# Script-level namespace for the built-in functions declared below.
module Lognorm;
%%{
#include "LogNormalizer.h"
using namespace plugin::Bro_Lognorm;
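// Resolves a script-level value to the event handler it names.
//
// evt_val: the value handed to an `any`-typed BIF argument; may be NULL.
//
// Returns the registered handler for the event, or NULL (after reporting a
// script error where applicable) when evt_val is absent, is not a function
// value, is a plain function rather than an event, or does not take exactly
// one argument of type string.
static EventHandlerPtr to_event(Val* evt_val)
	{
	if ( ! evt_val )
		return NULL;

	// The argument is typed `any`, so the script layer does not guarantee a
	// function value. AsFunc() is only valid on a function value, so check
	// the type tag first and report a script error for anything else.
	if ( evt_val->Type()->Tag() != TYPE_FUNC )
		{
		reporter->Error("event argument must be an event");
		return NULL;
		}

	Func* evt = evt_val->AsFunc();
	if ( ! evt )
		return NULL;

	// Make sure the event is prototyped as expected: an event handler, not a
	// function, taking a single string argument (the raw log line).
	FuncType* evt_type = evt->FType()->AsFuncType();
	if ( evt_type->Flavor() != FUNC_FLAVOR_EVENT )
		{
		reporter->Error("event is a function, not an event");
		return NULL;
		}

	const RecordType* evt_args = evt_type->Args();
	if ( evt_args->NumFields() != 1 ||
	     ! IsString(evt_args->FieldType(0)->Tag()) )
		{
		reporter->Error("event must take a single argument of type string");
		return NULL;
		}

	return event_registry->Lookup(evt->Name());
	}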
%%}
## Creates a new log normalizer. Rules are loaded into it separately.
##
## Returns: A log normalizer handle.
##
## .. bro:see:: lognormalizer_init_ex lognormalizer_load_rules lognormalizer_normalize
function lognormalizer_init%(%) : opaque of lognormalizer
	%{
	LogNormalizer* normalizer = new LogNormalizer();
	return new LogNormalizerVal(normalizer);
	%}
## Creates a log normalizer that hands unparsed log lines to a custom
## event.
##
## evt: The event that receives each unparsed log line. It must be an
##      event (not a function) taking a single argument of type string,
##      which carries the raw log line. Passing anything else reports an
##      error.
##
## Returns: A log normalizer handle.
##
## .. bro:see:: lognormalizer_init lognormalizer_normalize
function lognormalizer_init_ex%(evt: any%) : opaque of lognormalizer
	%{
	EventHandlerPtr handler = to_event(evt);
	return new LogNormalizerVal(new LogNormalizer(handler));
	%}
## Loads a rule file in liblognorm format into a normalizer.
##
## ln: The lognormalizer handle.
##
## fn: The rule file name.
##
## Returns: True if the rules were loaded, false otherwise (including
##          when the handle carries no normalizer).
##
## .. bro:see:: lognormalizer_init lognormalizer_normalize
function lognormalizer_load_rules%(ln: opaque of lognormalizer,
                                   fn: string%) : bool
	%{
	LogNormalizer* normalizer =
		static_cast<LogNormalizerVal*>(ln)->GetNormalizer();
	bool loaded = false;

	if ( normalizer )
		loaded = normalizer->LoadRules(fn->CheckString());

	return new Val(loaded, TYPE_BOOL);
	%}
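## Normalizes a log line. For each tag the matching rule defines,
## the corresponding event will be scheduled, and each field the rule
## defines will be passed as a parameter to that event.
##
## ln: The lognormalizer handle.
##
## s: The log line to normalize.
##
## Returns: A bool value indicating success; false if the handle
##          carries no normalizer.
##
## .. bro:see:: lognormalizer_init lognormalizer_load_rules
function lognormalizer_normalize%(ln: opaque of lognormalizer,
                                  s: string%): bool
	%{
	LogNormalizerVal* lnv = static_cast<LogNormalizerVal*>(ln);
	LogNormalizer* l = lnv->GetNormalizer();

	// Mirror lognormalizer_load_rules: a handle without a normalizer is a
	// failed call, not a null dereference.
	if ( ! l )
		return new Val(false, TYPE_BOOL);

	bool succ = l->Normalize(s->CheckString());
	return new Val(succ, TYPE_BOOL);
	%}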