Add support for ietf-syslog.yang #544
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
16 tasks
Closed
|
Marking this as draft to make it clear it's not done yet. TODOCurrently the last patch, to add support for audit, does not report the correct user initiating the change. APIs tested include sr_session_get_user() and sr_nacm_get_user(). Both return
|
Closed
troglobit
force-pushed
the
syslog-yang
branch
2 times, most recently
from
17a6c65
to
81ef3b0
Compare
|
Finally done. |
This was
linked to
issues
Aug 23, 2024
mattiaswal
reviewed
Aug 23, 2024
mattiaswal
approved these changes
Aug 23, 2024
These changes are designed to make the experience working with log files easier. Both listing available log files and viewing them. - replace C dir@infix with a shell script for easier extensions, e.g., we want to show both available .cfg and log files - add support for gunzipping .gz log files before viewing them Signed-off-by: Joachim Wiberg <[email protected]>
These changes mirror the changes made to the CLI in an attempt to create a better user experience for working with log files even from the shell. Signed-off-by: Joachim Wiberg <[email protected]>
Backport upstream fix, https://src.libcode.org/pkun/klish/commit/a1ecbdc Signed-off-by: Joachim Wiberg <[email protected]>
When a the type of a leaf node (of a list) is buried inside a union we need to fish out the module prefix if one of the types in the union is an identityref. It's all very simple really. Also, when tab completing for possible identities, always make sure to strip any leading module prefix. Signed-off-by: Joachim Wiberg <[email protected]>
This is a backport of sysklogd v2.6.0 support for log rotation settings in the .conf file. Previously only supported on the command line. Signed-off-by: Joachim Wiberg <[email protected]>
With the latest sysklogd backports syslogd now supports log rotation settings in the .conf files, which we'll add yang support for later in this patch series. Signed-off-by: Joachim Wiberg <[email protected]>
Add YANG models and an initial plugin for file logging. Signed-off-by: Joachim Wiberg <[email protected]>
Signed-off-by: Joachim Wiberg <[email protected]>
Signed-off-by: Joachim Wiberg <[email protected]>
Also, add [] guards to remote IPv6 address. Signed-off-by: Joachim Wiberg <[email protected]>
This augments ietf-syslog.yang with global file rotation settings which are used when per-file rotation is not configured. The defaults chosen match previously decided defaults for Infix: 1M:10, i.e., rotate every file at 1 MiB and keep up to 10 gzipped aged-out archives. The standard model includes a default value of 1 for the number of files kept, which is removed (deviated). There is also a unit specified for max-file-size, 'megabytes', replaced with 'kilobytes' in this change. On smaller embedded systems, smaller sizes may be required. Signed-off-by: Joachim Wiberg <[email protected]>
Signed-off-by: Joachim Wiberg <[email protected]>
Signed-off-by: Joachim Wiberg <[email protected]>
Reduces the overhead/repetition for module callbacks by combining the forces of srx_get_diff() and lydx_get_descendant() into one API. The resulting function supports both XPath and simplified paths to get the subtree of changes applicable to the callback. Signed-off-by: Joachim Wiberg <[email protected]>
Signed-off-by: Joachim Wiberg <[email protected]>
Signed-off-by: Joachim Wiberg <[email protected]>
Signed-off-by: Joachim Wiberg <[email protected]>
Signed-off-by: Joachim Wiberg <[email protected]>
This refactor changes the callback subscription for log-file and remote log actions to ensure they are called for *all* changes. Even changes to deeply nested sub-trees like file-rotation when no other changes are made. The previous attempt failed to address that. The refactored callbacks replace sr_get_changes() with srx_get_changes() for better control over what they iterate over. The callbacks always regenerate the syslogd *.conf file snippets for each log action, so there is no need for the overly granular sr_get_changes(), ever. Signed-off-by: Joachim Wiberg <[email protected]>
As a bare minimum, all augments and deviations made to standard models should have a description denoting *why* they exist. In the case of ietf-syslog the base model is still a draft and carries some odd defaults we want to disable, or replace with better ones. The augments are global log rotation and and log format. Signed-off-by: Joachim Wiberg <[email protected]>
Signed-off-by: Joachim Wiberg <[email protected]>
- For consistency and clarity, rename format -> log-format
- Add must expression to ban 'bsd' format from file logging
Note: technically, sysklogd silently reverts back to rfc3164 for file
logging, but it's better to be clear with the user with what is
possible to configure and is going to be used.
Signed-off-by: Joachim Wiberg <[email protected]>
Signed-off-by: Joachim Wiberg <[email protected]>
Signed-off-by: Joachim Wiberg <[email protected]>
This commit introduces a new SECURITY() log macro that logs to facility 'audit' (sometimes called 'security') with severity set to 'alert'. It is then used to instrument the single most important things to log; all changes to users and their privileges. We also add logging to sysrepo, which knows the username for changes to running-config, copies to startup-config, and RPCs. Fixes #521 Signed-off-by: Joachim Wiberg <[email protected]>
Allow completing with startup-config for both src and dst datastores in copy command. Fixes #576 Signed-off-by: Joachim Wiberg <[email protected]>
Ensure audit trail events are logged for 'copy' to datastores. Signed-off-by: Joachim Wiberg <[email protected]>
Fixes #570 Signed-off-by: Joachim Wiberg <[email protected]>
This is a refactor to ensure sysrepo functionality guarded by NACM works as intended in Infix. Relocate infix_rpc() to klish-plugin-sysrepo, ensuring unauthenticated users are denied access. Drop infix_commit() in favor of slightly modified srp_commit(), this to ensure sysrepo audit trail logs are visible at all times. Signed-off-by: Joachim Wiberg <[email protected]>
Signed-off-by: Joachim Wiberg <[email protected]>
As of KernelKit Klish @ 710a631 the script plugin has been refactored to run all commands as the logged in user instead of as root. The default admin user is member of the wheel group, which allows access to sysrepo and sudo access to containers thanks to NOPASSWD rights. The doas script is a dummy wrapper to silence 'sudo -n' output for users without any privileges. As of this commit, unprivileged users can no longer copy, show, or in any other way manipulate the system configuraiton. Signed-off-by: Joachim Wiberg <[email protected]>
Signed-off-by: Joachim Wiberg <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR primarily adds support for configuring syslog, both for local/remote logging and acting as a log server for syslog clients. See issue #503 for the complete specification.
Additionally, a few bug fixes:
Checklist
Tick relevant boxes, this PR is-a or has-a: