Last change on this file since 290 was 186, checked in by katerina, 16 years ago

More fixes for log monitoring, and documentation update.
/**************************************
 **
 ** PARSER RULES
 **
 ** (a) must set record->host
 **     (possibly to a dummy value)
 **
 ** (b) must set record->prefix
 **     (command)
 **
 **
 **************************************/
13
14/* for strptime */
15#define _XOPEN_SOURCE
16
17#include "config_xor.h"
18#include <string.h>
19#include <time.h>
20
21#if defined(USE_LOGFILE_MONITOR)
22
23#include "samhain.h"
24#include "sh_pthread.h"
25#include "sh_log_check.h"
26#include "sh_string.h"
27
28#undef FIL__
29#define FIL__ _("sh_log_parse_samba.c")
30
31
/* Read one logical samba log record from 'logfile' into 'record'.
 *
 * Delegates to the generic continuation-line reader; the separator set
 * handed over is blank and tab (presumably the characters that open a
 * continuation line in samba logs -- confirm against sh_cont_reader).
 * Returns whatever sh_cont_reader returns.
 */
sh_string * sh_read_samba (sh_string * record, struct sh_logfile * logfile)
{
  static const char cont_chars[] = " \t";

  return sh_cont_reader (record, logfile, cont_chars);
}
36
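/* Parse one samba log line (as delivered by sh_read_samba) into a
 * freshly allocated struct sh_logrecord.
 *
 * The line is expected to start with a bracketed timestamp of the form
 * "[%Y/%m/%d %T" that is terminated by a ','; the remainder is split
 * into whitespace-separated fields, the third of which becomes the
 * message. 'fileinfo' is unused.
 *
 * Returns the new record (owned by the caller) or NULL when the line is
 * empty, has no ',' or does not match the expected timestamp format.
 *
 * NOTE(review): the parser rules in the file header require
 * record->prefix to be set, but this parser never assigns it; confirm
 * that SH_ALLOC zero-fills the record or that consumers tolerate an
 * unset prefix.
 */
struct sh_logrecord * sh_parse_samba (sh_string * logline, void * fileinfo)
{
  /* Cache carried between calls for conv_timestamp(). */
  static struct tm old_tm;
  static time_t old_time;

  struct sh_logrecord * record = NULL;

  /* Timestamp format; translated once into format_1 on first use. */
  static const char * format0_1 = N_("[%Y/%m/%d %T");
  static char format_1[16];
  static int format_init = 0;

  (void) fileinfo;

  if (!format_init)
    {
      sl_strlcpy(format_1, _(format0_1), sizeof(format_1));
      format_init = 1;
    }

  if (logline && sh_string_len(logline) > 0)
    {
      size_t lengths[3];
      unsigned int fields = 3;
      char ** array;
      char * p = strchr(sh_string_str(logline), ',');

      /* Log input is untrusted: a line without the ',' that ends the
       * timestamp is not a samba header line. Previously this
       * dereferenced NULL. */
      if (!p)
        {
          return NULL;
        }

      /* Cut the buffer in place at the comma: the head is the timestamp
       * fed to strptime, the tail is split into fields. The sh_string
       * length is not updated here. */
      *p = '\0'; ++p;
      array = split_array_ws(p, &fields, lengths);

      if (array && fields == 3)
        {
          struct tm btime;
          char * ptr;

          memset(&btime, '\0', sizeof(struct tm));
          ptr = strptime(sh_string_str(logline), format_1, &btime);

          /* Because the head was NUL-terminated at the comma, a
           * successful parse must consume it completely. */
          if (ptr && *ptr == '\0')
            {
              record = SH_ALLOC(sizeof(struct sh_logrecord));

              record->timestamp = conv_timestamp(&btime, &old_tm, &old_time);

              /* Timestamp text without the leading '['. */
              p = sh_string_str(logline); ++p;

              record->timestr = sh_string_new_from_lchar(p, strlen(p));

              /* Third field of the tail, presumably the remainder of
               * the line (depends on split_array_ws semantics). */
              record->message = sh_string_new_from_lchar(array[2], lengths[2]);

              record->pid = 0;
              /* Rule (a): host is set to the local host name. */
              record->host = sh_string_new_from_lchar(sh.host.name,
                                                      strlen(sh.host.name));
            }
        }
      SH_FREE(array);
    }
  return record;
}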
95
96#endif