modseccfg: Check-in [33aecba645]

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview

Comment:	Add docs for logfmt1
Downloads:	Tarball \| ZIP archive \| SQL archive
Timelines:	family \| ancestors \| descendants \| both \| trunk
Files:	files \| file ages \| folders
SHA3-256:	33aecba64597a3e352be71d43a57412a671150a761325ef2b2233a4b2b091f2e
User & Date:	mario 2020-12-28 12:59:08

Context

2020-12-28
13:21		switch to RTD theme check-in: c7a4cf835d user: mario tags: trunk
12:59		Add docs for logfmt1 check-in: 33aecba645 user: mario tags: trunk
2020-12-26
22:38		Add basic plugin_load(), generilize `add_menu()` into `init()` check-in: 0f1d190f43 user: mario tags: trunk

Changes

Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to Makefile.

Added logfmt1/docs/custom.css.

Added logfmt1/docs/fmt.md.

Added logfmt1/docs/index.md.

Added logfmt1/docs/log.fmt.md.

Added logfmt1/docs/logex.md.

Added logfmt1/docs/logopen.md.

Added logfmt1/docs/update-logfmt.md.

Added logfmt1/docs/update-regex.md.

Added logfmt1/html/404.html.

Added logfmt1/html/css/base.css.

Added logfmt1/html/css/bootstrap.min.css.

cannot compute difference between binary files

Added logfmt1/html/css/font-awesome.min.css.

Added logfmt1/html/custom.css.

Added logfmt1/html/fmt.html.

Added logfmt1/html/index.html.

Added logfmt1/html/log.fmt.html.

Added logfmt1/html/logex.html.

Added logfmt1/html/logopen.html.

Added logfmt1/html/update-logfmt.html.

Added logfmt1/html/update-regex.html.

Changes to logfmt1/logex.py.

Changes to logfmt1/logfmt1.py.

Added logfmt1/mkdocs.yml.

︙			︙
11 12 13 14 15 16 17 18 19 20 21 22 23 24 25	# alongside (generate with `update-logfmt`). # # Syntax: # logex.py /var/log/apache2/access.log request_path request_time @host # # Other args: # --json / --tab / --csv ~~# --iso8601 / --debug~~ # # Where any @'s are decoration, and fields can be supplied as individual # arguments (become space-separated without --tab/--csv). Field names are # application-type specific (internal) names. (E.g. @request_method, @host # or @tm_wday for Apache logs. With some predefined aliases, e.g. the w3c # extended log field names.) #	\|	11 12 13 14 15 16 17 18 19 20 21 22 23 24 25	# alongside (generate with `update-logfmt`). # # Syntax: # logex.py /var/log/apache2/access.log request_path request_time @host # # Other args: # --json / --tab / --csv # --iso8601 / --debug / --rx # # Where any @'s are decoration, and fields can be supplied as individual # arguments (become space-separated without --tab/--csv). Field names are # application-type specific (internal) names. (E.g. @request_method, @host # or @tm_wday for Apache logs. With some predefined aliases, e.g. the w3c # extended log field names.) #
︙			︙
54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83	if "--tab" in argv: space = "\t" if "--csv" in argv: space = "," iso8601 = any(a in argv for a in ("--iso", "--iso8601", "--date", "--fixdates", "--die-apachedateformat-die")) as_json = any(a in argv for a in ("--json", "--asjson", "--as-json")) dodebug = any(a in argv for a in ("--debug", "-D")) # remove --params argv = [a for a in argv if not re.match("^--\w+$\|^-\w$", a)] # filename and field list try: log_fn = argv[1] except: sys.stderr.write("logex: no filename given\n") sys.exit(errno.ENOENT) output_fields = space.join(argv[2:]) #-- open log file try: reader = logfmt1.logopen(log_fn, debug=dodebug, duplicate=False) #if dodebug: # sys.stdout.write(json.dumps(reader.__dict__, indent=2, default=lambda x:str(x))+"\n") except Exception as e: sys.stderr.write(traceback.format_exc()+"\n") sys.stderr.write("Use `update-logfmt-apache` or modseccfg→File→Install→update_logfmt to generate a .fmt descriptor\n") sys.exit(errno.ENODATA) # extra aliases (for apache/httpd)	> > > >	54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87	if "--tab" in argv: space = "\t" if "--csv" in argv: space = "," iso8601 = any(a in argv for a in ("--iso", "--iso8601", "--date", "--fixdates", "--die-apachedateformat-die")) as_json = any(a in argv for a in ("--json", "--asjson", "--as-json")) dodebug = any(a in argv for a in ("--debug", "-D")) only_rx = any(a in argv for a in ("--regex", "--rx")) # remove --params argv = [a for a in argv if not re.match("^--\w+$\|^-\w$", a)] # filename and field list try: log_fn = argv[1] except: sys.stderr.write("logex: no filename given\n") sys.exit(errno.ENOENT) output_fields = space.join(argv[2:]) #-- open log file try: reader = logfmt1.logopen(log_fn, debug=dodebug, duplicate=False) #if dodebug: # sys.stdout.write(json.dumps(reader.__dict__, indent=2, default=lambda x:str(x))+"\n") if only_rx: sys.stdout.write(reader.rx.pattern) exit(0) except Exception as e: sys.stderr.write(traceback.format_exc()+"\n") sys.stderr.write("Use `update-logfmt-apache` or modseccfg→File→Install→update_logfmt to generate a .fmt descriptor\n") sys.exit(errno.ENODATA) # extra aliases (for apache/httpd)
︙			︙

1 2 3 4 5 6 7 8 9 10 11 12 13 14	# encoding: utf-8 # api: python # title: python3-logfmt1 # description: handle *.log.fmt specifiers and regex conversion # type: transform # category: io ~~# version: 0.5-2~~ # license: Apache-2.0 # pack: # logfmt1.py=/usr/lib/python3/dist-packages/ # update_logfmt.py=/usr/bin/update-logfmt # ./logex.py=/usr/bin/logex # share=/usr/share/logfmt # architecture: all	\|	1 2 3 4 5 6 7 8 9 10 11 12 13 14	# encoding: utf-8 # api: python # title: python3-logfmt1 # description: handle *.log.fmt specifiers and regex conversion # type: transform # category: io # version: 0.5.3 # license: Apache-2.0 # pack: # logfmt1.py=/usr/lib/python3/dist-packages/ # update_logfmt.py=/usr/bin/update-logfmt # ./logex.py=/usr/bin/logex # share=/usr/share/logfmt # architecture: all
︙			︙
51 52 53 54 55 56 57 ~~58 59~~ 60 61 62 63 64 65 66 67 68 69 70 71	import re, json, os, sys from copy import copy class rulesdb: ~~~~# K~~nown format strings and field identifiers.~~ ~~# T~~his mixes both accesslog and errorlog ~~format strings, should~~ ~~~~# be split out perhaps,~~ as `%{cu}t` won't work in access.logs.~~ # # - "[client %s:%d]" : "[remote %s:%d]" only in errorlogdefault? # apache = { "class": "apache generic", #"record": "%h %l %u %t \"%r\" %>s %b", #"regex": "(?<remote_host>\S+) …",	\| \| > > > > \| > \| > \| > <	51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77	import re, json, os, sys from copy import copy class rulesdb: """ Lookup table for known format strings and field identifiers. This class will also `.get("appname variant")` definitions from /usr/share/logfmt/*.fmt files, if they exist. Future versions might support prebuilt .grok or .lnav files as well. In the case of Apache logs, this mixes both accesslog and errorlog format strings, albeit they probably should be split out perhaps, as `%{cu}t` won't work in access.logs. It's both close enough to make one set of placeholders work, but requires aliasing at least. """ # - "[client %s:%d]" : "[remote %s:%d]" only in errorlogdefault? apache = { "class": "apache generic", #"record": "%h %l %u %t \"%r\" %>s %b", #"regex": "(?<remote_host>\S+) …",
︙			︙
294 295 296 297 298 299 300 ~~301~~ 302 303 304 305 306 307 308 309 310	"id": "$1", "value": "$2$3", "class": "inilog" } }, } ~~# return builtin definitions or from /usr/share/logfmt/..fmt~~ @staticmethod def get(cls): rules = {} cls = cls.split(" ") while cls: lookup = ".".join(cls) lookup_ = "_".join(cls) add = {} dir = "/usr/share/logfmt"	< > > >	300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318	"id": "$1", "value": "$2$3", "class": "inilog" } }, } @staticmethod def get(cls): """ Return builtin definitions or from /usr/share/logfmt/..fmt """ rules = {} cls = cls.split(" ") while cls: lookup = ".".join(cls) lookup_ = "_".join(cls) add = {} dir = "/usr/share/logfmt"
︙			︙
339 340 341 342 343 344 345 ~~346~~ 347 348 349 ~~350~~ 351 352 ~~353~~ 354 ~~355~~ ~~356~~ ~~357 358~~ 359 ~~360 361~~ 362 363 364 365 366 367 368	def extract_all(self): for key,val in rulesdb.__dict__.items(): if isinstance(val, dict): open(f"share/{key}.fmt", "w").write(json.dumps(val, indent=4)) #rulesdb().extract_all() ~~# should be the other way round: regex() is meant to be a subset of update()~~ def update(fmt): fmt["regex"] = regex(fmt, update=True) ~~# assemble regex for format string~~ def regex(fmt, update=False): """ ~~Create regex for log fmt{}~~ ~~Arg~~uments~~~~ ~~---------~~ ~~fmt :~~ dict ~~Should contain record and class~~ ~~return ~~: string~~ Combined regex~~ """ rules = rulesdb.merge( fmt, rulesdb.get(fmt["class"]) ) fields = rules["fields"]	< > \| \| \| > > \| > \| < \| \| > > >	347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381	def extract_all(self): for key,val in rulesdb.__dict__.items(): if isinstance(val, dict): open(f"share/{key}.fmt", "w").write(json.dumps(val, indent=4)) #rulesdb().extract_all() def update(fmt): """ should be the other way round: regex() is meant to be a subset of update() """ fmt["regex"] = regex(fmt, update=True) def regex(fmt, update=False): """ Create regex for log fmt{}. Args: fmt (dict): Should contain record: and class:, but may define custom fields or aliases. update (bool: Inject fields and other declarations from shared .fmt database into `fmt` dict. Returns: str: Combined regex, for example `(?<remote_host>[\\w\\-.:]+) (?<remote_logname>[\\w\\-.:]+) (?<remote_user>[\\-\\w@.]+) \\[?(?<request_time>\\d[\\d:\\w\\s:./\\-+,;]+)\\]? "(?<request_line>(?<request_method>\\w+) …␣…)"…` """ rules = rulesdb.merge( fmt, rulesdb.get(fmt["class"]) ) fields = rules["fields"]
︙			︙
425 426 427 428 429 430 431 ~~432~~ 433 434 435 436 437 438 439 440 441 442 443 ~~444~~ 445 446 447 ~~448~~ 449 450 451 452 453 ~~454~~ 455 456 457 458 ~~459~~ 460 ~~461~~ 462 463 ~~464~~ ~~465~~ ~~466~~ ~~467~~ 468 469 470 471 472 473 474	else: rx = f"(?<{id}>{rx})" return rx rx = re.sub(rules["placeholder"], sub_placeholder, record) rx = rename_duplicates(rx) return rx ~~# (?<duplicate2>)~~ def rename_duplicates(rx): fields = [] def count_ph(m): s, i = m.group(1), 1 while s in fields: i += 1 s = f"{m.group(1)}{i}" fields.append(s) return s return re.sub("(?<=\(\?\<)(\w+)(?=\>)", count_ph, rx) ~~# (?<name>) to (?P<name>)~~ def rx2re(rx): return re.sub("\(\?<(?=\w+>)", "(?P<", rx) ~~# allow for $1, $2, $3 in re.sub()~~ def rx_sub(pattern, replacement, source, flags=0): if replacement.find('$') >= 0: replacement = re.sub(r'[\\\\](?=[0-9])', '$', replacement) return re.sub(pattern, replacement, source, flags) ~~# replace $0 $1 $2 in string with entries from list~~ def repl_sub_dict(s, row): return re.sub("\$(\d+)", lambda m: row.get(int(m.group(1))), s) ~~# file-style wrapper that yields parsed dictionaries instead of string lines~~ class parsy_parse: def __init__(self, logfn="", fmt=None, debug=False, fail=False, duplicate=True): """ ~~Open log file and .fmt specifier, to iterate log lines ~~as dictionary.~~~~ ~~Alternatively to *.log.fmt allows to specify fmt={"class":"apache error"}~~ ~~or even fixated {"record":"%a %t %e %F"} formatstring.~~ ~~Dictionaries should contain both expanded entries and aliases unpacked.~~ """ self.debug = debug self.fail = fail self.duplicate = duplicate # try + nicer error.... self.f = open(logfn, "r", encoding="utf-8") if not fmt:	< > < > > > > > > > > > > < > < > \| > > > > > \| > > > > > > > > \| > \| > > > > > > \| > > > > > > > \| > > > > > > > > > > > > > >	438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537	else: rx = f"(?<{id}>{rx})" return rx rx = re.sub(rules["placeholder"], sub_placeholder, record) rx = rename_duplicates(rx) return rx def rename_duplicates(rx): """ Rename duplicate regex <?P<capt_groups>…) """ fields = [] def count_ph(m): s, i = m.group(1), 1 while s in fields: i += 1 s = f"{m.group(1)}{i}" fields.append(s) return s return re.sub("(?<=\(\?\<)(\w+)(?=\>)", count_ph, rx) def rx2re(rx): """ Convert generic `(?<name>…)` to Python `(?P<name>…)` regex capture group. (logfmt1 definitions use standard syntax per default.) Args: rx (str): Generic/PCRE regex syntax Returns: str: Python re syntax """ return re.sub("\(\?<(?=\w+>)", "(?P<", rx) def rx_sub(pattern, replacement, source, flags=0): """ allow for $1, $2, $3 in re.sub() """ if replacement.find('$') >= 0: replacement = re.sub(r'[\\\\](?=[0-9])', '$', replacement) return re.sub(pattern, replacement, source, flags) def repl_sub_dict(s, row): """ replace $0 $1 $2 in string with entries from list """ return re.sub("\$(\d+)", lambda m: row.get(int(m.group(1))), s) # log extraction class parsy_parse: """ Open log file and its associated .fmt specifier, to iterate over log lines as dictionary. File-style wrapper that yields parsed dictionaries instead of string lines. for row in logfmt1.logopen("/var/log/apache2/access.log", debug=True): print(row["remote_host"]) Though you might want to keep a reference to the iterator to utilize `.names()` and `.alias{}` manually. """ def __init__(self, logfn="", fmt=None, debug=False, fail=False, duplicate=True): """ Open log file and its associated .fmt specifier, to iterate over log lines as dictionary. Args: logfn (str): Filename of .log file to open. Which should be accompanied by a .log.fmt declaration to allow unpacking lines into dictionary. fmt (dict): Alternatively to existing .log.fmt, a predefined class might be given with `fmt={"class":"syslog"}`. You might even add a fixated `{"record":"%a %t %e %F"}` format string this way. debug (bool): In case of log extraction failures, prints (stdout) some regex debugging. fail (bool): In case of failure, just error out instead of continuing the iterator. duplicate (bool): Automatically expand aliases. This effectively copies row entries. Attributes: f (file): Read handle onto log file debug (bool): Debug flag fail (bool): Exception flag alias (dict): List of row aliases container (dict): Rules for field expansion rx (re.compile): Compiled regex Raises: StopIteration: For EOF or if the regex failed and fail=True FileNotFound: If logfn doesn't exist etc. Returns: iterator: Traverses log file line-wise, but yields dictionaries. """ self.debug = debug self.fail = fail self.duplicate = duplicate # try + nicer error.... self.f = open(logfn, "r", encoding="utf-8") if not fmt:
︙			︙
483 484 485 486 487 488 489 ~~490~~ 491 492 493 494 ~~495~~ 496 497 498 499 500 501 502 503	fmt, # this should be in regex/update rulesdb.get(fmt.get("class")) ) self.alias = fmt.get("alias", {}) self.container = fmt.get("container", {}) self.rx = re.compile(rx2re(regex(fmt))) ~~# allow iterating multiple times?~~ def __iter__(self): self.f.seek(0, os.SEEK_SET) return self ~~# iterate over lines, and unpack with regex and aliases~~ def __next__(self): line = self.f.readline() if not line: # should be implied really raise StopIteration() m = self.rx.match(line) if m: d = m.groupdict() if self.container:	< > < >	546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566	fmt, # this should be in regex/update rulesdb.get(fmt.get("class")) ) self.alias = fmt.get("alias", {}) self.container = fmt.get("container", {}) self.rx = re.compile(rx2re(regex(fmt))) def __iter__(self): """ allow iterating multiple times? """ self.f.seek(0, os.SEEK_SET) return self def __next__(self): """ iterate over lines, and unpack with regex and aliases """ line = self.f.readline() if not line: # should be implied really raise StopIteration() m = self.rx.match(line) if m: d = m.groupdict() if self.container:
︙			︙
512 513 514 515 516 517 518 ~~519~~ 520 521 522 ~~523 524~~ ~~525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541~~ 542 543 ~~544~~ ~~545~~ 546 547 548 549 550 551 552	if self.fail: raise StopIteration() elif self.fail: raise StopIteration() else: pass # just try next line ~~# pass .close() and similar to file object~~ def __getattr__(self, name): return getattr(self.f, name) ~~~~# unpack [key "value"] fields~~ def ~~container_expand~~(self~~, d~~):~~ ~~for k,op~~t in se~~lf.contai~~ner.ite~~ms():~~ ~~if not k in d:~~ ~~continue~~ ~~# find `(key)……(val+)` pairs according to regex~~ ~~for row in re.findall(opt["rx"], d[k]):~~ ~~id = repl_sub_dict(opt.get("id", "$1"), row)~~ ~~val = repl_sub_dict(opt.get("val", "$2"), row)~~ ~~# pack into list, if key is duplicated~~ ~~if not id in d:~~ ~~d[id] = val~~ ~~elif not isinstance(d[id], list):~~ ~~d[id] = [d[id], val]~~ ~~else:~~ ~~d[id].append(val)~~ ~~# get column names (from regex, in order of appearance)~~ ~~def names(self):~~ return re.findall("\(\?P?<(\w+)>", self.rx.pattern) ~~# ANSI output for debugging regex/fmt string~~ ~~def~~ ~~debug_rx(self,~~ ~~line):~~ rx = self.rx.pattern line = line.rstrip() #rx_cut = re.compile("[^)]* \(\?P<\w+> ( [^()]+ \| \([^()]+\) )+ \) [^()]* \Z", re.X) # iteratively strip (?...) capture groups while len(rx) and rx.find("(?P<") >= 0: #fail = rx_cut.search(rx) #if fail: fail = fail.group(0)	< > < \| > \| < < < < < < < < < < < < < \| < < > > > > > \| > \| > > > > > > > > > >	575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616	if self.fail: raise StopIteration() elif self.fail: raise StopIteration() else: pass # just try next line def __getattr__(self, name): """ pass .close() and similar to file object """ return getattr(self.f, name) def names(self): """ Get column names from generated .fmt regex. Returns: list: dictionary keys of row (without aliases). """ return re.findall("\(\?P?<(\w+)>", self.rx.pattern) def debug_rx(self, line:str): """ ANSI output for debugging regex/fmt string. Automatically invoked for failing lines if `debug=True` was given. ![failed regex + log line](https://imgur.com/QBKzDsK.png) Args: line: Current raw line (string) from log file. Output: Prints directly to stdout using ANSI escape sequences to highlight where regex failed on input line. It's not very exact anymore, but reasonably speedy. """ rx = self.rx.pattern line = line.rstrip() #rx_cut = re.compile("[^)]* \(\?P<\w+> ( [^()]+ \| \([^()]+\) )+ \) [^()]* \Z", re.X) # iteratively strip (?...) capture groups while len(rx) and rx.find("(?P<") >= 0: #fail = rx_cut.search(rx) #if fail: fail = fail.group(0)
︙			︙
567 568 569 570 571 572 573 574 575 576 577	try: matched = re.match(rx, line) matched = matched.group(0) except: matched = "" print("\033[36m" + "failed regex section: \033[1;33;41m" + fail + "\033[40;0m") print("\033[42m" + matched + "\033[41m" + line[len(matched):] + "\033[40;0m") # alias logopen = parsy_parse	> > > > > > > > > > > > > > > > > > > > > > >	631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664	try: matched = re.match(rx, line) matched = matched.group(0) except: matched = "" print("\033[36m" + "failed regex section: \033[1;33;41m" + fail + "\033[40;0m") print("\033[42m" + matched + "\033[41m" + line[len(matched):] + "\033[40;0m") def container_expand(self, d:dict): """ Internal. Unpacks e.g. `[key "value"]` fields, if any `container:` regex was defined in the .fmt defiiution. Arguments: d: current log row """ for k,opt in self.container.items(): if not k in d: continue # find `(key)……(val+)` pairs according to regex for row in re.findall(opt["rx"], d[k]): id = repl_sub_dict(opt.get("id", "$1"), row) val = repl_sub_dict(opt.get("val", "$2"), row) # pack into list, if key is duplicated if not id in d: d[id] = val elif not isinstance(d[id], list): d[id] = [d[id], val] else: d[id].append(val) # alias logopen = parsy_parse