Index: trunk/include/sh_cat.h
===================================================================
--- trunk/include/sh_cat.h	(revision 174)
+++ trunk/include/sh_cat.h	(revision 183)
@@ -157,4 +157,14 @@
 #ifdef SH_USE_USERFILES
  MSG_USERFILES_SUMMARY,
+#endif
+
+#ifdef USE_LOGFILE_MONITOR
+ MSG_LOGMON_CHKS,
+ MSG_LOGMON_CHKE,
+ MSG_LOGMON_MISS,
+ MSG_LOGMON_EOPEN,
+ MSG_LOGMON_EREAD,
+ MSG_LOGMON_REP,
+ MSG_LOGMON_SUM,
 #endif
 
Index: trunk/include/sh_log_check.h
===================================================================
--- trunk/include/sh_log_check.h	(revision 183)
+++ trunk/include/sh_log_check.h	(revision 183)
@@ -0,0 +1,107 @@
+#ifndef SH_LOGCHECK_H
+#define SH_LOGCHECK_H
+
+#include <sys/types.h>
+#include <time.h>
+
+/* Convert a struct tm to unix timestamp with caching 
+ */
+time_t conv_timestamp (struct tm * btime, 
+		       struct tm * old_tm, time_t * old_time);
+
+/* Definition of a log record entry, to be returned from parsing function.
+ */
+#define PID_INVALID 0
+struct sh_logrecord 
+{
+  char      * filename;
+  sh_string * prefix; /* actually a string to group messages */
+  sh_string * host;
+  sh_string * timestr;
+  pid_t       pid;
+  time_t      timestamp;
+  sh_string * message;
+};
+
+#define SH_LOGFILE_MOVED  (1<<0)
+#define SH_LOGFILE_REWIND (1<<1)
+
+struct sh_logfile 
+{
+  FILE * fp;
+  int    flags;
+  char * filename;
+  dev_t  device_id;
+  ino_t  inode;
+  fpos_t offset;
+
+  /* Info for the parser, e.g. a regular expression
+   */
+  void * fileinfo;
+
+  /* Callback function to read the next record
+   */
+  sh_string *           (*get_record)  (sh_string * record, 
+					struct sh_logfile * logfile);
+
+  /* Callback function to parse the record into standard format
+   */
+  struct sh_logrecord * (*parse_record)(sh_string * logline, void * fileinfo);
+
+  struct sh_logfile * next;
+};
+
+/****************************************************************
+ **
+ ** Parsing and reading functions
+ **/
+
+/* Open file, position at stored offset. */
+int sh_open_for_reader (struct sh_logfile * logfile);
+
+/* Simple line reader.   */ 
+sh_string * sh_default_reader (sh_string * record, 
+			       struct sh_logfile * logfile);
+
+/* Binary reader */
+sh_string * sh_binary_reader (void * s, size_t size, struct sh_logfile * logfile);
+
+/* Parses a syslog-style line. */
+struct sh_logrecord * sh_parse_syslog (sh_string * logline, void * fileinfo);
+
+/* Format info for apache log. */
+void * sh_eval_fileinfo_apache(char * str);
+
+/* Parses a apache-style line. */
+struct sh_logrecord * sh_parse_apache (sh_string * logline, void * fileinfo);
+
+/* Get a pacct record */
+sh_string * sh_read_pacct (sh_string * record, struct sh_logfile * logfile);
+
+/* Parses a pacct record. */
+struct sh_logrecord * sh_parse_pacct (sh_string * logline, void * fileinfo);
+
+/**
+*****************************************************************/
+
+int sh_get_hidepid();
+int sh_set_hidepid(const char *s);
+
+#define SH_MAX_LCODE_SIZE 16
+
+struct sh_logfile_type 
+{
+  char code[SH_MAX_LCODE_SIZE];
+
+  /* read callback */
+  /*@null@*/sh_string * (*get_record)  (sh_string * record,
+					struct sh_logfile * logfile);
+  /* parsing callback */
+  struct sh_logrecord * (*parse_record)(sh_string * logline, void * fileinfo);
+
+  /* evaluate fileinfo */
+  void * (*eval_fileinfo)(char * str); 
+};
+
+
+#endif
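Review bot: This header is not self-contained: `struct sh_logfile` uses `FILE` and `fpos_t`, and most declarations use `sh_string`, yet only `<sys/types.h>` and `<time.h>` are included. Adding `#include <stdio.h>` and `#include "sh_string.h"` (presumably where `sh_string` is defined) below the guard removes the dependence on include order. The other two new headers in this commit have the same problem: `sh_log_evalrule.h` names `struct sh_logrecord` only inside a parameter list, which gives it prototype scope unless `sh_log_check.h` was included earlier, and `sh_logmon.h` uses `sh_rconf`, `struct mod_type` and `time_t` with no include at all. Separately, `int sh_get_hidepid();` here and `void sh_eval_cleanup();` in `sh_log_evalrule.h` are not prototypes in C; write `(void)` so that calls with stray arguments are diagnosed.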
Index: trunk/include/sh_log_evalrule.h
===================================================================
--- trunk/include/sh_log_evalrule.h	(revision 183)
+++ trunk/include/sh_log_evalrule.h	(revision 183)
@@ -0,0 +1,38 @@
+#ifndef SH_EVALRULE_H
+#define SH_EVALRULE_H
+
+/* Clean up everything.
+ */
+void sh_eval_cleanup();
+
+/* Define a new reporting queue, str := label:interval:(report|sum):severity
+ */
+int sh_eval_qadd (const char * str);
+
+/* Add a new rule, str := queue:regex
+ * If there is an open group, add it to its rules.
+ * ..else, add it to the currently open host (open the
+ * default host, if there is no open one)
+ */
+int sh_eval_radd (const char * str);
+
+/* Open a new host group definition.
+ */
+int sh_eval_hadd (const char * str);
+/*
+ * End the host definition
+ */
+int sh_eval_hend (const char * str);
+
+
+/* Open a new group definition. If a host is currently open, 
+ * the new group will automatically be added to that host.
+ */
+int sh_eval_gadd (const char * str);
+/*
+ * End the group definition
+ */
+int sh_eval_gend (const char * str);
+
+int sh_eval_process_msg(struct sh_logrecord * record);
+#endif
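Review bot: `sh_eval_process_msg` is the only declaration in this header without a comment, and it is the one that takes parsed log content, which may contain text chosen by whoever can cause log entries to be written. Its comment should say what the `int` return value means and whether the function takes ownership of `record` and the `sh_string` members inside it, since neither can be read off the prototype. Something like `/* Match a parsed record against the configured rules; record stays owned by the caller. */` would do, if that is the actual contract. The same return-value gap applies to the `sh_eval_*add` and `sh_eval_*end` functions, whose comments give the format of `str` but not how a malformed string is reported.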
Index: trunk/include/sh_logmon.h
===================================================================
--- trunk/include/sh_logmon.h	(revision 183)
+++ trunk/include/sh_logmon.h	(revision 183)
@@ -0,0 +1,12 @@
+#ifndef SH_LOGMON_H
+#define SH_LOGMON_H
+
+extern sh_rconf sh_log_check_table[];
+
+int sh_log_check_init (struct mod_type * arg);
+int sh_log_check_timer(time_t tcurrent);
+int sh_log_check_check(void);
+int sh_log_check_reconf(void); 
+int sh_log_check_cleanup(void);
+
+#endif
Index: trunk/include/sh_string.h
===================================================================
--- trunk/include/sh_string.h	(revision 174)
+++ trunk/include/sh_string.h	(revision 183)
@@ -19,21 +19,25 @@
 /* concat string to sh_string
  */
-sh_string * sh_string_cat_lchar(sh_string * s, char * str, size_t len);
+sh_string * sh_string_cat_lchar(sh_string * s, const char * str, size_t len);
+
+/* add char array to end of string */
+sh_string * sh_string_add_from_char(sh_string * s, const char * str);
 
 /* set sh_string from string
  */
-sh_string * sh_string_set_from_char(sh_string * s, char * str);
+sh_string * sh_string_set_from_char(sh_string * s, const char * str);
 
 /* create new sh_string from array of given length
  */
-sh_string * sh_string_new_from_lchar(char * str, size_t len);
+sh_string * sh_string_new_from_lchar(const char * str, size_t len);
 
-#define sh_string_copy(a) ((a) ? sh_string_new_from_lchar(((a)->str), ((a)->len)) : NULL)
+#define sh_string_copy(a)  ((a) ? sh_string_new_from_lchar(((a)->str), ((a)->len)) : NULL)
+#define sh_string_add(a,b) ((a && b) ? sh_string_add_from_lchar((a), ((b)->str), ((b)->len)) : NULL)
 
 /* create new sh_string from three arrays of given length
  */
-sh_string * sh_string_new_from_lchar3(char * str1, size_t len1,
-                                      char * str2, size_t len2,
-                                      char * str3, size_t len3);
+sh_string * sh_string_new_from_lchar3(const char * str1, size_t len1,
+                                      const char * str2, size_t len2,
+                                      const char * str3, size_t len3);
 
 /* Truncate to desired length.
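Review bot: The new `sh_string_add` macro tests `(a && b)` without parenthesizing its arguments, and it expands to `sh_string_add_from_lchar`, a name that none of the visible hunks declares. The functions declared here are `sh_string_add_from_char(s, str)` and the three-argument `sh_string_cat_lchar(s, str, len)`. If the header has no such declaration outside this hunk, the first use of the macro becomes an implicit declaration or a link error. Assuming `sh_string_cat_lchar` is the intended target, `#define sh_string_add(a,b) (((a) && (b)) ? sh_string_cat_lchar((a), ((b)->str), ((b)->len)) : NULL)` fixes both. `a` and `b` are still evaluated more than once, so a `static inline` function would be safer for arguments with side effects.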
@@ -45,3 +49,37 @@
 sh_string * sh_string_grow(sh_string * s, size_t increase);
 
+/* Read a string from a file, with maxlen. Return 0 on EOF,
+ * -1 on error, and -2 if a line exceeds maxlen.
+ */
+size_t sh_string_read(sh_string * s, FILE * fp, size_t maxlen);
+
+/* Split array at delim in at most nfields fields. 
+ * Empty fields are returned as empty (zero-length) strings. 
+ * Leading and trailing WS are removed from token. 
+ * The number of fields is returned in 'nfields', their
+ * lengths in 'lengths'.
+ * A single delimiter will return two empty fields.
+ */
+char ** split_array(char *line, unsigned int * nfields, 
+                    char delim, size_t * lengths);
+
+/* Split array at whitespace in at most nfields fields.
+ * Multiple whitespaces are collapsed. 
+ * Empty fields are returned as empty (zero-length) strings.
+ * The number of fields is returned in nfields.
+ * An empty string will return zero fields.
+ * If nfields < actual fields, last string will be remainder.
+ */
+char ** split_array_ws(char *line, unsigned int * nfields, size_t * lengths);
+
+/* Replaces fields in s with 'replacement'. Fields are given
+ * in the ordered array ovector, comprising ovecnum pairs 
+ * ovector[i], ovector[i+1] which list offset of first char
+ * of field, offset of first char after field (this is how
+ * the pcre library does it).
+ */  
+sh_string * sh_string_replace(const sh_string * s, 
+                              const int * ovector, int ovecnum, 
+                              const char * replacement, size_t rlen);
+
 #endif
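Review bot: `sh_string_read` is documented to return -1 on error and -2 when a line exceeds `maxlen`, but its return type is `size_t`, so both values reach the caller as very large positive numbers and a check such as `if (ret < 0)` is always false. This function is presumably what the new log readers use, and there a failed or over-long read mistaken for a huge successful length is the kind of error that leads to bad length handling downstream. Either make the return type signed, e.g. `ssize_t sh_string_read(sh_string * s, FILE * fp, size_t maxlen);` (the definition is outside this hunk and would need the same change), or keep `size_t` and document the sentinels as `(size_t)-1` and `(size_t)-2` so that callers compare against them explicitly. The comment should also say how an empty line is distinguished from the 0 returned at EOF.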
Index: trunk/include/sh_unix.h
===================================================================
--- trunk/include/sh_unix.h	(revision 174)
+++ trunk/include/sh_unix.h	(revision 183)
@@ -243,5 +243,5 @@
 /* check a file 
  */
-int tf_trust_check (char * file, int mode);
+int tf_trust_check (const char * file, int mode);
 
 /* initialize group vector
Index: trunk/include/slib.h
===================================================================
--- trunk/include/slib.h	(revision 174)
+++ trunk/include/slib.h	(revision 183)
@@ -405,9 +405,9 @@
   /* Check whether file is trustworthy.
    */
-  int sl_trustfile(char * path, uid_t * ok, uid_t * bad);
+  int sl_trustfile(const char * path, uid_t * ok, uid_t * bad);
 
   /* Check whether file is trustworthy.
    */
-  int sl_trustfile_euid(char * filename, uid_t euid);
+  int sl_trustfile_euid(const char * filename, uid_t euid);
 
   /* purge list of trusted users
