void
pdb_context_unref(PDBContext *self)
{
gint i;
if (--self->ref_cnt == 0)
{
for (i = 0; i < self->messages->len; i++)
{
log_msg_unref((LogMessage *) g_ptr_array_index(self->messages, i));
}
g_ptr_array_free(self->messages, TRUE);
if (self->rule)
pdb_rule_unref(self->rule);
if (self->key.host)
g_free((gchar *) self->key.host);
if (self->key.program)
g_free((gchar *) self->key.program);
if (self->key.pid)
g_free((gchar *) self->key.pid);
g_free(self->key.session_id);
g_free(self);
}
}
static void
pdb_context_free(CorrellationContext *s)
{
PDBContext *self = (PDBContext *) s;
if (self->rule)
pdb_rule_unref(self->rule);
correllation_context_free_method(s);
}
static void
_pattern_db_process_matching_rule(PatternDB *self, PDBProcessParams *process_params)
{
PDBContext *context = NULL;
PDBRule *rule = process_params->rule;
LogMessage *msg = process_params->msg;
GString *buffer = g_string_sized_new(32);
g_static_rw_lock_writer_lock(&self->lock);
_advance_time_based_on_message(self, process_params, &msg->timestamps[LM_TS_STAMP]);
if (rule->context.id_template)
{
CorrellationKey key;
log_template_format(rule->context.id_template, msg, NULL, LTZ_LOCAL, 0, NULL, buffer);
log_msg_set_value(msg, context_id_handle, buffer->str, -1);
correllation_key_setup(&key, rule->context.scope, msg, buffer->str);
context = g_hash_table_lookup(self->correllation.state, &key);
if (!context)
{
msg_debug("Correllation context lookup failure, starting a new context",
evt_tag_str("rule", rule->rule_id),
evt_tag_str("context", buffer->str),
evt_tag_int("context_timeout", rule->context.timeout),
evt_tag_int("context_expiration", timer_wheel_get_time(self->timer_wheel) + rule->context.timeout));
context = pdb_context_new(&key);
g_hash_table_insert(self->correllation.state, &context->super.key, context);
g_string_steal(buffer);
}
else
{
msg_debug("Correllation context lookup successful",
evt_tag_str("rule", rule->rule_id),
evt_tag_str("context", buffer->str),
evt_tag_int("context_timeout", rule->context.timeout),
evt_tag_int("context_expiration", timer_wheel_get_time(self->timer_wheel) + rule->context.timeout),
evt_tag_int("num_messages", context->super.messages->len));
}
g_ptr_array_add(context->super.messages, log_msg_ref(msg));
if (context->super.timer)
{
timer_wheel_mod_timer(self->timer_wheel, context->super.timer, rule->context.timeout);
}
else
{
context->super.timer = timer_wheel_add_timer(self->timer_wheel, rule->context.timeout, pattern_db_expire_entry,
correllation_context_ref(&context->super),
(GDestroyNotify) correllation_context_unref);
}
if (context->rule != rule)
{
if (context->rule)
pdb_rule_unref(context->rule);
context->rule = pdb_rule_ref(rule);
}
}
else
{
context = NULL;
}
process_params->context = context;
process_params->buffer = buffer;
synthetic_message_apply(&rule->msg, &context->super, msg, buffer);
_emit_message(self, process_params, FALSE, msg);
_execute_rule_actions(self, process_params, RAT_MATCH);
pdb_rule_unref(rule);
g_static_rw_lock_writer_unlock(&self->lock);
if (context)
log_msg_write_protect(msg);
g_string_free(buffer, TRUE);
}