ossec-hids: read_mssql_log.c (NEW) logcollector.c (HEAD) logcollector.h (HEAD) [dcid]


OSSEC CVS

Jun 4, 2009, 6:08:17 PM6/4/09
to osse...@ossec.net
Module name: ossec-hids
Changes by: dcid 09/06/04 19:08:15

Modified files:
logcollector.c logcollector.h
Added files:
read_mssql_log.c

Log message:
Description: Adding MSSQL log reader and fixing bugs on Windows.
Reviewed by: dcid
Bug:

--- NEW FILE: read_mssql_log.c ---
/* @(#) $Id: read_mssql_log.c,v 1.1 2009/06/04 22:08:15 dcid Exp $ */

/* Copyright (C) 2008 Third Brigade, Inc.
* All rights reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
* License (version 3) as published by the FSF - Free Software
* Foundation.
*
* License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/

/* Read MSSQL logs */


#include "shared.h"
#include "logcollector.h"

/* Send one assembled MSSQL message to the queue and check the return code.
 *
 * pos     - index into logff[] of the file the message was read from
 * drop_it - non-zero means the message is only reported at debug level
 *           and not sent
 * buffer  - NUL-terminated message text
 *
 * On a send failure the queue is reopened with StartMQ(); if that also
 * fails the process exits through ErrorExit().  The message that failed
 * to send is not retried.
 *
 * NOTE: an identifier starting with a double underscore is reserved for
 * the C implementation; the name is kept because callers depend on it.
 */
void __send_mssql_msg(int pos, int drop_it, char *buffer)
{
    debug2("%s: DEBUG: Reading MSSQL message: '%s'", ARGV0, buffer);

    /* Caller asked for the message to be discarded. */
    if (drop_it != 0) {
        return;
    }

    if (SendMSG(logr_queue, buffer, logff[pos].file, LOCALFILE_MQ) >= 0) {
        return;
    }

    merror(QUEUE_SEND, ARGV0);

    /* Reopen the queue so later messages can still be delivered. */
    logr_queue = StartMQ(DEFAULTQPATH, WRITE);
    if (logr_queue < 0) {
        ErrorExit(QUEUE_FATAL, ARGV0, DEFAULTQPATH);
    }
}

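/* Return non-zero if str starts a new MSSQL entry.
 *
 * str_len is the raw fgets() length of str (newline bytes included).
 * An entry begins with "YYYY-MM-DD HH:MM:SS" and the line must be
 * longer than that prefix.  The isdigit() arguments are cast to
 * unsigned char so bytes above 0x7f do not reach isdigit() as
 * negative ints.
 */
static int mssql_entry_start(const char *str, size_t str_len)
{
    return (str_len > 19) &&
           (str[4] == '-') && (str[7] == '-') && (str[10] == ' ') &&
           (str[13] == ':') && (str[16] == ':') &&
           isdigit((unsigned char)str[0]) && isdigit((unsigned char)str[1]) &&
           isdigit((unsigned char)str[2]) && isdigit((unsigned char)str[3]);
}

/* Read MSSQL log files.
 *
 * Reads new lines from logff[pos].fp, joins each timestamped entry with
 * the continuation lines that follow it, and hands every completed entry
 * to __send_mssql_msg().  Entries look like:
 *     2009-03-25 04:47:30.01 Server
 *     2003-10-09 00:00:06.68 sys1
 *     2009-02-06 11:48:59 Server
 * Continuation lines carry no timestamp; their leading blanks and tabs
 * are removed and they are appended to the pending entry after a single
 * space.  The last pending entry is sent when no more lines are available.
 *
 * pos     - index into logff[] of the file to read
 * rc      - set to 0 on entry
 * drop_it - passed through to __send_mssql_msg(); non-zero discards the
 *           messages instead of sending them
 *
 * Returns NULL always.
 *
 * A physical line longer than the read window is processed as far as it
 * was read; the remainder of that line is discarded on the next read.
 */
void *read_mssql_log(int pos, int *rc, int drop_it)
{
    size_t str_len = 0;
    int need_clear = 0;
    char *p;
    char str[OS_MAXSTR + 1];
    char buffer[OS_MAXSTR + 1];

    /* Empty pending entry; the final byte of each array is a guard
     * terminator that is never overwritten. */
    buffer[0] = '\0';
    buffer[OS_MAXSTR] = '\0';
    str[OS_MAXSTR] = '\0';
    *rc = 0;

    /* Getting new entry.  The read window leaves OS_LOG_HEADER bytes of
     * the buffer unused. */
    while (fgets(str, OS_MAXSTR - OS_LOG_HEADER, logff[pos].fp) != NULL) {
        str_len = strlen(str);

        /* fgets() already bounds the line; this clamp only protects the
         * size arithmetic below should the read window ever grow. */
        if (str_len >= sizeof(buffer) - 2) {
            str_len = sizeof(buffer) - 10;
        }

        /* Strip the trailing newline.  A line without one did not fit in
         * the read window: keep what was read and drop the rest of that
         * physical line when the next read returns it. */
        if ((p = strrchr(str, '\n')) != NULL) {
            *p = '\0';

            if (need_clear) {
                need_clear = 0;
                continue;
            }
        } else {
            need_clear = 1;
        }

        /* str_len is not recomputed after stripping, so every length test
         * below sees the raw fgets() length. */
#ifdef WIN32
        if ((p = strrchr(str, '\r')) != NULL) {
            *p = '\0';
        }

        /* Looking for empty string (only on windows) */
        if (str_len <= 1) {
            continue;
        }

        /* Windows can have comment on their logs */
        if (str[0] == '#') {
            continue;
        }
#endif

        if (mssql_entry_start(str, str_len)) {
            /* A timestamped line completes whatever entry was pending. */
            if (buffer[0] != '\0') {
                __send_mssql_msg(pos, drop_it, buffer);
            }

            /* Store the new entry; snprintf() always NUL-terminates and
             * truncates rather than overrunning. */
            snprintf(buffer, sizeof(buffer), "%s", str);
        } else if ((str_len > 2) && (buffer[0] != '\0')) {
            /* Query logs can be in multiple lines.
             * They always start with a tab in the additional ones. */
            size_t buffer_len = strlen(buffer);

            /* Removing extra spaces and tabs */
            p = str;
            while (*p == ' ' || *p == '\t') {
                p++;
            }

            /* Append only while the buffer keeps a 256-byte margin beyond
             * the pending entry plus this line. */
            if (sizeof(buffer) - buffer_len > str_len + 256) {
                buffer[buffer_len] = ' ';
                buffer[buffer_len + 1] = '\0';
                /* Append the stripped text (p, not str), otherwise the
                 * whitespace skipped above is copied back in.  The bound
                 * is the room left after the separator and terminator. */
                strncat(buffer, p, sizeof(buffer) - buffer_len - 2);
            }
        }
    }

    /* Send whatever is stored. */
    if (buffer[0] != '\0') {
        __send_mssql_msg(pos, drop_it, buffer);
    }

    return NULL;
}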

/* EOF */

Index: logcollector.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/logcollector/logcollector.c,v
diff -u -r1.49 -r1.50
--- logcollector.c 15 Aug 2008 21:03:05 -0000 1.49
+++ logcollector.c 4 Jun 2009 22:08:15 -0000 1.50
@@ -110,6 +110,10 @@
{
logff[i].read = (void *)read_mysql_log;
}
+ else if(strcmp("mssql_log", logff[i].logformat) == 0)
+ {
+ logff[i].read = (void *)read_mssql_log;
+ }
else if(strcmp("postgresql_log", logff[i].logformat) == 0)
{
logff[i].read = (void *)read_postgresql_log;

Index: logcollector.h
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/logcollector/logcollector.h,v
diff -u -r1.25 -r1.26
--- logcollector.h 21 Jul 2008 00:59:57 -0000 1.25
+++ logcollector.h 4 Jun 2009 22:08:15 -0000 1.26
@@ -51,6 +51,9 @@
/* Read mysql log format */
void *read_mysql_log(int pos, int *rc, int drop_it);

+/* Read mysql log format */
+void *read_mssql_log(int pos, int *rc, int drop_it);
+
/* Read postgresql log format */
void *read_postgresql_log(int pos, int *rc, int drop_it);

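Review bot: The comment added above the new prototype still reads `/* Read mysql log format */`, a copy of the line above it; it should say `/* Read mssql log format */` so the declaration describes the function it introduces. The same slip appears in the new file read_mssql_log.c, whose header comment on read_mssql_log() says "Read PostgreSQL log files". Both are documentation only, but they are exactly the comments a reader of the header scans to pick the right reader.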