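/*
 * Map one journal field (key/value) onto the LogMessage under construction.
 *
 * user_data is a two-element gpointer array: [0] is the LogMessage,
 * [1] is the JournalReaderOptions. Values are truncated to
 * options->max_field_size before being stored.
 *
 * Trust note: journald adds the fields whose names start with '_' itself,
 * while MESSAGE, PRIORITY, SYSLOG_FACILITY and SYSLOG_IDENTIFIER are
 * supplied by the logging client. The numeric client fields are therefore
 * parsed and range-checked before they are merged into msg->pri; a value
 * that is not a number in range is ignored and msg->pri is left untouched.
 */
static void
__handle_data(gchar *key, gchar *value, gpointer user_data)
{
  /* 3 severity bits; the facility sits above them. 127 matches the
   * classic 0x3f8 facility mask.
   * NOTE(review): tighten to 23 if only the RFC 5424 facilities should pass. */
  enum { MAX_SEVERITY = 7, MAX_FACILITY = 127 };

  gpointer *args = user_data;
  LogMessage *msg = args[0];
  JournalReaderOptions *options = args[1];
  gssize value_len = MIN(strlen(value), options->max_field_size);

  if (strcmp(key, "MESSAGE") == 0)
    {
      log_msg_set_value(msg, LM_V_MESSAGE, value, value_len);
      msg_debug("Incoming log entry from journal",
                evt_tag_printf("message", "%.*s", (int)value_len, value),
                NULL);
    }
  else if (strcmp(key, "_HOSTNAME") == 0)
    {
      log_msg_set_value(msg, LM_V_HOST, value, value_len);
    }
  else if (strcmp(key, "_PID") == 0)
    {
      log_msg_set_value(msg, LM_V_PID, value, value_len);
    }
  else if (strcmp(key, "_COMM") == 0)
    {
      log_msg_set_value(msg, LM_V_PROGRAM, value, value_len);
    }
  else if (strcmp(key, "SYSLOG_IDENTIFIER") == 0)
    {
      gssize program_length;

      /* Only used as a fallback: keep a program name that is already set. */
      (void)log_msg_get_value(msg, LM_V_PROGRAM, &program_length);
      if (program_length == 0)
        {
          log_msg_set_value(msg, LM_V_PROGRAM, value, value_len);
        }
    }
  else if (strcmp(key, "SYSLOG_FACILITY") == 0)
    {
      char *end = NULL;
      long facility = strtol(value, &end, 10);

      /* Previously atoi(value) << 3: a negative number made the shift
       * undefined and a large one spilled past the facility bits. */
      if (end != value && facility >= 0 && facility <= MAX_FACILITY)
        msg->pri = (msg->pri & 7) | ((int) facility << 3);
    }
  else if (strcmp(key, "PRIORITY") == 0)
    {
      char *end = NULL;
      long severity = strtol(value, &end, 10);

      /* Previously the unmasked atoi() result was OR-ed in, so a value
       * above 7 overwrote the facility bits as well. */
      if (end != value && severity >= 0 && severity <= MAX_SEVERITY)
        msg->pri = (msg->pri & ~7) | (int) severity;
    }
  else
    {
      /* NOTE(review): without a prefix, client-chosen field names share the
       * namespace of every other name-value pair on the message. */
      if (!options->prefix)
        {
          log_msg_set_value_by_name(msg, key, value, value_len);
        }
      else
        {
          gchar *prefixed_key = g_strdup_printf("%s%s", options->prefix, key);

          log_msg_set_value_by_name(msg, prefixed_key, value, value_len);
          g_free(prefixed_key);
        }
    }
}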
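/*
 * Look up `input` in the GeoIP database and store the country code,
 * latitude and longitude under the configured destination names.
 *
 * Always returns TRUE; a failed lookup simply leaves the message unchanged.
 *
 * Each destination name is optional (the early return below shows that any
 * of them may be NULL), so every store is guarded individually. The
 * original only checked that at least one was set and then passed all three
 * to log_msg_set_value_by_name(), including the NULL ones.
 *
 * NOTE(review): input_len is not used, so `input` is assumed to be
 * NUL-terminated - confirm against the caller.
 * NOTE(review): the *_by_name lookups accept host names as well as
 * addresses; when `input` comes from log content this can cause a name
 * resolution per message. Consider the *_by_addr variants if only IP
 * addresses are expected.
 */
static gboolean
geoip_parser_process(LogParser *s, LogMessage **pmsg, const LogPathOptions *path_options, const gchar *input, gsize input_len)
{
  GeoIPParser *self = (GeoIPParser *) s;
  LogMessage *msg = log_msg_make_writable(pmsg, path_options);
  GeoIPRecord *record;

  if (!self->dest.country_code &&
      !self->dest.latitude &&
      !self->dest.longitude)
    return TRUE;

  record = GeoIP_record_by_name(self->gi, input);
  if (!record)
    {
      /* No full record: fall back to the country-only lookup. */
      const char *country = GeoIP_country_code_by_name(self->gi, input);

      if (country && self->dest.country_code)
        log_msg_set_value_by_name(msg, self->dest.country_code,
                                  country, strlen(country));
      return TRUE;
    }

  if (record->country_code && self->dest.country_code)
    log_msg_set_value_by_name(msg, self->dest.country_code,
                              record->country_code,
                              strlen(record->country_code));

  if (self->dest.latitude || self->dest.longitude)
    {
      SBGString *value = sb_gstring_acquire();

      if (self->dest.latitude)
        {
          g_string_printf(sb_gstring_string(value), "%f", record->latitude);
          log_msg_set_value_by_name(msg, self->dest.latitude,
                                    sb_gstring_string(value)->str,
                                    sb_gstring_string(value)->len);
        }

      if (self->dest.longitude)
        {
          g_string_printf(sb_gstring_string(value), "%f", record->longitude);
          log_msg_set_value_by_name(msg, self->dest.longitude,
                                    sb_gstring_string(value)->str,
                                    sb_gstring_string(value)->len);
        }

      sb_gstring_release(value);
    }

  GeoIPRecord_delete(record);

  return TRUE;
}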
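/*
 * Store every named capture group of the compiled pattern as a name-value
 * pair on `msg`.
 *
 * `matches` is the offset vector filled by the match (pairs of start/end
 * offsets into `value`), indexed by group number.
 *
 * Fixes relative to the original:
 *  - the group number is decoded from unsigned bytes; with a signed gchar a
 *    low byte >= 0x80 was sign-extended and gave a negative index into
 *    `matches`;
 *  - a group that did not take part in the match (offsets of -1) is stored
 *    as an empty value without forming a pointer before `value`;
 *  - the pcre_fullinfo() results are checked before the table is walked.
 *
 * NOTE(review): the size of `matches` is not passed in, so this function
 * cannot verify that 2*n+1 is inside the vector - the caller must size it
 * for the pattern's capture count.
 */
static void
log_matcher_pcre_re_feed_named_substrings(LogMatcher *s, LogMessage *msg, int *matches, const gchar *value)
{
  LogMatcherPcreRe *self = (LogMatcherPcreRe *) s;
  gchar *name_table = NULL;
  const guchar *entry;
  gint namecount = 0;
  gint name_entry_size = 0;
  gint i;

  if (pcre_fullinfo(self->pattern, self->extra, PCRE_INFO_NAMECOUNT, &namecount) != 0 ||
      namecount <= 0)
    return;

  /* Fetch the name-to-number table and the size of one table entry. */
  if (pcre_fullinfo(self->pattern, self->extra, PCRE_INFO_NAMETABLE, &name_table) != 0 ||
      pcre_fullinfo(self->pattern, self->extra, PCRE_INFO_NAMEENTRYSIZE, &name_entry_size) != 0)
    return;

  /* An entry is a 2-byte group number followed by a NUL-terminated name. */
  if (!name_table || name_entry_size < 3)
    return;

  entry = (const guchar *) name_table;
  for (i = 0; i < namecount; i++, entry += name_entry_size)
    {
      const gchar *name = (const gchar *) entry + 2;
      gint n = (entry[0] << 8) | entry[1];
      gint start = matches[2 * n];
      gint end = matches[2 * n + 1];

      if (start < 0 || end < start)
        log_msg_set_value_by_name(msg, name, "", 0);
      else
        log_msg_set_value_by_name(msg, name, value + start, end - start);
    }
}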
/*
 * Callback taking (name, value, value_len, user_data): stores the pair on
 * the LogMessage that was handed over as user_data.
 */
static void
_add_aux_nvpair(const gchar *name, const gchar *value, gsize value_len, gpointer user_data)
{
  LogMessage *target = (LogMessage *) user_data;

  log_msg_set_value_by_name(target, name, value, value_len);
}
/*
 * Apply a synthetic message description to `msg`: set every tag listed in
 * self->tags, then format each template in self->values and store the
 * result under the template's name.
 *
 * When `context` is given, templates are evaluated against all messages of
 * the context and its session id; otherwise against `msg` alone.
 * `buffer` is scratch space that receives each formatted value in turn.
 */
void
synthetic_message_apply(SyntheticMessage *self, CorrellationContext *context, LogMessage *msg, GString *buffer)
{
  gint idx;

  if (self->tags)
    {
      for (idx = 0; idx < self->tags->len; idx++)
        {
          LogTagId tag = g_array_index(self->tags, LogTagId, idx);

          log_msg_set_tag_by_id(msg, tag);
        }
    }

  if (!self->values)
    return;

  for (idx = 0; idx < self->values->len; idx++)
    {
      LogTemplate *tmpl = (LogTemplate *) g_ptr_array_index(self->values, idx);
      LogMessage **messages;

      if (context)
        messages = (LogMessage **) context->messages->pdata;
      else
        messages = &msg;

      log_template_format_with_context(tmpl,
                                       messages,
                                       context ? context->messages->len : 1,
                                       NULL, LTZ_LOCAL, 0,
                                       context ? context->key.session_id : NULL,
                                       buffer);
      log_msg_set_value_by_name(msg, tmpl->name, buffer->str, buffer->len);
    }
}
/*
 * Store a journal field on `msg` under its prefixed name.
 *
 * The name is built by _format_value_name_with_prefix() into a 256-byte
 * stack buffer whose size is passed along.
 * NOTE(review): presumably the helper truncates names that do not fit;
 * confirm that it also NUL-terminates in that case.
 */
static void
_set_value_in_message(JournalReaderOptions *options, LogMessage *msg, gchar *key, gchar *value, gssize value_len)
{
  gchar full_name[256];

  _format_value_name_with_prefix(full_name, sizeof(full_name), options, key);
  log_msg_set_value_by_name(msg, full_name, value, value_len);
}
/*
 * Build an empty LogMessage whose "MESSAGE" name-value pair holds `msg`.
 * The length is passed as -1, so `msg` must be NUL-terminated.
 */
static LogMessage *
_construct_msg(const gchar *msg)
{
  LogMessage *result = log_msg_new_empty();

  log_msg_set_value_by_name(result, "MESSAGE", msg, -1);
  return result;
}
/*
 * Test fixture: an empty LogMessage carrying base=basevalue and the tag
 * "basetag".
 */
static LogMessage *
construct_merge_base_message(void)
{
  LogMessage *base = log_msg_new_empty();

  log_msg_set_value_by_name(base, "base", "basevalue", -1);
  log_msg_set_tag_by_name(base, "basetag");
  return base;
}
/*
 * Test fixture: an empty LogMessage carrying the given name=value pair
 * (NUL-terminated value, length -1) and the tag "mergedtag".
 */
static LogMessage *
construct_merged_message(const gchar *name, const gchar *value)
{
  LogMessage *merged = log_msg_new_empty();

  log_msg_set_value_by_name(merged, name, value, -1);
  log_msg_set_tag_by_name(merged, "mergedtag");
  return merged;
}
/*
 * Test driver: builds a message with two values below "root.test." and
 * walks a ValuePairs set selecting "root.*" over it, reporting through the
 * test_vp_obj_start / test_vp_value / test_vp_obj_stop callbacks.
 * Initialises the file-level template_options and parse_options from cfg.
 */
void
test_value_pairs_walk_prefix_data(GlobalConfig *cfg)
{
  const char *sample = "value";
  ValuePairs *pairs;
  LogMessage *logmsg;

  log_template_options_init(&template_options, cfg);
  msg_format_options_init(&parse_options, cfg);

  pairs = value_pairs_new();
  value_pairs_add_glob_pattern(pairs, "root.*", TRUE);

  logmsg = log_msg_new("test", 4, NULL, &parse_options);
  log_msg_set_value_by_name(logmsg, "root.test.alma", sample, strlen(sample));
  log_msg_set_value_by_name(logmsg, "root.test.korte", sample, strlen(sample));

  value_pairs_walk(pairs,
                   test_vp_obj_start, test_vp_value, test_vp_obj_stop,
                   logmsg, 0, LTZ_LOCAL, &template_options, NULL);

  /* Drop the references taken above. */
  value_pairs_unref(pairs);
  log_msg_unref(logmsg);
}
/*
 * Test helper: overwrite the built-in fields (host, host-from, message,
 * program, pid, msgid, source) with "new..." values and add a
 * newvalue=newvalue name-value pair. All values are NUL-terminated
 * literals, hence the -1 length.
 */
void
set_new_log_message_attributes(LogMessage *log_message)
{
  LogMessage *const m = log_message;
  const gssize nul_terminated = -1;

  log_msg_set_value(m, LM_V_HOST, "newhost", nul_terminated);
  log_msg_set_value(m, LM_V_HOST_FROM, "newhost", nul_terminated);
  log_msg_set_value(m, LM_V_MESSAGE, "newmsg", nul_terminated);
  log_msg_set_value(m, LM_V_PROGRAM, "newprogram", nul_terminated);
  log_msg_set_value(m, LM_V_PID, "newpid", nul_terminated);
  log_msg_set_value(m, LM_V_MSGID, "newmsgid", nul_terminated);
  log_msg_set_value(m, LM_V_SOURCE, "newsource", nul_terminated);

  log_msg_set_value_by_name(m, "newvalue", "newvalue", nul_terminated);
}
/*
 * Test fixture: parse a fixed syslog-protocol sample with the file-level
 * parse_options, tag it "almafa", then set and immediately unset the
 * "unset_value" pair so the message carries an unset entry.
 *
 * NOTE(review): the two "[[email protected] ..." elements in the sample
 * look like an e-mail obfuscation artifact from where this listing was
 * published rather than the original SD-IDs - compare with the upstream
 * file before relying on the structured-data part of this fixture.
 */
LogMessage *
create_message(void)
{
  const gchar *raw = "<134>1 2009-10-16T11:51:56+02:00 exchange.macartney.esbjerg MSExchange_ADAccess 20208 _MSGID_ [origin ip=\"exchange.macartney.esbjerg\"][meta sequenceId=\"191732\" sysUpTime=\"68807696\"][[email protected] Data=\"MSEXCHANGEOWAAPPPOOL.CONFIG\\\" -W \\\"\\\" -M 1 -AP \\\"MSEXCHANGEOWAAPPPOOL5244fileserver.macartney.esbjerg CDG 1 7 7 1 0 1 1 7 1 mail.macartney.esbjerg CDG 1 7 7 1 0 1 1 7 1 maindc.macartney.esbjerg CD- 1 6 6 0 0 1 1 6 1 \"][[email protected] Keyword=\"Classic\"] ApplicationMSExchangeADAccess: message";
  const gchar *scratch_name = "unset_value";
  LogMessage *parsed = log_msg_new(raw, strlen(raw), NULL, &parse_options);

  log_msg_set_tag_by_name(parsed, "almafa");

  /* Set, then unset, the same pair. */
  log_msg_set_value_by_name(parsed, scratch_name, "value that has been unset", -1);
  log_msg_unset_value_by_name(parsed, scratch_name);

  return parsed;
}
/*
 * Test fixture: an empty LogMessage with MESSAGE and PROGRAM taken from the
 * arguments, HOST and PID taken from the MYHOST / MYPID constants, and an
 * optional extra name=value pair (skipped when `name` is NULL).
 * The message timestamp is aligned with the receive timestamp.
 */
static LogMessage *
_construct_message_with_nvpair(const gchar *program, const gchar *message, const gchar *name, const gchar *value)
{
  LogMessage *result = log_msg_new_empty();

  log_msg_set_value(result, LM_V_MESSAGE, message, strlen(message));
  log_msg_set_value(result, LM_V_PROGRAM, program, strlen(program));
  log_msg_set_value(result, LM_V_HOST, MYHOST, strlen(MYHOST));
  log_msg_set_value(result, LM_V_PID, MYPID, strlen(MYPID));

  if (name != NULL)
    log_msg_set_value_by_name(result, name, value, -1);

  result->timestamps[LM_TS_STAMP].tv_sec = result->timestamps[LM_TS_RECVD].tv_sec;
  return result;
}
/*
 * Split `input` into key=value pairs with the parser's kv_scanner and store
 * each pair on the (made-writable) message, using the key as formatted by
 * _get_formatted_key(). Always returns TRUE.
 *
 * NOTE(review): input_len is ignored (see the FIXMEs), so the scanner and
 * the -1 value length both rely on NUL termination. If a caller can pass a
 * buffer that is not NUL-terminated at input_len, the scan reads past the
 * intended end - confirm the caller's contract.
 */
static gboolean
kv_parser_process(LogParser *s, LogMessage **pmsg, const LogPathOptions *path_options, const gchar *input, gsize input_len)
{
  KVParser *self = (KVParser *) s;

  log_msg_make_writable(pmsg, path_options);

  /* FIXME: input length */
  kv_scanner_input(self->kv_scanner, input);

  for (;;)
    {
      const gchar *name;
      const gchar *val;

      if (!kv_scanner_scan_next(self->kv_scanner))
        break;

      name = _get_formatted_key(self, kv_scanner_get_current_key(self->kv_scanner));
      val = kv_scanner_get_current_value(self->kv_scanner);

      /* FIXME: value length */
      log_msg_set_value_by_name(*pmsg, name, val, -1);
    }

  return TRUE;
}
/*
 * Build a message from a NULL-terminated va_list of (key, value) string
 * pairs. Reading stops at the first NULL key or NULL value; the pairs seen
 * so far are kept. Returns NULL only when the empty message could not be
 * created.
 */
LogMessage *
message_from_list(va_list ap)
{
  LogMessage *msg = create_empty_message();
  char *name;

  if (!msg)
    return NULL;

  for (name = va_arg(ap, char *); name != NULL; name = va_arg(ap, char *))
    {
      char *val = va_arg(ap, char *);

      /* A key without a value ends the list early. */
      if (!val)
        break;

      log_msg_set_value_by_name(msg, name, val, -1);
    }

  return msg;
}
/*
 * Test fixture: parse `msg_string` as coming from 10.10.10.10:1010, with
 * LP_SYSLOG_PROTOCOL toggled in the file-level parse_options according to
 * `use_syslog_protocol`, then pin the values that would otherwise depend on
 * the environment (HOST_FROM and the receive timestamp).
 */
LogMessage *
init_msg(gchar *msg_string, gboolean use_syslog_protocol)
{
  LogMessage *parsed;
  GSockAddr *peer;

  if (!use_syslog_protocol)
    parse_options.flags &= ~LP_SYSLOG_PROTOCOL;
  else
    parse_options.flags |= LP_SYSLOG_PROTOCOL;

  peer = g_sockaddr_inet_new("10.10.10.10", 1010);
  parsed = log_msg_new(msg_string, strlen(msg_string), peer, &parse_options);
  g_sockaddr_unref(peer);

  /* Explicit lengths here equal the lengths of the literals. */
  log_msg_set_value_by_name(parsed, "APP.VALUE", "value", 5);
  log_msg_set_match(parsed, 0, "whole-match", 11);
  log_msg_set_match(parsed, 1, "first-match", 11);

  /* fix some externally or automatically defined values */
  log_msg_set_value(parsed, LM_V_HOST_FROM, "kismacska", 9);
  parsed->timestamps[LM_TS_RECVD].tv_sec = 1139684315;
  parsed->timestamps[LM_TS_RECVD].tv_usec = 639000;
  parsed->timestamps[LM_TS_RECVD].zone_offset = get_local_timezone_ofs(1139684315);

  return parsed;
}
/*
 * Test fixture: parse a fixed BSD-style sample from 10.11.12.13:1010, then
 * attach a set of name-value pairs (including one with a non-UTF-8 byte),
 * two match groups, three tags and a fixed rcptid, and pin HOST_FROM and
 * the receive timestamp so results do not depend on the environment.
 */
LogMessage *
create_sample_message(void)
{
  static const struct
  {
    const gchar *name;
    const gchar *value;
  } pairs[] =
  {
    { "APP.VALUE", "value" },
    { "APP.STRIP1", " value" },
    { "APP.STRIP2", "value " },
    { "APP.STRIP3", " value " },
    { "APP.STRIP4", "value" },
    { "APP.STRIP5", "" },
    { "APP.QVALUE", "\"value\"" },
    { ".unix.uid", "1000" },
    { ".unix.gid", "1000" },
    { ".unix.cmd", "command" },
    { ".json.foo", "bar" },
    { ".json.sub.value1", "subvalue1" },
    { ".json.sub.value2", "subvalue2" },
    { "escaping", "binary stuff follows \"\xad árvíztűrőtükörfúrógép" },
  };
  char *raw = "<155>2006-02-11T10:34:56+01:00 bzorp syslog-ng[23323]:árvíztűrőtükörfúrógép";
  GSockAddr *peer = g_sockaddr_inet_new("10.11.12.13", 1010);
  LogMessage *msg = log_msg_new(raw, strlen(raw), peer, &parse_options);
  gsize k;

  g_sockaddr_unref(peer);

  /* Same pairs, same order as a straight list of calls would give. */
  for (k = 0; k < sizeof(pairs) / sizeof(pairs[0]); k++)
    log_msg_set_value_by_name(msg, pairs[k].name, pairs[k].value, -1);

  log_msg_set_match(msg, 0, "whole-match", -1);
  log_msg_set_match(msg, 1, "first-match", -1);

  log_msg_set_tag_by_name(msg, "alma");
  log_msg_set_tag_by_name(msg, "korte");
  log_msg_clear_tag_by_name(msg, "narancs");
  log_msg_set_tag_by_name(msg, "citrom");

  msg->rcptid = 555;

  /* fix some externally or automatically defined values */
  log_msg_set_value(msg, LM_V_HOST_FROM, "kismacska", -1);
  msg->timestamps[LM_TS_RECVD].tv_sec = 1139684315;
  msg->timestamps[LM_TS_RECVD].tv_usec = 639000;
  msg->timestamps[LM_TS_RECVD].zone_offset = get_local_timezone_ofs(1139684315);

  return msg;
}
/*
 * Convert one JSON value into name-value pairs on `msg`.
 *
 * Scalars (boolean, double, int, string) are rendered to text and stored
 * under `prefix` + `obj_key` (or `obj_key` alone when there is no prefix).
 * Objects are handed to json_parser_process_object() with a key prefix
 * extended by "<obj_key>."; array elements recurse into this function with
 * "<obj_key>[<index>]" as their key. JSON null is skipped, an unknown type
 * is logged and skipped. A NULL `jso` is a no-op.
 *
 * NOTE(review): key names come from the parsed document. Without a prefix
 * they share the namespace of the message's other name-value pairs, so a
 * document can overwrite values set earlier - confirm whether callers are
 * expected to configure a prefix for untrusted input.
 * NOTE(review): nesting depth is bounded only by whatever limit the JSON
 * tokener applied before this function is reached - confirm.
 */
static void
json_parser_process_single(struct json_object *jso, const gchar *prefix, const gchar *obj_key, LogMessage *msg)
{
  SBGString *key, *value;
  gboolean parsed = FALSE;

  if (!jso)
    return;

  /* Scratch buffers for the composed key and the rendered value. */
  key = sb_gstring_acquire();
  value = sb_gstring_acquire();

  switch (json_object_get_type(jso))
    {
    case json_type_boolean:
      parsed = TRUE;
      if (json_object_get_boolean(jso))
        g_string_assign(sb_gstring_string(value), "true");
      else
        g_string_assign(sb_gstring_string(value), "false");
      break;
    case json_type_double:
      parsed = TRUE;
      g_string_printf(sb_gstring_string(value), "%f", json_object_get_double(jso));
      break;
    case json_type_int:
      /* NOTE(review): rendered with "%i" from json_object_get_int(), so
       * integers wider than int are presumably not preserved - confirm. */
      parsed = TRUE;
      g_string_printf(sb_gstring_string(value), "%i", json_object_get_int(jso));
      break;
    case json_type_string:
      parsed = TRUE;
      g_string_assign(sb_gstring_string(value), json_object_get_string(jso));
      break;
    case json_type_object:
      /* NOTE(review): with no prefix the key buffer is only appended to, so
       * this relies on sb_gstring_acquire() returning an empty string. */
      if (prefix)
        g_string_assign(sb_gstring_string(key), prefix);
      g_string_append(sb_gstring_string(key), obj_key);
      g_string_append_c(sb_gstring_string(key), '.');
      json_parser_process_object(jso, sb_gstring_string(key)->str, msg);
      break;
    case json_type_array:
      {
        gint i, plen;

        g_string_assign(sb_gstring_string(key), obj_key);

        /* Remember where "<obj_key>" ends so each "[i]" suffix replaces
         * the previous one. */
        plen = sb_gstring_string(key)->len;

        for (i = 0; i < json_object_array_length(jso); i++)
          {
            g_string_truncate(sb_gstring_string(key), plen);
            g_string_append_printf(sb_gstring_string(key), "[%d]", i);
            json_parser_process_single(json_object_array_get_idx(jso, i), prefix, sb_gstring_string(key)->str, msg);
          }
        break;
      }
    case json_type_null:
      break;
    default:
      msg_error("JSON parser encountered an unknown type, skipping", evt_tag_str("key", obj_key), NULL);
      break;
    }

  /* Only the scalar cases set `parsed`; objects and arrays have already
   * stored their members through the calls above. */
  if (parsed)
    {
      if (prefix)
        {
          g_string_assign(sb_gstring_string(key), prefix);
          g_string_append(sb_gstring_string(key), obj_key);
          log_msg_set_value_by_name(msg, sb_gstring_string(key)->str, sb_gstring_string(value)->str, sb_gstring_string(value)->len);
        }
      else
        log_msg_set_value_by_name(msg, obj_key, sb_gstring_string(value)->str, sb_gstring_string(value)->len);
    }

  sb_gstring_release(key);
  sb_gstring_release(value);
}
/*
 * Test fixture: an empty message (from create_empty_message()) populated
 * with a fixed set of name-value pairs, including values with invalid
 * UTF-8 bytes and one value with an embedded NUL byte.
 */
LogMessage *
create_sample_message(void)
{
  static const struct
  {
    const gchar *name;
    const gchar *value;
  } pairs[] =
  {
    { "APP.VALUE", "value" },
    { "APP.STRIP1", " value" },
    { "APP.STRIP2", "value " },
    { "APP.STRIP3", " value " },
    { "APP.STRIP4", "value" },
    { "APP.STRIP5", "" },
    { "APP.QVALUE", "\"value\"" },
    { ".unix.uid", "1000" },
    { ".unix.gid", "1000" },
    { ".unix.cmd", "command" },
    { ".json.foo", "bar" },
    { ".json.sub.value1", "subvalue1" },
    { ".json.sub.value2", "subvalue2" },
    { "escaping", "binary stuff follows \"\xad árvíztűrőtükörfúrógép" },
    { "escaping2", "\xc3" },
  };
  LogMessage *msg = create_empty_message();
  gsize k;

  /* NUL-terminated values, stored in list order. */
  for (k = 0; k < sizeof(pairs) / sizeof(pairs[0]); k++)
    log_msg_set_value_by_name(msg, pairs[k].name, pairs[k].value, -1);

  /* Explicit length 12 so the embedded NUL is part of the value. */
  log_msg_set_value_by_name(msg, "null", "binary\0stuff", 12);

  return msg;
}