source: branches/samhain_3_1/include/sh_log_check.h@ 587

Last change on this file since 587 was 276, checked in by katerina, 16 years ago

Fix for bugs in log monitoring (tickets #196, #199), and allow shell command monitoring (ticket #197).

1#ifndef SH_LOGCHECK_H
2#define SH_LOGCHECK_H
3
#include <stdio.h>      /* FILE and fpos_t, used by struct sh_logfile */
#include <sys/types.h>
#include <time.h>
/* sh_string is used below but not declared by this header; includers
 * must bring the project's string type into scope before including it. */
6
/* Convert a struct tm to a unix timestamp, with caching.
 *
 * btime    - broken-down time to convert
 * old_tm   - cache slot; presumably the struct tm of the previous call
 * old_time - cache slot; presumably the time_t the previous call produced
 *            (how the cache is consulted/updated is not visible here --
 *            confirm against the definition)
 *
 * Returns the time_t corresponding to btime.
 */
time_t conv_timestamp (struct tm * btime,
                       struct tm * old_tm, time_t * old_time);
11
/* Definition of a log record entry, to be returned from parsing function.
 *
 * NOTE(review): ownership of the pointer members (who frees filename and
 * the sh_string fields) is not specified here -- check the parser
 * implementations before holding on to a record.
 */
/* Sentinel stored in sh_logrecord.pid when no usable PID was parsed. */
#define PID_INVALID 0
struct sh_logrecord
{
  char * filename;      /* log file the record was read from */
  sh_string * host;     /* host field as parsed from the record */
  sh_string * timestr;  /* timestamp text as it appeared in the record */
  pid_t pid;            /* parsed PID, or PID_INVALID */
  time_t timestamp;     /* timestamp converted to unix time */
  sh_string * message;  /* message body; log content is external data,
                           so consumers must treat it as untrusted */
};
24
/* Bits for sh_logfile.flags. Meanings are inferred from the names --
 * confirm in the reader implementation.
 */
#define SH_LOGFILE_MOVED (1<<0)   /* file was moved/rotated since opened */
#define SH_LOGFILE_REWIND (1<<1)  /* re-read from the beginning */
#define SH_LOGFILE_PIPE (1<<2)    /* source is a pipe, not a regular file */
#define SH_LOGFILE_NOFILE (1<<3)  /* no file is present for this entry */
29
/* One monitored log source and the callbacks used to read and parse it.
 * Entries are chained through 'next'.
 */
struct sh_logfile
{
  FILE * fp;            /* open stream for the source */
  int flags;            /* SH_LOGFILE_* bits */
  char * filename;      /* path of the source (for the shell reader,
                           presumably the command -- confirm) */
  dev_t device_id;      /* device of the file when it was opened */
  ino_t inode;          /* inode of the file when it was opened;
                           device_id/inode are presumably compared against
                           a fresh stat to detect rotation -- confirm */
  fpos_t offset;        /* stored read position; sh_open_for_reader
                           positions the reopened file here */

  /* Info for the parser, e.g. a regular expression.
   * Opaque: produced by the type's eval_fileinfo callback and handed
   * unchanged to parse_record.
   */
  void * fileinfo;

  /* Callback function to read the next record.
   * 'record' is the sh_string to fill; the callback returns it (or NULL
   * at end of input -- return convention not visible here, confirm).
   */
  sh_string * (*get_record) (sh_string * record,
                             struct sh_logfile * logfile);

  /* Callback function to parse the record into standard format.
   * The line is external data; parsers must bound every copy out of it.
   */
  struct sh_logrecord * (*parse_record)(sh_string * logline, void * fileinfo);

  struct sh_logfile * next;  /* next entry in the singly linked list */
};
54
/* Generic callback function to parse fileinfo.
 * 'str' is presumably the per-file configuration string; the returned
 * pointer is the opaque fileinfo later passed to parse_record.
 * Ownership of the returned object is not specified here.
 */
void * sh_eval_fileinfo_generic(char * str);

/* Generic parser: converts one log line into a struct sh_logrecord.
 * 'logline' is log content, i.e. external data, and must not be trusted.
 */
struct sh_logrecord * sh_parse_generic (sh_string * logline, void * fileinfo);
62
63
64/****************************************************************
65 **
66 ** Parsing and reading functions
67 **/
68
/* Open file, position at stored offset (sh_logfile.offset).
 * Return convention is not visible here -- presumably 0 on success.
 */
int sh_open_for_reader (struct sh_logfile * logfile);

/* Simple line reader for executed shell command.
 * The command output is external data and is handled like any other
 * log line; the reader must bound what it stores in 'record'.
 */
sh_string * sh_command_reader (sh_string * record,
                               struct sh_logfile * logfile);

/* Wrapper for sh_command_reader; has the get_record callback signature. */
sh_string * sh_read_shell (sh_string * record, struct sh_logfile * logfile);

/* Parses a shell command reply. */
struct sh_logrecord * sh_parse_shell (sh_string * logline, void * fileinfo);

/* Simple line reader. */
sh_string * sh_default_reader (sh_string * record,
                               struct sh_logfile * logfile);

/* Continued line reader.
 * 'cont' presumably marks a continuation line -- confirm. Note the extra
 * parameter: this is not directly usable as a get_record callback.
 */
sh_string * sh_cont_reader (sh_string * record,
                            struct sh_logfile * logfile, char * cont);

/* Binary reader.
 * Takes a caller-supplied buffer 's' of 'size' bytes instead of an
 * sh_string record, so it is also not a get_record callback.
 */
sh_string * sh_binary_reader (void * s, size_t size, struct sh_logfile * logfile);

/* Parses a syslog-style line. */
struct sh_logrecord * sh_parse_syslog (sh_string * logline, void * fileinfo);

/* Format info for apache log: builds the fileinfo handed to sh_parse_apache. */
void * sh_eval_fileinfo_apache(char * str);

/* Parses an apache-style line. */
struct sh_logrecord * sh_parse_apache (sh_string * logline, void * fileinfo);

/* Get a pacct record */
sh_string * sh_read_pacct (sh_string * record, struct sh_logfile * logfile);

/* Parses a pacct record. */
struct sh_logrecord * sh_parse_pacct (sh_string * logline, void * fileinfo);

/* Get a samba record */
sh_string * sh_read_samba (sh_string * record, struct sh_logfile * logfile);

/* Parses a samba record. */
struct sh_logrecord * sh_parse_samba (sh_string * logline, void * fileinfo);
113
114
115/**
116*****************************************************************/
117
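/* Query the 'hidepid' option.
 * Returns the current setting as an int (presumably a boolean -- confirm
 * against the definition). Declared with (void): an empty parameter
 * list is not a prototype in C, so callers would otherwise get no
 * argument checking.
 */
int sh_get_hidepid(void);

/* Set the 'hidepid' option from the configuration string 's'.
 * Return convention is not visible here -- presumably 0 on success.
 */
int sh_set_hidepid(const char *s);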
120
/* Size of sh_logfile_type.code; a NUL-terminated code must fit in
 * SH_MAX_LCODE_SIZE-1 characters.
 */
#define SH_MAX_LCODE_SIZE 16

/* Registry entry for one log file type: a short code string plus the
 * callbacks used for files of that type.
 */
struct sh_logfile_type
{
  char code[SH_MAX_LCODE_SIZE];  /* type code; fixed-size buffer, so any
                                    write into it must be bounded and
                                    leave room for the terminator */

  /* read callback (splint annotation: may be NULL for this type) */
  /*@null@*/sh_string * (*get_record) (sh_string * record,
                                       struct sh_logfile * logfile);
  /* parsing callback */
  struct sh_logrecord * (*parse_record)(sh_string * logline, void * fileinfo);

  /* evaluate fileinfo: builds the opaque fileinfo from the config string */
  void * (*eval_fileinfo)(char * str);
};
136
137
138#endif