log checksums and proctree for syslog formats

 - Log the checksums and process tree when using rfc3164 and rfc5424
   formats.
 - Minor performance improvements.

Author: gustavo-iniguez-goya

daemon/log/formats/formats.go

@@ -1,9 +1,25 @@
 package formats
 
+import (
+	"log/syslog"
+	"os"
+	"strconv"
+)
+
 // LoggerFormat is the common interface that every format must meet.
 // Transform expects an arbitrary number of arguments and types, and
 // it must transform them to a string.
 // Arguments can be of type Connection, string, int, etc.
 type LoggerFormat interface {
 	Transform(...interface{}) string
 }
+
+var (
+	ourPid      = ""
+	syslogLevel = ""
+)
+
+func init() {
+	ourPid = strconv.FormatUint(uint64(os.Getpid()), 10)
+	syslogLevel = strconv.FormatUint(uint64(syslog.LOG_NOTICE|syslog.LOG_DAEMON), 10)
+}

daemon/log/formats/rfc3164.go

@@ -2,8 +2,6 @@ package formats
 
 import (
 	"fmt"
-	"log/syslog"
-	"os"
 	"strconv"
 	"strings"
 	"time"
@@ -40,7 +38,16 @@ func (r *Rfc3164) Transform(args ...interface{}) (out string) {
 	for n, val := range values {
 		switch val.(type) {
 		case *protocol.Connection:
+			checksums := ""
+			tree := ""
 			con := val.(*protocol.Connection)
+
+			for k, v := range con.ProcessChecksums {
+				checksums = core.ConcatStrings(checksums, k, ":", v)
+			}
+			for _, y := range con.ProcessTree {
+				tree = core.ConcatStrings(tree, y.Key, ",")
+			}
 			out = core.ConcatStrings(out,
 				" SRC=\"", con.SrcIp, "\"",
 				" SPT=\"", strconv.FormatUint(uint64(con.SrcPort), 10), "\"",
@@ -54,17 +61,19 @@ func (r *Rfc3164) Transform(args ...interface{}) (out string) {
 				" PATH=\"", con.ProcessPath, "\"",
 				" CMDLINE=\"", strings.Join(con.ProcessArgs, " "), "\"",
 				" CWD=\"", con.ProcessCwd, "\"",
+				" CHECKSUMS=\"", checksums, "\"",
+				" PROCTREE=\"", tree, "\"",
 			)
 		default:
 			out = fmt.Sprint(out, " ARG", n, "=\"", val, "\"")
 		}
 	}
-	out = fmt.Sprintf("<%d>%s %s %s[%d]: [%s]\n",
-		syslog.LOG_NOTICE|syslog.LOG_DAEMON,
+	out = fmt.Sprintf("<%s>%s %s %s[%s]: [%s]\n",
+		syslogLevel,
 		time.Now().Format(time.RFC3339),
 		hostname,
 		tag,
-		os.Getpid(),
+		ourPid,
 		out[1:])
 
 	return

daemon/log/formats/rfc5424.go

@@ -2,8 +2,6 @@ package formats
 
 import (
 	"fmt"
-	"log/syslog"
-	"os"
 	"strconv"
 	"strings"
 	"time"
@@ -30,6 +28,7 @@ func NewRfc5424() *Rfc5424 {
 func (r *Rfc5424) Transform(args ...interface{}) (out string) {
 	hostname := ""
 	tag := ""
+	event := "GENERIC"
 	arg1 := args[0]
 	if len(args) > 1 {
 		arg2 := args[1]
@@ -41,7 +40,19 @@ func (r *Rfc5424) Transform(args ...interface{}) (out string) {
 	for n, val := range values {
 		switch val.(type) {
 		case *protocol.Connection:
+			tree := ""
+			checksums := ""
 			con := val.(*protocol.Connection)
+			event = "CONNECTION"
+
+			for k, v := range con.ProcessChecksums {
+				checksums = core.ConcatStrings(checksums, k, ":", v)
+			}
+			for _, y := range con.ProcessTree {
+				tree = core.ConcatStrings(tree, y.Key, ",")
+			}
+
+			// TODO: allow to configure this via configuration file.
 			out = core.ConcatStrings(out,
 				" SRC=\"", con.SrcIp, "\"",
 				" SPT=\"", strconv.FormatUint(uint64(con.SrcPort), 10), "\"",
@@ -55,17 +66,20 @@ func (r *Rfc5424) Transform(args ...interface{}) (out string) {
 				" PATH=\"", con.ProcessPath, "\"",
 				" CMDLINE=\"", strings.Join(con.ProcessArgs, " "), "\"",
 				" CWD=\"", con.ProcessCwd, "\"",
+				" CHECKSUMS=\"", checksums, "\"",
+				" PROCTREE=\"", tree, "\"",
 			)
 		default:
 			out = fmt.Sprint(out, " ARG", n, "=\"", val, "\"")
 		}
 	}
-	out = fmt.Sprintf("<%d>1 %s %s %s %d TCPOUT - [%s]\n",
-		syslog.LOG_NOTICE|syslog.LOG_DAEMON,
+	out = fmt.Sprintf("<%s>1 %s %s %s %s %s - [%s]\n",
+		syslogLevel,
 		time.Now().Format(time.RFC3339),
 		hostname,
 		tag,
-		os.Getpid(),
+		ourPid,
+		event,
 		out[1:])
 
 	return