Revert "revert [syslog] Add remote syslog configuration (cherry-pick to 202305) (#15897) (#16179)" (#16549)

This reverts commit 164fa10.

Author: StormLiangMS

files/image_config/rsyslog/rsyslog-config.sh

@@ -17,7 +17,10 @@ if [[ ($NUM_ASIC -gt 1) ]]; then
 else
     udp_server_ip=$(ip -j -4 addr list lo scope host | jq -r -M '.[0].addr_info[0].local')
 fi
+hostname=$(hostname)
 
-sonic-cfggen -d -t /usr/share/sonic/templates/rsyslog.conf.j2 -a "{\"udp_server_ip\": \"$udp_server_ip\"}"  >/etc/rsyslog.conf
+sonic-cfggen -d -t /usr/share/sonic/templates/rsyslog.conf.j2 \
+    -a "{\"udp_server_ip\": \"$udp_server_ip\", \"hostname\": \"$hostname\"}" \
+    > /etc/rsyslog.conf
 
 systemctl restart rsyslog

files/image_config/rsyslog/rsyslog.conf.j2

@@ -15,21 +15,14 @@
 
 $ModLoad imuxsock # provides support for local system logging
 
-{% if SYSLOG_CONFIG is defined %}
-{% if 'GLOBAL' in SYSLOG_CONFIG %}
-{% if 'rate_limit_interval' in SYSLOG_CONFIG['GLOBAL']%}
-{% set rate_limit_interval = SYSLOG_CONFIG['GLOBAL']['rate_limit_interval'] %}
-{% endif %}
-{% if 'rate_limit_burst' in SYSLOG_CONFIG['GLOBAL']%}
-{% set rate_limit_burst = SYSLOG_CONFIG['GLOBAL']['rate_limit_burst'] %}
-{% endif %}
-{% endif %}
-{% endif %}
+{% set gconf = (SYSLOG_CONFIG | d({})).get('GLOBAL', {}) -%}
+{% set rate_limit_interval = gconf.get('rate_limit_interval') %}
+{% set rate_limit_burst = gconf.get('rate_limit_burst') %}
 
-{% if rate_limit_interval is defined %}
+{% if rate_limit_interval is not none %}
 $SystemLogRateLimitInterval {{ rate_limit_interval }}
 {% endif %}
-{% if rate_limit_burst is defined %}
+{% if rate_limit_burst is not none %}
 $SystemLogRateLimitBurst {{ rate_limit_burst }}
 {% endif %}
 
@@ -49,6 +42,8 @@ $UDPServerRun 514
 ###########################
 #### GLOBAL DIRECTIVES ####
 ###########################
+{% set format = gconf.get('format', 'standard') -%}
+{% set fw_name = gconf.get('welf_firewall_name', hostname) -%}
 #
 # Use traditional timestamp format.
 # To enable high precision timestamps, comment out the following line.
@@ -59,6 +54,10 @@ $UDPServerRun 514
 $template SONiCFileFormat,"%timegenerated%.%timegenerated:::date-subseconds% %HOSTNAME% %syslogseverity-text:::uppercase% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
 $ActionFileDefaultTemplate SONiCFileFormat
 
+template(name="WelfRemoteFormat" type="string" string="%TIMESTAMP% id=firewall time=\"%timereported\
+:::date-year%-%timereported:::date-month%-%timereported:::date-day% %timereported:::date-hour%:%timereported:::date-minute%:%timereported\
+:::date-second%\" fw=\"{{ fw_name }}\" pri=%syslogpriority% msg=\"%syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\"\n")
+
 #
 # Set the default permissions for all log files.
 #
@@ -91,25 +90,36 @@ $RepeatedMsgReduction on
 # Remote syslog logging
 #
 
-# The omfwd plug-in provides the core functionality of traditional message forwarding via UDP and plain TCP.
-# It is a built-in module that does not need to be loaded.
+# The omfwd plug-in provides the core functionality of traditional message
+# forwarding via UDP and plain TCP. It is a built-in module that does not need
+# to be loaded.
 
-{% if SYSLOG_SERVER is defined %}
-{% for server, data in SYSLOG_SERVER.items() %}
-{% set params_list = [] %}
-{% if 'source' in data %}
-{% set dummy = params_list.append('address=' + '"' + data.source|string + '"') %}
-{% endif %}
-{% if 'port' in data %}
-{% set dummy = params_list.append('port=' + '"' + data.port|string + '"') %}
-{% endif %}
-{% if 'vrf' in data and data['vrf'] != "default" %}
-{% set dummy = params_list.append('device=' + '"' + data.vrf|string + '"') %}
-{% endif %}
-{% if params_list %}
-*.* action(type="omfwd" target="{{ server }}" protocol="udp" {{ params_list|join(' ') }} template="SONiCFileFormat")
-{% else %}
-*.* action(type="omfwd" target="{{ server }}" protocol="udp" template="SONiCFileFormat")
+{% set servers = SYSLOG_SERVER | d({}) -%}
+{% for server in servers %}
+{% set conf = servers[server] | d({}) -%}
+
+{% set source = conf.get('source') -%}
+{% set port = conf.get('port', 514) -%}
+{% set proto = conf.get('protocol', 'udp') -%}
+{% set vrf = conf.get('vrf', 'default') -%}
+{% set severity = conf.get('severity', gconf.get('severity', 'notice')) -%}
+{% set filter = conf.get('filter') -%}
+{% set regex = conf.get('filter_regex') -%}
+
+{% set fmodifier = '!' if filter == 'exclude' else '' %}
+{% set device = 'eth0' if vrf == 'default' else vrf -%}
+{% set template = 'WelfRemoteFormat' if format == 'welf' else 'SONiCFileFormat' -%}
+
+{# Server extra options -#}
+{% set options = '' -%}
+
+{% if source -%}
+    {% set options = options ~ ' Address="' ~ source ~ '"'-%}
+{% endif -%}
+
+{% if filter %}
+:msg, {{ fmodifier }}ereregex, "{{ regex }}"
 {% endif %}
+*.{{ severity }}
+action(type="omfwd" Target="{{ server }}" Port="{{ port }}" Protocol="{{ proto }}" Device="{{ device }}" Template="{{ template }}"{{ options }})
 {% endfor %}
-{% endif %}

src/sonic-yang-models/doc/Configuration.md

@@ -51,7 +51,7 @@ Table of Contents
          * [MUX_LINKMGR](#mux_linkmgr)
          * [NEIGH](#neigh)
          * [NTP Global Configuration](#ntp-global-configuration)
-         * [NTP and SYSLOG servers](#ntp-and-syslog-servers)
+         * [NTP Servers](#ntp-servers)
          * [Peer Switch](#peer-switch)
          * [Policer](#policer)
          * [Port](#port)
@@ -60,7 +60,8 @@ Table of Contents
          * [Scheduler](#scheduler)
          * [Port QoS Map](#port-qos-map)
          * [Queue](#queue)
-         * [Syslog Rate Limit](#syslog-rate-limit)
+         * [Syslog Global Configuration](#syslog-global-configuration)
+         * [Syslog Servers](#syslog-servers)
          * [Sflow](#sflow)
          * [Restapi](#restapi)
          * [System Port](#system-port)
@@ -1517,7 +1518,7 @@ for that address.
 }
 ```
 
-### NTP and SYSLOG servers
+### NTP servers
 
 These information are configured in individual tables. Domain name or IP
 address of the server is used as object key. Currently there are no
@@ -1540,35 +1541,6 @@ attributes in those objects.
 }
 ```
 
-***Syslog server***
-```
-{
-    "SYSLOG_SERVER": {
-        "10.0.0.5": {},
-        "10.0.0.6": {},
-        "10.11.150.5": {}
-    },
-
-    "SYSLOG_SERVER" : {
-        "2.2.2.2": {
-            "source": "1.1.1.1",
-            "port": "514",
-            "vrf": "default"
-        },
-        "4.4.4.4": {
-            "source": "3.3.3.3",
-            "port": "514",
-            "vrf": "mgmt"
-        },
-        "2222::2222": {
-            "source": "1111::1111",
-            "port": "514",
-            "vrf": "Vrf-Data"
-        }
-    }
-}
-```
-
 ### Peer Switch
 
 Below is an exmaple of the peer switch table configuration.
@@ -1854,7 +1826,33 @@ key - name
 | collector_port | Destination L4 port of the Sflow collector                                              |             | 6343      |             |
 | collector_vrf  | Specify the Collector VRF. In this revision, it is either default VRF or Management VRF.|             |           |             |
 
-### Syslog Rate Limit
+### Syslog Global Configuration
+
+These configuration options are used to configure rsyslog utility and the way
+the system generates logs.
+
+***Configuration sample***
+```
+{
+    "SYSLOG_CONFIG": {
+        "GLOBAL": {
+            "rate_limit_interval": "5",
+            "rate_limit_burst": "100",
+            "format": "welf",
+            "welf_firewall_name": "bla",
+            "severity": "info"
+        }
+    }
+}
+```
+
+* `rate_limit_interval` - determines the amount of time that is being measured for rate limiting: `unsigned integer`
+* `rate_limit_burst` - defines the amount of messages, that have to occur in the time limit: `unsigned integer`
+* `format` - syslog log format: `{standard, welf}`
+* `welf_firewall_name` - WELF format firewall name: `string`
+* `severity` - global log severity: `{emerg, alert, crit, error, warning, notice, info, debug}`
+
+***Syslog Rate Limit***
 
 Host side configuration:
 
@@ -1886,6 +1884,50 @@ Container side configuration:
 }
 ```
 
+### Syslog servers
+
+These information are configured in individual tables. Domain name or IP
+address of the server is used as object key. Each server can be configurable.
+
+***Configuration sample***
+```
+{
+    "SYSLOG_SERVER": {
+        "10.0.0.5": {},
+        "10.0.0.6": {},
+        "10.11.150.5": {}
+    },
+
+    "SYSLOG_SERVER" : {
+        "4.4.4.4": {
+            "source": "3.3.3.3",
+            "port": "514",
+            "vrf": "mgmt"
+        },
+        "2222::2222": {
+            "source": "1111::1111",
+            "port": "514",
+            "vrf": "Vrf-Data"
+        },
+        "somehostname": {
+            "filter": "include",
+            "filter_regex": "ololo",
+            "port": "514",
+            "protocol": "tcp",
+            "severity": "notice",
+            "vrf": "default"
+        }
+    }
+}
+```
+
+* `filter` - determines if syslog will include or exclude messages specified by regex: `{include, exclude}`
+* `filter_regex` - filter messages by this regex: `string`
+* `port` - network port to use to connect to remote server: `integer: 1..65535`
+* `protocol` - network protocol to use to connect to remote server: `{tcp, udp}`
+* `severity` - per-server log severity, overrifes global one: `{emerg, alert, crit, error, warning, notice, info, debug}`
+
+
 ### System Port
 Every port on the system requires a global representation, known as a System Port,
 and is listed in this table.

src/sonic-yang-models/tests/files/sample_config_db.json

@@ -499,12 +499,23 @@
                 "source": "1111::1111",
                 "port": "514",
                 "vrf": "Vrf_blue"
+            },
+            "somehostname": {
+                "filter": "include",
+                "filter_regex": "ololo",
+                "port": "514",
+                "protocol": "tcp",
+                "severity": "notice",
+                "vrf": "default"
             }
         },
         "SYSLOG_CONFIG" : {
             "GLOBAL": {
                 "rate_limit_interval": "5",
-                "rate_limit_burst": "100"
+                "rate_limit_burst": "100",
+                "format": "welf",
+                "welf_firewall_name": "bla",
+                "severity": "info"
             }
         },
         "SYSLOG_CONFIG_FEATURE" : {

src/sonic-yang-models/tests/yang_model_tests/tests/syslog.json

@@ -29,10 +29,6 @@
         "desc": "Load syslog server table with empty address as syslog server.",
         "eStrKey": "InvalidValue"
     },
-    "SYSLOG_SERVER_INVALID_IPADDR_TEST": {
-        "desc": "Load syslog server table with invalid ipv4 address as syslog server.",
-        "eStrKey": "InvalidValue"
-    },
     "SYSLOG_SERVER_INVALID_IPV6_ADDR_TEST": {
         "desc": "Load syslog server table with invalid ipv6 address as syslog server.",
         "eStrKey": "InvalidValue"
@@ -62,5 +58,60 @@
     "SYSLOG_CONFIG_FEATURE_INVALID_BURST": {
         "desc": "Configure invalid rate_limit_burst in SYSLOG_CONFIG_FEATURE.",
         "eStrKey": "InvalidValue"
+    },
+    "SYSLOG_SERVER_HOSTNAME": {
+        "desc": "Load syslog server table with hostname"
+    },
+    "SYSLOG_SERVER_HOSTNAME_INVALID": {
+        "desc": "Load syslog server table with invalid hostname",
+        "eStrKey": "InvalidValue"
+    },
+    "SYSLOG_SERVER_FILTER_TYPE": {
+        "desc": "Valid filter type for syslog server"
+    },
+    "SYSLOG_SERVER_FILTER_TYPE_INVALID": {
+        "desc": "Invalid filter type for syslog server",
+        "eStrKey": "InvalidValue"
+    },
+    "SYSLOG_SERVER_FILTER_REGEX": {
+        "desc": "Valid filter regex"
+    },
+    "SYSLOG_SERVER_PROTOCOL": {
+        "desc": "Valid syslog server protocol"
+    },
+    "SYSLOG_SERVER_PROTOCOL_INVALID": {
+        "desc": "Invalid syslog server protocol",
+        "eStrKey": "InvalidValue"
+    },
+    "SYSLOG_SERVER_SEVERITY": {
+        "desc": "Syslog server valid severity"
+    },
+    "SYSLOG_SERVER_SEVERITY_INVALID": {
+        "desc": "Syslog server invalid severity",
+        "eStrKey": "InvalidValue"
+    },
+    "SYSLOG_CONFIG_GLOBAL_VALID": {
+        "desc": "Global syslog configuration"
+    },
+    "SYSLOG_CONFIG_FORMAT": {
+        "desc": "Syslog format type"
+    },
+    "SYSLOG_CONFIG_FORMAT_INVALID": {
+        "desc": "Invalid syslog format",
+        "eStrKey": "InvalidValue"
+    },
+    "SYSLOG_CONFIG_FORMAT_WELF_FW_NAME": {
+        "desc": "Syslog format WELF firewall name"
+    },
+    "SYSLOG_CONFIG_FORMAT_WELF_FW_NAME_INVALID": {
+        "desc": "Syslog format WELF invalid firewall name",
+        "eStrKey": "Must"
+    },
+    "SYSLOG_CONFIG_SEVERITY": {
+        "desc": "Global syslog severity"
+    },
+    "SYSLOG_CONFIG_SEVERITY_INVALID": {
+        "desc": "Global invalid syslog severity",
+        "eStrKey": "InvalidValue"
     }
 }