source: trunk/src/sh_log_parse_syslog.c@ 196

Last change on this file since 196 was 186, checked in by katerina, 16 years ago

More fixes for log monitoring, and documentation update.

File size: 3.8 KB
RevLine 
[183]1/**************************************
2 **
3 ** PARSER RULES
4 **
5 ** (a) must set record->host
6 ** (eventually to dummy value)
7 **
8 ** (b) must set record->prefix
9 ** (eventually to dummy value)
10 **
11 **
12 **************************************/
13
14/* for strptime */
15#define _XOPEN_SOURCE
16
17#include "config_xor.h"
18
19#include <stdio.h>
20#include <stdlib.h>
21#include <string.h>
22#include <sys/types.h>
23#include <time.h>
24
25#ifdef USE_LOGFILE_MONITOR
26
27#include "samhain.h"
28#include "sh_pthread.h"
29#include "sh_log_check.h"
30#include "sh_utils.h"
31#include "sh_string.h"
32
33#undef FIL__
34#define FIL__ _("sh_log_parse_syslog.c")
35
36static int hidepid = 0;
37extern int flag_err_debug;
38
39int sh_get_hidepid()
40{
41 return hidepid;
42}
43
44int sh_set_hidepid(const char *s)
45{
46 return sh_util_flagval(s, &hidepid);
47}
48
49struct sh_logrecord * sh_parse_syslog (sh_string * logline, void * fileinfo)
50{
51 static const char * format0_1 = N_("%b %d %T");
52 static const char * format0_2 = N_("%Y-%m-%dT%T");
53
54 static char format_1[16];
55 static char format_2[16];
56 static int format_init = 0;
57
58 static struct tm old_tm;
59 static time_t old_time;
60
61 const unsigned int Tpos = 10;
62 unsigned int tlen = 16;
63
64 (void) fileinfo;
65
66 if (!format_init)
67 {
68 sl_strlcpy(format_1, _(format0_1), sizeof(format_1));
69 sl_strlcpy(format_2, _(format0_2), sizeof(format_2));
70 format_init = 1;
71 }
72
73
74 if (sh_string_len(logline) > 0 && flag_err_debug == SL_TRUE)
75 {
76 SH_MUTEX_LOCK(mutex_thread_nolog);
77 sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN,
78 logline->str,
79 _("sh_parse_syslog"));
80 SH_MUTEX_UNLOCK(mutex_thread_nolog);
81 }
82
83 if (logline && sh_string_len(logline) > tlen)
84 {
85 struct tm btime;
86 char * ptr;
87 int flag;
88 size_t lengths[3];
89
90 memset(&btime, '\0', sizeof(struct tm));
91
92 /* This is RFC 3164.
93 */
94 if (logline->str[Tpos] != 'T')
95 {
96 logline->str[tlen-1] = '\0';
97 ptr = /*@i@*/strptime(logline->str, format_1, &btime);
98 }
99
100 /* RFC 3339 describes an alternative timestamp format.
101 * Unfortunately, POSIX strptime() does not support reading
102 * the TZ offset.
103 */
104 else
105 {
106 ptr = strptime(logline->str, format_2, &btime);
107 if (ptr)
108 {
109 tlen = 20;
110 if (*ptr && *ptr != ' ') {
111 do { ++ptr; ++tlen; } while (*ptr && *ptr != ' ');
112 if (*ptr == ' ') *ptr = '\0';
113 }
114 }
115 }
116
117 if (ptr && *ptr == '\0') /* no error, whole string consumed */
118 {
119 unsigned int fields = 3; /* host program(\[pid\])+: message */
120 char ** array = split_array_ws(&(logline->str[tlen]), &fields, lengths);
121
122 if (fields == 3)
123 {
124 struct sh_logrecord * record = SH_ALLOC(sizeof(struct sh_logrecord));
125
126 record->timestamp = conv_timestamp(&btime, &old_tm, &old_time);
127 record->timestr = sh_string_new_from_lchar(logline->str, (tlen-1));
128
129 /* host
130 */
131 record->host = sh_string_new_from_lchar(array[0], lengths[0]);
132
133 /* program and pid
134 */
135 if (NULL != (ptr = strchr(array[1], '[')))
136 {
137 *ptr = '\0';
138 ++ptr;
139 record->pid = (pid_t) atoi(ptr);
[186]140
[183]141 if (hidepid == 0 || !*ptr) {
142 --ptr;
143 *ptr = '[';
144 } else {
145 *ptr = '\0'; /* overwrite first digit */
146 --ptr;
147 *ptr = ':'; /* overwrite ex-':' */
148 lengths[1] = strlen(array[1]);
149 }
150 }
151 else
152 {
153 flag = 0;
154 ptr = array[1];
155 if (ptr[lengths[1]] == ':') {
156 ptr[lengths[1]] = '\0';
157 flag = 1;
158 }
159 record->pid = PID_INVALID;
160 if (flag == 1) {
161 ptr[lengths[1]] = ':';
162 }
163 }
164
165 /* message
166 */
167 record->message = sh_string_new_from_lchar3(array[1], lengths[1],
168 " ", 1,
169 array[2], lengths[2]);
170
171 SH_FREE(array);
172 return record;
173 }
174 SH_FREE(array);
175 }
176 }
177 /* corrupted logline
178 */
179 return NULL;
180}
181
182/* USE_LOGFILE_MONITOR */
183#endif
Note: See TracBrowser for help on using the repository browser.