/* A rule whose action is rate limited: the generated message has to show up
 * after the first trigger, stay suppressed while the limit is in effect, and
 * show up again once enough (simulated) time has passed. */
static void
test_simple_rule_with_rate_limited_action(void)
{
  const char *msg = "simple-message-with-rate-limited-action";

  /* class="violation" on the rule is reflected in the classifier tag */
  assert_msg_matches_and_has_tag(msg, ".classifier.violation", TRUE);

  /* Expected output sequence (indices are output message positions):
   *   [0] trigger
   *   [1] GENERATED (first hit, the rate limit lets it through)
   *   [2] trigger
   *   [3] trigger
   *   [4] trigger
   *   [5] GENERATED (rate limit satisfied again because of the time advance) */
  assert_msg_matches_and_output_message_nvpair_equals(msg, 1,
                                                      "MESSAGE", "generated-message-rate-limit");

  /* keep patterndb state between calls so the follow-up triggers hit the
   * same, still active, rate limit and produce no generated message */
  _dont_reset_patterndb_state_for_the_next_call();
  assert_msg_matches_and_no_such_output_message(msg, 3);

  _dont_reset_patterndb_state_for_the_next_call();
  assert_msg_matches_and_no_such_output_message(msg, 4);

  /* move the clock 120 seconds ahead before the last trigger: the action is
   * expected to fire once more */
  _dont_reset_patterndb_state_for_the_next_call();
  _advance_time(120);
  assert_msg_matches_and_output_message_nvpair_equals(msg, 5,
                                                      "MESSAGE", "generated-message-rate-limit");
}
/* Loading a ruleset that exercises the complete patterndb XML syntax must
 * succeed; a single match against one of its rules proves the patterns were
 * actually loaded. The database is torn down again at the end. */
static void
test_patterndb_loads_a_syntactically_complete_xml_properly(void)
{
  const char *ruleset_xml = pdb_complete_syntax;

  _load_pattern_db_from_string(ruleset_xml);

  /* the classifier tag can only be present if the rule was loaded */
  assert_msg_matches_and_has_tag("simple-message", ".classifier.system", TRUE);

  _destroy_pattern_db();
}
/* A simple rule with a conditional action: the tag is assigned from the rule's
 * class and the generated message is emitted as the second output message. */
static void
test_simple_rule_with_action_condition(void)
{
  const char *msg = "simple-message-with-action-condition";

  /* class="violation" becomes the .classifier.violation tag */
  assert_msg_matches_and_has_tag(msg, ".classifier.violation", TRUE);

  /* output [0] is the trigger itself, [1] is the action's generated message */
  assert_msg_matches_and_output_message_nvpair_equals(msg, 1,
                                                      "MESSAGE", "generated-message-on-condition");
}
/* A correlation rule whose action is bound to the context timeout: the
 * generated message must only appear once the 60 second timeout has elapsed. */
static void
test_correllation_rule_with_action_on_timeout(void)
{
  const char *msg = "correllated-message-with-action-on-timeout";
  const gint context_timeout = 60;

  /* class="violation" becomes the .classifier.violation tag */
  assert_msg_matches_and_has_tag(msg, ".classifier.violation", TRUE);

  /* the helper advances time by the given timeout before inspecting output [1] */
  assert_msg_matches_and_output_message_nvpair_equals_with_timeout(msg, context_timeout, 1,
      "MESSAGE", "generated-message-on-timeout");
}
/* A correlation rule with an action triggered on match: besides the classifier
 * tag, the generated message carries the context id and the tag configured on
 * the rule. */
static void
test_correllation_rule_with_action_on_match(void)
{
  const char *msg = "correllated-message-with-action-on-match";
  const gint generated_idx = 1;

  /* class="violation" becomes the .classifier.violation tag */
  assert_msg_matches_and_has_tag(msg, ".classifier.violation", TRUE);

  /* output [1] is the generated message: check its text ... */
  assert_msg_matches_and_output_message_nvpair_equals(msg, generated_idx,
                                                      "MESSAGE", "generated-message-on-match");
  /* ... the context id it inherited ... */
  assert_msg_matches_and_output_message_nvpair_equals(msg, generated_idx,
                                                      "context-id", "999");
  /* ... and the tag set by the rule */
  assert_msg_matches_and_output_message_has_tag(msg, generated_idx,
                                                "correllated-msg-tag", TRUE);
}
/* A correlation rule without actions: the context is keyed by the pid, and the
 * context length grows with every message as long as the patterndb state is
 * carried over between calls. */
static void
test_correllation_rule_without_actions(void)
{
  const char *msg = "correllated-message-based-on-pid";
  const char *length_name = "correllated-msg-context-length";

  /* class="system" becomes the .classifier.system tag */
  assert_msg_matches_and_has_tag(msg, ".classifier.system", TRUE);

  /* the context id is derived from our own pid */
  assert_msg_matches_and_nvpair_equals(msg, "correllated-msg-context-id", MYPID);

  /* first message: the context holds only this message */
  assert_msg_matches_and_nvpair_equals(msg, length_name, "1");

  /* keep state, so the second and third messages join the same context */
  _dont_reset_patterndb_state_for_the_next_call();
  assert_msg_matches_and_nvpair_equals(msg, length_name, "2");

  _dont_reset_patterndb_state_for_the_next_call();
  assert_msg_matches_and_nvpair_equals(msg, length_name, "3");
}
<pattern>correllated-message-that-uses-context-created-by-rule-id#12</pattern>\ </patterns>\ <values>\ <value name='triggering-message'>${MESSAGE}@1 assd</value>\ </values>\ </rule>\ <rule provider='test' id='14' class='violation' context-id='1001' context-timeout='60' context-scope='program'>\ <patterns>\ <pattern>correllated-message-with-action-to-create-context</pattern>\ </patterns>\ <values>\ <value name='rule-msg-context-id'>${.classifier.context_id}</value>\ </values>\ <actions>\ <action trigger='match'>\ <create-context context-id='1002' context-timeout='60' context-scope='program'>\ <message inherit-properties='context'>\ <values>\ <!-- we should inherit from the LogMessage matching this rule and not the to be created context -->\ <value name='MESSAGE'>context message ${rule-msg-context-id}</value>\ </values>\ </message>\ </create-context>\ </action>\ </actions>\ </rule>\ <rule provider='test' id='15' class='violation' context-id='1002' context-timeout='60' context-scope='program'>\ <patterns>\ <pattern>correllated-message-that-uses-context-created-by-rule-id#14</pattern>\ </patterns>\ <values>\ <value name='triggering-message'>${MESSAGE}@1 assd</value>\ <value name='triggering-message-context-id'>$(grep ('${rule-msg-context-id}' ne '') ${rule-msg-context-id})</value>\ </values>\ </rule>\ </rules>\ </ruleset>\ </patterndb>";

/* The most basic rule: no context and no actions. Only the classifier tag,
 * the rule's <tags/> and its <values/> are expected to land on the message. */
static void
test_simple_rule_without_context_or_actions(void)
{
  const char *msg = "simple-message";

  /* class="system" becomes the .classifier.system tag */
  assert_msg_matches_and_has_tag(msg, ".classifier.system", TRUE);

  /* TAGS lists the classifier tag followed by the tags from <tags/> */
  assert_msg_matches_and_nvpair_equals(msg, "TAGS",
                                       ".classifier.system,simple-msg-tag1,simple-msg-tag2");

  /* name-value pairs set through the rule's <values/>; simple-msg-host is
   * presumably a template that expands to our own host name (MYHOST) */
  assert_msg_matches_and_nvpair_equals(msg, "simple-msg-value-1", "value1");
  assert_msg_matches_and_nvpair_equals(msg, "simple-msg-value-2", "value2");
  assert_msg_matches_and_nvpair_equals(msg, "simple-msg-host", MYHOST);
}