Changeset 265 for trunk

Timestamp:

Dec 21, 2009, 8:54:07 PM (15 years ago)

Author:

katerina

Message:

Enhance logfile monitoring (tickets #183, #184, #185).

Location:

trunk

Files:

• Makefile.in (modified) (5 diffs)
• acconfig.h (modified) (1 diff)
• configure.ac (modified) (1 diff)
• depend.dep (modified) (2 diffs)
• depend.sum (modified) (1 diff)
• docs/Changelog (modified) (2 diffs)
• include/samhain.h (modified) (1 diff)
• include/sh_cat.h (modified) (1 diff)
• include/sh_error.h (modified) (1 diff)
• include/sh_error_min.h (modified) (1 diff)
• include/sh_log_correlate.h (added)
• include/sh_log_evalrule.h (modified) (1 diff)
• include/sh_log_mark.h (added)
• include/sh_log_repeat.h (added)
• include/sh_string.h (modified) (2 diffs)
• include/sh_unix.h (modified) (1 diff)
• src/samhain.c (modified) (1 diff)
• src/sh_cat.c (modified) (2 diffs)
• src/sh_inotify.c (modified) (2 diffs)
• src/sh_log_check.c (modified) (12 diffs)
• src/sh_log_correlate.c (added)
• src/sh_log_evalrule.c (modified) (18 diffs)
• src/sh_log_mark.c (added)
• src/sh_log_parse_syslog.c (modified) (1 diff)
• src/sh_log_repeat.c (added)
• src/sh_readconf.c (modified) (1 diff)
• src/sh_socket.c (modified) (1 diff)
• src/sh_string.c (modified) (5 diffs)
• src/sh_unix.c (modified) (2 diffs)

trunk/Makefile.in

@@ -123 +123 @@
         sh_mounts.h sh_userfiles.h sh_static.h sh_prelink.h \
         sh_processcheck.h sh_portcheck.h sh_pthread.h sh_string.h \
-        sh_log_check.h sh_log_evalrule.h sh_inotify.h
+        sh_log_check.h sh_log_evalrule.h sh_log_correlate.h \
+        sh_log_mark.h sh_log_repeat.h sh_inotify.h
 
 
@@ -161 +162 @@
         $(srcsrc)/sh_log_parse_samba.c \
         $(srcsrc)/sh_log_parse_apache.c $(srcsrc)/sh_log_evalrule.c \
+        $(srcsrc)/sh_log_correlate.c $(srcsrc)/sh_log_mark.c \
         $(srcsrc)/sh_log_check.c $(srcsrc)/dnmalloc.c \
-        $(srcsrc)/sh_inotify.c \
+        $(srcsrc)/sh_inotify.c $(srcsrc)/sh_log_repeat.c \
         $(srcsrc)/t-test1.c
 
@@ -179 +181 @@
         sh_log_parse_syslog.o sh_log_parse_pacct.o sh_log_parse_apache.o \
         sh_log_parse_samba.o sh_log_evalrule.o sh_log_check.o \
+        sh_log_correlate.o sh_log_mark.o sh_log_repeat.o \
         sh_pthread.o sh_string.o sh_inotify.o dnmalloc.o
 
@@ -1665 +1668 @@
 sh_files.o: $(srcsrc)/sh_files.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_error.h $(srcinc)/sh_utils.h $(srcinc)/sh_unix.h $(srcinc)/sh_files.h $(srcinc)/sh_tiger.h $(srcinc)/sh_hash.h $(srcinc)/sh_ignore.h $(srcinc)/zAVLTree.h 
 sh_getopt.o: $(srcsrc)/sh_getopt.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_error.h $(srcinc)/sh_getopt.h $(srcinc)/sh_files.h $(srcinc)/sh_utils.h $(srcinc)/sh_mail.h $(srcinc)/sh_forward.h $(srcinc)/sh_hash.h $(srcinc)/sh_extern.h 
-sh_readconf.o: $(srcsrc)/sh_readconf.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_error.h $(srcinc)/sh_database.h $(srcinc)/sh_unix.h $(srcinc)/sh_utils.h $(srcinc)/sh_files.h $(srcinc)/sh_mail.h $(srcinc)/sh_nmail.h $(srcinc)/sh_calls.h $(srcinc)/sh_tiger.h $(srcinc)/sh_forward.h $(srcinc)/sh_modules.h $(srcinc)/sh_gpg.h $(srcinc)/sh_hash.h $(srcinc)/sh_ignore.h $(srcinc)/sh_prelink.h $(srcinc)/sh_extern.h $(srcinc)/sh_tools.h $(srcinc)/sh_database.h $(srcinc)/sh_prelude.h 
+sh_readconf.o: $(srcsrc)/sh_readconf.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_calls.h $(srcinc)/sh_error.h $(srcinc)/sh_extern.h $(srcinc)/sh_files.h $(srcinc)/sh_forward.h $(srcinc)/sh_gpg.h $(srcinc)/sh_hash.h $(srcinc)/sh_ignore.h $(srcinc)/sh_database.h $(srcinc)/sh_mail.h $(srcinc)/sh_modules.h $(srcinc)/sh_nmail.h $(srcinc)/sh_prelink.h $(srcinc)/sh_prelude.h $(srcinc)/sh_tiger.h $(srcinc)/sh_tools.h $(srcinc)/sh_unix.h $(srcinc)/sh_utils.h 
 sh_tiger0.o: $(srcsrc)/sh_tiger0.c Makefile config_xor.h $(srcinc)/sh_tiger.h $(srcinc)/sh_unix.h $(srcinc)/sh_error.h $(srcinc)/sh_utils.h $(srcinc)/sh_pthread.h $(srcinc)/sh_string.h 
 sh_tiger1.o: $(srcsrc)/sh_tiger1.c Makefile config_xor.h 
@@ -1728 +1731 @@
 sh_log_parse_pacct.o: $(srcsrc)/sh_log_parse_pacct.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_log_check.h $(srcinc)/sh_utils.h $(srcinc)/sh_string.h 
 sh_log_parse_apache.o: $(srcsrc)/sh_log_parse_apache.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_log_check.h $(srcinc)/sh_utils.h $(srcinc)/sh_string.h 
-sh_log_evalrule.o: $(srcsrc)/sh_log_evalrule.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utils.h $(srcinc)/sh_string.h $(srcinc)/sh_log_check.h $(srcinc)/sh_log_evalrule.h $(srcinc)/zAVLTree.h 
-sh_log_check.o: $(srcsrc)/sh_log_check.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utils.h $(srcinc)/sh_string.h $(srcinc)/sh_log_check.h $(srcinc)/sh_log_evalrule.h $(srcinc)/sh_modules.h 
+sh_log_evalrule.o: $(srcsrc)/sh_log_evalrule.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utils.h $(srcinc)/sh_string.h $(srcinc)/sh_log_check.h $(srcinc)/sh_log_evalrule.h $(srcinc)/sh_log_correlate.h $(srcinc)/sh_log_mark.h $(srcinc)/sh_log_repeat.h $(srcinc)/zAVLTree.h 
+sh_log_check.o: $(srcsrc)/sh_log_check.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utils.h $(srcinc)/sh_unix.h $(srcinc)/sh_string.h $(srcinc)/sh_log_check.h $(srcinc)/sh_log_evalrule.h $(srcinc)/sh_log_correlate.h $(srcinc)/sh_log_mark.h $(srcinc)/sh_log_repeat.h $(srcinc)/sh_modules.h 
 sh_log_parse_samba.o: $(srcsrc)/sh_log_parse_samba.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_log_check.h $(srcinc)/sh_string.h 
 sh_nmail.o: $(srcsrc)/sh_nmail.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_mem.h $(srcinc)/sh_mail.h $(srcinc)/sh_tiger.h $(srcinc)/sh_string.h $(srcinc)/sh_utils.h $(srcinc)/sh_fifo.h $(srcinc)/sh_filter.h $(srcinc)/sh_mail_int.h $(srcinc)/zAVLTree.h 
 sh_filter.o: $(srcsrc)/sh_filter.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_utils.h $(srcinc)/sh_mem.h $(srcinc)/sh_filter.h 
 sh_inotify.o: $(srcsrc)/sh_inotify.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_calls.h $(srcinc)/sh_inotify.h $(srcinc)/sh_mem.h $(srcinc)/slib.h $(srcinc)/sh_calls.h 
+sh_log_correlate.o: $(srcsrc)/sh_log_correlate.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utils.h $(srcinc)/sh_string.h $(srcinc)/sh_log_check.h $(srcinc)/sh_log_evalrule.h 
+sh_log_mark.o: $(srcsrc)/sh_log_mark.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_mem.h $(srcinc)/sh_string.h $(srcinc)/sh_error_min.h $(srcinc)/sh_log_check.h $(srcinc)/sh_log_evalrule.h $(srcinc)/zAVLTree.h 
+sh_log_repeat.o: $(srcsrc)/sh_log_repeat.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utils.h $(srcinc)/sh_string.h $(srcinc)/sh_log_check.h $(srcinc)/sh_log_evalrule.h 

trunk/acconfig.h

@@ -342 +342 @@
 /* Define if UINT64 is 32 bits.                 */
 #undef UINT64_IS_32
+
+/* Define if you have uint64_t.               */
+#undef HAVE_UINT16_T
 
 /* Define if you have uint64_t.               */

trunk/configure.ac

@@ -495 +495 @@
 AC_C_LONG_DOUBLE
 SH_CHECK_TYPEDEF(long long, HAVE_LONG_LONG)
+SH_CHECK_TYPEDEF(uint16_t, HAVE_UINT16_T)
 SH_CHECK_TYPEDEF(uint64_t, HAVE_UINT64_T)
 if test "$sh_HAVE_LONG_LONG" = "yes"; then

trunk/depend.dep

@@ -7 +7 @@
 sh_files.o: $(srcsrc)/sh_files.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_error.h $(srcinc)/sh_utils.h $(srcinc)/sh_unix.h $(srcinc)/sh_files.h $(srcinc)/sh_tiger.h $(srcinc)/sh_hash.h $(srcinc)/sh_ignore.h $(srcinc)/zAVLTree.h 
 sh_getopt.o: $(srcsrc)/sh_getopt.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_error.h $(srcinc)/sh_getopt.h $(srcinc)/sh_files.h $(srcinc)/sh_utils.h $(srcinc)/sh_mail.h $(srcinc)/sh_forward.h $(srcinc)/sh_hash.h $(srcinc)/sh_extern.h 
-sh_readconf.o: $(srcsrc)/sh_readconf.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_error.h $(srcinc)/sh_database.h $(srcinc)/sh_unix.h $(srcinc)/sh_utils.h $(srcinc)/sh_files.h $(srcinc)/sh_mail.h $(srcinc)/sh_nmail.h $(srcinc)/sh_calls.h $(srcinc)/sh_tiger.h $(srcinc)/sh_forward.h $(srcinc)/sh_modules.h $(srcinc)/sh_gpg.h $(srcinc)/sh_hash.h $(srcinc)/sh_ignore.h $(srcinc)/sh_prelink.h $(srcinc)/sh_extern.h $(srcinc)/sh_tools.h $(srcinc)/sh_database.h $(srcinc)/sh_prelude.h 
+sh_readconf.o: $(srcsrc)/sh_readconf.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_calls.h $(srcinc)/sh_error.h $(srcinc)/sh_extern.h $(srcinc)/sh_files.h $(srcinc)/sh_forward.h $(srcinc)/sh_gpg.h $(srcinc)/sh_hash.h $(srcinc)/sh_ignore.h $(srcinc)/sh_database.h $(srcinc)/sh_mail.h $(srcinc)/sh_modules.h $(srcinc)/sh_nmail.h $(srcinc)/sh_prelink.h $(srcinc)/sh_prelude.h $(srcinc)/sh_tiger.h $(srcinc)/sh_tools.h $(srcinc)/sh_unix.h $(srcinc)/sh_utils.h 
 sh_tiger0.o: $(srcsrc)/sh_tiger0.c Makefile config_xor.h $(srcinc)/sh_tiger.h $(srcinc)/sh_unix.h $(srcinc)/sh_error.h $(srcinc)/sh_utils.h $(srcinc)/sh_pthread.h $(srcinc)/sh_string.h 
 sh_tiger1.o: $(srcsrc)/sh_tiger1.c Makefile config_xor.h 
@@ -72 +72 @@
 sh_log_parse_pacct.o: $(srcsrc)/sh_log_parse_pacct.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_log_check.h $(srcinc)/sh_utils.h $(srcinc)/sh_string.h 
 sh_log_parse_apache.o: $(srcsrc)/sh_log_parse_apache.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_log_check.h $(srcinc)/sh_utils.h $(srcinc)/sh_string.h 
-sh_log_evalrule.o: $(srcsrc)/sh_log_evalrule.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utils.h $(srcinc)/sh_string.h $(srcinc)/sh_log_check.h $(srcinc)/sh_log_evalrule.h $(srcinc)/zAVLTree.h 
-sh_log_check.o: $(srcsrc)/sh_log_check.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utils.h $(srcinc)/sh_string.h $(srcinc)/sh_log_check.h $(srcinc)/sh_log_evalrule.h $(srcinc)/sh_modules.h 
+sh_log_evalrule.o: $(srcsrc)/sh_log_evalrule.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utils.h $(srcinc)/sh_string.h $(srcinc)/sh_log_check.h $(srcinc)/sh_log_evalrule.h $(srcinc)/sh_log_correlate.h $(srcinc)/sh_log_mark.h $(srcinc)/sh_log_repeat.h $(srcinc)/zAVLTree.h 
+sh_log_check.o: $(srcsrc)/sh_log_check.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utils.h $(srcinc)/sh_unix.h $(srcinc)/sh_string.h $(srcinc)/sh_log_check.h $(srcinc)/sh_log_evalrule.h $(srcinc)/sh_log_correlate.h $(srcinc)/sh_log_mark.h $(srcinc)/sh_log_repeat.h $(srcinc)/sh_modules.h 
 sh_log_parse_samba.o: $(srcsrc)/sh_log_parse_samba.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_log_check.h $(srcinc)/sh_string.h 
 sh_nmail.o: $(srcsrc)/sh_nmail.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_mem.h $(srcinc)/sh_mail.h $(srcinc)/sh_tiger.h $(srcinc)/sh_string.h $(srcinc)/sh_utils.h $(srcinc)/sh_fifo.h $(srcinc)/sh_filter.h $(srcinc)/sh_mail_int.h $(srcinc)/zAVLTree.h 
 sh_filter.o: $(srcsrc)/sh_filter.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_utils.h $(srcinc)/sh_mem.h $(srcinc)/sh_filter.h 
 sh_inotify.o: $(srcsrc)/sh_inotify.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_calls.h $(srcinc)/sh_inotify.h $(srcinc)/sh_mem.h $(srcinc)/slib.h $(srcinc)/sh_calls.h 
+sh_log_correlate.o: $(srcsrc)/sh_log_correlate.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utils.h $(srcinc)/sh_string.h $(srcinc)/sh_log_check.h $(srcinc)/sh_log_evalrule.h 
+sh_log_mark.o: $(srcsrc)/sh_log_mark.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_mem.h $(srcinc)/sh_string.h $(srcinc)/sh_error_min.h $(srcinc)/sh_log_check.h $(srcinc)/sh_log_evalrule.h $(srcinc)/zAVLTree.h 
+sh_log_repeat.o: $(srcsrc)/sh_log_repeat.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utils.h $(srcinc)/sh_string.h $(srcinc)/sh_log_check.h $(srcinc)/sh_log_evalrule.h 

trunk/depend.sum

@@ -1 @@
-188553029
+968635974

trunk/docs/Changelog

@@ -1 @@
-2.6.1:
+2.6.1 (21-12-2009):
+        * add a routine to log monitoring module to guess the proper year 
+          for timestamps without year (standard syslog)
+        * add feature to automatically detect and report bursts of
+          similar messages in log monitoring module
+        * add feature to check for missing heartbeat messages in
+          log monitoring module
+        * cache UIDs/GIDs to reduce the number of lookups
         * use inotify to track login/logout (sh_inotify.c, sh_utmp.c)
         * support event correlation in log monitoring module
@@ -7 +14 @@
           sh_unix_count_mlock() (reported by Remco Landegge).
         
-2.6.0:
+2.6.0 (01-11-2009):
         * don't use statvfs() for process checking on FreeBSD
         * fix bug with parallel compilation of cutest in Makefile 

trunk/include/samhain.h

@@ -106 +106 @@
 #ifdef HAVE_STDINT_H
 #include <stdint.h>
+#endif
+
+#if !defined(HAVE_UINT16_T)
+#define UINT16 unsigned short
+#else
+#define UINT16 uint16_t
 #endif
 

trunk/include/sh_cat.h

@@ -168 +168 @@
  MSG_LOGMON_SUM,
  MSG_LOGMON_COR,
+ MSG_LOGMON_MARK,
+ MSG_LOGMON_BURST,
 #endif
 

trunk/include/sh_error.h

@@ -109 +109 @@
 void sh_error_fixup(void);
 
-/* convert a string to a numeric priority
- */ 
-int sh_error_convert_level (const char * str_s);
-
 /* only to stderr (GOOD/BAD)
  */

trunk/include/sh_error_min.h

@@ -25 +25 @@
                       long errnum, unsigned long  msg_index, ...);
 
+/* convert a string to a numeric priority
+ */ 
+int sh_error_convert_level (const char * str_s);
+
 #endif

trunk/include/sh_log_evalrule.h

@@ -39 +39 @@
 int sh_eval_process_msg(struct sh_logrecord * record);
 
-/* Match correlated rules
- */
-void sh_keep_match();
+enum policies {
+  EVAL_REPORT,
+  EVAL_SUM
+};
+
+struct sh_qeval  /* Queue with definitions */
+{
+  sh_string       * label;
+  enum policies     policy;
+  int               severity;
+  time_t            interval;        /* if EVAL_SUM, interval   */ 
+  struct sh_qeval * next;
+};
+
+struct sh_qeval * sh_log_find_queue(const char * str);
+
+int sh_log_lookup_severity(const char * str);
 
 #endif

trunk/include/sh_string.h

@@ -2 +2 @@
 #define SH_STRING_H
 
+#include <stdio.h>
 
 /* String definition and utility functions.
@@ -84 +85 @@
 char ** split_array_list(char *line, unsigned int * nfields, size_t * lengths);
 
+/* Same as above, but split on delimiter list (token)
+ */ 
+char ** split_array_token (char *line, 
+                           unsigned int * nfields, size_t * lengths,
+                           const char * token);
+
 /* Return a split_array_list() of a list contained in 'PREFIX\s*( list ).*'
  */

trunk/include/sh_unix.h

@@ -219 +219 @@
 void sh_unix_closeall (int fd, int except, int inchild);
 
+/* Check whether directory for pid file exists
+ */
+int sh_unix_check_piddir (char * pidpath);
 
 /* write lock for filename

trunk/src/samhain.c

@@ -753 +753 @@
 #endif
   delete_cache();
+  sh_userid_destroy ();
   sh_mem_stat();
 #endif

trunk/src/sh_cat.c

@@ -159 +159 @@
   { MSG_LOGMON_REP,  SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [Logfile] %s\" time=\"%s\" host=\"%s\" path=\"%s\"") },
   { MSG_LOGMON_SUM,  SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [Logfile] %s\" host=\"%s\" path=\"%s\"") },
-  { MSG_LOGMON_COR,  SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [Logfile] Correlated events %s\"") },
+  { MSG_LOGMON_COR,  SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [Logfile] Correlation event %s occured %d time(s)\"") },
+  { MSG_LOGMON_MARK, SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [Logfile] Event %s missing for %lu seconds\"") },
+  { MSG_LOGMON_BURST, SH_ERR_SEVERE, EVENT, N_("msg=\"POLICY [Logfile] Repeated %d times: %s\" host=\"%s\"") },
 #endif
 
@@ -487 +489 @@
   { MSG_LOGMON_EOPEN,SH_ERR_ERR,     RUN,   N_("msg=<Cannot open logfile %s>") },
   { MSG_LOGMON_EREAD,SH_ERR_ERR,     RUN,   N_("msg=<Error while reading logfile %s>") },
-  { MSG_LOGMON_REP,  SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [Logfile] %s> time=<%s> host=<%s> path=<%s>") },
+  { MSG_LOGMON_REP,  SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [Logfile] %s> time=<%s>, host=<%s>, path=<%s>") },
   { MSG_LOGMON_SUM,  SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [Logfile] %s> host=<%s> path=<%s>") },
-  { MSG_LOGMON_COR,  SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [Logfile] Correlated events %s>") },
+  { MSG_LOGMON_COR,  SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [Logfile] Correlation event %s occured %d time(s)>") },
+  { MSG_LOGMON_MARK, SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [Logfile] Event %s missing for %lu seconds>") },
+  { MSG_LOGMON_BURST, SH_ERR_SEVERE, EVENT, N_("msg=<POLICY [Logfile] Repeated %d times: %s>, host=<%s> ") },
 #endif
 

trunk/src/sh_inotify.c

@@ -304 +304 @@
       } while (len < 0 || errno == EINTR);
 
-      fprintf (stderr, "FIXME buflen=%ld\n", (long int) len);
-
       if (len > 0)
         {
@@ -317 +315 @@
             event = (struct inotify_event *) &buffer[i];
 
-            fprintf (stderr, "FIXME wd=%d mask=%u cookie=%u len=%u\n",
-                    event->wd, event->mask,
-                    event->cookie, event->len);
-
-            if (event->len > 0)
-              fprintf (stderr, "FIXME name=%s\n", event->name);
-
             for (j = 0; j < watches->count; ++j)
               {
-                fprintf (stderr, "FIXME %d watch=%d file=%s\n", 
-                         j, watches->watch[j], watches->file[j]);
-
                 if (watches->watch[j] == event->wd)
                   {
-                    
-                    fprintf (stderr, "FIXME wd=%d mask=%u\n",
-                             event->wd, event->mask);
-
                     if (event->mask & IN_MODIFY)
                       {

trunk/src/sh_log_check.c

@@ -23 +23 @@
 #include "sh_pthread.h"
 #include "sh_utils.h"
+#include "sh_unix.h"
 #include "sh_string.h"
 #include "sh_log_check.h"
 #include "sh_log_evalrule.h"
+#include "sh_log_correlate.h"
+#include "sh_log_mark.h"
+#include "sh_log_repeat.h"
 
 /* List of supported logfile types, format is
@@ -52 +56 @@
   ino_t  inode;
   fpos_t offset;
-  /* FIXME include filename hash */
 };
 
-const char * save_dir = NULL;
+static char * save_dir = NULL;
 
 static void * sh_dummy_path = NULL;
@@ -105 +108 @@
   if (path)
     {
+      if (0 != sh_unix_check_piddir (path))
+        {
+          SH_FREE(path);
+          return;
+        }
+
       fd = fopen(path, "wb");
       if (fd)
@@ -771 +780 @@
  **********************************************************/
 
+/* Return current year, unless that would result
+ * in a date far in the future. If that happens,
+ * return last year.
+ */
+static int year_guess (struct tm * btime)
+{
+  int           year;
+  struct tm     ts;
+  time_t        now    = time(NULL);
+  time_t        check;
+
+  memcpy(&ts, localtime(&now), sizeof(struct tm));
+  year = ts.tm_year;
+
+  /* Check result to detect year wrap
+   * (logfile entry from last year).
+   */
+  btime->tm_year = year;
+  check = mktime(btime);
+  if (check > (now + (86400*30)))
+    --year;
+
+  return year;
+}
+
 time_t conv_timestamp (struct tm * btime, 
                        struct tm * old_tm, time_t * old_time)
@@ -776 +810 @@
   time_t timestamp;
   long   offtime;
+
 
   /* timestamp - mktime is slooow, thus cache result
@@ -788 +823 @@
         (btime->tm_min  - old_tm->tm_min)  * 60   +
         (btime->tm_sec  - old_tm->tm_sec);
+
       *old_time += offtime;
       memcpy(old_tm, btime, sizeof(struct tm));
@@ -794 +830 @@
   else
     {
+      int year_btime = btime->tm_year;
+
+      if (btime->tm_year == 0)
+        btime->tm_year = year_guess(btime);
       timestamp = mktime(btime);
+      btime->tm_year = year_btime;
+
       *old_time  = timestamp;
       memcpy(old_tm, btime, sizeof(struct tm));
@@ -866 +908 @@
       sh_check_watches();
       sh_keep_match();
+      sh_log_mark_check();
     }
   SH_MUTEX_UNLOCK(mutex_logmon_check);
@@ -892 +935 @@
 int sh_log_check_cleanup(void) 
 {
+  sh_log_mark_destroy();
   return sh_log_check_reconf();
 }
@@ -907 +951 @@
 static int sh_logmon_add_rule  (const char * str);
 extern int sh_set_hidepid(const char *s);
+static int sh_logmon_set_save_dir(const char *s);
 
 sh_rconf sh_log_check_table[] = {
@@ -948 +993 @@
         N_("logmonhidepid"),
         sh_set_hidepid,
+    },
+    {
+        N_("logmonsavedir"),
+        sh_logmon_set_save_dir,
+    },
+    {
+        N_("logmonmarkseverity"),
+        sh_logmon_set_save_dir,
+    },
+    {
+        N_("logmonburstthreshold"),
+        sh_repeat_set_trigger,
+    },
+    {
+        N_("logmonburstqueue"),
+        sh_repeat_set_queue,
+    },
+    {
+        N_("logmonburstcron"),
+        sh_repeat_set_cron,
     },
     {
@@ -966 +1031 @@
 
   SL_RETURN((value), _("sh_logmon_set_active"));
+}
+
+static int sh_logmon_set_save_dir(const char *str) 
+{
+  int retval = -1;
+    
+  SL_ENTER(_("sh_logmon_set_save_dir"));
+
+  if (str && str[0] == '/')
+    {
+      if (save_dir)
+        {
+          SH_FREE(save_dir);
+          save_dir = NULL;
+        }
+      save_dir = sh_util_strdup(str);
+      retval = 0;
+    }
+
+  SL_RETURN((retval), _("sh_logmon_set_save_dir"));
 }
 

trunk/src/sh_log_evalrule.c

@@ -5 +5 @@
 #include <stdarg.h>
 #include <string.h>
+#include <ctype.h>
 #include <time.h>
 #include <limits.h>
@@ -31 +32 @@
 #include "sh_log_check.h"
 #include "sh_log_evalrule.h"
+#include "sh_log_correlate.h"
+#include "sh_log_mark.h"
+#include "sh_log_repeat.h"
 #include "zAVLTree.h"
 
@@ -38 +42 @@
 
 #ifdef DEBUG_EVALRULES
-void DEBUG(const char *fmt, ...)
+static void DEBUG(const char *fmt, ...)
 {
   va_list ap;
@@ -47 +51 @@
 }
 #else
-void DEBUG(const char *fmt, ...)
+static void DEBUG(const char *fmt, ...)
 {
   (void) fmt;
@@ -53 +57 @@
 }
 #endif
-
-enum policies {
-  EVAL_REPORT,
-  EVAL_SUM
-};
 
 struct sh_ceval    /* Counter for summarizing    */
@@ -80 +79 @@
 }
 
-struct sh_qeval  /* Queue with definitions */
-{
-  sh_string       * label;
-  enum policies     policy;
-  int               severity;
-  time_t            interval;        /* if EVAL_SUM, interval   */ 
-  struct sh_qeval * next;
-};
-
 enum {
   RFL_ISRULE  = 1 << 0,
   RFL_ISGROUP = 1 << 1,
-  RFL_KEEP    = 1 << 2
+  RFL_KEEP    = 1 << 2,
+  RFL_MARK    = 1 << 3
 };
 
-/*--------------------------------------------------------------*/
-
-struct sh_keep
-{
-  sh_string       * label;           /* label of keep rule   */
-  unsigned long     delay;           /* valid delay             */
-  time_t            last;            /* seen at                 */
-  struct sh_keep *  next; 
-};
-
-static struct sh_keep * keeplist  = NULL;
-static struct sh_keep * keeplast  = NULL;
-static unsigned long    keepcount = 0;
-
-static void sh_keep_free(void * item)
-{
-  struct sh_keep * keep = (struct sh_keep *) item;
-  if (!keep)
-    return;
-  sh_string_destroy(&(keep->label));
-  SH_FREE(keep);
-}
-
-static void sh_keep_destroy()
-{
-  struct sh_keep * keep;
-
-  while (keeplist)
-    {
-      keep = keeplist;
-      keeplist = keep->next;
-      sh_keep_free(keep);
-      --keepcount;
-    }
-  keeplist  = NULL;
-  keeplast  = NULL;
-  keepcount = 0;
-}
-
-static int sh_keep_add(sh_string * label, unsigned long delay, time_t last)
-{
-  struct sh_keep * keep = SH_ALLOC(sizeof(struct sh_keep));
-
-  keep->label = sh_string_copy(label);
-  keep->delay = delay;
-  keep->last  = last;
-  keep->next  = NULL;
-
-  if (keeplast && keeplist)
-    {
-      keeplast->next = keep;
-      keeplast       = keep;
-    }
-  else
-    {
-      keeplist = keep;
-      keeplast = keeplist;
-    }
-  ++keepcount;
-  return 0;
-}
-
-int sh_keep_comp(const void * a, const void * b)
-{
-  return ( (int)(((struct sh_keep *)a)->last) - 
-           (int)(((struct sh_keep *)b)->last) );
-}
-
-static sh_string * sh_keep_eval()
-{
-  unsigned long count   = 0;
-  sh_string * res       = NULL;
-  time_t now            = time(NULL);
-  struct sh_keep * keep = keeplist;
-  struct sh_keep * prev = keeplist;
-  struct sh_keep * arr;
-
-  if (keepcount > 0)
-    {
-      arr = SH_ALLOC (keepcount * sizeof(struct sh_keep));
-
-      while (count < keepcount && keep)
-        {
-          if ((now > keep->last) && ((unsigned long)(now - keep->last) <= keep->delay))
-            {
-              memcpy(&(arr[count]), keep, sizeof(struct sh_keep));
-              ++count;
-              prev = keep;
-              keep = keep->next;
-            }
-          else /* Too old or in future, delete it */
-            {
-              if (keep != keeplist)
-                {
-                  prev->next = keep->next;
-                  sh_keep_free(keep);
-                  keep = prev->next;
-                  --keepcount;
-                }
-              else /* list head */
-                {
-                  keeplist = keep->next;
-                  prev     = keeplist;
-                  sh_keep_free(keep);
-                  keep     = keeplist;
-                  --keepcount;
-                }
-            }
-        }
-
-      if (count > 0)
-        {
-          unsigned long i;
-          qsort(arr, count, sizeof(struct sh_keep), sh_keep_comp);
-          res = sh_string_copy(arr[0].label);
-          for (i = 1; i < count; ++i)
-            res = sh_string_add(res, arr[i].label);
-        }
-      SH_FREE(arr);
-    }
-  return res;
-}
-
-struct sh_mkeep
-{
-  sh_string       * label;           /* label of match rule     */
-  pcre            * rule;            /* compiled regex for rule */
-  struct sh_qeval * queue;           /* assigned queue          */
-  struct sh_mkeep * next; 
-};
-
-struct sh_mkeep * mkeep_list = NULL;
-
-static struct sh_qeval * find_queue(const char * str);
-
-static int sh_keep_match_add(const char * str, const char * queue, const char * pattern)
-{
-  unsigned int nfields = 1; /* seconds:label */
-  size_t       lengths[1];
-  char *       new    = sh_util_strdup(str);
-  char **      splits = split_array_braced(new, _("CORRELATE"), &nfields, lengths);
-
-  if (nfields == 1 && lengths[0] > 0)
-    {
-      struct sh_mkeep * mkeep = SH_ALLOC(sizeof(struct sh_mkeep));
-      const char * error;
-      int          erroffset;
-      struct sh_qeval * rqueue = NULL;
-
-      mkeep->rule = pcre_compile(pattern, PCRE_NO_AUTO_CAPTURE, 
-                             &error, &erroffset, NULL);
-      if (!(mkeep->rule))
-        {
-          sh_string * msg =  sh_string_new(0);
-          sh_string_add_from_char(msg, _("Bad regex: "));
-          sh_string_add_from_char(msg, pattern);
-          
-          SH_MUTEX_LOCK(mutex_thread_nolog);
-          sh_error_handle(SH_ERR_ERR, FIL__, __LINE__, 0, MSG_E_SUBGEN,
-                          sh_string_str(msg),
-                          _("sh_keep_match_add"));
-          SH_MUTEX_UNLOCK(mutex_thread_nolog);
-          sh_string_destroy(&msg);
-          
-          SH_FREE(splits);
-          SH_FREE(mkeep);
-          SH_FREE(new);
-          return -1;
-        }
-
-      if (0 != strcmp(queue, _("trash")))
-        {
-
-          rqueue = find_queue(queue);
-          if (!rqueue)
-            {
-              pcre_free(mkeep->rule);
-              SH_FREE(splits);
-              SH_FREE(mkeep);
-              SH_FREE(new);
-              return -1;
-            }
-        }
-
-      mkeep->queue = rqueue;
-      mkeep->label = sh_string_new_from_lchar(splits[0], strlen(splits[0]));
-      mkeep->next  = mkeep_list;
-      mkeep_list   = mkeep;
-    }
-  SH_FREE(new);
-  return 0;
-}
-
-static void sh_keep_match_del()
-{
-  struct sh_mkeep * mkeep = mkeep_list;
-  while (mkeep)
-    {
-      mkeep_list = mkeep->next;
-      sh_string_destroy(&(mkeep->label));
-      pcre_free(mkeep->rule);
-      mkeep = mkeep_list;
-    }
-  mkeep_list = NULL;
-}
-
-static struct sh_mkeep ** dummy_mkeep;
-
-void sh_keep_match()
-{
-  if (mkeep_list)
-    {
-      sh_string       * res = sh_keep_eval();
-
-      if (res)
-        {
-          struct sh_mkeep * mkeep = mkeep_list;
-
-          dummy_mkeep = &mkeep;
-
-          while (mkeep)
-            {
-              int val = pcre_exec(mkeep->rule, NULL, 
-                                  sh_string_str(res), (int)sh_string_len(res), 
-                                  0, 0, NULL, 0);
-              if (val >= 0)
-                {
-                  char * tmp;
-                  SH_MUTEX_LOCK(mutex_thread_nolog);
-                  tmp = sh_util_safe_name (sh_string_str(mkeep->label));
-                  sh_error_handle (mkeep->queue->severity, FIL__, __LINE__, 0, 
-                                   MSG_LOGMON_COR, tmp);
-                  SH_FREE(tmp);
-                  SH_MUTEX_UNLOCK(mutex_thread_nolog);
-                }
-              mkeep = mkeep->next;
-            }
-          sh_string_destroy(&res);
-        }
-    }
-  return;
-}
-
-/*--------------------------------------------------------------*/
+
+/*--------------------------------------------------------------
+ *
+ *   Adding rules/groups/hosts
+ *
+ *--------------------------------------------------------------*/
 
 struct sh_geval  /* Group of rules (may be a single rule) */
@@ -623 +376 @@
 }
 
-static struct sh_qeval * find_queue(const char * str)
+struct sh_qeval * sh_log_find_queue(const char * str)
 {
   struct sh_qeval * retval = queuelist;
@@ -639 +392 @@
 }
 
-char * get_keep(char * str, unsigned long * seconds)
+int sh_log_lookup_severity(const char * str)
+{
+  struct sh_qeval * queue;
+
+  if (str)
+    {
+      if (0 != strcmp(str, _("trash")))
+        {
+          queue = sh_log_find_queue(str);
+          
+          if (queue)
+            return queue->severity;
+        }
+    }
+  return SH_ERR_SEVERE;
+}
+
+static char * get_label_and_time(const char * inprefix, char * str, 
+                                 unsigned long * seconds)
 {
   char       * res    = NULL;
@@ -646 +417 @@
   unsigned int nfields = 2; /* seconds:label */
   size_t       lengths[2];
+  char *       prefix = sh_util_strdup(inprefix);
   char *       new    = sh_util_strdup(str);
-  char **      splits = split_array_braced(new, _("KEEP"), &nfields, lengths);
-
-  if (nfields == 2 && lengths[0] > 0 && lengths[1] > 0)
+  char **      splits = split_array_braced(new, prefix, &nfields, lengths);
+
+  if (splits && nfields == 2 && lengths[0] > 0 && lengths[1] > 0)
     {
       *seconds = strtoul(splits[0], &endptr, 10);
@@ -660 +432 @@
     SH_FREE(splits);
   SH_FREE(new);
+  SH_FREE(prefix);
   return res;
 }
@@ -677 +450 @@
   int          captures = 0;
   unsigned int nfields = 2; /* queue:regex */
-  size_t       lengths[2];
+  size_t       lengths[3];
   char *       new    = sh_util_strdup(str);
-  char **      splits = split_array(new, &nfields, ':', lengths);
-
-  int           qpos = 0;
-  volatile int  rpos = 1;
-  unsigned long dsec = 0;
-  char *        dstr = NULL;
+  char **      splits;
+
+  int           qpos  = 0;
+  volatile int  rpos  = 1;
+  unsigned long dsec  = 0;
+  char *        dstr  = NULL;
+  char *        s     = new;
+  volatile char pflag = '-';
+
+  while ( *s && isspace((int)*s) ) ++s;
+  if (0 == strncmp(s, _("KEEP"), 4)      || 
+      0 == strncmp(s, _("CORRELATE"), 9) ||
+      0 == strncmp(s, _("MARK"), 4))
+    {
+      pflag   = s[0];
+      nfields = 3;
+    }
+
+  splits = split_array(new, &nfields, ':', lengths);
 
   dummy_queue = &queue;
@@ -698 +484 @@
   if (nfields == 3)
     {
-      /* KEEP(nsec):queue:regex
-       */
-      dstr = get_keep(splits[0], &dsec);
-      if (!dstr)
-        {
-          /* CORRELATE:queue:regex 
+      if (pflag == 'K')
+        {
+          /* KEEP(nsec,label):queue:regex
+           */
+          dstr = get_label_and_time(_("KEEP"), splits[0], &dsec);
+          if (!dstr)
+            {
+              SH_FREE(splits);
+              SH_FREE(new);
+              return -1;
+            }
+        }
+      else if (pflag == 'C')
+        {
+          /* CORRELATE(description):queue:regex 
            */
           int retval = sh_keep_match_add(splits[0], splits[1], splits[2]);
@@ -710 +505 @@
           return retval;
         }
+      else if (pflag == 'M')
+        {
+          /* MARK(description, interval):queue:regex 
+           */
+          int retval = -1;
+
+          dstr = get_label_and_time(_("MARK"), splits[0], &dsec);
+          if (dstr)
+            {
+              retval = sh_log_mark_add(dstr, dsec, splits[1]);
+            }
+          if (retval != 0)
+            {
+              SH_FREE(splits);
+              SH_FREE(new);
+              return retval;
+            }
+        }
       ++qpos; ++rpos;
     }
@@ -715 +528 @@
   if (0 != strcmp(splits[qpos], _("trash")))
     {
-      queue = find_queue(splits[qpos]);
+      queue = sh_log_find_queue(splits[qpos]);
       if (!queue)
         {
@@ -784 +597 @@
 
 
-  if (dstr)
+  if (pflag == 'K')
     {
       nr->label   = sh_string_new_from_lchar(dstr, strlen(dstr));
       nr->flags  |= RFL_KEEP;
+      nr->delay   = dsec;
+      SH_FREE(dstr);
+    }
+  else if (pflag == 'M')
+    {
+      nr->label   = sh_string_new_from_lchar(dstr, strlen(dstr));
+      nr->flags  |= RFL_MARK;
       nr->delay   = dsec;
       SH_FREE(dstr);
@@ -1005 +825 @@
                   sl_snprintf(emsg,  SH_ERRBUF_SIZE, _("Rule %d matches, result = %d (keep)"), 
                               count, res);
+                else if ( rule->flags & RFL_MARK )
+                  sl_snprintf(emsg,  SH_ERRBUF_SIZE, _("Rule %d matches, result = %d (mark)"), 
+                              count, res);
                 else
                   sl_snprintf(emsg,  SH_ERRBUF_SIZE, _("Rule %d matches, result = %d"), 
@@ -1020 +843 @@
                 sh_keep_add(rule->label, rule->delay, 
                             timestamp == 0 ? time(NULL) : timestamp);
+              }
+
+            else if ( rule->flags & RFL_MARK )
+              {
+                DEBUG("debug: rule %d matches (mark)\n", count);
+                sh_log_mark_update(rule->label,
+                                   timestamp == 0 ? time(NULL) : timestamp);
               }
 
@@ -1349 +1179 @@
           msg_report(DEFAULT_SEVERITY, NULL, record);
         }
+
+      sh_repeat_message_check(record->host, 
+                              record->message, 
+                              record->timestamp);
+                              
       return 0;
     }

trunk/src/sh_log_parse_syslog.c

@@ -72 +72 @@
 
 
-  if (sh_string_len(logline) > 0 && flag_err_debug == SL_TRUE)
+  if (flag_err_debug == SL_TRUE && sh_string_len(logline) > 0)
     {
       SH_MUTEX_LOCK(mutex_thread_nolog);

trunk/src/sh_readconf.c

@@ -28 +28 @@
 
 #include "samhain.h"
+#include "sh_calls.h"
 #include "sh_error.h"
-#include "sh_database.h"
-#include "sh_unix.h"
-#include "sh_utils.h"
+#include "sh_extern.h"
 #include "sh_files.h"
-#include "sh_mail.h"
-#include "sh_nmail.h"
-#include "sh_calls.h"
-#include "sh_tiger.h"
 #include "sh_forward.h"
-#include "sh_modules.h"
 #include "sh_gpg.h"
 #include "sh_hash.h"
 #include "sh_ignore.h"
+#include "sh_database.h"
+#include "sh_mail.h"
+#include "sh_modules.h"
+#include "sh_nmail.h"
 #include "sh_prelink.h"
-#include "sh_extern.h"
-#include "sh_tools.h"
-
-#ifdef WITH_DATABASE
-#include "sh_database.h"
-#endif
-
 #ifdef HAVE_LIBPRELUDE
 #include "sh_prelude.h"
 #endif
+#include "sh_tiger.h"
+#include "sh_tools.h"
+#include "sh_unix.h"
+#include "sh_utils.h"
+
 
 extern int set_reverse_lookup (const char * c);

trunk/src/sh_socket.c

@@ -385 +385 @@
     }
 
+  if (0 != sh_unix_check_piddir (sh_sockname))
+    {
+      SH_FREE(sh_sockname);
+      SL_RETURN((-1),_("sh_socket_open_int"));
+    }
 
   pf_unix_fd = socket (PF_UNIX, SOCK_STREAM, 0);

trunk/src/sh_string.c

@@ -133 +133 @@
 char ** split_array_ws_int (char *line, 
                             unsigned int * nfields, size_t * lengths,
-                            int isList)
+                            const char *delim, int isList)
 {
   char *a, *e, *s;
@@ -161 +161 @@
       else
         {
-          if ( *s && (*s == ' ' || *s == '\t' || *s == ','))
-            {
-              do {
-                ++s;
-              } while ( *s && (*s == ' ' || *s == '\t' || *s == ','));
-            }
+          if ( *s && strchr(delim, (int)*s))
+            {
+              do {
+                ++s;
+              } while ( *s && strchr(delim, (int)*s));
+            }
+
         }
 
@@ -183 +184 @@
           else
             {
-              do {
-                a++;
-              } while ( *a && (*a != ' ' && *a != '\t' && *a != ','));
+              do {
+                a++;
+              } while ( *a && NULL == strchr(delim, (int)*a));
             }
 
@@ -231 +232 @@
                         unsigned int * nfields, size_t * lengths)
 {
-  return split_array_ws_int (line, nfields, lengths, SH_SPLIT_WS);
+  return split_array_ws_int (line, nfields, lengths, NULL, SH_SPLIT_WS);
 }
 
@@ -237 +238 @@
                           unsigned int * nfields, size_t * lengths)
 {
-  return split_array_ws_int (line, nfields, lengths, SH_SPLIT_LIST);
+  return split_array_ws_int (line, nfields, lengths, ", \t", SH_SPLIT_LIST);
+}
+
+char ** split_array_token (char *line, 
+                           unsigned int * nfields, size_t * lengths,
+                           const char * token)
+{
+  return split_array_ws_int (line, nfields, lengths, token, SH_SPLIT_LIST);
 }
 

trunk/src/sh_unix.c

@@ -4235 +4235 @@
 }
 
-int sh_unix_check_piddir (char * pidfile)
+int sh_unix_check_piddir (char * pidpath)
 {
   static        struct stat   buf;
@@ -4243 +4243 @@
   SL_ENTER(_("sh_unix_check_piddir"));
 
-  pid_dir = sh_util_dirname (pidfile);
+  pid_dir = sh_util_dirname (pidpath);
 
   status = retry_lstat (FIL__, __LINE__, pid_dir, &buf);