path: root/include/sh_log_check.h
#ifndef SH_LOGCHECK_H
#define SH_LOGCHECK_H

#include <sys/types.h>
#include <time.h>

/* Convert a broken-down time (struct tm) to a unix timestamp, with caching.
 *
 * btime    - the broken-down time to convert.
 * old_tm   - presumably the struct tm of the previous conversion, used as
 *            the cache key; confirm against the implementation.
 * old_time - presumably the timestamp cached for *old_tm; confirm.
 *
 * Returns the timestamp as a time_t.
 * NOTE(review): none of the pointers is const-qualified, so callers should
 * assume all three objects may be written. The value returned when the
 * conversion fails is not documented in this header.
 */
time_t conv_timestamp (struct tm * btime, 
		       struct tm * old_tm, time_t * old_time);

/* Definition of a log record entry, to be returned from parsing function.
 *
 * PID_INVALID is presumably the value stored in sh_logrecord.pid when no
 * process id could be extracted from the line; confirm in the parsers.
 *
 * NOTE(review): the string members are filled from log content, which can be
 * influenced by anything able to write to the log. Treat them as untrusted
 * data when formatting, forwarding or matching them.
 * NOTE(review): this header does not state who owns and frees the record and
 * the strings it points to; confirm against the parser implementations.
 */
#define PID_INVALID 0
struct sh_logrecord 
{
  char      * filename;   /* presumably the file the record came from - confirm */
  sh_string * host;       /* host field of the record */
  sh_string * timestr;    /* timestamp as text */
  pid_t       pid;        /* process id; see PID_INVALID above */
  time_t      timestamp;  /* timestamp as time_t */
  sh_string * message;    /* message part of the record */
};

/* Bit flags; each value is a distinct bit, so they can be OR-ed together.
 * Presumably kept in sh_logfile.flags. The meanings noted below are inferred
 * from the names only and should be confirmed against the implementation.
 */
#define SH_LOGFILE_MOVED  (1<<0)  /* presumably: file was moved or rotated */
#define SH_LOGFILE_REWIND (1<<1)  /* presumably: read again from the start */
#define SH_LOGFILE_PIPE   (1<<2)  /* presumably: source is a pipe */
#define SH_LOGFILE_NOFILE (1<<3)  /* presumably: file is missing */

/* State of one monitored log source, kept as a singly linked list via 'next'.
 *
 * NOTE(review): this struct uses FILE and fpos_t (from <stdio.h>) and
 * sh_string, none of which this header includes or declares. The including
 * file has to provide them before including this header.
 */
struct sh_logfile 
{
  FILE * fp;         /* open stream of the log source */
  int    flags;      /* presumably a combination of the SH_LOGFILE_* bits - confirm */
  char * filename;   /* name of the log source */
  /* device_id and inode presumably record the identity of the file that was
   * opened, so that a replaced or rotated file can be noticed - confirm.
   * NOTE(review): such a comparison is only reliable when taken from the
   * open stream (fstat) rather than from the path, which can be swapped
   * between checks; verify which one the implementation uses.
   */
  dev_t  device_id;
  ino_t  inode;
  fpos_t offset;     /* stored read position; see sh_open_for_reader() */

  /* Info for the parser, e.g. a regular expression
   *
   * Opaque pointer handed to parse_record. NOTE(review): nothing in the type
   * system ties it to a particular parser, so it must come from the
   * eval_fileinfo callback that belongs to the same log type.
   */
  void * fileinfo;

  /* Callback function to read the next record
   */
  sh_string *           (*get_record)  (sh_string * record, 
					struct sh_logfile * logfile);

  /* Callback function to parse the record into standard format
   */
  struct sh_logrecord * (*parse_record)(sh_string * logline, void * fileinfo);

  /* Next entry in the list of log sources */
  struct sh_logfile * next;
};

/* Generic callback function to parse fileinfo.
 * Has the signature of sh_logfile_type.eval_fileinfo: takes a string and
 * returns an opaque pointer.
 * NOTE(review): str is presumably the format description from the
 * configuration, and the result is presumably what ends up in
 * sh_logfile.fileinfo - confirm. The return value on a malformed string is
 * not documented here.
 */
void * sh_eval_fileinfo_generic(char * str);

/* Generic record parser.
 * Has the signature of the parse_record callback: takes one log line plus the
 * opaque fileinfo pointer and returns a struct sh_logrecord.
 * NOTE(review): fileinfo presumably has to be a value produced by
 * sh_eval_fileinfo_generic() - confirm. Whether NULL is returned for a line
 * that does not match, and who frees the record, is not stated here.
 */
struct sh_logrecord * sh_parse_generic (sh_string * logline, void * fileinfo);


/****************************************************************
 **
 ** Parsing and reading functions
 **/

/* Open file, position at stored offset.
 * Takes the log source description; the stored offset is presumably
 * logfile->offset and the stream presumably ends up in logfile->fp - confirm.
 * NOTE(review): the meaning of the int return value is not documented in this
 * header.
 */
int sh_open_for_reader (struct sh_logfile * logfile);

/* Simple line reader for executed shell command.
 * Has the signature of the get_record callback.
 * NOTE(review): where the command string comes from and how it is executed is
 * not visible in this header. Confirm that it is taken from trusted
 * configuration only and is never built from log content.
 */ 
sh_string * sh_command_reader (sh_string * record, 
			       struct sh_logfile * logfile);

/* Wrapper for sh_command_reader; same signature, usable as get_record. */
sh_string * sh_read_shell (sh_string * record, struct sh_logfile * logfile);

/* Parses a shell command reply.
 * Has the signature of the parse_record callback. The reply is output of an
 * external program and should be handled as untrusted text.
 */
struct sh_logrecord * sh_parse_shell (sh_string * logline, void * fileinfo);

/* Simple line reader. Has the signature of the get_record callback.
 * NOTE(review): whether NULL is returned at end of input is not stated here.
 */ 
sh_string * sh_default_reader (sh_string * record, 
			       struct sh_logfile * logfile);

/* Continued line reader.
 * Takes an extra argument, so it cannot be stored in get_record directly.
 * NOTE(review): cont is presumably the marker that identifies a continuation
 * line - confirm.
 */ 
sh_string * sh_cont_reader (sh_string * record, 
			    struct sh_logfile * logfile, char * cont);

/* Binary reader.
 * NOTE(review): presumably reads 'size' bytes from the log source into the
 * buffer 's' - confirm. If so, the caller must guarantee that 's' points to
 * at least 'size' writable bytes, because the callee cannot check this.
 */
sh_string * sh_binary_reader (void * s, size_t size, struct sh_logfile * logfile);

/* Parses a syslog-style line. Has the signature of the parse_record callback.
 */
struct sh_logrecord * sh_parse_syslog (sh_string * logline, void * fileinfo);

/* Format info for Apache log. Has the signature of the eval_fileinfo callback.
 * NOTE(review): str is presumably the log format description from the
 * configuration - confirm.
 */
void * sh_eval_fileinfo_apache(char * str);

/* Parses an Apache-style line. Has the signature of the parse_record callback.
 * NOTE(review): fileinfo presumably has to be a value returned by
 * sh_eval_fileinfo_apache() - confirm. Request fields in such a line are
 * supplied by remote clients, so the resulting strings are untrusted.
 */
struct sh_logrecord * sh_parse_apache (sh_string * logline, void * fileinfo);

/* Get a pacct record. Has the signature of the get_record callback. */
sh_string * sh_read_pacct (sh_string * record, struct sh_logfile * logfile);

/* Parses a pacct record. Has the signature of the parse_record callback.
 * NOTE(review): the record layout expected in logline is defined by the
 * implementation and is not visible in this header.
 */
struct sh_logrecord * sh_parse_pacct (sh_string * logline, void * fileinfo);

/* Get a samba record. Has the signature of the get_record callback. */
sh_string * sh_read_samba (sh_string * record, struct sh_logfile * logfile);

/* Parses a samba record. Has the signature of the parse_record callback. */
struct sh_logrecord * sh_parse_samba (sh_string * logline, void * fileinfo);


/**
*****************************************************************/

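/* Getter and setter for the "hidepid" setting.
 *
 * sh_get_hidepid takes no arguments. It is declared with (void) so that the
 * compiler rejects calls that pass arguments; an empty parameter list in C
 * leaves the arguments unchecked.
 * sh_set_hidepid takes the new value as a string.
 *
 * NOTE(review): the meaning of the setting, the accepted strings and the
 * meaning of the int return values are defined in the implementation and are
 * not visible in this header.
 */
int sh_get_hidepid(void);
int sh_set_hidepid(const char *s);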

/* Size in bytes of the type code buffer in struct sh_logfile_type. */
#define SH_MAX_LCODE_SIZE 16

/* Describes one supported log type: a short code plus the three callbacks
 * used to read records, parse them, and evaluate the format description.
 */
struct sh_logfile_type 
{
  /* Fixed-size buffer for the type code.
   * NOTE(review): presumably a NUL-terminated string, which leaves at most
   * SH_MAX_LCODE_SIZE - 1 characters - confirm. Any code that copies into it
   * must bound the copy and terminate the string.
   */
  char code[SH_MAX_LCODE_SIZE];

  /* read callback; the null annotation marks the result as possibly NULL */
  /*@null@*/sh_string * (*get_record)  (sh_string * record,
					struct sh_logfile * logfile);
  /* parsing callback */
  struct sh_logrecord * (*parse_record)(sh_string * logline, void * fileinfo);

  /* evaluate fileinfo; returns the opaque pointer that parse_record receives
   * as its second argument (presumably via sh_logfile.fileinfo - confirm)
   */
  void * (*eval_fileinfo)(char * str); 
};


#endif