postfix-log-parser 0.2.0

高性能模块化Postfix日志解析器,经3.2GB生产数据验证,SMTPD事件100%准确率
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254

//! # Postfix Script 系统脚本组件解析器
//!
//! Postfix Script 是 Postfix 的系统管理脚本组件,负责:
//! - 执行系统启动、停止、重载操作
//! - 验证 Postfix 配置文件和权限
//! - 检查系统目录的安全性和所有权
//! - 处理管理命令的执行和错误报告
//!
//! ## 核心功能
//!
//! - **系统操作**: 启动、运行状态检查、配置重载
//! - **安全检查**: 文件权限、目录所有权验证
//! - **命令执行**: postconf 等系统命令的执行
//! - **错误处理**: 致命错误和警告的记录
//!
//! ## 支持的事件类型
//!
//! - **系统操作**: 启动、运行、刷新配置等操作
//! - **致命错误**: 命令执行失败、配置错误
//! - **警告事件**: 权限问题、安全风险警告
//!
//! ## 示例日志格式
//!
//! ```text
//! # 系统操作
//! starting the Postfix mail system
//! the Postfix mail system is running: PID: 12345
//! refreshing the Postfix mail system
//!
//! # 致命错误
//! cannot execute /usr/sbin/postconf!
//!
//! # 警告事件
//! not owned by root: /etc/postfix/main.cf
//! group or other writable: /var/spool/postfix
//! symlink leaves directory: /etc/postfix/aliases
//! ```

use crate::components::ComponentParser;
use crate::error::ParseError;
use crate::events::base::{BaseEvent, PostfixLogLevel};
use crate::events::postfix_script::{
    PostfixScriptEvent, PostfixScriptFatalError, PostfixScriptOperation, PostfixScriptWarningType,
};
use crate::events::ComponentEvent;
use chrono::{DateTime, Utc};
use regex::Regex;

pub struct PostfixScriptParser {
    // System operations
    starting_regex: Regex,
    running_regex: Regex,
    refreshing_regex: Regex,

    // Fatal errors
    cannot_execute_postconf_regex: Regex,
    cannot_execute_command_regex: Regex,

    // Warnings
    not_owned_regex: Regex,
    group_writable_regex: Regex,
    symlink_leaves_regex: Regex,
}

impl PostfixScriptParser {
    pub fn new() -> Self {
        PostfixScriptParser {
            // System operations
            starting_regex: Regex::new(r"^starting the Postfix mail system\s*$").unwrap(),
            running_regex: Regex::new(r"^the Postfix mail system is running: PID: (\d+)\s*$")
                .unwrap(),
            refreshing_regex: Regex::new(r"^refreshing the Postfix mail system\s*$").unwrap(),

            // Fatal errors
            cannot_execute_postconf_regex: Regex::new(r"^cannot execute /usr/sbin/postconf!$")
                .unwrap(),
            cannot_execute_command_regex: Regex::new(r"^cannot execute (.+?)!?$").unwrap(),

            // Warnings
            not_owned_regex: Regex::new(r"^not owned by (root|postfix): (.+)$").unwrap(),
            group_writable_regex: Regex::new(r"^group or other writable: (.+)$").unwrap(),
            symlink_leaves_regex: Regex::new(r"^symlink leaves directory: (.+)$").unwrap(),
        }
    }

    fn create_base_event(&self, message: &str) -> BaseEvent {
        BaseEvent {
            timestamp: DateTime::parse_from_rfc3339("2024-04-27T16:20:48Z")
                .unwrap()
                .with_timezone(&Utc),
            hostname: "unknown".to_string(),
            component: "postfix-script".to_string(),
            process_id: 0,
            log_level: PostfixLogLevel::Info,
            raw_message: message.to_string(),
        }
    }

    fn parse_system_operation(&self, message: &str) -> Option<PostfixScriptEvent> {
        let base = self.create_base_event(message);

        if self.starting_regex.is_match(message) {
            return Some(PostfixScriptEvent::SystemOperation {
                base,
                operation: PostfixScriptOperation::Starting,
            });
        }

        if let Some(caps) = self.running_regex.captures(message) {
            let pid = caps.get(1).and_then(|m| m.as_str().parse::<u32>().ok());
            return Some(PostfixScriptEvent::SystemOperation {
                base,
                operation: PostfixScriptOperation::Running { pid },
            });
        }

        if self.refreshing_regex.is_match(message) {
            return Some(PostfixScriptEvent::SystemOperation {
                base,
                operation: PostfixScriptOperation::Refreshing,
            });
        }

        None
    }

    fn parse_fatal_error(&self, message: &str) -> Option<PostfixScriptEvent> {
        let mut base = self.create_base_event(message);
        base.log_level = PostfixLogLevel::Fatal;

        if self.cannot_execute_postconf_regex.is_match(message) {
            return Some(PostfixScriptEvent::FatalError {
                base,
                error: PostfixScriptFatalError::CannotExecutePostconf,
            });
        }

        if let Some(caps) = self.cannot_execute_command_regex.captures(message) {
            let command = caps
                .get(1)
                .map(|m| m.as_str().to_string())
                .unwrap_or_else(|| "unknown".to_string());
            return Some(PostfixScriptEvent::FatalError {
                base,
                error: PostfixScriptFatalError::CannotExecuteCommand { command },
            });
        }

        // Generic fatal error
        Some(PostfixScriptEvent::FatalError {
            base,
            error: PostfixScriptFatalError::Other {
                message: message.to_string(),
            },
        })
    }

    fn parse_warning(&self, message: &str) -> Option<PostfixScriptEvent> {
        let mut base = self.create_base_event(message);
        base.log_level = PostfixLogLevel::Warning;

        if let Some(caps) = self.not_owned_regex.captures(message) {
            let expected_owner = caps
                .get(1)
                .map(|m| m.as_str().to_string())
                .unwrap_or_else(|| "unknown".to_string());
            let path = caps
                .get(2)
                .map(|m| m.as_str().to_string())
                .unwrap_or_else(|| "unknown".to_string());
            return Some(PostfixScriptEvent::Warning {
                base,
                warning: PostfixScriptWarningType::NotOwnedBy {
                    path,
                    expected_owner,
                },
            });
        }

        if let Some(caps) = self.group_writable_regex.captures(message) {
            let path = caps
                .get(1)
                .map(|m| m.as_str().to_string())
                .unwrap_or_else(|| "unknown".to_string());
            return Some(PostfixScriptEvent::Warning {
                base,
                warning: PostfixScriptWarningType::GroupWritable { path },
            });
        }

        if let Some(caps) = self.symlink_leaves_regex.captures(message) {
            let path = caps
                .get(1)
                .map(|m| m.as_str().to_string())
                .unwrap_or_else(|| "unknown".to_string());
            return Some(PostfixScriptEvent::Warning {
                base,
                warning: PostfixScriptWarningType::SymlinkLeaves { path },
            });
        }

        // Generic warning
        Some(PostfixScriptEvent::Warning {
            base,
            warning: PostfixScriptWarningType::Other {
                message: message.to_string(),
            },
        })
    }
}

impl ComponentParser for PostfixScriptParser {
    fn parse(&self, message: &str) -> Result<ComponentEvent, ParseError> {
        // Try to detect log level from message content
        if message.contains("fatal:") || message.contains("cannot execute") {
            if let Some(event) = self.parse_fatal_error(message) {
                return Ok(ComponentEvent::PostfixScript(event));
            }
        }

        if message.contains("warning:")
            || message.contains("not owned by")
            || message.contains("group or other writable")
        {
            if let Some(event) = self.parse_warning(message) {
                return Ok(ComponentEvent::PostfixScript(event));
            }
        }

        // Try system operations
        if let Some(event) = self.parse_system_operation(message) {
            return Ok(ComponentEvent::PostfixScript(event));
        }

        Err(ParseError::ComponentParseError {
            component: "postfix-script".to_string(),
            reason: format!("Unsupported message format: {}", message),
        })
    }

    fn component_name(&self) -> &'static str {
        "postfix-script"
    }

    fn can_parse(&self, component: &str) -> bool {
        component == "postfix-script"
    }
}

impl Default for PostfixScriptParser {
    fn default() -> Self {
        Self::new()
    }
}