feat: add syslog filterchecks

therealbobo · therealbobo · commit 7ac235b592fc · 2025-12-10T10:38:38.000+01:00
Signed-off-by: Roberto Scolaro &lt;roberto.scolaro21@gmail.com&gt;
diff --git a/userspace/sysdig/filterchecks/sinsp_filtercheck_syslog.cpp b/userspace/sysdig/filterchecks/sinsp_filtercheck_syslog.cpp
@@ -0,0 +1,96 @@
+#include "sinsp_filtercheck_syslog.h"
+#include <libsinsp/sinsp.h>
+#include <libsinsp/sinsp_int.h>
+
+using namespace std;
+
+#define RETURN_EXTRACT_VAR(x)  \
+	do {                       \
+		*len = sizeof((x));    \
+		return (uint8_t*)&(x); \
+	} while(0)
+
+#define RETURN_EXTRACT_STRING(x)      \
+	do {                              \
+		*len = (x).size();            \
+		return (uint8_t*)(x).c_str(); \
+	} while(0)
+
+#define RETURN_EXTRACT_CSTR(x)           \
+	do {                                 \
+		if((x)) {                        \
+			*len = strlen((char*)((x))); \
+		}                                \
+		return (uint8_t*)((x));          \
+	} while(0)
+
+static const filtercheck_field_info sinsp_filter_check_syslog_fields[] = {
+        {PT_CHARBUF, EPF_NONE, PF_NA, "syslog.facility.str", "Facility", "facility as a string."},
+        {PT_UINT32,
+         EPF_NONE,
+         PF_DEC,
+         "syslog.facility",
+         "Numeric Facility",
+         "facility as a number (0-23)."},
+        {PT_CHARBUF,
+         EPF_NONE,
+         PF_NA,
+         "syslog.severity.str",
+         "Severity",
+         "severity as a string. Can have one of these values: emerg, alert, crit, err, warn, "
+         "notice, info, debug"},
+        {PT_UINT32,
+         EPF_NONE,
+         PF_DEC,
+         "syslog.severity",
+         "Numeric Severity",
+         "severity as a number (0-7)."},
+        {PT_CHARBUF, EPF_NONE, PF_NA, "syslog.message", "Message", "message sent to syslog."},
+};
+
+sinsp_filter_check_syslog::sinsp_filter_check_syslog(std::shared_ptr<sinsp_syslog_decoder> syslog_decoder) {
+	static const filter_check_info s_field_infos = {
+	        "syslog",
+	        "",
+	        "Content of Syslog messages.",
+	        sizeof(sinsp_filter_check_syslog_fields) / sizeof(sinsp_filter_check_syslog_fields[0]),
+	        sinsp_filter_check_syslog_fields,
+	        filter_check_info::FL_NONE,
+	};
+	m_info = &s_field_infos;
+    m_syslog_decoder = syslog_decoder;
+}
+
+std::unique_ptr<sinsp_filter_check> sinsp_filter_check_syslog::allocate_new() {
+	return std::make_unique<sinsp_filter_check_syslog>(m_syslog_decoder);
+}
+
+uint8_t* sinsp_filter_check_syslog::extract_single(sinsp_evt* evt,
+                                                   uint32_t* len,
+                                                   bool sanitize_strings) {
+	*len = 0;
+	if(!m_syslog_decoder->is_data_valid()) {
+		return NULL;
+	}
+
+	switch(m_field_id) {
+	case TYPE_FACILITY:
+		m_storageu32 = m_syslog_decoder->get_facility();
+		RETURN_EXTRACT_VAR(m_storageu32);
+	case TYPE_FACILITY_STR:
+		mstrstorage = m_syslog_decoder->get_facility_str();
+		RETURN_EXTRACT_STRING(mstrstorage);
+	case TYPE_SEVERITY:
+		m_storageu32 = m_syslog_decoder->get_severity();
+		RETURN_EXTRACT_VAR(m_storageu32);
+	case TYPE_SEVERITY_STR:
+		mstrstorage = m_syslog_decoder->get_severity_str();
+		RETURN_EXTRACT_STRING(mstrstorage);
+	case TYPE_MESSAGE:
+		mstrstorage = m_syslog_decoder->get_msg();
+		RETURN_EXTRACT_STRING(mstrstorage);
+	default:
+		ASSERT(false);
+		return NULL;
+	}
+}
diff --git a/userspace/sysdig/filterchecks/sinsp_filtercheck_syslog.h b/userspace/sysdig/filterchecks/sinsp_filtercheck_syslog.h
@@ -0,0 +1,28 @@
+#pragma once
+
+#include <libsinsp/sinsp_filtercheck.h>
+#include "../utils/sinsp_syslog.h"
+
+class sinsp_filter_check_syslog : public sinsp_filter_check {
+public:
+	enum check_type {
+		TYPE_FACILITY_STR = 0,
+		TYPE_FACILITY,
+		TYPE_SEVERITY_STR,
+		TYPE_SEVERITY,
+		TYPE_MESSAGE,
+	};
+
+	sinsp_filter_check_syslog(std::shared_ptr<sinsp_syslog_decoder> syslog_decoder);
+	virtual ~sinsp_filter_check_syslog() = default;
+
+	std::unique_ptr<sinsp_filter_check> allocate_new() override;
+
+protected:
+	uint8_t* extract_single(sinsp_evt*, uint32_t* len, bool sanitize_strings = true) override;
+
+private:
+	uint32_t m_storageu32;
+	std::string mstrstorage;
+	std::shared_ptr<sinsp_syslog_decoder> m_syslog_decoder;
+};
diff --git a/userspace/sysdig/utils/sinsp_syslog.cpp b/userspace/sysdig/utils/sinsp_syslog.cpp
@@ -0,0 +1,109 @@
+#include "sinsp_syslog.h"
+#include <libsinsp/utils.h>
+
+#define PRI_BUF_SIZE 16
+
+static const std::string s_syslog_severity_strings[] =
+        {"emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"};
+
+static const std::string s_syslog_facility_strings[] = {
+        "kern",   "user",   "mail",     "daemon", "auth",   "syslog",   "lpr",      "news",
+        "uucp",   "clock",  "authpriv", "ftp",    "ntp",    "logaudit", "logalert", "cron",
+        "local0", "local1", "local2",   "local3", "local4", "local5",   "local6",   "local7"};
+
+void sinsp_syslog_decoder::parse_data(const char* data, uint32_t len) {
+	char pri[PRI_BUF_SIZE];
+	const char* tc = data + 1;
+	const char* te = data + len;
+	uint32_t j = 0;
+
+	while(tc < te && *tc != '>' && *tc != '\0' && j < PRI_BUF_SIZE - 1) {
+		pri[j++] = *tc;
+		tc++;
+	}
+
+	pri[j] = 0;
+
+	decode_message(data, len, pri, j);
+}
+
+std::string sinsp_syslog_decoder::get_severity_str() const {
+	if(!is_data_valid() ||
+	   m_severity >= sizeof(s_syslog_severity_strings) / sizeof(s_syslog_severity_strings[0])) {
+		return "<NA>";
+	} else {
+		return s_syslog_severity_strings[m_severity];
+	}
+}
+
+std::string sinsp_syslog_decoder::get_facility_str() const {
+	if(!is_data_valid() ||
+	   m_facility >= sizeof(s_syslog_facility_strings) / sizeof(s_syslog_facility_strings[0])) {
+		return "<NA>";
+	} else {
+		return s_syslog_facility_strings[m_facility];
+	}
+}
+
+void sinsp_syslog_decoder::decode_message(const char* data,
+                                          uint32_t len,
+                                          char* pristr,
+                                          uint32_t pristrlen) {
+	if(len < pristrlen + 2 || pristrlen == 0) {
+		m_priority = s_invalid_priority;
+		return;
+	}
+
+	bool res = sinsp_numparser::tryparsed32_fast(pristr, pristrlen, &m_priority);
+
+	if(!res) {
+		m_priority = s_invalid_priority;
+		return;
+	}
+
+	m_severity = m_priority & 0x07;
+	m_facility = m_priority >> 3;
+
+	m_msg.assign(data + pristrlen + 2, len - pristrlen - 2);
+}
+
+std::string sinsp_syslog_decoder::get_info_line() const {
+	if(!is_data_valid()) {
+		return "<NA>";
+	}
+
+	return "syslog sev=" + get_severity_str() + " msg=" + m_msg;
+}
+
+void sinsp_syslog_decoder::parse(sinsp_evt* evt) {
+	if(!evt || !evt->get_fd_info()) {
+		return;
+	}
+
+	// Check if this is a syslog fd
+	if(!evt->get_fd_info()->is_syslog()) {
+		return;
+	}
+
+	// Extract the data buffer based on event type
+	uint16_t etype = evt->get_type();
+	const sinsp_evt_param* parinfo = nullptr;
+
+	// Determine which parameter contains the data based on event type
+	if(etype == PPME_SOCKET_SENDMMSG_X) {
+		parinfo = evt->get_param(2);
+	} else if(etype == PPME_SYSCALL_READV_X || etype == PPME_SYSCALL_PREADV_X ||
+	          etype == PPME_SOCKET_RECVMSG_X) {
+		parinfo = evt->get_param(2);
+	} else if(etype == PPME_SOCKET_RECVMMSG_X) {
+		parinfo = evt->get_param(3);
+	} else {
+		parinfo = evt->get_param(1);
+	}
+
+	if(parinfo) {
+		const char* data = parinfo->m_val;
+		uint32_t datalen = parinfo->m_len;
+		parse_data(data, datalen);
+	}
+}
diff --git a/userspace/sysdig/utils/sinsp_syslog.h b/userspace/sysdig/utils/sinsp_syslog.h
@@ -0,0 +1,42 @@
+#pragma once
+
+#include <libsinsp/sinsp.h>
+#include <libsinsp/sinsp_exception.h>
+
+#include <stdint.h>
+#include <string>
+#include <memory>
+
+class sinsp_syslog_decoder {
+public:
+	void parse_data(const char* data, uint32_t len);
+
+	std::string get_info_line() const;
+	std::string get_severity_str() const;
+	std::string get_facility_str() const;
+
+	inline void reset() { m_priority = s_invalid_priority; }
+
+	bool is_data_valid() const { return m_priority != s_invalid_priority; }
+
+	inline int32_t get_priority() const { return m_priority; }
+
+	inline uint32_t get_facility() const { return m_facility; }
+
+	inline uint32_t get_severity() const { return m_severity; }
+
+	inline const std::string& get_msg() const { return m_msg; }
+
+    void parse(sinsp_evt* evt);
+
+private:
+	void decode_message(const char* data, uint32_t len, char* pristr, uint32_t pristrlen);
+
+	int32_t m_priority{s_invalid_priority};
+	uint32_t m_facility{0};
+	uint32_t m_severity{0};
+	std::string m_msg;
+	std::string m_infostr;
+
+	static constexpr const int32_t s_invalid_priority = -1;
+};
