SlideShare a Scribd company logo

Writing External Rsyslog Plugins

Rainer Gerhards
Rainer Gerhards

Want to make rsyslog talk to some not-yet-supported output? With v8 it's extremly simple.This presentation contains everything you need to know about writing great plugins in ANY language (like perl or pyton).

TechnologyArt & Photos
1 of 13
Writing external output plugins for rsyslog Rainer Gerhards
Output plugins in rsyslog • Output plugins permit to connect to a variety of log destinations • Pre-v8, plugins needed to be internal modules ▫ Loaded into rsyslog process space ▫ Must be written in C (or link to it) ▫ Deeply tied into rsyslog infrastructure • with v8, we officially support external plugins ▫ Written in any language (Python, Perl, Java, ...) ▫ Have their own process ▫ Relatively de-coupled Rainer Gerhards, http://blog.gerhards.net
Interface Overview process border Internal plugin rsyslog core engine perl plugin external plugin connector python plugin Rainer Gerhards, http://blog.gerhards.net
External Interface Design Goals • Keep it stupid simple ▫ Must support almost any language ▫ Dumb easy to use even for novice programmer ▫ Do not require explicit threading • Speed is NOT the most important goal ▫ Don't make it unnecessarily slow ▫ Many real-world log destinations are slow in any case (like when you connect via http...) ▫ Focus on “enable to build solution” ▫ If necessary, conversion to internal module can be done later Rainer Gerhards, http://blog.gerhards.net
Interface Details: communication • use pipes • stdin ▫ one message per line ▫ format can be customized via rsyslog templates ▫ multi-line messags via JSON • stdout/stderr ▫ Must NOT be written in initial version ▫ Will later convey back state information via plain text (e.g. “ERR”, “ERRMSG:xxx”, ...) • JSON as input format is recommended Rainer Gerhards, http://blog.gerhards.net
Interface Details: Threading • Do NOT care about threading • Write app according to single-thread paradigm • rsyslog will spawn multiple instances of your plugin if there is need to do so ▫ ▫ ▫ ▫ Happens based on config in busy cases Works well in most cases (e.g. http connects) Can be disabled if necessary If your program can run in multiple ter-minal sessions concurrently, it can also be run as multiple rsyslog action instances. Rainer Gerhards, http://blog.gerhards.net
Startup & Termination • • • • • • rsyslog will startup the plugin automatically Plugin needs to read stdin until EOF Do NOT terminate before EOF is reached On EOF, cleanup and terminate If the plugin dies, rsyslog restarts a new instance Some signals (like sigint) are blocked and should remain so Rainer Gerhards, http://blog.gerhards.net
Skeletons • The rsyslog project provides sample plugin skeletons • Available in ./plugins/external/skeletons • These contain ▫ the necessary plumbing ▫ often a kind of abstraction layer to make writing plugins even easier ▫ often performance-enhancement features • Can simply be copied to create your own plugins, don't care about the (minimal) plumbing! Rainer Gerhards, http://blog.gerhards.net
Example: Python Skeleton • Handles all interface plumbing • Uses “eventHandlers” to call the acutal app coding • Is used as a basis, for example, for the Solr output plugin • Available at https://github.com/rsyslog/rsyslog/blob/master/plugin Rainer Gerhards, http://blog.gerhards.net
onInit() Handler • Called when the plugin is initially loaded • Ready outbound connections, files, etc... def onInit(): """ Do everything that is needed to initialize processing (e.g. open files, create handles, connect to systems...) """ global outfile outfile = open("/tmp/logfile", "w") Rainer Gerhards, http://blog.gerhards.net
onReceive() • Called when new messages arrive • Receives one or more message via Python list object --> e.g. place them into one transaction, HTTP request, ... def onReceive(msgs): """This is the entry point where actual work needs to be done. It receives a list with all messages pulled from rsyslog. The list is of variable length, but contains all messages that are currently available. It is suggest NOT to use any further buffering, as we do not know when the next message will arrive. It may be in a nanosecond from now, but it may also be in three hours... """ global outfile for msg in msgs: outfile.write(msg) Rainer Gerhards, http://blog.gerhards.net
onExit() • Called immediately before the plugin terminates • Gurantees that no more messages arrive • Used to cleanup connections, write some final records, ... def onExit(): """ Do everything that is needed to finish processing (e.g. close files, handles, disconnect from systems...). This is being called immediately before exiting. """ global outfile outfile.close() Rainer Gerhards, http://blog.gerhards.net
Call to Action • If you need to send logs to a destination that is not yet supported, you can quickly write an external plugin – in any language you know! • Writing rsyslog plugins is easy ▫ If there is already a skeleton for your language, copy it and add your app-specific code ▫ If not ... no problem, the interface is dumb easy If you can write a script that reads stdin and does something useful with it, you can also write a rsyslog plugin! Rainer Gerhards, http://blog.gerhards.net

Recommended

Using Wildcards with rsyslog's File Monitor imfile
Using Wildcards with rsyslog's File Monitor imfileUsing Wildcards with rsyslog's File Monitor imfile
Using Wildcards with rsyslog's File Monitor imfile
Rainer Gerhards
 
コンテナにおけるパフォーマンス調査でハマった話
コンテナにおけるパフォーマンス調査でハマった話コンテナにおけるパフォーマンス調査でハマった話
コンテナにおけるパフォーマンス調査でハマった話
Yuta Shimada
 
Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2
Giuseppe Paterno'
 
Velocity 2015 linux perf tools
Velocity 2015 linux perf toolsVelocity 2015 linux perf tools
Velocity 2015 linux perf tools
Brendan Gregg
 
Rsyslog log normalization
Rsyslog log normalizationRsyslog log normalization
Rsyslog log normalization
Rainer Gerhards
 
Graylog for open stack 3 steps to know why
Graylog for open stack 3 steps to know whyGraylog for open stack 3 steps to know why
Graylog for open stack 3 steps to know why
Vietnam Open Infrastructure User Group
 
今からでも遅くないDBマイグレーション - Flyway と SchemaSpy の紹介 -
今からでも遅くないDBマイグレーション - Flyway と SchemaSpy の紹介 -今からでも遅くないDBマイグレーション - Flyway と SchemaSpy の紹介 -
今からでも遅くないDBマイグレーション - Flyway と SchemaSpy の紹介 -
onozaty
 
暗認本読書会4
暗認本読書会4暗認本読書会4
暗認本読書会4
MITSUNARI Shigeo
 

Recommended

Using Wildcards with rsyslog's File Monitor imfile
Using Wildcards with rsyslog's File Monitor imfileUsing Wildcards with rsyslog's File Monitor imfile
Using Wildcards with rsyslog's File Monitor imfile
Rainer Gerhards
 
コンテナにおけるパフォーマンス調査でハマった話
コンテナにおけるパフォーマンス調査でハマった話コンテナにおけるパフォーマンス調査でハマった話
コンテナにおけるパフォーマンス調査でハマった話
Yuta Shimada
 
Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2
Giuseppe Paterno'
 
Velocity 2015 linux perf tools
Velocity 2015 linux perf toolsVelocity 2015 linux perf tools
Velocity 2015 linux perf tools
Brendan Gregg
 
Rsyslog log normalization
Rsyslog log normalizationRsyslog log normalization
Rsyslog log normalization
Rainer Gerhards
 
Graylog for open stack 3 steps to know why
Graylog for open stack 3 steps to know whyGraylog for open stack 3 steps to know why
Graylog for open stack 3 steps to know why
Vietnam Open Infrastructure User Group
 
今からでも遅くないDBマイグレーション - Flyway と SchemaSpy の紹介 -
今からでも遅くないDBマイグレーション - Flyway と SchemaSpy の紹介 -今からでも遅くないDBマイグレーション - Flyway と SchemaSpy の紹介 -
今からでも遅くないDBマイグレーション - Flyway と SchemaSpy の紹介 -
onozaty
 
暗認本読書会4
暗認本読書会4暗認本読書会4
暗認本読書会4
MITSUNARI Shigeo
 
#logstudy 01 rsyslog入門
#logstudy 01 rsyslog入門#logstudy 01 rsyslog入門
#logstudy 01 rsyslog入門
Takashi Takizawa
 
SSH力をつけよう
SSH力をつけようSSH力をつけよう
SSH力をつけよう(^-^) togakushi
 
ARMアーキテクチャにおけるセキュリティ機構の紹介
ARMアーキテクチャにおけるセキュリティ機構の紹介ARMアーキテクチャにおけるセキュリティ機構の紹介
ARMアーキテクチャにおけるセキュリティ機構の紹介
sounakano
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
WindowsのCP932に苦闘している件
WindowsのCP932に苦闘している件WindowsのCP932に苦闘している件
WindowsのCP932に苦闘している件
Hidetoshi Hirokawa
 
5 Steps to PostgreSQL Performance
5 Steps to PostgreSQL Performance5 Steps to PostgreSQL Performance
5 Steps to PostgreSQL Performance
Command Prompt., Inc
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
Nikos Gkogkos
 
Nginx
NginxNginx
Nginx
Geeta Vinnakota
 
Extreme Linux Performance Monitoring and Tuning
Extreme Linux Performance Monitoring and TuningExtreme Linux Performance Monitoring and Tuning
Extreme Linux Performance Monitoring and Tuning
Milind Koyande
 
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Opersys inc.
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
Mario Heiderich
 
Gocon2017:Goのロギング周りの考察
Gocon2017:Goのロギング周りの考察Gocon2017:Goのロギング周りの考察
Gocon2017:Goのロギング周りの考察
貴仁 大和屋
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)
Angel Boy
 
ゼロからはじめるKVM超入門
ゼロからはじめるKVM超入門ゼロからはじめるKVM超入門
ゼロからはじめるKVM超入門
VirtualTech Japan Inc.
 
Ceph and RocksDB
Ceph and RocksDBCeph and RocksDB
Ceph and RocksDB
Sage Weil
 
ARM Trusted FirmwareのBL31を単体で使う!
ARM Trusted FirmwareのBL31を単体で使う!ARM Trusted FirmwareのBL31を単体で使う!
ARM Trusted FirmwareのBL31を単体で使う!
Mr. Vengineer
 
GPU仮想化最前線 - KVMGTとvirtio-gpu -
GPU仮想化最前線 - KVMGTとvirtio-gpu -GPU仮想化最前線 - KVMGTとvirtio-gpu -
GPU仮想化最前線 - KVMGTとvirtio-gpu -
zgock
 
Getting started with postgresql
Getting started with postgresqlGetting started with postgresql
Getting started with postgresql
botsplash.com
 
Troubleshooting PostgreSQL Streaming Replication
Troubleshooting PostgreSQL Streaming ReplicationTroubleshooting PostgreSQL Streaming Replication
Troubleshooting PostgreSQL Streaming Replication
Alexey Lesovsky
 
Xbyakの紹介とその周辺
Xbyakの紹介とその周辺Xbyakの紹介とその周辺
Xbyakの紹介とその周辺
MITSUNARI Shigeo
 
RSYSLOG v8 improvements and how to write plugins in any language.
RSYSLOG v8 improvements and how to write plugins in any language.RSYSLOG v8 improvements and how to write plugins in any language.
RSYSLOG v8 improvements and how to write plugins in any language.
Rainer Gerhards
 
Fedora Developer's Conference 2014 Talk
Fedora Developer's Conference 2014 TalkFedora Developer's Conference 2014 Talk
Fedora Developer's Conference 2014 Talk
Rainer Gerhards
 

More Related Content

What's hot

#logstudy 01 rsyslog入門
#logstudy 01 rsyslog入門#logstudy 01 rsyslog入門
#logstudy 01 rsyslog入門
Takashi Takizawa
 
ARMアーキテクチャにおけるセキュリティ機構の紹介
ARMアーキテクチャにおけるセキュリティ機構の紹介ARMアーキテクチャにおけるセキュリティ機構の紹介
ARMアーキテクチャにおけるセキュリティ機構の紹介
sounakano
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
WindowsのCP932に苦闘している件
WindowsのCP932に苦闘している件WindowsのCP932に苦闘している件
WindowsのCP932に苦闘している件
Hidetoshi Hirokawa
 
5 Steps to PostgreSQL Performance
5 Steps to PostgreSQL Performance5 Steps to PostgreSQL Performance
5 Steps to PostgreSQL Performance
Command Prompt., Inc
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
Nikos Gkogkos
 
Nginx
NginxNginx
Nginx
Geeta Vinnakota
 
Extreme Linux Performance Monitoring and Tuning
Extreme Linux Performance Monitoring and TuningExtreme Linux Performance Monitoring and Tuning
Extreme Linux Performance Monitoring and Tuning
Milind Koyande
 
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Opersys inc.
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
Mario Heiderich
 
Gocon2017:Goのロギング周りの考察
Gocon2017:Goのロギング周りの考察Gocon2017:Goのロギング周りの考察
Gocon2017:Goのロギング周りの考察
貴仁 大和屋
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)
Angel Boy
 
ゼロからはじめるKVM超入門
ゼロからはじめるKVM超入門ゼロからはじめるKVM超入門
ゼロからはじめるKVM超入門
VirtualTech Japan Inc.
 
Ceph and RocksDB
Ceph and RocksDBCeph and RocksDB
Ceph and RocksDB
Sage Weil
 
ARM Trusted FirmwareのBL31を単体で使う!
ARM Trusted FirmwareのBL31を単体で使う!ARM Trusted FirmwareのBL31を単体で使う!
ARM Trusted FirmwareのBL31を単体で使う!
Mr. Vengineer
 
GPU仮想化最前線 - KVMGTとvirtio-gpu -
GPU仮想化最前線 - KVMGTとvirtio-gpu -GPU仮想化最前線 - KVMGTとvirtio-gpu -
GPU仮想化最前線 - KVMGTとvirtio-gpu -
zgock
 
Getting started with postgresql
Getting started with postgresqlGetting started with postgresql
Getting started with postgresql
botsplash.com
 
Troubleshooting PostgreSQL Streaming Replication
Troubleshooting PostgreSQL Streaming ReplicationTroubleshooting PostgreSQL Streaming Replication
Troubleshooting PostgreSQL Streaming Replication
Alexey Lesovsky
 
Xbyakの紹介とその周辺
Xbyakの紹介とその周辺Xbyakの紹介とその周辺
Xbyakの紹介とその周辺
MITSUNARI Shigeo
 

What's hot (20)

#logstudy 01 rsyslog入門
#logstudy 01 rsyslog入門#logstudy 01 rsyslog入門
#logstudy 01 rsyslog入門
 
SSH力をつけよう
SSH力をつけようSSH力をつけよう
SSH力をつけよう
 
ARMアーキテクチャにおけるセキュリティ機構の紹介
ARMアーキテクチャにおけるセキュリティ機構の紹介ARMアーキテクチャにおけるセキュリティ機構の紹介
ARMアーキテクチャにおけるセキュリティ機構の紹介
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
WindowsのCP932に苦闘している件
WindowsのCP932に苦闘している件WindowsのCP932に苦闘している件
WindowsのCP932に苦闘している件
 
5 Steps to PostgreSQL Performance
5 Steps to PostgreSQL Performance5 Steps to PostgreSQL Performance
5 Steps to PostgreSQL Performance
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
 
Nginx
NginxNginx
Nginx
 
Extreme Linux Performance Monitoring and Tuning
Extreme Linux Performance Monitoring and TuningExtreme Linux Performance Monitoring and Tuning
Extreme Linux Performance Monitoring and Tuning
 
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
 
Gocon2017:Goのロギング周りの考察
Gocon2017:Goのロギング周りの考察Gocon2017:Goのロギング周りの考察
Gocon2017:Goのロギング周りの考察
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)
 
ゼロからはじめるKVM超入門
ゼロからはじめるKVM超入門ゼロからはじめるKVM超入門
ゼロからはじめるKVM超入門
 
Ceph and RocksDB
Ceph and RocksDBCeph and RocksDB
Ceph and RocksDB
 
ARM Trusted FirmwareのBL31を単体で使う!
ARM Trusted FirmwareのBL31を単体で使う!ARM Trusted FirmwareのBL31を単体で使う!
ARM Trusted FirmwareのBL31を単体で使う!
 
GPU仮想化最前線 - KVMGTとvirtio-gpu -
GPU仮想化最前線 - KVMGTとvirtio-gpu -GPU仮想化最前線 - KVMGTとvirtio-gpu -
GPU仮想化最前線 - KVMGTとvirtio-gpu -
 
Getting started with postgresql
Getting started with postgresqlGetting started with postgresql
Getting started with postgresql
 
Troubleshooting PostgreSQL Streaming Replication
Troubleshooting PostgreSQL Streaming ReplicationTroubleshooting PostgreSQL Streaming Replication
Troubleshooting PostgreSQL Streaming Replication
 
Xbyakの紹介とその周辺
Xbyakの紹介とその周辺Xbyakの紹介とその周辺
Xbyakの紹介とその周辺
 

Similar to Writing External Rsyslog Plugins

RSYSLOG v8 improvements and how to write plugins in any language.
RSYSLOG v8 improvements and how to write plugins in any language.RSYSLOG v8 improvements and how to write plugins in any language.
RSYSLOG v8 improvements and how to write plugins in any language.
Rainer Gerhards
 
Fedora Developer's Conference 2014 Talk
Fedora Developer's Conference 2014 TalkFedora Developer's Conference 2014 Talk
Fedora Developer's Conference 2014 Talk
Rainer Gerhards
 
rsyslog meets docker
rsyslog meets dockerrsyslog meets docker
rsyslog meets docker
Rainer Gerhards
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.js
orkaplan
 
Ansible - A 'crowd' introduction
Ansible - A 'crowd' introductionAnsible - A 'crowd' introduction
Ansible - A 'crowd' introduction
Manuel de la Peña Peña
 
linux_internals_2.3 (1).pdf àaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
linux_internals_2.3 (1).pdf àaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalinux_internals_2.3 (1).pdf àaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
linux_internals_2.3 (1).pdf àaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
YasaswiniChintamalla1
 
My "Perfect" Toolchain Setup for Grails Projects
My "Perfect" Toolchain Setup for Grails ProjectsMy "Perfect" Toolchain Setup for Grails Projects
My "Perfect" Toolchain Setup for Grails Projects
GR8Conf
 
Techtalks: taking docker to production
Techtalks: taking docker to productionTechtalks: taking docker to production
Techtalks: taking docker to production
muayyad alsadi
 
JOSA TechTalk: Taking Docker to Production
JOSA TechTalk: Taking Docker to ProductionJOSA TechTalk: Taking Docker to Production
JOSA TechTalk: Taking Docker to Production
Jordan Open Source Association
 
Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...
Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...
Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...
Nagios
 
IT Operations for Web Developers
IT Operations for Web DevelopersIT Operations for Web Developers
IT Operations for Web Developers
Mahmoud Said
 
Demo 0.9.4
Demo 0.9.4Demo 0.9.4
Demo 0.9.4
eTimeline, LLC
 
Deep Postgres Extensions in Rust | PGCon 2019 | Jeff Davis
Deep Postgres Extensions in Rust | PGCon 2019 | Jeff DavisDeep Postgres Extensions in Rust | PGCon 2019 | Jeff Davis
Deep Postgres Extensions in Rust | PGCon 2019 | Jeff Davis
Citus Data
 
Logstash
LogstashLogstash
Logstash
琛琳 饶
 
Warden @ Meet magento Romania 2021
Warden @ Meet magento Romania 2021Warden @ Meet magento Romania 2021
Warden @ Meet magento Romania 2021
alinalexandru
 
Node.js 101 with Rami Sayar
Node.js 101 with Rami SayarNode.js 101 with Rami Sayar
Node.js 101 with Rami Sayar
FITC
 
Fluentd v1.0 in a nutshell
Fluentd v1.0 in a nutshellFluentd v1.0 in a nutshell
Fluentd v1.0 in a nutshell
N Masahiro
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Chris Gates
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Codemotion
 
O365Con19 - Things I've Learned While Building a Product on SharePoint Modern...
O365Con19 - Things I've Learned While Building a Product on SharePoint Modern...O365Con19 - Things I've Learned While Building a Product on SharePoint Modern...
O365Con19 - Things I've Learned While Building a Product on SharePoint Modern...
NCCOMMS
 

Similar to Writing External Rsyslog Plugins (20)

RSYSLOG v8 improvements and how to write plugins in any language.
RSYSLOG v8 improvements and how to write plugins in any language.RSYSLOG v8 improvements and how to write plugins in any language.
RSYSLOG v8 improvements and how to write plugins in any language.
 
Fedora Developer's Conference 2014 Talk
Fedora Developer's Conference 2014 TalkFedora Developer's Conference 2014 Talk
Fedora Developer's Conference 2014 Talk
 
rsyslog meets docker
rsyslog meets dockerrsyslog meets docker
rsyslog meets docker
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.js
 
Ansible - A 'crowd' introduction
Ansible - A 'crowd' introductionAnsible - A 'crowd' introduction
Ansible - A 'crowd' introduction
 
linux_internals_2.3 (1).pdf àaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
linux_internals_2.3 (1).pdf àaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalinux_internals_2.3 (1).pdf àaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
linux_internals_2.3 (1).pdf àaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
My "Perfect" Toolchain Setup for Grails Projects
My "Perfect" Toolchain Setup for Grails ProjectsMy "Perfect" Toolchain Setup for Grails Projects
My "Perfect" Toolchain Setup for Grails Projects
 
Techtalks: taking docker to production
Techtalks: taking docker to productionTechtalks: taking docker to production
Techtalks: taking docker to production
 
JOSA TechTalk: Taking Docker to Production
JOSA TechTalk: Taking Docker to ProductionJOSA TechTalk: Taking Docker to Production
JOSA TechTalk: Taking Docker to Production
 
Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...
Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...
Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...
 
IT Operations for Web Developers
IT Operations for Web DevelopersIT Operations for Web Developers
IT Operations for Web Developers
 
Demo 0.9.4
Demo 0.9.4Demo 0.9.4
Demo 0.9.4
 
Deep Postgres Extensions in Rust | PGCon 2019 | Jeff Davis
Deep Postgres Extensions in Rust | PGCon 2019 | Jeff DavisDeep Postgres Extensions in Rust | PGCon 2019 | Jeff Davis
Deep Postgres Extensions in Rust | PGCon 2019 | Jeff Davis
 
Logstash
LogstashLogstash
Logstash
 
Warden @ Meet magento Romania 2021
Warden @ Meet magento Romania 2021Warden @ Meet magento Romania 2021
Warden @ Meet magento Romania 2021
 
Node.js 101 with Rami Sayar
Node.js 101 with Rami SayarNode.js 101 with Rami Sayar
Node.js 101 with Rami Sayar
 
Fluentd v1.0 in a nutshell
Fluentd v1.0 in a nutshellFluentd v1.0 in a nutshell
Fluentd v1.0 in a nutshell
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
 
O365Con19 - Things I've Learned While Building a Product on SharePoint Modern...
O365Con19 - Things I've Learned While Building a Product on SharePoint Modern...O365Con19 - Things I've Learned While Building a Product on SharePoint Modern...
O365Con19 - Things I've Learned While Building a Product on SharePoint Modern...
 

More from Rainer Gerhards

Sicherheit im Internet - Wie kann man sich schützen?
Sicherheit im Internet - Wie kann man sich schützen?Sicherheit im Internet - Wie kann man sich schützen?
Sicherheit im Internet - Wie kann man sich schützen?
Rainer Gerhards
 
Rsyslog version naming (v8.6.0+)
Rsyslog version naming (v8.6.0+)Rsyslog version naming (v8.6.0+)
Rsyslog version naming (v8.6.0+)
Rainer Gerhards
 
The rsyslog v8 engine (developer's view)
The rsyslog v8 engine (developer's view)The rsyslog v8 engine (developer's view)
The rsyslog v8 engine (developer's view)
Rainer Gerhards
 
Wetterbeobachtung - Ein Vortrag für die Grundschule
Wetterbeobachtung - Ein Vortrag für die GrundschuleWetterbeobachtung - Ein Vortrag für die Grundschule
Wetterbeobachtung - Ein Vortrag für die Grundschule
Rainer Gerhards
 
Rsyslog vs Systemd Journal Presentation
Rsyslog vs Systemd Journal PresentationRsyslog vs Systemd Journal Presentation
Rsyslog vs Systemd Journal Presentation
Rainer Gerhards
 
Rsyslog vs Systemd Journal (Paper)
Rsyslog vs Systemd Journal (Paper)Rsyslog vs Systemd Journal (Paper)
Rsyslog vs Systemd Journal (Paper)
Rainer Gerhards
 
CEE Log Integrity and the "Counterpane Paper"
CEE Log Integrity and the "Counterpane Paper"CEE Log Integrity and the "Counterpane Paper"
CEE Log Integrity and the "Counterpane Paper"
Rainer Gerhards
 
State of syslog (2005)
State of syslog (2005)State of syslog (2005)
State of syslog (2005)
Rainer Gerhards
 
Status of syslog as of 2005
Status of syslog as of 2005Status of syslog as of 2005
Status of syslog as of 2005
Rainer Gerhards
 
LogFile Auswertung (log analysis)
LogFile Auswertung (log analysis)LogFile Auswertung (log analysis)
LogFile Auswertung (log analysis)
Rainer Gerhards
 

More from Rainer Gerhards (10)

Sicherheit im Internet - Wie kann man sich schützen?
Sicherheit im Internet - Wie kann man sich schützen?Sicherheit im Internet - Wie kann man sich schützen?
Sicherheit im Internet - Wie kann man sich schützen?
 
Rsyslog version naming (v8.6.0+)
Rsyslog version naming (v8.6.0+)Rsyslog version naming (v8.6.0+)
Rsyslog version naming (v8.6.0+)
 
The rsyslog v8 engine (developer's view)
The rsyslog v8 engine (developer's view)The rsyslog v8 engine (developer's view)
The rsyslog v8 engine (developer's view)
 
Wetterbeobachtung - Ein Vortrag für die Grundschule
Wetterbeobachtung - Ein Vortrag für die GrundschuleWetterbeobachtung - Ein Vortrag für die Grundschule
Wetterbeobachtung - Ein Vortrag für die Grundschule
 
Rsyslog vs Systemd Journal Presentation
Rsyslog vs Systemd Journal PresentationRsyslog vs Systemd Journal Presentation
Rsyslog vs Systemd Journal Presentation
 
Rsyslog vs Systemd Journal (Paper)
Rsyslog vs Systemd Journal (Paper)Rsyslog vs Systemd Journal (Paper)
Rsyslog vs Systemd Journal (Paper)
 
CEE Log Integrity and the "Counterpane Paper"
CEE Log Integrity and the "Counterpane Paper"CEE Log Integrity and the "Counterpane Paper"
CEE Log Integrity and the "Counterpane Paper"
 
State of syslog (2005)
State of syslog (2005)State of syslog (2005)
State of syslog (2005)
 
Status of syslog as of 2005
Status of syslog as of 2005Status of syslog as of 2005
Status of syslog as of 2005
 
LogFile Auswertung (log analysis)
LogFile Auswertung (log analysis)LogFile Auswertung (log analysis)
LogFile Auswertung (log analysis)
 

Recently uploaded

LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
DanBrown980551
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
Fwdays
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
 
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
zjhamm304
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
ScyllaDB
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
ScyllaDB
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsGetting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
ScyllaDB
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Ukraine
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Neo4j
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
HarpalGohil4
 
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
AlexanderRichford
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
christinelarrosa
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 

Recently uploaded (20)

LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsGetting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
 
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 

Writing External Rsyslog Plugins

  • 1. Writing external output plugins for rsyslog Rainer Gerhards
  • 2. Output plugins in rsyslog • Output plugins permit to connect to a variety of log destinations • Pre-v8, plugins needed to be internal modules ▫ Loaded into rsyslog process space ▫ Must be written in C (or link to it) ▫ Deeply tied into rsyslog infrastructure • with v8, we officially support external plugins ▫ Written in any language (Python, Perl, Java, ...) ▫ Have their own process ▫ Relatively de-coupled Rainer Gerhards, http://blog.gerhards.net
  • 3. Interface Overview process border Internal plugin rsyslog core engine perl plugin external plugin connector python plugin Rainer Gerhards, http://blog.gerhards.net
  • 4. External Interface Design Goals • Keep it stupid simple ▫ Must support almost any language ▫ Dumb easy to use even for novice programmer ▫ Do not require explicit threading • Speed is NOT the most important goal ▫ Don't make it unnecessarily slow ▫ Many real-world log destinations are slow in any case (like when you connect via http...) ▫ Focus on “enable to build solution” ▫ If necessary, conversion to internal module can be done later Rainer Gerhards, http://blog.gerhards.net
  • 5. Interface Details: communication • use pipes • stdin ▫ one message per line ▫ format can be customized via rsyslog templates ▫ multi-line messags via JSON • stdout/stderr ▫ Must NOT be written in initial version ▫ Will later convey back state information via plain text (e.g. “ERR”, “ERRMSG:xxx”, ...) • JSON as input format is recommended Rainer Gerhards, http://blog.gerhards.net
  • 6. Interface Details: Threading • Do NOT care about threading • Write app according to single-thread paradigm • rsyslog will spawn multiple instances of your plugin if there is need to do so ▫ ▫ ▫ ▫ Happens based on config in busy cases Works well in most cases (e.g. http connects) Can be disabled if necessary If your program can run in multiple ter-minal sessions concurrently, it can also be run as multiple rsyslog action instances. Rainer Gerhards, http://blog.gerhards.net
  • 7. Startup & Termination • • • • • • rsyslog will startup the plugin automatically Plugin needs to read stdin until EOF Do NOT terminate before EOF is reached On EOF, cleanup and terminate If the plugin dies, rsyslog restarts a new instance Some signals (like sigint) are blocked and should remain so Rainer Gerhards, http://blog.gerhards.net
  • 8. Skeletons • The rsyslog project provides sample plugin skeletons • Available in ./plugins/external/skeletons • These contain ▫ the necessary plumbing ▫ often a kind of abstraction layer to make writing plugins even easier ▫ often performance-enhancement features • Can simply be copied to create your own plugins, don't care about the (minimal) plumbing! Rainer Gerhards, http://blog.gerhards.net
  • 9. Example: Python Skeleton • Handles all interface plumbing • Uses “eventHandlers” to call the acutal app coding • Is used as a basis, for example, for the Solr output plugin • Available at https://github.com/rsyslog/rsyslog/blob/master/plugin Rainer Gerhards, http://blog.gerhards.net
  • 10. onInit() Handler • Called when the plugin is initially loaded • Ready outbound connections, files, etc... def onInit(): """ Do everything that is needed to initialize processing (e.g. open files, create handles, connect to systems...) """ global outfile outfile = open("/tmp/logfile", "w") Rainer Gerhards, http://blog.gerhards.net
  • 11. onReceive() • Called when new messages arrive • Receives one or more message via Python list object --> e.g. place them into one transaction, HTTP request, ... def onReceive(msgs): """This is the entry point where actual work needs to be done. It receives a list with all messages pulled from rsyslog. The list is of variable length, but contains all messages that are currently available. It is suggest NOT to use any further buffering, as we do not know when the next message will arrive. It may be in a nanosecond from now, but it may also be in three hours... """ global outfile for msg in msgs: outfile.write(msg) Rainer Gerhards, http://blog.gerhards.net
  • 12. onExit() • Called immediately before the plugin terminates • Gurantees that no more messages arrive • Used to cleanup connections, write some final records, ... def onExit(): """ Do everything that is needed to finish processing (e.g. close files, handles, disconnect from systems...). This is being called immediately before exiting. """ global outfile outfile.close() Rainer Gerhards, http://blog.gerhards.net
  • 13. Call to Action • If you need to send logs to a destination that is not yet supported, you can quickly write an external plugin – in any language you know! • Writing rsyslog plugins is easy ▫ If there is already a skeleton for your language, copy it and add your app-specific code ▫ If not ... no problem, the interface is dumb easy If you can write a script that reads stdin and does something useful with it, you can also write a rsyslog plugin! Rainer Gerhards, http://blog.gerhards.net