source: trunk/src/sh_log_parse_syslog.c@ 208

Last change on this file since 208 was 199, checked in by katerina, 16 years ago

While we're at it, implement 'else' cor the config file conditionals. Also fix some compile warnings and improve docs.

File size: 3.9 KB
RevLine 
[183]1/**************************************
2 **
3 ** PARSER RULES
4 **
5 ** (a) must set record->host
6 ** (eventually to dummy value)
7 **
8 ** (b) must set record->prefix
9 ** (eventually to dummy value)
10 **
11 **
12 **************************************/
13
14/* for strptime */
15#define _XOPEN_SOURCE
16
17#include "config_xor.h"
18
19#include <stdio.h>
20#include <stdlib.h>
21#include <string.h>
22#include <sys/types.h>
23#include <time.h>
24
25#ifdef USE_LOGFILE_MONITOR
26
27#include "samhain.h"
28#include "sh_pthread.h"
29#include "sh_log_check.h"
30#include "sh_utils.h"
31#include "sh_string.h"
32
33#undef FIL__
34#define FIL__ _("sh_log_parse_syslog.c")
35
36static int hidepid = 0;
37extern int flag_err_debug;
38
39int sh_get_hidepid()
40{
41 return hidepid;
42}
43
44int sh_set_hidepid(const char *s)
45{
46 return sh_util_flagval(s, &hidepid);
47}
48
49struct sh_logrecord * sh_parse_syslog (sh_string * logline, void * fileinfo)
50{
51 static const char * format0_1 = N_("%b %d %T");
52 static const char * format0_2 = N_("%Y-%m-%dT%T");
53
54 static char format_1[16];
55 static char format_2[16];
56 static int format_init = 0;
57
58 static struct tm old_tm;
59 static time_t old_time;
60
61 const unsigned int Tpos = 10;
[199]62 volatile unsigned int tlen = 16;
[183]63
64 (void) fileinfo;
65
66 if (!format_init)
67 {
68 sl_strlcpy(format_1, _(format0_1), sizeof(format_1));
69 sl_strlcpy(format_2, _(format0_2), sizeof(format_2));
70 format_init = 1;
71 }
72
73
74 if (sh_string_len(logline) > 0 && flag_err_debug == SL_TRUE)
75 {
76 SH_MUTEX_LOCK(mutex_thread_nolog);
77 sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN,
78 logline->str,
79 _("sh_parse_syslog"));
80 SH_MUTEX_UNLOCK(mutex_thread_nolog);
81 }
82
83 if (logline && sh_string_len(logline) > tlen)
84 {
85 struct tm btime;
86 char * ptr;
87 int flag;
88 size_t lengths[3];
89
90 memset(&btime, '\0', sizeof(struct tm));
91
92 /* This is RFC 3164.
93 */
94 if (logline->str[Tpos] != 'T')
95 {
96 logline->str[tlen-1] = '\0';
97 ptr = /*@i@*/strptime(logline->str, format_1, &btime);
98 }
99
100 /* RFC 3339 describes an alternative timestamp format.
101 * Unfortunately, POSIX strptime() does not support reading
102 * the TZ offset.
103 */
104 else
105 {
106 ptr = strptime(logline->str, format_2, &btime);
107 if (ptr)
108 {
109 tlen = 20;
110 if (*ptr && *ptr != ' ') {
111 do { ++ptr; ++tlen; } while (*ptr && *ptr != ' ');
112 if (*ptr == ' ') *ptr = '\0';
113 }
114 }
115 }
116
117 if (ptr && *ptr == '\0') /* no error, whole string consumed */
118 {
119 unsigned int fields = 3; /* host program(\[pid\])+: message */
120 char ** array = split_array_ws(&(logline->str[tlen]), &fields, lengths);
121
122 if (fields == 3)
123 {
124 struct sh_logrecord * record = SH_ALLOC(sizeof(struct sh_logrecord));
125
126 record->timestamp = conv_timestamp(&btime, &old_tm, &old_time);
127 record->timestr = sh_string_new_from_lchar(logline->str, (tlen-1));
128
129 /* host
130 */
131 record->host = sh_string_new_from_lchar(array[0], lengths[0]);
132
133 /* program and pid
134 */
135 if (NULL != (ptr = strchr(array[1], '[')))
136 {
137 *ptr = '\0';
138 ++ptr;
139 record->pid = (pid_t) atoi(ptr);
[186]140
[183]141 if (hidepid == 0 || !*ptr) {
142 --ptr;
143 *ptr = '[';
144 } else {
145 *ptr = '\0'; /* overwrite first digit */
146 --ptr;
147 *ptr = ':'; /* overwrite ex-':' */
148 lengths[1] = strlen(array[1]);
149 }
150 }
151 else
152 {
153 flag = 0;
154 ptr = array[1];
155 if (ptr[lengths[1]] == ':') {
156 ptr[lengths[1]] = '\0';
157 flag = 1;
158 }
159 record->pid = PID_INVALID;
160 if (flag == 1) {
161 ptr[lengths[1]] = ':';
162 }
163 }
164
165 /* message
166 */
167 record->message = sh_string_new_from_lchar3(array[1], lengths[1],
168 " ", 1,
169 array[2], lengths[2]);
170
171 SH_FREE(array);
172 return record;
173 }
174 SH_FREE(array);
175 }
176 }
177 /* corrupted logline
178 */
179 return NULL;
180}
181
182/* USE_LOGFILE_MONITOR */
183#endif
Note: See TracBrowser for help on using the repository browser.