check_logfiles: add "allowed folders" option

Author: sni

Changes

@@ -8,6 +8,7 @@ next:
          - add list-combine option
          - add challenge password support for csr
          - add CheckLogFile option to /modules configuration
+         - add "allowed pattern" option for check_logfiles
          - add new macro operator trim and chomp
 
 0.37     Sun Sep  7 11:41:00 CEST 2025

docs/checks/commands/check_logfile.md

@@ -6,6 +6,19 @@ title: logfile
 
 Checks logfiles or any other text format file for errors or other general patterns
 
+    In order to use this plugin, you need to enable 'CheckLogFile' in the '[/modules]' section of the snclient_local.ini.
+
+    Also, to avoid security issues, you need to set 'allowed pattern' in the '[/settings/check/logfile]'
+    section of the snclient_local.ini to a comma separated list of allowed glob patterns.
+
+    Example:
+    [/settings/check/logfile]
+    allowed pattern  = /var/log/**      # This allows all files recursively in /var/log/
+    allowed pattern += /opt/logs/*.log  # This allows all files with .log extension in /opt/logs/
+
+    See https://github.com/bmatcuk/doublestar#patterns for details on the pattern syntax.
+
+
 - [Examples](#examples)
 - [Argument Defaults](#argument-defaults)
 - [Attributes](#attributes)

docs/configuration/_index.md

@@ -113,7 +113,7 @@ allowed hosts += , 192.168.0.2,192.168.0.3
 ```
 
 Values will simply be joined as text, so in case you want to create lists, make sure you
-add a comma.
+add a comma. (Starting with v0.38 this will be done automatically)
 
 ## Inheritance
 

go.mod

@@ -5,6 +5,7 @@ go 1.24.6
 require (
 	github.com/beevik/ntp v1.5.0
 	github.com/bi-zone/go-fileversion v1.0.0
+	github.com/bmatcuk/doublestar/v4 v4.9.1
 	github.com/consol-monitoring/check_nsc_web v0.7.4
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 	github.com/go-chi/chi/v5 v5.2.3

go.sum

@@ -8,6 +8,8 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bi-zone/go-fileversion v1.0.0 h1:N/sorBKYfWDjT5ySlUOxSJvG3g9XiaBKxXgHGfH5Wf8=
 github.com/bi-zone/go-fileversion v1.0.0/go.mod h1:evMpx4TA/iTAtufWYK271/Mbr5JAL24vlu1WNjVef6s=
+github.com/bmatcuk/doublestar/v4 v4.9.1 h1:X8jg9rRZmJd4yRy7ZeNDRnM+T3ZfHv15JiBJ/avrEXE=
+github.com/bmatcuk/doublestar/v4 v4.9.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=

packaging/snclient.ini

@@ -63,8 +63,9 @@ CheckLogFile = disabled
 
 
 [/settings/default]
-; allowed hosts - List of ips/networks/hostname allowed to connect.
-allowed hosts = 127.0.0.1, ::1
+; allowed hosts - Comma separated list of ips/networks/hostname allowed to connect.
+allowed hosts  = 127.0.0.1
+allowed hosts += ::1
 
 ; cache allowed hosts - Cache resolved dns names.
 cache allowed hosts = true
@@ -313,6 +314,16 @@ require password = true
 disabled = false
 
 
+; check_logfile settings - configure settings for check_logfile
+; do not mix up with log settings for the snclient itself which are in [/settings/log]
+[/settings/check/logfile]
+
+; allowed pattern - Comma separated list of glob pattern which are allowed to be checked by check_logfile
+allowed pattern  = /var/log/**
+allowed pattern += ${shared-path}/*.log
+allowed pattern += /var/log/snclient/snclient.log
+
+
 ; External script settings - General settings for the external scripts module (CheckExternalScripts).
 [/settings/external scripts]
 

pkg/snclient/check_logfile.go

@@ -11,6 +11,7 @@ import (
 	"slices"
 	"strings"
 
+	"github.com/bmatcuk/doublestar/v4"
 	"github.com/consol-monitoring/snclient/pkg/convert"
 )
 
@@ -45,9 +46,22 @@ func NewCheckLogFile() CheckHandler {
 
 func (c *CheckLogFile) Build() *CheckData {
 	return &CheckData{
-		implemented:  ALL,
-		name:         "check_logfile",
-		description:  "Checks logfiles or any other text format file for errors or other general patterns",
+		implemented: ALL,
+		name:        "check_logfile",
+		description: `Checks logfiles or any other text format file for errors or other general patterns
+
+    In order to use this plugin, you need to enable 'CheckLogFile' in the '[/modules]' section of the snclient_local.ini.
+
+    Also, to avoid security issues, you need to set 'allowed pattern' in the '[/settings/check/logfile]'
+    section of the snclient_local.ini to a comma separated list of allowed glob patterns.
+
+    Example:
+    [/settings/check/logfile]
+    allowed pattern  = /var/log/**      # This allows all files recursively in /var/log/
+    allowed pattern += /opt/logs/*.log  # This allows all files with .log extension in /opt/logs/
+
+    See https://github.com/bmatcuk/doublestar#patterns for details on the pattern syntax.
+`,
 		detailSyntax: "%(line | chomp | cut=200)", // cut after 200 chars
 		listCombine:  "\n",
 		okSyntax:     "%(status) - All %(count) / %(total) Lines OK",
@@ -104,10 +118,12 @@ func (c *CheckLogFile) Check(_ context.Context, snc *Agent, check *CheckData, _
 		var err error
 		patterns[parts[0]], err = regexp.Compile(parts[1])
 		if err != nil {
-			return nil, fmt.Errorf("could not compile regex from patter: %s", err.Error())
+			return nil, fmt.Errorf("could not compile regex from pattern: %s", err.Error())
 		}
 	}
 
+	allowedPattern := c.getAllowedPattern()
+
 	totalLineCount := 0
 	for _, fileName := range c.FilePath {
 		if fileName == "" {
@@ -119,6 +135,9 @@ func (c *CheckLogFile) Check(_ context.Context, snc *Agent, check *CheckData, _
 			return nil, fmt.Errorf("could not get files for pattern %s, error was: %s", fileName, err.Error())
 		}
 		for _, fileName := range files {
+			if !c.matchPattern(fileName, allowedPattern) {
+				return nil, fmt.Errorf("file %s does not match any allowed pattern", fileName)
+			}
 			tmpCount, err := c.addFile(fileName, check, patterns)
 			if err != nil {
 				return nil, fmt.Errorf("error for file %s, error was: %s", fileName, err.Error())
@@ -289,6 +308,7 @@ func (c *CheckLogFile) getCustomSplitFunction() bufio.SplitFunc {
 	}
 }
 
+// getRequiredColumnNumbers extracts all required column numbers from the check conditions
 func (c *CheckLogFile) getRequiredColumnNumbers(check *CheckData) []int {
 	// extract all required threshold numbers
 	columnNumbers := []int{}
@@ -309,3 +329,30 @@ func (c *CheckLogFile) getRequiredColumnNumbers(check *CheckData) []int {
 
 	return columnNumbers
 }
+
+// getAllowedPattern returns the list of allowed patterns from the config
+func (c *CheckLogFile) getAllowedPattern() []string {
+	allowedPatternRaw, _ := c.snc.config.Section("/settings/check/logfile").GetString("allowed pattern")
+	allowedPattern := strings.Split(allowedPatternRaw, ",")
+
+	for i := range allowedPattern {
+		allowedPattern[i] = strings.TrimSpace(allowedPattern[i])
+	}
+
+	return allowedPattern
+}
+
+// matchPattern checks if the given fileName matches any of the allowed patterns
+func (c *CheckLogFile) matchPattern(fileName string, allowedPattern []string) bool {
+	for _, pattern := range allowedPattern {
+		matched, err := doublestar.PathMatch(pattern, fileName)
+		if err != nil {
+			continue
+		}
+		if matched {
+			return true
+		}
+	}
+
+	return false
+}

pkg/snclient/check_logfile_test.go

@@ -9,6 +9,9 @@ import (
 const testLogfileConfig = `
 [/modules]
 CheckLogFile = enabled
+
+[/settings/check/logfile]
+allowed pattern  = **
 `
 
 func TestCheckLogFileDisabled(t *testing.T) {

pkg/snclient/config.go

@@ -553,6 +553,21 @@ func (config *Config) SectionsByPrefix(prefix string) map[string]*ConfigSection
 	return list
 }
 
+func (config *Config) getCombine(section, key string) (combine, trim string) {
+	switch section {
+	case "/settings/check/logfile":
+		if key == "allowed pattern" {
+			return " , ", ", "
+		}
+	default:
+		if key == "allowed hosts" {
+			return " , ", ", "
+		}
+	}
+
+	return "", ""
+}
+
 // parseString parses string from config section.
 func configParseString(val string) (string, error) {
 	val = strings.TrimSpace(val)
@@ -661,7 +676,9 @@ func (config *Config) ReplaceMacrosDefault(section *ConfigSection, timezone *tim
 		section.data[key] = val
 
 		raw := section.raw[key]
-		raw = ReplaceMacros(raw, timezone, defaultMacros)
+		for i, r := range raw {
+			raw[i] = ReplaceMacros(r, timezone, defaultMacros)
+		}
 		section.raw[key] = raw
 	}
 }
@@ -729,7 +746,7 @@ type ConfigSection struct {
 	cfg      *Config             // reference to parent config collection
 	name     string              // section name
 	data     ConfigData          // actual config data
-	raw      ConfigData          // raw config data (including quotes and such)
+	raw      map[string][]string // raw config data (including quotes and such)
 	keys     []string            // keys from config data
 	comments map[string][]string // comments sorted by config keys
 }
@@ -740,7 +757,7 @@ func NewConfigSection(cfg *Config, name string) *ConfigSection {
 		cfg:      cfg,
 		name:     name,
 		data:     make(map[string]string, 0),
-		raw:      make(map[string]string, 0),
+		raw:      make(map[string][]string, 0),
 		keys:     make([]string, 0),
 		comments: make(map[string][]string, 0),
 	}
@@ -758,13 +775,21 @@ func (cs *ConfigSection) String() string {
 		data = append(data, cs.comments[key]...)
 		val := cs.data[key]
 		raw := cs.raw[key]
-		if raw != "" {
-			val = raw
-		}
-		if val == "" {
-			data = append(data, fmt.Sprintf("%s =", key))
-		} else {
-			data = append(data, fmt.Sprintf("%s = %s", key, cs.data[key]))
+		switch len(raw) {
+		case 0, 1:
+			if val == "" {
+				data = append(data, fmt.Sprintf("%s =", key))
+			} else {
+				data = append(data, fmt.Sprintf("%s = %s", key, cs.data[key]))
+			}
+		default:
+			for i, line := range raw {
+				if i == 0 {
+					data = append(data, fmt.Sprintf("%s  = %s", key, line))
+				} else {
+					data = append(data, fmt.Sprintf("%s += %s", key, line))
+				}
+			}
 		}
 	}
 
@@ -778,6 +803,7 @@ func (cs *ConfigSection) String() string {
 // be stored as is, including quotes.
 func (cs *ConfigSection) SetRaw(key, value string) error {
 	rawValue := value
+	newRawValue := []string{rawValue}
 
 	useAppend := false
 	if strings.HasSuffix(key, "+") {
@@ -793,8 +819,13 @@ func (cs *ConfigSection) SetRaw(key, value string) error {
 	if useAppend {
 		curRaw, cur, ok := cs.GetStringRaw(key)
 		if ok {
-			value = cur + value
-			rawValue = curRaw + rawValue
+			newRawValue = append(curRaw, rawValue)
+			combine, trim := cs.cfg.getCombine(cs.name, key)
+			if combine == "" {
+				value = cur + value
+			} else {
+				value = strings.TrimRight(cur, trim) + combine + strings.TrimLeft(value, trim)
+			}
 		}
 	}
 
@@ -803,7 +834,7 @@ func (cs *ConfigSection) SetRaw(key, value string) error {
 	}
 
 	cs.data[key] = value
-	cs.raw[key] = rawValue
+	cs.raw[key] = newRawValue
 
 	return nil
 }
@@ -815,10 +846,10 @@ func (cs *ConfigSection) Set(key, value string) {
 	}
 
 	cs.data[key] = value
-	cs.raw[key] = ""
+	cs.raw[key] = []string{value}
 }
 
-// Insert is just like Set but trys to find the key in comments first and will uncomment that one
+// Insert is just like Set but tries to find the key in comments first and will uncomment that one
 func (cs *ConfigSection) Insert(key, value string) {
 	if cs.HasKey(key) {
 		cs.data[key] = value
@@ -939,11 +970,11 @@ func (cs *ConfigSection) GetString(key string) (val string, ok bool) {
 // GetStringRaw returns the raw string (including quotes)
 // along the clean string from config section.
 // it returns the value if found and sets ok to true.
-func (cs *ConfigSection) GetStringRaw(key string) (raw, val string, ok bool) {
+func (cs *ConfigSection) GetStringRaw(key string) (raw []string, val string, ok bool) {
 	raw = cs.raw[key]
 	val, ok = cs.data[key]
-	if raw == "" {
-		raw = val
+	if len(raw) == 0 {
+		raw = []string{val}
 	}
 	if ok && cs.isUsable(key, val) {
 		macros := make([]map[string]string, 0)

pkg/snclient/config_test.go

@@ -381,8 +381,14 @@ func TestConfigAppend(t *testing.T) {
 	section := cfg.Section("/settings/default")
 	allowed, _ := section.GetString("allowed hosts")
 
-	expected := "127.0.0.1, ::1, 192.168.0.1, 192.168.0.2,192.168.0.3"
-	assert.Equalf(t, expected, allowed, "reading appended config")
+	assert.Equalf(t, "127.0.0.1, ::1 , 192.168.0.1 , 192.168.0.2,192.168.0.3", allowed, "reading appended allowed hosts")
+
+	nasty, _ := section.GetString("nasty characters")
+	assert.Equalf(t, "123456", nasty, "reading appended string config")
+
+	section = cfg.Section("/settings/check/logfile")
+	allowed, _ = section.GetString("allowed pattern")
+	assert.Equalf(t, "/var/log/** , **/*.log", allowed, "reading appended allowed pattern")
 }
 
 func TestConfigLongLines(t *testing.T) {