source: trunk/src/sh_log_parse_syslog.c@ 322

Last change on this file since 322 was 292, checked in by katerina, 14 years ago

Fix for compile problems on Solaris 10 (ticket #220).

File size: 4.0 KB
Line 
1/**************************************
2 **
3 ** PARSER RULES
4 **
5 ** (a) must set record->host
6 ** (eventually to dummy value)
7 **
8 ** (b) must set record->prefix
9 ** (eventually to dummy value)
10 **
11 **
12 **************************************/
13
14/* for strptime */
15#define _XOPEN_SOURCE
16
17#include "config_xor.h"
18
19#include <stdio.h>
20#include <stdlib.h>
21#include <string.h>
22
23#if defined(HOST_IS_SOLARIS)
24/* For 'struct timeval' in <sys/time.h> */
25#define __EXTENSIONS__
26#endif
27
28#include <sys/types.h>
29#include <time.h>
30
31#ifdef USE_LOGFILE_MONITOR
32
33#include "samhain.h"
34#include "sh_pthread.h"
35#include "sh_log_check.h"
36#include "sh_utils.h"
37#include "sh_string.h"
38
39#undef FIL__
40#define FIL__ _("sh_log_parse_syslog.c")
41
42static int hidepid = 0;
43extern int flag_err_debug;
44
45int sh_get_hidepid()
46{
47 return hidepid;
48}
49
50int sh_set_hidepid(const char *s)
51{
52 return sh_util_flagval(s, &hidepid);
53}
54
55struct sh_logrecord * sh_parse_syslog (sh_string * logline, void * fileinfo)
56{
57 static const char * format0_1 = N_("%b %d %T");
58 static const char * format0_2 = N_("%Y-%m-%dT%T");
59
60 static char format_1[16];
61 static char format_2[16];
62 static int format_init = 0;
63
64 static struct tm old_tm;
65 static time_t old_time;
66
67 const unsigned int Tpos = 10;
68 volatile unsigned int tlen = 16;
69
70 (void) fileinfo;
71
72 if (!format_init)
73 {
74 sl_strlcpy(format_1, _(format0_1), sizeof(format_1));
75 sl_strlcpy(format_2, _(format0_2), sizeof(format_2));
76 format_init = 1;
77 }
78
79
80 if (flag_err_debug == SL_TRUE && sh_string_len(logline) > 0)
81 {
82 SH_MUTEX_LOCK(mutex_thread_nolog);
83 sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN,
84 logline->str,
85 _("sh_parse_syslog"));
86 SH_MUTEX_UNLOCK(mutex_thread_nolog);
87 }
88
89 if (logline && sh_string_len(logline) > tlen)
90 {
91 struct tm btime;
92 char * ptr;
93 int flag;
94 size_t lengths[3];
95
96 memset(&btime, '\0', sizeof(struct tm));
97
98 /* This is RFC 3164.
99 */
100 if (logline->str[Tpos] != 'T')
101 {
102 logline->str[tlen-1] = '\0';
103 ptr = /*@i@*/strptime(logline->str, format_1, &btime);
104 }
105
106 /* RFC 3339 describes an alternative timestamp format.
107 * Unfortunately, POSIX strptime() does not support reading
108 * the TZ offset.
109 */
110 else
111 {
112 ptr = strptime(logline->str, format_2, &btime);
113 if (ptr)
114 {
115 tlen = 20;
116 if (*ptr && *ptr != ' ') {
117 do { ++ptr; ++tlen; } while (*ptr && *ptr != ' ');
118 if (*ptr == ' ') *ptr = '\0';
119 }
120 }
121 }
122
123 if (ptr && *ptr == '\0') /* no error, whole string consumed */
124 {
125 unsigned int fields = 3; /* host program(\[pid\])+: message */
126 char ** array = split_array_ws(&(logline->str[tlen]), &fields, lengths);
127
128 if (fields == 3)
129 {
130 struct sh_logrecord * record = SH_ALLOC(sizeof(struct sh_logrecord));
131
132 record->timestamp = conv_timestamp(&btime, &old_tm, &old_time);
133 record->timestr = sh_string_new_from_lchar(logline->str, (tlen-1));
134
135 /* host
136 */
137 record->host = sh_string_new_from_lchar(array[0], lengths[0]);
138
139 /* program and pid
140 */
141 if (NULL != (ptr = strchr(array[1], '[')))
142 {
143 *ptr = '\0';
144 ++ptr;
145 record->pid = (pid_t) atoi(ptr);
146
147 if (hidepid == 0 || !*ptr) {
148 --ptr;
149 *ptr = '[';
150 } else {
151 *ptr = '\0'; /* overwrite first digit */
152 --ptr;
153 *ptr = ':'; /* overwrite ex-':' */
154 lengths[1] = strlen(array[1]);
155 }
156 }
157 else
158 {
159 flag = 0;
160 ptr = array[1];
161 if (ptr[lengths[1]] == ':') {
162 ptr[lengths[1]] = '\0';
163 flag = 1;
164 }
165 record->pid = PID_INVALID;
166 if (flag == 1) {
167 ptr[lengths[1]] = ':';
168 }
169 }
170
171 /* message
172 */
173 record->message = sh_string_new_from_lchar3(array[1], lengths[1],
174 " ", 1,
175 array[2], lengths[2]);
176
177 SH_FREE(array);
178 return record;
179 }
180 SH_FREE(array);
181 }
182 }
183 /* corrupted logline
184 */
185 return NULL;
186}
187
188/* USE_LOGFILE_MONITOR */
189#endif
Note: See TracBrowser for help on using the repository browser.