unified2: nostamp and file rotation

Give unified2 a nostamp option which will create the file
without the timestamp suffix (like Snort's nostamp option).

Also register for rotation notification on SIGHUP so the file
will be recreated if it is removed by an external rotation
program (only when nostamp is used).
pull/2572/head
Jason Ish 9 years ago committed by Victor Julien
parent 2c01985e73
commit 82f6103149

@ -225,7 +225,7 @@ static int Unified2IPv4TypeAlert(ThreadVars *, const Packet *, void *);
static int Unified2IPv6TypeAlert(ThreadVars *, const Packet *, void *);
static int Unified2PacketTypeAlert(Unified2AlertThread *, const Packet *, uint32_t, int);
void Unified2RegisterTests(void);
int Unified2AlertOpenFileCtx(LogFileCtx *, const char *);
static int Unified2AlertOpenFileCtx(LogFileCtx *, const char *, bool);
static void Unified2AlertDeInitCtx(OutputCtx *);
int Unified2Condition(ThreadVars *tv, const Packet *p);
@ -263,15 +263,15 @@ static int Unified2AlertCloseFile(Unified2AlertThread *aun)
* \retval 0 on succces
* \retval -1 on failure
*/
static int Unified2AlertRotateFile(Unified2AlertThread *aun)
static int Unified2AlertRotateFile(Unified2AlertThread *aun, bool truncate)
{
if (Unified2AlertCloseFile(aun) < 0) {
SCLogError(SC_ERR_UNIFIED2_ALERT_GENERIC,
"Error: Unified2AlertCloseFile failed");
return -1;
}
if (Unified2AlertOpenFileCtx(aun->unified2alert_ctx->file_ctx,aun->unified2alert_ctx->
file_ctx->prefix) < 0) {
if (Unified2AlertOpenFileCtx(aun->unified2alert_ctx->file_ctx,
aun->unified2alert_ctx->file_ctx->prefix, truncate) < 0) {
SCLogError(SC_ERR_UNIFIED2_ALERT_GENERIC,
"Error: Unified2AlertOpenFileCtx, open new log file failed");
return -1;
@ -787,6 +787,7 @@ static int Unified2PacketTypeAlert(Unified2AlertThread *aun, const Packet *p, ui
static int Unified2IPv6TypeAlert(ThreadVars *t, const Packet *p, void *data)
{
Unified2AlertThread *aun = (Unified2AlertThread *)data;
LogFileCtx *file_ctx = aun->unified2alert_ctx->file_ctx;
Unified2AlertFileHeader hdr;
AlertIPv6Unified2 *phdr;
AlertIPv6Unified2 gphdr;
@ -921,19 +922,22 @@ static int Unified2IPv6TypeAlert(ThreadVars *t, const Packet *p, void *data)
phdr->classification_id = htonl(pa->s->class);
phdr->priority_id = htonl(pa->s->prio);
SCMutexLock(&aun->unified2alert_ctx->file_ctx->fp_mutex);
if ((aun->unified2alert_ctx->file_ctx->size_current + length) >
aun->unified2alert_ctx->file_ctx->size_limit) {
if (Unified2AlertRotateFile(aun) < 0) {
SCMutexLock(&file_ctx->fp_mutex);
bool truncate = (file_ctx->size_current + length) > file_ctx->size_limit
? true : false;
if (truncate || file_ctx->rotation_flag) {
if (Unified2AlertRotateFile(aun, truncate) < 0) {
aun->unified2alert_ctx->file_ctx->alerts += i;
SCMutexUnlock(&aun->unified2alert_ctx->file_ctx->fp_mutex);
SCMutexUnlock(&file_ctx->fp_mutex);
return -1;
}
file_ctx->rotation_flag = 0;
}
if (Unified2Write(aun) != 1) {
aun->unified2alert_ctx->file_ctx->alerts += i;
SCMutexUnlock(&aun->unified2alert_ctx->file_ctx->fp_mutex);
file_ctx->alerts += i;
SCMutexUnlock(&file_ctx->fp_mutex);
return -1;
}
@ -972,6 +976,7 @@ static int Unified2IPv6TypeAlert(ThreadVars *t, const Packet *p, void *data)
static int Unified2IPv4TypeAlert (ThreadVars *tv, const Packet *p, void *data)
{
Unified2AlertThread *aun = (Unified2AlertThread *)data;
LogFileCtx *file_ctx = aun->unified2alert_ctx->file_ctx;
Unified2AlertFileHeader hdr;
AlertIPv4Unified2 *phdr;
AlertIPv4Unified2 gphdr;
@ -1097,20 +1102,22 @@ static int Unified2IPv4TypeAlert (ThreadVars *tv, const Packet *p, void *data)
phdr->priority_id = htonl(pa->s->prio);
/* check and enforce the filesize limit */
SCMutexLock(&aun->unified2alert_ctx->file_ctx->fp_mutex);
if ((aun->unified2alert_ctx->file_ctx->size_current + length) >
aun->unified2alert_ctx->file_ctx->size_limit) {
if (Unified2AlertRotateFile(aun) < 0) {
aun->unified2alert_ctx->file_ctx->alerts += i;
SCMutexUnlock(&aun->unified2alert_ctx->file_ctx->fp_mutex);
SCMutexLock(&file_ctx->fp_mutex);
bool truncate = (file_ctx->size_current + length) > file_ctx->size_limit
? true : false;
if (truncate || file_ctx->rotation_flag) {
if (Unified2AlertRotateFile(aun, truncate) < 0) {
file_ctx->alerts += i;
SCMutexUnlock(&file_ctx->fp_mutex);
return -1;
}
file_ctx->rotation_flag = 0;
}
if (Unified2Write(aun) != 1) {
aun->unified2alert_ctx->file_ctx->alerts += i;
SCMutexUnlock(&aun->unified2alert_ctx->file_ctx->fp_mutex);
file_ctx->alerts += i;
SCMutexUnlock(&file_ctx->fp_mutex);
return -1;
}
@ -1226,6 +1233,7 @@ OutputCtx *Unified2AlertInitCtx(ConfNode *conf)
LogFileCtx* file_ctx = NULL;
OutputCtx* output_ctx = NULL;
HttpXFFCfg *xff_cfg = NULL;
int nostamp = 0;
file_ctx = LogFileNewCtx();
if (file_ctx == NULL) {
@ -1279,6 +1287,13 @@ OutputCtx *Unified2AlertInitCtx(ConfNode *conf)
exit(EXIT_FAILURE);
}
}
if (ConfGetChildValueBool(conf, "nostamp", &nostamp)) {
if (nostamp) {
SCLogConfig("Disabling unified2 timestamp.");
file_ctx->nostamp = true;
}
}
}
uint32_t flags = UNIFIED2_ALERT_FLAGS_EMIT_PACKET;
@ -1295,10 +1310,15 @@ OutputCtx *Unified2AlertInitCtx(ConfNode *conf)
}
}
ret = Unified2AlertOpenFileCtx(file_ctx, filename);
ret = Unified2AlertOpenFileCtx(file_ctx, filename, false);
if (ret < 0)
goto error;
/* Only register for file rotation if theout is non-timestamped. */
if (nostamp) {
OutputRegisterFileRotationFlag(&file_ctx->rotation_flag);
}
output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL))
goto error;
@ -1367,7 +1387,8 @@ static void Unified2AlertDeInitCtx(OutputCtx *output_ctx)
* \param prefix Prefix of the log file.
* \return -1 if failure, 0 if succesful
* */
int Unified2AlertOpenFileCtx(LogFileCtx *file_ctx, const char *prefix)
static int Unified2AlertOpenFileCtx(LogFileCtx *file_ctx, const char *prefix,
bool truncate)
{
int ret = 0;
char *filename = NULL;
@ -1396,9 +1417,17 @@ int Unified2AlertOpenFileCtx(LogFileCtx *file_ctx, const char *prefix)
char *log_dir;
log_dir = ConfigGetLogDirectory();
if (file_ctx->nostamp) {
snprintf(filename, PATH_MAX, "%s/%s", log_dir, prefix);
} else {
snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32, log_dir, prefix, (uint32_t)ts.tv_sec);
}
if (truncate) {
file_ctx->fp = fopen(filename, "wb");
} else {
file_ctx->fp = fopen(filename, "ab");
}
if (file_ctx->fp == NULL) {
SCLogError(SC_ERR_FOPEN, "failed to open %s: %s", filename,
strerror(errno));
@ -1916,7 +1945,7 @@ static int Unified2TestRotate01(void)
TimeSetIncrementTime(1);
ret = Unified2AlertRotateFile(data);
ret = Unified2AlertRotateFile(data, false);
if (ret == -1)
goto error;

@ -123,6 +123,9 @@ typedef struct LogFileCtx_ {
/* Flag set when file rotation notification is received. */
int rotation_flag;
/* Set to true if the filename should not be timestamped. */
bool nostamp;
} LogFileCtx;
/* Min time (msecs) before trying to reconnect a Unix domain socket */

@ -250,6 +250,11 @@ outputs:
# is parsed as bytes.
#limit: 32mb
# By default unified2 log files have the file creation time (in
# unix epoch format) appended to the filename. Set this to yes to
# disable this behaviour.
#nostamp: no
# Sensor ID field of unified2 alerts.
#sensor-id: 0

Loading…
Cancel
Save