- snprintf(exec_msg, OS_SIZE_1024,
- "%s %c%c%c %s %s %s %s %d.%ld %d %s",
- lf->location,
- (ar->location & ALL_AGENTS)?ALL_AGENTS_C:NONE_C,
- (ar->location & REMOTE_AGENT)?REMOTE_AGENT_C:NONE_C,
- (ar->location & SPECIFIC_AGENT)?SPECIFIC_AGENT_C:NONE_C,
- ar->agent_id != NULL? ar->agent_id: "(null)",
- ar->name,
- user,
- ip,
- lf->time,
- __crt_ftell,
- lf->generated_rule->sigid,
- lf->location);
-
- if((rc = OS_SendUnix(*arq, exec_msg, 0)) < 0)
- {
- if(rc == OS_SOCKBUSY)
- {
+ /* If lf->location start with a ( was generated by remote agent and its
+ * ID is included in lf->location if missing then it must have been
+ * generated by the local analysisd, so prepend a false id tag */
+ if (lf->location[0] == '(') {
+ snprintf(exec_msg, OS_SIZE_1024,
+ "%s %c%c%c %s %s %s %s %ld.%ld %d %s %s",
+ lf->location,
+ (ar->location & ALL_AGENTS) ? ALL_AGENTS_C : NONE_C,
+ (ar->location & REMOTE_AGENT) ? REMOTE_AGENT_C : NONE_C,
+ (ar->location & SPECIFIC_AGENT) ? SPECIFIC_AGENT_C : NONE_C,
+ ar->agent_id != NULL ? ar->agent_id : "(null)",
+ ar->name,
+ user,
+ ip,
+ (long int)lf->time,
+ __crt_ftell,
+ lf->generated_rule->sigid,
+ lf->location,
+ filename);
+ } else {
+ snprintf(exec_msg, OS_SIZE_1024,
+ "(local_source) %s %c%c%c %s %s %s %s %ld.%ld %d %s %s",
+ lf->location,
+ (ar->location & ALL_AGENTS) ? ALL_AGENTS_C : NONE_C,
+ (ar->location & REMOTE_AGENT) ? REMOTE_AGENT_C : NONE_C,
+ (ar->location & SPECIFIC_AGENT) ? SPECIFIC_AGENT_C : NONE_C,
+ ar->agent_id != NULL ? ar->agent_id : "(null)",
+ ar->name,
+ user,
+ ip,
+ (long int)lf->time,
+ __crt_ftell,
+ lf->generated_rule->sigid,
+ lf->location,
+ filename);
+ }
+
+ if ((rc = OS_SendUnix(arq, exec_msg, 0)) < 0) {
+ if (rc == OS_SOCKBUSY) {