/*
 * Apply every transform of the set to KEY when KEY matches the set's glob
 * pattern.
 *
 * Returns a string the caller owns in both cases: a g_strdup() copy of KEY
 * when the pattern does not match, otherwise the transformed text detached
 * from a pooled scratch buffer.
 */
gchar *
value_pairs_transform_set_apply(ValuePairsTransformSet *vpts, gchar *key)
{
  SBGString *scratch;
  GList *node;
  gchar *result;

  /* Non-matching keys are handed back as an independent copy. */
  if (!g_pattern_match_string(vpts->pattern, key))
    return g_strdup(key);

  scratch = sb_gstring_acquire ();
  g_string_assign(sb_gstring_string(scratch), key);

  /* Each transform edits the scratch buffer in place, in list order. */
  for (node = vpts->transforms; node; node = node->next)
    value_pairs_transform_apply((ValuePairsTransform *) node->data, scratch);

  /*
   * Remember the character data first, then detach it from the GString so
   * that returning the scratch buffer to its pool cannot free or reuse the
   * memory handed to the caller.
   * NOTE(review): this relies on g_string_steal() leaving the old ->str
   * allocation untouched; its definition is not visible here -- confirm.
   */
  result = sb_gstring_string(scratch)->str;
  g_string_steal(sb_gstring_string(scratch));
  sb_gstring_release (scratch);

  return result;
}
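/*
 * Decide whether the action in PROCESS_PARAMS may run now under its rate
 * limit of action->rate credits per action->rate_quantum timer-wheel time
 * units.
 *
 * Returns TRUE when the action has no limit (rate == 0) or when a credit was
 * available, in which case the credit is consumed; returns FALSE when the
 * bucket is empty.
 *
 * The bucket is stored in db->rate_limits under a correlation key built from
 * "<rule_id>:<action id>" and the rule's context scope.
 */
static gboolean
_is_action_within_rate_limit(PatternDB *db, PDBProcessParams *process_params)
{
  PDBRule *rule = process_params->rule;
  PDBAction *action = process_params->action;
  LogMessage *msg = process_params->msg;
  GString *buffer = process_params->buffer;
  CorrellationKey key;
  PDBRateLimit *rl;
  guint64 now;

  if (action->rate == 0)
    return TRUE;

  g_string_printf(buffer, "%s:%d", rule->rule_id, action->id);
  correllation_key_setup(&key, rule->context.scope, msg, buffer->str);

  rl = g_hash_table_lookup(db->rate_limits, &key);
  if (!rl)
    {
      rl = pdb_rate_limit_new(&key);
      g_hash_table_insert(db->rate_limits, &rl->key, rl);
      /*
       * The key was set up from buffer->str; detach that string from the
       * buffer so the next write to the buffer cannot overwrite or free it.
       * NOTE(review): assumes pdb_rate_limit_new() keeps the pointer instead
       * of copying the string -- confirm.
       */
      g_string_steal(buffer);
    }

  now = timer_wheel_get_time(db->timer_wheel);
  if (rl->last_check == 0)
    {
      /* First use of this bucket: start full. */
      rl->last_check = now;
      rl->buckets = action->rate;
    }
  else
    {
      /*
       * Credits earned since the last refill.  The original one-line
       * fixed-point expression divided by (rate_quantum << 8) / rate, which
       * is zero whenever rate > 256 * rate_quantum (or rate_quantum == 0), so
       * such a configured rate raised a division by zero; its result was also
       * truncated into a gint.  The cases are separated here so that no path
       * divides by zero or overflows.
       * NOTE(review): assumes action->rate is positive and fits in a gint --
       * confirm against the rule loader.
       */
      gint64 elapsed = (gint64) (now - rl->last_check);
      gint64 rate = (gint64) action->rate;
      gint64 quantum = (gint64) action->rate_quantum;
      gint64 credits;

      if (elapsed <= 0)
        {
          /* No time has passed (or the clock went backwards): no refill. */
          credits = 0;
        }
      else if (quantum <= 0 || elapsed >= quantum)
        {
          /*
           * A whole quantum has elapsed, which always earns at least `rate`
           * credits, i.e. a full bucket.
           * NOTE(review): a zero rate_quantum is treated as "refills at once";
           * confirm whether the loader can produce it at all.
           */
          credits = rate;
        }
      else
        {
          /* quick and dirty fixed point arithmetic, 8 bit fraction part */
          gint64 ticks_per_credit = (quantum << 8) / rate;

          if (ticks_per_credit > 0)
            credits = (elapsed << 8) / ticks_per_credit;
          else
            credits = (elapsed * rate) / quantum; /* elapsed < quantum, so this stays bounded */
        }

      if (credits > rate)
        credits = rate;

      if (credits)
        {
          /* ok, enough time has passed to increase the current credit.
           * Deposit the new credits in bucket but make sure we don't permit
           * more than the maximum rate.
           */
          rl->buckets = MIN(rl->buckets + (gint) credits, action->rate);
          rl->last_check = now;
        }
    }

  if (rl->buckets)
    {
      rl->buckets--;
      return TRUE;
    }
  return FALSE;
}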
/*
 * Run a "create-context" action: build a synthetic message and open a new
 * correlation context that holds it.
 *
 * The context id is produced by expanding the action's id_template, over all
 * messages of the triggering context when there is one, otherwise over the
 * triggering message alone.  The new context is stored in
 * db->correllation.state, gets an expiry timer and takes a reference on the
 * rule.
 */
static void
_execute_action_create_context(PatternDB *db, PDBProcessParams *process_params)
{
  CorrellationKey key;
  PDBAction *action = process_params->action;
  PDBRule *rule = process_params->rule;
  PDBContext *triggering_context = process_params->context;
  LogMessage *triggering_msg = process_params->msg;
  GString *buffer = process_params->buffer;
  PDBContext *new_context;
  LogMessage *context_msg;
  SyntheticContext *syn_context;
  SyntheticMessage *syn_message;

  syn_context = &action->content.create_context.context;
  syn_message = &action->content.create_context.message;

  /* After either branch, buffer holds the expanded context id. */
  if (triggering_context)
    {
      context_msg = synthetic_message_generate_with_context(syn_message, &triggering_context->super, buffer);
      log_template_format_with_context(syn_context->id_template,
                                       (LogMessage **) triggering_context->super.messages->pdata,
                                       triggering_context->super.messages->len,
                                       NULL, LTZ_LOCAL, 0, NULL, buffer);
    }
  else
    {
      context_msg = synthetic_message_generate_without_context(syn_message, triggering_msg, buffer);
      log_template_format(syn_context->id_template, triggering_msg, NULL, LTZ_LOCAL, 0, NULL, buffer);
    }

  msg_debug("Explicit create-context action, starting a new context",
            evt_tag_str("rule", rule->rule_id),
            evt_tag_str("context", buffer->str),
            evt_tag_int("context_timeout", syn_context->timeout),
            evt_tag_int("context_expiration", timer_wheel_get_time(db->timer_wheel) + syn_context->timeout));

  correllation_key_setup(&key, syn_context->scope, context_msg, buffer->str);
  new_context = pdb_context_new(&key);
  /*
   * NOTE(review): the context is inserted without a prior lookup.  If a
   * context with the same key already exists, what happens to it depends on
   * the hash table's destroy functions, which are not visible here -- confirm
   * that the old context and its timer are released.
   */
  g_hash_table_insert(db->correllation.state, &new_context->super.key, new_context);
  /*
   * The key was set up from buffer->str; detach that string from the buffer
   * so later writes to the shared buffer cannot overwrite or free it.
   * NOTE(review): assumes pdb_context_new() keeps the pointer instead of
   * copying the string -- confirm.
   */
  g_string_steal(buffer);

  g_ptr_array_add(new_context->super.messages, context_msg);

  /*
   * The timer callback gets its own reference on the context, released
   * through correllation_context_unref.
   * NOTE(review): the timer is armed with rule->context.timeout, while the
   * debug message above reports syn_context->timeout -- confirm which of the
   * two timeouts is intended.
   */
  new_context->super.timer = timer_wheel_add_timer(db->timer_wheel, rule->context.timeout, pattern_db_expire_entry,
                                                   correllation_context_ref(&new_context->super),
                                                   (GDestroyNotify) correllation_context_unref);
  new_context->rule = pdb_rule_ref(rule);
}
/*
 * Hand out a scratch buffer holding an empty string, reusing one from the
 * local_scratch_buffers trash stack when possible.
 */
ScratchBuffer *
scratch_buffer_acquire(void)
{
  ScratchBuffer *recycled = g_trash_stack_pop(&local_scratch_buffers);
  ScratchBuffer *fresh;

  if (recycled)
    {
      /*
       * Only the length is reset; the allocation is kept, so bytes written by
       * the previous user remain in memory past the new end of the string.
       */
      g_string_set_size(sb_string(recycled), 0);
      return recycled;
    }

  /*
   * g_new() does not zero the memory, so the embedded GString is
   * uninitialised at this point and g_string_steal() is what initialises it.
   * NOTE(review): this is only safe if g_string_steal() overwrites the
   * GString fields without dereferencing or freeing the old ->str; its
   * definition is not visible here -- confirm.
   */
  fresh = g_new(ScratchBuffer, 1);
  g_string_steal(sb_string(fresh));
  return fresh;
}
/*
 * Hand out an SBGString holding an empty string, typed as a GTrashStack
 * pointer, reusing one from the local_sb_gstrings trash stack when possible.
 */
GTrashStack *
sb_gstring_acquire_buffer(void)
{
  SBGString *item = g_trash_stack_pop(&local_sb_gstrings);

  if (item != NULL)
    {
      /* Reset the length only; the old bytes stay in the kept allocation. */
      g_string_set_size(sb_gstring_string(item), 0);
    }
  else
    {
      /*
       * g_new() returns uninitialised memory; g_string_steal() is used here
       * to put the embedded GString into its empty state.
       * NOTE(review): safe only if g_string_steal() neither dereferences nor
       * frees the old ->str; its definition is not visible here -- confirm.
       */
      item = g_new(SBGString, 1);
      g_string_steal(sb_gstring_string(item));
    }

  return (GTrashStack *) item;
}
/*
 * Hand out an SBTHGString (a string plus a type hint) holding an empty
 * string, typed as a GTrashStack pointer, reusing one from the
 * local_sb_th_gstrings trash stack when possible.
 */
GTrashStack *
sb_th_gstring_acquire_buffer (void)
{
  SBTHGString *item = g_trash_stack_pop(&local_sb_th_gstrings);

  if (item == NULL)
    {
      /*
       * g_new() returns uninitialised memory; g_string_steal() is used here
       * to put the embedded GString into its empty state.
       * NOTE(review): safe only if g_string_steal() neither dereferences nor
       * frees the old ->str; its definition is not visible here -- confirm.
       */
      item = g_new(SBTHGString, 1);
      g_string_steal(sb_th_gstring_string(item));
      item->type_hint = TYPE_HINT_STRING;
    }
  else
    {
      /*
       * Only the string length is reset for a recycled buffer.
       * NOTE(review): type_hint is not set on this path, so the buffer keeps
       * the hint of its previous user unless the release side resets it --
       * confirm.
       */
      g_string_set_size(sb_th_gstring_string(item), 0);
    }

  return (GTrashStack *) item;
}
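/*
 * Process a message that matched a rule: update the correlation state, apply
 * the rule's synthetic message values, emit the message and run the rule's
 * match actions.
 *
 * The patterndb writer lock is held from the time update until after the
 * actions have run.  One reference on the rule is dropped before returning
 * (presumably the one the caller obtained with the lookup -- confirm).
 *
 * NOTE(review): the context id is expanded from the message through the
 * rule's id_template, and every matching message is appended to the context
 * and pushes its timer back.  No cap on the number of contexts or on the
 * messages per context is visible here, so memory use follows the incoming
 * log traffic -- confirm whether a limit exists elsewhere.
 */
static void
_pattern_db_process_matching_rule(PatternDB *self, PDBProcessParams *process_params)
{
  PDBContext *context = NULL;
  PDBRule *rule = process_params->rule;
  LogMessage *msg = process_params->msg;
  GString *buffer = g_string_sized_new(32);

  g_static_rw_lock_writer_lock(&self->lock);
  _advance_time_based_on_message(self, process_params, &msg->timestamps[LM_TS_STAMP]);

  if (rule->context.id_template)
    {
      CorrellationKey key;

      /* Expand the context id and record it on the message as well. */
      log_template_format(rule->context.id_template, msg, NULL, LTZ_LOCAL, 0, NULL, buffer);
      log_msg_set_value(msg, context_id_handle, buffer->str, -1);

      correllation_key_setup(&key, rule->context.scope, msg, buffer->str);
      context = g_hash_table_lookup(self->correllation.state, &key);
      if (!context)
        {
          msg_debug("Correllation context lookup failure, starting a new context",
                    evt_tag_str("rule", rule->rule_id),
                    evt_tag_str("context", buffer->str),
                    evt_tag_int("context_timeout", rule->context.timeout),
                    evt_tag_int("context_expiration", timer_wheel_get_time(self->timer_wheel) + rule->context.timeout));
          context = pdb_context_new(&key);
          g_hash_table_insert(self->correllation.state, &context->super.key, context);
          /*
           * The key was set up from buffer->str; detach that string from the
           * buffer so later writes to the buffer cannot overwrite or free it.
           * NOTE(review): assumes pdb_context_new() keeps the pointer instead
           * of copying the string -- confirm.
           */
          g_string_steal(buffer);
        }
      else
        {
          msg_debug("Correllation context lookup successful",
                    evt_tag_str("rule", rule->rule_id),
                    evt_tag_str("context", buffer->str),
                    evt_tag_int("context_timeout", rule->context.timeout),
                    evt_tag_int("context_expiration", timer_wheel_get_time(self->timer_wheel) + rule->context.timeout),
                    evt_tag_int("num_messages", context->super.messages->len));
        }

      /* The context holds its own reference on every message it collects. */
      g_ptr_array_add(context->super.messages, log_msg_ref(msg));

      if (context->super.timer)
        {
          /* Existing context: restart its expiry from this message. */
          timer_wheel_mod_timer(self->timer_wheel, context->super.timer, rule->context.timeout);
        }
      else
        {
          /* The timer callback gets its own reference on the context. */
          context->super.timer = timer_wheel_add_timer(self->timer_wheel, rule->context.timeout, pattern_db_expire_entry,
                                                       correllation_context_ref(&context->super),
                                                       (GDestroyNotify) correllation_context_unref);
        }

      /* The context tracks the rule that touched it last. */
      if (context->rule != rule)
        {
          if (context->rule)
            pdb_rule_unref(context->rule);
          context->rule = pdb_rule_ref(rule);
        }
    }
  else
    {
      context = NULL;
    }

  process_params->context = context;
  process_params->buffer = buffer;

  /*
   * Rules without an id_template have no context.  Pass an explicit NULL in
   * that case instead of forming &context->super from a NULL pointer, which
   * only yields NULL when `super` happens to sit at offset 0.
   */
  synthetic_message_apply(&rule->msg, context ? &context->super : NULL, msg, buffer);
  _emit_message(self, process_params, FALSE, msg);
  _execute_rule_actions(self, process_params, RAT_MATCH);
  pdb_rule_unref(rule);
  g_static_rw_lock_writer_unlock(&self->lock);

  if (context)
    log_msg_write_protect(msg);

  g_string_free(buffer, TRUE);
  /* Do not leave a pointer to the freed buffer behind in the shared params. */
  process_params->buffer = NULL;
}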