source: trunk/src/sh_log_parse_syslog.c@ 414

Last change on this file since 414 was 357, checked in by katerina, 13 years ago

Fix for ticket #263 (log correlation may not work).

File size: 4.0 KB
RevLine 
[183]1/**************************************
2 **
3 ** PARSER RULES
4 **
5 ** (a) must set record->host
6 ** (eventually to dummy value)
7 **
8 ** (b) must set record->prefix
9 ** (eventually to dummy value)
10 **
11 **
12 **************************************/
13
14/* for strptime */
15#define _XOPEN_SOURCE
16
17#include "config_xor.h"
18
19#include <stdio.h>
20#include <stdlib.h>
21#include <string.h>
[292]22
23#if defined(HOST_IS_SOLARIS)
24/* For 'struct timeval' in <sys/time.h> */
25#define __EXTENSIONS__
26#endif
27
[183]28#include <sys/types.h>
29#include <time.h>
30
31#ifdef USE_LOGFILE_MONITOR
32
33#include "samhain.h"
34#include "sh_pthread.h"
35#include "sh_log_check.h"
36#include "sh_utils.h"
37#include "sh_string.h"
38
39#undef FIL__
40#define FIL__ _("sh_log_parse_syslog.c")
41
42static int hidepid = 0;
43extern int flag_err_debug;
44
45int sh_get_hidepid()
46{
47 return hidepid;
48}
49
50int sh_set_hidepid(const char *s)
51{
52 return sh_util_flagval(s, &hidepid);
53}
54
55struct sh_logrecord * sh_parse_syslog (sh_string * logline, void * fileinfo)
56{
57 static const char * format0_1 = N_("%b %d %T");
58 static const char * format0_2 = N_("%Y-%m-%dT%T");
59
60 static char format_1[16];
61 static char format_2[16];
62 static int format_init = 0;
63
64 static struct tm old_tm;
65 static time_t old_time;
66
67 const unsigned int Tpos = 10;
[199]68 volatile unsigned int tlen = 16;
[183]69
70 (void) fileinfo;
71
72 if (!format_init)
73 {
74 sl_strlcpy(format_1, _(format0_1), sizeof(format_1));
75 sl_strlcpy(format_2, _(format0_2), sizeof(format_2));
76 format_init = 1;
77 }
78
79
[265]80 if (flag_err_debug == SL_TRUE && sh_string_len(logline) > 0)
[183]81 {
82 SH_MUTEX_LOCK(mutex_thread_nolog);
83 sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN,
84 logline->str,
85 _("sh_parse_syslog"));
86 SH_MUTEX_UNLOCK(mutex_thread_nolog);
87 }
88
89 if (logline && sh_string_len(logline) > tlen)
90 {
91 struct tm btime;
92 char * ptr;
93 int flag;
94 size_t lengths[3];
95
96 memset(&btime, '\0', sizeof(struct tm));
[357]97 btime.tm_isdst = -1;
[183]98
99 /* This is RFC 3164.
100 */
101 if (logline->str[Tpos] != 'T')
102 {
103 logline->str[tlen-1] = '\0';
104 ptr = /*@i@*/strptime(logline->str, format_1, &btime);
105 }
106
107 /* RFC 3339 describes an alternative timestamp format.
108 * Unfortunately, POSIX strptime() does not support reading
109 * the TZ offset.
110 */
111 else
112 {
113 ptr = strptime(logline->str, format_2, &btime);
114 if (ptr)
115 {
116 tlen = 20;
117 if (*ptr && *ptr != ' ') {
118 do { ++ptr; ++tlen; } while (*ptr && *ptr != ' ');
119 if (*ptr == ' ') *ptr = '\0';
120 }
121 }
122 }
123
124 if (ptr && *ptr == '\0') /* no error, whole string consumed */
125 {
126 unsigned int fields = 3; /* host program(\[pid\])+: message */
127 char ** array = split_array_ws(&(logline->str[tlen]), &fields, lengths);
128
129 if (fields == 3)
130 {
131 struct sh_logrecord * record = SH_ALLOC(sizeof(struct sh_logrecord));
132
133 record->timestamp = conv_timestamp(&btime, &old_tm, &old_time);
134 record->timestr = sh_string_new_from_lchar(logline->str, (tlen-1));
135
136 /* host
137 */
138 record->host = sh_string_new_from_lchar(array[0], lengths[0]);
139
140 /* program and pid
141 */
142 if (NULL != (ptr = strchr(array[1], '[')))
143 {
144 *ptr = '\0';
145 ++ptr;
146 record->pid = (pid_t) atoi(ptr);
[186]147
[183]148 if (hidepid == 0 || !*ptr) {
149 --ptr;
150 *ptr = '[';
151 } else {
152 *ptr = '\0'; /* overwrite first digit */
153 --ptr;
154 *ptr = ':'; /* overwrite ex-':' */
155 lengths[1] = strlen(array[1]);
156 }
157 }
158 else
159 {
160 flag = 0;
161 ptr = array[1];
162 if (ptr[lengths[1]] == ':') {
163 ptr[lengths[1]] = '\0';
164 flag = 1;
165 }
166 record->pid = PID_INVALID;
167 if (flag == 1) {
168 ptr[lengths[1]] = ':';
169 }
170 }
171
172 /* message
173 */
174 record->message = sh_string_new_from_lchar3(array[1], lengths[1],
175 " ", 1,
176 array[2], lengths[2]);
177
178 SH_FREE(array);
179 return record;
180 }
181 SH_FREE(array);
182 }
183 }
184 /* corrupted logline
185 */
186 return NULL;
187}
188
189/* USE_LOGFILE_MONITOR */
190#endif
Note: See TracBrowser for help on using the repository browser.