Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add log cleanup and parsing for syslog protocol 23 logging format #2139

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Add log cleanup and parsing for syslog protocol 23 logging format #2139

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
5d32b43
Added event parsing for Syslog Protocol 23 Format
Tylerlhess Dec 11, 2024
bff5078
Handle format priority/version then proceed as normal parsing
Tylerlhess Dec 12, 2024
f2b6968
fixing magic numbers
Tylerlhess Dec 13, 2024
b17e9a7
Merge branch 'ossec:master' into master
Tylerlhess Jan 13, 2025
3c2dc88
Fixed missing pointer increment
Tylerlhess Jan 15, 2025
9cf4ace
simplified pointer control
Tylerlhess Jan 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 58 additions & 0 deletions src/analysisd/cleanevent.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,6 +99,39 @@ int OS_CleanMSG(char *msg, Eventinfo *lf)
pieces++;
}
}

/* Check for and remove syslog protocol 23 priority and versions */
if (pieces[0] == '<') {
/* Increment past the < */
pieces++;
/*move past the 1-3 digits
Increment lf->log along the way */
while (isdigit((int)*pieces)) {
pieces++;
}
if (
(pieces[0] == '>') &&
(
(pieces[1] == '1') || (pieces[1] == '2')
) &&
(pieces[2] == ' ')) {
pieces += 2;
pieces[0] = '\0';
pieces++;
lf->log = pieces;
} else {
/* Walk back to the beginning as not Syslog protocol 23 */
pieces--;
while (isdigit((int)*pieces)) {
pieces--;
}

}
}





/* Check for the syslog date format
* ( ex: Dec 29 10:00:01
Expand Down Expand Up @@ -233,6 +266,7 @@ int OS_CleanMSG(char *msg, Eventinfo *lf)
/* Valid names:
* p_name:
* p_name[pid]:
* p_name pid -
* p_name[pid]: [ID xx facility.severity]
* auth|security:info p_name:
*/
Expand Down Expand Up @@ -276,6 +310,30 @@ int OS_CleanMSG(char *msg, Eventinfo *lf)
lf->program_name = NULL;
}
}
/* Check for the third format: p_name pid */
else if ((*pieces == ' ') && (isdigit((int)pieces[1]))) {
*pieces = '\0';
pieces++;
while (isdigit((int)*pieces)) {
pieces++;
}

if (*pieces == ' ') {
pieces ++;
} else {
/* Fix for some weird log formats */
pieces--;
while (isdigit((int)*pieces)) {
pieces--;
}

if (*pieces == '\0') {
*pieces = ' ';
}
pieces = NULL;
lf->program_name = NULL;
}
}
/* AIX syslog */
else if ((*pieces == '|') && islower((int)pieces[1])) {
pieces += 2;
Expand Down