- a/src/main/java/biz/nellemann/syslogd/SyslogPrinter.java +++ b/src/main/java/biz/nellemann/syslogd/SyslogPrinter.java @@ -81,7 +81,7 @@ public class SyslogPrinter { /** - * Return a GELF formatted string of the SyslogMessage. + * Return a GELF JSON formatted string of the SyslogMessage. * https://www.graylog.org/features/gelf * @param msg * @return @@ -104,6 +104,32 @@ public class SyslogPrinter { } + /** + * Return a Loki JSON formatted string of the SyslogMessage. + * https://grafana.com/docs/loki/latest/api/ + * @param msg + * @return + */ + +/* +{ "streams": [ { "stream": { "label": "value" }, "values": [ [ "", "" ], [ "", "" ] ] } ] } +{ "streams": [ { "stream": { "host": "hyperion", "facility": "USER", "severity": "NOTICE", "application": "mark"}, "values": [ [ "1615823598000000000", "Test 2345534343434" ] ] } ] } +{ "streams": [ { "stream": { "host": "hyperion", "facility": "USER", "severity": "NOTICE", "application": "mark"}, "values": [ [ "1615842165000000000", "Test" ] ] } ] } +*/ + + public static String toLoki(SyslogMessage msg) { + StringBuilder sb = new StringBuilder("{ \"streams\": [ { \"stream\": {"); + sb.append(String.format(" \"host\": \"%s\",", msg.hostname)); + sb.append(String.format(" \"facility\": \"%s\",", msg.facility)); + sb.append(String.format(" \"severity\": \"%s\",", msg.severity)); + sb.append(String.format(" \"application\": \"%s\"", msg.application)); + sb.append("}, \"values\": [ "); + sb.append(String.format("[ \"%d\", \"%s\" ]", msg.timestamp.getEpochSecond() * 1000000000l, msg.message)); + sb.append(" ] } ] }"); + return sb.toString(); + } + + static private String getPri(Facility facility, Severity severity) { int pri = (facility.toNumber() * 8) + severity.toNumber(); return String.format("%c%d%c", '<', pri, '>'); diff --git a/src/main/java/biz/nellemann/syslogd/net/LokiClient.java b/src/main/java/biz/nellemann/syslogd/net/LokiClient.java new file mode 100644 index 0000000..7eda2b9 --- /dev/null +++ b/src/main/java/biz/nellemann/syslogd/net/LokiClient.java @@ -0,0 +1,55 @@ +package biz.nellemann.syslogd.net; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; +import java.io.OutputStream; +import java.net.*; +import java.nio.charset.StandardCharsets; + +public class LokiClient { + + private final static Logger log = LoggerFactory.getLogger(LokiClient.class); + + private final URL url; + + + public LokiClient(URL url) { + this.url = url; + } + + + public void send(String msg) throws MalformedURLException { + + URL pushUrl = new URL(url, "/loki/api/v1/push"); + HttpURLConnection con = null; + try { + con = (HttpURLConnection)pushUrl.openConnection(); + con.setRequestMethod("POST"); + con.setRequestProperty("Content-Type", "application/json"); + con.setDoOutput(true); + + byte[] input = msg.getBytes(StandardCharsets.UTF_8); + try(OutputStream os = con.getOutputStream()) { + os.write(input, 0, input.length); + } catch (IOException e) { + log.warn(e.getMessage()); + } + + int responseCode = con.getResponseCode(); + if(responseCode != 204) { + log.warn("send() - response: " + responseCode); + } + + } catch (IOException e) { + log.warn("send() - " + e.getMessage()); + } finally { + if(con != null) { + con.disconnect(); + } + } + + } + +} diff --git a/src/main/java/biz/nellemann/syslogd/net/UdpClient.java b/src/main/java/biz/nellemann/syslogd/net/UdpClient.java index 69659c5..76e1a03 100644 --- a/src/main/java/biz/nellemann/syslogd/net/UdpClient.java +++ b/src/main/java/biz/nellemann/syslogd/net/UdpClient.java @@ -11,30 +11,17 @@ public class UdpClient { private final static Logger log = LoggerFactory.getLogger(UdpClient.class); + private InetSocketAddress inetSocketAddress; private DatagramSocket socket; - private InetAddress address; - private final Integer port; - public UdpClient(String host, Integer port) { - - try { - this.address = InetAddress.getByName(host); - } catch (UnknownHostException e) { - log.error("UdpClient() - UnknownHostException: " + e.getMessage()); - } - - try { - this.socket = new DatagramSocket(); - } catch (SocketException e) { - log.error("UdpClient() - Could not instantiate DatagramSocket: " + e.getMessage()); - } - - this.port = port; + public UdpClient(InetSocketAddress inetSocketAddress) throws SocketException { + this.inetSocketAddress = inetSocketAddress; + this.socket = new DatagramSocket(); } public void send(String msg) { byte[] buf = msg.getBytes(StandardCharsets.US_ASCII); - DatagramPacket packet = new DatagramPacket(buf, buf.length, address, port); + DatagramPacket packet = new DatagramPacket(buf, buf.length, inetSocketAddress.getAddress(), inetSocketAddress.getPort()); if(this.socket != null) { try { socket.send(packet); diff --git a/src/test/groovy/biz/nellemann/syslogd/SyslogPrinterTest.groovy b/src/test/groovy/biz/nellemann/syslogd/SyslogPrinterTest.groovy index 0b16366..adc03fc 100644 --- a/src/test/groovy/biz/nellemann/syslogd/SyslogPrinterTest.groovy +++ b/src/test/groovy/biz/nellemann/syslogd/SyslogPrinterTest.groovy @@ -24,6 +24,19 @@ class SyslogPrinterTest extends Specification { output.contains("_structured-data") } + void "test toLoki"() { + setup: + SyslogParser syslogParser = new SyslogParserRfc5424(); + String input = '<13>1 2020-09-23T08:57:30.950699+02:00 xps13 mark - - [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] adfdfdf3432434565656' + SyslogMessage msg = syslogParser.parse(input) + + when: + String output = SyslogPrinter.toLoki(msg) + + then: + output == '{ "streams": [ { "stream": { "host": "xps13", "facility": "USER", "severity": "NOTICE", "application": "mark"}, "values": [ [ "1600845200000000000", "adfdfdf3432434565656" ] ] } ] }' + } + }