source: trunk/src/sh_log_evalrule.c@ 185

Last change on this file since 185 was 185, checked in by katerina, 16 years ago

Bugfixes for log monitoring, samba logfile parser.
File size: 20.1 KB
RevLine 
[183]1
2#include "config_xor.h"
3
4#include <stdio.h>
5#include <stdarg.h>
6#include <string.h>
7#include <time.h>
8#include <limits.h>
9#include <sys/types.h>
10
11#ifdef USE_LOGFILE_MONITOR
12
13#undef FIL__
14#define FIL__ _("sh_log_evalrule.c")
15
16/* Debian/Ubuntu: libpcre3-dev */
17#include <pcre.h>
18
19#include "samhain.h"
20#include "sh_pthread.h"
21#include "sh_utils.h"
22#include "sh_string.h"
23#include "sh_log_check.h"
24#include "sh_log_evalrule.h"
25#include "zAVLTree.h"
26
27/* #define DEBUG_EVALRULES */
28
29#ifdef DEBUG_EVALRULES
30void DEBUG(const char *fmt, ...)
31{
32 va_list ap;
33 va_start(ap, fmt);
34 vfprintf(stderr, fmt, ap); /* flawfinder: ignore *//* we control fmt string */
35 va_end(ap);
36 return;
37}
38#else
39void DEBUG(const char *fmt, ...)
40{
41 (void) fmt;
42 return;
43}
44#endif
45
46enum policies {
47 EVAL_REPORT,
48 EVAL_SUM
49};
50
51struct sh_ceval /* Counter for summarizing */
52{
53 sh_string * hostname;
54 sh_string * counted_str;
55 sh_string * filename;
56 unsigned long count;
57 time_t start;
58 time_t interval;
59};
60
61void sh_ceval_free(void * item)
62{
63 struct sh_ceval * counter = (struct sh_ceval *) item;
64 if (!counter)
65 return;
66 sh_string_destroy(&(counter->hostname));
67 sh_string_destroy(&(counter->counted_str));
68 sh_string_destroy(&(counter->filename));
69 SH_FREE(counter);
70}
71
72struct sh_qeval /* Queue with definitions */
73{
74 sh_string * label;
75 enum policies policy;
76 int severity;
77 time_t interval; /* if EVAL_SUM, interval */
78 struct sh_qeval * next;
79};
80
81struct sh_geval /* Group of rules (may be a single rule) */
82{
83 sh_string * label; /* label for this group */
84 pcre * rule; /* compiled regex for rule */
85 pcre_extra * rule_extra;
86 int * ovector; /* captured substrings */
87 int ovecnum; /* how many captured */
88 int captures; /* (captures+1)*3 required */
89 zAVLTree * counterlist; /* counters if EVAL_SUM */
90 struct sh_qeval * queue; /* queue for this rule */
91 struct sh_geval * nextrule; /* next rule in this group */
92 struct sh_geval * next; /* next group of rules */
93};
94
95struct sh_heval /* host-specific rules */
96{
97 pcre * hostname; /* compiled regex for hostname */
98 pcre_extra * hostname_extra;
99 struct sh_geval * rulegroups; /* list of group of rules */
100 struct sh_heval * next;
101};
102
103static struct sh_heval * hostlist = NULL;
104static struct sh_qeval * queuelist = NULL;
105static struct sh_geval * grouplist = NULL;
106
107/* These flags are set if we are within
108 * the define of a host/rule group.
109 */
110static struct sh_heval * host_open = NULL;
111static struct sh_geval * group_open = NULL;
112
113int sh_eval_gend (const char * str)
114{
115 (void) str;
116 if (group_open) {
117 group_open = NULL;
118 return 0;
119 }
120 return -1;
121}
122
123int sh_eval_gadd (const char * str)
124{
125 struct sh_geval * ng;
126 struct sh_geval * tmp;
127 pcre * group;
128 pcre_extra * group_extra;
129 const char * error;
130 int erroffset;
131 unsigned int nfields = 2;
132 size_t lengths[2];
133 char * new = sh_util_strdup(str);
134 char ** splits = split_array(new, &nfields, ':', lengths);
135
136 if (group_open)
137 group_open = NULL;
138
139 if (nfields != 2)
140 {
141 SH_FREE(splits);
142 SH_FREE(new);
143 return -1;
144 }
145
146 group = pcre_compile(splits[1], PCRE_NO_AUTO_CAPTURE,
147 &error, &erroffset, NULL);
148 if (!group)
149 {
150 sh_string * msg = sh_string_new(0);
151 sh_string_add_from_char(msg, _("Bad regex: "));
152 sh_string_add_from_char(msg, splits[1]);
153
154 SH_MUTEX_LOCK(mutex_thread_nolog);
155 sh_error_handle(SH_ERR_ERR, FIL__, __LINE__, 0, MSG_E_SUBGEN,
156 sh_string_str(msg),
157 _("sh_eval_gadd"));
158 SH_MUTEX_UNLOCK(mutex_thread_nolog);
159 sh_string_destroy(&msg);
160
161 SH_FREE(splits);
162 SH_FREE(new);
163 return -1;
164 }
165 group_extra = NULL; /* pcre_study(group, 0, &error); */
166
167 ng = SH_ALLOC(sizeof(struct sh_geval));
168 ng->label = sh_string_new_from_lchar(splits[0], lengths[0]);
169 ng->rule = group;
170 ng->rule_extra = group_extra;
171 ng->ovector = NULL;
[185]172 ng->ovecnum = 0;
[183]173 ng->captures = 0;
174 ng->counterlist = NULL;
175 ng->queue = NULL;
176 ng->nextrule = NULL;
[185]177 ng->next = NULL;
[183]178
179 if (!host_open)
180 {
181 if (0 != sh_eval_hadd("^.*"))
182 {
183 pcre_free(group);
184 sh_string_destroy(&(ng->label));
185 SH_FREE(splits);
186 SH_FREE(new);
187 SH_FREE(ng);
188 return -1;
189 }
190 }
191
192 /*
[185]193 * Insert at end, to keep user-defined order
194 */
195
[183]196 if (host_open)
197 {
[185]198 if (grouplist)
199 {
200 tmp = grouplist;
201 while (tmp->next != NULL) { tmp = tmp->next; }
202 tmp->next = ng;
203 } else {
204 grouplist = ng;
205 }
206
207
208 /*
209 * If there is an open host group, add it to its
210 * rulegroups
211 */
212
[183]213 if (host_open->rulegroups)
214 {
215 tmp = host_open->rulegroups;
216 while (tmp->next != NULL) { tmp = tmp->next; }
217 tmp->next = ng;
218 } else {
219 host_open->rulegroups = ng;
[185]220 }
[183]221 }
222
223 group_open = ng;
224 SH_FREE(splits);
225 SH_FREE(new);
226 return 0;
227}
228
229int sh_eval_hend (const char * str)
230{
231 (void) str;
232 if (host_open) {
233 host_open = NULL;
234 return 0;
235 }
236 return -1;
237}
238
239int sh_eval_hadd (const char * str)
240{
241 struct sh_heval * nh;
242 struct sh_heval * tmp;
243 pcre * host;
244 pcre_extra * host_extra;
245 const char * error;
246 int erroffset;
247
248 if (host_open)
249 host_open = NULL;
250
251 host = pcre_compile(str, PCRE_NO_AUTO_CAPTURE,
252 &error, &erroffset, NULL);
253 if (!host)
254 {
255 sh_string * msg = sh_string_new(0);
256 sh_string_add_from_char(msg, _("Bad regex: "));
257 sh_string_add_from_char(msg, str);
258
259 SH_MUTEX_LOCK(mutex_thread_nolog);
260 sh_error_handle(SH_ERR_ERR, FIL__, __LINE__, 0, MSG_E_SUBGEN,
261 sh_string_str(msg),
262 _("sh_eval_hadd"));
263 SH_MUTEX_UNLOCK(mutex_thread_nolog);
264 sh_string_destroy(&msg);
265
266 return -1;
267 }
268 host_extra = NULL; /* pcre_study(host, 0, &error); */
269
270 nh = SH_ALLOC(sizeof(struct sh_heval));
271 nh->hostname = host;
272 nh->hostname_extra = host_extra;
273 nh->rulegroups = NULL;
274
275 /*
276 * Insert at end, to keep user-defined order
277 */
278 nh->next = NULL;
279 if (hostlist) {
280 tmp = hostlist;
281 while (tmp->next != NULL) { tmp = tmp->next; }
282 tmp->next = nh;
283 } else {
284 hostlist = nh;
285 }
286 host_open = nh;
287
288 return 0;
289}
290
291int sh_eval_qadd (const char * str)
292{
293 struct sh_qeval * nq;
294 int severity;
295 unsigned int nfields = 4; /* label:interval:(report|sum):severity */
296 size_t lengths[4];
297 char * new = sh_util_strdup(str);
298 char ** splits = split_array(new, &nfields, ':', lengths);
299
300 if (nfields != 4)
301 {
302 SH_FREE(splits);
303 SH_FREE(new);
304 return -1;
305 }
306
307 if (strcmp(splits[2], _("sum")) && strcmp(splits[2], _("report")))
308 {
309 SH_FREE(splits);
310 SH_FREE(new);
311 return -1;
312 }
313
314 if (!strcmp(splits[2], _("sum")) && atoi(splits[1]) < 0)
315 {
316 SH_FREE(splits);
317 SH_FREE(new);
318 return -1;
319 }
320
321 severity = sh_error_convert_level (splits[3]);
322 if (severity < 0)
323 {
324 SH_FREE(splits);
325 SH_FREE(new);
326 return -1;
327 }
328
329 nq = SH_ALLOC(sizeof(struct sh_qeval));
330 nq->label = sh_string_new_from_lchar(splits[0], lengths[0]);
331
332 DEBUG("debug: splits[2] = %s, policy = %d\n",splits[2],nq->policy);
333 if (0 == strcmp(splits[2], _("report"))) {
334 nq->policy = EVAL_REPORT;
335 nq->interval = 0;
336 }
337 else {
338 nq->policy = EVAL_SUM;
339 nq->interval = (time_t) atoi(splits[1]);
340 }
341
342 nq->severity = severity;
343 nq->next = queuelist;
344 queuelist = nq;
345
346 SH_FREE(splits);
347 SH_FREE(new);
348 return 0;
349}
350
351static struct sh_qeval * find_queue(const char * str)
352{
353 struct sh_qeval * retval = queuelist;
354
355 if (!str)
356 return NULL;
357
358 while (retval)
359 {
360 if (0 == strcmp(str, sh_string_str(retval->label)))
361 break;
362 retval = retval->next;
363 }
364 return retval;
365}
366
367int sh_eval_radd (const char * str)
368{
369 struct sh_geval * nr;
370 struct sh_geval * tmp;
371 struct sh_qeval * queue = NULL;
372 pcre * rule;
373 pcre_extra * rule_extra;
374 const char * error;
375 int erroffset;
376 int captures = 0;
377 unsigned int nfields = 2; /* queue:regex */
378 size_t lengths[2];
379 char * new = sh_util_strdup(str);
380 char ** splits = split_array(new, &nfields, ':', lengths);
381
382 if (nfields != 2)
383 {
384 SH_FREE(splits);
385 SH_FREE(new);
386 return -1;
387 }
388
389 if (0 != strcmp(splits[0], _("trash")))
390 {
391 queue = find_queue(splits[0]);
392 if (!queue)
393 {
394 SH_FREE(splits);
395 SH_FREE(new);
396 return -1;
397 }
398 }
399
400 rule = pcre_compile(splits[1], 0,
401 &error, &erroffset, NULL);
402 if (!rule)
403 {
404 sh_string * msg = sh_string_new(0);
405 sh_string_add_from_char(msg, _("Bad regex: "));
406 sh_string_add_from_char(msg, splits[1]);
407
408 SH_MUTEX_LOCK(mutex_thread_nolog);
409 sh_error_handle(SH_ERR_ERR, FIL__, __LINE__, 0, MSG_E_SUBGEN,
410 sh_string_str(msg),
411 _("sh_eval_radd"));
412 SH_MUTEX_UNLOCK(mutex_thread_nolog);
413 sh_string_destroy(&msg);
414
415 SH_FREE(splits);
416 SH_FREE(new);
417 return -1;
418 }
419 rule_extra = NULL; /* pcre_study(rule, 0, &error); */
420 pcre_fullinfo(rule, rule_extra, PCRE_INFO_CAPTURECOUNT, &captures);
421
422 DEBUG("adding rule: |%s| with %d captures\n", splits[1], captures);
423
424 SH_FREE(splits);
425 SH_FREE(new);
426
427 nr = SH_ALLOC(sizeof(struct sh_geval));
428 nr->label = NULL;
429 nr->rule = rule;
430 nr->rule_extra = rule_extra;
431 nr->captures = captures;
432 nr->ovector = SH_ALLOC(sizeof(int) * (captures+1) * 3);
[185]433 nr->ovecnum = 0;
[183]434 nr->counterlist = NULL;
435 nr->queue = queue;
436 nr->nextrule = NULL;
437 nr->next = NULL;
438
439 /*
440 * If there is an open group, add it to its
441 * rules
442 */
443 if (group_open)
444 {
445 if (group_open->nextrule)
446 {
447 tmp = group_open->nextrule;
[185]448 while (tmp->nextrule != NULL) { tmp = tmp->nextrule; } /* next -> nextrule */
449 tmp->nextrule = nr; /* next -> nextrule */
[183]450 } else {
451 group_open->nextrule = nr;
452 }
453 }
454
455 /*
456 * ..else, add it to the currently open host (open the
457 * default host, if there is no open one)
458 */
459 else
460 {
461 if (!host_open)
462 {
463 if (0 != sh_eval_hadd("^.*"))
464 {
[185]465 SH_FREE(nr->ovector);
[183]466 SH_FREE(nr);
467 return -1;
468 }
469 }
470
471 if (host_open)
472 {
[185]473 /*
474 * Add rule as member to grouplist, to facilitate cleanup
475 */
476#if 0
477 if (grouplist)
478 {
479 tmp = grouplist;
480 while (tmp->next != NULL) { tmp = tmp->next; }
481 tmp->next = nr;
482 } else {
483 grouplist = nr;
484 }
485#endif
486
487 /*
488 * Add rule to host rulegroups
489 */
[183]490 if (host_open->rulegroups)
491 {
492 /* Second, third, ... rule go to host_open->rulegroups->nextrule,
493 * since test_rules() iterates over nextrules
494 */
495 tmp = host_open->rulegroups;
496 while (tmp->nextrule != NULL) { tmp = tmp->nextrule; }
497 tmp->nextrule = nr;
[185]498 }
499 else
500 {
[183]501 /* First rule goes to host_open->rulegroups */
502 host_open->rulegroups = nr;
503 }
504 }
505 else
506 {
[185]507 SH_FREE(nr->ovector);
[183]508 SH_FREE(nr);
509 return -1;
510 }
511 }
512
513 return 0;
514}
515
516void sh_eval_cleanup()
517{
518 struct sh_geval * tmp;
519
520 struct sh_geval * gtmp;
521 struct sh_qeval * qtmp;
522 struct sh_heval * htmp;
523
[185]524 while (grouplist)
[183]525 {
[185]526 gtmp = grouplist;
527 grouplist = gtmp->next;
528
[183]529 if (gtmp->label) sh_string_destroy(&(gtmp->label));
530 if (gtmp->rule_extra) (*pcre_free)(gtmp->rule_extra);
531 if (gtmp->rule) (*pcre_free)(gtmp->rule);
532 if (gtmp->counterlist)
533 zAVLFreeTree(gtmp->counterlist, sh_ceval_free);
534 if (gtmp->ovector)
535 SH_FREE(gtmp->ovector);
[185]536
537 while (gtmp->nextrule)
[183]538 {
[185]539 tmp = gtmp->nextrule;
540 gtmp->nextrule = tmp->nextrule;
541
542 if (tmp->rule_extra) (*pcre_free)(tmp->rule_extra);
543 if (tmp->rule) (*pcre_free)(tmp->rule);
544 if (tmp->counterlist)
545 zAVLFreeTree(tmp->counterlist, sh_ceval_free);
546 if (tmp->ovector)
547 SH_FREE(tmp->ovector);
548 SH_FREE(tmp);
[183]549 }
[185]550
[183]551 SH_FREE(gtmp);
552 }
553
554 qtmp = queuelist;
555 while (qtmp)
556 {
557 if (qtmp->label) sh_string_destroy(&(qtmp->label));
558 queuelist = qtmp->next;
559 SH_FREE(qtmp);
560 qtmp = queuelist;
561 }
562
563 htmp = hostlist;
564 while (htmp)
565 {
566 if (htmp->hostname_extra) (*pcre_free)(htmp->hostname_extra);
567 if (htmp->hostname) (*pcre_free)(htmp->hostname);
568 hostlist = htmp->next;
569 SH_FREE(htmp);
570 htmp = hostlist;
571 }
572
573}
574
575/**********************************************************************
576 *
577 * Actual rule processing
578 *
579 **********************************************************************/
580
581/* Test a list of rules against msg; return matched rule, with ovector
582 * filled in
583 */
584static struct sh_geval * test_rule (struct sh_geval * rule, sh_string *msg)
585{
586 int res, count;
587
588 if (!rule)
589 DEBUG("debug: (NULL) rule\n");
590
591 if (rule && sh_string_len(msg) < (size_t)INT_MAX)
592 {
593 count = 1;
594 do {
595 DEBUG("debug: check rule %d for <%s>\n", count, msg->str);
596 res = pcre_exec(rule->rule, rule->rule_extra,
597 sh_string_str(msg), (int)sh_string_len(msg), 0,
598 0, rule->ovector, (3*(1+rule->captures)));
599 if (res >= 0)
600 {
601 rule->ovecnum = res;
602 DEBUG("debug: rule %d matches, result = %d\n", count, res);
603 break; /* return the matching rule; ovector is filled in */
604 }
605 DEBUG("debug: rule %d did not match\n", count);
606 rule = rule->nextrule; ++count;
607 } while (rule);
608 }
609 if (!rule)
610 DEBUG("debug: no match found\n");
611 /* If there was no match, this is NULL */
612 return rule;
613}
614
615/* Test a (struct sh_geval *), which may be single rule or a group of rules,
616 * against msg (if it's a group of rules, test against prefix first).
617 */
618static struct sh_geval * test_grules (struct sh_heval * host,
619 sh_string *prefix, sh_string *msg)
620{
621 struct sh_geval * result = NULL;
622 struct sh_geval * rules = host->rulegroups;
623
624 if (rules && sh_string_len(prefix) < (size_t)INT_MAX)
625 {
626 DEBUG("debug: if rules\n");
627 do {
628 if(rules->label != NULL)
629 {
630 /* this is a rule group; only groups have labels */
631
632 DEBUG("debug: if rules->label %s\n", rules->label->str);
633 if (pcre_exec(rules->rule, rules->rule_extra,
634 sh_string_str(prefix), (int) sh_string_len(prefix),
635 0, 0, NULL, 0) >= 0)
636 {
637 result = test_rule(rules->nextrule, msg);
638 if (result)
639 break;
640 }
641 }
642 else
643 {
644 /* First rule is in host->rulegroups */
645
646 DEBUG("debug: else (single rule)\n");
647 result = test_rule(rules, msg);
648 if (result)
649 break;
650 }
651 rules = rules->next; /* next group of rules */
652 } while (rules);
653 }
654 return result;
655}
656
657/* Top-level find_rule() function
658 */
659static struct sh_geval * find_rule (sh_string *host,
660 sh_string *prefix, sh_string *msg)
661{
662 struct sh_geval * result = NULL;
663 struct sh_heval * hlist = hostlist;
664
665 if (hlist && sh_string_len(host) < (size_t)INT_MAX)
666 {
667 do {
668 if (pcre_exec(hlist->hostname, hlist->hostname_extra,
669 sh_string_str(host), (int) sh_string_len(host),
670 0, 0, NULL, 0) >= 0)
671 {
672 /* matching host, check rules/groups of rules */
673 result = test_grules(hlist, prefix, msg);
674 if (result)
675 break;
676 }
677 hlist = hlist->next;
678 } while (hlist);
679 }
680 return result;
681}
682
683static void msg_report(int severity, struct sh_logrecord * record)
684{
685 char * tmp;
686 char * msg;
687 char * ttt;
688 SH_MUTEX_LOCK(mutex_thread_nolog);
689 tmp = sh_util_safe_name (record->filename);
[185]690 msg = sh_util_safe_name_keepspace (sh_string_str(record->message));
691 ttt = sh_util_safe_name_keepspace (sh_string_str(record->timestr));
[183]692 sh_error_handle (severity, FIL__, __LINE__, 0, MSG_LOGMON_REP,
693 msg,
694 ttt,
695 sh_string_str(record->host),
696 tmp);
697 SH_FREE(ttt);
698 SH_FREE(msg);
699 SH_FREE(tmp);
700 SH_MUTEX_UNLOCK(mutex_thread_nolog);
701}
702
703static void sum_report(int severity, sh_string * host, sh_string * message, sh_string * path)
704{
705 char * tmp;
706 char * msg;
707 SH_MUTEX_LOCK(mutex_thread_nolog);
708 tmp = sh_util_safe_name (sh_string_str(path));
[185]709 msg = sh_util_safe_name_keepspace (sh_string_str(message));
[183]710 sh_error_handle (severity, FIL__, __LINE__, 0, MSG_LOGMON_SUM,
711 msg,
712 sh_string_str(host),
713 tmp);
714 SH_FREE(msg);
715 SH_FREE(tmp);
716 SH_MUTEX_UNLOCK(mutex_thread_nolog);
717}
718
719static zAVLKey sh_eval_getkey(void const *item)
720{
721 return ((struct sh_ceval *)item)->hostname->str;
722}
723
724/* Find the counter, or initialize one if there is none already
725 */
726static struct sh_ceval * find_counter(struct sh_geval * rule,
727 sh_string * host, time_t interval)
728{
729 struct sh_ceval * counter;
730
731 if (!(rule->counterlist))
732 {
733 DEBUG("debug: allocate new counterlist AVL tree\n");
734 rule->counterlist = zAVLAllocTree(sh_eval_getkey);
735 }
736
737 counter = (struct sh_ceval *) zAVLSearch (rule->counterlist,
738 sh_string_str(host));
739
740 if (!counter)
741 {
742 DEBUG("debug: no counter found\n");
743
744 counter = SH_ALLOC(sizeof(struct sh_ceval));
745 counter->hostname = sh_string_new_from_lchar(sh_string_str(host),
746 sh_string_len(host));
747 counter->counted_str = NULL;
748 counter->filename = NULL;
749 counter->count = 0;
750 counter->start = time(NULL);
751 counter->interval = interval;
752
753 zAVLInsert(rule->counterlist, counter);
754 }
755 return counter;
756
757}
758
759/* copy the message and replace captured substrings with '___'
760 */
761static sh_string * replace_captures(const sh_string * message,
762 int * ovector, int ovecnum)
763{
764 sh_string * retval = sh_string_new_from_lchar(sh_string_str(message),
765 sh_string_len(message));
766
767 if (ovecnum > 1)
768 {
769 retval = sh_string_replace(retval, &(ovector[2]), (ovecnum-1), "___", 3);
770 }
771 return retval;
772}
773
774
775/* process the counter for a SUM rule
776 */
777static int process_counter(struct sh_ceval * counter,
778 struct sh_geval * rule, struct sh_logrecord * record)
779{
780 int retval = -1;
781 time_t now;
782
783 if (!(counter->counted_str))
784 {
785 counter->counted_str = replace_captures(record->message, rule->ovector,
786 rule->ovecnum);
787 counter->filename = sh_string_new_from_lchar(record->filename,
788 strlen(record->filename));
789 DEBUG("debug: counted_str after replace: %s\n",
790 sh_string_str(counter->counted_str));
791 }
792
793 ++(counter->count);
794 now = time(NULL); now -= counter->start;
795 DEBUG("debug: count %lu, interval %lu, time %lu\n",
796 counter->count, counter->interval, now);
797 if (now >= counter->interval)
798 {
799 DEBUG("debug: report count\n");
800 sum_report(rule->queue->severity, counter->hostname,
801 counter->counted_str, counter->filename);
802 counter->start = time(NULL);
803 counter->count = 0;
804 }
805 return retval;
806}
807
808/* Process a rule
809 */
810static int process_rule(struct sh_geval * rule, struct sh_logrecord * record)
811{
812 int retval = -1;
813 struct sh_qeval * queue = rule->queue;
814
815 if (queue)
816 {
817 DEBUG("debug: queue policy = %d found\n", queue->policy);
818 if (queue->policy == EVAL_REPORT)
819 {
820 DEBUG("debug: EVAL_REPORT host: %s, prefix: %s, message: %s\n",
821 sh_string_str(record->host),
822 sh_string_str(record->prefix),
823 sh_string_str(record->message));
824 msg_report(queue->severity, record);
825 retval = 0;
826 }
827 else if (queue->policy == EVAL_SUM)
828 {
829
830 struct sh_ceval * counter =
831 find_counter(rule, record->host, queue->interval);
832 DEBUG("debug: EVAL_SUM host: %s, prefix: %s, message: %s\n",
833 sh_string_str(record->host),
834 sh_string_str(record->prefix),
835 sh_string_str(record->message));
836 if (counter)
837 {
838 DEBUG("debug: counter found\n");
839 retval = process_counter(counter, rule, record);
840 }
841 }
842 }
843 else
844 {
845 DEBUG("debug: no queue found -- trash\n");
846 /* No queue means 'trash' */
847 retval = 0;
848 }
849 return retval;
850}
851
852#define DEFAULT_SEVERITY (-1)
853
854int sh_eval_process_msg(struct sh_logrecord * record)
855{
856 static unsigned long i = 0;
857 if (record)
858 {
859 struct sh_geval * rule = find_rule (record->host, record->prefix,
860 record->message);
861
862 if (rule)
863 {
864 DEBUG("debug: (%lu) rule found\n", i); ++i;
865 return process_rule(rule, record);
866 }
867 else
868 {
869 DEBUG("debug: (%lu) no rule found\n", i); ++i;
870 msg_report(DEFAULT_SEVERITY, record);
871 }
872 return 0;
873 }
874 return -1;
875}
876
877#endif
Note: See TracBrowser for help on using the repository browser.