pacctformat: a new plugin to handle Process Accounting files

bazsi · bazsi · commit fc10d0b006a1 · 2010-07-14T11:05:21.000+02:00
This plugin makes it possible to read/follow process accounting
files on Linux.
diff --git a/configure.in b/configure.in
@@ -819,6 +819,7 @@ AC_OUTPUT(dist.conf
           src/csvparser/Makefile
           src/confgen/Makefile
           src/syslogformat/Makefile
+          src/pacctformat/Makefile
 	  scripts/Makefile
 	  scripts/update-patterndb
 	  doc/Makefile
diff --git a/scl/Makefile.am b/scl/Makefile.am
@@ -1,4 +1,4 @@
-SCL_SUBDIRS = system
+SCL_SUBDIRS = system pacct
 SCL_CONFIGS = scl.conf modules.conf syslog-ng.conf
 EXTRA_DIST = ./scl.conf $(SCL_SUBDIRS)
 
diff --git a/scl/pacct/plugin.conf b/scl/pacct/plugin.conf
@@ -0,0 +1,29 @@
+#############################################################################
+# Copyright (c) 2010 BalaBit IT Ltd, Budapest, Hungary
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 as published
+# by the Free Software Foundation.
+#
+# Note that this permission is granted for only version 2 of the GPL.
+#
+# As an additional exemption you are allowed to compile & link against the
+# OpenSSL libraries as published by the OpenSSL project. See the file
+# COPYING for details.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+#############################################################################
+
+@module pacctformat
+
+block source pacct(file("/var/log/account/pacct") follow-freq(1)) {
+        file("`file`" follow-freq(`follow-freq`) format("pacct"));
+};
diff --git a/scl/scl.conf b/scl/scl.conf
@@ -32,3 +32,4 @@
 
 @include 'modules.conf'
 @include 'scl/system/plugin.conf'
+@include 'scl/pacct/plugin.conf'
diff --git a/src/Makefile.am b/src/Makefile.am
@@ -1,4 +1,4 @@
-SUBDIRS = . afsocket afsql afstreams affile afprog afuser dbparser csvparser confgen syslogformat dummy
+SUBDIRS = . afsocket afsql afstreams affile afprog afuser dbparser csvparser confgen syslogformat pacctformat dummy
 YFLAGS=@YFLAGS@
 
 export top_srcdir
diff --git a/src/pacctformat/Makefile.am b/src/pacctformat/Makefile.am
@@ -0,0 +1,11 @@
+plugindir = @plugindir@
+AM_CPPFLAGS = -I$(top_srcdir)/src -I..
+export top_srcdir
+
+plugin_LTLIBRARIES := libpacctformat.la
+libpacctformat_la_SOURCES = \
+	pacct-format.c pacct-format.h pacct-format-plugin.c
+
+libpacctformat_la_CPPFLAGS = $(AM_CPPFLAGS)
+
+include $(top_srcdir)/build/lex-rules.am
diff --git a/src/pacctformat/pacct-format-plugin.c b/src/pacctformat/pacct-format-plugin.c
@@ -0,0 +1,24 @@
+
+#include "pacct-format.h"
+#include "messages.h"
+#include "plugin.h"
+
+static MsgFormatHandler *
+pacct_format_construct(Plugin *self, GlobalConfig *cfg, gint plugin_type, const gchar *plugin_name)
+{
+  return &pacct_handler;
+}
+
+static Plugin pacct_format_plugin =
+{
+  .type = LL_CONTEXT_FORMAT,
+  .name = "pacct",
+  .construct = &pacct_format_construct,
+};
+
+gboolean
+syslogng_module_init(GlobalConfig *cfg, CfgArgs *args)
+{
+  plugin_register(cfg, &pacct_format_plugin, 1);
+  return TRUE;
+}
diff --git a/src/pacctformat/pacct-format.c b/src/pacctformat/pacct-format.c
@@ -0,0 +1,141 @@
+#include "pacct-format.h"
+#include "logmsg.h"
+
+/* we're using the Linux header as the glibc one is incomplete */
+#include <linux/acct.h>
+
+typedef struct acct_v3 acct_t;
+
+#define PACCT_PREFIX ".pacct."
+
+static gboolean handles_registered = FALSE;
+static NVHandle handle_ac_flag;
+static NVHandle handle_ac_tty;
+static NVHandle handle_ac_exitcode;
+static NVHandle handle_ac_uid;
+static NVHandle handle_ac_gid;
+static NVHandle handle_ac_pid;
+static NVHandle handle_ac_ppid;
+static NVHandle handle_ac_btime;
+static NVHandle handle_ac_etime;
+static NVHandle handle_ac_utime;
+static NVHandle handle_ac_stime;
+static NVHandle handle_ac_mem;
+static NVHandle handle_ac_io;
+static NVHandle handle_ac_rw;
+static NVHandle handle_ac_minflt;
+static NVHandle handle_ac_majflt;
+static NVHandle handle_ac_swaps;
+static NVHandle handle_ac_comm;
+
+#define PACCT_REGISTER(field) \
+  do {                        \
+    handle_##field = log_msg_get_value_handle(PACCT_PREFIX # field);        \
+  } while(0)
+
+#define PACCT_CONVERT_NOP(x) (x)
+
+#define PACCT_CONVERT_COMP_TO_ULONG(x) ((ulong) ((x & 0x1fff) << (((x >> 13) & 0x7) * 3)))
+
+#define PACCT_FORMAT_CONVERT(msg, rec, field, format, convert)                  \
+  do {                                                                  \
+    gchar __buf[64];                                                    \
+    gsize __len;                                                        \
+                                                                        \
+    __len = g_snprintf(__buf, sizeof(__buf), format, convert(rec->field)); \
+    log_msg_set_value(msg, handle_##field, __buf, __len);                     \
+  } while (0)
+
+#define PACCT_FORMAT(msg, rec, field, format) \
+  PACCT_FORMAT_CONVERT(msg, rec, field, format, PACCT_CONVERT_NOP)
+
+void
+pacct_register_handles(void)
+{
+  PACCT_REGISTER(ac_flag);
+  PACCT_REGISTER(ac_tty);
+  PACCT_REGISTER(ac_exitcode);
+  PACCT_REGISTER(ac_uid);
+  PACCT_REGISTER(ac_gid);
+  PACCT_REGISTER(ac_pid);
+  PACCT_REGISTER(ac_ppid);
+  PACCT_REGISTER(ac_btime);
+  PACCT_REGISTER(ac_etime);
+  PACCT_REGISTER(ac_utime);
+  PACCT_REGISTER(ac_stime);
+  PACCT_REGISTER(ac_mem);
+  PACCT_REGISTER(ac_io);
+  PACCT_REGISTER(ac_rw);
+  PACCT_REGISTER(ac_minflt);
+  PACCT_REGISTER(ac_majflt);
+  PACCT_REGISTER(ac_swaps);
+  PACCT_REGISTER(ac_comm);
+}
+
+void
+pacct_format_handler(MsgFormatOptions *options, const guchar *data, gsize length, LogMessage *msg)
+{
+  acct_t *rec;
+  gsize len;
+
+  if (length < sizeof(*rec))
+    {
+      gchar *buf;
+
+      buf = g_strdup_printf("Error parsing process accounting record, record too small; rec_size='%d', expected_size='%d'",
+                            (gint) length, (gint) sizeof(*rec));
+      log_msg_set_value(msg, LM_V_MESSAGE, buf, -1);
+      g_free(buf);
+      return;
+    }
+  rec = (acct_t *) data;
+  if (rec->ac_version != 3)
+    {
+      gchar *buf;
+
+      buf = g_strdup_printf("Error parsing process accounting record, only the v3 format is supported; version='%d'",
+                            rec->ac_version);
+      log_msg_set_value(msg, LM_V_MESSAGE, buf, -1);
+      g_free(buf);
+      return;
+    }
+  if (G_UNLIKELY(!handles_registered))
+    {
+      pacct_register_handles();
+      handles_registered = TRUE;
+    }
+  PACCT_FORMAT(msg, rec, ac_flag, "%02x");
+  PACCT_FORMAT(msg, rec, ac_tty, "%u");
+  PACCT_FORMAT(msg, rec, ac_exitcode, "%u");
+  PACCT_FORMAT(msg, rec, ac_uid, "%u");
+  PACCT_FORMAT(msg, rec, ac_gid, "%u");
+  PACCT_FORMAT(msg, rec, ac_pid, "%u");
+  PACCT_FORMAT(msg, rec, ac_ppid, "%u");
+  PACCT_FORMAT_CONVERT(msg, rec, ac_btime, "%lu.00", PACCT_CONVERT_COMP_TO_ULONG);
+  PACCT_FORMAT(msg, rec, ac_etime, "%9.2f");
+  PACCT_FORMAT_CONVERT(msg, rec, ac_utime, "%lu.00", PACCT_CONVERT_COMP_TO_ULONG);
+  PACCT_FORMAT_CONVERT(msg, rec, ac_stime, "%lu.00", PACCT_CONVERT_COMP_TO_ULONG);
+  PACCT_FORMAT_CONVERT(msg, rec, ac_mem, "%lu", PACCT_CONVERT_COMP_TO_ULONG);
+  PACCT_FORMAT_CONVERT(msg, rec, ac_io, "%lu", PACCT_CONVERT_COMP_TO_ULONG);
+  PACCT_FORMAT_CONVERT(msg, rec, ac_rw, "%lu", PACCT_CONVERT_COMP_TO_ULONG);
+  PACCT_FORMAT_CONVERT(msg, rec, ac_minflt, "%lu", PACCT_CONVERT_COMP_TO_ULONG);
+  PACCT_FORMAT_CONVERT(msg, rec, ac_majflt, "%lu", PACCT_CONVERT_COMP_TO_ULONG);
+  PACCT_FORMAT_CONVERT(msg, rec, ac_swaps, "%lu", PACCT_CONVERT_COMP_TO_ULONG);
+  if (rec->ac_comm[ACCT_COMM - 1] == 0)
+    len = strlen(rec->ac_comm);
+  else
+    len = ACCT_COMM;
+  log_msg_set_value(msg, handle_ac_comm, rec->ac_comm, len);
+}
+
+LogProto *
+pacct_construct_proto(MsgFormatOptions *options, LogTransport *transport, guint flags)
+{
+  return log_proto_record_server_new(transport, sizeof(acct_t), flags | LPRS_BINARY);
+}
+
+MsgFormatHandler pacct_handler =
+{
+  .construct_proto = pacct_construct_proto,
+  .parse = &pacct_format_handler
+};
diff --git a/src/pacctformat/pacct-format.h b/src/pacctformat/pacct-format.h
@@ -0,0 +1,8 @@
+#ifndef PACCT_FORMAT_H_INCLUDED
+#define PACCT_FORMAT_H_INCLUDED
+
+#include "msg-format.h"
+
+extern MsgFormatHandler pacct_handler;
+
+#endif

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-SCL_SUBDIRS = system`
	`1`	`+SCL_SUBDIRS = system pacct`
`2`	`2`	`SCL_CONFIGS = scl.conf modules.conf syslog-ng.conf`
`3`	`3`	`EXTRA_DIST = ./scl.conf $(SCL_SUBDIRS)`
`4`	`4`
Original file line number	Diff line number	Diff line change
`@@ -32,3 +32,4 @@`
`32`	`32`
`33`	`33`	`@include 'modules.conf'`
`34`	`34`	`@include 'scl/system/plugin.conf'`
	`35`	`+@include 'scl/pacct/plugin.conf'`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-SUBDIRS = . afsocket afsql afstreams affile afprog afuser dbparser csvparser confgen syslogformat dummy`
	`1`	`+SUBDIRS = . afsocket afsql afstreams affile afprog afuser dbparser csvparser confgen syslogformat pacctformat dummy`
`2`	`2`	`YFLAGS=@YFLAGS@`
`3`	`3`
`4`	`4`	`export top_srcdir`