- Aug 06, 2020
Martin Prudek authored
Fixed
* Crash caused by wrong default logrotate config file location
-
Martin Prudek authored
The wrong default location caused an error, producing this error log:
```
root@turris-test:~# sentinel-nikola
error: cannot stat /etc/logrotate.d/iptables: No such file or directory
Exception thrown: Command '('/usr/sbin/logrotate', '-f', '/etc/logrotate.d/iptables')' returned non-zero exit status 1.
Exception traceback: [<FrameSummary file /usr/lib/python3.7/site-packages/sentinel_nikola/__main__.py, line 65 in main>, <FrameSummary file /usr/lib/python3.7/site-packages/sentinel_nikola/__main__.py, line 94 in rotate_syslog_file>, <FrameSummary file /usr/lib/python3.7/subprocess.py, line 411 in check_output>, <FrameSummary file /usr/lib/python3.7/subprocess.py, line 512 in run>]
```
It was possible to avoid the error by using the `-r` option:
```
root@turris-test:~# sentinel-nikola -r /etc/logrotate.d/sentinel-nikola-iptables.conf
```
-
- Aug 04, 2020
Karel Koci authored
Fixed
* Crash when syslog-ng was restarted by Nikola and log was sent to it by Nikola

Changed
* Executable renamed from `nikola` to `sentinel-nikola`
* Python package renamed from `nikola` to `sentinel_nikola`
* Cron now runs a shell script that checks if EULA was approved as well as if Nikola is enabled before running it.
* Syslog-ng now filters packets with DROP fate as well as REJECT
-
Karel Koci authored
Nikola restarts syslog as part of its execution. It runs logrotate that restarts the syslog-ng service. It turns out that sometimes it takes syslog-ng some time to start back up again. Nikola immediately after this tries to send a log to it (about the time it took to rotate the log). That fails if syslog-ng is not yet running. The solution here is to not even restart syslog and instead just reload it. Syslog-ng clearly can catch up on moved files and create a new one. This is also the suggested approach from syslog-ng's documentation about logrotate integration. It states that reload should be invoked but at the same time does not say that restart should not be used.

Example crash log:
```
Logrotate took 0.044638 seconds
--- Logging error ---
Traceback (most recent call last):
  File "/usr/lib/python3.7/logging/handlers.py", line 934, in emit
ConnectionRefusedError: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.7/logging/handlers.py", line 937, in emit
  File "/usr/lib/python3.7/logging/handlers.py", line 855, in _connect_unixsocket
ConnectionRefusedError: [Errno 111] Connection refused
Call stack:
  File "/usr/bin/nikola", line 11, in <module>
    load_entry_point('nikola==3.1.0', 'console_scripts', 'nikola')()
  File "/usr/lib/python3.7/site-packages/nikola/__main__.py", line 69, in main
Message: 'Syslog parsing took 0.092330 seconds'
Arguments: ()
Syslog parsing took 0.092330 seconds
--- Logging error ---
Traceback (most recent call last):
  File "/usr/lib/python3.7/logging/handlers.py", line 934, in emit
OSError: [Errno 9] Bad file descriptor

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.7/logging/handlers.py", line 937, in emit
  File "/usr/lib/python3.7/logging/handlers.py", line 855, in _connect_unixsocket
ConnectionRefusedError: [Errno 111] Connection refused
Call stack:
  File "/usr/bin/nikola", line 11, in <module>
    load_entry_point('nikola==3.1.0', 'console_scripts', 'nikola')()
  File "/usr/lib/python3.7/site-packages/nikola/__main__.py", line 74, in main
Message: 'Records parsed: 120'
Arguments: ()
Records parsed: 120
--- Logging error ---
Traceback (most recent call last):
  File "/usr/lib/python3.7/logging/handlers.py", line 934, in emit
OSError: [Errno 9] Bad file descriptor

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.7/logging/handlers.py", line 937, in emit
  File "/usr/lib/python3.7/logging/handlers.py", line 855, in _connect_unixsocket
ConnectionRefusedError: [Errno 111] Connection refused
Call stack:
  File "/usr/bin/nikola", line 11, in <module>
    load_entry_point('nikola==3.1.0', 'console_scripts', 'nikola')()
  File "/usr/lib/python3.7/site-packages/nikola/__main__.py", line 83, in main
  File "/usr/lib/python3.7/site-packages/nikola/__main__.py", line 111, in send_parsed
Message: 'Sending records took 0.002729 seconds'
Arguments: ()
Sending records took 0.002729 seconds
```
-
Karel Koci authored
We log and can process both terminal fates of packets so we should filter them to iptable log for nikola to read.
-
Karel Koci authored
This is Sentinel-specific Nikola so we should name it as such.
-
- Jun 26, 2020
Karel Koci authored
-
- Jun 24, 2020
Martin Prudek authored
-
Martin Prudek authored
-
Martin Prudek authored
- to disable log rotate
- to disable sending data to zmq proxy socket
- to debug print parsed data
-
- Jun 10, 2020
Martin Prudek authored
-
Martin Prudek authored
-
Martin Prudek authored
-
Martin Prudek authored
-
Martin Prudek authored
-
- May 05, 2020
Vojtech Myslivec authored
-
- Apr 28, 2020
Karel Koci authored
-
Karel Koci authored
-
Karel Koci authored
This was heavily discussed but we did not find any use case of logging blocked traffic leaving the router. In most cases there are going to be no blocking rules for outgoing traffic so there are going to be no logs for it as well. It is also questionable what exactly we would see from such data.
-
Karel Koci authored
This can be done on the server if required but it potentially throws away traffic in the ISP's private ranges. It might be interesting to look in those private ranges as well.
-
-
This now rotates the log hourly. Cron calls nikola to rotate the log every 15 minutes. An hour is enough buffer and much better prevents problems if nikola fails to rotate the log. It also restarts syslog-ng instead of truncating the log.
-
This instead now runs python directly. All arguments set in the script are default values in the argument parser. This means that the script was just duplicating them. This also changes default behavior to not use random sleep. The options -n and --now are preserved but effectively only --random-sleep has some effect and that is enablement of random sleep. This means that cron now uses that argument.
-
syslog-ng config now filters new messages with the new prefix that is the default logging prefix for OpenWrt's firewall3. This means that logging is now just a question of enabling logging on a given zone. Example of uci configuration:
```
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option log_limit '500/sec'
	option log '1'
```
The same change has to be done in the syslog parser. The new message format is:
```
REJECT wan in: IN=eth2 OUT= SRC=172.20.6.10 DST=172.20.6.255
```
This also removes some of the fields we do not use on the server. It is questionable if we need the exact time of the event, so we do not send it. Rule ID is no longer relevant as we do not match rules anymore. Packet count was removed as well with simple package merging. Flags are removed as they are not used on the server at all.
-
- Mar 09, 2020
Karel Koci authored
This was a hacky way to detect the traffic source. We instead should use firewall rules to not log anything we do not want here.
-
- Dec 09, 2019
Vojtech Myslivec authored
-
Vojtech Myslivec authored
-
- Mar 07, 2019
Vojtech Myslivec authored
-
Vojtech Myslivec authored
-
Vojtech Myslivec authored
-
Vojtech Myslivec authored
1. We should add the actual number of packet count even though `_parse_line` returns it always as one
2. We must set last line every time as the dictionary assignment and list append copy only a reference and hence `packet_count` always differs on the third packet in sequence
3. We should compare only a subset of the dictionary fields of the last two parsed lines; however we find simple dictionary compare sufficient at the moment
-
Vojtech Myslivec authored
Remove useless reference assignment and None compare
-
Vojtech Myslivec authored
-
- Dec 13, 2018
Martin Petráček authored
-
- Dec 12, 2018
Martin Petráček authored
-
- Dec 06, 2018
Martin Petráček authored
-
Martin Petráček authored
-
Martin Petráček authored
-
- Nov 01, 2018
Štěpán Henek authored
-
- Dec 13, 2016
Štěpán Henek authored
-