LogMessage *
create_empty_message(void)
{
LogMessage *msg;
char *msg_str = "<155>2006-02-11T10:34:56+01:00 bzorp syslog-ng[23323]:árvíztűrőtükörfúrógép";
GSockAddr *saddr;
saddr = g_sockaddr_inet_new("10.11.12.13", 1010);
msg = log_msg_new(msg_str, strlen(msg_str), saddr, &parse_options);
g_sockaddr_unref(saddr);
log_msg_set_match(msg, 0, "whole-match", -1);
log_msg_set_match(msg, 1, "first-match", -1);
log_msg_set_tag_by_name(msg, "alma");
log_msg_set_tag_by_name(msg, "korte");
log_msg_clear_tag_by_name(msg, "narancs");
log_msg_set_tag_by_name(msg, "citrom");
msg->rcptid = 555;
msg->host_id = 0xcafebabe;
/* fix some externally or automatically defined values */
log_msg_set_value(msg, LM_V_HOST_FROM, "kismacska", -1);
msg->timestamps[LM_TS_RECVD].tv_sec = 1139684315;
msg->timestamps[LM_TS_RECVD].tv_usec = 639000;
msg->timestamps[LM_TS_RECVD].zone_offset = get_local_timezone_ofs(1139684315);
return msg;
}
static gboolean
_parse_timestamp(SnmpTrapdHeaderParser *self)
{
GTimeVal now;
cached_g_current_time(&now);
time_t now_tv_sec = (time_t) now.tv_sec;
LogStamp *stamp = &self->nv_context->msg->timestamps[LM_TS_STAMP];
stamp->tv_usec = 0;
stamp->zone_offset = -1;
/* NOTE: we initialize various unportable fields in tm using a
* localtime call, as the value of tm_gmtoff does matter but it does
* not exist on all platforms and 0 initializing it causes trouble on
* time-zone barriers */
struct tm tm;
cached_localtime(&now_tv_sec, &tm);
if (!scan_std_timestamp(self->input, (gint *)self->input_len, &tm))
return FALSE;
tm.tm_isdst = -1;
stamp->tv_sec = cached_mktime(&tm);
stamp->zone_offset = get_local_timezone_ofs(stamp->tv_sec);
return TRUE;
}
static inline time_t
__get_normalized_time(LogStamp const timestamp, gint const normalized_hour, gint const unnormalized_hour)
{
return timestamp.tv_sec
+ get_local_timezone_ofs(timestamp.tv_sec)
- (normalized_hour - unnormalized_hour) * 3600
- timestamp.zone_offset;
}
static inline void
__set_zone_offset(LogStamp * const timestamp, glong const assumed_timezone)
{
if(timestamp->zone_offset == -1)
{
timestamp->zone_offset = assumed_timezone;
}
if (timestamp->zone_offset == -1)
{
timestamp->zone_offset = get_local_timezone_ofs(timestamp->tv_sec);
}
}
static void
_set_message_timestamp(JournalReader *self, LogMessage *msg)
{
guint64 ts;
journald_get_realtime_usec(self->journal, &ts);
msg->timestamps[LM_TS_STAMP].tv_sec = ts / 1000000;
msg->timestamps[LM_TS_STAMP].tv_usec = ts % 1000000;
msg->timestamps[LM_TS_STAMP].zone_offset = time_zone_info_get_offset(self->options->recv_time_zone_info, msg->timestamps[LM_TS_STAMP].tv_sec);
if (msg->timestamps[LM_TS_STAMP].zone_offset == -1)
{
msg->timestamps[LM_TS_STAMP].zone_offset = get_local_timezone_ofs(msg->timestamps[LM_TS_STAMP].tv_sec);
}
}
LogMessage *
create_sample_message(void)
{
LogMessage *msg;
char *msg_str = "<155>2006-02-11T10:34:56+01:00 bzorp syslog-ng[23323]:árvíztűrőtükörfúrógép";
GSockAddr *saddr;
saddr = g_sockaddr_inet_new("10.11.12.13", 1010);
msg = log_msg_new(msg_str, strlen(msg_str), saddr, &parse_options);
g_sockaddr_unref(saddr);
log_msg_set_value_by_name(msg, "APP.VALUE", "value", -1);
log_msg_set_value_by_name(msg, "APP.STRIP1", " value", -1);
log_msg_set_value_by_name(msg, "APP.STRIP2", "value ", -1);
log_msg_set_value_by_name(msg, "APP.STRIP3", " value ", -1);
log_msg_set_value_by_name(msg, "APP.STRIP4", "value", -1);
log_msg_set_value_by_name(msg, "APP.STRIP5", "", -1);
log_msg_set_value_by_name(msg, "APP.QVALUE", "\"value\"", -1);
log_msg_set_value_by_name(msg, ".unix.uid", "1000", -1);
log_msg_set_value_by_name(msg, ".unix.gid", "1000", -1);
log_msg_set_value_by_name(msg, ".unix.cmd", "command", -1);
log_msg_set_value_by_name(msg, ".json.foo", "bar", -1);
log_msg_set_value_by_name(msg, ".json.sub.value1", "subvalue1", -1);
log_msg_set_value_by_name(msg, ".json.sub.value2", "subvalue2", -1);
log_msg_set_value_by_name(msg, "escaping", "binary stuff follows \"\xad árvíztűrőtükörfúrógép", -1);
log_msg_set_match(msg, 0, "whole-match", -1);
log_msg_set_match(msg, 1, "first-match", -1);
log_msg_set_tag_by_name(msg, "alma");
log_msg_set_tag_by_name(msg, "korte");
log_msg_clear_tag_by_name(msg, "narancs");
log_msg_set_tag_by_name(msg, "citrom");
msg->rcptid = 555;
/* fix some externally or automatically defined values */
log_msg_set_value(msg, LM_V_HOST_FROM, "kismacska", -1);
msg->timestamps[LM_TS_RECVD].tv_sec = 1139684315;
msg->timestamps[LM_TS_RECVD].tv_usec = 639000;
msg->timestamps[LM_TS_RECVD].zone_offset = get_local_timezone_ofs(1139684315);
return msg;
}
LogMessage *
init_msg(gchar *msg_string, gboolean use_syslog_protocol)
{
LogMessage *msg;
GSockAddr *sa;
if (use_syslog_protocol)
parse_options.flags |= LP_SYSLOG_PROTOCOL;
else
parse_options.flags &= ~LP_SYSLOG_PROTOCOL;
sa = g_sockaddr_inet_new("10.10.10.10", 1010);
msg = log_msg_new(msg_string, strlen(msg_string), sa, &parse_options);
g_sockaddr_unref(sa);
log_msg_set_value_by_name(msg, "APP.VALUE", "value", 5);
log_msg_set_match(msg, 0, "whole-match", 11);
log_msg_set_match(msg, 1, "first-match", 11);
/* fix some externally or automatically defined values */
log_msg_set_value(msg, LM_V_HOST_FROM, "kismacska", 9);
msg->timestamps[LM_TS_RECVD].tv_sec = 1139684315;
msg->timestamps[LM_TS_RECVD].tv_usec = 639000;
msg->timestamps[LM_TS_RECVD].zone_offset = get_local_timezone_ofs(1139684315);
return msg;
}
void
simulate_log_readers_effect_on_timezone_offset(LogMessage *message)
{
if (message->timestamps[LM_TS_STAMP].zone_offset == -1)
message->timestamps[LM_TS_STAMP].zone_offset = get_local_timezone_ofs(message->timestamps[LM_TS_STAMP].tv_sec);
}
/* FIXME: this function should really be exploded to a lot of smaller functions... (Bazsi) */
static gboolean
log_msg_parse_date(LogMessage *self, const guchar **data, gint *length, guint parse_flags, glong assume_timezone)
{
const guchar *src = *data;
gint left = *length;
GTimeVal now;
struct tm tm;
gint unnormalized_hour;
cached_g_current_time(&now);
if ((parse_flags & LP_SYSLOG_PROTOCOL) == 0)
{
/* Cisco timestamp extensions, the first '*' indicates that the clock is
* unsynced, '.' if it is known to be synced */
if (G_UNLIKELY(src[0] == '*'))
{
log_msg_set_value(self, is_synced, "0", 1);
src++;
left--;
}
else if (G_UNLIKELY(src[0] == '.'))
{
log_msg_set_value(self, is_synced, "1", 1);
src++;
left--;
}
}
/* If the next chars look like a date, then read them as a date. */
if (left >= 19 && src[4] == '-' && src[7] == '-' && src[10] == 'T' && src[13] == ':' && src[16] == ':')
{
/* RFC3339 timestamp, expected format: YYYY-MM-DDTHH:MM:SS[.frac]<+/->ZZ:ZZ */
gint hours, mins;
time_t now_tv_sec = (time_t)now.tv_sec;
self->timestamps[LM_TS_STAMP].tv_usec = 0;
/* NOTE: we initialize various unportable fields in tm using a
* localtime call, as the value of tm_gmtoff does matter but it does
* not exist on all platforms and 0 initializing it causes trouble on
* time-zone barriers */
cached_localtime(&now_tv_sec, &tm);
if (!scan_iso_timestamp((const gchar **) &src, &left, &tm))
{
goto error;
}
self->timestamps[LM_TS_STAMP].tv_usec = 0;
if (left > 0 && *src == '.')
{
gulong frac = 0;
gint div = 1;
/* process second fractions */
src++;
left--;
while (left > 0 && div < 10e5 && isdigit(*src))
{
frac = 10 * frac + (*src) - '0';
div = div * 10;
src++;
left--;
}
while (isdigit(*src))
{
src++;
left--;
}
self->timestamps[LM_TS_STAMP].tv_usec = frac * (1000000 / div);
}
if (left > 0 && *src == 'Z')
{
/* Z is special, it means UTC */
self->timestamps[LM_TS_STAMP].zone_offset = 0;
src++;
left--;
}
else if (left >= 5 && (*src == '+' || *src == '-') &&
isdigit(*(src+1)) && isdigit(*(src+2)) && *(src+3) == ':' && isdigit(*(src+4)) && isdigit(*(src+5)) && !isdigit(*(src+6)))
{
/* timezone offset */
gint sign = *src == '-' ? -1 : 1;
hours = (*(src+1) - '0') * 10 + *(src+2) - '0';
mins = (*(src+4) - '0') * 10 + *(src+5) - '0';
self->timestamps[LM_TS_STAMP].zone_offset = sign * (hours * 3600 + mins * 60);
src += 6;
left -= 6;
}
/* we convert it to UTC */
tm.tm_isdst = -1;
unnormalized_hour = tm.tm_hour;
self->timestamps[LM_TS_STAMP].tv_sec = cached_mktime(&tm);
}
else if ((parse_flags & LP_SYSLOG_PROTOCOL) == 0)
{
if (left >= 21 && src[3] == ' ' && src[6] == ' ' && src[11] == ' ' && src[14] == ':' && src[17] == ':' && (src[20] == ':' || src[20] == ' ') &&
(isdigit(src[7]) && isdigit(src[8]) && isdigit(src[9]) && isdigit(src[10])))
{
/* PIX timestamp, expected format: MMM DD YYYY HH:MM:SS: */
/* ASA timestamp, expected format: MMM DD YYYY HH:MM:SS */
time_t now_tv_sec = (time_t)now.tv_sec;
cached_localtime(&now_tv_sec, &tm);
if (!scan_pix_timestamp((const gchar **) &src, &left, &tm))
goto error;
if (*src == ':')
{
src++;
left--;
}
tm.tm_isdst = -1;
/* NOTE: no timezone information in the message, assume it is local time */
unnormalized_hour = tm.tm_hour;
self->timestamps[LM_TS_STAMP].tv_sec = cached_mktime(&tm);
self->timestamps[LM_TS_STAMP].tv_usec = 0;
}
else if (left >= 21 && src[3] == ' ' && src[6] == ' ' && src[9] == ':' && src[12] == ':' && src[15] == ' ' &&
isdigit(src[16]) && isdigit(src[17]) && isdigit(src[18]) && isdigit(src[19]) && isspace(src[20]))
{
/* LinkSys timestamp, expected format: MMM DD HH:MM:SS YYYY */
time_t now_tv_sec = (time_t)now.tv_sec;
cached_localtime(&now_tv_sec, &tm);
if (!scan_linksys_timestamp((const gchar **) &src, &left, &tm))
goto error;
tm.tm_isdst = -1;
/* NOTE: no timezone information in the message, assume it is local time */
unnormalized_hour = tm.tm_hour;
self->timestamps[LM_TS_STAMP].tv_sec = cached_mktime(&tm);
self->timestamps[LM_TS_STAMP].tv_usec = 0;
}
else if (left >= 15 && src[3] == ' ' && src[6] == ' ' && src[9] == ':' && src[12] == ':')
{
/* RFC 3164 timestamp, expected format: MMM DD HH:MM:SS ... */
struct tm nowtm;
glong usec = 0;
time_t now_tv_sec = (time_t)now.tv_sec;
cached_localtime(&now_tv_sec, &nowtm);
tm = nowtm;
if (!scan_bsd_timestamp((const gchar **) &src, &left, &tm))
goto error;
if (left > 0 && src[0] == '.')
{
gulong frac = 0;
gint div = 1;
gint i = 1;
/* gee, funny Cisco extension, BSD timestamp with fraction of second support */
while (i < left && div < 10e5 && isdigit(src[i]))
{
frac = 10 * frac + (src[i]) - '0';
div = div * 10;
i++;
}
while (i < left && isdigit(src[i]))
i++;
usec = frac * (1000000 / div);
left -= i;
src += i;
}
/* detect if the message is coming from last year. If current
* month is January, and the message comes from December, the
* year of the message is inferred to be last year.
* Conversely, if current month is December, and message comes
* from January, year of message is inferred to be next year.
*/
if (tm.tm_mon == 11 && nowtm.tm_mon == 0)
tm.tm_year--;
else if (tm.tm_mon == 0 && nowtm.tm_mon == 11)
tm.tm_year++;
/* NOTE: no timezone information in the message, assume it is local time */
unnormalized_hour = tm.tm_hour;
self->timestamps[LM_TS_STAMP].tv_sec = cached_mktime(&tm);
self->timestamps[LM_TS_STAMP].tv_usec = usec;
}
else
{
goto error;
}
}
else
{
if (left >= 1 && src[0] == '-')
{
/* NILVALUE */
self->timestamps[LM_TS_STAMP] = self->timestamps[LM_TS_RECVD];
*length = --left;
*data = ++src;
return TRUE;
}
else
return FALSE;
}
/* NOTE: mktime() returns the time assuming that the timestamp we
* received was in local time. This is not true, as there's a
* zone_offset in the timestamp as well. We need to adjust this offset
* by adding the local timezone offset at the specific time to get UTC,
* which means that tv_sec becomes as if tm was in the 00:00 timezone.
* Also we have to take into account that at the zone barriers an hour
* might be skipped or played twice this is what the
* (tm.tm_hour - * unnormalized_hour) part fixes up. */
if (self->timestamps[LM_TS_STAMP].zone_offset == -1)
{
self->timestamps[LM_TS_STAMP].zone_offset = assume_timezone;
}
if (self->timestamps[LM_TS_STAMP].zone_offset == -1)
{
self->timestamps[LM_TS_STAMP].zone_offset = get_local_timezone_ofs(self->timestamps[LM_TS_STAMP].tv_sec);
}
self->timestamps[LM_TS_STAMP].tv_sec = self->timestamps[LM_TS_STAMP].tv_sec +
get_local_timezone_ofs(self->timestamps[LM_TS_STAMP].tv_sec) -
(tm.tm_hour - unnormalized_hour) * 3600 - self->timestamps[LM_TS_STAMP].zone_offset;
*data = src;
*length = left;
return TRUE;
error:
/* no recognizable timestamp, use current time */
self->timestamps[LM_TS_STAMP] = self->timestamps[LM_TS_RECVD];
return FALSE;
}
