-/* @(#) $Id: ossecalert_decoder.c,v 1.3 2009/06/24 17:06:24 dcid Exp $ */
-
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 3) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
- * online at: http://www.ossec.net/en/licensing.html
*/
char *oa_location;
char *oa_val;
char oa_newlocation[256];
+ char agent_file[OS_SIZE_1024 +1];
+ char tmpstr_buffer[4096 +1];
char *tmp_str = NULL;
void *rule_pointer;
+ FILE *fp;
lf->decoder_info->type = OSSEC_ALERT;
/* Checking the alert level. */
- if(strncmp("Alert Level: ", lf->log, 12) != 0)
+ if(strncmp("Alert Level: ", lf->log, 12) != 0 &&
+ strncmp("ossec: Alert Level:", lf->log, 18) != 0)
{
return(NULL);
}
rule_pointer = OSHash_Get(Config.g_rules_hash, oa_id);
if(!rule_pointer)
{
- merror("%s: WARN: Rule id '%s' not found internally.", ARGV0, oa_id);
+ *tmp_str = ' ';
+ merror("%s: WARN: Rule id '%s' not found internally: %s", ARGV0, oa_id, lf->log);
*tmp_str = ' ';
return(NULL);
}
tmp_str++;
+
+
/* Checking location. */
if(strncmp(" Location: ", tmp_str, 11) != 0)
{
*tmp_str = '\0';
+
/* Setting new location. */
oa_newlocation[255] = '\0';
+ agent_file[OS_SIZE_1024] = '\0';
- if(lf->hostname == lf->location)
- {
- snprintf(oa_newlocation, 255, "%s|%s", lf->location, oa_location);
- free(lf->location);
- os_strdup(oa_newlocation, lf->location);
- lf->hostname = lf->location;
- }
- else
+
+ snprintf(agent_file, OS_SIZE_1024, "%s/%s->%s",
+ AGENTINFO_DIR, lf->hostname, lf->location);
+
+ snprintf(oa_newlocation, 255, "%s|%s", lf->location, oa_location);
+ free(lf->location);
+ os_strdup(oa_newlocation, lf->location);
+ lf->hostname = lf->location;
+
+
+
+ /* Writting to the agent file */
+ fp = fopen(agent_file, "w");
+ if(fp)
{
- snprintf(oa_newlocation, 255, "%s->%s|%s", lf->hostname,
- lf->location, oa_location);
- free(lf->location);
- os_strdup(oa_newlocation, lf->location);
- lf->hostname = lf->location;
+ fprintf(fp, "%s\n", "Remote Syslog");
+ fclose(fp);
}
+
*tmp_str = ';';
tmp_str++;
-
+
+
+
/* Getting additional fields. */
while((*tmp_str == ' ') && (tmp_str[1] != ' '))
{
while(*tmp_str == ' ')
tmp_str++;
-
+
/* Creating new full log. */
+ tmpstr_buffer[0] = '\0';
+ tmpstr_buffer[4095] = '\0';
+ strncpy(tmpstr_buffer, tmp_str, 4094);
+
free(lf->full_log);
- os_strdup(tmp_str, lf->full_log);
+ lf->full_log = NULL;
+ os_strdup(tmpstr_buffer, lf->full_log);
lf->log = lf->full_log;