/*
* logtool - a logfile parsing/monitoring/manipulation utility
*
* Copyright (C) Y2K (2000) A.L.Lambert
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2, or (at your option)
* any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
/* someday this function will someday hold all the 'while' read loop for all logtool */
int lt_loop() {
int fmt;
int dpv = 0;
/* some modules we may or may not use */
int mod_snort = FALSE;
int mod_iptables = FALSE;
int mod_syslog = FALSE;
mod_syslog = mod_varcheck("modsys_use");
mod_snort = mod_varcheck("modsn_use");
mod_iptables = mod_varcheck("modipt_use");
/* some sanity checking for CSV output module */
if(cf.outfmt == OUTPUT_CSV) {
/* until we get CSV tweaked to understand funky modules, we just revert
* back to syslog processing */
mod_snort = FALSE;
mod_iptables = FALSE;
}
/* Open up stdin and read the input one line at a time till EOF */
while(fgets(event.raw, LSIZE, stdin) != NULL) {
/*
* this function will see if it's a multilog generated file, and
* do a quick pre-parse into syslog format if it is
*/
lt_parse_multilog();
/* Figure out what format of log-line we were given (bomb out if really bad) */
if((fmt = lt_fmtcheck(event.raw)) == -1) {
/* if we got an error, we need to stop now */
continue;
}
/* do our regex checking - we may be excluding this line of text */
if(lt_do_regexcheck() == FALSE) continue;
/* if it's not an unknown event, parse it and store value of dpv */
if (fmt != EVENT_UNKNOWN) {
dpv = lt_do_parse();
}
/* if we couldn't parse this properly, then we continue */
if (dpv == -1 || dpv == FALSE) {
continue;
}
/* depending what the format was, call the appropriate module */
switch(fmt) {
/* these functions should set event.pmsg with the appro */
/* the appropriate \033 escape sequences (see the file */
/* logtool.h for a listing of how we interpet these) */
/* later in the parsing process. */
case EVENT_UNKNOWN:
ltm_unknown();
break;
/*
* from here down, we fallback to other processing
* if the module in question is turned off in config
*/
case EVENT_SYSLOG:
if(mod_syslog == TRUE) ltm_syslog();
else ltm_unknown();
break;
/*
* we're doing double fallbacks here, since syslog
* would be second best to what we got, but if
* user disabled it, we want to go all the way down
* to 'unknown' processing; Ugly, I know it...
*/
case EVENT_SNORT:
if(mod_snort == TRUE)
ltm_snort();
else if(mod_syslog == TRUE)
ltm_syslog();
else
ltm_unknown();
break;
case EVENT_IPTABLES:
if(mod_iptables == TRUE)
ltm_iptables();
else if(mod_syslog == TRUE)
ltm_syslog();
else
ltm_unknown();
break;
/*
* these are our only modules to date. I need to either
* write more, or get some friggin contributors. :)
*/
default:
continue;
}
/* now, event.pmsg should be ready to be fed to the appropo output module */
switch(cf.outfmt) {
case OUTPUT_ANSI:
lto_ansi();
break;
case OUTPUT_ASCII:
lto_ascii();
break;
case OUTPUT_CSV:
/* we only do syslog's and unknown's here */
lto_csv();
break;
case OUTPUT_HTML:
lto_html();
break;
case OUTPUT_RAW:
lto_raw();
break;
case OUTPUT_CURSES:
/*
* in truth, we'll probably never be here, as a curses
* module is likely going to have to be a standalone
*
* Oh, did I mention none of this is written yet? :)
*/
break;
default:
break;
}
}
return 0;
}
syntax highlighted by Code2HTML, v. 0.9.1