lf->log = lf->full_log+loglen;
strncpy(lf->log, pieces, loglen);
-
+ /* check if month contains an umlaut and repair
+ * umlaute are non-ASCII and use 2 slots in the char array
+ * repair to only one slot so we can detect the correct date format in the next step
+ * ex: Mär 02 17:30:52
+ */
+ if (pieces[1] == (char) 195) {
+ if (pieces[2] == (char) 164) {
+ pieces[0] = '\0';
+ pieces[1] = 'M';
+ pieces[2] = 'a';
+ pieces++;
+ }
+ }
/* Checking for the syslog date format.
* ( ex: Dec 29 10:00:01
* or 2007-06-14T15:48:55-04:00 for syslog-ng isodate
* or 2009-05-22T09:36:46.214994-07:00 for rsyslog )
- */
+ */
if(
(
(loglen > 17) &&
lf->log+=23;
}
+ /* Checking for suricata (new) date format
+ * ex: 01/28/1979-09:13:16.240702 [**]
+ */
+ else if( (loglen > 26) &&
+ (pieces[2] == '/') &&
+ (pieces[5] == '/') &&
+ (pieces[10] == '-') &&
+ (pieces[13] == ':') &&
+ (pieces[16]== ':') &&
+ (pieces[19]== '.') &&
+ (pieces[26] == ' ') )
+ {
+ lf->log+=28;
+ }
+
+
/* Checking for apache log format */
/* [Fri Feb 11 18:06:35 2004] [warn] */
else if( (loglen > 27) &&
*/
else if((loglen > 32) &&
(pieces[0] == '1') &&
+ (isdigit((int)pieces[1])) &&
+ (isdigit((int)pieces[2])) &&
+ (isdigit((int)pieces[3])) &&
(pieces[10] == '.') &&
- (pieces[14] == ' ') &&
(isdigit((int)pieces[13])) &&
- (isdigit((int)pieces[1])) &&
+ (pieces[14] == ' ') &&
((pieces[21] == ' ')||(pieces[22] == ' ')))
{
lf->log+=14;
projects / ossec-hids.git / blobdiff