static void
test_simple_rule_with_rate_limited_action(void)
{
  const char *pattern = "simple-message-with-rate-limited-action";

  /* the rule's class puts the ".classifier.violation" tag on the match */
  assert_msg_matches_and_has_tag(pattern, ".classifier.violation", TRUE);

  /* Expected output sequence:
   *   [0] trigger
   *   [1] GENERATED  (first match inside the rate-limit window)
   *   [2] trigger
   *   [3] trigger    (no generated message: limit already met)
   *   [4] trigger    (no generated message: limit already met)
   *   [5] GENERATED  (limit met again after the clock is advanced) */

  assert_msg_matches_and_output_message_nvpair_equals(pattern, 1,
                                                      "MESSAGE", "generated-message-rate-limit");

  /* keep patterndb state between calls so the rate limit is shared across them */
  _dont_reset_patterndb_state_for_the_next_call();
  assert_msg_matches_and_no_such_output_message(pattern, 3);
  _dont_reset_patterndb_state_for_the_next_call();
  assert_msg_matches_and_no_such_output_message(pattern, 4);

  /* move the clock forward before the next match so the action may fire again */
  _dont_reset_patterndb_state_for_the_next_call();
  _advance_time(120);
  assert_msg_matches_and_output_message_nvpair_equals(pattern, 5,
                                                      "MESSAGE", "generated-message-rate-limit");
}
static void
test_patterndb_loads_a_syntactically_complete_xml_properly(void)
{
  const char *expected_tag = ".classifier.system";

  _load_pattern_db_from_string(pdb_complete_syntax);

  /* a match carrying the class tag shows the rules were actually loaded */
  assert_msg_matches_and_has_tag("simple-message", expected_tag, TRUE);

  /* release the db loaded above */
  _destroy_pattern_db();
}
static void
test_simple_rule_with_action_condition(void)
{
  const char *pattern = "simple-message-with-action-condition";

  /* the rule's class puts the ".classifier.violation" tag on the match */
  assert_msg_matches_and_has_tag(pattern, ".classifier.violation", TRUE);

  /* the conditional action emits its message as output[1] */
  assert_msg_matches_and_output_message_nvpair_equals(pattern, 1,
                                                      "MESSAGE", "generated-message-on-condition");
}
static void
test_correllation_rule_with_action_on_timeout(void)
{
  const char *pattern = "correllated-message-with-action-on-timeout";

  /* the rule's class puts the ".classifier.violation" tag on the match */
  assert_msg_matches_and_has_tag(pattern, ".classifier.violation", TRUE);

  /* the timeout action's message is expected as output[1]; the 60 is
   * presumably the context timeout the helper waits out — confirm in the helper */
  assert_msg_matches_and_output_message_nvpair_equals_with_timeout(pattern, 60, 1,
                                                                   "MESSAGE", "generated-message-on-timeout");
}
static void
test_correllation_rule_with_action_on_match(void)
{
  const char *pattern = "correllated-message-with-action-on-match";

  /* the rule's class puts the ".classifier.violation" tag on the match */
  assert_msg_matches_and_has_tag(pattern, ".classifier.violation", TRUE);

  /* the on-match action produces output[1]: check its MESSAGE, its
   * context-id and the tag it carries */
  assert_msg_matches_and_output_message_nvpair_equals(pattern, 1,
                                                      "MESSAGE", "generated-message-on-match");
  assert_msg_matches_and_output_message_nvpair_equals(pattern, 1,
                                                      "context-id", "999");
  assert_msg_matches_and_output_message_has_tag(pattern, 1,
                                                "correllated-msg-tag", TRUE);
}
static void
test_correllation_rule_without_actions(void)
{
  const char *pattern = "correllated-message-based-on-pid";
  const char *length_name = "correllated-msg-context-length";

  /* the rule's class puts the ".classifier.system" tag on the match */
  assert_msg_matches_and_has_tag(pattern, ".classifier.system", TRUE);
  assert_msg_matches_and_nvpair_equals(pattern, "correllated-msg-context-id", MYPID);

  /* first match opens the context with a single message ... */
  assert_msg_matches_and_nvpair_equals(pattern, length_name, "1");

  /* ... and, with state kept between calls, each further match grows it by one */
  _dont_reset_patterndb_state_for_the_next_call();
  assert_msg_matches_and_nvpair_equals(pattern, length_name, "2");
  _dont_reset_patterndb_state_for_the_next_call();
  assert_msg_matches_and_nvpair_equals(pattern, length_name, "3");
}
      <pattern>correllated-message-that-uses-context-created-by-rule-id#12</pattern>\
     </patterns>\
     <values>\
       <value name='triggering-message'>${MESSAGE}@1 assd</value>\
     </values>\
    </rule>\
    <rule provider='test' id='14' class='violation' context-id='1001' context-timeout='60' context-scope='program'>\
     <patterns>\
      <pattern>correllated-message-with-action-to-create-context</pattern>\
     </patterns>\
     <values>\
       <value name='rule-msg-context-id'>${.classifier.context_id}</value>\
     </values>\
     <actions>\
       <action trigger='match'>\
         <create-context context-id='1002' context-timeout='60' context-scope='program'>\
           <message inherit-properties='context'>\
             <values>\
               <!-- we should inherit from the LogMessage matching this rule and not the to be created context -->\
               <value name='MESSAGE'>context message ${rule-msg-context-id}</value>\
             </values>\
           </message>\
         </create-context>\
       </action>\
     </actions>\
    </rule>\
    <rule provider='test' id='15' class='violation' context-id='1002' context-timeout='60' context-scope='program'>\
     <patterns>\
      <pattern>correllated-message-that-uses-context-created-by-rule-id#14</pattern>\
     </patterns>\
     <values>\
       <value name='triggering-message'>${MESSAGE}@1 assd</value>\
       <value name='triggering-message-context-id'>$(grep ('${rule-msg-context-id}' ne '') ${rule-msg-context-id})</value>\
     </values>\
    </rule>\
  </rules>\
 </ruleset>\
</patterndb>";

static void
test_simple_rule_without_context_or_actions(void)
{
  const char *pattern = "simple-message";

  /* the rule's class puts the ".classifier.system" tag on the match */
  assert_msg_matches_and_has_tag(pattern, ".classifier.system", TRUE);

  /* TAGS holds the class tag followed by the rule's own <tags/> */
  assert_msg_matches_and_nvpair_equals(pattern, "TAGS",
                                       ".classifier.system,simple-msg-tag1,simple-msg-tag2");

  /* the rule's <values/> are set on the matched message */
  assert_msg_matches_and_nvpair_equals(pattern, "simple-msg-value-1", "value1");
  assert_msg_matches_and_nvpair_equals(pattern, "simple-msg-value-2", "value2");
  assert_msg_matches_and_nvpair_equals(pattern, "simple-msg-host", MYHOST);
}