//
// return true if the event matched the rule
//
bool Session::ApplyRule(const Rule & rule, const EVENTLOGRECORD * ev) {
string test;
GetEventUser(ev, test);
if (rule.GetEventId() != 0 && rule.GetEventId() != (ev->EventID & MSG_ID_MASK))
return false;
if (ev->TimeGenerated < (m_now - rule.GetDelay())
&& rule.GetIgnore() == false) // ignore rules don't depend on delay parameters
return false;
if (rule.GetSource().length() > 0) {
string source = (LPSTR) ((LPBYTE) ev + sizeof(EVENTLOGRECORD));
std::transform(source.begin(), source.end(), source.begin(), tolower);
if (source != rule.GetSource())
return false;
}
if (rule.GetType() != 0 && rule.GetType() != ev->EventType)
return false;
if (rule.GetUser().length() > 0) {
string user;
boost::regex e(rule.GetUser(), boost::regbase::perl);
GetEventUser(ev, user);
boost::match_results<std::string::const_iterator> what;
if(boost::regex_search(user, what, e) == 0) {
return false;
}
}
if (rule.GetValue().length() > 0) {
string desc;
boost::regex e(rule.GetValue(), boost::regbase::perl);
GetEventDescription(ev, desc);
boost::match_results<std::string::const_iterator> what;
if(boost::regex_search(desc, what, e) == 0) {
return false;
}
}
return true;
}
Rule::Rule(const Rule & rule) {
m_useId = false;
m_id = rule.GetEventId();
if (m_id > 0)
m_useId = true;
m_source = rule.GetSource();
m_alarmColor = rule.GetAlarmColor();
m_ignore = rule.GetIgnore();
m_type = rule.GetType();
m_user = rule.GetUser();
m_value = rule.GetValue();
m_delay = rule.GetDelay();
m_count = rule.GetCount();
m_countTmp = 0;
m_priority = rule.GetPriority();
}