feat(dgw): emit syslogs and Windows events for important events

Issue: DGW-63
Security: yes

Author: CBenoit

.cargo/mutants.toml

@@ -0,0 +1,2 @@
+skip_calls = ["emit_to_syslog", "emit_to_event_log"]
+exclude_re = ["impl Debug"]

Cargo.lock

@@ -6,6 +6,7 @@ members = [
     "devolutions-gateway",
     "devolutions-session",
     "jetsocat",
+    "testsuite",
     "tools/generate-openapi",
 ]
 default-members = [
@@ -36,6 +37,10 @@ strip = "symbols"
 tracing-appender = { git = "https://github.com/CBenoit/tracing.git", rev = "42097daf92e683cf18da7639ddccb056721a796c" }
 
 [workspace.lints.rust]
+# Declare the custom cfgs.
+unexpected_cfgs = { level = "warn", check-cfg = [
+  'cfg(build_profile, values("dev","release","production"))',
+]}
 
 # == Safer unsafe == #
 unsafe_op_in_unsafe_fn = "warn"
@@ -55,6 +60,9 @@ noop_method_call = "warn"
 unused_crate_dependencies = "warn"
 unused_macro_rules = "warn"
 
+[workspace.dependencies]
+proptest = "1.0"
+
 [workspace.lints.clippy]
 
 # == Safer unsafe == #

Cargo.toml

@@ -276,10 +276,8 @@ impl From<io::ErrorKind> for Socks5FailureCode {
         match kind {
             io::ErrorKind::ConnectionRefused => Socks5FailureCode::ConnectionRefused,
             io::ErrorKind::TimedOut => Socks5FailureCode::TtlExpired,
-            #[cfg(feature = "nightly")] // https://github.com/rust-lang/rust/issues/86442
-            std::io::ErrorKind::HostUnreachable => Socks5FailureCode::HostUnreachable,
-            #[cfg(feature = "nightly")] // https://github.com/rust-lang/rust/issues/86442
-            std::io::ErrorKind::NetworkUnreachable => Socks5FailureCode::NetworkUnreachable,
+            io::ErrorKind::HostUnreachable => Socks5FailureCode::HostUnreachable,
+            io::ErrorKind::NetworkUnreachable => Socks5FailureCode::NetworkUnreachable,
             _ => Socks5FailureCode::GeneralSocksServerFailure,
         }
     }

crates/proxy-socks/src/socks5.rs

@@ -0,0 +1,13 @@
+[package]
+name = "sysevent-codes"
+version = "0.0.0"
+edition = "2024"
+authors = ["Devolutions Inc. <infos@devolutions.net>"]
+license = "MIT OR Apache-2.0"
+publish = false
+
+[lints]
+workspace = true
+
+[dependencies]
+sysevent.path = "../sysevent"

crates/sysevent-codes/Cargo.toml

@@ -0,0 +1,189 @@
+use sysevent::{Entry, Severity};
+
+// 1000-1099 **Service/Lifecycle**
+
+/// Fired after `GatewayService::start()`
+pub const SERVICE_STARTED: u32 = 1000;
+/// Graceful stop received
+pub const SERVICE_STOPPING: u32 = 1001;
+/// Failed to init config
+pub const INVALID_CONFIG: u32 = 1010;
+/// Top-level start failure
+pub const START_FAILED: u32 = 1020;
+
+pub fn service_started(version: impl ToString) -> Entry {
+    Entry::new("Service started")
+        .event_code(SERVICE_STARTED)
+        .severity(Severity::Info)
+        .field("version", version)
+}
+
+pub fn service_stopping() -> Entry {
+    Entry::new("Service stopping")
+        .event_code(SERVICE_STOPPING)
+        .severity(Severity::Info)
+}
+
+pub fn invalid_config(error: &dyn std::fmt::Display) -> Entry {
+    Entry::new(format!("Invalid config: {error:#}"))
+        .event_code(INVALID_CONFIG)
+        .severity(Severity::Critical)
+}
+
+pub fn start_failed(error: &dyn std::fmt::Display) -> Entry {
+    Entry::new(format!("Start failure: {error:#}"))
+        .event_code(START_FAILED)
+        .severity(Severity::Error)
+}
+
+// 2000-2099 **Listeners & Networking**
+
+// Fires with listener start.
+pub const LISTENER_STARTED: u32 = 2000;
+// Bind failure with OS error.
+pub const LISTENER_BIND_FAILED: u32 = 2001;
+
+pub fn listener_started(message: impl Into<String>) -> Entry {
+    Entry::new(message)
+        .event_code(LISTENER_STARTED)
+        .severity(Severity::Info)
+}
+
+pub fn listener_bind_failed(message: impl Into<String>) -> Entry {
+    Entry::new(message)
+        .event_code(LISTENER_BIND_FAILED)
+        .severity(Severity::Error)
+}
+
+// 3000-3099 **TLS / Certificates**
+
+/// TLS configured (includes which source: file vs system store)
+pub const TLS_CONFIGURED: u32 = 3000;
+/// Strict verification off (compat mode).
+pub const TLS_VERIFY_STRICT_DISABLED: u32 = 3001;
+/// Missing SAN or EKU=serverAuth.
+pub const TLS_CERTIFICATE_REJECTED: u32 = 3002;
+/// Thumbprint/subject; selection criteria.
+pub const SYSTEM_CERT_SELECTED: u32 = 3003;
+pub const TLS_CERTIFICATE_NAME_MISMATCH: u32 = 3004;
+
+pub fn tls_configured() -> Entry {
+    Entry::new("TLS configured")
+        .event_code(TLS_CONFIGURED)
+        .severity(Severity::Info)
+}
+
+pub fn tls_verify_strict_disabled(message: impl Into<String>) -> Entry {
+    Entry::new(message)
+        .event_code(TLS_VERIFY_STRICT_DISABLED)
+        .severity(Severity::Notice)
+}
+
+pub fn tls_certificate_rejected(message: impl Into<String>) -> Entry {
+    Entry::new(message)
+        .event_code(TLS_CERTIFICATE_REJECTED)
+        .severity(Severity::Critical)
+}
+
+pub fn system_cert_selected(message: impl Into<String>) -> Entry {
+    Entry::new(message)
+        .event_code(SYSTEM_CERT_SELECTED)
+        .severity(Severity::Info)
+}
+
+pub fn tls_certificate_name_mismatch(message: impl Into<String>) -> Entry {
+    Entry::new(message)
+        .event_code(TLS_CERTIFICATE_NAME_MISMATCH)
+        .severity(Severity::Notice)
+}
+
+// 4000-4099 **Sessions, Tokens & Recording**
+
+pub const TOKEN_REUSE_LIMIT_EXCEEDED: u32 = 4012;
+pub const RECORDING_ERROR: u32 = 4032;
+
+pub fn token_reuse_limit_exceeded(message: impl Into<String>) -> Entry {
+    Entry::new(message)
+        .event_code(TOKEN_REUSE_LIMIT_EXCEEDED)
+        .severity(Severity::Warning)
+}
+
+pub fn recording_error(message: impl Into<String>) -> Entry {
+    Entry::new(message)
+        .event_code(RECORDING_ERROR)
+        .severity(Severity::Error)
+}
+
+// 5000-5099 **Authentication / Authorization**
+
+/// Signature/Expiry/Audience failure.
+pub const JWT_REJECTED: u32 = 5001;
+/// Rule evaluation result.
+pub const AUTHORIZATION_DENIED: u32 = 5010;
+
+pub fn jwt_rejected(message: impl Into<String>) -> Entry {
+    Entry::new(message).event_code(JWT_REJECTED).severity(Severity::Warning)
+}
+
+pub fn authorization_denied(message: impl Into<String>) -> Entry {
+    Entry::new(message)
+        .event_code(AUTHORIZATION_DENIED)
+        .severity(Severity::Warning)
+}
+
+// 6000-6099 **Agent Integration**
+
+/// `DevolutionsSession.exe` started in session; include session id & kind (console/remote).
+pub const USER_SESSION_PROCESS_STARTED: u32 = 6000;
+/// Exit code; who triggered.
+pub const USER_SESSION_PROCESS_TERMINATED: u32 = 6001;
+pub const UPDATER_TASK_ENABLED: u32 = 6010;
+pub const UPDATER_ERROR: u32 = 6011;
+pub const PEDM_ENABLED: u32 = 6020;
+
+pub fn user_session_process_started(message: impl Into<String>) -> Entry {
+    Entry::new(message)
+        .event_code(USER_SESSION_PROCESS_STARTED)
+        .severity(Severity::Info)
+}
+
+pub fn user_session_process_terminated(message: impl Into<String>) -> Entry {
+    Entry::new(message)
+        .event_code(USER_SESSION_PROCESS_TERMINATED)
+        .severity(Severity::Info)
+}
+
+pub fn updater_task_enabled(message: impl Into<String>) -> Entry {
+    Entry::new(message)
+        .event_code(UPDATER_TASK_ENABLED)
+        .severity(Severity::Info)
+}
+
+pub fn updater_error(message: impl Into<String>) -> Entry {
+    Entry::new(message)
+        .event_code(UPDATER_ERROR)
+        .severity(Severity::Warning)
+}
+
+pub fn pedm_enabled(message: impl Into<String>) -> Entry {
+    Entry::new(message).event_code(PEDM_ENABLED).severity(Severity::Info)
+}
+
+// 7000-7099 **Health**
+
+// 9000-9099 **Diagnostics**
+
+pub const DEBUG_OPTIONS_ENABLED: u32 = 9001;
+pub const XMF_NOT_FOUND: u32 = 9002;
+
+pub fn debug_options_enabled(message: impl Into<String>) -> Entry {
+    Entry::new(message)
+        .event_code(DEBUG_OPTIONS_ENABLED)
+        .severity(Severity::Notice)
+}
+
+pub fn xmf_not_found(message: impl Into<String>) -> Entry {
+    Entry::new(message)
+        .event_code(XMF_NOT_FOUND)
+        .severity(Severity::Warning)
+}

crates/sysevent-codes/src/lib.rs

@@ -0,0 +1,19 @@
+[package]
+name = "sysevent-syslog"
+version = "0.0.0"
+edition = "2024"
+authors = ["Devolutions Inc. <infos@devolutions.net>"]
+description = "Syslog backend for system-wide critical event logging"
+license = "MIT OR Apache-2.0"
+repository = "https://github.com/Devolutions/devolutions-gateway"
+publish = false
+
+[dependencies]
+sysevent.path = "../sysevent"
+libc = "0.2"
+
+[dev-dependencies]
+proptest.workspace = true
+
+[lints]
+workspace = true

crates/sysevent-syslog/Cargo.toml

@@ -0,0 +1,30 @@
+# sysevent-syslog
+
+Syslog backend for system-wide critical event logging.
+
+This crate provides Unix/Linux syslog implementation using standard libc calls.
+
+## Platform Requirements
+
+- Unix/Linux systems with syslog facilities
+- Standard C library with openlog/syslog/closelog functions
+- Thread-safe operation across concurrent emission calls
+
+## Examples
+
+```rust,no_run
+use sysevent::{Entry, Severity, Facility, SystemEventSink};
+use sysevent_syslog::{Syslog, SyslogOptions};
+
+let options = SyslogOptions::default()
+    .facility(Facility::Daemon)
+    .log_pid(true);
+
+let syslog = Syslog::new(c"myapp", options)?;
+
+let entry = Entry::new("Database connection failed")
+    .severity(Severity::Critical);
+
+syslog.emit(entry)?;
+# Ok::<(), sysevent::SysEventError>(())
+```