/**
* Special parser for iptables-like name/value pairs.
* The pull multiple fields. Note that once this parser has been selected,
* it is very unlikely to be left, as it is *very* generic. This parser is
* required because practice shows that already-structured data like iptables
* can otherwise not be processed by liblognorm in a meaningful way.
*
* @param[in] tree current tree to process
* @param[in] str string to be matched against (the to-be-normalized data)
* @param[in] strLen length of str
* @param[in/out] offs start position in input data, on exit first unparsed position
* @param[in/out] event handle to event that is being created during normalization
*
* @return 0 if parser was successfully, something else on error
*/
static int
ln_iptablesParser(struct ln_ptree *tree, const char *str, size_t strLen, size_t *offs,
struct json_object *json)
{
int r;
size_t o = *offs;
es_str_t *fname;
es_str_t *fval;
const char *pstr;
const char *end;
struct json_object *value;
ln_dbgprintf(tree->ctx, "%zu enter iptables parser, len %zu", *offs, strLen);
if(o == strLen) {
r = -1; /* can not be, we have no n/v pairs! */
goto done;
}
end = str + strLen;
pstr = str + o;
while(pstr < end) {
while(pstr < end && isspace(*pstr))
++pstr;
CHKN(fname = es_newStr(16));
while(pstr < end && !isspace(*pstr) && *pstr != '=') {
es_addChar(&fname, *pstr);
++pstr;
}
if(pstr < end && *pstr == '=') {
CHKN(fval = es_newStr(16));
++pstr;
/* error on space */
while(pstr < end && !isspace(*pstr)) {
es_addChar(&fval, *pstr);
++pstr;
}
} else {
CHKN(fval = es_newStrFromCStr("[*PRESENT*]",
sizeof("[*PRESENT*]")-1));
}
char *cn, *cv;
CHKN(cn = ln_es_str2cstr(&fname));
CHKN(cv = ln_es_str2cstr(&fval));
if (tree->ctx->debug) {
ln_dbgprintf(tree->ctx, "iptables parser extracts %s=%s", cn, cv);
}
CHKN(value = json_object_new_string(cv));
json_object_object_add(json, cn, value);
es_deleteStr(fval);
es_deleteStr(fname);
}
r = 0;
*offs = strLen;
done:
ln_dbgprintf(tree->ctx, "%zu iptables parser returns %d", *offs, r);
return r;
}
int
ln_fmtEventToRFC5424(struct json_object *json, es_str_t **str)
{
int r = -1;
struct json_object *tags;
assert(json != NULL);
assert(json_object_is_type(json, json_type_object));
if((*str = es_newStr(256)) == NULL)
goto done;
es_addBuf(str, "[cee@115", 8);
if(json_object_object_get_ex(json, "event.tags", &tags)) {
CHKR(ln_addTags_Syslog(tags, str));
}
struct json_object_iterator it = json_object_iter_begin(json);
struct json_object_iterator itEnd = json_object_iter_end(json);
while (!json_object_iter_equal(&it, &itEnd)) {
char *const name = (char*)json_object_iter_peek_name(&it);
if (strcmp(name, "event.tags")) {
es_addChar(str, ' ');
ln_addField_Syslog(name, json_object_iter_peek_value(&it), str);
}
json_object_iter_next(&it);
}
es_addChar(str, ']');
done:
return r;
}
void
ln_displayPTree(struct ln_ptree *tree, int level)
{
int i;
int nChildLit;
int nChildField;
es_str_t *str;
char *cstr;
ln_fieldList_t *node;
char indent[2048];
if(level > 1023)
level = 1023;
memset(indent, ' ', level * 2);
indent[level * 2] = '\0';
nChildField = 0;
for(node = tree->froot ; node != NULL ; node = node->next ) {
++nChildField;
}
nChildLit = 0;
for(i = 0 ; i < 256 ; ++i) {
if(tree->subtree[i] != NULL) {
nChildLit++;
}
}
str = es_newStr(sizeof(tree->prefix));
es_addBuf(&str, (char*) prefixBase(tree), tree->lenPrefix);
cstr = es_str2cstr(str, NULL);
es_deleteStr(str);
ln_dbgprintf(tree->ctx, "%ssubtree%s %p (prefix: '%s', children: %d literals, %d fields)",
indent, tree->flags.isTerminal ? " TERM" : "", tree, cstr, nChildLit, nChildField);
free(cstr);
/* display char subtrees */
for(i = 0 ; i < 256 ; ++i) {
if(tree->subtree[i] != NULL) {
ln_dbgprintf(tree->ctx, "%schar %2.2x(%c):", indent, i, i);
ln_displayPTree(tree->subtree[i], level + 1);
}
}
/* display field subtrees */
for(node = tree->froot ; node != NULL ; node = node->next ) {
cstr = es_str2cstr(node->name, NULL);
ln_dbgprintf(tree->ctx, "%sfield %s:", indent, cstr);
free(cstr);
ln_displayPTree(node->subtree, level + 1);
}
}
int
ee_fmtEventToJSON(struct ee_event *event, es_str_t **str)
{
int r = -1;
struct ee_fieldbucket_listnode *node;
int bNeedComma = 0;
assert(event != NULL);assert(event->objID == ObjID_EVENT);
if((*str = es_newStr(256)) == NULL) goto done;
es_addChar(str, '{');
if( event->ctx->flags & EE_CTX_FLAG_INCLUDE_FLAT_TAGS
&& event->tags != NULL) {
CHKR(ee_addTags_JSON(event->tags, str));
bNeedComma = 1;
}
if(event->fields != NULL) {
for(node = event->fields->root ; node != NULL ; node = node->next) {
assert(node->field->objID == ObjID_FIELD);
if(bNeedComma) {
CHKR(es_addBuf(str, ", ", 2));
} else {
bNeedComma = 1;
}
#ifdef NO_EMPTY_FIELDS
if(ee_addField_JSON(node->field, str) == 1)
continue;
#else
ee_addField_JSON(node->field, str);
#endif
}
}
es_addChar(str, '}');
done:
return r;
}
