X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=src%2Flogcollector%2Fread_ossecalert.c;fp=src%2Flogcollector%2Fread_ossecalert.c;h=5b669dd5fc35e9d9fd72c4bb2699d088d5476e09;hp=0000000000000000000000000000000000000000;hb=6ef2f786c6c8ead94841b5f93baf9f43421f08c8;hpb=301048b51990573e58a30dc4a5bb4ec285cad554
diff --git a/src/logcollector/read_ossecalert.c b/src/logcollector/read_ossecalert.c
new file mode 100755
index 0000000..5b669dd
--- /dev/null
+++ b/src/logcollector/read_ossecalert.c
@@ -0,0 +1,137 @@
+/* @(#) $Id: ./src/logcollector/read_ossecalert.c, 2012/03/30 dcid Exp $
+ */
+
+/* Copyright (C) 2012 Daniel B. Cid (http://dcid.me)
+ * All right reserved.
+ *
+ * This program is a free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/* Read the syslog */
+
+
+#include "shared.h"
+#include "headers/read-alert.h"
+#include "logcollector.h"
+
+
+
+/* Read syslog files/snort fast/apache files */
+void *read_ossecalert(int pos, int *rc, int drop_it)
+{
+ alert_data *al_data;
+ char user_msg[256];
+ char srcip_msg[256];
+
+ char syslog_msg[OS_SIZE_2048 +1];
+
+ al_data = GetAlertData(0, logff[pos].fp);
+ if(!al_data)
+ {
+ return(NULL);
+ }
+
+
+ memset(syslog_msg, '\0', OS_SIZE_2048 +1);
+
+
+
+ /* Adding source ip. */
+ if(!al_data->srcip ||
+ ((al_data->srcip[0] == '(') &&
+ (al_data->srcip[1] == 'n') &&
+ (al_data->srcip[2] == 'o')))
+ {
+ srcip_msg[0] = '\0';
+ }
+ else
+ {
+ snprintf(srcip_msg, 255, " srcip: %s;", al_data->srcip);
+ }
+
+
+ /* Adding username. */
+ if(!al_data->user ||
+ ((al_data->user[0] == '(') &&
+ (al_data->user[1] == 'n') &&
+ (al_data->user[2] == 'o')))
+ {
+ user_msg[0] = '\0';
+ }
+ else
+ {
+ snprintf(user_msg, 255, " user: %s;", al_data->user);
+ }
+
+
+ if(al_data->log[1] == NULL)
+ {
+ /* Building syslog message. */
+ snprintf(syslog_msg, OS_SIZE_2048,
+ "ossec: Alert Level: %d; Rule: %d - %s; "
+ "Location: %s;%s%s %s",
+ al_data->level, al_data->rule, al_data->comment,
+ al_data->location,
+ srcip_msg,
+ user_msg,
+ al_data->log[0]);
+ }
+ else
+ {
+ char *tmp_msg = NULL;
+ short int j = 0;
+
+ while(al_data->log[j] != NULL)
+ {
+ tmp_msg = os_LoadString(tmp_msg, al_data->log[j]);
+ tmp_msg = os_LoadString(tmp_msg, "\n");
+ if(tmp_msg == NULL)
+ {
+ FreeAlertData(al_data);
+ return(NULL);
+ }
+ j++;
+ }
+ if(strlen(tmp_msg) > 1596)
+ {
+ tmp_msg[1594] = '.';
+ tmp_msg[1595] = '.';
+ tmp_msg[1596] = '.';
+ tmp_msg[1597] = '\0';
+ }
+ snprintf(syslog_msg, OS_SIZE_2048,
+ "ossec: Alert Level: %d; Rule: %d - %s; "
+ "Location: %s;%s%s %s",
+ al_data->level, al_data->rule, al_data->comment,
+ al_data->location,
+ srcip_msg,
+ user_msg,
+ tmp_msg);
+ }
+
+
+ /* Clearing the memory */
+ FreeAlertData(al_data);
+
+
+
+ /* Sending message to queue */
+ if(drop_it == 0)
+ {
+ if(SendMSG(logr_queue,syslog_msg,logff[pos].file, LOCALFILE_MQ) < 0)
+ {
+ merror(QUEUE_SEND, ARGV0);
+ if((logr_queue = StartMQ(DEFAULTQPATH,WRITE)) < 0)
+ {
+ ErrorExit(QUEUE_FATAL, ARGV0, DEFAULTQPATH);
+ }
+ }
+ }
+
+ return(NULL);
+}
+
+
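Review bot: In the multi-line branch of read_ossecalert, `tmp_msg` — which `os_LoadString` appears to allocate or grow, since it is seeded with NULL and reassigned on every call — is never released after the second `snprintf`, so every multi-line alert that passes through this reader leaks its concatenated buffer; `free(tmp_msg);` right after that `snprintf`, before the `else` block closes, would close it. The NULL check inside the loop runs only after both `os_LoadString` calls, so if the first returns NULL and the second still allocates, the text gathered in earlier iterations is lost as well; checking after each call is safer, though that depends on os_LoadString's contract, which is outside this diff. Separately, `snprintf(srcip_msg, 255, ...)` and `snprintf(user_msg, 255, ...)` hard-code a bound one below the 256-byte arrays; `sizeof srcip_msg` and `sizeof user_msg` tie the bound to the declaration and survive a resize. `rc` is accepted but never written; if callers read it after return, set it here or document that this reader leaves it untouched.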