--- /dev/null
+
+#ifdef ZEROMQ_OUTPUT
+
+#include "shared.h"
+#include "eventinfo.h"
+#include "shared.h"
+#include "rules.h"
+#include "czmq.h"
+#include "cJSON.h"
+#include "zeromq_output.h"
+
+
+
+
+static zctx_t *zeromq_context;
+static void *zeromq_pubsocket;
+
+
+void zeromq_output_start(char *uri, int argc, char **argv) {
+
+ int rc;
+
+ debug1("%s: DEBUG: New ZeroMQ Context", ARGV0);
+ zeromq_context = zctx_new();
+ if (zeromq_context == NULL) {
+ merror("%s: Unable to initialize ZeroMQ library", ARGV0);
+ return;
+ }
+
+ debug1("%s: DEBUG: New ZeroMQ Socket: ZMQ_PUB", ARGV0);
+ zeromq_pubsocket = zsocket_new(zeromq_context, ZMQ_PUB);
+ if (zeromq_pubsocket == NULL) {
+ merror("%s: Unable to initialize ZeroMQ Socket", ARGV0);
+ return;
+ }
+
+ debug1("%s: DEBUG: Listening on ZeroMQ Socket: %s", ARGV0, uri);
+ rc = zsocket_bind(zeromq_pubsocket, uri);
+ if (rc) {
+ merror("%s: Unable to bind the ZeroMQ Socket: %s.", ARGV0, uri);
+ return;
+ }
+
+
+}
+
+void zeromq_output_end() {
+ zsocket_destroy(zeromq_context, zeromq_pubsocket);
+ zctx_destroy(&zeromq_context);
+}
+
+
+void zeromq_output_event(Eventinfo *lf){
+ char *json_alert = Eventinfo_to_jsonstr(lf);
+ zmsg_t *msg = zmsg_new();
+ zmsg_addstr(msg, "ossec.alerts");
+ zmsg_addstr(msg, json_alert);
+ zmsg_send(&msg, zeromq_pubsocket);
+ free(json_alert);
+}
+
+/* Convert Eventinfo to json */
+char *Eventinfo_to_jsonstr(Eventinfo *lf) {
+ cJSON *root;
+ cJSON *rule;
+ cJSON *file_diff;
+ char *out;
+ root = cJSON_CreateObject();
+ cJSON_AddItemToObject(root, "rule", rule=cJSON_CreateObject());
+
+ cJSON_AddNumberToObject(rule, "level", lf->generated_rule->level);
+
+ if (lf->generated_rule->comment) cJSON_AddStringToObject(rule, "comment", lf->generated_rule->comment);
+ if (lf->generated_rule->sigid) cJSON_AddNumberToObject(rule, "sidid", lf->generated_rule->sigid);
+ if (lf->generated_rule->cve) cJSON_AddStringToObject(rule, "cve", lf->generated_rule->cve);
+ if (lf->generated_rule->cve) cJSON_AddStringToObject(rule, "info", lf->generated_rule->info);
+
+
+ if (lf->action) cJSON_AddStringToObject(root, "action", lf->action);
+ if (lf->srcip) cJSON_AddStringToObject(root, "srcip", lf->srcip);
+ if (lf->srcport) cJSON_AddStringToObject(root, "srcport", lf->srcport);
+ if (lf->srcuser) cJSON_AddStringToObject(root, "srcuser", lf->srcuser);
+ if (lf->dstip) cJSON_AddStringToObject(root, "dstip", lf->dstip);
+ if (lf->dstport) cJSON_AddStringToObject(root, "dstport", lf->dstport);
+ if (lf->dstuser) cJSON_AddStringToObject(root, "dstuser", lf->dstuser);
+ if (lf->location) cJSON_AddStringToObject(root, "location", lf->location);
+ if (lf->full_log) cJSON_AddStringToObject(root, "full_log", lf->full_log);
+ if (lf->filename) {
+ cJSON_AddItemToObject(root, "file", file_diff=cJSON_CreateObject());
+
+ cJSON_AddStringToObject(file_diff, "path", lf->filename);
+
+ if (lf->md5_before && lf->md5_after && strcmp(lf->md5_before, lf->md5_after) != 0 ) {
+ cJSON_AddStringToObject(file_diff,"md5_before", lf->md5_before);
+ cJSON_AddStringToObject(file_diff,"md5_after", lf->md5_after);
+ }
+ if (lf->sha1_before && lf->sha1_after && !strcmp(lf->sha1_before, lf->sha1_after) != 0) {
+ cJSON_AddStringToObject(file_diff,"sha1_before", lf->sha1_before);
+ cJSON_AddStringToObject(file_diff,"sha1_after", lf->sha1_after);
+ }
+ if (lf->owner_before && lf->owner_after && !strcmp(lf->owner_before, lf->owner_after) != 0) {
+ cJSON_AddStringToObject(file_diff,"owner_before", lf->owner_before);
+ cJSON_AddStringToObject(file_diff,"owner_after", lf->owner_after);
+ }
+ if (lf->gowner_before && lf->gowner_after && !strcmp(lf->gowner_before, lf->gowner_after) != 0 ) {
+ cJSON_AddStringToObject(file_diff,"gowner_before", lf->gowner_before);
+ cJSON_AddStringToObject(file_diff,"gowner_after", lf->gowner_after);
+ }
+ if (lf->perm_before && lf->perm_after && lf->perm_before != lf->perm_after) {
+ cJSON_AddNumberToObject(file_diff, "perm_before", lf->perm_before);
+ cJSON_AddNumberToObject(file_diff, "perm_after", lf->perm_after);
+ }
+ }
+ out=cJSON_PrintUnformatted(root);
+ cJSON_Delete(root);
+ return out;
+}
+
+
+
+
+
+
+
+
+#endif