########################################################################################################################## # $Id: 93_Log2Syslog.pm 18981 2019-03-20 21:39:53Z DS_Starter $ ########################################################################################################################## # 93_Log2Syslog.pm # # (c) 2017-2019 by Heiko Maaz # e-mail: Heiko dot Maaz at t-online dot de # # This script is part of fhem. # # Fhem is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 2 of the License, or # (at your option) any later version. # # Fhem is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with fhem. If not, see . # # The module is based on idea and input from betateilchen 92_rsyslog.pm # # Implements the Syslog Protocol of RFC 5424 https://tools.ietf.org/html/rfc5424 # and RFC 3164 https://tools.ietf.org/html/rfc3164 and # TLS Transport according to RFC5425 https://tools.ietf.org/pdf/rfc5425.pdf as well # ########################################################################################################################## package main; use strict; use warnings; use TcpServerUtils; use Scalar::Util qw(looks_like_number); use Encode qw(encode_utf8); eval "use IO::Socket::INET;1" or my $MissModulSocket = "IO::Socket::INET"; eval "use Net::Domain qw(hostname hostfqdn hostdomain domainname);1" or my $MissModulNDom = "Net::Domain"; # Versions History intern: our %Log2Syslog_vNotesIntern = ( "5.6.0" => "23.03.2019 attribute exclErrCond to exclude events from rating as \"error\" ", "5.5.0" => "18.03.2019 prepare for Meta.pm ", "5.4.0" => "17.03.2019 new feature parseProfile = Automatic ", "5.3.2" => "08.02.2019 fix version numbering ", "5.3.1" => "21.10.2018 get of FQDN changed ", "5.3.0" => "16.10.2018 attribute sslCertPrefix added (Forum:#92030), module hints & release info order switched ", "5.2.1" => "08.10.2018 setpayload of BSD-format changed, commandref revised ", "5.2.0" => "02.10.2018 added direct help for attributes", "5.1.0" => "01.10.2018 new get versionNotes command", "5.0.1" => "27.09.2018 Log2Syslog_closesock if write error:.* , delete readings code changed", "5.0.0" => "26.09.2018 TCP-Server in Collector-mode, HIPCACHE added, PROFILE as Internal, Parse_Err_No as reading, octetCount attribute, TCP-SSL-support, set 'reopen' command, code fixes", "4.8.5" => "20.08.2018 BSD/parseFn parsing changed, BSD setpayload changed, new variable \$IGNORE in parseFn", "4.8.4" => "15.08.2018 BSD parsing changed", "4.8.3" => "14.08.2018 BSD setpayload changed, BSD parsing changed, Internal MYFQDN", "4.8.2" => "13.08.2018 rename makeMsgEvent to makeEvent", "4.8.1" => "12.08.2018 IETF-Syslog without VERSION changed, Log verbose 1 to 2 changed in parsePayload", "4.8.0" => "12.08.2018 enhanced IETF Parser to match logs without version", "4.7.0" => "10.08.2018 Parser for TPLink", "4.6.1" => "10.08.2018 some perl warnings, changed IETF Parser", "4.6.0" => "08.08.2018 set sendTestMessage added, Attribute 'contDelimiter', 'respectSeverity'", "4.5.1" => "07.08.2018 BSD Regex changed, setpayload of BSD changed", "4.5.0" => "06.08.2018 Regex capture groups used in parsePayload to set variables, parsing of BSD changed, Attribute 'makeMsgEvent' added", "4.4.0" => "04.08.2018 Attribute 'outputFields' added", "4.3.0" => "03.08.2018 Attribute 'parseFn' added", "4.2.0" => "03.08.2018 evaluate sender peer ip-address/hostname, use it as reading in event generation", "4.1.0" => "02.08.2018 state event generation changed", "4.0.0" => "30.07.2018 server mode (Collector)", "3.2.1" => "04.05.2018 fix compatibility with newer IO::Socket::SSL on debian 9, attr ssldebug for debugging SSL messages", "3.2.0" => "22.11.2017 add NOTIFYDEV if possible", "3.1.0" => "28.08.2017 get-function added, commandref revised, \$readingFnAttributes deleted", "3.0.0" => "27.08.2017 change attr type to protocol, ready to check in", "2.6.0" => "26.08.2017 more than one Log2Syslog device can be created", "2.5.2" => "26.08.2018 fix in splitting timestamp, change Log2Syslog_trate using internaltimer with attr rateCalcRerun, function Log2Syslog_closesock", "2.5.1" => "24.08.2017 some fixes", "2.5.0" => "23.08.2017 TLS encryption available, new readings, \$readingFnAttributes", "2.4.1" => "21.08.2017 changes in sub Log2Syslog_charfilter, change PROCID to \$hash->{SEQNO} switch to non-blocking in subs event/Log2Syslog_fhemlog", "2.4.0" => "20.08.2017 new sub Log2Syslog_Log3slog for entries in local fhemlog only -> verbose support", "2.3.1" => "19.08.2017 commandref revised", "2.3.0" => "18.08.2017 new parameter 'ident' in DEF, sub setidex, Log2Syslog_charfilter", "2.2.0" => "17.08.2017 set BSD data length, set only acceptable characters (USASCII) in payload, commandref revised", "2.1.0" => "17.08.2017 sub Log2Syslog_opensock created", "2.0.0" => "16.08.2017 create syslog without SYS::SYSLOG", "1.1.1" => "13.08.2017 registrate Log2Syslog_fhemlog to %loginform in case of sending fhem-log attribute timeout, commandref revised", "1.1.0" => "26.07.2017 add regex search to sub Log2Syslog_fhemlog", "1.0.0" => "25.07.2017 initial version" ); # Versions History extern: our %Log2Syslog_vNotesExtern = ( "5.6.0" => "23.03.2019 New attribute \"exclErrCond\" to exclude events from rating as \"Error\" even though the ". "event contains the text \"Error\". ", "5.4.0" => "17.03.2019 New feature parseProfile = Automatic. The module may detect the message format BSD or IETF automatically in server mode ", "5.3.2" => "08.02.2019 fix version numbering ", "5.3.0" => "16.10.2018 attribute sslCertPrefix added to support multiple SSL-keys (Forum:#92030)", "5.2.1" => "08.10.2018 Send format of BSD changed. The TAG-field was changed to \"IDENT[PID]: \" ", "5.2.0" => "02.10.2018 direct help for attributes added", "5.1.0" => "29.09.2018 new get <name> versionNotes command ", "5.0.1" => "27.09.2018 automatic reconnect to syslog-server in case of write error ", "5.0.0" => "26.09.2018 Some changes:

TCP Server mode is possible now for Collector devices<\li>

the used parse-profile is shown as Internal<\li>

Parse_Err_No counts faulty persings since start<\li>

new octetCount attribute switches the syslog framing method (see also RFC6587 Transmission of Syslog Messages over TCP)<\li>

TCP SSL-support<\li>

new set 'reopen' command to reconnect a broken connection<\li>

some code fixes ", "4.8.5" => "20.08.2018 BSD/parseFn parse changed, BSD setpayload changed, new variable \$IGNORE in parseFn ", "4.8.4" => "15.08.2018 BSD parse changed again ", "4.8.3" => "14.08.2018 BSD setpayload changed, BSD parse changed, new Internal MYFQDN ", "4.8.2" => "13.08.2018 rename makeMsgEvent to makeEvent ", "4.8.1" => "12.08.2018 IETF-Syslog without VERSION changed, Log verbose 1 to 2 changed in parsePayload ", "4.8.0" => "12.08.2018 enhanced IETF Parser to match logs without version ", "4.7.0" => "10.08.2018 Parser for TPLink added ", "4.6.1" => "10.08.2018 fix some perl warnings, changed IETF Parser ", "4.6.0" => "08.08.2018 set sendTestMessage added, new attributes 'contDelimiter', 'respectSeverity' ", "4.5.1" => "07.08.2018 BSD Regex changed, setpayload of BSD changed ", "4.5.0" => "06.08.2018 parsing of BSD changed, attribute 'makeMsgEvent' added ", "4.4.0" => "04.08.2018 Attribute 'outputFields' added ", "4.3.0" => "03.08.2018 Attribute 'parseFn' added ", "4.2.0" => "03.08.2018 evaluate sender peer ip-address/hostname and use it as reading in event generation ", "4.1.0" => "02.08.2018 state event generation changed ", "4.0.0" => "30.07.2018 Server mode (Collector) implemented ", "3.2.1" => "04.05.2018 fix compatibility with newer IO::Socket::SSL on debian 9, attribute ssldebug for debugging SSL messages ", "3.2.0" => "22.11.2017 add NOTIFYDEV if possible ", "3.1.0" => "28.08.2017 get-function added, commandref revised ", "3.0.0" => "27.08.2017 change attr type to protocol, ready to first check in ", "2.6.0" => "26.08.2017 more than one Log2Syslog device can be created ", "2.5.2" => "26.08.2018 attribute rateCalcRerun ", "2.5.1" => "24.08.2017 some bugfixes ", "2.5.0" => "23.08.2017 TLS encryption available to Sender ", "2.4.1" => "21.08.2017 change PROCID to \$hash->{SEQNO}, switch to non-blocking in subs event/fhemlog ", "2.4.0" => "20.08.2017 new sub for entries in local fhemlog only including verbose support ", "2.3.1" => "19.08.2017 commandref revised ", "2.3.0" => "18.08.2017 new parameter 'ident' in Define to indentify sylog source ", "2.2.0" => "17.08.2017 set BSD data length, set only acceptable characters (USASCII) in payload ", "2.0.0" => "16.08.2017 create syslog without perl module SYS::SYSLOG ", "1.1.0" => "26.07.2017 add regex search to sub Log2Syslog_fhemlog ", "1.0.0" => "25.07.2017 initial version " ); # Mappinghash BSD-Formatierung Monat our %Log2Syslog_BSDMonth = ( "01" => "Jan", "02" => "Feb", "03" => "Mar", "04" => "Apr", "05" => "May", "06" => "Jun", "07" => "Jul", "08" => "Aug", "09" => "Sep", "10" => "Oct", "11" => "Nov", "12" => "Dec", "Jan" => "01", "Feb" => "02", "Mar" => "03", "Apr" => "04", "May" => "05", "Jun" => "06", "Jul" => "07", "Aug" => "08", "Sep" => "09", "Oct" => "10", "Nov" => "11", "Dec" => "12" ); # Mappinghash Severity my %Log2Syslog_Severity = ( "0" => "Emergency", "1" => "Alert", "2" => "Critical", "3" => "Error", "4" => "Warning", "5" => "Notice", "6" => "Informational", "7" => "Debug", "Emergency" => "0", "Alert" => "1", "Critical" => "2", "Error" => "3", "Warning" => "4", "Notice" => "5", "Informational" => "6", "Debug" => "7" ); # Mappinghash Facility my %Log2Syslog_Facility = ( "0" => "kernel", "1" => "user", "2" => "mail", "3" => "system", "4" => "security", "5" => "syslog", "6" => "printer", "7" => "network", "8" => "UUCP", "9" => "clock", "10" => "security", "11" => "FTP", "12" => "NTP", "13" => "log_audit", "14" => "log_alert", "15" => "clock", "16" => "local0", "17" => "local1", "18" => "local2", "19" => "local3", "20" => "local4", "21" => "local5", "22" => "local6", "23" => "local7" ); # Längenvorgaben nach RFC3164 my %RFC3164len = ("TAG" => 32, # max. Länge TAG-Feld "DL" => 1024 # max. Lange Message insgesamt ); # Längenvorgaben nach RFC5425 my %RFC5425len = ("DL" => 8192, # max. Lange Message insgesamt mit TLS "HST" => 255, # max. Länge Hostname "ID" => 48, # max. Länge APP-NAME bzw. Ident "PID" => 128, # max. Länge Proc-ID "MID" => 32 # max. Länge MSGID ); ############################################################################### # Forward declarations # sub Log2Syslog_Log3slog($$$); use vars qw(%Log2Syslog_vHintsExt_en); use vars qw(%Log2Syslog_vHintsExt_de); ############################################################################### sub Log2Syslog_Initialize($) { my ($hash) = @_; $hash->{DefFn} = "Log2Syslog_Define"; $hash->{UndefFn} = "Log2Syslog_Undef"; $hash->{DeleteFn} = "Log2Syslog_Delete"; $hash->{SetFn} = "Log2Syslog_Set"; $hash->{GetFn} = "Log2Syslog_Get"; $hash->{AttrFn} = "Log2Syslog_Attr"; $hash->{NotifyFn} = "Log2Syslog_eventlog"; $hash->{ReadFn} = "Log2Syslog_Read"; $hash->{AttrList} = "addStateEvent:1,0 ". "disable:1,0,maintenance ". "addTimestamp:0,1 ". "contDelimiter ". "exclErrCond:textField-long ". "logFormat:BSD,IETF ". "makeEvent:no,intern,reading ". "outputFields:sortable-strict,PRIVAL,FAC,SEV,TS,HOST,DATE,TIME,ID,PID,MID,SDFIELD,CONT ". "parseProfile:Automatic,BSD,IETF,TPLink-Switch,raw,ParseFn ". "parseFn:textField-long ". "respectSeverity:multiple-strict,Emergency,Alert,Critical,Error,Warning,Notice,Informational,Debug ". "octetCount:1,0 ". "ssldebug:0,1,2,3 ". "sslCertPrefix ". "TLS:1,0 ". "timeout ". "protocol:UDP,TCP ". "port ". "rateCalcRerun ". $readingFnAttributes ; FHEM::Meta::InitMod( __FILE__, $hash ); # für Meta.pm (https://forum.fhem.de/index.php/topic,97589.0.html) return; } ############################################################################### sub Log2Syslog_Define($@) { my ($hash, $def) = @_; my @a = split("[ \t][ \t]*", $def); my $name = $hash->{NAME}; return "Error: Perl module ".$MissModulSocket." is missing. Install it on Debian with: sudo apt-get install libio-socket-multicast-perl" if($MissModulSocket); return "Error: Perl module ".$MissModulNDom." is missing." if($MissModulNDom); # Example Sender: define splunklog Log2Syslog splunk.myds.me ident:Prod event:.* fhem:.* # Example Collector: define SyslogServer Log2Syslog delete($hash->{HELPER}{EVNTLOG}); delete($hash->{HELPER}{FHEMLOG}); delete($hash->{HELPER}{IDENT}); $hash->{MYHOST} = hostname(); # eigener Host (lt. RFC nur Hostname f. BSD) my $myfqdn = hostfqdn(); # MYFQDN eigener Host (f. IETF) $hash->{MYFQDN} = $myfqdn?$myfqdn:$hash->{MYHOST}; if(int(@a)-3 < 0){ # Einrichtung Servermode (Collector) $hash->{MODEL} = "Collector"; $hash->{PROFILE} = "Automatic"; readingsSingleUpdate ($hash, 'Parse_Err_No', 0, 1); # Fehlerzähler für Parse-Errors auf 0 Log2Syslog_Log3slog ($hash, 3, "Log2Syslog $name - entering Syslog servermode ..."); Log2Syslog_initServer("$name,global"); } else { # Sendermode $hash->{MODEL} = "Sender"; Log2Syslog_setidrex($hash,$a[3]) if($a[3]); Log2Syslog_setidrex($hash,$a[4]) if($a[4]); Log2Syslog_setidrex($hash,$a[5]) if($a[5]); eval { "Hallo" =~ m/^$hash->{HELPER}{EVNTLOG}$/ } if($hash->{HELPER}{EVNTLOG}); return "Bad regexp: $@" if($@); eval { "Hallo" =~ m/^$hash->{HELPER}{FHEMLOG}$/ } if($hash->{HELPER}{FHEMLOG}); return "Bad regexp: $@" if($@); return "Bad regexp: starting with *" if((defined($hash->{HELPER}{EVNTLOG}) && $hash->{HELPER}{EVNTLOG} =~ m/^\*/) || (defined($hash->{HELPER}{FHEMLOG}) && $hash->{HELPER}{FHEMLOG} =~ m/^\*/)); # nur Events dieser Devices an NotifyFn weiterleiten, NOTIFYDEV wird gesetzt wenn möglich notifyRegexpChanged($hash, $hash->{HELPER}{EVNTLOG}) if($hash->{HELPER}{EVNTLOG}); $hash->{PEERHOST} = $a[2]; # Destination Host (Syslog Server) } $hash->{SEQNO} = 1; # PROCID in IETF, wird kontinuierlich hochgezählt $logInform{$hash->{NAME}} = "Log2Syslog_fhemlog"; # Funktion die in hash %loginform für $name eingetragen wird $hash->{HELPER}{SSLVER} = "n.a."; # Initialisierung $hash->{HELPER}{SSLALGO} = "n.a."; # Initialisierung $hash->{HELPER}{LTIME} = time(); # Init Timestmp f. Ratenbestimmung $hash->{HELPER}{OLDSEQNO} = $hash->{SEQNO}; # Init Sequenznummer f. Ratenbestimmung $hash->{HELPER}{OLDSTATE} = "initialized"; # Versionsinformationen setzen Log2Syslog_setVersionInfo($hash); readingsBeginUpdate($hash); readingsBulkUpdate($hash, "SSL_Version", "n.a."); readingsBulkUpdate($hash, "SSL_Algorithm", "n.a."); readingsBulkUpdate($hash, "Transfered_logs_per_minute", 0); readingsBulkUpdate($hash, "state", "initialized") if($hash->{MODEL}=~/Sender/); readingsEndUpdate($hash,1); Log2Syslog_trate($hash); # regelm. Berechnung Transfer Rate starten return undef; } ################################################################################################# # Syslog Collector (Server-Mode) initialisieren # (im Collector Model) ################################################################################################# sub Log2Syslog_initServer($) { my ($a) = @_; my ($name,$global) = split(",",$a); my $hash = $defs{$name}; my $err; RemoveInternalTimer($hash, "Log2Syslog_initServer"); return if(IsDisabled($name) || $hash->{SERVERSOCKET}); if($init_done != 1 || Log2Syslog_IsMemLock($hash)) { InternalTimer(gettimeofday()+1, "Log2Syslog_initServer", "$name,$global", 0); return; } # Inititialisierung FHEM ist fertig -> Attribute geladen my $port = AttrVal($name, "TLS", 0)?AttrVal($name, "port", 6514):AttrVal($name, "port", 1514); my $protocol = lc(AttrVal($name, "protocol", "udp")); my $lh = ($global ? ($global eq "global" ? undef : $global) : ($hash->{IPV6} ? "::1" : "127.0.0.1")); Log2Syslog_Log3slog ($hash, 3, "Log2Syslog $name - Opening socket on interface \"$global\" ..."); if($protocol =~ /udp/) { $hash->{SERVERSOCKET} = IO::Socket::INET->new( Domain => ($hash->{IPV6} ? AF_INET6() : AF_UNSPEC), # Linux bug LocalHost => $lh, Proto => $protocol, LocalPort => $port, ReuseAddr => 1 ); if(!$hash->{SERVERSOCKET}) { $err = "Can't open Syslog Collector at $port: $!"; Log2Syslog_Log3slog ($hash, 1, "Log2Syslog $name - $err"); readingsSingleUpdate ($hash, 'state', $err, 1); return; } $hash->{FD} = $hash->{SERVERSOCKET}->fileno(); $hash->{PORT} = $hash->{SERVERSOCKET}->sockport(); } else { $lh = "global" if(!$lh); my $ret = TcpServer_Open($hash,$port,$lh); if($ret) { $err = "Can't open Syslog TCP Collector at $port: $ret"; Log2Syslog_Log3slog ($hash, 1, "Log2Syslog $name - $err"); readingsSingleUpdate ($hash, 'state', $err, 1); return; } } $hash->{PROTOCOL} = $protocol; $hash->{SEQNO} = 1; # PROCID wird kontinuierlich pro empfangenen Datensatz hochgezählt $hash->{HELPER}{OLDSEQNO} = $hash->{SEQNO}; # Init Sequenznummer f. Ratenbestimmung $hash->{INTERFACE} = $lh?$lh:"global"; Log2Syslog_Log3slog ($hash, 3, "Log2Syslog $name - port $hash->{PORT}/$protocol opened for Syslog Collector on interface \"$hash->{INTERFACE}\""); readingsSingleUpdate ($hash, "state", "initialized", 1); delete($readyfnlist{"$name.$port"}); $selectlist{"$name.$port"} = $hash; return; } ######################################################################################################## # Syslog Collector Daten empfangen (im Collector-Mode) # # !!!!! Achtung !!!!! # Kontextswitch des $hash beachten: initialer TCP-Server <-> temporärer TCP-Server ohne SERVERSOCKET # ######################################################################################################## # called from the global loop, when the select for hash->{FD} reports data sub Log2Syslog_Read($@) { my ($hash,$reread) = @_; my $socket = $hash->{SERVERSOCKET}; my ($err,$sev,$data,$ts,$phost,$pl,$ignore,$st,$len,$evt,$pen); return if($init_done != 1); my $mlen = 8192; # maximale Länge des Syslog-Frames als Begrenzung falls kein EOF # vom Sender initiiert wird (Endlosschleife vermeiden) if($hash->{TEMPORARY}) { # temporäre Instanz angelegt durch TcpServer_Accept $len = 8192; ($st,$data,$hash) = Log2Syslog_getifdata($hash,$len,$mlen,$reread); } my $name = $hash->{NAME}; return if(IsDisabled($name) || Log2Syslog_IsMemLock($hash)); my $pp = $hash->{PROFILE}; my $mevt = AttrVal($name, "makeEvent", "intern"); # wie soll Reading/Event erstellt werden my $sevevt = AttrVal($name, "respectSeverity", ""); # welcher Schweregrad soll berücksichtigt werden (default: alle) if($pp =~ /BSD/) { # BSD-Format $len = $RFC3164len{DL}; } elsif ($pp =~ /IETF/) { # IETF-Format $len = $RFC5425len{DL}; } else { # raw oder User eigenes Format $len = 8192; } if($socket) { ($st,$data,$hash) = Log2Syslog_getifdata($hash,$len,$mlen,$reread); } if($data) { # parse Payload my (@load,$mlen,$msg,$tail); if($data =~ /^(?(\d+))\s(?.*)/s) { # Syslog Sätze mit Octet Count -> Transmission of Syslog Messages over TCP https://tools.ietf.org/html/rfc6587 my $i = 0; $mlen = $+{mlen}; $tail = $+{tail}; $msg = substr($tail,0,$mlen); chomp $msg; push @load, $msg; $tail = substr($tail,$mlen); Log2Syslog_Log3slog ($hash, 5, "Log2Syslog $name -> LEN$i: $mlen, MSG$i: $msg, TAIL$i: $tail"); while($tail && $tail =~ /^(?(\d+))\s(?.*)/s) { $i++; $mlen = $+{mlen}; $tail = $+{tail}; $msg = substr($tail,0,$mlen); chomp $msg; push @load, $msg; $tail = substr($tail,$mlen); Log2Syslog_Log3slog ($hash, 5, "Log2Syslog $name -> LEN$i: $mlen, MSG$i: $msg, TAIL$i: $tail"); } } else { @load = split("[\r\n]",$data); } foreach my $line (@load) { ($err,$ignore,$sev,$phost,$ts,$pl) = Log2Syslog_parsePayload($hash,$line); $hash->{SEQNO}++; if($err) { $pen = ReadingsVal($name, "Parse_Err_No", 0); $pen++; readingsSingleUpdate($hash, 'Parse_Err_No', $pen, 1); $st = "parse error - see logfile"; } elsif ($ignore) { Log2Syslog_Log3slog ($hash, 5, "Log2Syslog $name -> dataset was ignored by parseFn"); } else { return if($sevevt && $sevevt !~ m/$sev/); # Message nicht berücksichtigen $st = "active"; if($mevt =~ /intern/) { # kein Reading, nur Event $pl = "$phost: $pl"; Log2Syslog_Trigger($hash,$ts,$pl); } elsif ($mevt =~ /reading/) { # Reading, Event abhängig von event-on-.* readingsSingleUpdate($hash, "MSG_$phost", $pl, 1); } else { # Reading ohne Event readingsSingleUpdate($hash, "MSG_$phost", $pl, 0); } } $evt = ($st eq $hash->{HELPER}{OLDSTATE})?0:1; readingsSingleUpdate($hash, "state", $st, $evt); $hash->{HELPER}{OLDSTATE} = $st; } } return; } ############################################################################### # Daten vom Interface holen # # Die einzige Aufgabe der Instanz mit SERVERSOCKET ist TcpServer_Accept # durchzufuehren (und evtl. noch Statistiken). Durch den Accept wird eine # weitere Instanz des gleichen Typs angelegt die eine Verbindung repraesentiert # und im ReadFn die eigentliche Arbeit macht: # # - ohne SERVERSOCKET dafuer mit CD/FD, PEER und PORT. CD/FD enthaelt den # neuen Filedeskriptor. # - mit TEMPORARY (damit es nicht gespeichert wird) # - SNAME verweist auf die "richtige" Instanz, damit man die Attribute # abfragen kann. # - TcpServer_Accept traegt den neuen Filedeskriptor in die globale %selectlist # ein. Damit wird ReadFn von fhem.pl/select mit dem temporaeren Instanzhash # aufgerufen, wenn Daten genau bei dieser Verbindung anstehen. # (sSiehe auch "list TYPE=FHEMWEB", bzw. "man -s2 accept") # ############################################################################### sub Log2Syslog_getifdata($$@) { my ($hash,$len,$mlen,$reread) = @_; my $name = $hash->{NAME}; my $socket = $hash->{SERVERSOCKET}; my $protocol = lc(AttrVal($name, "protocol", "udp")); if($hash->{TEMPORARY}) { # temporäre Instanz abgelegt durch TcpServer_Accept $protocol = "tcp"; } my $st = ReadingsVal($name,"state","active"); my ($data,$ret); if($socket && $protocol =~ /udp/) { # UDP Datagramm empfangen Log2Syslog_Log3slog ($hash, 4, "Log2Syslog $name - ####################################################### "); Log2Syslog_Log3slog ($hash, 4, "Log2Syslog $name - ######### new Syslog UDP Parsing ######### "); Log2Syslog_Log3slog ($hash, 4, "Log2Syslog $name - ####################################################### "); unless($socket->recv($data, $len)) { Log2Syslog_Log3slog ($hash, 3, "Log2Syslog $name - Seq \"$hash->{SEQNO}\" invalid data: $data"); $data = '' if(length($data) == 0); $st = "receive error - see logfile"; } } elsif ($protocol =~ /tcp/) { if($hash->{SERVERSOCKET}) { # Accept and create a child my $nhash = TcpServer_Accept($hash, "Log2Syslog"); return ($st,$data,$hash) if(!$nhash); $nhash->{CD}->blocking(0); if($nhash->{SSL}) { my $sslver = $nhash->{CD}->get_sslversion(); my $sslalgo = $nhash->{CD}->get_fingerprint(); readingsSingleUpdate($hash, "SSL_Version", $sslver, 1); readingsSingleUpdate($hash, "SSL_Algorithm", $sslalgo, 1); } return ($st,$data,$hash); } my $sname = $hash->{SNAME}; my $cname = $hash->{NAME}; my $shash = $defs{$sname}; # Hash des Log2Syslog-Devices bei temporärer TCP-Serverinstanz Log2Syslog_Log3slog ($shash, 4, "Log2Syslog $sname - ####################################################### "); Log2Syslog_Log3slog ($shash, 4, "Log2Syslog $sname - ######### new Syslog TCP Parsing ######### "); Log2Syslog_Log3slog ($shash, 4, "Log2Syslog $sname - ####################################################### "); Log2Syslog_Log3slog ($shash, 4, "Log2Syslog $sname - childname: $cname"); $st = ReadingsVal($sname,"state","active"); my $c = $hash->{CD}; if($c) { $shash->{HELPER}{TCPPADDR} = $hash->{PEER}; if(!$reread) { my $buf; my $off = 0; $ret = sysread($c, $buf, $len); # returns undef on error, 0 at end of file and Integer, number of bytes read on success. if(!defined($ret) && $! == EWOULDBLOCK ){ # error $hash->{wantWrite} = 1 if(TcpServer_WantWrite($hash)); $hash = $shash; return ($st,undef,$hash); } elsif (!$ret) { # end of file CommandDelete(undef, $cname); $hash = $shash; Log2Syslog_Log3slog ($shash, 4, "Log2Syslog $sname - Connection closed for $cname: ".(defined($ret) ? 'EOF' : $!)); return ($st,undef,$hash); } $hash->{BUF} .= $buf; if($hash->{SSL} && $c->can('pending')) { while($c->pending()) { sysread($c, $buf, 1024); $hash->{BUF} .= $buf; } } $data = $hash->{BUF}; delete $hash->{BUF}; $hash = $shash; Log2Syslog_Log3slog ($shash, 5, "Log2Syslog $sname - Buffer content:\n$data"); } } } else { $st = "error - no socket opened"; $data = ''; } return ($st,$data,$hash); } ############################################################################### # Parsen Payload für Syslog-Server # (im Collector Model) ############################################################################### sub Log2Syslog_parsePayload($$) { my ($hash,$data) = @_; my $name = $hash->{NAME}; my $pp = AttrVal($name, "parseProfile", $hash->{PROFILE}); my $severity = ""; my $facility = ""; my @evf = split(",",AttrVal($name, "outputFields", "FAC,SEV,ID,CONT")); # auszugebene Felder im Event/Reading my $ignore = 0; my ($Mmm,$dd,$delimiter,$day,$ietf,$err,$pl,$tail); # Hash zur Umwandlung Felder in deren Variablen my ($prival,$ts,$host,$date,$time,$id,$pid,$mid,$sdfield,$cont); my $fac = ""; my $sev = ""; my %fh = (PRIVAL => \$prival, FAC => \$fac, SEV => \$sev, TS => \$ts, HOST => \$host, DATE => \$date, TIME => \$time, ID => \$id, PID => \$pid, MID => \$mid, SDFIELD => \$sdfield, CONT => \$cont, DATA => \$data ); # Sender Host / IP-Adresse ermitteln, $phost wird Reading im Event my ($phost) = Log2Syslog_evalPeer($hash); Log2Syslog_Log3slog ($hash, 4, "Log2Syslog $name - raw message -> $data"); my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); # Istzeit Ableitung $year = $year+1900; if($pp =~ /^Automatic/) { $pp = "unknown"; Log2Syslog_Log3slog($name, 4, "Log2Syslog $name - Analyze message format automatically ..."); $data =~ /^<(?\d{1,3})>(?\w{3}).*$/; $tail = $+{tail}; # Test auf BSD-Format if($tail && " Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec " =~ /\s$tail\s/) { $pp = "BSD"; } else { # Test auf IETF-Format $data =~ /^<(?\d{1,3})>(?\d{0,2})\s?(?\d{4}-\d{2}-\d{2})T(?\d{2}:\d{2}:\d{2}).*$/; $prival = $+{prival}; # must $date = $+{date}; # must $time = $+{time}; # must $pp = "IETF" if($prival && $date && $time); } $hash->{PROFILE} = "Automatic - detected format: $pp"; Log2Syslog_Log3slog($name, 4, "Log2Syslog $name - Message format \"$pp\" detected. Try Parsing ... ") if($pp ne "unknown"); } if($pp =~ /raw/) { Log2Syslog_Log3slog($name, 4, "Log2Syslog $name - $data"); $ts = TimeNow(); $pl = $data; } elsif ($pp eq "BSD") { # BSD Protokollformat https://tools.ietf.org/html/rfc3164 # Beispiel data "<$prival>$month $day $time $myhost $id: $otp" $data =~ /^<(?\d{1,3})>(?.*)$/; $prival = $+{prival}; # must $tail = $+{tail}; $tail =~ /^((?\w{3})\s+(?\d{1,2})\s+(?\d{2}:\d{2}:\d{2}))?\s+(?.*)$/; $Mmm = $+{month}; # should $dd = $+{day}; # should $time = $+{time}; # should $tail = $+{tail}; if( $Mmm && $dd && $time ) { my $month = $Log2Syslog_BSDMonth{$Mmm}; $day = (length($dd) == 1)?("0".$dd):$dd; $ts = "$year-$month-$day $time"; } if($ts) { # Annahme: wenn Timestamp gesetzt, wird der Rest der Message ebenfalls dem Standard entsprechen $tail =~ /^(?[^\s]*)?\s(?.*)$/; $host = $+{host}; # should $tail = $+{tail}; $tail =~ /^(?(\w*))?(?(\[\w*\]:|:\s).*)$/; $id = $+{id}; # should if($id) { $id = substr($id,0, ($RFC3164len{TAG}-1)); # Länge TAG-Feld nach RFC begrenzen $cont = $+{cont}; # should } else { $cont = $tail; } } else { # andernfalls eher kein Standardaufbau $cont = $tail; } if(!$prival) { $err = 1; Log2Syslog_Log3slog ($hash, 2, "Log2Syslog $name - error parse msg -> $data"); } else { $cont =~ s/^(:\s*)(.*)$/$2/; if(looks_like_number($prival)) { $facility = int($prival/8) if($prival >= 0 && $prival <= 191); $severity = $prival-($facility*8); $fac = $Log2Syslog_Facility{$facility}; $sev = $Log2Syslog_Severity{$severity}; } else { $err = 1; Log2Syslog_Log3slog ($hash, 1, "Log2Syslog $name - error parse msg -> $data"); } no warnings 'uninitialized'; Log2Syslog_Log3slog($name, 4, "Log2Syslog $name - parsed message -> FAC: $fac, SEV: $sev, MM: $Mmm, Day: $dd, TIME: $time, TS: $ts, HOST: $host, ID: $id, CONT: $cont"); $host = "" if($host eq "-"); use warnings; $phost = $host?$host:$phost; # Payload zusammenstellen für Event/Reading $pl = ""; my $i = 0; foreach my $f (@evf) { if(${$fh{$f}}) { $pl .= " || " if($i); $pl .= "$f: ".${$fh{$f}}; $i++; } } } } elsif ($pp eq "IETF") { # IETF Protokollformat https://tools.ietf.org/html/rfc5424 # Beispiel data "<14>1 2018-08-09T21:45:08+02:00 SDS1 Connection - - [synolog@6574 synotype="Connection" luser="apiuser" event="User [apiuser\] logged in from [192.168.2.45\] via [DSM\]."][meta sequenceId="1"] apiuser: User [apiuser] logged in from [192.168.2.45] via [DSM]."; # $data =~ /^<(?\d{1,3})>(?\d+)\s(?\d{4}-\d{2}-\d{2})T(?\d{2}:\d{2}:\d{2})\S*\s(?\S*)\s(?\S*)\s(?\S*)\s(?\S*)\s(?(\[.*?(?!\\\]).\]|-))\s(?.*)$/; $data =~ /^<(?\d{1,3})>(?\d{0,2})\s(?.*)$/; $prival = $+{prival}; # must $ietf = $+{ietf}; # should if($prival && $ietf) { # Standard IETF-Syslog incl. VERSION if($ietf == 1) { $data =~ /^<(?\d{1,3})>(?\d{0,2})\s?(?\d{4}-\d{2}-\d{2})T(?\d{2}:\d{2}:\d{2})\S*\s(?\S*)\s(?\S*)\s?(?\S*)\s?(?\S*)\s?(?(\[.*?(?!\\\]).\]|-))\s(?.*)$/; $prival = $+{prival}; # must $ietf = $+{ietf}; # should $date = $+{date}; # must $time = $+{time}; # must $host = $+{host}; # should $id = $+{id}; # should $pid = $+{pid}; # should $mid = $+{mid}; # should $sdfield = $+{sdfield}; # must $cont = $+{cont}; # should } else { $err = 1; Log2Syslog_Log3slog ($hash, 1, "Log2Syslog $name - new IETF version detected, inform Log2Syslog Maintainer"); } } else { # IETF-Syslog ohne VERSION $data =~ /^<(?\d{1,3})>(?\d{4}-\d{2}-\d{2})T(?\d{2}:\d{2}:\d{2})\S*\s(?\S*)\s(?\S*)\s?(?\S*)\s?(?\S*)\s?(?(\[.*?(?!\\\]).\]|-))?\s(?.*)$/; $prival = $+{prival}; # must $date = $+{date}; # must $time = $+{time}; # must $host = $+{host}; # should $id = $+{id}; # should $pid = $+{pid}; # should $mid = $+{mid}; # should $sdfield = $+{sdfield}; # should $cont = $+{cont}; # should } if(!$prival || !$date || !$time) { $err = 1; Log2Syslog_Log3slog ($hash, 2, "Log2Syslog $name - error parse msg -> $data"); no warnings 'uninitialized'; Log2Syslog_Log3slog ($hash, 5, "Log2Syslog $name - parsed fields -> PRI: $prival, IETF: $ietf, DATE: $date, TIME: $time, HOST: $host, ID: $id, PID: $pid, MID: $mid, SDFIELD: $sdfield, CONT: $cont"); use warnings; } else { $ts = "$date $time"; if(looks_like_number($prival)) { $facility = int($prival/8) if($prival >= 0 && $prival <= 191); $severity = $prival-($facility*8); $fac = $Log2Syslog_Facility{$facility}; $sev = $Log2Syslog_Severity{$severity}; } else { $err = 1; Log2Syslog_Log3slog ($hash, 2, "Log2Syslog $name - error parse msg -> $data"); } # Längenbegrenzung nach RFC5424 $id = substr($id,0, ($RFC5425len{ID}-1)); $pid = substr($pid,0, ($RFC5425len{PID}-1)); $mid = substr($mid,0, ($RFC5425len{MID}-1)); $host = substr($host,0, ($RFC5425len{HST}-1)); no warnings 'uninitialized'; Log2Syslog_Log3slog($name, 4, "Log2Syslog $name - parsed message -> FAC: $fac, SEV: $sev, TS: $ts, HOST: $host, ID: $id, PID: $pid, MID: $mid, SDFIELD: $sdfield, CONT: $cont"); $host = "" if($host eq "-"); use warnings; $phost = $host?$host:$phost; # Payload zusammenstellen für Event/Reading $pl = ""; my $i = 0; foreach my $f (@evf) { if(${$fh{$f}}) { $pl .= " || " if($i); $pl .= "$f: ".${$fh{$f}}; $i++; } } } } elsif ($pp eq "TPLink-Switch") { # Parser für TPLink Switch # Beispiel data "<131>2018-08-10 09:03:58 10.0.x.y 31890 Login the web by admin on web (10.0.x.y)."; $data =~ /^<(?\d{1,3})>(?\d{4}-\d{2}-\d{2})\s(?\d{2}:\d{2}:\d{2})\s(?\S*)\s(?\S*)\s(?.*)$/; $prival = $+{prival}; # must $date = $+{date}; # must $time = $+{time}; # must $host = $+{host}; # should $id = $+{id}; # should $cont = $+{cont}; # should if(!$prival || !$date || !$time) { $err = 1; Log2Syslog_Log3slog ($hash, 2, "Log2Syslog $name - error parse msg -> $data"); } else { $ts = "$date $time"; if(looks_like_number($prival)) { $facility = int($prival/8) if($prival >= 0 && $prival <= 191); $severity = $prival-($facility*8); $fac = $Log2Syslog_Facility{$facility}; $sev = $Log2Syslog_Severity{$severity}; } else { $err = 1; Log2Syslog_Log3slog ($hash, 2, "Log2Syslog $name - error parse msg -> $data"); } no warnings 'uninitialized'; Log2Syslog_Log3slog($name, 4, "$name - parsed message -> FAC: $fac, SEV: $sev, TS: $ts, HOST: $host, ID: $id, CONT: $cont"); $host = "" if($host eq "-"); use warnings; $phost = $host?$host:$phost; # Payload zusammenstellen für Event/Reading $pl = ""; my $i = 0; foreach my $f (@evf) { if(${$fh{$f}}) { $pl .= " || " if($i); $pl .= "$f: ".${$fh{$f}}; $i++; } } } } elsif ($pp eq "ParseFn") { # user spezifisches Parsing my $parseFn = AttrVal( $name, "parseFn", "" ); $ts = TimeNow(); if( $parseFn =~ m/^\s*(\{.*\})\s*$/s ) { $parseFn = $1; } else { $parseFn = ''; } if($parseFn ne '') { my $PRIVAL = ""; my $TS = $ts; my $DATE = ""; my $TIME = ""; my $HOST = ""; my $ID = ""; my $PID = ""; my $MID = ""; my $CONT = ""; my $FAC = ""; my $SEV = ""; my $DATA = $data; my $SDFIELD = ""; my $IGNORE = 0; eval $parseFn; if($@) { Log2Syslog_Log3slog ($hash, 2, "Log2Syslog $name -> error parseFn: $@"); $err = 1; } $prival = $PRIVAL if($PRIVAL =~ /\d{1,3}/); $date = $DATE if($DATE =~ /^(\d{4})-(\d{2})-(\d{2})$/); $time = $TIME if($TIME =~ /^(\d{2}):(\d{2}):(\d{2})$/); $ts = ($TS =~ /^(\d{4})-(\d{2})-(\d{2})\s(\d{2}):(\d{2}):(\d{2})$/)?$TS:($date && $time)?"$date $time":$ts; $host = $HOST if(defined $HOST); $id = $ID if(defined $ID); $pid = $PID if(defined $PID); $mid = $MID if(defined $MID); $cont = $CONT if(defined $CONT); $fac = $FAC if(defined $FAC); $sev = $SEV if(defined $SEV); $sdfield = $SDFIELD if(defined $SDFIELD); $ignore = $IGNORE if($IGNORE =~ /\d/); if($prival && looks_like_number($prival)) { $facility = int($prival/8) if($prival >= 0 && $prival <= 191); $severity = $prival-($facility*8); $fac = $Log2Syslog_Facility{$facility}; $sev = $Log2Syslog_Severity{$severity}; } else { $err = 1; Log2Syslog_Log3slog ($hash, 2, "Log2Syslog $name - error parse msg -> $data"); } Log2Syslog_Log3slog($name, 4, "Log2Syslog $name - parsed message -> FAC: $fac, SEV: $sev, TS: $ts, HOST: $host, ID: $id, PID: $pid, MID: $mid, CONT: $cont"); $phost = $host?$host:$phost; # auszugebene Felder im Event/Reading my $ef = "PRIVAL,FAC,SEV,TS,HOST,DATE,TIME,ID,PID,MID,SDFIELD,CONT"; @evf = split(",",AttrVal($name, "outputFields", $ef)); # Payload zusammenstellen für Event/Reading $pl = ""; my $i = 0; foreach my $f (@evf) { if(${$fh{$f}}) { $pl .= " || " if($i); $pl .= "$f: ".${$fh{$f}}; $i++; } } } else { $err = 1; Log2Syslog_Log3slog ($hash, 1, "Log2Syslog $name - no parseFn defined."); } } elsif ($pp eq "unknown") { $err = 1; Log2Syslog_Log3slog ($hash, 1, "Log2Syslog $name - Message format could not be detected automatically. PLease check and set attribute \"parseProfile\" manually."); } return ($err,$ignore,$sev,$phost,$ts,$pl); } ################################################################################################# # Syslog Collector Events erzeugen # (im Collector Model) ################################################################################################# sub Log2Syslog_Trigger($$$) { my ($hash,$ts,$pl) = @_; my $name = $hash->{NAME}; my $no_replace = 1; # Ersetzung von Events durch das Attribut eventMap verhindern if($hash->{CHANGED}) { push @{$hash->{CHANGED}}, $pl; } else { $hash->{CHANGED}[0] = $pl; } if($hash->{CHANGETIME}) { push @{$hash->{CHANGETIME}}, $ts; } else { $hash->{CHANGETIME}[0] = $ts; } my $ret = DoTrigger($name, undef, $no_replace); return; } ############################################################################### # Undef Funktion ############################################################################### sub Log2Syslog_Undef($$) { my ($hash, $name) = @_; RemoveInternalTimer($hash); Log2Syslog_closesock($hash,1); # Clientsocket schließen Log2Syslog_downServer($hash,1); # Serversocket schließen, kill children return undef; } ############################################################################### # Collector-Socket schließen ############################################################################### sub Log2Syslog_downServer($;$) { my ($hash,$delchildren) = @_; my $name = $hash->{NAME}; my $port = $hash->{PORT}; my $protocol = $hash->{PROTOCOL}; my $ret; return if(!$hash->{SERVERSOCKET} || $hash->{MODEL} !~ /Collector/); Log2Syslog_Log3slog ($hash, 3, "Log2Syslog $name - Closing server socket $protocol/$port ..."); if($protocol =~ /tcp/) { TcpServer_Close($hash); delete($hash->{CONNECTS}); delete($hash->{SERVERSOCKET}); if($delchildren) { my @children = devspec2array($name."_.*"); foreach (@children) { my $child = $_; if($child ne $name."_.*") { CommandDelete(undef, $child); Log2Syslog_Log3slog ($hash, 3, "Log2Syslog $name - child instance $child deleted."); } } delete($hash->{HELPER}{SSLALGO}); delete($hash->{HELPER}{SSLVER}); readingsSingleUpdate($hash, "SSL_Version", "n.a.", 1); readingsSingleUpdate($hash, "SSL_Algorithm", "n.a.", 1); } return; } $ret = $hash->{SERVERSOCKET}->close(); Log2Syslog_Log3slog ($hash, 1, "Log2Syslog $name - Can't close Syslog Collector at port $port: $!") if(!$ret); delete($hash->{SERVERSOCKET}); delete($selectlist{"$name.$port"}); delete($readyfnlist{"$name.$port"}); delete($hash->{FD}); return; } ############################################################################### # Delete Funktion ############################################################################### sub Log2Syslog_Delete($$) { my ($hash, $arg) = @_; delete $logInform{$hash->{NAME}}; return undef; } ############################################################################### # Set ############################################################################### sub Log2Syslog_Set($@) { my ($hash, @a) = @_; return "\"set X\" needs at least an argument" if ( @a < 2 ); my $name = $a[0]; my $opt = $a[1]; my $prop = $a[2]; my $setlist = "Unknown argument $opt, choose one of ". "reopen:noArg ". (($hash->{MODEL} =~ /Sender/)?"sendTestMessage ":"") ; return if(AttrVal($name, "disable", "") eq "1"); if($opt =~ /sendTestMessage/) { my $own; if ($prop) { shift @a; shift @a; $own = join(" ",@a); } Log2Syslog_sendTestMsg($hash,$own); } elsif($opt =~ /reopen/) { $hash->{HELPER}{MEMLOCK} = 1; InternalTimer(gettimeofday()+2, "Log2Syslog_deleteMemLock", $hash, 0); Log2Syslog_closesock($hash,1); # Clientsocket schließen Log2Syslog_downServer($hash,1); # Serversocket schließen if($hash->{MODEL} =~ /Collector/) { # Serversocket öffnen InternalTimer(gettimeofday()+0.5, "Log2Syslog_initServer", "$name,global", 0); readingsSingleUpdate ($hash, 'Parse_Err_No', 0, 1); # Fehlerzähler für Parse-Errors auf 0 } } else { return "$setlist"; } return undef; } ############################################################################### # Get ############################################################################### sub Log2Syslog_Get($@) { my ($hash, @a) = @_; return "\"get X\" needs at least an argument" if ( @a < 2 ); my $name = $a[0]; my $opt = $a[1]; my $prop = $a[2]; my $st; my $getlist = "Unknown argument $opt, choose one of ". (($hash->{MODEL} !~ /Collector/)?"certInfo:noArg ":""). "versionNotes " ; return if(AttrVal($name, "disable", "") eq "1"); my($sock,$cert,@certs); if ($opt =~ /certInfo/) { if(ReadingsVal($name,"SSL_Version","n.a.") ne "n.a.") { ($sock,$st) = Log2Syslog_opensock($hash,0); if($sock) { $cert = $sock->dump_peer_certificate(); # Log2Syslog_closesock($hash); } } return $cert if($cert); return "no SSL session has been created"; } elsif ($opt =~ /versionNotes/) { my $header = "Module release information
"; my $header1 = "Helpful hints
"; my %hs; # Ausgabetabelle erstellen my ($ret,$val0,$val1); my $i = 0; $ret = ""; # Hints if(!$prop || $prop =~ /hints/i || $prop =~ /[\d]+/) { $ret .= sprintf("

$header1
"); $ret .= ""; $ret .= ""; $ret .= ""; if($prop && $prop =~ /[\d]+/) { my @hints = split(",",$prop); foreach (@hints) { if(AttrVal("global","language","EN") eq "DE") { $hs{$_} = $Log2Syslog_vHintsExt_de{$_}; } else { $hs{$_} = $Log2Syslog_vHintsExt_en{$_}; } } } else { if(AttrVal("global","language","EN") eq "DE") { %hs = %Log2Syslog_vHintsExt_de; } else { %hs = %Log2Syslog_vHintsExt_en; } } $i = 0; foreach my $key (Log2Syslog_sortVersion("desc",keys %hs)) { $val0 = $hs{$key}; $ret .= sprintf("" ); $ret .= ""; $i++; if ($i & 1) { # $i ist ungerade $ret .= ""; } else { $ret .= ""; } } $ret .= ""; $ret .= ""; $ret .= "

$key

$val0

"; $ret .= "

"; } # Notes if(!$prop || $prop =~ /rel/i) { $ret .= sprintf("

$header
"); $ret .= ""; $ret .= ""; $ret .= ""; $i = 0; foreach my $key (Log2Syslog_sortVersion("desc",keys %Log2Syslog_vNotesExtern)) { ($val0,$val1) = split(/\s/,$Log2Syslog_vNotesExtern{$key},2); $ret .= sprintf("" ); $ret .= ""; $i++; if ($i & 1) { # $i ist ungerade $ret .= ""; } else { $ret .= ""; } } $ret .= ""; $ret .= ""; $ret .= "

$key

$val0

$val1

"; $ret .= "

"; } $ret .= ""; return $ret; } else { return "$getlist"; } return undef; } ############################################################################### sub Log2Syslog_Attr ($$$$) { my ($cmd,$name,$aName,$aVal) = @_; my $hash = $defs{$name}; my ($do,$st); # $cmd can be "del" or "set" # $name is device name # aName and aVal are Attribute name and value if ($cmd eq "set" && $hash->{MODEL} !~ /Collector/ && $aName =~ /parseProfile|parseFn|outputFields|makeEvent/) { return "\"$aName\" is only valid for model \"Collector\""; } if ($cmd eq "set" && $hash->{MODEL} =~ /Collector/ && $aName =~ /addTimestamp|contDelimiter|addStateEvent|logFormat|octetCount|ssldebug|timeout|exclErrCond/) { return "\"$aName\" is only valid for model \"Sender\""; } if ($aName eq "disable") { if($cmd eq "set") { return "Mode \"$aVal\" is only valid for model \"Sender\"" if($aVal eq "maintenance" && $hash->{MODEL} !~ /Sender/); $do = $aVal?1:0; } $do = 0 if($cmd eq "del"); $st = ($do&&$aVal=~/maintenance/)?"maintenance":($do&&$aVal==1)?"disabled":"initialized"; $hash->{HELPER}{MEMLOCK} = 1; InternalTimer(gettimeofday()+2, "Log2Syslog_deleteMemLock", $hash, 0); if($do==0 || $aVal=~/maintenance/) { if($hash->{MODEL} =~ /Collector/) { Log2Syslog_downServer($hash,1); # Serversocket schließen und wieder öffnen InternalTimer(gettimeofday()+0.5, "Log2Syslog_initServer", "$name,global", 0); } } else { Log2Syslog_closesock($hash,1); # Clientsocket schließen Log2Syslog_downServer($hash); # Serversocket schließen } } if ($aName eq "TLS") { if($cmd eq "set") { $do = ($aVal) ? 1 : 0; } $do = 0 if($cmd eq "del"); if ($do == 0) { delete $hash->{SSL}; } else { if($hash->{MODEL} =~ /Collector/) { $attr{$name}{protocol} = "TCP" if(AttrVal($name, "protocol", "UDP") ne "TCP"); TcpServer_SetSSL($hash); } } $hash->{HELPER}{MEMLOCK} = 1; InternalTimer(gettimeofday()+2, "Log2Syslog_deleteMemLock", $hash, 0); Log2Syslog_closesock($hash,1); # Clientsocket schließen Log2Syslog_downServer($hash,1); # Serversocket schließen if($hash->{MODEL} =~ /Collector/) { InternalTimer(gettimeofday()+0.5, "Log2Syslog_initServer", "$name,global", 0); # Serversocket öffnen readingsSingleUpdate ($hash, 'Parse_Err_No', 0, 1); # Fehlerzähler für Parse-Errors auf 0 } } if ($aName =~ /rateCalcRerun/) { unless ($aVal =~ /^[0-9]+$/) { return "Value of $aName is not valid. Use only figures 0-9 without decimal places !";} $_[3] = 60 if($aVal < 60); RemoveInternalTimer($hash, "Log2Syslog_trate"); InternalTimer(gettimeofday()+5, "Log2Syslog_trate", $hash, 0); } if ($cmd eq "set" && $aName =~ /port|timeout/) { if($aVal !~ m/^\d+$/) { return " The Value of \"$aName\" is not valid. Use only figures !";} $hash->{HELPER}{MEMLOCK} = 1; InternalTimer(gettimeofday()+2, "Log2Syslog_deleteMemLock", $hash, 0); if($aName =~ /port/ && $hash->{MODEL} =~ /Collector/ && $init_done) { return "$aName \"$aVal\" is not valid because privileged ports are only usable by super users. Use a port grater than 1023." if($aVal < 1024); Log2Syslog_downServer($hash,1); # Serversocket schließen InternalTimer(gettimeofday()+0.5, "Log2Syslog_initServer", "$name,global", 0); readingsSingleUpdate ($hash, 'Parse_Err_No', 0, 1); # Fehlerzähler für Parse-Errors auf 0 } elsif ($aName =~ /port/ && $hash->{MODEL} !~ /Collector/) { Log2Syslog_closesock($hash,1); # Clientsocket schließen } } if ($aName =~ /protocol/) { if($aVal =~ /UDP/) { $attr{$name}{TLS} = 0 if(AttrVal($name, "TLS", 0)); } $hash->{HELPER}{MEMLOCK} = 1; InternalTimer(gettimeofday()+2, "Log2Syslog_deleteMemLock", $hash, 0); if($hash->{MODEL} eq "Collector") { Log2Syslog_downServer($hash,1); # Serversocket schließen InternalTimer(gettimeofday()+0.5, "Log2Syslog_initServer", "$name,global", 0); readingsSingleUpdate ($hash, 'Parse_Err_No', 0, 1); # Fehlerzähler für Parse-Errors auf 0 } else { Log2Syslog_closesock($hash,1); # Clientsocket schließen } } if ($cmd eq "set" && $aName =~ /parseFn/) { $_[3] = "{$aVal}" if($aVal !~ m/^\{.*\}$/s); $aVal = $_[3]; my %specials = ( "%IGNORE" => "0", "%DATA" => "1", "%PRIVAL" => "1", "%TS" => "1", "%DATE" => "1", "%TIME" => "1", "%HOST" => "1", "%ID" => "1", "%PID" => "1", "%MID" => "1", "%CONT" => "1", "%FAC" => "1", "%SDFIELD" => "1", "%SEV" => "1" ); my $err = perlSyntaxCheck($aVal, %specials); return $err if($err); } if ($aName =~ /parseProfile/) { if ($cmd eq "set" && $aVal =~ /ParseFn/) { return "You have to define a parse-function via attribute \"parseFn\" first !" if(!AttrVal($name,"parseFn","")); } if ($cmd eq "set") { $hash->{PROFILE} = $aVal; } else { $hash->{PROFILE} = "Automatic"; } readingsSingleUpdate ($hash, 'Parse_Err_No', 0, 1); # Fehlerzähler für Parse-Errors auf 0 } if ($cmd eq "del" && $aName =~ /parseFn/ && AttrVal($name,"parseProfile","") eq "ParseFn" ) { return "You use a parse-function via attribute \"parseProfile\". Please change/delete attribute \"parseProfile\" first !"; } if ($aName =~ /makeEvent/) { foreach my $key(keys%{$defs{$name}{READINGS}}) { delete($defs{$name}{READINGS}{$key}) if($key !~ /state|Transfered_logs_per_minute|SSL_.*|Parse_Err_No/); } } return; } ################################################################################# # Eventlogging ################################################################################# sub Log2Syslog_eventlog($$) { # $hash is my entry, $dev is the entry of the changed device my ($hash,$dev) = @_; my $name = $hash->{NAME}; my $rex = $hash->{HELPER}{EVNTLOG}; my $st = ReadingsVal($name,"state","active"); my $sendsev = AttrVal($name, "respectSeverity", ""); # Nachrichten welcher Schweregrade sollen gesendet werden my ($prival,$data,$sock,$pid,$sevAstxt); if(IsDisabled($name)) { $st = AttrVal($name, "disable", "0"); $st = ($st =~ /maintenance/)?$st:"disabled"; my $evt = ($st eq $hash->{HELPER}{OLDSTATE})?0:1; readingsSingleUpdate($hash, "state", $st, $evt); $hash->{HELPER}{OLDSTATE} = $st; return; } if($init_done != 1 || !$rex || $hash->{MODEL} !~ /Sender/ || Log2Syslog_IsMemLock($hash)) { return; } my $events = deviceEvents($dev, AttrVal($name, "addStateEvent", 0)); return if(!$events); my $n = $dev->{NAME}; my $max = int(@{$events}); my $tn = $dev->{NTFY_TRIGGERTIME}; my $ct = $dev->{CHANGETIME}; ($sock,$st) = Log2Syslog_opensock($hash,0); if($sock) { for (my $i = 0; $i < $max; $i++) { my $txt = $events->[$i]; $txt = "" if(!defined($txt)); $txt = Log2Syslog_charfilter($hash,$txt); my $tim = (($ct && $ct->[$i]) ? $ct->[$i] : $tn); my ($date,$time) = split(" ",$tim); if($n =~ m/^$rex$/ || "$n:$txt" =~ m/^$rex$/ || "$tim:$n:$txt" =~ m/^$rex$/) { my $otp = "$n $txt"; $otp = "$tim $otp" if AttrVal($name,'addTimestamp',0); ($prival,$sevAstxt) = Log2Syslog_setprival($hash,$txt); if($sendsev && $sendsev !~ m/$sevAstxt/) { # nicht senden wenn Severity nicht in "respectSeverity" enthalten Log2Syslog_Log3slog($name, 5, "Log2Syslog $name - Warning - Payload NOT sent due to Message Severity not in attribute \"respectSeverity\"\n"); next; } ($data,$pid) = Log2Syslog_setpayload($hash,$prival,$date,$time,$otp,"event"); next if(!$data); my $ret = syswrite ($sock,$data); if($ret && $ret > 0) { Log2Syslog_Log3slog($name, 4, "Log2Syslog $name - Payload sequence $pid sent\n"); } else { my $err = $!; Log2Syslog_Log3slog($name, 3, "Log2Syslog $name - Warning - Payload sequence $pid NOT sent: $err\n"); $st = "write error: $err"; } } } Log2Syslog_closesock($hash) if($st =~ /^write error:.*/); } my $evt = ($st eq $hash->{HELPER}{OLDSTATE})?0:1; readingsSingleUpdate($hash, "state", $st, $evt); $hash->{HELPER}{OLDSTATE} = $st; return ""; } ################################################################################# # FHEM system logging ################################################################################# sub Log2Syslog_fhemlog($$) { my ($name,$raw) = @_; my $hash = $defs{$name}; my $rex = $hash->{HELPER}{FHEMLOG}; my $st = ReadingsVal($name,"state","active"); my $sendsev = AttrVal($name, "respectSeverity", ""); # Nachrichten welcher Schweregrade sollen gesendet werden my ($prival,$sock,$err,$ret,$data,$pid,$sevAstxt); if(IsDisabled($name)) { $st = AttrVal($name, "disable", "1"); $st = ($st =~ /maintenance/)?$st:"disabled"; my $evt = ($st eq $hash->{HELPER}{OLDSTATE})?0:1; readingsSingleUpdate($hash, "state", $st, $evt); $hash->{HELPER}{OLDSTATE} = $st; return; } if($init_done != 1 || !$rex || $hash->{MODEL} !~ /Sender/ || Log2Syslog_IsMemLock($hash)) { return; } my ($date,$time,$vbose,undef,$txt) = split(" ",$raw,5); $txt = Log2Syslog_charfilter($hash,$txt); $date =~ s/\./-/g; my $tim = $date." ".$time; if($txt =~ m/^$rex$/ || "$vbose: $txt" =~ m/^$rex$/) { my $otp = "$vbose: $txt"; $otp = "$tim $otp" if AttrVal($name,'addTimestamp',0); ($prival,$sevAstxt) = Log2Syslog_setprival($hash,$txt,$vbose); if($sendsev && $sendsev !~ m/$sevAstxt/) { # nicht senden wenn Severity nicht in "respectSeverity" enthalten Log2Syslog_Log3slog($name, 5, "Log2Syslog $name - Warning - Payload NOT sent due to Message Severity not in attribute \"respectSeverity\"\n"); return; } ($data,$pid) = Log2Syslog_setpayload($hash,$prival,$date,$time,$otp,"fhem"); return if(!$data); ($sock,$st) = Log2Syslog_opensock($hash,0); if ($sock) { $ret = syswrite($sock,$data) if($data); if($ret && $ret > 0) { Log2Syslog_Log3slog($name, 4, "Log2Syslog $name - Payload sequence $pid sent\n"); } else { my $err = $!; Log2Syslog_Log3slog($name, 3, "Log2Syslog $name - Warning - Payload sequence $pid NOT sent: $err\n"); $st = "write error: $err"; } Log2Syslog_closesock($hash) if($st =~ /^write error:.*/); } } my $evt = ($st eq $hash->{HELPER}{OLDSTATE})?0:1; readingsSingleUpdate($hash, "state", $st, $evt); $hash->{HELPER}{OLDSTATE} = $st; return; } ################################################################################# # Test Message senden ################################################################################# sub Log2Syslog_sendTestMsg($$) { my ($hash,$own) = @_; my $name = $hash->{NAME}; my $st = ReadingsVal($name,"state","active"); my ($prival,$ts,$sock,$tim,$date,$time,$err,$ret,$data,$pid,$otp); if($own) { # eigene Testmessage ohne Formatanpassung raw senden $data = $own; $pid = $hash->{SEQNO}; # PayloadID zur Nachverfolgung der Eventabfolge $hash->{SEQNO}++; } else { $ts = TimeNow(); ($date,$time) = split(" ",$ts); $date =~ s/\./-/g; $tim = $date." ".$time; $otp = "Test message from FHEM Syslog Client from ($hash->{MYHOST})"; $otp = "$tim $otp" if AttrVal($name,'addTimestamp',0); $prival = "14"; ($data,$pid) = Log2Syslog_setpayload($hash,$prival,$date,$time,$otp,"fhem"); return if(!$data); } ($sock,$st) = Log2Syslog_opensock($hash,0); if ($sock) { $ret = syswrite $sock, $data."\n" if($data); if($ret && $ret > 0) { Log2Syslog_Log3slog($name, 4, "$name - Payload sequence $pid sent\n"); $st = "maintenance"; } else { my $err = $!; Log2Syslog_Log3slog($name, 3, "$name - Warning - Payload sequence $pid NOT sent: $err\n"); $st = "write error: $err"; } Log2Syslog_closesock($hash) if($st =~ /^write error:.*/); } my $evt = ($st eq $hash->{HELPER}{OLDSTATE})?0:1; readingsSingleUpdate($hash, "state", $st, $evt); $hash->{HELPER}{OLDSTATE} = $st; return; } ############################################################################### # Helper für ident & Regex setzen ############################################################################### sub Log2Syslog_setidrex ($$) { my ($hash,$a) = @_; $hash->{HELPER}{EVNTLOG} = (split("event:",$a))[1] if(lc($a) =~ m/^event:.*/); $hash->{HELPER}{FHEMLOG} = (split("fhem:",$a))[1] if(lc($a) =~ m/^fhem:.*/); $hash->{HELPER}{IDENT} = (split("ident:",$a))[1] if(lc($a) =~ m/^ident:.*/); return; } ############################################################################### # Zeichencodierung für Payload filtern ############################################################################### sub Log2Syslog_charfilter ($$) { my ($hash,$txt) = @_; my $name = $hash->{NAME}; # nur erwünschte Zeichen in payload, ASCII %d32-126 $txt =~ s/ß/ss/g; $txt =~ s/ä/ae/g; $txt =~ s/ö/oe/g; $txt =~ s/ü/ue/g; $txt =~ s/Ä/Ae/g; $txt =~ s/Ö/Oe/g; $txt =~ s/Ü/Ue/g; $txt =~ s/€/EUR/g; $txt =~ tr/ A-Za-z0-9!"#$%&'()*+,-.\/:;<=>?@[\]^_`{|}~//cd; return($txt); } ############################################################################### # erstelle Socket ############################################################################### sub Log2Syslog_opensock ($;$$) { my ($hash,$supresslog) = @_; my $name = $hash->{NAME}; my $host = $hash->{PEERHOST}; my $port = AttrVal($name, "TLS", 0)?AttrVal($name, "port", 6514):AttrVal($name, "port", 514); my $protocol = lc(AttrVal($name, "protocol", "udp")); my $st = ReadingsVal($name,"state","active"); my $timeout = AttrVal($name, "timeout", 0.5); my $ssldbg = AttrVal($name, "ssldebug", 0); my ($sock,$lo,$lof,$sslver,$sslalgo); return undef if($init_done != 1 || $hash->{MODEL} !~ /Sender/); if($hash->{CLIENTSOCKET}) { return($hash->{CLIENTSOCKET},$st); } Log2Syslog_Log3slog ($hash, 3, "Log2Syslog $name - Opening client socket on port \"$port\" ...") if(!$supresslog); if(AttrVal($name, "TLS", 0)) { # TLS gesicherte Verbindung # TLS Transport nach RFC5425 https://tools.ietf.org/pdf/rfc5425.pdf $attr{$name}{protocol} = "TCP" if(AttrVal($name, "protocol", "UDP") ne "TCP"); $sslver = "n.a."; $sslalgo = "n.a."; eval "use IO::Socket::SSL"; if($@) { $st = "$@"; } else { $sock = IO::Socket::INET->new(PeerHost => $host, PeerPort => $port, Proto => 'tcp', Blocking => 0); if (!$sock) { $st = "unable open socket for $host, $protocol, $port: $!"; } else { $sock->blocking(1); $IO::Socket::SSL::DEBUG = $ssldbg; eval { IO::Socket::SSL->start_SSL($sock, SSL_verify_mode => 0, SSL_version => "TLSv1_2:!TLSv1_1:!SSLv3:!SSLv23:!SSLv2", SSL_hostname => $host, SSL_veriycn_scheme => "rfc5425", SSL_veriycn_publicsuffix => '', Timeout => $timeout ) || undef $sock; }; $IO::Socket::SSL::DEBUG = 0; if($@) { $st = "SSL error: $@"; undef $sock; } elsif (!$sock) { $st = "SSL error: ".IO::Socket::SSL::errstr(); undef $sock; } else { $sslver = $sock->get_sslversion(); $sslalgo = $sock->get_fingerprint(); $sslalgo = (split("\\\$",$sslalgo))[0]; $lof = "Socket opened for Host: $host, Protocol: $protocol, Port: $port, TLS: 1"; $st = "active"; } } } } else { # erstellt ungesicherte Socket Verbindung $sslver = "n.a."; $sslalgo = "n.a."; $sock = new IO::Socket::INET (PeerHost => $host, PeerPort => $port, Proto => $protocol, Timeout => $timeout ); if (!$sock) { undef $sock; $st = "unable open socket for $host, $protocol, $port: $!"; $lo = "Socket not opened: $!"; } else { $sock->blocking(0); $st = "active"; # Logausgabe (nur in das fhem Logfile !) $lof = "Socket opened for Host: $host, Protocol: $protocol, Port: $port, TLS: 0"; } } if($sslver ne $hash->{HELPER}{SSLVER}) { readingsSingleUpdate($hash, "SSL_Version", $sslver, 1); $hash->{HELPER}{SSLVER} = $sslver; } if($sslalgo ne $hash->{HELPER}{SSLALGO}) { readingsSingleUpdate($hash, "SSL_Algorithm", $sslalgo, 1); $hash->{HELPER}{SSLALGO} = $sslalgo; } Log2Syslog_Log3slog($name, 3, "Log2Syslog $name - $lo") if($lo); Log2Syslog_Log3slog($name, 3, "Log2Syslog $name - $lof") if($lof && !$supresslog && !$hash->{CLIENTSOCKET}); $hash->{CLIENTSOCKET} = $sock if($sock); return($sock,$st); } ############################################################################### # Socket schließen ############################################################################### sub Log2Syslog_closesock($;$$) { my ($hash,$dolog) = @_; my $name = $hash->{NAME}; my $st = "closed"; my $evt; my $sock = $hash->{CLIENTSOCKET}; if($sock) { Log2Syslog_Log3slog ($hash, 3, "Log2Syslog $name - Closing client socket ...") if($dolog); shutdown($sock, 1); if(AttrVal($hash->{NAME}, "TLS", 0) && ReadingsVal($name,"SSL_Algorithm", "n.a.") ne "n.a.") { $sock->close(SSL_no_shutdown => 1); $hash->{HELPER}{SSLVER} = "n.a."; $hash->{HELPER}{SSLALGO} = "n.a."; readingsSingleUpdate($hash, "SSL_Version", "n.a.", 1); readingsSingleUpdate($hash, "SSL_Algorithm", "n.a.", 1); } else { $sock->close(); } Log2Syslog_Log3slog ($hash, 3, "Log2Syslog $name - Client socket closed ...") if($dolog); delete($hash->{CLIENTSOCKET}); if($dolog) { $evt = ($st eq $hash->{HELPER}{OLDSTATE})?0:1; readingsSingleUpdate($hash, "state", $st, $evt); $hash->{HELPER}{OLDSTATE} = $st; } } return; } ############################################################################### # set PRIVAL (severity & facility) ############################################################################### sub Log2Syslog_setprival ($$;$) { my ($hash,$txt,$vbose) = @_; my $name = $hash->{NAME}; my $do = 0; my ($prival,$sevAstxt); # Priority = (facility * 8) + severity # https://tools.ietf.org/pdf/rfc5424.pdf # determine facility my $fac = 5; # facility by syslogd # calculate severity # mapping verbose level to severity # 0: Critical -> 2 # 1: Error -> 3 # 2: Warning -> 4 # 3: Notice -> 5 # 4: Informational -> 6 # 5: Debug -> 7 my $sv = 5; # notice (default) if ($vbose) { # map verbose to severity $sv = 2 if ($vbose == 0); $sv = 3 if ($vbose == 1); $sv = 4 if ($vbose == 2); $sv = 5 if ($vbose == 3); $sv = 6 if ($vbose == 4); $sv = 7 if ($vbose == 5); } if (lc($txt) =~ m/error/) { # error condition $do = 1; my $ees = AttrVal($name, "exclErrCond", ""); if($ees) { $ees =~ m/^\s*(.*)\s*$/s; $ees = $1; $ees =~ s/[\n]//g; $ees =~ s/,,/_ESC_/g; my @excl = split(",",$ees); foreach my $e (@excl) { # Negativliste abarbeiten $e =~ s/_ESC_/,/g; Log2Syslog_trim($e); $do = 0 if($txt =~ m/^$e$/); } } $sv = 3 if($do); } $sv = 4 if (lc($txt) =~ m/warning/); # warning conditions $prival = ($fac*8)+$sv; $sevAstxt = $Log2Syslog_Severity{$sv}; return($prival,$sevAstxt); } ############################################################################### # erstellen Payload für Syslog ############################################################################### sub Log2Syslog_setpayload ($$$$$$) { my ($hash,$prival,$date,$time,$otp,$lt) = @_; my $name = $hash->{NAME}; my $ident = ($hash->{HELPER}{IDENT}?$hash->{HELPER}{IDENT}:$name)."_".$lt; my $myhost = $hash->{MYHOST}?$hash->{MYHOST}:"0.0.0.0"; my $myfqdn = $hash->{MYFQDN}?$hash->{MYFQDN}:$myhost; my $lf = AttrVal($name, "logFormat", "IETF"); my $cdl = AttrVal($name, "contDelimiter", ""); # Trennzeichen vor Content (z.B. für Synology nötig) my $data; return undef,undef if(!$otp); my $pid = $hash->{SEQNO}; # PayloadID zur Nachverfolgung der Eventabfolge $hash->{SEQNO}++; my ($year,$month,$day) = split("-",$date); if ($lf eq "BSD") { # BSD Protokollformat https://tools.ietf.org/html/rfc3164 $time = (split(/\./,$time))[0] if($time =~ m/\./); # msec ist nicht erlaubt $month = $Log2Syslog_BSDMonth{$month}; # Monatsmapping, z.B. 01 -> Jan $day =~ s/0/ / if($day =~ m/^0.*$/); # in Tagen < 10 muss 0 durch Space ersetzt werden my $tag = substr($ident,0, $RFC3164len{TAG}); # Länge TAG Feld begrenzen no warnings 'uninitialized'; $tag = $tag."[$pid]: ".$cdl; # TAG-Feld um PID und Content-Delimiter ergänzen $data = "<$prival>$month $day $time $myhost $tag$otp"; use warnings; $data = substr($data,0, ($RFC3164len{DL}-1)); # Länge Total begrenzen } if ($lf eq "IETF") { # IETF Protokollformat https://tools.ietf.org/html/rfc5424 my $IETFver = 1; # Version von syslog Protokoll Spec RFC5424 my $mid = "FHEM"; # message ID, identify protocol of message, e.g. for firewall filter my $tim = $date."T".$time; my $sdfield = "[version\@Log2Syslog version=\"$hash->{HELPER}{VERSION}\"]"; $otp = Encode::encode_utf8($otp); # Längenbegrenzung nach RFC5424 $ident = substr($ident,0, ($RFC5425len{ID}-1)); $pid = substr($pid,0, ($RFC5425len{PID}-1)); $mid = substr($mid,0, ($RFC5425len{MID}-1)); $myfqdn = substr($myfqdn,0, ($RFC5425len{HST}-1)); no warnings 'uninitialized'; if ($IETFver == 1) { $data = "<$prival>$IETFver $tim $myfqdn $ident $pid $mid $sdfield $cdl$otp"; } use warnings; } if($data =~ /\s$/) {$data =~ s/\s$//;} $data = $data."\n"; my $dl = length($data); # Länge muss ! für TLS stimmen, sonst keine Ausgabe ! # wenn Transport Layer Security (TLS) -> Transport Mapping for Syslog https://tools.ietf.org/pdf/rfc5425.pdf # oder Octet counting -> Transmission of Syslog Messages over TCP https://tools.ietf.org/html/rfc6587 if(AttrVal($name, "TLS", 0) || AttrVal($name, "octetCount", 0)) { $data = "$dl $data"; Log2Syslog_Log3slog($name, 4, "$name - Payload created with octet count length: ".$dl); } my $ldat = ($dl>130)?(substr($data,0, 130)." ..."):$data; Log2Syslog_Log3slog($name, 4, "$name - Payload sequence $pid created:\n$ldat"); return($data,$pid); } ############################################################################### # eigene Log3-Ableitung - Schleife vermeiden ############################################################################### sub Log2Syslog_Log3slog($$$) { my ($dev, $loglevel, $text) = @_; our ($logopened,$currlogfile); $dev = $dev->{NAME} if(defined($dev) && ref($dev) eq "HASH"); if(defined($dev) && defined($attr{$dev}) && defined (my $devlevel = $attr{$dev}{verbose})) { return if($loglevel > $devlevel); } else { return if($loglevel > $attr{global}{verbose}); } my ($seconds, $microseconds) = gettimeofday(); my @t = localtime($seconds); my $nfile = ResolveDateWildcards($attr{global}{logfile}, @t); OpenLogfile($nfile) if(!$currlogfile || $currlogfile ne $nfile); my $tim = sprintf("%04d.%02d.%02d %02d:%02d:%02d", $t[5]+1900,$t[4]+1,$t[3], $t[2],$t[1],$t[0]); if($attr{global}{mseclog}) { $tim .= sprintf(".%03d", $microseconds/1000); } if($logopened) { print LOG "$tim $loglevel: $text\n"; } else { print "$tim $loglevel: $text\n"; } return undef; } ############################################################################### # Bestimmung Übertragungsrate ############################################################################### sub Log2Syslog_trate($) { my ($hash) = @_; my $name = $hash->{NAME}; my $rerun = AttrVal($name, "rateCalcRerun", 60); if ($hash->{HELPER}{LTIME}+60 <= time()) { my $div = (time()-$hash->{HELPER}{LTIME})/60; my $spm = sprintf "%.0f", ($hash->{SEQNO} - $hash->{HELPER}{OLDSEQNO})/$div; $hash->{HELPER}{OLDSEQNO} = $hash->{SEQNO}; $hash->{HELPER}{LTIME} = time(); my $ospm = ReadingsVal($name, "Transfered_logs_per_minute", 0); if($spm != $ospm) { readingsSingleUpdate($hash, "Transfered_logs_per_minute", $spm, 1); } else { readingsSingleUpdate($hash, "Transfered_logs_per_minute", $spm, 0); } } RemoveInternalTimer($hash, "Log2Syslog_trate"); InternalTimer(gettimeofday()+$rerun, "Log2Syslog_trate", $hash, 0); return; } ############################################################################### # Peer IP-Adresse und Host ermitteln (Sender der Message) ############################################################################### sub Log2Syslog_evalPeer($) { my ($hash) = @_; my $name = $hash->{NAME}; my $socket = $hash->{SERVERSOCKET}; my $protocol = lc(AttrVal($name, "protocol", "udp")); if($hash->{TEMPORARY}) { # temporäre Instanz abgelegt durch TcpServer_Accept $protocol = "tcp"; } my ($phost,$paddr,$pport, $pipaddr); no warnings 'uninitialized'; if($protocol =~ /tcp/) { $pipaddr = $hash->{HELPER}{TCPPADDR}; # gespeicherte IP-Adresse $phost = $hash->{HIPCACHE}{$pipaddr}; # zuerst IP/Host-Kombination aus Cache nehmen falls vorhanden if(!$phost) { $paddr = inet_aton($pipaddr); $phost = gethostbyaddr($paddr, AF_INET); $hash->{HIPCACHE}{$pipaddr} = $phost if($phost); } } elsif ($protocol =~ /udp/ && $socket) { # Protokoll UDP ($pport, $paddr) = sockaddr_in($socket->peername) if($socket->peername); $pipaddr = inet_ntoa($paddr) if($paddr); $phost = $hash->{HIPCACHE}{$pipaddr}; # zuerst IP/Host-Kombination aus Cache nehmen falls vorhanden if(!$phost) { $phost = gethostbyaddr($paddr, AF_INET); $hash->{HIPCACHE}{$pipaddr} = $phost if($phost); } } Log2Syslog_Log3slog ($hash, 5, "Log2Syslog $name - message peer: $phost,$pipaddr"); use warnings; $phost = $phost?$phost:$pipaddr?$pipaddr:"unknown"; return ($phost); } ############################################################################### # Memory-Lock # - solange gesetzt erfolgt keine Socketöffnung # - löschen Sperre über Internaltimer ############################################################################### sub Log2Syslog_IsMemLock($) { my ($hash) = @_; my $ret = 0; $ret = 1 if($hash->{HELPER}{MEMLOCK}); return ($ret); } sub Log2Syslog_deleteMemLock($) { my ($hash) = @_; RemoveInternalTimer($hash, "Log2Syslog_deleteMemLock"); delete($hash->{HELPER}{MEMLOCK}); return; } ################################################################ # sortiert eine Liste von Versionsnummern x.x.x # Schwartzian Transform and the GRT transform # Übergabe: "asc | desc", ################################################################ sub Log2Syslog_sortVersion (@){ my ($sseq,@versions) = @_; my @sorted = map {$_->[0]} sort {$a->[1] cmp $b->[1]} map {[$_, pack "C*", split /\./]} @versions; @sorted = map {join ".", unpack "C*", $_} sort map {pack "C*", split /\./} @versions; if($sseq eq "desc") { @sorted = reverse @sorted; } return @sorted; } ################################################################ # Versionierungen des Moduls setzen # Die Verwendung von Meta.pm und Packages wird berücksichtigt ################################################################ sub Log2Syslog_setVersionInfo($) { my ($hash) = @_; my $name = $hash->{NAME}; my $v = (sortTopicNum("desc",keys %Log2Syslog_vNotesIntern))[0]; my $type = $hash->{TYPE}; $hash->{HELPER}{PACKAGE} = __PACKAGE__; $hash->{HELPER}{VERSION} = $v; if($modules{$type}{META}{x_prereqs_src}) { # META-Daten sind vorhanden $modules{$type}{META}{version} = "v".$v; # Version aus META.json überschreiben, Anzeige mit {Dumper $modules{SMAPortal}{META}} if($modules{$type}{META}{x_version}) { # {x_version} ( nur gesetzt wenn $Id: 93_Log2Syslog.pm 18981 2019-03-20 21:39:53Z DS_Starter $ im Kopf komplett! vorhanden ) $modules{$type}{META}{x_version} =~ s/1.1.1/$v/g; } else { $modules{$type}{META}{x_version} = $v; } return $@ unless (FHEM::Meta::SetInternals($hash)); # FVERSION wird gesetzt ( nur gesetzt wenn $Id: 93_Log2Syslog.pm 18981 2019-03-20 21:39:53Z DS_Starter $ im Kopf komplett! vorhanden ) if( __PACKAGE__ eq $type) { # es wird mit Packages gearbeitet -> Perl übliche Modulversion setzen # mit {->VERSION()} im FHEMWEB kann Modulversion abgefragt werden use version 0.77; our $VERSION = FHEM::Meta::Get( $hash, 'version' ); } } else { # herkömmliche Modulstruktur $hash->{VERSION} = $v; } return; } ################################################################ # Leerzeichen am Anfang / Ende eines strings entfernen ################################################################ sub Log2Syslog_trim ($) { my $str = shift; $str =~ s/^\s+|\s+$//g; return ($str); } ############################################################################################# # Hint Hash EN ############################################################################################# our %Log2Syslog_vHintsExt_en = ( "3" => "The RFC5425 TLS Transport Protocol", "2" => "The basics of RFC3164 (BSD) protocol", "1" => "Informations about RFC5424 (IETF) syslog protocol" ); ############################################################################################# # Hint Hash DE ############################################################################################# our %Log2Syslog_vHintsExt_de = ( "3" => "Die Beschreibung des RFC5425 TLS Transport Protokoll", "2" => "Die Grundlagen des RFC3164 (BSD) Protokolls", "1" => "Informationen über das RFC5424 (IETF) Syslog Protokoll" ); 1; =pod =item helper =item summary forward FHEM system logs/events to a syslog server/act as a syslog server =item summary_DE sendet FHEM Logs/Events an Syslog-Server / agiert als Syslog-Server =begin html

Log2Syslog

RFC5424 (IETF)

RFC3164 (BSD)

RFC5425

Prerequisits

sudo apt-get install libio-socket-multicast-perl

sudo apt-get install libio-socket-ssl-perl

Definition and usage

The Collector (Syslog-Server)

Definition of a Collector

define <name> Log2Syslog

attribute

Example of a Collector:

define SyslogServer Log2Syslog


2018-07-31 17:07:24.382 Log2Syslog SyslogServer HOST: fhem.myds.me || FAC: syslog || SEV: Notice || ID: Prod_event || CONT: USV state: OL 

2018-07-31 17:07:24.858 Log2Syslog SyslogServer HOST: fhem.myds.me || FAC: syslog || SEV: Notice || ID: Prod_event || CONT: HMLAN2 loadLvl: low

HOST	the Sender of the dataset
FAC	Facility corresponding to RFC5424
SEV	Severity corresponding to RFC5424
ID	Ident-Tag
CONT	the message part of the received message

"parse error - see logfile"

attribute

own parse function

attribute

The Sender (Syslog-Client)

Definition of a Sender

define <name> Log2Syslog <destination host> [ident:<ident>] [event:<regexp>] [fhem:<regexp>]

<destination host>	host (name or IP-address) where the syslog server is running
[ident:<ident>]	optional program identifier. If not set the device name will be used as default.
[event:<regexp>]	optional regex to filter events for logging
[fhem:<regexp>]	optional regex to filter fhem system log for logging

Lookup table Verbose-Level to Syslog severity level:

verbose-Level	Severity in Syslog
0	Critical
1	Error
2	Warning
3	Notice
4	Informational
5	Debug

Example of a Sender:

define splunklog Log2Syslog fhemtest 192.168.2.49 ident:Test event:.* fhem:.*

Aug 18 21:06:46 fhemtest.myds.me 1 2017-08-18T21:06:46 fhemtest.myds.me Test_event 13339 FHEM [version@Log2Syslog version="4.2.0"] : LogDB sql_processing_time: 0.2306
Aug 18 21:06:46 fhemtest.myds.me 1 2017-08-18T21:06:46 fhemtest.myds.me Test_event 13339 FHEM [version@Log2Syslog version="4.2.0"] : LogDB background_processing_time: 0.2397
Aug 18 21:06:45 fhemtest.myds.me 1 2017-08-18T21:06:45 fhemtest.myds.me Test_event 13339 FHEM [version@Log2Syslog version="4.2.0"] : LogDB CacheUsage: 21
Aug 18 21:08:27 fhemtest.myds.me 1 2017-08-18T21:08:27.760 fhemtest.myds.me Test_fhem 13339 FHEM [version@Log2Syslog version="4.2.0"] : 4: CamTER - Informations of camera Terrasse retrieved
Aug 18 21:08:27 fhemtest.myds.me 1 2017-08-18T21:08:27.095 fhemtest.myds.me Test_fhem 13339 FHEM [version@Log2Syslog version="4.2.0"] : 4: CamTER - CAMID already set - ignore get camid

logFormat IETF:

PRIVAL	priority value (coded from "facility" and "severity")
IETFVERS	used version of RFC5424 specification
TIME	timestamp according to RFC5424
MYHOST	Internal MYHOST
IDENT	ident-Tag from DEF if set, or else the own device name. The statement will be completed by "_fhem" (FHEM-Log) respectively "_event" (Event-Log).
PID	sequential Payload-ID
MID	fix value "FHEM"
SD-FIELD	contains additional iformation about used module version
MESSAGE	the dataset to transfer

logFormat BSD:

PRIVAL	priority value (coded from "facility" and "severity")
MONTH	month according to RFC3164
DAY	day of month according to RFC3164
TIME	timestamp according to RFC3164
MYHOST	Internal MYHOST
TAG	ident-Tag from DEF if set, or else the own device name. The statement will be completed by "_fhem" (FHEM-Log) respectively "_event" (Event-Log).
PID	the message-id (sequence number)
MESSAGE	the dataset to transfer

Set

reopen

Closes an existing Client/Server-connection and open it again. This command can be helpful in case of e.g. "broken pipe"-errors.

sendTestMessage [<Message>]

With device type "Sender" a testmessage can be transfered. The format of the message depends on attribute "logFormat" and contains data in BSD- or IETF-format. Alternatively an own <Message> can be set. This message will be sent in im raw-format without any conversion. The attribute "disable = maintenance" determines, that no data except test messages are sent to the receiver.

Get

certinfo

On a SenderDevice the command shows informations about the server certificate in case a TLS-session was created (Reading "SSL_Version" isn't "n.a.").

versionNotes [hints | rel | <key>]

Shows realease informations and/or hints about the module. It contains only main release informations for module users.
If no options are specified, both release informations and hints will be shown. "rel" shows only release informations and "hints" shows only hints. By the <key>-specification only the hint with the specified number is shown.

Attributes

addTimestamp

The attribute is only usable for device type "Sender". If set, FHEM timestamps will be logged too.
Default behavior is not log these timestamps, because syslog uses own timestamps.
Maybe useful if mseclog is activated in FHEM.

Example output (raw) of a Splunk syslog server:

Aug 18 21:26:55 fhemtest.myds.me 1 2017-08-18T21:26:55 fhemtest.myds.me Test_event 13339 FHEM - : 2017-08-18 21:26:55 USV state: OL
Aug 18 21:26:54 fhemtest.myds.me 1 2017-08-18T21:26:54 fhemtest.myds.me Test_event 13339 FHEM - : 2017-08-18 21:26:54 Bezug state: done
Aug 18 21:26:54 fhemtest.myds.me 1 2017-08-18T21:26:54 fhemtest.myds.me Test_event 13339 FHEM - : 2017-08-18 21:26:54 recalc_Bezug state: Next: 21:31:59

addStateEvent

The attribute is only usable for device type "Sender". If set, events will be completed with "state" if a state-event appears.
Default behavior is without getting "state".

contDelimiter

The attribute is only usable for device type "Sender". You can set an additional character which is straight inserted before the content-field.
This possibility is useful in some special cases if the receiver need it (e.g. the Synology-Protokollcenter needs the character ":" for proper function).

disable [1 | 0 | maintenance]

This device will be activated, deactivated respectSeverity set into the maintenance-mode. In maintenance-mode a test message can be sent by the "Sender"-device (pls. see also command "set <name> sendTestMessage").

exclErrCond <Pattern1,Pattern2,Pattern3,...>

This attribute is only usable for device type "Sender".
If within an event the text "Error" is identified, this message obtain the severity "Error" automatically. The attribute exclErrCond can contain a list of events separated by comma, whose severity nevertheless has not to be valued as "Error". Commas within the <Pattern> must be escaped by ,, (double comma). The attribute may contain line breaks.

Example
```
attr <name> exclErrCond Error: none, 
                        Errorcode: none,
                        Dum.Energy PV: 2853.0,, Error: none,
                        .*Seek_Error_Rate_.*,
                        .*Raw_Read_Error_Rate_.*,
                        .*sabotageError:.*,
        
```

logFormat [ BSD | IETF ]

This attribute is only usable for device type "Sender". Set the syslog protocol format.
Default value is "IETF" if not specified.

makeEvent [ intern | no | reading ]

The attribute is only usable for device type "Collector". With this attribute the behavior of the event- and reading generation is defined.

intern	events are generated by module intern mechanism and only visible in FHEM eventmonitor. Readings are not created.
no	only readings like "MSG_<hostname>" without event generation are created
reading	readings like "MSG_<hostname>" are created. Events are created dependent of the "event-on-.*"-attributes

octetCount

The attribute is only usable for device type "Sender".
If set, the Syslog Framing is changed from Non-Transparent-Framing (default) to Octet-Framing. The Syslog-Reciver must support Octet-Framing ! For further informations see RFC6587 "Transmission of Syslog Messages over TCP".

outputFields

The attribute is only usable for device type "Collector". By a sortable list the desired fields of generated events can be selected. The meaningful usable fields are depending on the attribute "parseProfil". Their meaning can be found in the description of attribute "parseProfil". Is "outputFields" not defined, a predefined set of fields for event generation is used.

parseFn {<Parsefunktion>}

The attribute is only usable for device type "Collector". The provided perl function (has to be set into "{}") will be applied to the received Syslog-message. The following variables are commited to the function. They can be used for programming, processing and for value return. Variables which are provided as blank, are marked as "".
In case of restrictions the expected format of variables return is specified in "()". Otherwise the variable is usable for free.

$PRIVAL	"" (0 ... 191)
$FAC	"" (0 ... 23)
$SEV	"" (0 ... 7)
$TS	Timestamp (YYYY-MM-DD hh:mm:ss)
$HOST	""
$DATE	"" (YYYY-MM-DD)
$TIME	"" (hh:mm:ss)
$ID	""
$PID	""
$MID	""
$SDFIELD	""
$CONT	""
$DATA	provided raw-data of received Syslog-message (no evaluation of value return!)
$IGNORE	0 (0\|1), if $IGNORE==1 the Syslog-dataset is ignored

The names of the variables corresponding to the field names and their primary meaning denoted in attribute "parseProfile" (explanation of the field data).

Example:

{
($PRIVAL,$CONT) = ($DATA =~ /^<(\d{1,3})>\s(.*)$/);
$CONT = (split(">",$CONT))[1] if($CONT =~ /^<.*>.*$/);
}

Automatic	try to recognize the BSD or IETF message format and use it for parsing (default)
BSD	Parsing of messages in BSD-format according to RFC3164
IETF	Parsing of messages in IETF-format according to RFC5424 (default)
...	further specific parse profiles for selective device are provided
ParseFn	Usage of an own specific parse function provided by attribute "parseFn"
raw	no parsing, events are created from the messages as received without conversion

The parsed data are provided in fields. The fields to use for events and their sequence can be defined by attribute "outputFields".
Dependent from used "parseProfile" the following fields are filled with values and therefor it is meaningful to use only the namend fields by attribute "outputFields". By the "raw"-profil the received data are not converted and the event is created directly.

The meaningful usable fields in attribute "outputFields" depending of the particular profil:

BSD	-> PRIVAL,FAC,SEV,TS,HOST,ID,CONT
IETF	-> PRIVAL,FAC,SEV,TS,HOST,DATE,TIME,ID,PID,MID,SDFIELD,CONT
ParseFn	-> PRIVAL,FAC,SEV,TS,HOST,DATE,TIME,ID,PID,MID,SDFIELD,CONT
raw	-> no selection is meaningful, the original message is used for event creation

Explanation of field data:

PRIVAL	coded Priority value (coded from "facility" and "severity")
FAC	decoded Facility
SEV	decoded Severity of message
TS	Timestamp containing date and time (YYYY-MM-DD hh:mm:ss)
HOST	Hostname / Ip-address of the Sender
DATE	Date (YYYY-MM-DD)
TIME	Time (hh:mm:ss)
ID	Device or application what was sending the Syslog-message
PID	Programm-ID, offen reserved by process name or prozess-ID
MID	Type of message (arbitrary string)
SDFIELD	Metadaten about the received Syslog-message
CONT	Content of the message
DATA	received raw-data

Note for manual setting:
The typical record layout of the format "BSD" or "IETF" starts with:

<45>Mar 17 20:23:46 ...	-> record start of the BSD message format
<45>1 2019-03-17T19:13:48 ...	-> record start of the IETF message format

port <Port>

The used port. For a Sender the default-port is 514. A Collector (Syslog-Server) uses the port 1514 per default.

protocol [ TCP | UDP ]

Sets the socket protocol which should be used. You can choose UDP or TCP.
Default value is "UDP" if not specified.

rateCalcRerun <Zeit in Sekunden>

Rerun cycle for calculation of log transfer rate (Reading "Transfered_logs_per_minute") in seconds (>=60). Values less than 60 seconds are corrected to 60 seconds automatically. Default is 60 seconds.

respectSeverity

Messages are only forwarded (Sender) respectively the receipt considered (Collector), whose severity is included by this attribute. If "respectSeverity" isn't set, messages of all severity is processed.

sslCertPrefix

Set the prefix for the SSL certificate, default is "certs/server-". Setting this attribute you are able to specify different SSL-certificates for different Log2Syslog devices. See also the TLS attribute.

ssldebug

Debugging level of SSL messages. The attribute is only usable for device type "Sender".
- 0 - No debugging (default).
- 1 - Print out errors from IO::Socket::SSL and ciphers from Net::SSLeay.
- 2 - Print also information about call flow from IO::Socket::SSL and progress information from Net::SSLeay.
- 3 - Print also some data dumps from IO::Socket::SSL and from Net::SSLeay.

TLS

A client (Sender) establish a secured connection to a Syslog-Server. A Syslog-Server (Collector) provide to establish a secured connection. The protocol will be switched to TCP automatically.
Thereby a Collector device can use TLS, a certificate has to be created or available. With following steps a certicate can be created:

1. in the FHEM basis directory create the directory "certs":
```
    sudo mkdir /opt/fhem/certs
    
```
2. create the SSL certicate:
```
    cd /opt/fhem/certs
    sudo openssl req -new -x509 -nodes -out server-cert.pem -days 3650 -keyout server-key.pem
	
```
3. set file/directory permissions:
```
    sudo chown -R fhem:dialout /opt/fhem/certs
    sudo chmod 644 /opt/fhem/certs/*.pem
    sudo chmod 711 /opt/fhem/certs
	
```

timeout

This attribute is only usable for device type "Sender". Timeout für die Verbindung zum Syslog-Server (TCP). Default: 0.5s.

verbose

Please see global attribute "verbose". To avoid loops, the output of verbose level of the Log2Syslog-Devices will only be reported into the local FHEM Logfile and not forwarded.

Readings

MSG_<Host>	the last successful parsed Syslog-message from <Host>
Parse_Err_No	the number of parse errors since start
SSL_Algorithm	used SSL algorithm if SSL is enabled and active
SSL_Version	the used TLS-version if encryption is enabled and is active
Transfered_logs_per_minute	the average number of forwarded logs/events per minute

=end html =begin html_DE

Log2Syslog

RFC5424 (IETF)

RFC3164 (BSD)

RFC5425

Voraussetzungen

sudo apt-get install libio-socket-multicast-perl

sudo apt-get install libio-socket-ssl-perl

Definition und Verwendung

Der Collector (Syslog-Server)

Definition eines Collectors

define <name> Log2Syslog

Attribut

Beispiel für einen Collector:

define SyslogServer Log2Syslog


2018-07-31 17:07:24.382 Log2Syslog SyslogServer HOST: fhem.myds.me || FAC: syslog || SEV: Notice || ID: Prod_event || CONT: USV state: OL 

2018-07-31 17:07:24.858 Log2Syslog SyslogServer HOST: fhem.myds.me || FAC: syslog || SEV: Notice || ID: Prod_event || CONT: HMLAN2 loadLvl: low

HOST	der Sender des Datensatzes
FAC	Facility (Kategorie) nach RFC5424
SEV	Severity (Schweregrad) nach RFC5424
ID	Ident-Tag
CONT	der Nachrichtenteil der empfangenen Meldung

"parse error - see logfile"

Attribut

eigenen Parse-Funktion

Attribut

Der Sender (Syslog-Client)

Definition eines Senders

define <name> Log2Syslog <Zielhost> [ident:<ident>] [event:<regexp>] [fhem:<regexp>]

<Zielhost>	Host (Name oder IP-Adresse) auf dem der Syslog-Server läuft
[ident:<ident>]	optionaler Programm Identifier. Wenn nicht gesetzt wird per default der Devicename benutzt.
[event:<regexp>]	optionaler regulärer Ausdruck zur Filterung von Events zur Weiterleitung
[fhem:<regexp>]	optionaler regulärer Ausdruck zur Filterung von FHEM Logs zur Weiterleitung

Umsetzungstabelle Verbose-Level in Syslog-Schweregrad Stufe:

Verbose-Level	Schweregrad in Syslog
0	Critical
1	Error
2	Warning
3	Notice
4	Informational
5	Debug

Beispiel für einen Sender:

define splunklog Log2Syslog fhemtest 192.168.2.49 ident:Test event:.* fhem:.*

Aug 18 21:06:46 fhemtest.myds.me 1 2017-08-18T21:06:46 fhemtest.myds.me Test_event 13339 FHEM [version@Log2Syslog version="4.2.0"] : LogDB sql_processing_time: 0.2306
Aug 18 21:06:46 fhemtest.myds.me 1 2017-08-18T21:06:46 fhemtest.myds.me Test_event 13339 FHEM [version@Log2Syslog version="4.2.0"] : LogDB background_processing_time: 0.2397
Aug 18 21:06:45 fhemtest.myds.me 1 2017-08-18T21:06:45 fhemtest.myds.me Test_event 13339 FHEM [version@Log2Syslog version="4.2.0"] : LogDB CacheUsage: 21
Aug 18 21:08:27 fhemtest.myds.me 1 2017-08-18T21:08:27.760 fhemtest.myds.me Test_fhem 13339 FHEM [version@Log2Syslog version="4.2.0"] : 4: CamTER - Informations of camera Terrasse retrieved
Aug 18 21:08:27 fhemtest.myds.me 1 2017-08-18T21:08:27.095 fhemtest.myds.me Test_fhem 13339 FHEM [version@Log2Syslog version="4.2.0"] : 4: CamTER - CAMID already set - ignore get camid

logFormat IETF:

PRIVAL	Priority Wert (kodiert aus "facility" und "severity")
IETFVERS	Version der benutzten RFC5424 Spezifikation
TIME	Timestamp nach RFC5424
MYHOST	Internal MYHOST
IDENT	Ident-Tag aus DEF wenn angegeben, sonst der eigene Devicename. Die Angabe wird mit "_fhem" (FHEM-Log) bzw. "_event" (Event-Log) ergänzt.
PID	fortlaufende Payload-ID
MID	fester Wert "FHEM"
[SD-FIELD]	Structured Data Feld. Enthält Informationen zur verwendeten Modulversion (die Klammern "[]" sind Bestandteil des Feldes)
MESSAGE	der zu übertragende Datensatz

logFormat BSD:

PRIVAL	Priority Wert (kodiert aus "facility" und "severity")
MONTH	Monatsangabe nach RFC3164
DAY	Tag des Monats nach RFC3164
TIME	Zeitangabe nach RFC3164
MYHOST	Internal MYHOST
TAG	Ident-Tag aus DEF wenn angegeben, sonst der eigene Devicename. Die Angabe wird mit "_fhem" (FHEM-Log) bzw. "_event" (Event-Log) ergänzt.
PID	Die ID der Mitteilung (= Sequenznummer)
MESSAGE	der zu übertragende Datensatz

Set

reopen

Schließt eine bestehende Client/Server-Verbindung und öffnet sie erneut. Der Befehl kann z.B. bei "broken pipe"-Fehlern hilfreich sein.

sendTestMessage [<Message>]

Mit einem Devicetyp "Sender" kann abhängig vom Attribut "logFormat" eine Testnachricht im BSD- bzw. IETF-Format gesendet werden. Wird eine optionale eigene <Message> angegeben, wird diese Nachricht im raw-Format ohne Formatanpassung (BSD/IETF) gesendet. Das Attribut "disable = maintenance" legt fest, dass keine Daten ausser eine Testnachricht an den Empfänger gesendet wird.

Get

certinfo

Zeigt auf einem Sender-Device Informationen zum Serverzertifikat an sofern eine TLS-Session aufgebaut wurde (Reading "SSL_Version" ist nicht "n.a.").

versionNotes [hints | rel | <key>]

Zeigt Release Informationen und/oder Hinweise zum Modul an. Es sind nur Release Informationen mit Bedeutung für den Modulnutzer enthalten.
Sind keine Optionen angegben, werden sowohl Release Informationen als auch Hinweise angezeigt. "rel" zeigt nur Release Informationen und "hints" nur Hinweise an. Mit der <key>-Angabe wird der Hinweis mit der angegebenen Nummer angezeigt. Ist das Attribut "language = DE" im global Device gesetzt, erfolgt die Ausgabe der Hinweise in deutscher Sprache.

Attribute

addTimestamp

Das Attribut ist nur für "Sender" verwendbar. Wenn gesetzt, werden FHEM Timestamps im Content-Feld der Syslog-Meldung mit übertragen.
Per default werden die Timestamps nicht im Content-Feld hinzugefügt, da innerhalb der Syslog-Meldungen im IETF- bzw. BSD-Format bereits Zeitstempel gemäß RFC-Vorgabe erstellt werden.
Die Einstellung kann hilfeich sein wenn mseclog in FHEM aktiviert ist.

Beispielausgabe (raw) eines Splunk Syslog Servers:
```
Aug 18 21:26:55 fhemtest.myds.me 1 2017-08-18T21:26:55 fhemtest.myds.me Test_event 13339 FHEM - : 2017-08-18 21:26:55 USV state: OL
Aug 18 21:26:54 fhemtest.myds.me 1 2017-08-18T21:26:54 fhemtest.myds.me Test_event 13339 FHEM - : 2017-08-18 21:26:54 Bezug state: done
Aug 18 21:26:54 fhemtest.myds.me 1 2017-08-18T21:26:54 fhemtest.myds.me Test_event 13339 FHEM - : 2017-08-18 21:26:54 recalc_Bezug state: Next: 21:31:59
        
```

addStateEvent

Das Attribut ist nur für "Sender" verwendbar. Wenn gesetzt, werden state-events mit dem Reading "state" ergänzt.
Die Standardeinstellung ist ohne state-Ergänzung.

contDelimiter

Das Attribut ist nur für "Sender" verwendbar. Es enthält ein zusätzliches Zeichen welches unmittelber vor das Content-Feld eingefügt wird.
Diese Möglichkeit ist in manchen speziellen Fällen hilfreich (z.B. kann das Zeichen ':' eingefügt werden um eine ordnungsgemäße Anzeige im Synology-Protokollcenter zu erhalten).

disable [1 | 0 | maintenance]

Das Device wird aktiviert, deaktiviert bzw. in den Maintenance-Mode geschaltet. Im Maintenance-Mode kann mit dem "Sender"-Device eine Testnachricht gesendet werden (siehe "set <name> sendTestMessage").

exclErrCond <Pattern1,Pattern2,Pattern3,...>

Das Attribut ist nur für "Sender" verwendbar.
Wird in einem Event der Text "Error" erkannt, bekommt diese Message automatisch den Schweregrad "Error" zugewiesen. Im Attribut exclErrCond kann eine durch Komma getrennte Liste von Events angegeben werden, deren Schweregrad trotzdem nicht als "Error" gewertet werden soll. Kommas innerhalb von <Pattern> müssen mit ,, (doppeltes Komma) escaped werden. Das Attribut kann Zeilenumbrüche enthalten.

Beispiel
```
attr <name> exclErrCond Error: none, 
                        Errorcode: none,
                        Dum.Energy PV: 2853.0,, Error: none,
                        .*Seek_Error_Rate_.*,
                        .*Raw_Read_Error_Rate_.*,
                        .*sabotageError:.*,
        
```

logFormat [ BSD | IETF ]

Das Attribut ist nur für "Sender" verwendbar. Es stellt das Protokollformat ein. (default: "IETF")

makeEvent [ intern | no | reading ]

Das Attribut ist nur für "Collector" verwendbar. Mit dem Attribut wird das Verhalten der Event- bzw. Readinggenerierung festgelegt.

intern	Events werden modulintern generiert und sind nur im Eventmonitor sichtbar. Readings werden nicht erstellt.
no	es werden nur Readings der Form "MSG_<Hostname>" ohne Eventfunktion erstellt
reading	es werden Readings der Form "MSG_<Hostname>" erstellt. Events werden in Abhängigkeit der "event-on-.*"-Attribute generiert

octetCount

Das Attribut ist nur für "Sender" verfügbar.
Wenn gesetzt, wird das Syslog Framing von Non-Transparent-Framing (default) in Octet-Framing geändert. Der Syslog-Empfänger muss Octet-Framing unterstützen ! Für weitere Informationen siehe RFC6587 "Transmission of Syslog Messages over TCP".

outputFields

Das Attribut ist nur für "Collector" verwendbar. Über eine sortierbare Liste können die gewünschten Felder des generierten Events ausgewählt werden. Die abhängig vom Attribut "parseProfil" sinnvoll verwendbaren Felder und deren Bedeutung ist der Beschreibung des Attributs "parseProfil" zu entnehmen. Ist "outputFields" nicht gesetzt, wird ein vordefinierter Satz Felder zur Eventgenerierung verwendet.

parseFn {<Parsefunktion>}

Das Attribut ist nur für Device-MODEL "Collector" verwendbar. Es wird die eingegebene Perl-Funktion auf die empfangene Syslog-Meldung angewendet. Der Funktion werden folgende Variablen übergeben die zur Verarbeitung und zur Werterückgabe genutzt werden können. Leer übergebene Variablen sind als "" gekennzeichnet.
Das erwartete Rückgabeformat einer Variable wird in "()" angegeben sofern sie Restriktionen unterliegt. Ansonsten ist die Variable frei verfügbar.

$PRIVAL	"" (0 ... 191)
$FAC	"" (0 ... 23)
$SEV	"" (0 ... 7)
$TS	Zeitstempel (YYYY-MM-DD hh:mm:ss)
$HOST	""
$DATE	"" (YYYY-MM-DD)
$TIME	"" (hh:mm:ss)
$ID	""
$PID	""
$MID	""
$SDFIELD	""
$CONT	""
$DATA	übergebene Rohdaten der Syslog-Mitteilung (keine Rückgabeauswertung!)
$IGNORE	0 (0\|1), wenn $IGNORE==1 wird der Syslog-Datensatz ignoriert

Die Variablennamen korrespondieren mit den Feldnamen und deren ursprünglicher Bedeutung angegeben im Attribut "parseProfile" (Erläuterung der Felddaten).

Beispiel:

{
($PRIVAL,$CONT) = ($DATA =~ /^<(\d{1,3})>\s(.*)$/);
$CONT = (split(">",$CONT))[1] if($CONT =~ /^<.*>.*$/);
}

Automatic	Es wird versucht das Datenformat zu erkennen und das BSD-Format RFC3164 oder IETF-Format RFC5424 anzuwenden (default)
BSD	Parsing der Meldungen im BSD-Format nach RFC3164
IETF	Parsing der Meldungen im IETF-Format nach RFC5424 (default)
...	Es werden weitere angepasste Parsingprofile für ausgewählte Geräte angeboten
ParseFn	Verwendung einer eigenen spezifischen Parsingfunktion im Attribut "parseFn".
raw	kein Parsing, die Meldungen werden wie empfangen in einen Event umgesetzt

Die geparsten Informationen werden in Feldern zur Verfügung gestellt. Die im Event erscheinenden Felder und deren Reihenfolge können mit dem Attribut "outputFields" bestimmt werden.
Abhängig vom verwendeten "parseProfile" oder erkannten Message-Format (Internal PROFILE) werden die folgenden Felder mit Werten gefüllt und es ist dementsprechend auch nur sinnvoll die benannten Felder im Attribut "outputFields" zu verwenden. Im raw-Profil werden die empfangenen Daten ohne Parsing in einen Event umgewandelt.

Die sinnvoll im Attribut "outputFields" verwendbaren Felder des jeweilgen Profils sind:

BSD	-> PRIVAL,FAC,SEV,TS,HOST,ID,CONT
IETF	-> PRIVAL,FAC,SEV,TS,HOST,DATE,TIME,ID,PID,MID,SDFIELD,CONT
ParseFn	-> PRIVAL,FAC,SEV,TS,HOST,DATE,TIME,ID,PID,MID,SDFIELD,CONT
raw	-> keine Auswahl sinnvoll, es wird immer die Originalmeldung in einen Event umgesetzt

Erläuterung der Felddaten:

PRIVAL	kodierter Priority Wert (kodiert aus "facility" und "severity")
FAC	Kategorie (Facility)
SEV	Schweregrad der Meldung (Severity)
TS	Zeitstempel aus Datum und Zeit (YYYY-MM-DD hh:mm:ss)
HOST	Hostname / Ip-Adresse des Senders
DATE	Datum (YYYY-MM-DD)
TIME	Zeit (hh:mm:ss)
ID	Gerät oder Applikation welche die Meldung gesendet hat
PID	Programm-ID, oft belegt durch Prozessname bzw. Prozess-ID
MID	Typ der Mitteilung (beliebiger String)
SDFIELD	Metadaten über die empfangene Syslog-Mitteilung
CONT	Inhalt der Meldung
DATA	empfangene Rohdaten

Hinweis für die manuelle Entscheidung:
Der typische Satzaufbau der Formate "BSD" bzw. "IETF" beginnt mit:

<45>Mar 17 20:23:46 ...	-> Satzstart des BSD-Formats
<45>1 2019-03-17T19:13:48 ...	-> Satzstart des IETF-Formats

port <Port>

Der verwendete Port. Für einen Sender ist der default-Port 514, für einen Collector (Syslog-Server) der Port 1514.

protocol [ TCP | UDP ]

Setzt den Protokolltyp der verwendet werden soll. Es kann UDP oder TCP gewählt werden.
Standard ist "UDP" wenn nichts spezifiziert ist.

rateCalcRerun <Zeit in Sekunden>

Wiederholungszyklus für die Bestimmung der Log-Transferrate (Reading "Transfered_logs_per_minute") in Sekunden (>=60). Eingegebene Werte <60 Sekunden werden automatisch auf 60 Sekunden korrigiert. Default sind 60 Sekunden.

respectSeverity

Es werden nur Nachrichten übermittelt (Sender) bzw. beim Empfang berücksichtigt (Collector), deren Schweregrad im Attribut enthalten ist. Ist "respectSeverity" nicht gesetzt, werden Nachrichten aller Schweregrade verarbeitet.

sslCertPrefix

Setzt das Präfix der SSL-Zertifikate, die Voreinstellung ist "certs/server-". Mit diesem Attribut kann für verschiedene Log2Syslog-Devices die Verwendung unterschiedlicher SSL-Zertifikate bestimmt werden. Siehe auch das "TLS" Attribut.

ssldebug

Debugging Level von SSL Messages. Das Attribut ist nur für Device-MODEL "Sender" verwendbar.
- 0 - Kein Debugging (default).
- 1 - Ausgabe Errors von from IO::Socket::SSL und ciphers von Net::SSLeay.
- 2 - zusätzliche Ausgabe von Informationen über den Protokollfluss von IO::Socket::SSL und Fortschrittinformationen von Net::SSLeay.
- 3 - zusätzliche Ausgabe einiger Dumps von IO::Socket::SSL und Net::SSLeay.

TLS

Ein Client (Sender) baut eine gesicherte Verbindung zum Syslog-Server auf. Ein Syslog-Server (Collector) stellt eine gesicherte Verbindung zur Verfügung. Das Protokoll schaltet automatisch auf TCP um.
Damit ein Collector TLS verwenden kann, muss ein Zertifikat erstellt werden bzw. vorhanden sein. Mit folgenden Schritten kann ein Zertifikat erzeugt werden:

1. im FHEM-Basisordner das Verzeichnis "certs" anlegen:
```
    sudo mkdir /opt/fhem/certs
    
```
2. SSL Zertifikat erstellen:
```
    cd /opt/fhem/certs
    sudo openssl req -new -x509 -nodes -out server-cert.pem -days 3650 -keyout server-key.pem
	
```
3. Datei/Verzeichnis-Rechte setzen:
```
    sudo chown -R fhem:dialout /opt/fhem/certs
    sudo chmod 644 /opt/fhem/certs/*.pem
    sudo chmod 711 /opt/fhem/certs
	
```

timeout

Das Attribut ist nur für "Sender" verwendbar. Timeout für die Verbindung zum Syslog-Server (TCP). Default: 0.5s.

verbose

Verbose-Level entsprechend dem globalen Attribut "verbose". Die Ausgaben der Verbose-Level von Log2Syslog-Devices werden ausschließlich im lokalen FHEM Logfile ausgegeben und nicht weitergeleitet um Schleifen zu vermeiden.

Readings

MSG_<Host>	die letzte erfolgreich geparste Syslog-Message von <Host>
Parse_Err_No	die Anzahl der Parse-Fehler seit Start
SSL_Algorithm	der verwendete SSL Algorithmus wenn SSL eingeschaltet und aktiv ist
SSL_Version	die verwendete TLS-Version wenn die Verschlüsselung aktiv ist
Transfered_logs_per_minute	die durchschnittliche Anzahl der übertragenen/empfangenen Logs/Events pro Minute

=end html_DE =for :application/json;q=META.json 93_Log2Syslog.pm { "abstract": "forward FHEM system logs/events to a syslog server or act as a syslog server itself", "x_lang": { "de": { "abstract": "sendet FHEM Logs/Events an einen Syslog-Server (Sender) oder agiert selbst als Syslog-Server (Collector)" } }, "keywords": [ "syslog", "syslog-server", "syslog-client", "logging" ], "version": "v1.1.1", "release_status": "stable", "author": [ "Heiko Maaz " ], "x_fhem_maintainer": [ "DS_Starter" ], "x_fhem_maintainer_github": [ "nasseeder1" ], "prereqs": { "runtime": { "requires": { "FHEM": 5.00918799, "perl": 5.014, "TcpServerUtils": 0, "Scalar::Util": 0, "Encode": 0, "IO::Socket::INET": 0, "Net::Domain": 0 }, "recommends": { "IO::Socket::SSL": 0 }, "suggests": { } } } } =end :application/json;q=META.json =cut