-/* @(#) $Id$ */
+/* @(#) $Id: ./src/logcollector/logcollector.c, 2012/03/28 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
char keepalive[1024];
-
+
/* To check for inode changes */
struct stat tmp_stat;
-
-
+
+
#ifndef WIN32
-
+
int int_error = 0;
struct timeval fp_timeout;
-
+
#else
-
+
/* Checking if we are on vista. */
checkVista();
{
win_read_vista_sec();
}
-
+
#endif
debug1("%s: DEBUG: Entering LogCollectorStart().", ARGV0);
-
-
+
+
/* Initializing each file and structure */
for(i = 0;;i++)
{
{
if(logff[r].file && strcmp(logff[i].file, logff[r].file) == 0)
{
- merror("%s: WARN: Duplicated log file given: '%s'.",
+ merror("%s: WARN: Duplicated log file given: '%s'.",
ARGV0, logff[i].file);
logff[i].file = NULL;
logff[i].command = NULL;
{
/* do nothing, duplicated entry. */
}
-
+
else if(strcmp(logff[i].logformat,"eventlog") == 0)
{
#ifdef WIN32
-
+
verbose(READING_EVTLOG, ARGV0, logff[i].file);
win_startel(logff[i].file);
-
+
#endif
logff[i].file = NULL;
logff[i].command = NULL;
}
else
{
- merror("%s: ERROR: Missing command argument. Ignoring it.",
+ merror("%s: ERROR: Missing command argument. Ignoring it.",
ARGV0);
}
}
else
{
merror("%s: ERROR: Missing command argument. Ignoring it.",
- ARGV0);
+ ARGV0);
}
}
-
+
else
{
logff[i].command = NULL;
- /* Initializing the files */
+ /* Initializing the files */
if(logff[i].ffile)
{
/* Day must be zero for all files to be initialized */
{
ErrorExit(PARSE_ERROR, ARGV0, logff[i].ffile);
}
-
+
}
else
{
handle_file(i, 1, 1);
}
-
+
verbose(READING_FILE, ARGV0, logff[i].file);
-
+
/* Getting the log type */
if(strcmp("snort-full", logff[i].logformat) == 0)
{
logff[i].read = (void *)read_snortfull;
}
+ #ifndef WIN32
+ if(strcmp("ossecalert", logff[i].logformat) == 0)
+ {
+ logff[i].read = (void *)read_ossecalert;
+ }
+ #endif
else if(strcmp("nmapg", logff[i].logformat) == 0)
{
logff[i].read = (void *)read_nmapg;
/* Start up message */
verbose(STARTUP_MSG, ARGV0, (int)getpid());
-
+
max_file = i -1;
{
max_file = 0;
}
-
-
+
+
/* Daemon loop */
while(1)
{
fp_timeout.tv_sec = loop_timeout;
fp_timeout.tv_usec = 0;
- /* Waiting for the select timeout */
+ /* Waiting for the select timeout */
if ((r = select(0, NULL, NULL, NULL, &fp_timeout)) < 0)
{
merror(SELECT_ERROR, ARGV0);
continue;
}
#else
-
+
/* Windows don't like select that way */
sleep(loop_timeout + 2);
-
+
/* Check for messages in the event viewer */
win_readel();
#endif
-
+
f_check++;
-
+
/* Checking which file is available */
for(i = 0; i <= max_file; i++)
{
logff[i].ign++;
continue;
}
-
+
#ifdef WIN32
logff[i].read(i, &r, 1);
#endif
}
}
-
+
/* Only check bellow if check > VCHECK_FILES */
if(f_check <= VCHECK_FILES)
continue;
-
+
/* Send keep alive message */
rand_keepalive_str(keepalive, 700);
SendMSG(logr_queue, keepalive, "ossec-keepalive", LOCALFILE_MQ);
- /* Zeroing f_check */
+ /* Zeroing f_check */
f_check = 0;
/* These are the windows logs or ignored files */
if(!logff[i].file)
continue;
-
-
+
+
/* Files with date -- check for day change */
if(logff[i].ffile)
{
continue;
}
}
-
-
+
+
/* Check for file change -- if the file is open already */
if(logff[i].fp)
{
{
fclose(logff[i].fp);
logff[i].fp = NULL;
-
+
merror(FILE_ERROR, ARGV0, logff[i].file);
}
snprintf(msg_alert, 512, "ossec: File rotated (inode "
"changed): '%s'.",
logff[i].file);
-
+
/* Send message about log rotated */
- SendMSG(logr_queue, msg_alert,
+ SendMSG(logr_queue, msg_alert,
"ossec-logcollector", LOCALFILE_MQ);
-
+
debug1("%s: DEBUG: File inode changed. %s",
ARGV0, logff[i].file);
-
+
fclose(logff[i].fp);
#ifdef WIN32
CloseHandle(logff[i].h);
CloseHandle(h1);
#endif
-
+
logff[i].fp = NULL;
handle_file(i, 0, 1);
continue;
snprintf(msg_alert, 512, "ossec: File size reduced "
"(inode remained): '%s'.",
logff[i].file);
-
+
/* Send message about log rotated */
- SendMSG(logr_queue, msg_alert,
+ SendMSG(logr_queue, msg_alert,
"ossec-logcollector", LOCALFILE_MQ);
-
+
debug1("%s: DEBUG: File size reduced. %s",
ARGV0, logff[i].file);
CloseHandle(logff[i].h);
CloseHandle(h1);
#endif
-
+
logff[i].fp = NULL;
handle_file(i, 1, 1);
}
}
#endif
}
-
-
- /* Too many errors for the file */
+
+
+ /* Too many errors for the file */
if(logff[i].ign > open_file_attempts)
{
/* 999 Maximum ignore */
{
continue;
}
-
+
merror(LOGC_FILE_ERROR, ARGV0, logff[i].file);
if(logff[i].fp)
{
CloseHandle(logff[i].h);
#endif
}
-
+
logff[i].fp = NULL;
logff[i].ign = 999;
continue;
}
-
-
- /* File not opened */
+
+
+ /* File not opened */
if(!logff[i].fp)
{
if(logff[i].ign >= 999)
{
struct tm *p;
time_t __ctime = time(0);
-
+
char lfile[OS_FLSIZE + 1];
size_t ret;
p = localtime(&__ctime);
-
+
/* Handle file */
if(p->tm_mday == _cday)
{
ErrorExit(PARSE_ERROR, ARGV0, logff[i].ffile);
}
-
-
+
+
/* Update the file name */
if(strcmp(lfile, logff[i].file) != 0)
{
os_free(logff[i].file);
- os_strdup(lfile, logff[i].file);
+ os_strdup(lfile, logff[i].file);
verbose(VAR_LOG_MON, ARGV0, logff[i].file);
-
+
/* Setting cday to zero because other files may need
* to be changed.
*/
{
int fd;
struct stat stat_fd;
-
+
/* We must be able to open the file, fseek and get the
* time of change from it.
*/
logff[i].fp = NULL;
return(-1);
}
-
+
logff[i].fd = stat_fd.st_ino;
logff[i].size = stat_fd.st_size;
-
+
#else
BY_HANDLE_FILE_INFORMATION lpFileInformation;
}
#endif
}
-
+
/* Setting ignore to zero */
logff[i].ign = 0;
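Review bot: The new `ossecalert` dispatch inserted between the `snort-full` and `nmapg` tests is a standalone `if` rather than an `else if`, so on the non-Windows side it splits the logformat chain in two: an entry whose logformat is `snort-full` gets `read_snortfull` assigned and then also enters the second chain, and if that chain ends in a bare `else` that assigns a default reader (the tail of the chain is outside this hunk) the `read` pointer is silently overwritten. Changing the added line to `else if(strcmp("ossecalert", logff[i].logformat) == 0)` keeps the chain intact and still works with the surrounding `#ifndef WIN32`, since on Windows the whole `else if` block vanishes and `snort-full` chains directly to `nmapg`. The enclosing LogCollectorStart() starts and ends outside the hunk; the hunk's remaining changes look like trailing-whitespace cleanup and the `$Id$` keyword expansion and need no review.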