Refactored rsyslog plugin (#4658)

We now use the same code for forwarding logs to syslog:
1. Syslog now uses octet counting transport
2. Syslog log forwarding now works on Windows as well.

Author: scudette

api/events_test.go

@@ -8,7 +8,6 @@ import (
 
 	"github.com/Velocidex/ordereddict"
 	errors "github.com/go-errors/errors"
-	"github.com/golang/protobuf/proto"
 	"github.com/stretchr/testify/suite"
 	acl_proto "www.velocidex.com/golang/velociraptor/acls/proto"
 	actions_proto "www.velocidex.com/golang/velociraptor/actions/proto"
@@ -36,6 +35,8 @@ var (
 name: Server.Audit.Logs
 type: SERVER_EVENT
 `}
+
+	FALSE = false
 )
 
 // Tests the public API endpoints
@@ -338,7 +339,7 @@ func (self *GeneralAPITest) TestVFSGetBufferSparse() {
 	buf, err = client.VFSGetBuffer(self.Ctx, &api_proto.VFSFileBuffer{
 		Components: filename.Components(),
 		Length:     100,
-		Padding:    proto.Bool(false),
+		Padding:    &FALSE,
 	})
 	assert.NoError(self.T(), err)
 	assert.Equal(self.T(), string(buf.Data), "HelloWorld")

logging/logging.go

@@ -18,6 +18,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
 package logging
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -116,7 +117,7 @@ func InitLogging(config_obj *config_proto.Config) error {
 		new_manager.contexts[component] = logger
 	}
 
-	err := maybeAddRemoteSyslog(config_obj, new_manager)
+	err := maybeAddRemoteSyslog(context.Background(), config_obj, new_manager)
 	if err != nil {
 		return err
 	}

logging/syslog_nonwindows.go logging/syslog.gologging/syslog_nonwindows.go renamed to logging/syslog.go

@@ -1,17 +1,17 @@
-//go:build !windows
-// +build !windows
-
 package logging
 
 import (
-	"log/syslog"
+	"context"
+	"fmt"
 	"strings"
+	"time"
 
-	lSyslog "github.com/sirupsen/logrus/hooks/syslog"
 	config_proto "www.velocidex.com/golang/velociraptor/config/proto"
+	"www.velocidex.com/golang/velociraptor/utils/syslog"
 )
 
 func maybeAddRemoteSyslog(
+	ctx context.Context,
 	config_obj *config_proto.Config, manager *LogManager) error {
 
 	if config_obj.Logging == nil ||
@@ -58,11 +58,11 @@ func maybeAddRemoteSyslog(
 	Prelog("<green>Will connect to syslog server %v over %v</>",
 		server, protocol)
 
-	hook, err := lSyslog.NewSyslogHook(
-		protocol, server, syslog.LOG_INFO, "")
+	connect_timeout := time.Minute
+	hook, err := syslog.NewHook(ctx, config_obj.Client, protocol, server,
+		"", connect_timeout)
 	if err != nil {
-		Prelog("While connecting to Syslog %v: %v", server, err)
-		return err
+		return fmt.Errorf("While connecting to Syslog Server: %w", err)
 	}
 
 	for k := range components {

logging/syslog_windows.go

@@ -0,0 +1,48 @@
+// Provides an implementation of a syslog logger
+
+package syslog
+
+import (
+	"context"
+	"io"
+	"time"
+
+	"github.com/sirupsen/logrus"
+	"github.com/sirupsen/logrus/hooks/writer"
+	config_proto "www.velocidex.com/golang/velociraptor/config/proto"
+	"www.velocidex.com/golang/velociraptor/utils"
+)
+
+var (
+	Factory func(ctx context.Context,
+		config_obj *config_proto.ClientConfig,
+		network, raddr string,
+		root_certs string,
+		connectTimeout time.Duration) (io.Writer, error) = nil
+)
+
+func NewHook(ctx context.Context,
+	config_obj *config_proto.ClientConfig,
+	network, raddr string,
+	root_certs string,
+	connectTimeout time.Duration) (logrus.Hook, error) {
+	if Factory == nil {
+		return nil, utils.Wrap(utils.NotImplementedError, "Syslog factory not initialized")
+	}
+
+	writer_fd, err := Factory(ctx, config_obj, network, raddr, root_certs, connectTimeout)
+	if err != nil {
+		return nil, err
+	}
+
+	return &writer.Hook{
+		Writer: writer_fd,
+		LogLevels: []logrus.Level{
+			logrus.PanicLevel,
+			logrus.FatalLevel,
+			logrus.ErrorLevel,
+			logrus.WarnLevel,
+			logrus.InfoLevel,
+		},
+	}, nil
+}

utils/syslog/api.go

@@ -1,29 +1,80 @@
 package rsyslog
 
 import (
+	"context"
 	"time"
 
-	"github.com/Velocidex/ttlcache/v2"
+	config_proto "www.velocidex.com/golang/velociraptor/config/proto"
+	vql_subsystem "www.velocidex.com/golang/velociraptor/vql"
+	"www.velocidex.com/golang/vfilter"
+)
+
+const (
+	SYSLOG_POOL_TAG = "$SYSLOG"
 )
 
 type connectionPool struct {
-	lru *ttlcache.Cache // map[string]*Logger
+	ctx     context.Context
+	loggers map[string]*Logger
+}
+
+// Get a new Logger for the specified address
+func (self *connectionPool) Dial(
+	config_obj *config_proto.ClientConfig,
+	network, raddr string,
+	root_certs string,
+	connectTimeout time.Duration) (*Logger, error) {
+
+	// Check if the connection is already in the pool
+	existing, ok := self.loggers[raddr]
+	if ok {
+		return existing, nil
+	}
+
+	// No logger found, make a new one.
+	res := &Logger{
+		ctx:            self.ctx,
+		config_obj:     config_obj,
+		network:        network,
+		raddr:          raddr,
+		root_certs:     root_certs,
+		connectTimeout: connectTimeout,
+		messageQueue:   make(chan string, 1000),
+	}
+
+	err := res.Connect()
+	if err != nil {
+		return nil, err
+	}
+
+	go res.Start()
+
+	self.loggers[raddr] = res
+
+	return res, nil
 }
 
-func NewConnectionPool() *connectionPool {
-	self := &connectionPool{
-		lru: ttlcache.NewCache(),
+// A pool manages access to several syslog loggers. The pool's life
+// span is managed using the ctx.
+func NewConnectionPool(ctx context.Context) *connectionPool {
+	return &connectionPool{
+		ctx:     ctx,
+		loggers: make(map[string]*Logger),
 	}
+}
 
-	_ = self.lru.SetTTL(time.Minute)
-	self.lru.SetCacheSizeLimit(10)
-	self.lru.SetExpirationCallback(func(key string, value interface{}) error {
-		logger, ok := value.(*Logger)
+// Get a pool stored in the scope for the lifetime of the query.
+func GetPool(ctx context.Context, scope vfilter.Scope) *connectionPool {
+	pool_any := vql_subsystem.CacheGet(scope, SYSLOG_POOL_TAG)
+	if pool_any != nil {
+		pool, ok := pool_any.(*connectionPool)
 		if ok {
-			logger.Close()
+			return pool
 		}
-		return nil
-	})
+	}
+
+	pool := NewConnectionPool(ctx)
+	vql_subsystem.CacheSet(scope, SYSLOG_POOL_TAG, pool)
 
-	return self
+	return pool
 }