Index: /trunk/docs/Changelog =================================================================== --- /trunk/docs/Changelog (revision 356) +++ /trunk/docs/Changelog (revision 357) @@ -1,3 +1,5 @@ 2.8.6: + * Fix problems with timestamp handling in logfile correlation + (problem reported by D. Dearmore) * List the policy under which a directory/file is checked * Option to use a textfile with a list of files for update Index: /trunk/src/sh_log_check.c =================================================================== --- /trunk/src/sh_log_check.c (revision 356) +++ /trunk/src/sh_log_check.c (revision 357) @@ -896,6 +896,4 @@ status = (int) sh_string_read(s, logfile->fp, 8192); - /* fprintf(stderr, "FIXME: %s\n", sh_string_str(s)); */ - /* restore old signal handler */ @@ -1106,5 +1104,4 @@ long offtime; - /* timestamp - mktime is slooow, thus cache result */ @@ -1131,5 +1128,4 @@ timestamp = mktime(btime); btime->tm_year = year_btime; - *old_time = timestamp; memcpy(old_tm, btime, sizeof(struct tm)); Index: /trunk/src/sh_log_correlate.c =================================================================== --- /trunk/src/sh_log_correlate.c (revision 356) +++ /trunk/src/sh_log_correlate.c (revision 357) @@ -57,4 +57,5 @@ { struct sh_keep * keep = (struct sh_keep *) item; + if (!keep) return; @@ -125,5 +126,5 @@ while (count < keepcount && keep) { - if ((now > keep->last) && + if ((now >= keep->last) && ((unsigned long)(now - keep->last) <= keep->delay)) { @@ -163,4 +164,5 @@ SH_FREE(arr); } + return res; } @@ -172,4 +174,5 @@ sh_string * label; /* label of match rule */ pcre * rule; /* compiled regex for rule */ + time_t reported; /* last reported */ struct sh_qeval * queue; /* assigned queue */ struct sh_mkeep * next; @@ -232,4 +235,5 @@ mkeep->queue = rqueue; mkeep->label = sh_string_new_from_lchar(splits[0], strlen(splits[0])); + mkeep->reported = 0; mkeep->next = mkeep_list; mkeep_list = mkeep; @@ -297,19 +301,27 @@ { sh_string * alias; - SH_MUTEX_LOCK(mutex_thread_nolog); - sh_error_handle (mkeep->queue->severity, FIL__, __LINE__, 0, - MSG_LOGMON_COR, sh_string_str(mkeep->label), - val); - - alias = mkeep->queue->alias; - if (alias) + time_t now = time(NULL); + + if ((mkeep->reported < now) && + (60 < (now - mkeep->reported))) { - sh_error_mail (sh_string_str(alias), - mkeep->queue->severity, FIL__, __LINE__, 0, - MSG_LOGMON_COR, sh_string_str(mkeep->label), - val); + mkeep->reported = now; + + SH_MUTEX_LOCK(mutex_thread_nolog); + sh_error_handle (mkeep->queue->severity, FIL__, __LINE__, 0, + MSG_LOGMON_COR, sh_string_str(mkeep->label), + val); + + alias = mkeep->queue->alias; + if (alias) + { + sh_error_mail (sh_string_str(alias), + mkeep->queue->severity, FIL__, __LINE__, 0, + MSG_LOGMON_COR, sh_string_str(mkeep->label), + val); + } + + SH_MUTEX_UNLOCK(mutex_thread_nolog); } - - SH_MUTEX_UNLOCK(mutex_thread_nolog); } mkeep = mkeep->next; Index: /trunk/src/sh_log_evalrule.c =================================================================== --- /trunk/src/sh_log_evalrule.c (revision 356) +++ /trunk/src/sh_log_evalrule.c (revision 357) @@ -885,5 +885,5 @@ if ( rule->flags & RFL_KEEP ) { - DEBUG("debug: rule %d matches (keep)\n", count); + DEBUG("debug: rule %d matches (keep), timestamp = %lu\n", count, timestamp); sh_keep_add(rule->label, rule->delay, timestamp == 0 ? time(NULL) : timestamp); Index: /trunk/src/sh_log_parse_apache.c =================================================================== --- /trunk/src/sh_log_parse_apache.c (revision 356) +++ /trunk/src/sh_log_parse_apache.c (revision 357) @@ -351,4 +351,7 @@ struct tm btime; char * ptr = NULL; + + memset(&btime, '\0', sizeof(struct tm)); + btime.tm_isdst = -1; /* example: 01/Jun/2008:07:55:28 +0200 */ Index: /trunk/src/sh_log_parse_samba.c =================================================================== --- /trunk/src/sh_log_parse_samba.c (revision 356) +++ /trunk/src/sh_log_parse_samba.c (revision 357) @@ -76,4 +76,6 @@ memset(&btime, '\0', sizeof(struct tm)); + btime.tm_isdst = -1; + ptr = strptime(sh_string_str(logline), format_1, &btime); Index: /trunk/src/sh_log_parse_syslog.c =================================================================== --- /trunk/src/sh_log_parse_syslog.c (revision 356) +++ /trunk/src/sh_log_parse_syslog.c (revision 357) @@ -95,4 +95,5 @@ memset(&btime, '\0', sizeof(struct tm)); + btime.tm_isdst = -1; /* This is RFC 3164.