| 1 | /************************************** | 
|---|
| 2 | ** | 
|---|
| 3 | ** PARSER RULES | 
|---|
| 4 | ** | 
|---|
| 5 | ** (a) must set record->host | 
|---|
| 6 | **     (eventually to dummy value) | 
|---|
| 7 | ** | 
|---|
| 8 | ** (b) must set record->prefix | 
|---|
| 9 | **     (eventually to dummy value) | 
|---|
| 10 | ** | 
|---|
| 11 | ** | 
|---|
| 12 | **************************************/ | 
|---|
| 13 |  | 
|---|
| 14 | /* for strptime */ | 
|---|
| 15 | #define _XOPEN_SOURCE | 
|---|
| 16 |  | 
|---|
| 17 | #include "config_xor.h" | 
|---|
| 18 |  | 
|---|
| 19 | #include <stdio.h> | 
|---|
| 20 | #include <stdlib.h> | 
|---|
| 21 | #include <string.h> | 
|---|
| 22 |  | 
|---|
| 23 | #if defined(HOST_IS_SOLARIS) | 
|---|
| 24 | /* For 'struct timeval' in <sys/time.h> */ | 
|---|
| 25 | #define __EXTENSIONS__ | 
|---|
| 26 | #endif | 
|---|
| 27 |  | 
|---|
| 28 | #include <sys/types.h> | 
|---|
| 29 | #include <time.h> | 
|---|
| 30 |  | 
|---|
| 31 | #ifdef USE_LOGFILE_MONITOR | 
|---|
| 32 |  | 
|---|
| 33 | #include "samhain.h" | 
|---|
| 34 | #include "sh_pthread.h" | 
|---|
| 35 | #include "sh_log_check.h" | 
|---|
| 36 | #include "sh_utils.h" | 
|---|
| 37 | #include "sh_string.h" | 
|---|
| 38 |  | 
|---|
| 39 | #undef  FIL__ | 
|---|
| 40 | #define FIL__  _("sh_log_parse_syslog.c") | 
|---|
| 41 |  | 
|---|
| 42 | static int hidepid = 0; | 
|---|
| 43 | extern int flag_err_debug; | 
|---|
| 44 |  | 
|---|
| 45 | int sh_get_hidepid() | 
|---|
| 46 | { | 
|---|
| 47 | return hidepid; | 
|---|
| 48 | } | 
|---|
| 49 |  | 
|---|
| 50 | int sh_set_hidepid(const char *s) | 
|---|
| 51 | { | 
|---|
| 52 | return sh_util_flagval(s, &hidepid); | 
|---|
| 53 | } | 
|---|
| 54 |  | 
|---|
| 55 | struct sh_logrecord * sh_parse_syslog (sh_string * logline, void * fileinfo) | 
|---|
| 56 | { | 
|---|
| 57 | static const char *    format0_1 = N_("%b %d %T"); | 
|---|
| 58 | static const char *    format0_2 = N_("%Y-%m-%dT%T"); | 
|---|
| 59 |  | 
|---|
| 60 | static char   format_1[16]; | 
|---|
| 61 | static char   format_2[16]; | 
|---|
| 62 | static int    format_init = 0; | 
|---|
| 63 |  | 
|---|
| 64 | static struct tm old_tm; | 
|---|
| 65 | static time_t    old_time; | 
|---|
| 66 |  | 
|---|
| 67 | const unsigned int Tpos = 10; | 
|---|
| 68 | volatile unsigned int tlen = 16; | 
|---|
| 69 |  | 
|---|
| 70 | (void) fileinfo; | 
|---|
| 71 |  | 
|---|
| 72 | if (!format_init) | 
|---|
| 73 | { | 
|---|
| 74 | sl_strlcpy(format_1, _(format0_1), sizeof(format_1)); | 
|---|
| 75 | sl_strlcpy(format_2, _(format0_2), sizeof(format_2)); | 
|---|
| 76 | format_init = 1; | 
|---|
| 77 | } | 
|---|
| 78 |  | 
|---|
| 79 |  | 
|---|
| 80 | if (flag_err_debug == SL_TRUE && sh_string_len(logline) > 0) | 
|---|
| 81 | { | 
|---|
| 82 | SH_MUTEX_LOCK(mutex_thread_nolog); | 
|---|
| 83 | sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN, | 
|---|
| 84 | logline->str, | 
|---|
| 85 | _("sh_parse_syslog")); | 
|---|
| 86 | SH_MUTEX_UNLOCK(mutex_thread_nolog); | 
|---|
| 87 | } | 
|---|
| 88 |  | 
|---|
| 89 | if (logline && sh_string_len(logline) > tlen) | 
|---|
| 90 | { | 
|---|
| 91 | struct tm btime; | 
|---|
| 92 | char * ptr; | 
|---|
| 93 | int    flag; | 
|---|
| 94 | size_t lengths[3]; | 
|---|
| 95 |  | 
|---|
| 96 | memset(&btime, '\0', sizeof(struct tm)); | 
|---|
| 97 | btime.tm_isdst = -1; | 
|---|
| 98 |  | 
|---|
| 99 | /* This is RFC 3164. | 
|---|
| 100 | */ | 
|---|
| 101 | if (logline->str[Tpos] != 'T') | 
|---|
| 102 | { | 
|---|
| 103 | logline->str[tlen-1] = '\0'; | 
|---|
| 104 | ptr = /*@i@*/strptime(logline->str, format_1, &btime); | 
|---|
| 105 | } | 
|---|
| 106 |  | 
|---|
| 107 | /* RFC 3339 describes an alternative timestamp format. | 
|---|
| 108 | * Unfortunately, POSIX strptime() does not support reading | 
|---|
| 109 | * the TZ offset. | 
|---|
| 110 | */ | 
|---|
| 111 | else | 
|---|
| 112 | { | 
|---|
| 113 | ptr = strptime(logline->str, format_2, &btime); | 
|---|
| 114 | if (ptr) | 
|---|
| 115 | { | 
|---|
| 116 | tlen = 20; | 
|---|
| 117 | if (*ptr && *ptr != ' ') { | 
|---|
| 118 | do { ++ptr; ++tlen; } while (*ptr && *ptr != ' '); | 
|---|
| 119 | if (*ptr == ' ') *ptr = '\0'; | 
|---|
| 120 | } | 
|---|
| 121 | } | 
|---|
| 122 | } | 
|---|
| 123 |  | 
|---|
| 124 | if (ptr && *ptr == '\0') /* no error, whole string consumed */ | 
|---|
| 125 | { | 
|---|
| 126 | unsigned int  fields = 3; /* host program(\[pid\])+: message */ | 
|---|
| 127 | char ** array  = split_array_ws(&(logline->str[tlen]), &fields, lengths); | 
|---|
| 128 |  | 
|---|
| 129 | if (fields == 3) | 
|---|
| 130 | { | 
|---|
| 131 | struct sh_logrecord * record = SH_ALLOC(sizeof(struct sh_logrecord)); | 
|---|
| 132 |  | 
|---|
| 133 | record->timestamp = conv_timestamp(&btime, &old_tm, &old_time); | 
|---|
| 134 | record->timestr   = sh_string_new_from_lchar(logline->str, (tlen-1)); | 
|---|
| 135 |  | 
|---|
| 136 | /* host | 
|---|
| 137 | */ | 
|---|
| 138 | record->host = sh_string_new_from_lchar(array[0], lengths[0]); | 
|---|
| 139 |  | 
|---|
| 140 | /* program and pid | 
|---|
| 141 | */ | 
|---|
| 142 | if (NULL != (ptr = strchr(array[1], '['))) | 
|---|
| 143 | { | 
|---|
| 144 | *ptr = '\0'; | 
|---|
| 145 | ++ptr; | 
|---|
| 146 | record->pid = (pid_t) atoi(ptr); | 
|---|
| 147 |  | 
|---|
| 148 | if (hidepid == 0 || !*ptr) { | 
|---|
| 149 | --ptr; | 
|---|
| 150 | *ptr = '['; | 
|---|
| 151 | } else { | 
|---|
| 152 | *ptr = '\0'; /* overwrite first digit */ | 
|---|
| 153 | --ptr; | 
|---|
| 154 | *ptr = ':';  /* overwrite ex-':' */ | 
|---|
| 155 | lengths[1] = strlen(array[1]); | 
|---|
| 156 | } | 
|---|
| 157 | } | 
|---|
| 158 | else | 
|---|
| 159 | { | 
|---|
| 160 | flag = 0; | 
|---|
| 161 | ptr = array[1]; | 
|---|
| 162 | if (ptr[lengths[1]] == ':') { | 
|---|
| 163 | ptr[lengths[1]] = '\0'; | 
|---|
| 164 | flag = 1; | 
|---|
| 165 | } | 
|---|
| 166 | record->pid = PID_INVALID; | 
|---|
| 167 | if (flag == 1) { | 
|---|
| 168 | ptr[lengths[1]] = ':'; | 
|---|
| 169 | } | 
|---|
| 170 | } | 
|---|
| 171 |  | 
|---|
| 172 | /* message | 
|---|
| 173 | */ | 
|---|
| 174 | record->message = sh_string_new_from_lchar3(array[1], lengths[1], | 
|---|
| 175 | " ", 1, | 
|---|
| 176 | array[2], lengths[2]); | 
|---|
| 177 |  | 
|---|
| 178 | SH_FREE(array); | 
|---|
| 179 | return record; | 
|---|
| 180 | } | 
|---|
| 181 | SH_FREE(array); | 
|---|
| 182 | } | 
|---|
| 183 | } | 
|---|
| 184 | /* corrupted logline | 
|---|
| 185 | */ | 
|---|
| 186 | return NULL; | 
|---|
| 187 | } | 
|---|
| 188 |  | 
|---|
| 189 | /* USE_LOGFILE_MONITOR */ | 
|---|
| 190 | #endif | 
|---|