Merge pull request #750 from dcid/master

Multiple changes to logcollector config + saner defaults
ossec · Feb 26, 2016 · 886eb17 · 886eb17
2 parents 52698a0 + 155c089
commit 886eb17
Show file tree

Hide file tree

Showing 4 changed files with 178 additions and 103 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -0,0 +1,8 @@
+OSSEC changelog.
+
+
+Changes at the -latest version
+   * Feature: Added hourly and daily options to the logcollecor frequency.
+   * Bug fix: Glob() implementation on logcollector.
+
+
diff --git a/etc/internal_options.conf b/etc/internal_options.conf
@@ -14,11 +14,11 @@
 # Analysisd default rule timeframe.
 analysisd.default_timeframe=360
 # Analysisd stats maximum diff.
-analysisd.stats_maxdiff=25000
+analysisd.stats_maxdiff=999000
 # Analysisd stats minimum diff.
-analysisd.stats_mindiff=250
+analysisd.stats_mindiff=1250
 # Analysisd stats percentage (how much to differ from average)
-analysisd.stats_percent_diff=30
+analysisd.stats_percent_diff=150
 # Analysisd FTS list size.
 analysisd.fts_list_size=32
 # Analysisd FTS minimum string size.    

diff --git a/src/analysisd/decoders/plugins/ossecalert_decoder.c b/src/analysisd/decoders/plugins/ossecalert_decoder.c
@@ -5,147 +5,199 @@
  * and/or modify it under the terms of the GNU General Public
  * License (version 2) as published by the FSF - Free Software
  * Foundation.
+ *
  */
 
-#include "../plugin_decoders.h"
 
 #include "shared.h"
 #include "eventinfo.h"
 #include "config.h"
 
 
+
+
+/* OSSECAlert decoder init */
 void *OSSECAlert_Decoder_Init()
 {
     debug1("%s: Initializing OSSECAlert decoder.", ARGV0);
 
+
     /* There is nothing else to do over here */
-    return (NULL);
+    return(NULL);
 }
 
+
+
 #define oa_strchr(x,y,z) z = strchr(x,y); if(!z){ return(NULL); }
 
-/* Extract the rule_id and point back to the original rule
- * Will also extract srcip and username if available
- */
+/* OSSECAlert decoder 
+ * Will extract the rule_id and point back to the original rule.
+ * Will also extract srcip and username if available.
+ * Examples:
+ * 
+ */                             
 void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
 {
-    const char *oa_id = NULL;
-    const char *oa_location;
-    const char *oa_val;
+    char *oa_id = 0;
+    char *oa_location;
+    char *oa_val;
     char oa_newlocation[256];
-    char tmpstr_buffer[4096 + 1];
+    char agent_file[OS_SIZE_1024 +1];
+    char tmpstr_buffer[4096 +1];
     char *tmp_str = NULL;
-    RuleInfo *rule_pointer;
+    void *rule_pointer;
+    FILE *fp;
+
 
     lf->decoder_info->type = OSSEC_ALERT;
 
-    /* Check the alert level */
-    if (strncmp("Alert Level: ", lf->log, 12) != 0 &&
-            strncmp("ossec: Alert Level:", lf->log, 18) != 0) {
-        return (NULL);
+
+    /* Checking the alert level. */
+    if(strncmp("Alert Level: ", lf->log, 12) != 0 &&
+       strncmp("ossec: Alert Level:", lf->log, 18) != 0)
+    {
+        return(NULL);
     }
 
-    /* Going past the level */
+
+    /* Going past the level. */
     oa_strchr(lf->log, ';', tmp_str);
     tmp_str++;
 
-    /* Get rule id */
+
+    /* Getting rule id. */
     oa_strchr(tmp_str, ':', tmp_str);
     tmp_str++;
-    if (*tmp_str != ' ') {
-        return (NULL);
-    }
+    if(*tmp_str != ' ')
+    {
+        return(NULL);
+    }    
     tmp_str++;
 
-    /* Get id */
+
+    /* Getting id. */
     oa_id = tmp_str;
     oa_strchr(tmp_str, ' ', tmp_str);
     *tmp_str = '\0';
 
-    /* Get rule structure */
-    rule_pointer = (RuleInfo *) OSHash_Get(Config.g_rules_hash, oa_id);
-    if (!rule_pointer) {
-        merror("%s: WARN: Rule id '%s' not found internally.", ARGV0, oa_id);
+
+    /* Getting rule structure. */
+    rule_pointer = OSHash_Get(Config.g_rules_hash, oa_id);
+    if(!rule_pointer)
+    {
         *tmp_str = ' ';
-        return (NULL);
+        merror("%s: WARN: Rule id '%s' not found internally: %s", ARGV0, oa_id, lf->log);
+        *tmp_str = ' ';
+        return(NULL);
     }
     *tmp_str = ' ';
     oa_strchr(tmp_str, ';', tmp_str);
     tmp_str++;
 
-    /* Check location */
-    if (strncmp(" Location: ", tmp_str, 11) != 0) {
-        return (NULL);
+
+
+
+    /* Checking location. */
+    if(strncmp(" Location: ", tmp_str, 11) != 0)
+    {
+        return(NULL);
     }
-    tmp_str += 11;
+    tmp_str+=11;
 
-    /* Set location */
+
+    /* Setting location; */
     oa_location = tmp_str;
+
 
     oa_strchr(tmp_str, ';', tmp_str);
     *tmp_str = '\0';
 
-    /* Set new location */
+
+
+    /* Setting new location. */
     oa_newlocation[255] = '\0';
+    agent_file[OS_SIZE_1024] = '\0';
+
+
+    snprintf(agent_file, OS_SIZE_1024, "%s/%s->%s",
+             AGENTINFO_DIR, lf->hostname, lf->location);
 
-    if (lf->hostname == lf->location) {
-        snprintf(oa_newlocation, 255, "%s|%s", lf->location, oa_location);
-        free(lf->location);
-        os_strdup(oa_newlocation, lf->location);
-        lf->hostname = lf->location;
-    } else {
-        snprintf(oa_newlocation, 255, "%s->%s|%s", lf->hostname,
-                 lf->location, oa_location);
-        free(lf->location);
-        os_strdup(oa_newlocation, lf->location);
-        lf->hostname = lf->location;
+    snprintf(oa_newlocation, 255, "%s|%s", lf->location, oa_location);
+    free(lf->location);
+    os_strdup(oa_newlocation, lf->location);
+    lf->hostname = lf->location;
+
+
+
+    /* Writting to the agent file */
+    fp = fopen(agent_file, "w");
+    if(fp)
+    {
+        fprintf(fp, "%s\n", "Remote Syslog");
+        fclose(fp);
     }
 
+
     *tmp_str = ';';
     tmp_str++;
 
-    /* Get additional fields */
-    while ((*tmp_str == ' ') && (tmp_str[1] != ' ')) {
+
+
+
+    /* Getting additional fields. */
+    while((*tmp_str == ' ') && (tmp_str[1] != ' '))
+    {
         tmp_str++;
         oa_val = tmp_str;
 
         tmp_str = strchr(tmp_str, ';');
-        if (!tmp_str) {
-            return (NULL);
+        if(!tmp_str)
+        {
+            return(NULL);
         }
         *tmp_str = '\0';
 
-        if (strncmp(oa_val, "srcip: ", 7) == 0) {
+        if(strncmp(oa_val, "srcip: ", 7) == 0)
+        {
             os_strdup(oa_val + 7, lf->srcip);
+            #ifdef GEOIP
+            if(!lf->srcgeoip && lf->srcip)
+            {
+                lf->srcgeoip = GetGeoInfobyIP(lf->srcip);
+            }
+            #endif
         }
-        if (strncmp(oa_val, "user: ", 6) == 0) {
+        if(strncmp(oa_val, "user: ", 6) == 0)
+        {
             os_strdup(oa_val + 6, lf->dstuser);
         }
 
         *tmp_str = ';';
         tmp_str++;
     }
+
 
-    /* Remove space */
-    while (*tmp_str == ' ') {
+    /* Removing space. */
+    while(*tmp_str == ' ')
         tmp_str++;
-    }
+
 
-    /* Create new full log */
+    /* Creating new full log. */
     tmpstr_buffer[0] = '\0';
     tmpstr_buffer[4095] = '\0';
     strncpy(tmpstr_buffer, tmp_str, 4094);
 
-
     free(lf->full_log);
     lf->full_log = NULL;
     os_strdup(tmpstr_buffer, lf->full_log);
-
     lf->log = lf->full_log;
+
 
-    /* Rule that generated */
+    /* Rule that generated. */
     lf->generated_rule = rule_pointer;
 
-    return (NULL);
+
+    return(NULL);
 }
 
+/* END Decoder */