Changeset 186 for trunk/src/sh_log_evalrule.c
- Timestamp:
- Oct 31, 2008, 8:22:45 PM (16 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/src/sh_log_evalrule.c
r185 r186 24 24 #include "sh_log_evalrule.h" 25 25 #include "zAVLTree.h" 26 27 extern int flag_err_debug; 26 28 27 29 /* #define DEBUG_EVALRULES */ … … 91 93 struct sh_geval * nextrule; /* next rule in this group */ 92 94 struct sh_geval * next; /* next group of rules */ 95 struct sh_geval * gnext; /* grouplist next */ 93 96 }; 94 97 … … 176 179 ng->nextrule = NULL; 177 180 ng->next = NULL; 181 ng->gnext = NULL; 178 182 179 183 if (!host_open) … … 199 203 { 200 204 tmp = grouplist; 201 while (tmp-> next != NULL) { tmp = tmp->next; }202 tmp-> next = ng;205 while (tmp->gnext != NULL) { tmp = tmp->gnext; } 206 tmp->gnext = ng; 203 207 } else { 204 208 grouplist = ng; … … 319 323 } 320 324 325 if (!strcmp(splits[1], _("trash"))) /* predefined, reserved */ 326 { 327 SH_FREE(splits); 328 SH_FREE(new); 329 return -1; 330 } 331 321 332 severity = sh_error_convert_level (splits[3]); 322 333 if (severity < 0) … … 364 375 return retval; 365 376 } 377 378 static struct sh_qeval ** dummy_queue; 366 379 367 380 int sh_eval_radd (const char * str) … … 380 393 char ** splits = split_array(new, &nfields, ':', lengths); 381 394 395 dummy_queue = &queue; 396 382 397 if (nfields != 2) 383 398 { … … 419 434 rule_extra = NULL; /* pcre_study(rule, 0, &error); */ 420 435 pcre_fullinfo(rule, rule_extra, PCRE_INFO_CAPTURECOUNT, &captures); 436 437 if (flag_err_debug == SL_TRUE) 438 { 439 char * emsg = SH_ALLOC(SH_ERRBUF_SIZE); 440 sl_snprintf(emsg, SH_ERRBUF_SIZE, _("Adding rule: |%s| with %d captures"), 441 splits[1], captures); 442 SH_MUTEX_LOCK(mutex_thread_nolog); 443 sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN, 444 emsg, _("sh_eval_radd")); 445 SH_MUTEX_UNLOCK(mutex_thread_nolog); 446 SH_FREE(emsg); 447 } 421 448 422 449 DEBUG("adding rule: |%s| with %d captures\n", splits[1], captures); … … 436 463 nr->nextrule = NULL; 437 464 nr->next = NULL; 465 nr->gnext = NULL; 438 466 439 467 /* … … 443 471 if (group_open) 444 472 { 473 if (flag_err_debug == SL_TRUE) 474 { 475 char * emsg = SH_ALLOC(SH_ERRBUF_SIZE); 476 sl_snprintf(emsg, SH_ERRBUF_SIZE, _("Adding rule to group |%s|"), 477 sh_string_str(group_open->label)); 478 SH_MUTEX_LOCK(mutex_thread_nolog); 479 sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN, 480 emsg, _("sh_eval_radd")); 481 SH_MUTEX_UNLOCK(mutex_thread_nolog); 482 SH_FREE(emsg); 483 } 484 485 DEBUG("adding rule to group |%s|\n", sh_string_str(group_open->label)); 486 445 487 if (group_open->nextrule) 446 488 { … … 474 516 * Add rule as member to grouplist, to facilitate cleanup 475 517 */ 476 #if 0 518 519 DEBUG("adding solitary rule to grouplist\n"); 520 477 521 if (grouplist) 478 522 { 479 523 tmp = grouplist; 480 while (tmp-> next != NULL) { tmp = tmp->next; }481 tmp-> next = nr;524 while (tmp->gnext != NULL) { tmp = tmp->gnext; } 525 tmp->gnext = nr; 482 526 } else { 483 527 grouplist = nr; 484 528 } 485 #endif 529 486 530 487 531 /* 488 532 * Add rule to host rulegroups 489 533 */ 534 DEBUG("adding solitary rule to host rulegroups\n"); 535 490 536 if (host_open->rulegroups) 491 537 { 492 /* Second, third, ... rule go to host_open->rulegroups->next rule,493 * since test_ rules() iterates over nextrules538 /* Second, third, ... rule go to host_open->rulegroups->next, 539 * since test_grules() iterates over nextrules 494 540 */ 495 541 tmp = host_open->rulegroups; 496 while (tmp->next rule != NULL) { tmp = tmp->nextrule; }497 tmp->next rule= nr;542 while (tmp->next != NULL) { tmp = tmp->next; } 543 tmp->next = nr; 498 544 } 499 545 else … … 516 562 void sh_eval_cleanup() 517 563 { 518 struct sh_geval * tmp;519 520 564 struct sh_geval * gtmp; 521 565 struct sh_qeval * qtmp; … … 525 569 { 526 570 gtmp = grouplist; 527 grouplist = gtmp-> next;571 grouplist = gtmp->gnext; 528 572 529 573 if (gtmp->label) sh_string_destroy(&(gtmp->label)); … … 534 578 if (gtmp->ovector) 535 579 SH_FREE(gtmp->ovector); 536 580 #if 0 537 581 while (gtmp->nextrule) 538 582 { … … 548 592 SH_FREE(tmp); 549 593 } 550 594 #endif 551 595 SH_FREE(gtmp); 552 596 } … … 582 626 * filled in 583 627 */ 628 static struct sh_geval ** dummy1; 629 584 630 static struct sh_geval * test_rule (struct sh_geval * rule, sh_string *msg) 585 631 { 586 int res, count; 632 int res; 633 volatile int count; 634 635 dummy1 = &rule; 587 636 588 637 if (!rule) … … 593 642 count = 1; 594 643 do { 644 645 if (flag_err_debug == SL_TRUE) 646 { 647 char * emsg = SH_ALLOC(SH_ERRBUF_SIZE); 648 sl_snprintf(emsg, SH_ERRBUF_SIZE, _("Check rule %d for |%s|"), 649 count, sh_string_str(msg)); 650 SH_MUTEX_LOCK(mutex_thread_nolog); 651 sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN, 652 emsg, _("test_rule")); 653 SH_MUTEX_UNLOCK(mutex_thread_nolog); 654 SH_FREE(emsg); 655 } 656 595 657 DEBUG("debug: check rule %d for <%s>\n", count, msg->str); 596 658 res = pcre_exec(rule->rule, rule->rule_extra, … … 600 662 { 601 663 rule->ovecnum = res; 664 665 if (flag_err_debug == SL_TRUE) 666 { 667 char * emsg = SH_ALLOC(SH_ERRBUF_SIZE); 668 sl_snprintf(emsg, SH_ERRBUF_SIZE, _("Rule %d matches, result = %d"), 669 count, res); 670 SH_MUTEX_LOCK(mutex_thread_nolog); 671 sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN, 672 emsg, _("test_rule")); 673 SH_MUTEX_UNLOCK(mutex_thread_nolog); 674 SH_FREE(emsg); 675 } 602 676 DEBUG("debug: rule %d matches, result = %d\n", count, res); 603 677 break; /* return the matching rule; ovector is filled in */ 678 } 679 680 if (flag_err_debug == SL_TRUE) 681 { 682 char * emsg = SH_ALLOC(SH_ERRBUF_SIZE); 683 sl_snprintf(emsg, SH_ERRBUF_SIZE, _("Rule %d did not match"), 684 count); 685 SH_MUTEX_LOCK(mutex_thread_nolog); 686 sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN, 687 emsg, _("test_rule")); 688 SH_MUTEX_UNLOCK(mutex_thread_nolog); 689 SH_FREE(emsg); 604 690 } 605 691 DEBUG("debug: rule %d did not match\n", count); … … 614 700 615 701 /* Test a (struct sh_geval *), which may be single rule or a group of rules, 616 * against msg (if it's a group of rules, test against prefix first).702 * against msg 617 703 */ 704 static struct sh_geval ** dummy2; 705 static struct sh_geval ** dummy3; 706 618 707 static struct sh_geval * test_grules (struct sh_heval * host, 619 sh_string * prefix, sh_string *msg)708 sh_string *msg) 620 709 { 621 710 struct sh_geval * result = NULL; 622 struct sh_geval * rules = host->rulegroups; 623 624 if (rules && sh_string_len(prefix) < (size_t)INT_MAX) 625 { 626 DEBUG("debug: if rules\n"); 711 struct sh_geval * group = host->rulegroups; 712 713 dummy2 = &result; 714 dummy3 = &group; 715 716 if (group && sh_string_len(msg) < (size_t)INT_MAX) 717 { 718 DEBUG("debug: if group\n"); 627 719 do { 628 if( rules->label != NULL)720 if(group->label != NULL) 629 721 { 630 722 /* this is a rule group; only groups have labels */ 631 723 632 DEBUG("debug: if rules->label %s\n", rules->label->str); 633 if (pcre_exec(rules->rule, rules->rule_extra, 634 sh_string_str(prefix), (int) sh_string_len(prefix), 724 if (flag_err_debug == SL_TRUE) 725 { 726 char * emsg = SH_ALLOC(SH_ERRBUF_SIZE); 727 sl_snprintf(emsg, SH_ERRBUF_SIZE, _("Checking group |%s| of rules against |%s|"), 728 sh_string_str(group->label), sh_string_str(msg)); 729 SH_MUTEX_LOCK(mutex_thread_nolog); 730 sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN, 731 emsg, _("test_rule")); 732 SH_MUTEX_UNLOCK(mutex_thread_nolog); 733 SH_FREE(emsg); 734 } 735 736 DEBUG("debug: if group->label %s\n", sh_string_str(group->label)); 737 if (pcre_exec(group->rule, group->rule_extra, 738 sh_string_str(msg), (int) sh_string_len(msg), 635 739 0, 0, NULL, 0) >= 0) 636 740 { 637 result = test_rule( rules->nextrule, msg);741 result = test_rule(group->nextrule, msg); 638 742 if (result) 639 743 break; … … 642 746 else 643 747 { 644 /* First rule is in host->rulegroups */ 748 /* If there is no group label, the 'group' is actually a solitary 749 * rule (not within any group). 750 */ 751 752 if (flag_err_debug == SL_TRUE) 753 { 754 char * emsg = SH_ALLOC(SH_ERRBUF_SIZE); 755 sl_snprintf(emsg, SH_ERRBUF_SIZE, _("Checking solitary rules")); 756 SH_MUTEX_LOCK(mutex_thread_nolog); 757 sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN, 758 emsg, _("test_rule")); 759 SH_MUTEX_UNLOCK(mutex_thread_nolog); 760 SH_FREE(emsg); 761 } 645 762 646 763 DEBUG("debug: else (single rule)\n"); 647 result = test_rule( rules, msg);764 result = test_rule(group, msg); 648 765 if (result) 649 766 break; 650 767 } 651 rules = rules->next; /* next group of rules */652 } while ( rules);768 group = group->next; /* next group of rules */ 769 } while (group); 653 770 } 654 771 return result; … … 658 775 */ 659 776 static struct sh_geval * find_rule (sh_string *host, 660 sh_string * prefix, sh_string *msg)777 sh_string *msg) 661 778 { 662 779 struct sh_geval * result = NULL; … … 671 788 { 672 789 /* matching host, check rules/groups of rules */ 673 result = test_grules(hlist, prefix,msg);790 result = test_grules(hlist, msg); 674 791 if (result) 675 792 break; … … 681 798 } 682 799 683 static void msg_report(int severity, struct sh_logrecord * record) 684 { 685 char * tmp; 686 char * msg; 687 char * ttt; 800 /* copy the message and replace captured substrings with '___' 801 */ 802 static sh_string * replace_captures(const sh_string * message, 803 int * ovector, int ovecnum) 804 { 805 sh_string * retval = sh_string_new_from_lchar(sh_string_str(message), 806 sh_string_len(message)); 807 808 if (ovecnum > 1) 809 { 810 retval = sh_string_replace(retval, &(ovector[2]), (ovecnum-1), "___", 3); 811 } 812 return retval; 813 } 814 815 static void msg_report(int severity, struct sh_geval * rule, struct sh_logrecord * record) 816 { 817 char * tmp; 818 char * msg; 819 sh_string * mmm = NULL; 820 char * ttt; 821 822 688 823 SH_MUTEX_LOCK(mutex_thread_nolog); 824 if (rule) { 825 mmm = replace_captures(record->message, rule->ovector, 826 rule->ovecnum); 827 msg = sh_util_safe_name_keepspace (sh_string_str(mmm)); 828 } 829 else { 830 msg = sh_util_safe_name_keepspace (sh_string_str(record->message)); 831 } 689 832 tmp = sh_util_safe_name (record->filename); 690 msg = sh_util_safe_name_keepspace (sh_string_str(record->message));691 833 ttt = sh_util_safe_name_keepspace (sh_string_str(record->timestr)); 692 834 sh_error_handle (severity, FIL__, __LINE__, 0, MSG_LOGMON_REP, … … 698 840 SH_FREE(msg); 699 841 SH_FREE(tmp); 842 if (mmm) 843 sh_string_destroy(&mmm); 700 844 SH_MUTEX_UNLOCK(mutex_thread_nolog); 701 845 } … … 705 849 char * tmp; 706 850 char * msg; 851 707 852 SH_MUTEX_LOCK(mutex_thread_nolog); 708 853 tmp = sh_util_safe_name (sh_string_str(path)); … … 757 902 } 758 903 759 /* copy the message and replace captured substrings with '___'760 */761 static sh_string * replace_captures(const sh_string * message,762 int * ovector, int ovecnum)763 {764 sh_string * retval = sh_string_new_from_lchar(sh_string_str(message),765 sh_string_len(message));766 767 if (ovecnum > 1)768 {769 retval = sh_string_replace(retval, &(ovector[2]), (ovecnum-1), "___", 3);770 }771 return retval;772 }773 774 904 775 905 /* process the counter for a SUM rule … … 818 948 if (queue->policy == EVAL_REPORT) 819 949 { 820 DEBUG("debug: EVAL_REPORT host: %s, prefix: %s,message: %s\n",950 DEBUG("debug: EVAL_REPORT host: %s, message: %s\n", 821 951 sh_string_str(record->host), 822 sh_string_str(record->prefix),823 952 sh_string_str(record->message)); 824 msg_report(queue->severity, r ecord);953 msg_report(queue->severity, rule, record); 825 954 retval = 0; 826 955 } … … 830 959 struct sh_ceval * counter = 831 960 find_counter(rule, record->host, queue->interval); 832 DEBUG("debug: EVAL_SUM host: %s, prefix: %s, message: %s\n", 833 sh_string_str(record->host), 834 sh_string_str(record->prefix), 961 DEBUG("debug: EVAL_SUM host: %s, message: %s\n", 962 sh_string_str(record->host), 835 963 sh_string_str(record->message)); 836 964 if (counter) … … 857 985 if (record) 858 986 { 859 struct sh_geval * rule = find_rule (record->host, record->prefix,987 struct sh_geval * rule = find_rule (record->host, 860 988 record->message); 861 989 … … 868 996 { 869 997 DEBUG("debug: (%lu) no rule found\n", i); ++i; 870 msg_report(DEFAULT_SEVERITY, record);998 msg_report(DEFAULT_SEVERITY, NULL, record); 871 999 } 872 1000 return 0;
Note:
See TracChangeset
for help on using the changeset viewer.