예제 #1
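/*
 * Sagan_Search - Match a syslog message against the "search" processor's
 * keyword lists and raise one alert per matching list entry.
 *
 * SaganProcSyslog_LOCAL: the parsed syslog record (message, program, host).
 * type: 1 walks the case-insensitive list (SaganNocaseSearchlist, strcasestr,
 *       alert id 1); any other value walks the case-sensitive list
 *       (SaganCaseSearchlist, strstr, alert id 2).
 *
 * For every hit the endpoint data is resolved in the same order in both
 * branches, the first source that yields a value winning:
 *   IPs   : liblognorm (when compiled in and enabled for the list)
 *           -> positional parse of the message (parse_ip, when the list's
 *              parse_src/parse_dst option is set)
 *           -> the sending host (syslog_host).
 *   ports : liblognorm -> config->sagan_port.
 *   proto : parse_proto / parse_proto_program (when enabled) -> config->sagan_proto.
 * "0" in ip_src/ip_dst and 0 in the ports/proto mean "not resolved yet".
 *
 * Returns nothing; hits are delivered through Sagan_Send_Alert().
 */
void Sagan_Search (_SaganProcSyslog *SaganProcSyslog_LOCAL, int type ) {

    int i;

    char ip_src[MAXIP] = { 0 };
    char ip_dst[MAXIP] = { 0 };

    int src_port = 0;
    int dst_port = 0;
    int proto = 0;

    const char *parsed = NULL;

    if ( type == 1 ) {

        for (i=0; i<counters->search_nocase_count; i++) {

            /* Reset every per-hit value so an earlier match on the same
             * message cannot leak its IPs, ports or proto into this one. */
            ip_src[0] = '0';
            ip_src[1] = '\0';
            ip_dst[0] = '0';
            ip_dst[1] = '\0';
            src_port = 0;
            dst_port = 0;
            proto = 0;

            if (strcasestr(SaganProcSyslog_LOCAL->syslog_message, SaganNocaseSearchlist[i].search )) {

                /* NOTE(review): bumped without a lock -- confirm whether
                 * `counters` is shared across worker threads. */
                counters->search_nocase_hit_count++;

#ifdef HAVE_LIBLOGNORM
                if ( config->search_nocase_lognorm) {

                    /* SaganNormalizeLiblognorm is a shared result buffer:
                     * copy everything needed out while holding the mutex. */
                    pthread_mutex_lock(&Lognorm_Mutex);

                    sagan_normalize_liblognorm(SaganProcSyslog_LOCAL->syslog_message);

                    if (SaganNormalizeLiblognorm->ip_src[0] != '0')
                        strlcpy(ip_src, SaganNormalizeLiblognorm->ip_src, sizeof(ip_src));

                    if (SaganNormalizeLiblognorm->ip_dst[0] != '0')
                        strlcpy(ip_dst, SaganNormalizeLiblognorm->ip_dst, sizeof(ip_dst));

                    src_port = SaganNormalizeLiblognorm->src_port;
                    dst_port = SaganNormalizeLiblognorm->dst_port;

                    pthread_mutex_unlock(&Lognorm_Mutex);
                }
#endif

                if ( src_port == 0 ) src_port = config->sagan_port;
                if ( dst_port == 0 ) dst_port = config->sagan_port;

                /* Positional parsing only runs when liblognorm left the IP
                 * unresolved.  The parse_ip() result is checked in case it
                 * can signal "nothing found" with NULL. */
                if ( config->search_nocase_parse_src && ip_src[0] == '0' ) {
                    parsed = parse_ip(SaganProcSyslog_LOCAL->syslog_message, config->search_nocase_parse_src);
                    if ( parsed != NULL ) strlcpy(ip_src, parsed, sizeof(ip_src));
                }

                if ( config->search_nocase_parse_dst && ip_dst[0] == '0' ) {
                    parsed = parse_ip(SaganProcSyslog_LOCAL->syslog_message, config->search_nocase_parse_dst);
                    if ( parsed != NULL ) strlcpy(ip_dst, parsed, sizeof(ip_dst));
                }

                /* Last resort: attribute the event to the sending host rather
                 * than emitting the "0" placeholder in the alert. */
                if ( ip_src[0] == '0' ) strlcpy(ip_src, SaganProcSyslog_LOCAL->syslog_host, sizeof(ip_src));
                if ( ip_dst[0] == '0' ) strlcpy(ip_dst, SaganProcSyslog_LOCAL->syslog_host, sizeof(ip_dst));

                if ( config->search_nocase_parse_proto ) proto = parse_proto(SaganProcSyslog_LOCAL->syslog_message);
                if ( config->search_nocase_parse_proto_program ) proto = parse_proto_program(SaganProcSyslog_LOCAL->syslog_program);
                if ( proto == 0 ) proto = config->sagan_proto;

                Sagan_Send_Alert(SaganProcSyslog_LOCAL, processor_info_search, ip_src, ip_dst, proto, 1, src_port, dst_port);
            }
        }

    } else {

        for (i=0; i<counters->search_case_count; i++) {

            /* Same per-hit reset as the case-insensitive branch. */
            ip_src[0] = '0';
            ip_src[1] = '\0';
            ip_dst[0] = '0';
            ip_dst[1] = '\0';
            src_port = 0;
            dst_port = 0;
            proto = 0;

            if (strstr(SaganProcSyslog_LOCAL->syslog_message, SaganCaseSearchlist[i].search )) {

                /* NOTE(review): bumped without a lock -- confirm whether
                 * `counters` is shared across worker threads. */
                counters->search_case_hit_count++;

#ifdef HAVE_LIBLOGNORM
                if ( config->search_case_lognorm) {

                    pthread_mutex_lock(&Lognorm_Mutex);

                    sagan_normalize_liblognorm(SaganProcSyslog_LOCAL->syslog_message);

                    if (SaganNormalizeLiblognorm->ip_src[0] != '0')
                        strlcpy(ip_src, SaganNormalizeLiblognorm->ip_src, sizeof(ip_src));

                    if (SaganNormalizeLiblognorm->ip_dst[0] != '0')
                        strlcpy(ip_dst, SaganNormalizeLiblognorm->ip_dst, sizeof(ip_dst));

                    src_port = SaganNormalizeLiblognorm->src_port;
                    dst_port = SaganNormalizeLiblognorm->dst_port;

                    pthread_mutex_unlock(&Lognorm_Mutex);
                }
#endif

                if ( src_port == 0 ) src_port = config->sagan_port;
                if ( dst_port == 0 ) dst_port = config->sagan_port;

                /* The positional parse uses the case-sensitive list's own
                 * parse_src/parse_dst positions; the previous code tested the
                 * case-sensitive flag but parsed with the nocase position. */
                if ( config->search_case_parse_src && ip_src[0] == '0') {
                    parsed = parse_ip(SaganProcSyslog_LOCAL->syslog_message, config->search_case_parse_src);
                    if ( parsed != NULL ) strlcpy(ip_src, parsed, sizeof(ip_src));
                }

                if ( config->search_case_parse_dst && ip_dst[0] == '0' ) {
                    parsed = parse_ip(SaganProcSyslog_LOCAL->syslog_message, config->search_case_parse_dst);
                    if ( parsed != NULL ) strlcpy(ip_dst, parsed, sizeof(ip_dst));
                }

                if ( ip_src[0] == '0' ) strlcpy(ip_src, SaganProcSyslog_LOCAL->syslog_host, sizeof(ip_src));
                if ( ip_dst[0] == '0' ) strlcpy(ip_dst, SaganProcSyslog_LOCAL->syslog_host, sizeof(ip_dst));

                /* NOTE(review): this reads the *nocase* proto flag inside the
                 * case-sensitive branch, as the original did; if the config
                 * struct carries a case-sensitive counterpart it belongs here
                 * instead -- confirm against the config definition. */
                if ( config->search_nocase_parse_proto ) proto = parse_proto(SaganProcSyslog_LOCAL->syslog_message);
                if ( config->search_case_parse_proto_program ) proto = parse_proto_program(SaganProcSyslog_LOCAL->syslog_program);
                if ( proto == 0 ) proto = config->sagan_proto;

                /* Send the protocol that was just resolved; the old call
                 * discarded it and always sent config->sagan_proto. */
                Sagan_Send_Alert(SaganProcSyslog_LOCAL, processor_info_search, ip_src, ip_dst, proto, 2, src_port, dst_port);
            }
        }
    }
}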
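/*
 * Sagan_Track_Client_Last_Seen - Render an epoch time the way ctime() does,
 * but thread-safely (ctime_r) and without the trailing newline ctime()
 * appends, so the text can be embedded in a single-line alert message.
 *
 * last_seen: epoch seconds.  buf/buflen: destination, always NUL-terminated;
 * holds "unknown" when the time cannot be rendered.
 */
static void Sagan_Track_Client_Last_Seen(uintmax_t last_seen, char *buf, size_t buflen)
{
    time_t when = (time_t) last_seen;
    char rendered[26] = { 0 };          /* ctime_r() needs at least 26 bytes */

    if ( ctime_r(&when, rendered) == NULL )
        {
            snprintf(buf, buflen, "%s", "unknown");
            return;
        }

    rendered[strcspn(rendered, "\n")] = '\0';
    snprintf(buf, buflen, "%s", rendered);
}

/*
 * Sagan_Track_Client_Send - Fill the fixed fields of the scratch alert record
 * and hand it to the output plugins.  rec->syslog_message must already hold
 * the alert text; tmp_ip becomes the source host; utime_u64 stamps the
 * date/time fields; alertid is the gen-msg.map id (100 = client down,
 * 101 = client back up).
 */
static void Sagan_Track_Client_Send(struct _Sagan_Proc_Syslog *rec, const char *tmp_ip, uintmax_t utime_u64, int alertid)
{
    strlcpy(rec->syslog_host, tmp_ip, sizeof(rec->syslog_host));
    strlcpy(rec->syslog_facility, PROCESSOR_FACILITY, sizeof(rec->syslog_facility));
    strlcpy(rec->syslog_priority, PROCESSOR_PRIORITY, sizeof(rec->syslog_priority));
    strlcpy(rec->syslog_level, "info", sizeof(rec->syslog_level));
    strlcpy(rec->syslog_tag, "00", sizeof(rec->syslog_tag));
    strlcpy(rec->syslog_program, PROCESSOR_NAME, sizeof(rec->syslog_program));

    snprintf(rec->syslog_date, sizeof(rec->syslog_date), "%s", Sagan_Return_Date(utime_u64));
    snprintf(rec->syslog_time, sizeof(rec->syslog_time), "%s", Sagan_Return_Time(utime_u64));

    Sagan_Send_Alert(rec,
                     processor_info_track_client,
                     rec->syslog_host,
                     config->sagan_host,
                     "\0",
                     "\0",
                     config->sagan_proto,
                     alertid,
                     config->sagan_port,
                     config->sagan_port,
                     0);
}

/*
 * Sagan_Report_Clients - Background loop for the "track clients" processor.
 *
 * Once a minute, walk the shared SaganTrackClients_ipc table and compare each
 * client's last-seen time with the configured window
 * (config->pp_sagan_track_clients minutes).  A client marked down
 * (status == 1) that has been seen inside the window is marked up again and
 * reported with alert id 101; a client that was up and has been silent for
 * the whole window is marked down and reported with alert id 100.  Status
 * changes and counters_ipc->track_clients_down are updated under the
 * Sagan_File_Lock() locks; each transition goes to Sagan_Log() and, via the
 * scratch record, to Sagan_Send_Alert().
 *
 * Never returns in normal operation.  Returns only if the scratch record
 * cannot be allocated and Sagan_Log(S_ERROR, ...) comes back to the caller.
 */
void Sagan_Report_Clients ( void )
{

    int i;

    char last_seen_str[64] = { 0 };

    /* Scratch record for the output plugins.  Allocated once per thread and
     * zeroed, so fields this loop never writes are not handed to the plugins
     * uninitialised (the old per-iteration malloc left them as garbage). */
    struct _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL = calloc(1, sizeof(*SaganProcSyslog_LOCAL));

    if ( SaganProcSyslog_LOCAL == NULL )
        {
            Sagan_Log(S_ERROR, "[%s, line %d] Failed to allocate memory for SaganProcSyslog_LOCAL. Abort!", __FILE__, __LINE__);
            return;     /* only reached if S_ERROR does not terminate the process */
        }

    for(;;)
        {

            /* time() already yields epoch seconds; the strftime("%s")/atol
             * round trip it replaces relied on a glibc extension. */
            uintmax_t utime_u64 = (uintmax_t) time(NULL);

            /* pp_sagan_track_clients is configured in minutes. */
            uintmax_t expired_time = (uintmax_t) config->pp_sagan_track_clients * 60;

            for (i=0; i<counters_ipc->track_clients_client_count; i++)
                {

                    /* NOTE(review): status/utime are read without the
                     * shm_track_clients lock, as before; a writer in another
                     * process may race with this check. */
                    uintmax_t last_seen = (uintmax_t) SaganTrackClients_ipc[i].utime;

                    /* Guard the subtraction: if the clock went backwards or a
                     * writer stamped a later time, the unsigned difference
                     * would wrap to a huge value and the host would be
                     * reported down although it was just seen. */
                    uintmax_t elapsed = ( utime_u64 >= last_seen ) ? utime_u64 - last_seen : 0;

                    char *tmp_ip = NULL;

                    if ( SaganTrackClients_ipc[i].status == 1 )
                        {

                            /* Host is marked down: has it been seen inside the window? */

                            if ( elapsed < expired_time )
                                {

                                    Sagan_File_Lock(config->shm_track_clients);
                                    SaganTrackClients_ipc[i].status = 0;
                                    Sagan_File_Unlock(config->shm_track_clients);

                                    Sagan_File_Lock(config->shm_counters);
                                    counters_ipc->track_clients_down--;
                                    Sagan_File_Unlock(config->shm_counters);

                                    /* tmp_ip is consumed (logged and copied) before the next Bit2IP() call. */
                                    tmp_ip = Bit2IP(SaganTrackClients_ipc[i].host_u32);

                                    Sagan_Log(S_WARN, "[Processor: %s] Logs are being received from %s again.",  PROCESSOR_NAME, tmp_ip );

                                    Sagan_Track_Client_Last_Seen(last_seen, last_seen_str, sizeof(last_seen_str));

                                    snprintf(SaganProcSyslog_LOCAL->syslog_message, sizeof(SaganProcSyslog_LOCAL->syslog_message), "The IP address %s was previously not sending logs. The system appears to be sending logs again at %s", tmp_ip, last_seen_str);

                                    Sagan_Track_Client_Send(SaganProcSyslog_LOCAL, tmp_ip, utime_u64, 101);     /* 101: see gen-msg.map */

                                } /* End last seen check time */

                        }
                    else
                        {

                            /* Host is up: has it been silent for the whole window? */

                            if ( elapsed >= expired_time )
                                {

                                    Sagan_File_Lock(config->shm_track_clients);
                                    SaganTrackClients_ipc[i].status = 1;
                                    Sagan_File_Unlock(config->shm_track_clients);

                                    Sagan_File_Lock(config->shm_counters);
                                    counters_ipc->track_clients_down++;
                                    Sagan_File_Unlock(config->shm_counters);

                                    tmp_ip = Bit2IP(SaganTrackClients_ipc[i].host_u32);

                                    Sagan_Log(S_WARN, "[Processor: %s] Logs have not been seen from %s for %d minute(s).", PROCESSOR_NAME, tmp_ip, config->pp_sagan_track_clients);

                                    Sagan_Track_Client_Last_Seen(last_seen, last_seen_str, sizeof(last_seen_str));

                                    snprintf(SaganProcSyslog_LOCAL->syslog_message, sizeof(SaganProcSyslog_LOCAL->syslog_message), "Sagan has not recieved any logs from the IP address %s in over %d minute(s). Last log was seen at %s. This could be an indication that the system is down.", tmp_ip, config->pp_sagan_track_clients, last_seen_str);

                                    Sagan_Track_Client_Send(SaganProcSyslog_LOCAL, tmp_ip, utime_u64, 100);     /* 100: see gen-msg.map */

                                }  /* End of existing utime check */

                        } /* End of else */

                }  /* End for 'for' loop */

            sleep(60);

        } /* End infinite loop */

} /* End Sagan_Report_Clients */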