Making logging configurable. If no logging outputs are defined the default will be used. - Currently per output log formatting is not available.

17 years ago · c72d6be58b
parent a857fa7170
commit c72d6be58b
4 changed files with 102 additions and 61 deletions
--- a/src/util-debug.c
+++ b/src/util-debug.c
@ -256,9 +256,9 @@ void SCLogOutputBuffer(SCLogLevel log_level, char *msg)
 SCError SCLogMessage(SCLogLevel log_level, char **msg, const char *file,
                     unsigned line, const char *function)
 {
-	char *temp_fmt = strdup(sc_log_config->log_format);
+    char *temp_fmt = strdup(sc_log_config->log_format);
    char *temp_fmt_h = temp_fmt;
-	char *substr = temp_fmt;
+    char *substr = temp_fmt;
    char *temp = *msg;
    const char *s = NULL;
@ -1010,53 +1010,103 @@ void SCLogInitLogModule(SCLogInitData *sc_lid)
 void SCLogLoadConfig(void)
 {
    ConfNode *outputs;
    SCLogInitData *sc_lid;
-    outputs = ConfGetNode("logging.output");
+    outputs = ConfGetNode("logging.outputs");
    if (outputs == NULL) {
        SCLogDebug("No logging.output configuration section found.");
        return;
    }
-    /* Process each output. */
+    sc_lid = SCLogAllocLogInitData();
-    ConfNode *output;
+
-    TAILQ_FOREACH(output, &outputs->head, next) {
+    /* Get default log level and format. */
-        //ConfNode *param;
+    char *default_log_level_s = NULL;
-        const char *interface = NULL;
+    if (ConfGet("logging.default-log-level", &default_log_level_s) == 1) {
-        const char *log_level = NULL;
+        sc_lid->global_log_level =
-        const char *facility = NULL;
+            SCMapEnumNameToValue(default_log_level_s, sc_log_level_map);
-        //const char *filename = NULL;
+        if (sc_lid->global_log_level == -1) {
-        const char *format = NULL;
+            SCLogError(SC_INVALID_ARGUMENT, "Invalid default log level: %s",
-
+                default_log_level_s);
        interface = ConfNodeLookupChildValue(output, "interface");
        if (interface == NULL) {
            /* No interface in this item, ignore. */
            continue;
        }
        if (SCMapEnumNameToValue(interface, sc_log_op_iface_map) < 0) {
            SCLogError(SC_INVALID_ARGUMENT,
                "Invalid logging interface: %s", interface);
            exit(EXIT_FAILURE);
        }
    }
    else {
        SCLogWarning(SC_ERR_MISSING_CONFIG_PARAM,
            "No default log level set, will use info.");
        sc_lid->global_log_level = SC_LOG_INFO;
    }
    if (ConfGet("logging.default-log-format", &sc_lid->global_log_format) != 1)
        sc_lid->global_log_format = SC_LOG_DEF_LOG_FORMAT;
    ConfNode *seq_node, *output;
    TAILQ_FOREACH(seq_node, &outputs->head, next) {
        SCLogLevel level = sc_lid->global_log_level;
        SCLogOPIfaceCtx *op_iface_ctx = NULL;
        const char *format;
        const char *level_s;
        output = ConfNodeLookupChild(seq_node, seq_node->val);
        if (output == NULL)
            continue;
-        /* Any output may have a log-level set. */
+        /* By default an output is enabled. */
-        log_level = ConfNodeLookupChildValue(output, "log-level");
+        const char *enabled = ConfNodeLookupChildValue(output, "enabled");
        if (enabled != NULL && strcmp(enabled, "no") == 0)
            continue;
        /* Any output may have a format set. */
        format = ConfNodeLookupChildValue(output, "format");
        level_s = ConfNodeLookupChildValue(output, "level");
        if (level_s != NULL) {
            level = SCMapEnumNameToValue(level_s, sc_log_level_map);
            if (level == -1) {
                SCLogError(SC_INVALID_ARGUMENT, "Invalid log level: %s",
                    level_s);
                exit(EXIT_FAILURE);
            }
        }
-        if (strcmp(interface, "console") == 0) {
+        if (strcmp(output->name, "console") == 0) {
-            /* No other lookups required for console logging. */
+            op_iface_ctx = SCLogInitConsoleOPIface(format, level);
-            /* \todo Setup console logging... */
+        }
        else if (strcmp(output->name, "file") == 0) {
            const char *filename = ConfNodeLookupChildValue(output, "filename");
            if (filename == NULL) {
                SCLogError(SC_ERR_MISSING_CONFIG_PARAM,
                    "Logging to file requires a filename");
                exit(EXIT_FAILURE);
            }
            op_iface_ctx = SCLogInitFileOPIface(filename, format, level);
        }
-        else if (strcmp(interface, "syslog") == 0) {
+        else if (strcmp(output->name, "syslog") == 0) {
-            /* \todo Setup syslog logging. */
+            int facility = SC_LOG_DEF_SYSLOG_FACILITY;
-            facility = ConfNodeLookupChildValue(output, "facility");
+            const char *facility_s = ConfNodeLookupChildValue(output,
                "facility");
            if (facility_s != NULL) {
                facility = SCMapEnumNameToValue(facility_s,
                    sc_syslog_facility_map);
                if (facility == -1) {
                    SCLogError(SC_INVALID_ARGUMENT,
                        "Invalid syslog facility: %s", facility_s);
                    exit(EXIT_FAILURE);
                }
            }
            printf("Initialization syslog logging with format \"%s\".\n",
                format);
            op_iface_ctx = SCLogInitSyslogOPIface(facility, format, level);
        }
        else {
-            SCLogWarning(SC_UNIMPLEMENTED,
+            SCLogWarning(SC_INVALID_ARGUMENT, "Invalid logging method: %s, "
-                "Ignoring unknown logging interface: %s", interface);
+                "ignoring", output->name);
        }
        if (op_iface_ctx != NULL) {
            SCLogAppendOPIfaceCtx(op_iface_ctx, sc_lid);
        }
    }
    SCLogInitLogModule(sc_lid);
    //exit(1);
    /* \todo Can we free sc_lid now? */
 }
 /**
--- a/src/util-error.c
+++ b/src/util-error.c
@ -88,6 +88,7 @@ const char * SCErrorToString(SCError err)
        CASE_CODE (SC_ERR_MULTIPLE_RUN_MODE);
        CASE_CODE (SC_ERR_BPF);
        CASE_CODE (SC_ERR_PCAP_DISPATCH);
        CASE_CODE (SC_ERR_MISSING_CONFIG_PARAM);
        default:
            return "UNKNOWN_ERROR";
    }
--- a/src/util-error.h
+++ b/src/util-error.h
@ -99,6 +99,7 @@ typedef enum {
    SC_ERR_STAT_ERROR,
    SC_ERR_LOGDIR_CONFIG,
    SC_ERR_LOGDIR_CMDLINE,
    SC_ERR_MISSING_CONFIG_PARAM,
    SC_RADIX_TREE_GENERIC_ERROR,
    SC_ERR_MISSING_QUOTE,
    SC_ERR_MUTEX,
--- a/suricata.yaml
+++ b/suricata.yaml
@ -6,6 +6,7 @@
 # overridden with the -l command line parameter.
 default-log-dir: /var/log/suricata
 # Configure the type of alert (and other) logging you would like.
 outputs:
  - fast:
@ -112,43 +113,31 @@ stream:
 logging:
  # The default log level, can be overridden in an output section.
-  default-log-level: debug
+  # Note that debug level logging will only be emitted if Suricata was
  # compiled with the --enable-debug configure option.
  default-log-level: info
  # The default output format.  Optional parameter, should default to
  # something reasonable if not provided.  Can be overriden in an
-  # output section.
+  # output section.  You can leave this out to get the default.
-  default-format: "<%t> - <%l>"
+  #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
  # Default startup message.  Optional parameter, should default to
  # something reasonable if not provided.  Can be overridden in an
  # output section.
  default-startup-message: Your IDS has started.
  # A regex to filter output.  Can be overridden in an output section.
  # Defaults to empty (no filter).
  default-output-filter:
-  # Configure the outputs.  If no outputs are specified the engine
+  # Define your logging outputs.  If none are define, or they are all
-  # will log to the console with an error log level.
+  # disabled you will get the default - console output.
-  output:
+  outputs:
-
+  - console:
-  # Enable logging to the console.  Be a little more verbose than
+      enabled: yes
-  # default, log info and more critical.
+  - file:
-  - interface: console
+      enabled: no
-    log-level: error
+      filename: /var/log/suricata.log
-
+  - syslog:
-  # Log to a file as well.  No log level specified so level will be
+      enabled: no
-  # set to the default-log-level.
+      facility: local5
-  - interface: file
+      format: "[%i] <%d> -- "
    filename: /var/log/suricata.log
  # Log to syslog with facility local5.  Again, no level specified so
  # will level will be set to default-log-level.  We also override the
  # format as we don't want to log a timestamp, syslog will do that
  # for us.
  - interface: syslog
    facility: local5
    format: "%l"
 # PF_RING configuration. for use with native PF_RING support
 # for more info see http://www.ntop.org/PF_RING.html