+ /* Active Response to the forwarder */
+ else if ((Config.ar & REMOTE_AR)) {
+ int rc;
+ /* If lf->location start with a ( was generated by remote agent and its
+ * ID is included in lf->location if missing then it must have been
+ * generated by the local analysisd, so prepend a false id tag */
+ if (lf->location[0] == '(') {
+ snprintf(exec_msg, OS_SIZE_1024,
+ "%s %c%c%c %s %s %s %s %ld.%ld %d %s %s",
+ lf->location,
+ (ar->location & ALL_AGENTS) ? ALL_AGENTS_C : NONE_C,
+ (ar->location & REMOTE_AGENT) ? REMOTE_AGENT_C : NONE_C,
+ (ar->location & SPECIFIC_AGENT) ? SPECIFIC_AGENT_C : NONE_C,
+ ar->agent_id != NULL ? ar->agent_id : "(null)",
+ ar->name,
+ user,
+ ip,
+ (long int)lf->time,
+ __crt_ftell,
+ lf->generated_rule->sigid,
+ lf->location,
+ filename);
+ } else {
+ snprintf(exec_msg, OS_SIZE_1024,
+ "(local_source) %s %c%c%c %s %s %s %s %ld.%ld %d %s %s",
+ lf->location,
+ (ar->location & ALL_AGENTS) ? ALL_AGENTS_C : NONE_C,
+ (ar->location & REMOTE_AGENT) ? REMOTE_AGENT_C : NONE_C,
+ (ar->location & SPECIFIC_AGENT) ? SPECIFIC_AGENT_C : NONE_C,
+ ar->agent_id != NULL ? ar->agent_id : "(null)",
+ ar->name,
+ user,
+ ip,
+ (long int)lf->time,
+ __crt_ftell,
+ lf->generated_rule->sigid,
+ lf->location,
+ filename);
+ }