1 /* Copyright (C) 2009 Trend Micro Inc.
4 * This program is a free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
13 #include "logcollector.h"
16 /* Read syslog files */
17 void *read_syslog(int pos, int *rc, int drop_it)
21 char str[OS_MAXSTR + 1];
24 str[OS_MAXSTR] = '\0';
27 /* Get initial file location */
28 fgetpos(logff[pos].fp, &fp_pos);
30 while (fgets(str, OS_MAXSTR - OS_LOG_HEADER, logff[pos].fp) != NULL) {
31 /* Get the last occurrence of \n */
32 if ((p = strrchr(str, '\n')) != NULL) {
34 /* From issue #913 @ybonnamy */
35 } else if((p = strchr(str, '\0')) != NULL) {
36 /* Replace NUL with a space */
40 /* If we didn't get the new line, because the
41 * size is large, send what we got so far.
43 else if (strlen(str) >= (OS_MAXSTR - OS_LOG_HEADER - 2)) {
44 /* Message size > maximum allowed */
47 /* Message not complete. Return. */
48 debug1("%s: Message not complete. Trying again: '%s'", ARGV0, str);
49 fsetpos(logff[pos].fp, &fp_pos);
54 if ((p = strrchr(str, '\r')) != NULL) {
58 /* Look for empty string (only on Windows) */
59 if (strlen(str) <= 2) {
60 fgetpos(logff[pos].fp, &fp_pos);
64 /* Windows can have comment on their logs */
66 fgetpos(logff[pos].fp, &fp_pos);
71 debug2("%s: DEBUG: Reading syslog message: '%s'", ARGV0, str);
73 /* Send message to queue */
75 if (SendMSG(logr_queue, str, logff[pos].file,
77 merror(QUEUE_SEND, ARGV0);
78 if ((logr_queue = StartMQ(DEFAULTQPATH, WRITE)) < 0) {
79 ErrorExit(QUEUE_FATAL, ARGV0, DEFAULTQPATH);
84 /* Incorrect message size */
86 // strlen(str) >= (OS_MAXSTR - OS_LOG_HEADER - 2)
87 // truncate str before logging to ossec.log
89 char buf[OUTSIZE + 1];
91 snprintf(buf, OUTSIZE, "%s", str);
92 merror("%s: Large message size(length=%d): '%s...'", ARGV0, (int)strlen(str), buf);
93 while (fgets(str, OS_MAXSTR - 2, logff[pos].fp) != NULL) {
94 /* Get the last occurrence of \n */
95 if (strrchr(str, '\n') != NULL) {
102 fgetpos(logff[pos].fp, &fp_pos);