1 /* @(#) $Id: log.c,v 1.33 2009/11/20 15:38:28 dcid Exp $ */
3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is a free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 3) as published by the FSF - Free Software
16 #include "getloglocation.h"
18 #include "eventinfo.h"
22 /* Drop/allow patterns */
27 /* OS_Store: v0.2, 2005/02/10 */
28 /* Will store the events in a file
29 * The string must be null terminated and contain
30 * any necessary new lines, tabs, etc.
33 void OS_Store(Eventinfo *lf)
/* Writes one event record to the store file. Most of the body is elided
 * in this listing; only the format string and the hostname arguments are
 * visible. The format is a string literal, so event fields only ever reach
 * the formatter as %s arguments and cannot inject format directives. */
36 "%d %s %02d %s %s%s%s %s\n",
/* Pointer comparison, not strcmp: the hostname prefix and the "->"
 * separator are emitted only when lf->hostname and lf->location are
 * different objects, even if their text happens to be identical. */
41 lf->hostname != lf->location?lf->hostname:"",
42 lf->hostname != lf->location?"->":"",
51 /* OS_Log: v0.3, 2006/03/04 */
52 /* _writefile: v0.2, 2005/02/09 */
53 void OS_Log(Eventinfo *lf)
/* Writes a full alert record for lf to the alert log (_aflog), followed by
 * any events the rule accumulated in last_events. Parts of the body are
 * elided in this listing. */
55 /* Writing to the alert log file */
/* Literal format string: event-derived text is only ever a %s argument.
 * "%.1256s" caps the logged event text at 1256 bytes so an oversized or
 * hostile log line cannot blow up the alert record. */
57 "** Alert %d.%ld:%s - %s\n"
58 "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'\n"
59 "Src IP: %s\nUser: %s\n%.1256s\n",
/* " mail " tag appears in the alert header only when the matching rule
 * has DO_MAILALERT set in alert_opts. */
62 lf->generated_rule->alert_opts & DO_MAILALERT?" mail ":"",
63 lf->generated_rule->group,
/* Pointer comparison (see OS_Store): hostname and "->" are printed only
 * when lf->hostname and lf->location are distinct objects. */
68 lf->hostname != lf->location?lf->hostname:"",
69 lf->hostname != lf->location?"->":"",
71 lf->generated_rule->sigid,
72 lf->generated_rule->level,
73 lf->generated_rule->comment,
/* srcip and dstuser may be NULL for this event; substitute "(none)" so
 * fprintf never receives a NULL %s argument. */
74 lf->srcip == NULL?"(none)":lf->srcip,
75 lf->dstuser == NULL?"(none)":lf->dstuser,
79 /* Printing the last events if present */
/* last_events is a NULL-terminated list of earlier event texts attached
 * to the rule (e.g. for frequency-based rules); each is written with the
 * same 1256-byte cap as the main event text. */
80 if(lf->generated_rule->last_events)
82 char **lasts = lf->generated_rule->last_events;
85 fprintf(_aflog,"%.1256s\n",*lasts);
/* Resets the list head so the already-reported events are not printed
 * again with the next alert. NOTE(review): the loop body that releases
 * each entry is elided here — confirm entries are freed before this
 * reset, otherwise the list leaks. */
88 lf->generated_rule->last_events[0] = NULL;
101 /* Initializing fw log regexes */
102 if(!OSMatch_Compile(FWDROP, &FWDROPpm, 0))
104 ErrorExit(REGEX_COMPILE, ARGV0, FWDROP,
108 if(!OSMatch_Compile(FWALLOW, &FWALLOWpm, 0))
110 ErrorExit(REGEX_COMPILE, ARGV0, FWALLOW,
117 /* FW_Log: v0.1, 2005/12/30 */
118 int FW_Log(Eventinfo *lf)
120 /* If we don't have the srcip or the
121 * action, there is no point in going
124 if(!lf->action || !lf->srcip)
130 /* Setting the actions */
133 /* discard, drop, deny, */
143 os_strdup("DROP", lf->action);
152 os_strdup("CLOSED", lf->action);
164 os_strdup("ALLOW", lf->action);
167 if(OSMatch_Execute(lf->action,strlen(lf->action),&FWDROPpm))
170 os_strdup("DROP", lf->action);
172 if(OSMatch_Execute(lf->action,strlen(lf->action),&FWALLOWpm))
175 os_strdup("ALLOW", lf->action);
180 os_strdup("UNKNOWN", lf->action);
188 "%d %s %02d %s %s%s%s %s %s %s:%s->%s:%s\n",
193 lf->hostname != lf->location?lf->hostname:"",
194 lf->hostname != lf->location?"->":"",