void
check_val_in_hash_clone(gchar *msg, LogMessage *self,LogMessage *msg_clone , const gchar* pair[2])
{
const gchar * a1 = log_msg_get_value(self, log_msg_get_value_handle(pair[0]), NULL);
const gchar * a2 = log_msg_get_value(msg_clone, log_msg_get_value_handle(pair[0]), NULL);
TEST_ASSERT(strcmp( a1, pair[1]) == 0 && strcmp(a2, pair[1] ) == 0, "%s", a1, a2);
}
int
testcase_replace(const gchar *log, const gchar *re, gchar *replacement, const gchar *expected_result, const gint matcher_flags, LogMatcher *m)
{
LogMessage *msg;
LogTemplate *r;
gchar *result;
gssize length;
gchar buf[1024];
gssize msglen;
NVHandle nonasciiz = log_msg_get_value_handle("NON-ASCIIZ");
const gchar *value;
GSockAddr *sa;
sa = g_sockaddr_inet_new("10.10.10.10", 1010);
msg = log_msg_new(log, strlen(log), sa, &parse_options);
g_sockaddr_unref(sa);
/* NOTE: we test how our matchers cope with non-zero terminated values. We don't change message_len, only the value */
g_snprintf(buf, sizeof(buf), "%sAAAAAAAAAAAA", log_msg_get_value(msg, LM_V_MESSAGE, &msglen));
log_msg_set_value(msg, log_msg_get_value_handle("MESSAGE2"), buf, -1);
/* add a non-zero terminated indirect value which contains the whole message */
log_msg_set_value_indirect(msg, nonasciiz, log_msg_get_value_handle("MESSAGE2"), 0, 0, msglen);
log_matcher_set_flags(m, matcher_flags);
log_matcher_compile(m, re);
r = log_template_new(configuration, NULL);
log_template_compile(r, replacement, NULL);
NVTable *nv_table = nv_table_ref(msg->payload);
value = log_msg_get_value(msg, nonasciiz, &msglen);
result = log_matcher_replace(m, msg, nonasciiz, value, msglen, r, &length);
value = log_msg_get_value(msg, nonasciiz, &msglen);
nv_table_unref(nv_table);
if (strncmp(result ? result : value, expected_result, result ? length : msglen) != 0)
{
fprintf(stderr, "Testcase failure. pattern=%s, result=%.*s, expected=%s\n", re, (gint) length, result ? result : value, expected_result);
exit(1);
}
g_free(result);
log_template_unref(r);
log_matcher_unref(m);
log_msg_unref(msg);
return 0;
}
static void
test_kv_parser_basics(void)
{
LogMessage *msg;
msg = parse_kv_into_log_message("foo=bar");
assert_log_message_value(msg, log_msg_get_value_handle("foo"), "bar");
log_msg_unref(msg);
kv_parser_set_prefix(kv_parser, ".prefix.");
msg = parse_kv_into_log_message("foo=bar");
assert_log_message_value(msg, log_msg_get_value_handle(".prefix.foo"), "bar");
log_msg_unref(msg);
}
static void
test_geoip_parser_basics(void)
{
LogMessage *msg;
msg = parse_geoip_into_log_message("217.20.130.99");
assert_log_message_value(msg, log_msg_get_value_handle(".geoip.country_code"), "HU");
log_msg_unref(msg);
geoip_parser_set_prefix(geoip_parser, ".prefix.");
msg = parse_geoip_into_log_message("217.20.130.99");
assert_log_message_value(msg, log_msg_get_value_handle(".prefix.country_code"), "HU");
log_msg_unref(msg);
}
LogMessage *
construct_log_message_with_all_bells_and_whistles(void)
{
LogMessage *msg = construct_log_message();
nv_handle = log_msg_get_value_handle("foo");
sd_handle = log_msg_get_value_handle(".SDATA.foo.bar");
log_msg_set_value(msg, nv_handle, "value", -1);
log_msg_set_value(msg, sd_handle, "value", -1);
msg->saddr = g_sockaddr_inet_new("1.2.3.4", 5050);
log_msg_set_tag_by_name(msg, tag_name);
return msg;
}
void
test_rule_value_without_clean(const gchar *program, const gchar *pattern,
const gchar *name, const gchar *value)
{
gboolean result;
LogMessage *msg = log_msg_new_empty();
gboolean found = FALSE;
const gchar *val;
gssize len;
PDBInput input;
log_msg_set_value(msg, LM_V_MESSAGE, pattern, strlen(pattern));
log_msg_set_value(msg, LM_V_PROGRAM, program, 5);
log_msg_set_value(msg, LM_V_HOST, MYHOST, strlen(MYHOST));
log_msg_set_value(msg, LM_V_PID, MYPID, strlen(MYPID));
result = pattern_db_process(patterndb, PDB_INPUT_WRAP_MESSAGE(&input, msg));
val = log_msg_get_value(msg, log_msg_get_value_handle(name), &len);
if (value)
found = strcmp(val, value) == 0;
if (!!value ^ (len > 0))
test_fail("Value '%s' is %smatching for pattern '%s' (%d)\n", name, found ? "" : "not ", pattern, !!result);
log_msg_unref(msg);
}
static void
pdb_message_apply(PDBMessage *self, PDBContext *context, LogMessage *msg, GString *buffer)
{
gint i;
if (self->tags)
{
for (i = 0; i < self->tags->len; i++)
log_msg_set_tag_by_id(msg, g_array_index(self->tags, LogTagId, i));
}
if (self->values)
{
for (i = 0; i < self->values->len; i++)
{
log_template_format_with_context(g_ptr_array_index(self->values, i),
context ? (LogMessage **) context->messages->pdata : &msg,
context ? context->messages->len : 1,
NULL, LTZ_LOCAL, 0, context ? context->key.session_id : NULL, buffer);
log_msg_set_value(msg,
log_msg_get_value_handle(((LogTemplate *) g_ptr_array_index(self->values, i))->name),
buffer->str, buffer->len);
}
}
}
//FIXME use log msg value lookup
void
check_val_in_hash(gchar *msg, LogMessage *self, const gchar* pair[2])
{
const gchar *a = log_msg_get_value(self, log_msg_get_value_handle(pair[0]), NULL);
TEST_ASSERT(strcmp(a, pair[1]) == 0, "%s", a, pair[1]);
}
FilterExprNode *
filter_in_list_new(const gchar *list_file, const gchar *property)
{
FilterInList *self;
FILE *stream;
gchar line[16384];
stream = fopen(list_file, "r");
if (!stream)
{
msg_error("Error opening in-list filter list file",
evt_tag_str("file", list_file),
evt_tag_errno("errno", errno),
NULL);
return NULL;
}
self = g_new0(FilterInList, 1);
filter_expr_node_init_instance(&self->super);
self->value_handle = log_msg_get_value_handle(property);
self->tree = g_tree_new_full((GCompareDataFunc)strcmp, NULL, g_free, NULL);
while (fgets(line, sizeof(line), stream) != NULL)
{
line[strlen(line) - 1] = '\0';
if (line[0])
g_tree_insert(self->tree, g_strdup(line), GINT_TO_POINTER(1));
}
fclose(stream);
self->super.eval = filter_in_list_eval;
self->super.free_fn = filter_in_list_free;
return &self->super;
}
static void
assert_log_kmsg_value(LogMessage *message, const gchar *key,
const gchar *expected_value)
{
const gchar *actual_value = log_msg_get_value(message,
log_msg_get_value_handle(key),
NULL);
assert_string(actual_value, expected_value, NULL);
}
void
assert_log_message_sdata_pairs(LogMessage *message, const gchar *expected_sd_pairs[][2])
{
gint i;
for (i = 0; expected_sd_pairs && expected_sd_pairs[i][0] != NULL;i++)
{
const gchar *actual_value = log_msg_get_value(message, log_msg_get_value_handle(expected_sd_pairs[i][0]), NULL);
assert_string(actual_value, expected_sd_pairs[i][1], NULL);
}
}
void
__test_other_has_prefix(TestCase *self, LogMessage *msg)
{
gchar *requested_name = g_strdup_printf("%s%s", (gchar *) self->user_data, "_CMDLINE");
NVHandle handle = log_msg_get_value_handle(requested_name);
gssize value_len;
const gchar *value = log_msg_get_value(msg, handle, &value_len);
assert_string(value, "sshd: foo_user [priv]", ASSERTION_ERROR("Bad value for prefixed key"));
g_free(requested_name);
}
void
__test_message_has_no_prefix(TestCase *self, LogMessage *msg)
{
gchar *requested_name = g_strdup_printf("%s%s", (gchar *)self->user_data, "MESSAGE");
NVHandle handle = log_msg_get_value_handle(requested_name);
gssize value_len;
log_msg_get_value(msg, handle, &value_len);
assert_gint(value_len, 0, ASSERTION_ERROR("MESSAGE has prefix"));
g_free(requested_name);
}
void
set_new_log_message_attributes(LogMessage *log_message)
{
log_msg_set_value(log_message, LM_V_HOST, "newhost", -1);
log_msg_set_value(log_message, LM_V_HOST_FROM, "newhost", -1);
log_msg_set_value(log_message, LM_V_MESSAGE, "newmsg", -1);
log_msg_set_value(log_message, LM_V_PROGRAM, "newprogram", -1);
log_msg_set_value(log_message, LM_V_PID, "newpid", -1);
log_msg_set_value(log_message, LM_V_MSGID, "newmsgid", -1);
log_msg_set_value(log_message, LM_V_SOURCE, "newsource", -1);
log_msg_set_value(log_message, log_msg_get_value_handle("newvalue"), "newvalue", -1);
}
static void
affile_sd_queue(LogPipe *s, LogMessage *msg, const LogPathOptions *path_options, gpointer user_data)
{
AFFileSourceDriver *self = (AFFileSourceDriver *) s;
static NVHandle filename_handle = 0;
if (!filename_handle)
filename_handle = log_msg_get_value_handle("FILE_NAME");
log_msg_set_value(msg, filename_handle, self->filename->str, self->filename->len);
log_src_driver_queue_method(s, msg, path_options, user_data);
}
static void
assert_msg_doesnot_match(const gchar *message)
{
LogMessage *msg;
gboolean result;
msg = _construct_message("prog1", message);
result = _process(msg);
assert_false(result, "patterndb expected to match but it didn't");
assert_log_message_value(msg, log_msg_get_value_handle(".classifier.class"), "unknown");
assert_log_message_has_tag(msg, ".classifier.unknown");
log_msg_unref(msg);
}
static void
assert_msg_with_program_matches_and_nvpair_equals(const gchar *program, const gchar *message,
const gchar *name, const gchar *expected_value)
{
LogMessage *msg;
gboolean result;
msg = _construct_message(program, message);
result = _process(msg);
assert_true(result, "patterndb expected to match but it didn't");
assert_log_message_value(msg, log_msg_get_value_handle(name), expected_value);
log_msg_unref(msg);
}
static void
affile_sd_queue(LogPipe *s, LogMessage *msg, const LogPathOptions *path_options)
{
AFFileSourceDriver *self = (AFFileSourceDriver *) s;
static NVHandle filename_handle = 0;
if (!filename_handle)
filename_handle = log_msg_get_value_handle("FILE_NAME");
log_msg_set_value(msg, filename_handle, self->filename->str, self->filename->len);
log_pipe_forward_msg(s, msg, path_options);
}
void test_value_pairs_walk_prefix_data(GlobalConfig *cfg)
{
ValuePairs *vp;
LogMessage *msg;
const char* value = "value";
NVHandle handle;
log_template_options_init(&template_options, cfg);
msg_format_options_init(&parse_options, cfg);
vp = value_pairs_new();
value_pairs_add_glob_pattern(vp, "root.*", TRUE);
msg = log_msg_new("test",4, NULL, &parse_options);
handle = log_msg_get_value_handle("root.test.alma");
log_msg_set_value(msg, handle, value, strlen(value));
handle = log_msg_get_value_handle("root.test.korte");
log_msg_set_value(msg, handle, value, strlen(value));
value_pairs_walk(vp, test_vp_obj_start, test_vp_value, test_vp_obj_stop, msg, 0, LTZ_LOCAL, &template_options, NULL);
};
int
testcase_match(const gchar *log, const gchar *pattern, gint matcher_flags, gboolean expected_result, LogMatcher *m)
{
LogMessage *msg;
gboolean result;
gchar buf[1024];
NVHandle nonasciiz = log_msg_get_value_handle("NON-ASCIIZ");
gssize msglen;
const gchar *value;
GSockAddr *sa;
sa = g_sockaddr_inet_new("10.10.10.10", 1010);
msg = log_msg_new(log, strlen(log), sa, &parse_options);
g_sockaddr_unref(sa);
g_snprintf(buf, sizeof(buf), "%sAAAAAAAAAAAA", log_msg_get_value(msg, LM_V_MESSAGE, &msglen));
log_msg_set_value(msg, log_msg_get_value_handle("MESSAGE2"), buf, -1);
/* add a non-zero terminated indirect value which contains the whole message */
log_msg_set_value_indirect(msg, nonasciiz, log_msg_get_value_handle("MESSAGE2"), 0, 0, msglen);
log_matcher_set_flags(m, matcher_flags);
log_matcher_compile(m, pattern);
value = log_msg_get_value(msg, nonasciiz, &msglen);
result = log_matcher_match(m, msg, nonasciiz, value, msglen);
if (result != expected_result)
{
fprintf(stderr, "Testcase match failure. pattern=%s, result=%d, expected=%d\n", pattern, result, expected_result);
exit(1);
}
log_matcher_unref(m);
log_msg_unref(msg);
return 0;
}
static PyObject *
py_log_message_getattr(PyLogMessage *self, gchar *name)
{
NVHandle handle;
const gchar *value;
handle = log_msg_get_value_handle(name);
value = log_msg_get_value(self->msg, handle, NULL);
if (!value)
{
PyErr_SetString(PyExc_AttributeError, "No such attribute");
return NULL;
}
return PyBytes_FromString(value);
}
static void
test_log_msg_get_value_with_time_related_macro(void)
{
LogMessage *msg;
gssize value_len;
NVHandle handle;
const char *date_value;
msg = log_msg_new_empty();
msg->timestamps[LM_TS_STAMP].tv_sec = 1389783444;
handle = log_msg_get_value_handle("ISODATE");
date_value = log_msg_get_value(msg, handle, &value_len);
assert_string(date_value, "2014-01-15T10:57:23-00:00", "ISODATE macro value does not match!");
log_msg_unref(msg);
}
static void
testcase(gchar *msg, gchar *timezone, gchar *format, gchar *expected)
{
LogTemplate *templ;
LogMessage *logmsg;
LogParser *parser;
gboolean success;
GString *res = g_string_sized_new(128);
parser = date_parser_new (configuration);
if (format != NULL) date_parser_set_format(parser, format);
if (timezone != NULL) date_parser_set_timezone(parser, timezone);
log_pipe_init(&parser->super);
logmsg = log_msg_new_empty();
logmsg->timestamps[LM_TS_RECVD].tv_sec = 1451473200; /* Dec 30 2015 */
log_msg_set_value(logmsg, log_msg_get_value_handle("MESSAGE"), msg, -1);
success = log_parser_process(parser, &logmsg, NULL, log_msg_get_value(logmsg, LM_V_MESSAGE, NULL), -1);
if (!success && expected)
{
fprintf(stderr, "unable to parse format=%s msg=%s\n", format, msg);
exit(1);
}
else if (success && !expected)
{
fprintf(stderr, "successfully parsed but expected failure, format=%s msg=%s\n", format, msg);
exit(1);
}
else if (expected)
{
/* Convert to ISODATE */
templ = compile_template("${ISODATE}", FALSE);
log_template_format(templ, logmsg, NULL, LTZ_LOCAL, -1, NULL, res);
assert_nstring(res->str, res->len, expected, strlen(expected),
"incorrect date parsed msg=%s format=%s",
msg, format);
log_template_unref(templ);
}
g_string_free(res, TRUE);
log_pipe_unref(&parser->super);
log_msg_unref(logmsg);
return;
}
LogMessage *
create_message_with_fields(const char *field_name, ...)
{
va_list args;
const char* arg;
LogMessage *msg = log_msg_new_empty();
arg = field_name;
va_start(args, field_name);
while (arg != NULL)
{
NVHandle handle = log_msg_get_value_handle(arg);
arg = va_arg(args, char*);
log_msg_set_value(msg, handle, arg, -1);
arg = va_arg(args, char*);
}
va_end(args);
return msg;
}
static int
lua_message_metatable__index(lua_State *state)
{
gssize value_len;
LogMessage *m = lua_check_and_convert_userdata(state, 1, LUA_MESSAGE_TYPE);
const char *key = lua_tostring(state, 2);
NVHandle handle = log_msg_get_value_handle(key);
const char *value = log_msg_get_value(m, handle, &value_len);
msg_trace("Getting value from lua message",
evt_tag_str("key",key),
evt_tag_str("value",value),
NULL);
lua_pushlstring(state, value, value_len);
return 1;
}
static void
log_template_add_value_elem(LogTemplateCompiler *self, gchar *value_name, gsize value_name_len, gchar *default_value)
{
LogTemplateElem *e;
gchar *dup;
e = g_new0(LogTemplateElem, 1);
e->type = LTE_VALUE;
e->text_len = self->text ? self->text->len : 0;
e->text = self->text ? g_strndup(self->text->str, self->text->len) : NULL;
/* value_name is not NUL terminated */
dup = g_strndup(value_name, value_name_len);
e->value_handle = log_msg_get_value_handle(dup);
g_free(dup);
e->default_value = default_value;
e->msg_ref = self->msg_ref;
self->result = g_list_prepend(self->result, e);
}
static void
testcase(gchar *msg, goffset offset, gchar *timezone, gchar *format, gchar *expected)
{
LogTemplate *templ;
LogMessage *logmsg;
NVTable *nvtable;
GlobalConfig *cfg = cfg_new (0x302);
LogParser *parser = date_parser_new (cfg);
gboolean success;
const gchar *context_id = "test-context-id";
GString *res = g_string_sized_new(128);
date_parser_set_offset(parser, offset);
if (format != NULL) date_parser_set_format(parser, format);
if (timezone != NULL) date_parser_set_timezone(parser, timezone);
parse_options.flags = 0;
logmsg = log_msg_new_empty();
logmsg->timestamps[LM_TS_RECVD].tv_sec = 1438793384; /* Wed Aug 5 2015 */
log_msg_set_value(logmsg, log_msg_get_value_handle("MESSAGE"), msg, -1);
nvtable = nv_table_ref(logmsg->payload);
success = log_parser_process(parser, &logmsg, NULL, log_msg_get_value(logmsg, LM_V_MESSAGE, NULL), -1);
nv_table_unref(nvtable);
if (!success)
{
fprintf(stderr, "unable to parse offset=%d format=%s msg=%s\n", offset, format, msg);
exit(1);
}
/* Convert to ISODATE */
templ = compile_template("${ISODATE}", FALSE);
log_template_format(templ, logmsg, NULL, LTZ_LOCAL, 999, context_id, res);
assert_nstring(res->str, res->len, expected, strlen(expected),
"incorrect date parsed msg=%s offset=%d format=%s",
msg, offset, format);
log_template_unref(templ);
g_string_free(res, TRUE);
log_pipe_unref(&parser->super);
log_msg_unref(logmsg);
return;
}
gboolean
assert_msg_field_equals_non_fatal(LogMessage *msg, gchar *field_name, gchar *expected_value, gssize expected_value_len, const gchar *error_message, ...)
{
gssize actual_value_len;
const gchar* actual_value;
va_list args;
gboolean result;
if (expected_value_len < 0)
expected_value_len = strlen(expected_value);
NVHandle handle = log_msg_get_value_handle(field_name);
actual_value = log_msg_get_value(msg, handle, &actual_value_len);
va_start(args, error_message);
result = assert_nstring_non_fatal_va(actual_value, actual_value_len, expected_value, expected_value_len, error_message, args);
va_end(args);
return result;
};
FilterExprNode *
filter_in_list_new(const gchar *list_file, const gchar *property)
{
FilterInList *self;
FILE *stream;
size_t n;
gchar *line = NULL;
stream = fopen(list_file, "r");
if (!stream)
{
msg_error("Error opening in-list filter list file",
evt_tag_str("file", list_file),
evt_tag_errno("errno", errno),
NULL);
return NULL;
}
self = g_new0(FilterInList, 1);
filter_expr_node_init(&self->super);
self->value_handle = log_msg_get_value_handle(property);
self->tree = g_tree_new((GCompareFunc) strcmp);
while (getline(&line, &n, stream) != -1)
{
line[strlen(line) - 1] = '\0';
if (line[0])
g_tree_insert(self->tree, line, GINT_TO_POINTER(1));
line = NULL;
}
fclose(stream);
self->super.eval = filter_in_list_eval;
self->super.free_fn = filter_in_list_free;
return &self->super;
}
void
test_rule_action_message_value(const gchar *pattern, gint timeout, gint ndx, const gchar *name, const gchar *value)
{
LogMessage *msg = log_msg_new_empty();
gboolean found = FALSE, result;
const gchar *val;
gssize len;
PDBInput input;
log_msg_set_value(msg, LM_V_MESSAGE, pattern, strlen(pattern));
log_msg_set_value(msg, LM_V_PROGRAM, "prog2", 5);
log_msg_set_value(msg, LM_V_HOST, MYHOST, strlen(MYHOST));
log_msg_set_value(msg, LM_V_PID, MYPID, strlen(MYPID));
msg->timestamps[LM_TS_STAMP].tv_sec = msg->timestamps[LM_TS_RECVD].tv_sec;
result = pattern_db_process(patterndb, PDB_INPUT_WRAP_MESSAGE(&input, msg));
if (timeout)
timer_wheel_set_time(patterndb->timer_wheel, timer_wheel_get_time(patterndb->timer_wheel) + timeout + 1);
if (ndx >= messages->len)
{
test_fail("Expected the %d. message, but no such message was returned by patterndb\n", ndx);
goto exit;
}
val = log_msg_get_value((LogMessage *) g_ptr_array_index(messages, ndx), log_msg_get_value_handle(name), &len);
if (value)
found = strcmp(val, value) == 0;
if (!!value ^ (len > 0))
test_fail("Value '%s' is %smatching for pattern '%s' (%d) index %d\n", name, found ? "" : "not ", pattern, !!result, ndx);
exit:
log_msg_unref(msg);
test_clean_state();
}
