/**************************************
**
** PARSER RULES
**
** (a) must set record->host
** (to a placeholder such as the local host name
** when the log format carries no host field)
**
** (b) must set record->prefix
** (command)
**
**
**************************************/
/* for strptime */
#define _XOPEN_SOURCE
#include "config_xor.h"
#include <string.h>
#if defined(HOST_IS_SOLARIS)
/* For 'struct timeval' in <sys/time.h> */
#define __EXTENSIONS__
#endif
#include <time.h>
#if defined(USE_LOGFILE_MONITOR)
#include "samhain.h"
#include "sh_pthread.h"
#include "sh_log_check.h"
#include "sh_string.h"
#undef FIL__
#define FIL__ _("sh_log_parse_samba.c")
sh_string * sh_read_samba (sh_string * record, struct sh_logfile * logfile)
{
  /* Reader hook for Samba logs: delegate to the generic continuation-aware
   * reader. The third argument is the set of characters which, at the start
   * of a line, presumably mark it as a continuation of the previous record
   * (space and tab) -- confirm against sh_cont_reader(). */
  static const char cont_chars[] = " \t";

  return sh_cont_reader (record, logfile, cont_chars);
}
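struct sh_logrecord * sh_parse_samba (sh_string * logline, void * fileinfo)
{
  /* Carried over from the previous record and handed to conv_timestamp()
   * together with the freshly parsed time. Static storage makes this
   * parser non-reentrant: do not call it concurrently from several threads. */
  static struct tm old_tm;
  static time_t old_time;
  struct sh_logrecord * record = NULL;

  /* strptime() pattern for the Samba header timestamp, e.g.
   * "[2011/06/15 14:40:56" -- the opening bracket is part of the pattern.
   * The translated copy is built once on first use. */
  static const char * format0_1 = N_("[%Y/%m/%d %T");
  static char format_1[16];
  static int format_init = 0;

  (void) fileinfo;

  if (!format_init)
    {
      sl_strlcpy(format_1, _(format0_1), sizeof(format_1));
      format_init = 1;
    }

  if (logline && sh_string_len(logline) > 0)
    {
      size_t lengths[3];
      unsigned int fields = 3;
      char ** array;
      char * p = strchr(sh_string_str(logline), ',');

      /* The first ',' separates the timestamp from the rest of the header.
       * Log content is untrusted input: a line without a ',' (truncated,
       * malformed, or simply not a Samba header) must be rejected here.
       * The previous version dereferenced p unconditionally, i.e. wrote
       * through a NULL pointer on such a line. */
      if (p == NULL)
        return NULL;

      *p = '\0';
      ++p;

      /* fields is 3 on entry and holds the number of fields found on return
       * (presumably the maximum to split into -- confirm in split_array_ws).
       * For a Samba header the text after the comma is presumably
       * "<level>] <source>" followed by the message text. */
      array = split_array_ws(p, &fields, lengths);

      if (fields == 3)
        {
          struct tm btime;
          char * ptr;

          memset(&btime, 0, sizeof(struct tm));
          btime.tm_isdst = -1; /* DST status unknown; left to the conversion */

          ptr = strptime(sh_string_str(logline), format_1, &btime);

          /* Accept only if the whole timestamp was consumed. Anything left
           * over after %T (e.g. a fractional-seconds suffix, if the monitored
           * Samba version writes one -- TODO confirm) drops the line. */
          if (ptr && *ptr == '\0')
            {
              record = SH_ALLOC(sizeof(struct sh_logrecord));
              record->timestamp = conv_timestamp(&btime, &old_tm, &old_time);

              /* Time string is everything after the leading '[' up to the
               * ',' that was replaced by '\0' above. */
              p = sh_string_str(logline); ++p;
              record->timestr = sh_string_new_from_lchar(p, strlen(p));

              record->message = sh_string_new_from_lchar(array[2], lengths[2]);
              record->pid = 0;

              /* Samba logs carry no host field; the local host name is the
               * placeholder every parser is required to supply.
               * NOTE(review): the file header also says parsers must set
               * record->prefix; it is not set here -- verify whether that
               * member still exists and whether any caller reads it. */
              record->host = sh_string_new_from_lchar(sh.host.name,
                                                      strlen(sh.host.name));
            }
        }
      SH_FREE(array);
    }
  return record;
}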
#endif