Esempio n. 1
0
static void
__handle_data(gchar *key, gchar *value, gpointer user_data)
{
  gpointer *args = user_data;

  LogMessage *msg = args[0];
  JournalReaderOptions *options = args[1];
  gssize value_len = MIN(strlen(value), options->max_field_size);

  if (strcmp(key, "MESSAGE") == 0)
    {
      log_msg_set_value(msg, LM_V_MESSAGE, value, value_len);
      msg_debug("Incoming log entry from journal",
                evt_tag_printf("message", "%.*s", (int)value_len, value),
                NULL);
    }
  else if (strcmp(key, "_HOSTNAME") == 0)
    {
      log_msg_set_value(msg, LM_V_HOST, value, value_len);
    }
  else if (strcmp(key, "_PID") == 0)
    {
      log_msg_set_value(msg, LM_V_PID, value, value_len);
    }
  else if (strcmp(key, "_COMM") == 0)
    {
      log_msg_set_value(msg, LM_V_PROGRAM, value, value_len);
    }
  else if (strcmp(key, "SYSLOG_IDENTIFIER") == 0)
    {
      gssize program_length;
      (void)log_msg_get_value(msg, LM_V_PROGRAM, &program_length);
      if (program_length == 0)
        {
          log_msg_set_value(msg, LM_V_PROGRAM, value, value_len);
        }
    }
  else if (strcmp(key, "SYSLOG_FACILITY") == 0)
    {
      msg->pri = (msg->pri & 7) | atoi(value) << 3;
    }
  else if (strcmp(key, "PRIORITY") == 0)
    {
      msg->pri = (msg->pri & ~7) | atoi(value);
    }
  else
    {
      if (!options->prefix)
        {
          log_msg_set_value_by_name(msg, key, value, value_len);
        }
      else
        {
          gchar *prefixed_key = g_strdup_printf("%s%s", options->prefix, key);
          log_msg_set_value_by_name(msg, prefixed_key, value, value_len);
          g_free(prefixed_key);
        }
    }
}
Esempio n. 2
0
static gboolean
geoip_parser_process(LogParser *s, LogMessage **pmsg,
                     const LogPathOptions *path_options,
                     const gchar *input, gsize input_len)
{
  GeoIPParser *self = (GeoIPParser *) s;
  LogMessage *msg = log_msg_make_writable(pmsg, path_options);
  GeoIPRecord *record;
  SBGString *value;

  if (!self->dest.country_code &&
      !self->dest.latitude &&
      !self->dest.longitude)
    return TRUE;

  record = GeoIP_record_by_name(self->gi, input);

  if (!record)
    {
      const char *country;

      country = GeoIP_country_code_by_name(self->gi, input);
      if (country)
        log_msg_set_value_by_name(msg, self->dest.country_code,
                                  country,
                                  strlen(country));

      return TRUE;
    }

  if (record->country_code)
    log_msg_set_value_by_name(msg, self->dest.country_code,
                              record->country_code,
                              strlen(record->country_code));

  value = sb_gstring_acquire();

  g_string_printf(sb_gstring_string(value), "%f",
                  record->latitude);
  log_msg_set_value_by_name(msg, self->dest.latitude,
                            sb_gstring_string(value)->str,
                            sb_gstring_string(value)->len);

  g_string_printf(sb_gstring_string(value), "%f",
                  record->longitude);
  log_msg_set_value_by_name(msg, self->dest.longitude,
                            sb_gstring_string(value)->str,
                            sb_gstring_string(value)->len);

  GeoIPRecord_delete(record);
  sb_gstring_release(value);

  return TRUE;
}
Esempio n. 3
0
static void
log_matcher_pcre_re_feed_named_substrings(LogMatcher *s, LogMessage *msg, int *matches, const gchar *value)
{
   gchar *name_table = NULL;
   gint i = 0;
   gint namecount = 0;
   gint name_entry_size = 0;
   LogMatcherPcreRe *self = (LogMatcherPcreRe *) s;

   pcre_fullinfo(self->pattern, self->extra, PCRE_INFO_NAMECOUNT, &namecount);  
   if (namecount > 0) 
     { 
       gchar *tabptr;
       /* Before we can access the substrings, we must extract the table for
          translating names to numbers, and the size of each entry in the table. 
        */
       pcre_fullinfo(self->pattern, self->extra, PCRE_INFO_NAMETABLE, &name_table);       
       pcre_fullinfo(self->pattern, self->extra, PCRE_INFO_NAMEENTRYSIZE, &name_entry_size);
       /* Now we can scan the table and, for each entry, print the number, the name,
          and the substring itself. 
        */
       tabptr = name_table;
       for (i = 0; i < namecount; i++)
         {
           int n = (tabptr[0] << 8) | tabptr[1];
           log_msg_set_value_by_name(msg, tabptr + 2, value + matches[2*n], matches[2*n+1] - matches[2*n]);
           tabptr += name_entry_size;
         }
     }  
}
Esempio n. 4
0
static void
_add_aux_nvpair(const gchar *name, const gchar *value, gsize value_len, gpointer user_data)
{
  LogMessage *msg = (LogMessage *) user_data;

  log_msg_set_value_by_name(msg, name, value, value_len);;
}
Esempio n. 5
0
void
synthetic_message_apply(SyntheticMessage *self, CorrellationContext *context, LogMessage *msg, GString *buffer)
{
  gint i;

  if (self->tags)
    {
      for (i = 0; i < self->tags->len; i++)
        log_msg_set_tag_by_id(msg, g_array_index(self->tags, LogTagId, i));
    }

  if (self->values)
    {
      for (i = 0; i < self->values->len; i++)
        {
          log_template_format_with_context(g_ptr_array_index(self->values, i),
                                           context ? (LogMessage **) context->messages->pdata : &msg,
                                           context ? context->messages->len : 1,
                                           NULL, LTZ_LOCAL, 0, context ? context->key.session_id : NULL, buffer);
          log_msg_set_value_by_name(msg,
                                    ((LogTemplate *) g_ptr_array_index(self->values, i))->name,
                                    buffer->str,
                                    buffer->len);
        }
    }

}
Esempio n. 6
0
static void
_set_value_in_message(JournalReaderOptions *options, LogMessage *msg, gchar *key, gchar *value, gssize value_len)
{
    gchar name_with_prefix[256];

    _format_value_name_with_prefix(name_with_prefix, sizeof(name_with_prefix), options, key);
    log_msg_set_value_by_name(msg, name_with_prefix, value, value_len);
}
Esempio n. 7
0
static LogMessage *
_construct_msg(const gchar *msg)
{
  LogMessage *logmsg;

  logmsg = log_msg_new_empty();
  log_msg_set_value_by_name(logmsg, "MESSAGE", msg, -1);
  return logmsg;
}
Esempio n. 8
0
static LogMessage *
construct_merge_base_message(void)
{
  LogMessage *msg;

  msg = log_msg_new_empty();
  log_msg_set_value_by_name(msg, "base", "basevalue", -1);
  log_msg_set_tag_by_name(msg, "basetag");
  return msg;
}
Esempio n. 9
0
static LogMessage *
construct_merged_message(const gchar *name, const gchar *value)
{
  LogMessage *msg;

  msg = log_msg_new_empty();
  log_msg_set_value_by_name(msg, name, value, -1);
  log_msg_set_tag_by_name(msg, "mergedtag");
  return msg;
}
Esempio n. 10
0
void
test_value_pairs_walk_prefix_data(GlobalConfig *cfg)
{
  ValuePairs *vp;
  LogMessage *msg;
  const char* value = "value";

  log_template_options_init(&template_options, cfg);
  msg_format_options_init(&parse_options, cfg);

  vp = value_pairs_new();
  value_pairs_add_glob_pattern(vp, "root.*", TRUE);
  msg = log_msg_new("test", 4, NULL, &parse_options);

  log_msg_set_value_by_name(msg, "root.test.alma", value, strlen(value));
  log_msg_set_value_by_name(msg, "root.test.korte", value, strlen(value));

  value_pairs_walk(vp, test_vp_obj_start, test_vp_value, test_vp_obj_stop, msg, 0, LTZ_LOCAL, &template_options, NULL);
  value_pairs_unref(vp);
  log_msg_unref(msg);
};
Esempio n. 11
0
void
set_new_log_message_attributes(LogMessage *log_message)
{
  log_msg_set_value(log_message, LM_V_HOST, "newhost", -1);
  log_msg_set_value(log_message, LM_V_HOST_FROM, "newhost", -1);
  log_msg_set_value(log_message, LM_V_MESSAGE, "newmsg", -1);
  log_msg_set_value(log_message, LM_V_PROGRAM, "newprogram", -1);
  log_msg_set_value(log_message, LM_V_PID, "newpid", -1);
  log_msg_set_value(log_message, LM_V_MSGID, "newmsgid", -1);
  log_msg_set_value(log_message, LM_V_SOURCE, "newsource", -1);
  log_msg_set_value_by_name(log_message, "newvalue", "newvalue", -1);
}
Esempio n. 12
0
LogMessage *
create_message(void)
{
  LogMessage *msg;
  const gchar *text = "<134>1 2009-10-16T11:51:56+02:00 exchange.macartney.esbjerg MSExchange_ADAccess 20208 _MSGID_ [origin ip=\"exchange.macartney.esbjerg\"][meta sequenceId=\"191732\" sysUpTime=\"68807696\"][[email protected] Data=\"MSEXCHANGEOWAAPPPOOL.CONFIG\\\" -W \\\"\\\" -M 1 -AP \\\"MSEXCHANGEOWAAPPPOOL5244fileserver.macartney.esbjerg CDG 1 7 7 1 0 1 1 7 1 mail.macartney.esbjerg CDG 1 7 7 1 0 1 1 7 1 maindc.macartney.esbjerg CD- 1 6 6 0 0 1 1 6 1 \"][[email protected] Keyword=\"Classic\"] ApplicationMSExchangeADAccess: message";
  const gchar *unset_nvpair = "unset_value";

  msg = log_msg_new(text, strlen(text), NULL, &parse_options);
  log_msg_set_tag_by_name(msg, "almafa");
  log_msg_set_value_by_name(msg, unset_nvpair, "value that has been unset", -1);
  log_msg_unset_value_by_name(msg, unset_nvpair);
  return msg;
}
Esempio n. 13
0
static LogMessage *
_construct_message_with_nvpair(const gchar *program, const gchar *message, const gchar *name, const gchar *value)
{
  LogMessage *msg = log_msg_new_empty();

  log_msg_set_value(msg, LM_V_MESSAGE, message, strlen(message));
  log_msg_set_value(msg, LM_V_PROGRAM, program, strlen(program));
  log_msg_set_value(msg, LM_V_HOST, MYHOST, strlen(MYHOST));
  log_msg_set_value(msg, LM_V_PID, MYPID, strlen(MYPID));
  if (name)
    log_msg_set_value_by_name(msg, name, value, -1);
  msg->timestamps[LM_TS_STAMP].tv_sec = msg->timestamps[LM_TS_RECVD].tv_sec;

  return msg;
}
Esempio n. 14
0
static gboolean
kv_parser_process(LogParser *s, LogMessage **pmsg, const LogPathOptions *path_options, const gchar *input, gsize input_len)
{
  KVParser *self = (KVParser *) s;

  log_msg_make_writable(pmsg, path_options);
  /* FIXME: input length */
  kv_scanner_input(self->kv_scanner, input);
  while (kv_scanner_scan_next(self->kv_scanner))
    {

      /* FIXME: value length */
      log_msg_set_value_by_name(*pmsg,
                                _get_formatted_key(self, kv_scanner_get_current_key(self->kv_scanner)),
                                kv_scanner_get_current_value(self->kv_scanner), -1);
    }
  return TRUE;
}
Esempio n. 15
0
LogMessage *
message_from_list(va_list ap)
{
  char *key, *value;
  LogMessage *msg = create_empty_message();

  if (!msg)
    return NULL;

  key = va_arg(ap, char *);
  while (key)
    {
      value = va_arg(ap, char *);
      if (!value)
        return msg;

      log_msg_set_value_by_name(msg, key, value, -1);
      key = va_arg(ap, char *);
    }

  return msg;
}
Esempio n. 16
0
LogMessage *
init_msg(gchar *msg_string, gboolean use_syslog_protocol)
{
  LogMessage *msg;
  GSockAddr *sa;

  if (use_syslog_protocol)
    parse_options.flags |= LP_SYSLOG_PROTOCOL;
  else
    parse_options.flags &= ~LP_SYSLOG_PROTOCOL;
  sa = g_sockaddr_inet_new("10.10.10.10", 1010);
  msg = log_msg_new(msg_string, strlen(msg_string), sa, &parse_options);
  g_sockaddr_unref(sa);
  log_msg_set_value_by_name(msg, "APP.VALUE", "value", 5);
  log_msg_set_match(msg, 0, "whole-match", 11);
  log_msg_set_match(msg, 1, "first-match", 11);

  /* fix some externally or automatically defined values */
  log_msg_set_value(msg, LM_V_HOST_FROM, "kismacska", 9);
  msg->timestamps[LM_TS_RECVD].tv_sec = 1139684315;
  msg->timestamps[LM_TS_RECVD].tv_usec = 639000;
  msg->timestamps[LM_TS_RECVD].zone_offset = get_local_timezone_ofs(1139684315);
  return msg;
}
Esempio n. 17
0
LogMessage *
create_sample_message(void)
{
  LogMessage *msg;
  char *msg_str = "<155>2006-02-11T10:34:56+01:00 bzorp syslog-ng[23323]:árvíztűrőtükörfúrógép";
  GSockAddr *saddr;

  saddr = g_sockaddr_inet_new("10.11.12.13", 1010);
  msg = log_msg_new(msg_str, strlen(msg_str), saddr, &parse_options);
  g_sockaddr_unref(saddr);
  log_msg_set_value_by_name(msg, "APP.VALUE", "value", -1);
  log_msg_set_value_by_name(msg, "APP.STRIP1", "     value", -1);
  log_msg_set_value_by_name(msg, "APP.STRIP2", "value     ", -1);
  log_msg_set_value_by_name(msg, "APP.STRIP3", "     value     ", -1);
  log_msg_set_value_by_name(msg, "APP.STRIP4", "value", -1);
  log_msg_set_value_by_name(msg, "APP.STRIP5", "", -1);
  log_msg_set_value_by_name(msg, "APP.QVALUE", "\"value\"", -1);
  log_msg_set_value_by_name(msg, ".unix.uid", "1000", -1);
  log_msg_set_value_by_name(msg, ".unix.gid", "1000", -1);
  log_msg_set_value_by_name(msg, ".unix.cmd", "command", -1);
  log_msg_set_value_by_name(msg, ".json.foo", "bar", -1);
  log_msg_set_value_by_name(msg, ".json.sub.value1", "subvalue1", -1);
  log_msg_set_value_by_name(msg, ".json.sub.value2", "subvalue2", -1);
  log_msg_set_value_by_name(msg, "escaping", "binary stuff follows \"\xad árvíztűrőtükörfúrógép", -1);
  log_msg_set_match(msg, 0, "whole-match", -1);
  log_msg_set_match(msg, 1, "first-match", -1);
  log_msg_set_tag_by_name(msg, "alma");
  log_msg_set_tag_by_name(msg, "korte");
  log_msg_clear_tag_by_name(msg, "narancs");
  log_msg_set_tag_by_name(msg, "citrom");
  msg->rcptid = 555;

  /* fix some externally or automatically defined values */
  log_msg_set_value(msg, LM_V_HOST_FROM, "kismacska", -1);
  msg->timestamps[LM_TS_RECVD].tv_sec = 1139684315;
  msg->timestamps[LM_TS_RECVD].tv_usec = 639000;
  msg->timestamps[LM_TS_RECVD].zone_offset = get_local_timezone_ofs(1139684315);

  return msg;
}
Esempio n. 18
0
static void
json_parser_process_single(struct json_object *jso,
                                const gchar *prefix,
                                const gchar *obj_key,
                                LogMessage *msg)
{
  SBGString *key, *value;
  gboolean parsed = FALSE;

  if (!jso)
    return;

  key = sb_gstring_acquire();
  value = sb_gstring_acquire();

  switch (json_object_get_type(jso))
    {
    case json_type_boolean:
      parsed = TRUE;
      if (json_object_get_boolean(jso))
        g_string_assign(sb_gstring_string(value), "true");
      else
        g_string_assign(sb_gstring_string(value), "false");
      break;
    case json_type_double:
      parsed = TRUE;
      g_string_printf(sb_gstring_string(value), "%f",
                       json_object_get_double(jso));
      break;
    case json_type_int:
      parsed = TRUE;
      g_string_printf(sb_gstring_string(value), "%i",
                       json_object_get_int(jso));
      break;
    case json_type_string:
      parsed = TRUE;
      g_string_assign(sb_gstring_string(value),
                       json_object_get_string(jso));
      break;
    case json_type_object:
      if (prefix)
        g_string_assign(sb_gstring_string(key), prefix);
      g_string_append(sb_gstring_string(key), obj_key);
      g_string_append_c(sb_gstring_string(key), '.');
      json_parser_process_object(jso, sb_gstring_string(key)->str, msg);
      break;
    case json_type_array:
      {
        gint i, plen;

        g_string_assign(sb_gstring_string(key), obj_key);

        plen = sb_gstring_string(key)->len;

        for (i = 0; i < json_object_array_length(jso); i++)
          {
            g_string_truncate(sb_gstring_string(key), plen);
            g_string_append_printf(sb_gstring_string(key), "[%d]", i);
            json_parser_process_single(json_object_array_get_idx(jso, i),
                                            prefix,
                                            sb_gstring_string(key)->str, msg);
          }
        break;
      }
    case json_type_null:
      break;
    default:
      msg_error("JSON parser encountered an unknown type, skipping",
                 evt_tag_str("key", obj_key), NULL);
      break;
    }

  if (parsed)
    {
      if (prefix)
        {
          g_string_assign(sb_gstring_string(key), prefix);
          g_string_append(sb_gstring_string(key), obj_key);
          log_msg_set_value_by_name(msg,
                             sb_gstring_string(key)->str,
                             sb_gstring_string(value)->str,
                             sb_gstring_string(value)->len);
        }
      else
        log_msg_set_value_by_name(msg,
                           obj_key,
                           sb_gstring_string(value)->str,
                           sb_gstring_string(value)->len);
    }

  sb_gstring_release(key);
  sb_gstring_release(value);
}
Esempio n. 19
0
LogMessage *
create_sample_message(void)
{
  LogMessage *msg = create_empty_message();

  log_msg_set_value_by_name(msg, "APP.VALUE", "value", -1);
  log_msg_set_value_by_name(msg, "APP.STRIP1", "     value", -1);
  log_msg_set_value_by_name(msg, "APP.STRIP2", "value     ", -1);
  log_msg_set_value_by_name(msg, "APP.STRIP3", "     value     ", -1);
  log_msg_set_value_by_name(msg, "APP.STRIP4", "value", -1);
  log_msg_set_value_by_name(msg, "APP.STRIP5", "", -1);
  log_msg_set_value_by_name(msg, "APP.QVALUE", "\"value\"", -1);
  log_msg_set_value_by_name(msg, ".unix.uid", "1000", -1);
  log_msg_set_value_by_name(msg, ".unix.gid", "1000", -1);
  log_msg_set_value_by_name(msg, ".unix.cmd", "command", -1);
  log_msg_set_value_by_name(msg, ".json.foo", "bar", -1);
  log_msg_set_value_by_name(msg, ".json.sub.value1", "subvalue1", -1);
  log_msg_set_value_by_name(msg, ".json.sub.value2", "subvalue2", -1);
  log_msg_set_value_by_name(msg, "escaping", "binary stuff follows \"\xad árvíztűrőtükörfúrógép", -1);
  log_msg_set_value_by_name(msg, "escaping2", "\xc3", -1);
  log_msg_set_value_by_name(msg, "null", "binary\0stuff", 12);

  return msg;
}