parse_auditlog.c.brk
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include "log.h"
/* Capacity in bytes of auditlog_buf; parse_auditlog() reads the audit log file into it. */
#define AUDITLOG_BUFSIZE 2048
/*
 * File-scope buffer holding the raw file contents. Each parse_auditlog()
 * call overwrites it from the start, and the reader does not NUL-terminate
 * it, so consumers must rely on explicit start/end pointers.
 */
char auditlog_buf[AUDITLOG_BUFSIZE];
/*
 * Handler for section A of an audit log entry.
 *
 * start and end delimit the section inside auditlog_buf; the loop below
 * treats end as inclusive (it runs while str <= end). The range is bounded
 * by these pointers only, so nothing here may scan for a NUL terminator.
 *
 * NOTE(review): unfinished. The `if ()` has no condition, so this function
 * (and the file) does not compile as it stands, and what each byte is meant
 * to be tested for cannot be told from here.
 */
static void parse_part_a(char *start, char *end)
{
char *str;
str = start;
/* Walk every byte of the section, first to last inclusive. */
while (str <= end) {
if ()
str++;
}
}
/*
 * Handler for section B; start and end delimit the section bytes.
 * Not implemented yet: the section is accepted and ignored.
 */
static void parse_part_b(char *start, char *end)
{
    (void)start;
    (void)end;
}
/*
 * Handler for section C; start and end delimit the section bytes.
 * Not implemented yet: the section is accepted and ignored.
 */
static void parse_part_c(char *start, char *end)
{
    (void)start;
    (void)end;
}
/*
 * Handler for section E; start and end delimit the section bytes.
 * Not implemented yet: the section is accepted and ignored.
 */
static void parse_part_e(char *start, char *end)
{
    (void)start;
    (void)end;
}
/*
 * Handler for section F; start and end delimit the section bytes.
 * Not implemented yet: the section is accepted and ignored.
 */
static void parse_part_f(char *start, char *end)
{
    (void)start;
    (void)end;
}
/*
 * Handler for section H; start and end delimit the section bytes.
 * Not implemented yet: the section is accepted and ignored.
 */
static void parse_part_h(char *start, char *end)
{
    (void)start;
    (void)end;
}
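/**
 * Load one audit log file into auditlog_buf and hand each section found in
 * it to the matching parse_part_*() helper.
 *
 * Sections are introduced by boundary lines such as "--11e8642c-F--", where
 * the letter names the section that follows. The file must end with the Z
 * boundary. If a section letter occurs more than once, the last occurrence
 * wins.
 *
 * @param fname  path of the audit log file to read
 * @return 0 when the file was read and scanned; -1 when it cannot be opened
 *         or read, does not fit in auditlog_buf, lacks the final Z boundary,
 *         or contains a section letter this parser does not handle.
 */
int parse_auditlog(char *fname)
{
    /*
     * A boundary is 14 bytes long; the byte after it (the line end) is
     * skipped together with it. The section letter sits at offset 11.
     */
    enum { BOUNDARY_LEN = 14, BOUNDARY_SKIP = 15, PART_OFFSET = 11 };
    int fd;
    ssize_t n = 0;
    size_t count = 0;
    size_t pos = 0;
    char part;
    char prev_part = 0;
    char *part_a_start = NULL, *part_a_end = NULL;
    char *part_b_start = NULL, *part_b_end = NULL;
    char *part_c_start = NULL, *part_c_end = NULL;
    char *part_e_start = NULL, *part_e_end = NULL;
    char *part_f_start = NULL, *part_f_end = NULL;
    char *part_h_start = NULL, *part_h_end = NULL;

    if ((fd = open(fname, O_RDONLY)) == -1) {
        logg("[parse_auditlog]failed to open %s", fname);
        return -1;
    }

    /*
     * Only ever ask read() for the space that is still free. Requesting a
     * full AUDITLOG_BUFSIZE after the write position has advanced would let
     * a file longer than the buffer (or a short first read) write past the
     * end of auditlog_buf.
     */
    while (count < AUDITLOG_BUFSIZE) {
        n = read(fd, auditlog_buf + count, AUDITLOG_BUFSIZE - count);
        if (n <= 0)
            break;
        count += (size_t)n;
    }
    if (n > 0) {
        /*
         * The buffer is full. Probe for one more byte so that an oversized
         * file is rejected instead of being parsed in truncated form.
         */
        char probe;

        n = read(fd, &probe, 1);
        if (n > 0) {
            close(fd);
            logg("[parse_auditlog]%s is too large", fname);
            return -1;
        }
    }
    /* All input is in memory now, so release the descriptor on every path. */
    close(fd);

    /* count < 4 must be rejected before indexing count - 4 (empty or tiny file). */
    if (n == -1 || count < 4 || auditlog_buf[count - 4] != 'Z') {
        logg("[parse_auditlog]failed to read %s", fname);
        return -1;
    }

    /*
     * NOTE(review): a boundary is recognised anywhere in the data by its
     * dash positions alone. Section contents that come from request data
     * could therefore imitate a boundary and shift the section ranges;
     * consider requiring the boundary at the start of a line and comparing
     * its id with the one from the first boundary.
     */
    while (pos < count) {
        char *mark = auditlog_buf + pos;

        /* for example: --11e8642c-F-- (only tested when all 14 bytes are inside the data) */
        if (count - pos >= (size_t)BOUNDARY_LEN &&
            mark[0] == '-' && mark[1] == '-' && mark[10] == '-' &&
            mark[12] == '-' && mark[13] == '-') {
            part = mark[PART_OFFSET];

            /* This boundary closes the section opened by the previous one. */
            switch (prev_part) {
            case 'A': part_a_end = mark - 1; break;
            case 'B': part_b_end = mark - 1; break;
            case 'C': part_c_end = mark - 1; break;
            case 'E': part_e_end = mark - 1; break;
            case 'F': part_f_end = mark - 1; break;
            case 'H': part_h_end = mark - 1; break;
            case 0:   break;
            default:  return -1; /* previous section letter is not handled */
            }

            pos += BOUNDARY_SKIP;
            if (pos >= count)
                break; /* nothing follows the boundary, so no section starts here */

            switch (part) {
            case 'A': part_a_start = auditlog_buf + pos; break;
            case 'B': part_b_start = auditlog_buf + pos; break;
            case 'C': part_c_start = auditlog_buf + pos; break;
            case 'E': part_e_start = auditlog_buf + pos; break;
            case 'F': part_f_start = auditlog_buf + pos; break;
            case 'H': part_h_start = auditlog_buf + pos; break;
            default:  break; /* 'Z' and unknown letters open no section */
            }
            prev_part = part;
        }
        pos++;
    }

    /* A section is parsed only when both of its ends were found. */
    if (part_a_start != NULL && part_a_end != NULL)
        parse_part_a(part_a_start, part_a_end);
    if (part_b_start != NULL && part_b_end != NULL)
        parse_part_b(part_b_start, part_b_end);
    if (part_c_start != NULL && part_c_end != NULL)
        parse_part_c(part_c_start, part_c_end);
    if (part_e_start != NULL && part_e_end != NULL)
        parse_part_e(part_e_start, part_e_end);
    if (part_f_start != NULL && part_f_end != NULL)
        parse_part_f(part_f_start, part_f_end);
    if (part_h_start != NULL && part_h_end != NULL)
        parse_part_h(part_h_start, part_h_end);

    return 0;
}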