
Fix for ticket #263 (log correlation may not work).

1/**************************************
2 **
3 ** PARSER RULES
4 **
5 ** (a) must set record->host
6 ** (if necessary, to a dummy value)
7 **
8 ** (b) must set record->prefix
9 ** (command)
10 **
11 **
12 **************************************/
13
14/* for strptime */
15#define _XOPEN_SOURCE
16
17#include "config_xor.h"
18#include <string.h>
19
20#if defined(HOST_IS_SOLARIS)
21/* For 'struct timeval' in <sys/time.h> */
22#define __EXTENSIONS__
23#endif
24
25#include <time.h>
26
27#if defined(USE_LOGFILE_MONITOR)
28
29#include "samhain.h"
30#include "sh_pthread.h"
31#include "sh_log_check.h"
32#include "sh_string.h"
33
34#undef FIL__
35#define FIL__ _("sh_log_parse_samba.c")
36
37
/* Read the next Samba record from 'logfile' into 'record'.
 *
 * Samba writes one logical entry across several physical lines, so the
 * generic continuation-aware reader is used.  The third argument is the
 * character set handed to sh_cont_reader(); presumably the leading
 * characters that mark a continuation line (blank or tab) -- confirm
 * against sh_cont_reader() in sh_log_check.c.
 *
 * Returns whatever sh_cont_reader() returns.
 */
sh_string * sh_read_samba (sh_string * record, struct sh_logfile * logfile)
{
  sh_string * joined;

  joined = sh_cont_reader (record, logfile, " \t");
  return joined;
}
42
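/* Parse one (continuation-joined) Samba log record.
 *
 * The expected shape, as far as this parser checks it, is
 *
 *   [YYYY/MM/DD HH:MM:SS, <rest>
 *
 * Everything before the first ',' must match format_1 ("[%Y/%m/%d %T")
 * exactly and completely; everything after it is split on whitespace by
 * split_array_ws() and must yield exactly three fields, the third of which
 * becomes record->message.  record->timestr is the timestamp text without
 * the leading '['; record->host is this host's name; record->pid is 0.
 *
 * Returns a freshly SH_ALLOC'ed sh_logrecord, or NULL when 'logline' is
 * NULL/empty, contains no ',', does not split into three fields, or the
 * timestamp does not match.  'fileinfo' is unused.
 *
 * Side effect: the first ',' in 'logline' is overwritten with '\0' in
 * place (the sh_string length is not updated), so the caller must treat
 * 'logline' as scratch after this call.
 *
 * NOTE(review): the rules at the top of this file say a parser must set
 * record->prefix; this one never touches it.  Confirm that SH_ALLOC
 * zero-fills or that the consumer tolerates an unset prefix.
 *
 * Security note: log content is attacker-influenced (a Samba client can
 * cause arbitrary text to be logged), so nothing here may assume the
 * line is well-formed.  In particular a line with no ',' used to
 * dereference the NULL returned by strchr().
 */
struct sh_logrecord * sh_parse_samba (sh_string * logline, void * fileinfo)
{
  /* Carried across calls by conv_timestamp() (e.g. for year/DST
   * inference); not thread-safe, same as the rest of the static state
   * in this function. */
  static struct tm old_tm;
  static time_t old_time;

  struct sh_logrecord * record = NULL;

  static const char * format0_1 = N_("[%Y/%m/%d %T");
  static char format_1[16];
  static int format_init = 0;

  (void) fileinfo;

  /* Translate the strptime() format once; sl_strlcpy() bounds the copy. */
  if (!format_init)
    {
      sl_strlcpy(format_1, _(format0_1), sizeof(format_1));
      format_init = 1;
    }

  if (logline && sh_string_len(logline) > 0)
    {
      size_t lengths[3];
      unsigned int fields = 3;   /* in: max fields; out: fields found (presumably) */
      char ** array;
      char * p = strchr(sh_string_str(logline), ',');

      /* No ',' means this is not a Samba record header (e.g. a stray
       * continuation line or garbage): reject it instead of writing
       * through a NULL pointer. */
      if (p == NULL)
        return NULL;

      /* Terminate the timestamp part in place; p now points past ','. */
      *p = '\0'; ++p;
      array = split_array_ws(p, &fields, lengths);

      if (array && fields == 3)
        {
          struct tm btime;
          char * ptr;

          memset(&btime, '\0', sizeof(struct tm));
          btime.tm_isdst = -1;   /* let mktime() decide DST */

          ptr = strptime(sh_string_str(logline), format_1, &btime);

          if (ptr && *ptr == '\0') /* no error, whole string consumed */
            {
              record = SH_ALLOC(sizeof(struct sh_logrecord));

              record->timestamp = conv_timestamp(&btime, &old_tm, &old_time);

              /* Skip the leading '[' of the timestamp text. */
              p = sh_string_str(logline); ++p;

              record->timestr = sh_string_new_from_lchar(p, strlen(p));

              /* Third whitespace-separated field after the ',' is the message;
               * lengths[2] comes from split_array_ws(), so no strlen() here. */
              record->message = sh_string_new_from_lchar(array[2], lengths[2]);

              record->pid = 0;
              /* Samba logs carry no host field; use our own host name. */
              record->host = sh_string_new_from_lchar(sh.host.name,
                                                      strlen(sh.host.name));
            }
        }
      SH_FREE(array);
    }
  return record;
}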
103
104#endif