1 /* @(#) $Id: ./src/logcollector/logcollector.c, 2012/03/28 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is a free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
18 #include "logcollector.h"
21 int update_fname(int i);
24 char *rand_keepalive_str(char *dst, int size)
26 static const char text[] = "abcdefghijklmnopqrstuvwxyz"
27 "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
29 "!@#$%^&*()_+-=;'[],./?";
30 int i, len = rand() % (size - 10);
31 strncpy(dst, "--MARK--: ", 12);
32 for ( i = 10; i < len; ++i )
34 dst[i] = text[rand() % (sizeof text - 1)];
40 /** void LogCollectorStart() v0.4
41 * Handle file management.
43 void LogCollectorStart()
53 /* To check for inode changes */
60 struct timeval fp_timeout;
64 /* Checking if we are on vista. */
68 /* Reading vista descriptions. */
76 debug1("%s: DEBUG: Entering LogCollectorStart().", ARGV0);
79 /* Initializing each file and structure */
82 if(logff[i].file == NULL)
86 /* Removing duplicate entries. */
87 for(r = 0; r < i; r++)
89 if(logff[r].file && strcmp(logff[i].file, logff[r].file) == 0)
91 merror("%s: WARN: Duplicated log file given: '%s'.",
92 ARGV0, logff[i].file);
94 logff[i].command = NULL;
101 if(logff[i].file == NULL)
103 /* do nothing, duplicated entry. */
106 else if(strcmp(logff[i].logformat,"eventlog") == 0)
110 verbose(READING_EVTLOG, ARGV0, logff[i].file);
111 win_startel(logff[i].file);
114 logff[i].file = NULL;
115 logff[i].command = NULL;
119 else if(strcmp(logff[i].logformat, "command") == 0)
121 logff[i].file = NULL;
127 logff[i].read = (void *)read_command;
129 verbose("%s: INFO: Monitoring output of command(%d): %s", ARGV0, logff[i].ign, logff[i].command);
133 os_strdup(logff[i].command, logff[i].alias);
138 merror("%s: ERROR: Missing command argument. Ignoring it.",
142 else if(strcmp(logff[i].logformat, "full_command") == 0)
144 logff[i].file = NULL;
149 logff[i].read = (void *)read_fullcommand;
151 verbose("%s: INFO: Monitoring full output of command(%d): %s", ARGV0, logff[i].ign, logff[i].command);
154 os_strdup(logff[i].command, logff[i].alias);
158 merror("%s: ERROR: Missing command argument. Ignoring it.",
165 logff[i].command = NULL;
168 /* Initializing the files */
171 /* Day must be zero for all files to be initialized */
175 handle_file(i, 1, 1);
179 ErrorExit(PARSE_ERROR, ARGV0, logff[i].ffile);
185 handle_file(i, 1, 1);
188 verbose(READING_FILE, ARGV0, logff[i].file);
190 /* Getting the log type */
191 if(strcmp("snort-full", logff[i].logformat) == 0)
193 logff[i].read = (void *)read_snortfull;
196 if(strcmp("ossecalert", logff[i].logformat) == 0)
198 logff[i].read = (void *)read_ossecalert;
201 else if(strcmp("nmapg", logff[i].logformat) == 0)
203 logff[i].read = (void *)read_nmapg;
205 else if(strcmp("mysql_log", logff[i].logformat) == 0)
207 logff[i].read = (void *)read_mysql_log;
209 else if(strcmp("mssql_log", logff[i].logformat) == 0)
211 logff[i].read = (void *)read_mssql_log;
213 else if(strcmp("postgresql_log", logff[i].logformat) == 0)
215 logff[i].read = (void *)read_postgresql_log;
217 else if(strcmp("djb-multilog", logff[i].logformat) == 0)
219 if(!init_djbmultilog(i))
221 merror(INV_MULTILOG, ARGV0, logff[i].file);
227 logff[i].file = NULL;
229 logff[i].read = (void *)read_djbmultilog;
231 else if(logff[i].logformat[0] >= '0' && logff[i].logformat[0] <= '9')
233 logff[i].read = (void *)read_multiline;
237 logff[i].read = (void *)read_syslog;
240 /* More tweaks for Windows. For some reason IIS places
241 * some wierd characters at the end of the files and getc
242 * always returns 0 (even after clearerr).
247 logff[i].read(i, &r, 1);
255 while(logff[i].alias[ii] != '\0')
257 if(logff[i].alias[ii] == ':')
259 logff[i].alias[ii] = '\\';
267 /* Start up message */
268 verbose(STARTUP_MSG, ARGV0, (int)getpid());
284 fp_timeout.tv_sec = loop_timeout;
285 fp_timeout.tv_usec = 0;
287 /* Waiting for the select timeout */
288 if ((r = select(0, NULL, NULL, NULL, &fp_timeout)) < 0)
290 merror(SELECT_ERROR, ARGV0);
295 ErrorExit(SYSTEM_ERROR, ARGV0);
301 /* Windows don't like select that way */
302 sleep(loop_timeout + 2);
305 /* Check for messages in the event viewer */
312 /* Checking which file is available */
313 for(i = 0; i <= max_file; i++)
317 /* Run the command. */
318 if(logff[i].command && (f_check %2))
321 if((curr_time - logff[i].size) >= logff[i].ign)
323 logff[i].size = curr_time;
324 logff[i].read(i, &r, 0);
330 /* Windows with IIS logs is very strange.
331 * For some reason it always returns 0 (not EOF)
332 * the fgetc. To solve this problem, we always
333 * pass it to the function pointer directly.
336 /* We check for the end of file. If is returns EOF,
337 * we don't attempt to read it.
339 if((r = fgetc(logff[i].fp)) == EOF)
341 clearerr(logff[i].fp);
346 /* If it is not EOF, we need to return the read character */
347 ungetc(r, logff[i].fp);
351 /* Finally, send to the function pointer to read it */
352 logff[i].read(i, &r, 0);
355 /* Checking for error */
356 if(!ferror(logff[i].fp))
359 clearerr(logff[i].fp);
367 /* If ferror is set */
370 merror(FREAD_ERROR, ARGV0, logff[i].file);
372 if(fseek(logff[i].fp, 0, SEEK_END) < 0)
379 merror(FSEEK_ERROR, ARGV0, logff[i].file);
382 /* Closing the file */
387 CloseHandle(logff[i].h);
393 /* Trying to open it again */
394 if(handle_file(i, 1, 1) != 0)
401 logff[i].read(i, &r, 1);
405 /* Increase the error count */
407 clearerr(logff[i].fp);
412 /* Only check bellow if check > VCHECK_FILES */
413 if(f_check <= VCHECK_FILES)
417 /* Send keep alive message */
419 rand_keepalive_str(keepalive, 700);
420 SendMSG(logr_queue, keepalive, "ossec-keepalive", LOCALFILE_MQ);
423 /* Zeroing f_check */
427 /* Checking if any file has been renamed/removed */
428 for(i = 0; i <= max_file; i++)
430 /* These are the windows logs or ignored files */
435 /* Files with date -- check for day change */
444 CloseHandle(logff[i].h);
448 handle_file(i, 0, 1);
452 /* Variable file name */
453 else if(!logff[i].fp)
455 handle_file(i, 0, 0);
461 /* Check for file change -- if the file is open already */
465 if(stat(logff[i].file, &tmp_stat) == -1)
470 merror(FILE_ERROR, ARGV0, logff[i].file);
474 BY_HANDLE_FILE_INFORMATION lpFileInformation;
477 h1 = CreateFile(logff[i].file, GENERIC_READ,
478 FILE_SHARE_DELETE|FILE_SHARE_READ|FILE_SHARE_WRITE,
479 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
480 if(h1 == INVALID_HANDLE_VALUE)
483 CloseHandle(logff[i].h);
485 merror(FILE_ERROR, ARGV0, logff[i].file);
487 else if(GetFileInformationByHandle(h1, &lpFileInformation) == 0)
490 CloseHandle(logff[i].h);
493 merror(FILE_ERROR, ARGV0, logff[i].file);;
499 else if(logff[i].fd != (lpFileInformation.nFileIndexLow + lpFileInformation.nFileIndexHigh))
501 else if(logff[i].fd != tmp_stat.st_ino)
504 char msg_alert[512 +1];
506 snprintf(msg_alert, 512, "ossec: File rotated (inode "
510 /* Send message about log rotated */
511 SendMSG(logr_queue, msg_alert,
512 "ossec-logcollector", LOCALFILE_MQ);
514 debug1("%s: DEBUG: File inode changed. %s",
515 ARGV0, logff[i].file);
520 CloseHandle(logff[i].h);
525 handle_file(i, 0, 1);
529 else if(logff[i].size > (lpFileInformation.nFileSizeHigh + lpFileInformation.nFileSizeLow))
531 else if(logff[i].size > tmp_stat.st_size)
534 char msg_alert[512 +1];
536 snprintf(msg_alert, 512, "ossec: File size reduced "
537 "(inode remained): '%s'.",
540 /* Send message about log rotated */
541 SendMSG(logr_queue, msg_alert,
542 "ossec-logcollector", LOCALFILE_MQ);
544 debug1("%s: DEBUG: File size reduced. %s",
545 ARGV0, logff[i].file);
548 /* Fixing size so we don't alert more than once */
549 logff[i].size = tmp_stat.st_size;
552 /* Getting new file. */
556 CloseHandle(logff[i].h);
561 handle_file(i, 1, 1);
572 /* Too many errors for the file */
573 if(logff[i].ign > open_file_attempts)
575 /* 999 Maximum ignore */
576 if(logff[i].ign == 999)
581 merror(LOGC_FILE_ERROR, ARGV0, logff[i].file);
586 CloseHandle(logff[i].h);
593 /* If the file has a variable date, ignore it for
598 /* Variable log files should always be attempted
601 //logff[i].file = NULL;
608 /* File not opened */
611 if(logff[i].ign >= 999)
615 /* Try for a few times to open the file */
616 if(handle_file(i, 1, 1) < 0)
629 /**int update_fname(int i): updates file name */
630 int update_fname(int i)
633 time_t __ctime = time(0);
635 char lfile[OS_FLSIZE + 1];
639 p = localtime(&__ctime);
643 if(p->tm_mday == _cday)
649 lfile[OS_FLSIZE] = '\0';
650 ret = strftime(lfile, OS_FLSIZE, logff[i].ffile, p);
653 ErrorExit(PARSE_ERROR, ARGV0, logff[i].ffile);
657 /* Update the file name */
658 if(strcmp(lfile, logff[i].file) != 0)
660 os_free(logff[i].file);
662 os_strdup(lfile, logff[i].file);
664 verbose(VAR_LOG_MON, ARGV0, logff[i].file);
666 /* Setting cday to zero because other files may need
678 /* handle_file: Open, get the fileno, seek to the end and update mtime */
679 int handle_file(int i, int do_fseek, int do_log)
684 /* We must be able to open the file, fseek and get the
685 * time of change from it.
688 logff[i].fp = fopen(logff[i].file, "r");
693 merror(FOPEN_ERROR, ARGV0, logff[i].file);
697 /* Getting inode number for fp */
698 fd = fileno(logff[i].fp);
699 if(fstat(fd, &stat_fd) == -1)
701 merror(FILE_ERROR,ARGV0,logff[i].file);
707 logff[i].fd = stat_fd.st_ino;
708 logff[i].size = stat_fd.st_size;
712 BY_HANDLE_FILE_INFORMATION lpFileInformation;
715 logff[i].h = CreateFile(logff[i].file, GENERIC_READ,
716 FILE_SHARE_DELETE|FILE_SHARE_READ|FILE_SHARE_WRITE,
717 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
718 if(logff[i].h == INVALID_HANDLE_VALUE)
722 merror(FOPEN_ERROR, ARGV0, logff[i].file);
726 fd = _open_osfhandle((long)logff[i].h, 0);
729 merror(FOPEN_ERROR, ARGV0, logff[i].file);
730 CloseHandle(logff[i].h);
733 logff[i].fp = _fdopen(fd, "r");
734 if(logff[i].fp == NULL)
736 merror(FOPEN_ERROR, ARGV0, logff[i].file);
737 CloseHandle(logff[i].h);
742 /* On windows, we also need the real inode, which is the combination
743 * of the index low + index high numbers.
745 if(GetFileInformationByHandle(logff[i].h, &lpFileInformation) == 0)
747 merror("%s: Unable to get file information by handle.", ARGV0);
749 CloseHandle(logff[i].h);
754 logff[i].fd = (lpFileInformation.nFileIndexLow + lpFileInformation.nFileIndexHigh);
755 logff[i].size = (lpFileInformation.nFileSizeHigh + lpFileInformation.nFileSizeLow);
760 /* Only seek the end of the file if set to. */
761 if(do_fseek == 1 && S_ISREG(stat_fd.st_mode))
763 /* Windows and fseek causes some weird issues.. */
765 if(fseek(logff[i].fp, 0, SEEK_END) < 0)
767 merror(FSEEK_ERROR, ARGV0,logff[i].file);
776 /* Setting ignore to zero */
projects / ossec-hids.git / blob