Implement export to remote syslog server (implement #4419)

2026-04-29 07:29:32 +00:00 · 2020-11-09 18:40:24 +01:00 · 2020-11-09 18:40:24 +01:00 · 841b476f59
commit 841b476f59
parent 1c73df18db
9 changed files with 184 additions and 33 deletions
--- a/scripts/plugins/endpoints/syslog_alert_endpoint/alert_endpoints/syslog.lua
+++ b/scripts/plugins/endpoints/syslog_alert_endpoint/alert_endpoints/syslog.lua
@ -6,12 +6,16 @@ require "lua_utils"
 local json = require "dkjson"
 local alert_utils = require "alert_utils"
 local alert_consts = require "alert_consts"
+local format_utils = require "format_utils"

 local syslog = {
   name = "Syslog",
   conf_max_num = 1, -- At most 1 endpoint
   endpoint_params = {
      { param_name = "syslog_alert_format" },
+      { param_name = "syslog_protocol", optional = true },
+      { param_name = "syslog_host", optional = true },
+      { param_name = "syslog_port", optional = true },
   },
   endpoint_template = {
      plugin_key = "syslog_alert_endpoint",
@ -21,7 +25,7 @@ local syslog = {
   },
   recipient_template = {
      plugin_key = "syslog_alert_endpoint",
-      template_name = "syslog_recipient.template" -- TODO: add template
+      template_name = "syslog_recipient.template"
   },
 }

@ -37,6 +41,32 @@ end

 -- ##############################################

+local function readSettings(recipient)
+   local settings = {
+      -- Endpoint
+      protocol = recipient.endpoint_conf.syslog_protocol, -- tcp or udp
+      host = recipient.endpoint_conf.syslog_host,
+      port = recipient.endpoint_conf.syslog_port,
+   }
+
+   if isEmptyString(settings.host) then
+      settings.host = nil
+   else
+      if settings.protocol == nil or settings.protocol ~= 'tcp' then
+         settings.protocol = 'udp'
+      end
+      if settings.port == nil then
+         settings.port = 514
+      else
+         settings.port = tonumber(settings.port)
+      end
+   end
+
+   return settings
+end
+
+-- ##############################################
+
 -- @brief Returns the desided formatted output for recipient params
 function syslog.format_recipient_params(recipient_params)
   return string.format("(%s)", syslog.name)
@ -44,7 +74,7 @@ end

 -- ##############################################

-function syslog.sendMessage(notif, severity, syslog_format)
+function syslog.sendMessage(settings, notif, severity, syslog_format)
   local syslog_severity = alert_consts.alertLevelToSyslogLevel(severity)
   local msg

@ -64,7 +94,27 @@ function syslog.sendMessage(notif, severity, syslog_format)
 	 show_entity = true})
   end

-   ntop.syslog(msg, syslog_severity)
+   if settings.host == nil then
+      ntop.syslog(msg, syslog_severity)
+   else
+      local facility = 14 -- log alert
+      local level = 1 -- alert (what about mapping severity?)
+      local prio = (facility * 8) + level
+      local date = format_utils.formatEpoch() -- "2020-11-09 18:00:00"
+      local tag = "ntopng"
+      local info = ntop.getInfo()
+      local pid = info.pid
+
+      -- Example 
+      -- Example: <113>09/11/2020 18:31:21 ntopng[21365]: ...  
+      msg = "<"..prio..">"..date.." "..tag.."["..pid.."]: "..msg
+
+      if settings.protocol == 'tcp' then
+         ntop.send_tcp_data(settings.host, settings.port, msg, 1 --[[ timeout (msec) --]] )
+      else
+         ntop.send_udp_data(settings.host, settings.port, msg)
+      end
+   end

   return true
 end
@ -73,15 +123,17 @@ end

 -- Dequeue alerts from a recipient queue for sending notifications
 function syslog.dequeueRecipientAlerts(recipient, budget, high_priority)   
-    local notifications = {}
-    for i = 1, budget do
-       local notification = ntop.recipient_dequeue(recipient.recipient_id, high_priority)
-       if notification then 
-	  notifications[#notifications + 1] = notification
-       else
-	  break
-       end
-    end
+   local settings = readSettings(recipient)
+
+   local notifications = {}
+   for i = 1, budget do
+      local notification = ntop.recipient_dequeue(recipient.recipient_id, high_priority)
+      if notification then 
+         notifications[#notifications + 1] = notification
+      else
+         break
+      end
+   end

   if not notifications or #notifications == 0 then
      return {success = true, more_available = false}
@ -105,7 +157,7 @@ function syslog.dequeueRecipientAlerts(recipient, budget, high_priority)

 	 -- Most recent notifications first
 	 for _, notif in pairsByValues(sev_notifications, alert_utils.notification_timestamp_rev) do
-            syslog.sendMessage(notif, severity, recipient.endpoint_conf.syslog_alert_format)
+            syslog.sendMessage(settings, notif, severity, recipient.endpoint_conf.syslog_alert_format)
 	 end
      end
   end
@ -116,19 +168,20 @@ end
 -- ##############################################

 function syslog.runTest(recipient)
-  local now = os.time()
-  local notif = {
-    alert_tstamp = now,
-    alert_entity = alert_consts.alert_entities.test.entity_id,
-  }
+   local settings = readSettings(recipient)

-  local success = syslog.sendMessage(notif, "info", recipient.endpoint_conf.syslog_alert_format)
+   local now = os.time()
+   local notif = {
+      alert_tstamp = now,
+      alert_entity = alert_consts.alert_entities.test.entity_id,
+   }

-  local message_info = i18n("prefs.syslog_sent_successfully")
-  return success, message_info
+   local success = syslog.sendMessage(settings, notif, "info", recipient.endpoint_conf.syslog_alert_format)
+
+   local message_info = i18n("prefs.syslog_sent_successfully")
+   return success, message_info
 end

-
 -- ##############################################

 return syslog