Ignore:
Timestamp:
Oct 31, 2008, 8:22:45 PM (16 years ago)
Author:
katerina
Message:

More fixes for log monitoring, and documentation update.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/sh_log_evalrule.c

    r185 r186  
    2424#include "sh_log_evalrule.h"
    2525#include "zAVLTree.h"
     26
     27extern int flag_err_debug;
    2628
    2729/* #define DEBUG_EVALRULES */
     
    9193  struct sh_geval * nextrule;        /* next rule in this group */
    9294  struct sh_geval * next;            /* next group of rules     */
     95  struct sh_geval * gnext;           /* grouplist next          */
    9396};
    9497
     
    176179  ng->nextrule    = NULL;
    177180  ng->next        = NULL;
     181  ng->gnext       = NULL;
    178182
    179183  if (!host_open)
     
    199203        {
    200204          tmp = grouplist;
    201           while (tmp->next != NULL) { tmp = tmp->next; }
    202           tmp->next = ng;
     205          while (tmp->gnext != NULL) { tmp = tmp->gnext; }
     206          tmp->gnext = ng;
    203207        } else {
    204208          grouplist = ng;
     
    319323    }
    320324 
     325  if (!strcmp(splits[1], _("trash"))) /* predefined, reserved */
     326    {
     327      SH_FREE(splits);
     328      SH_FREE(new);
     329      return -1;
     330    }
     331 
    321332  severity = sh_error_convert_level (splits[3]);
    322333  if (severity < 0)
     
    364375  return retval;
    365376}
     377
     378static struct sh_qeval ** dummy_queue;
    366379
    367380int sh_eval_radd (const char * str)
     
    380393  char **      splits = split_array(new, &nfields, ':', lengths);
    381394
     395  dummy_queue = &queue;
     396
    382397  if (nfields != 2)
    383398    {
     
    419434  rule_extra = NULL; /* pcre_study(rule, 0, &error); */
    420435  pcre_fullinfo(rule, rule_extra, PCRE_INFO_CAPTURECOUNT, &captures);
     436
     437  if (flag_err_debug == SL_TRUE)
     438    {
     439      char * emsg = SH_ALLOC(SH_ERRBUF_SIZE);
     440      sl_snprintf(emsg,  SH_ERRBUF_SIZE, _("Adding rule: |%s| with %d captures"),
     441                  splits[1], captures);
     442      SH_MUTEX_LOCK(mutex_thread_nolog);
     443      sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN,
     444                      emsg, _("sh_eval_radd"));
     445      SH_MUTEX_UNLOCK(mutex_thread_nolog);
     446      SH_FREE(emsg);
     447    }
    421448
    422449  DEBUG("adding rule: |%s| with %d captures\n", splits[1], captures);
     
    436463  nr->nextrule    = NULL;
    437464  nr->next        = NULL;
     465  nr->gnext       = NULL;
    438466
    439467  /*
     
    443471  if (group_open)
    444472    {
     473      if (flag_err_debug == SL_TRUE)
     474        {
     475          char * emsg = SH_ALLOC(SH_ERRBUF_SIZE);
     476          sl_snprintf(emsg,  SH_ERRBUF_SIZE, _("Adding rule to group |%s|"),
     477                      sh_string_str(group_open->label));
     478          SH_MUTEX_LOCK(mutex_thread_nolog);
     479          sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN,
     480                          emsg, _("sh_eval_radd"));
     481          SH_MUTEX_UNLOCK(mutex_thread_nolog);
     482          SH_FREE(emsg);
     483        }
     484
     485      DEBUG("adding rule to group |%s|\n", sh_string_str(group_open->label));
     486
    445487      if (group_open->nextrule)
    446488        {
     
    474516           * Add rule as member to grouplist, to facilitate cleanup
    475517           */
    476 #if 0
     518
     519          DEBUG("adding solitary rule to grouplist\n");
     520
    477521          if (grouplist)
    478522            {
    479523              tmp = grouplist;
    480               while (tmp->next != NULL) { tmp = tmp->next; }
    481               tmp->next = nr;
     524              while (tmp->gnext != NULL) { tmp = tmp->gnext; }
     525              tmp->gnext = nr;
    482526            } else {
    483527              grouplist = nr;
    484528            }
    485 #endif
     529
    486530
    487531          /*
    488532           * Add rule to host rulegroups
    489533           */
     534          DEBUG("adding solitary rule to host rulegroups\n");
     535
    490536          if (host_open->rulegroups)
    491537            {
    492               /* Second, third, ... rule go to host_open->rulegroups->nextrule,
    493                * since test_rules() iterates over nextrules
     538              /* Second, third, ... rule go to host_open->rulegroups->next,
     539               * since test_grules() iterates over nextrules
    494540               */
    495541              tmp = host_open->rulegroups;
    496               while (tmp->nextrule != NULL) { tmp = tmp->nextrule; }
    497               tmp->nextrule = nr;
     542              while (tmp->next != NULL) { tmp = tmp->next; }
     543              tmp->next = nr;
    498544            }
    499545          else
     
    516562void sh_eval_cleanup()
    517563{
    518   struct sh_geval * tmp;
    519 
    520564  struct sh_geval * gtmp;
    521565  struct sh_qeval * qtmp;
     
    525569    {
    526570      gtmp      = grouplist;
    527       grouplist = gtmp->next;
     571      grouplist = gtmp->gnext;
    528572
    529573      if (gtmp->label)      sh_string_destroy(&(gtmp->label));
     
    534578      if (gtmp->ovector)
    535579        SH_FREE(gtmp->ovector);
    536 
     580#if 0
    537581      while (gtmp->nextrule)
    538582        {
     
    548592          SH_FREE(tmp);
    549593        }
    550 
     594#endif
    551595      SH_FREE(gtmp);
    552596    }
     
    582626 * filled in
    583627 */
     628static struct sh_geval ** dummy1;
     629
    584630static struct sh_geval * test_rule (struct sh_geval * rule, sh_string *msg)
    585631{
    586   int res, count;
     632  int res;
     633  volatile int count;
     634
     635  dummy1 = &rule;
    587636
    588637  if (!rule)
     
    593642      count = 1;
    594643      do {
     644
     645        if (flag_err_debug == SL_TRUE)
     646          {
     647            char * emsg = SH_ALLOC(SH_ERRBUF_SIZE);
     648            sl_snprintf(emsg,  SH_ERRBUF_SIZE, _("Check rule %d for |%s|"),
     649                        count, sh_string_str(msg));
     650            SH_MUTEX_LOCK(mutex_thread_nolog);
     651            sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN,
     652                            emsg, _("test_rule"));
     653            SH_MUTEX_UNLOCK(mutex_thread_nolog);
     654            SH_FREE(emsg);
     655          }
     656
    595657        DEBUG("debug: check rule %d for <%s>\n", count, msg->str);
    596658        res = pcre_exec(rule->rule, rule->rule_extra,
     
    600662          {
    601663            rule->ovecnum = res;
     664
     665            if (flag_err_debug == SL_TRUE)
     666              {
     667                char * emsg = SH_ALLOC(SH_ERRBUF_SIZE);
     668                sl_snprintf(emsg,  SH_ERRBUF_SIZE, _("Rule %d matches, result = %d"),
     669                            count, res);
     670                SH_MUTEX_LOCK(mutex_thread_nolog);
     671                sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN,
     672                                emsg, _("test_rule"));
     673                SH_MUTEX_UNLOCK(mutex_thread_nolog);
     674                SH_FREE(emsg);
     675              }
    602676            DEBUG("debug: rule %d matches, result = %d\n", count, res);
    603677            break; /* return the matching rule; ovector is filled in */
     678          }
     679
     680        if (flag_err_debug == SL_TRUE)
     681          {
     682            char * emsg = SH_ALLOC(SH_ERRBUF_SIZE);
     683            sl_snprintf(emsg,  SH_ERRBUF_SIZE, _("Rule %d did not match"),
     684                        count);
     685            SH_MUTEX_LOCK(mutex_thread_nolog);
     686            sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN,
     687                            emsg, _("test_rule"));
     688            SH_MUTEX_UNLOCK(mutex_thread_nolog);
     689            SH_FREE(emsg);
    604690          }
    605691        DEBUG("debug: rule %d did not match\n", count);
     
    614700 
    615701/* Test a (struct sh_geval *), which may be single rule or a group of rules,
    616  * against msg (if it's a group of rules, test against prefix first).
     702 * against msg
    617703 */
     704static struct sh_geval ** dummy2;
     705static struct sh_geval ** dummy3;
     706
    618707static struct sh_geval * test_grules (struct sh_heval * host,
    619                                       sh_string *prefix, sh_string *msg)
     708                                      sh_string *msg)
    620709{
    621710  struct sh_geval * result = NULL;
    622   struct sh_geval * rules = host->rulegroups;
    623 
    624   if (rules && sh_string_len(prefix) < (size_t)INT_MAX)
    625     {
    626       DEBUG("debug: if rules\n");
     711  struct sh_geval * group  = host->rulegroups;
     712
     713  dummy2 = &result;
     714  dummy3 = &group;
     715
     716  if (group && sh_string_len(msg) < (size_t)INT_MAX)
     717    {
     718      DEBUG("debug: if group\n");
    627719      do {
    628         if(rules->label != NULL)
     720        if(group->label != NULL)
    629721          {
    630722            /* this is a rule group; only groups have labels */
    631723
    632             DEBUG("debug: if rules->label %s\n", rules->label->str);
    633             if (pcre_exec(rules->rule, rules->rule_extra,
    634                           sh_string_str(prefix), (int) sh_string_len(prefix),
     724            if (flag_err_debug == SL_TRUE)
     725              {
     726                char * emsg = SH_ALLOC(SH_ERRBUF_SIZE);
     727                sl_snprintf(emsg,  SH_ERRBUF_SIZE, _("Checking group |%s| of rules against |%s|"),
     728                            sh_string_str(group->label), sh_string_str(msg));
     729                SH_MUTEX_LOCK(mutex_thread_nolog);
     730                sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN,
     731                                emsg, _("test_rule"));
     732                SH_MUTEX_UNLOCK(mutex_thread_nolog);
     733                SH_FREE(emsg);
     734              }
     735
     736            DEBUG("debug: if group->label %s\n", sh_string_str(group->label));
     737            if (pcre_exec(group->rule, group->rule_extra,
     738                          sh_string_str(msg), (int) sh_string_len(msg),
    635739                          0, 0, NULL, 0) >= 0)
    636740              {
    637                 result = test_rule(rules->nextrule, msg);
     741                result = test_rule(group->nextrule, msg);
    638742                if (result)
    639743                  break;
     
    642746        else
    643747          {
    644             /* First rule is in host->rulegroups */
     748            /* If there is no group label, the 'group' is actually a solitary
     749             * rule (not within any group).
     750             */
     751
     752            if (flag_err_debug == SL_TRUE)
     753              {
     754                char * emsg = SH_ALLOC(SH_ERRBUF_SIZE);
     755                sl_snprintf(emsg,  SH_ERRBUF_SIZE, _("Checking solitary rules"));
     756                SH_MUTEX_LOCK(mutex_thread_nolog);
     757                sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN,
     758                                emsg, _("test_rule"));
     759                SH_MUTEX_UNLOCK(mutex_thread_nolog);
     760                SH_FREE(emsg);
     761              }
    645762
    646763            DEBUG("debug: else (single rule)\n");
    647             result = test_rule(rules, msg);
     764            result = test_rule(group, msg);
    648765            if (result)
    649766              break;
    650767          }
    651         rules = rules->next; /* next group of rules */
    652       } while (rules);
     768        group = group->next; /* next group of rules */
     769      } while (group);
    653770    }
    654771  return result;
     
    658775 */
    659776static struct sh_geval * find_rule (sh_string *host,
    660                                     sh_string *prefix, sh_string *msg)
     777                                    sh_string *msg)
    661778{
    662779  struct sh_geval * result = NULL;
     
    671788          {
    672789            /* matching host, check rules/groups of rules */
    673             result = test_grules(hlist, prefix, msg);
     790            result = test_grules(hlist, msg);
    674791            if (result)
    675792              break;
     
    681798}
    682799
    683 static void msg_report(int severity, struct sh_logrecord * record)
    684 {
    685   char * tmp;
    686   char * msg;
    687   char * ttt;
     800/* copy the message and replace captured substrings with '___'
     801 */
     802static sh_string * replace_captures(const sh_string * message,
     803                                    int * ovector, int ovecnum)
     804{
     805  sh_string * retval = sh_string_new_from_lchar(sh_string_str(message),
     806                                                sh_string_len(message));
     807
     808  if (ovecnum > 1)
     809    {
     810      retval = sh_string_replace(retval, &(ovector[2]), (ovecnum-1), "___", 3);
     811    }
     812  return retval;
     813}
     814
     815static void msg_report(int severity, struct sh_geval * rule, struct sh_logrecord * record)
     816{
     817  char      * tmp;
     818  char      * msg;
     819  sh_string * mmm = NULL;
     820  char      * ttt;
     821
     822
    688823  SH_MUTEX_LOCK(mutex_thread_nolog);
     824  if (rule) {
     825    mmm = replace_captures(record->message, rule->ovector,
     826                           rule->ovecnum);
     827    msg = sh_util_safe_name_keepspace (sh_string_str(mmm));
     828  }
     829  else {
     830    msg = sh_util_safe_name_keepspace (sh_string_str(record->message));
     831  }
    689832  tmp = sh_util_safe_name (record->filename);
    690   msg = sh_util_safe_name_keepspace (sh_string_str(record->message));
    691833  ttt = sh_util_safe_name_keepspace (sh_string_str(record->timestr));
    692834  sh_error_handle (severity, FIL__, __LINE__, 0, MSG_LOGMON_REP,
     
    698840  SH_FREE(msg);
    699841  SH_FREE(tmp);
     842  if (mmm)
     843    sh_string_destroy(&mmm);
    700844  SH_MUTEX_UNLOCK(mutex_thread_nolog);
    701845}
     
    705849  char * tmp;
    706850  char * msg;
     851
    707852  SH_MUTEX_LOCK(mutex_thread_nolog);
    708853  tmp = sh_util_safe_name (sh_string_str(path));
     
    757902}
    758903
    759 /* copy the message and replace captured substrings with '___'
    760  */
    761 static sh_string * replace_captures(const sh_string * message,
    762                                     int * ovector, int ovecnum)
    763 {
    764   sh_string * retval = sh_string_new_from_lchar(sh_string_str(message),
    765                                                 sh_string_len(message));
    766 
    767   if (ovecnum > 1)
    768     {
    769       retval = sh_string_replace(retval, &(ovector[2]), (ovecnum-1), "___", 3);
    770     }
    771   return retval;
    772 }
    773 
    774904
    775905/* process the counter for a SUM rule
     
    818948      if (queue->policy == EVAL_REPORT)
    819949        {
    820           DEBUG("debug: EVAL_REPORT host: %s, prefix: %s, message: %s\n",
     950          DEBUG("debug: EVAL_REPORT host: %s, message: %s\n",
    821951                 sh_string_str(record->host),
    822                  sh_string_str(record->prefix),
    823952                 sh_string_str(record->message));
    824           msg_report(queue->severity, record);
     953          msg_report(queue->severity, rule, record);
    825954          retval = 0;
    826955        }
     
    830959          struct sh_ceval * counter =
    831960            find_counter(rule, record->host, queue->interval);
    832           DEBUG("debug: EVAL_SUM host: %s, prefix: %s, message: %s\n",
    833                  sh_string_str(record->host),
    834                  sh_string_str(record->prefix),
     961          DEBUG("debug: EVAL_SUM host: %s, message: %s\n",
     962                 sh_string_str(record->host),
    835963                 sh_string_str(record->message));
    836964          if (counter)
     
    857985  if (record)
    858986    {
    859       struct sh_geval * rule = find_rule (record->host, record->prefix,
     987      struct sh_geval * rule = find_rule (record->host,
    860988                                          record->message);
    861989
     
    868996        {
    869997          DEBUG("debug: (%lu) no rule found\n", i); ++i;
    870           msg_report(DEFAULT_SEVERITY, record);
     998          msg_report(DEFAULT_SEVERITY, NULL, record);
    871999        }
    8721000      return 0;
Note: See TracChangeset for help on using the changeset viewer.