Index: trunk/src/sh_log_check.c =================================================================== --- trunk/src/sh_log_check.c (revision 185) +++ trunk/src/sh_log_check.c (revision 186) @@ -382,6 +382,4 @@ if (logrecord->host) sh_string_destroy(&(logrecord->host)); - if (logrecord->prefix) - sh_string_destroy(&(logrecord->prefix)); if (logrecord->timestr) sh_string_destroy(&(logrecord->timestr)); Index: trunk/src/sh_log_evalrule.c =================================================================== --- trunk/src/sh_log_evalrule.c (revision 185) +++ trunk/src/sh_log_evalrule.c (revision 186) @@ -24,4 +24,6 @@ #include "sh_log_evalrule.h" #include "zAVLTree.h" + +extern int flag_err_debug; /* #define DEBUG_EVALRULES */ @@ -91,4 +93,5 @@ struct sh_geval * nextrule; /* next rule in this group */ struct sh_geval * next; /* next group of rules */ + struct sh_geval * gnext; /* grouplist next */ }; @@ -176,4 +179,5 @@ ng->nextrule = NULL; ng->next = NULL; + ng->gnext = NULL; if (!host_open) @@ -199,6 +203,6 @@ { tmp = grouplist; - while (tmp->next != NULL) { tmp = tmp->next; } - tmp->next = ng; + while (tmp->gnext != NULL) { tmp = tmp->gnext; } + tmp->gnext = ng; } else { grouplist = ng; @@ -319,4 +323,11 @@ } + if (!strcmp(splits[1], _("trash"))) /* predefined, reserved */ + { + SH_FREE(splits); + SH_FREE(new); + return -1; + } + severity = sh_error_convert_level (splits[3]); if (severity < 0) @@ -364,4 +375,6 @@ return retval; } + +static struct sh_qeval ** dummy_queue; int sh_eval_radd (const char * str) @@ -380,4 +393,6 @@ char ** splits = split_array(new, &nfields, ':', lengths); + dummy_queue = &queue; + if (nfields != 2) { @@ -419,4 +434,16 @@ rule_extra = NULL; /* pcre_study(rule, 0, &error); */ pcre_fullinfo(rule, rule_extra, PCRE_INFO_CAPTURECOUNT, &captures); + + if (flag_err_debug == SL_TRUE) + { + char * emsg = SH_ALLOC(SH_ERRBUF_SIZE); + sl_snprintf(emsg, SH_ERRBUF_SIZE, _("Adding rule: |%s| with %d captures"), + splits[1], captures); + SH_MUTEX_LOCK(mutex_thread_nolog); + sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN, + emsg, _("sh_eval_radd")); + SH_MUTEX_UNLOCK(mutex_thread_nolog); + SH_FREE(emsg); + } DEBUG("adding rule: |%s| with %d captures\n", splits[1], captures); @@ -436,4 +463,5 @@ nr->nextrule = NULL; nr->next = NULL; + nr->gnext = NULL; /* @@ -443,4 +471,18 @@ if (group_open) { + if (flag_err_debug == SL_TRUE) + { + char * emsg = SH_ALLOC(SH_ERRBUF_SIZE); + sl_snprintf(emsg, SH_ERRBUF_SIZE, _("Adding rule to group |%s|"), + sh_string_str(group_open->label)); + SH_MUTEX_LOCK(mutex_thread_nolog); + sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN, + emsg, _("sh_eval_radd")); + SH_MUTEX_UNLOCK(mutex_thread_nolog); + SH_FREE(emsg); + } + + DEBUG("adding rule to group |%s|\n", sh_string_str(group_open->label)); + if (group_open->nextrule) { @@ -474,26 +516,30 @@ * Add rule as member to grouplist, to facilitate cleanup */ -#if 0 + + DEBUG("adding solitary rule to grouplist\n"); + if (grouplist) { tmp = grouplist; - while (tmp->next != NULL) { tmp = tmp->next; } - tmp->next = nr; + while (tmp->gnext != NULL) { tmp = tmp->gnext; } + tmp->gnext = nr; } else { grouplist = nr; } -#endif + /* * Add rule to host rulegroups */ + DEBUG("adding solitary rule to host rulegroups\n"); + if (host_open->rulegroups) { - /* Second, third, ... rule go to host_open->rulegroups->nextrule, - * since test_rules() iterates over nextrules + /* Second, third, ... rule go to host_open->rulegroups->next, + * since test_grules() iterates over nextrules */ tmp = host_open->rulegroups; - while (tmp->nextrule != NULL) { tmp = tmp->nextrule; } - tmp->nextrule = nr; + while (tmp->next != NULL) { tmp = tmp->next; } + tmp->next = nr; } else @@ -516,6 +562,4 @@ void sh_eval_cleanup() { - struct sh_geval * tmp; - struct sh_geval * gtmp; struct sh_qeval * qtmp; @@ -525,5 +569,5 @@ { gtmp = grouplist; - grouplist = gtmp->next; + grouplist = gtmp->gnext; if (gtmp->label) sh_string_destroy(&(gtmp->label)); @@ -534,5 +578,5 @@ if (gtmp->ovector) SH_FREE(gtmp->ovector); - +#if 0 while (gtmp->nextrule) { @@ -548,5 +592,5 @@ SH_FREE(tmp); } - +#endif SH_FREE(gtmp); } @@ -582,7 +626,12 @@ * filled in */ +static struct sh_geval ** dummy1; + static struct sh_geval * test_rule (struct sh_geval * rule, sh_string *msg) { - int res, count; + int res; + volatile int count; + + dummy1 = &rule; if (!rule) @@ -593,4 +642,17 @@ count = 1; do { + + if (flag_err_debug == SL_TRUE) + { + char * emsg = SH_ALLOC(SH_ERRBUF_SIZE); + sl_snprintf(emsg, SH_ERRBUF_SIZE, _("Check rule %d for |%s|"), + count, sh_string_str(msg)); + SH_MUTEX_LOCK(mutex_thread_nolog); + sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN, + emsg, _("test_rule")); + SH_MUTEX_UNLOCK(mutex_thread_nolog); + SH_FREE(emsg); + } + DEBUG("debug: check rule %d for <%s>\n", count, msg->str); res = pcre_exec(rule->rule, rule->rule_extra, @@ -600,6 +662,30 @@ { rule->ovecnum = res; + + if (flag_err_debug == SL_TRUE) + { + char * emsg = SH_ALLOC(SH_ERRBUF_SIZE); + sl_snprintf(emsg, SH_ERRBUF_SIZE, _("Rule %d matches, result = %d"), + count, res); + SH_MUTEX_LOCK(mutex_thread_nolog); + sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN, + emsg, _("test_rule")); + SH_MUTEX_UNLOCK(mutex_thread_nolog); + SH_FREE(emsg); + } DEBUG("debug: rule %d matches, result = %d\n", count, res); break; /* return the matching rule; ovector is filled in */ + } + + if (flag_err_debug == SL_TRUE) + { + char * emsg = SH_ALLOC(SH_ERRBUF_SIZE); + sl_snprintf(emsg, SH_ERRBUF_SIZE, _("Rule %d did not match"), + count); + SH_MUTEX_LOCK(mutex_thread_nolog); + sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN, + emsg, _("test_rule")); + SH_MUTEX_UNLOCK(mutex_thread_nolog); + SH_FREE(emsg); } DEBUG("debug: rule %d did not match\n", count); @@ -614,26 +700,44 @@ /* Test a (struct sh_geval *), which may be single rule or a group of rules, - * against msg (if it's a group of rules, test against prefix first). + * against msg */ +static struct sh_geval ** dummy2; +static struct sh_geval ** dummy3; + static struct sh_geval * test_grules (struct sh_heval * host, - sh_string *prefix, sh_string *msg) + sh_string *msg) { struct sh_geval * result = NULL; - struct sh_geval * rules = host->rulegroups; - - if (rules && sh_string_len(prefix) < (size_t)INT_MAX) - { - DEBUG("debug: if rules\n"); + struct sh_geval * group = host->rulegroups; + + dummy2 = &result; + dummy3 = &group; + + if (group && sh_string_len(msg) < (size_t)INT_MAX) + { + DEBUG("debug: if group\n"); do { - if(rules->label != NULL) + if(group->label != NULL) { /* this is a rule group; only groups have labels */ - DEBUG("debug: if rules->label %s\n", rules->label->str); - if (pcre_exec(rules->rule, rules->rule_extra, - sh_string_str(prefix), (int) sh_string_len(prefix), + if (flag_err_debug == SL_TRUE) + { + char * emsg = SH_ALLOC(SH_ERRBUF_SIZE); + sl_snprintf(emsg, SH_ERRBUF_SIZE, _("Checking group |%s| of rules against |%s|"), + sh_string_str(group->label), sh_string_str(msg)); + SH_MUTEX_LOCK(mutex_thread_nolog); + sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN, + emsg, _("test_rule")); + SH_MUTEX_UNLOCK(mutex_thread_nolog); + SH_FREE(emsg); + } + + DEBUG("debug: if group->label %s\n", sh_string_str(group->label)); + if (pcre_exec(group->rule, group->rule_extra, + sh_string_str(msg), (int) sh_string_len(msg), 0, 0, NULL, 0) >= 0) { - result = test_rule(rules->nextrule, msg); + result = test_rule(group->nextrule, msg); if (result) break; @@ -642,13 +746,26 @@ else { - /* First rule is in host->rulegroups */ + /* If there is no group label, the 'group' is actually a solitary + * rule (not within any group). + */ + + if (flag_err_debug == SL_TRUE) + { + char * emsg = SH_ALLOC(SH_ERRBUF_SIZE); + sl_snprintf(emsg, SH_ERRBUF_SIZE, _("Checking solitary rules")); + SH_MUTEX_LOCK(mutex_thread_nolog); + sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN, + emsg, _("test_rule")); + SH_MUTEX_UNLOCK(mutex_thread_nolog); + SH_FREE(emsg); + } DEBUG("debug: else (single rule)\n"); - result = test_rule(rules, msg); + result = test_rule(group, msg); if (result) break; } - rules = rules->next; /* next group of rules */ - } while (rules); + group = group->next; /* next group of rules */ + } while (group); } return result; @@ -658,5 +775,5 @@ */ static struct sh_geval * find_rule (sh_string *host, - sh_string *prefix, sh_string *msg) + sh_string *msg) { struct sh_geval * result = NULL; @@ -671,5 +788,5 @@ { /* matching host, check rules/groups of rules */ - result = test_grules(hlist, prefix, msg); + result = test_grules(hlist, msg); if (result) break; @@ -681,12 +798,37 @@ } -static void msg_report(int severity, struct sh_logrecord * record) -{ - char * tmp; - char * msg; - char * ttt; +/* copy the message and replace captured substrings with '___' + */ +static sh_string * replace_captures(const sh_string * message, + int * ovector, int ovecnum) +{ + sh_string * retval = sh_string_new_from_lchar(sh_string_str(message), + sh_string_len(message)); + + if (ovecnum > 1) + { + retval = sh_string_replace(retval, &(ovector[2]), (ovecnum-1), "___", 3); + } + return retval; +} + +static void msg_report(int severity, struct sh_geval * rule, struct sh_logrecord * record) +{ + char * tmp; + char * msg; + sh_string * mmm = NULL; + char * ttt; + + SH_MUTEX_LOCK(mutex_thread_nolog); + if (rule) { + mmm = replace_captures(record->message, rule->ovector, + rule->ovecnum); + msg = sh_util_safe_name_keepspace (sh_string_str(mmm)); + } + else { + msg = sh_util_safe_name_keepspace (sh_string_str(record->message)); + } tmp = sh_util_safe_name (record->filename); - msg = sh_util_safe_name_keepspace (sh_string_str(record->message)); ttt = sh_util_safe_name_keepspace (sh_string_str(record->timestr)); sh_error_handle (severity, FIL__, __LINE__, 0, MSG_LOGMON_REP, @@ -698,4 +840,6 @@ SH_FREE(msg); SH_FREE(tmp); + if (mmm) + sh_string_destroy(&mmm); SH_MUTEX_UNLOCK(mutex_thread_nolog); } @@ -705,4 +849,5 @@ char * tmp; char * msg; + SH_MUTEX_LOCK(mutex_thread_nolog); tmp = sh_util_safe_name (sh_string_str(path)); @@ -757,19 +902,4 @@ } -/* copy the message and replace captured substrings with '___' - */ -static sh_string * replace_captures(const sh_string * message, - int * ovector, int ovecnum) -{ - sh_string * retval = sh_string_new_from_lchar(sh_string_str(message), - sh_string_len(message)); - - if (ovecnum > 1) - { - retval = sh_string_replace(retval, &(ovector[2]), (ovecnum-1), "___", 3); - } - return retval; -} - /* process the counter for a SUM rule @@ -818,9 +948,8 @@ if (queue->policy == EVAL_REPORT) { - DEBUG("debug: EVAL_REPORT host: %s, prefix: %s, message: %s\n", + DEBUG("debug: EVAL_REPORT host: %s, message: %s\n", sh_string_str(record->host), - sh_string_str(record->prefix), sh_string_str(record->message)); - msg_report(queue->severity, record); + msg_report(queue->severity, rule, record); retval = 0; } @@ -830,7 +959,6 @@ struct sh_ceval * counter = find_counter(rule, record->host, queue->interval); - DEBUG("debug: EVAL_SUM host: %s, prefix: %s, message: %s\n", - sh_string_str(record->host), - sh_string_str(record->prefix), + DEBUG("debug: EVAL_SUM host: %s, message: %s\n", + sh_string_str(record->host), sh_string_str(record->message)); if (counter) @@ -857,5 +985,5 @@ if (record) { - struct sh_geval * rule = find_rule (record->host, record->prefix, + struct sh_geval * rule = find_rule (record->host, record->message); @@ -868,5 +996,5 @@ { DEBUG("debug: (%lu) no rule found\n", i); ++i; - msg_report(DEFAULT_SEVERITY, record); + msg_report(DEFAULT_SEVERITY, NULL, record); } return 0; Index: trunk/src/sh_log_parse_apache.c =================================================================== --- trunk/src/sh_log_parse_apache.c (revision 185) +++ trunk/src/sh_log_parse_apache.c (revision 186) @@ -47,5 +47,5 @@ int pos_status; int pos_time; - int format_time; + char * format_time; }; @@ -60,4 +60,5 @@ */ static void * sh_dummy_new = NULL; +static void * sh_dummy_fti = NULL; void * sh_eval_fileinfo_apache(char * str) @@ -75,5 +76,5 @@ volatile int p_status = -1; volatile int p_time = -1; - volatile int f_time = -1; + char * f_time = NULL; const char * error; int erroffset; @@ -83,4 +84,5 @@ */ sh_dummy_new = (void*) &new; + sh_dummy_fti = (void*) &f_time; if (0 == strncmp("common", str, 6)) @@ -149,34 +151,70 @@ strstr(token, _("{User-Agent}")) == 0) { - p = _("\"([^\"\\\\]*(?:\\\\.[^\"\\\\]*)*)\""); + /* + p = "\"([^\"\\\\]*(?:\\\\.[^\"\\\\]*)*)\""; sh_string_add_from_char(re_string, p); + */ + sh_string_add_from_char(re_string, "\"([^"); + sh_string_add_from_char(re_string, "\"\\\\"); + sh_string_add_from_char(re_string, "]*"); + sh_string_add_from_char(re_string, "(?:"); + sh_string_add_from_char(re_string, "\\\\."); + sh_string_add_from_char(re_string, "[^\""); + sh_string_add_from_char(re_string, "\\\\]*"); + sh_string_add_from_char(re_string, ")*)\""); } else { - p = _("(\\S+)"); - sh_string_add_from_char(re_string, p); + sh_string_add_from_char(re_string, "("); + sh_string_add_from_char(re_string, "\\S+"); + sh_string_add_from_char(re_string, ")"); } } else if (token[0] == '%' && token[strlen(token)-1] == 't') { - p = _("\\[([^\\]]+)\\]"); + char * lb = strchr(token, '{'); + char * rb = strchr(token, '}'); + + sh_string_add_from_char(re_string, "\\["); + sh_string_add_from_char(re_string, "([^"); + sh_string_add_from_char(re_string, "(\\]"); + sh_string_add_from_char(re_string, "]+)"); + sh_string_add_from_char(re_string, "\\]"); + + p_time = i+1; + if (lb && rb) + { + ++lb; *rb = '\0'; + f_time = sh_util_strdup(lb); + } + else + { + f_time = sh_util_strdup(_("%d/%b/%Y:%T")); + } + } + else if (token[0] == '%' && token[1] == 'e' && 0 == strcmp(token, _("%error"))) + { + sh_string_add_from_char(re_string, "\\["); + sh_string_add_from_char(re_string, "([^"); + sh_string_add_from_char(re_string, "]"); + sh_string_add_from_char(re_string, "]+)"); + sh_string_add_from_char(re_string, "\\]"); + + p_time = i+1; f_time = sh_util_strdup(_("%a %b %d %T %Y")); ++i; + sh_string_add_from_char(re_string, " "); + + sh_string_add_from_char(re_string, "\\["); + sh_string_add_from_char(re_string, "([^"); + sh_string_add_from_char(re_string, "]"); + sh_string_add_from_char(re_string, "]+)"); + sh_string_add_from_char(re_string, "\\]"); + + p_status = i+1; + sh_string_add_from_char(re_string, " "); + + p = "(.+)"; sh_string_add_from_char(re_string, p); - p_time = i+1; - f_time = 1; - } - else if (token[0] == '%' && token[1] == 'e' && 0 == strcmp(token, _("%error"))) - { - p = _("\\[([^\\]]+)\\]"); - sh_string_add_from_char(re_string, p); - p_time = i+1; f_time = 2; ++i; - - sh_string_add_from_char(re_string, " "); - p = _("\\[([^\\]]+)\\]"); - sh_string_add_from_char(re_string, p); - p_status = i+1; - - sh_string_add_from_char(re_string, " "); - p = _("(.*)"); - sh_string_add_from_char(re_string, p); + + nfields = 3; break; @@ -184,6 +222,7 @@ else { - p = _("(\\S+)"); - sh_string_add_from_char(re_string, p); + sh_string_add_from_char(re_string, "("); + sh_string_add_from_char(re_string, "\\S+"); + sh_string_add_from_char(re_string, ")"); if (token[0] == '%' && token[strlen(token)-1] == 's') p_status = i+1; @@ -288,5 +327,5 @@ res = 0; timestamp = 0; - info->format_time = 1; + info->format_time = sh_util_strdup(_("%d/%b/%Y:%T")); sl_strlcpy(tstr, _("01/Jan/1970:00:00:00"), sizeof(tstr)); } @@ -295,21 +334,11 @@ { struct tm btime; - char * ptr = NULL, * q; + char * ptr = NULL; /* example: 01/Jun/2008:07:55:28 +0200 */ - if (info->format_time == 1) - { - q = strchr(tstr, ' '); - if (q) *q = '\0'; - - ptr = /*@i@*/strptime(tstr, "%d/%b/%Y:%T", &btime); - } - else if (info->format_time == 2) - { - ptr = /*@i@*/strptime(tstr, "%a %b %d %T %Y", &btime); - } - - if (ptr && *ptr == '\0') + ptr = /*@i@*/strptime(tstr, info->format_time, &btime); + + if (ptr) { timestamp = conv_timestamp(&btime, &old_tm, &old_time); @@ -349,5 +378,4 @@ record->timestamp = timestamp; record->timestr = sh_string_new_from_lchar(tstr, strlen(tstr)); - record->prefix = sh_string_new_from_lchar(sstr, strlen(sstr)); if (hstr) Index: trunk/src/sh_log_parse_pacct.c =================================================================== --- trunk/src/sh_log_parse_pacct.c (revision 185) +++ trunk/src/sh_log_parse_pacct.c (revision 186) @@ -325,5 +325,4 @@ record->timestamp = ltime; record->timestr = sh_string_new_from_lchar(array[6], lengths[6]); - record->prefix = sh_string_new_from_lchar(array[0], lengths[0]); record->message = message; record->pid = 0; Index: trunk/src/sh_log_parse_samba.c =================================================================== --- trunk/src/sh_log_parse_samba.c (revision 185) +++ trunk/src/sh_log_parse_samba.c (revision 186) @@ -42,5 +42,5 @@ struct sh_logrecord * record = NULL; - static const char * format0_1 = N_("%Y/%m/%d %T"); + static const char * format0_1 = N_("[%Y/%m/%d %T"); static char format_1[16]; static int format_init = 0; @@ -70,9 +70,8 @@ memset(&btime, '\0', sizeof(struct tm)); - ptr = strptime(sh_string_str(logline), _("%Y/%m/%d %T"), &btime); + ptr = strptime(sh_string_str(logline), format_1, &btime); if (ptr && *ptr == '\0') /* no error, whole string consumed */ { - record = SH_ALLOC(sizeof(struct sh_logrecord)); @@ -85,8 +84,4 @@ record->message = sh_string_new_from_lchar(array[2], lengths[2]); - p = array[2]; while (*p != ' ' && *p != '\0') ++p; - p = '\0'; - record->prefix = sh_string_new_from_lchar(array[2], lengths[2]); - record->pid = 0; record->host = sh_string_new_from_lchar(sh.host.name, Index: trunk/src/sh_log_parse_syslog.c =================================================================== --- trunk/src/sh_log_parse_syslog.c (revision 185) +++ trunk/src/sh_log_parse_syslog.c (revision 186) @@ -138,5 +138,5 @@ ++ptr; record->pid = (pid_t) atoi(ptr); - record->prefix = sh_string_new_from_lchar(array[1], lengths[1]); + if (hidepid == 0 || !*ptr) { --ptr; @@ -158,5 +158,4 @@ } record->pid = PID_INVALID; - record->prefix = sh_string_new_from_lchar(array[1], lengths[1]); if (flag == 1) { ptr[lengths[1]] = ':'; Index: trunk/src/sh_modules.c =================================================================== --- trunk/src/sh_modules.c (revision 185) +++ trunk/src/sh_modules.c (revision 186) @@ -141,5 +141,5 @@ sh_log_check_reconf, - N_("[LogMon]"), + N_("[Logmon]"), sh_log_check_table, PTHREAD_MUTEX_INITIALIZER, Index: trunk/src/sh_readconf.c =================================================================== --- trunk/src/sh_readconf.c (revision 185) +++ trunk/src/sh_readconf.c (revision 186) @@ -1122,4 +1122,6 @@ static const char *closing[] = { N_("closecommand"), + N_("logmonendgroup"), + N_("logmonendhost"), NULL };