Changeset 8c7d67f in nscp

Timestamp:

03/05/08 07:48:16 (5 years ago)

Author:

Michael Medin <michael@…>

Branches:

master, 0.4.0, 0.4.1, 0.4.2, stable

Children:

c3057cd

Parents:

6d3bbc1

Message:

+ Added debug to new section [Eventlog], when enabled it will (log) wat lines matched what, this is a pretty big performance overhead so dont run with this one.

+ Added syntax to new section [Eventlog] used as a shorthand for the syntax to use as "default" (when no syntax=... option is given)

• Fixed an issue with eventlog and . matching. + Added shorthand ! for != in "all" numeric filters (eventlog)

Files:

• changelog (modified) (1 diff)
• include/config.h (modified) (1 diff)
• include/filter_framework.hpp (modified) (9 diffs)
• modules/CheckEventLog/CheckEventLog-2005.vcproj (modified) (1 diff)
• modules/CheckEventLog/CheckEventLog.cpp (modified) (6 diffs)
• modules/CheckEventLog/CheckEventLog.h (modified) (1 diff)

changelog

@@ -7 +7 @@
  * "The message is blocked by User Interface Privilege Isolation, Administrative applications that need to see it can allow it through by calling ChangeWindowMessageFilter after making sure the necessary security precautions are in place. "
 
+2008-03-05 MickeM
+ + Added debug to new section [Eventlog], when enabled it will (log) wat lines matched what, this is a pretty big performance overhead so dont run with this one.
+ + Added syntax to new section [Eventlog] used as a shorthand for the syntax to use as "default" (when no syntax=... option is given)
+ * Fixed an issue with eventlog and . matching.
+ + Added shorthand ! for != in "all" numeric filters (eventlog)
+ 
 2008-02-26 MickeM
  + Added installer

include/config.h

@@ -150 +150 @@
 
 
+#define EVENTLOG_SECTION_TITLE _T("Eventlog")
+#define EVENTLOG_DEBUG _T("debug")
+#define EVENTLOG_DEBUG_DEFAULT 0
+#define EVENTLOG_SYNTAX _T("syntax")
+#define EVENTLOG_SYNTAX_DEFAULT _T("")
+
 #define NSCA_AGENT_SECTION_TITLE _T("NSCA Agent")
 #define NSCA_CMD_SECTION_TITLE _T("NSCA Commands")

include/filter_framework.hpp

@@ -187 +187 @@
     TFilterType filter;
     bool hasFilter_;
+    std::wstring value_;
     filter_one() : hasFilter_(false) {}
     filter_one(const filter_one &other) : hasFilter_(other.hasFilter_), filter(other.filter) {
@@ -198 +199 @@
     }
     const filter_one & operator=(std::wstring value) {
+      value_ = value;
       hasFilter_ = false;
       try {
@@ -207 +209 @@
       return *this;
     }
+    std::wstring getValue() const {
+      return value_;
+    }
   };
 
@@ -218 +223 @@
     sub_string_filter sub;
     exact_string_filter exact;
+    std::wstring value_;
 #ifndef NO_BOOST_DEP
     regexp_string_filter regexp;
@@ -241 +247 @@
       return false;
     }
+    std::wstring getValue() const {
+      return value_;
+    }
     const filter_all_strings & operator=(std::wstring value) {
+      value_ = value;
       strEx::token t = strEx::getToken(value, ':', false);
       if (t.first == _T("substr")) {
@@ -264 +274 @@
     filter_one<TType, TType, THandler, filter::numeric_nequals_filter<TType> > neq;
     filter_one<std::list<TType>, TType, handlers::numeric_list_handler<TType, THandler>, filter::numeric_inlist_filter<std::list<TType>, TType> > inList;
+    std::wstring value_;
 
     filter_all_numeric() {}
@@ -290 +301 @@
     }
     const filter_all_numeric& operator=(std::wstring value) {
+      value_ = value;
       if (value.substr(0,1) == _T(">")) {
         max = value.substr(1);
@@ -298 +310 @@
       } else if (value.substr(0,2) == _T("!=")) {
         neq = value.substr(2);
+      } else if (value.substr(0,1) == _T("!")) {
+        neq = value.substr(1);
       } else if (value.substr(0,3) == _T("in:")) {
         inList = value.substr(3);
@@ -304 +318 @@
       }
       return *this;
+    }
+    std::wstring getValue() const {
+      return value_;
     }
   };

modules/CheckEventLog/CheckEventLog-2005.vcproj

@@ -1794 +1794 @@
       </File>
       <File
+        RelativePath="..\..\include\checkHelpers.hpp"
+        >
+      </File>
+      <File
         RelativePath="..\..\include\filter_framework.hpp"
         >

modules/CheckEventLog/CheckEventLog.cpp

@@ -47 +47 @@
   try {
     NSCModuleHelper::registerCommand(_T("CheckEventLog"), _T("Check for errors in the event logger!"));
+    debug_ = NSCModuleHelper::getSettingsInt(EVENTLOG_SECTION_TITLE, EVENTLOG_DEBUG, EVENTLOG_DEBUG_DEFAULT)==1;
+    syntax_ = NSCModuleHelper::getSettingsString(EVENTLOG_SECTION_TITLE, EVENTLOG_SYNTAX, EVENTLOG_SYNTAX_DEFAULT);
   } catch (NSCModuleHelper::NSCMHExcpetion &e) {
     NSC_LOG_ERROR_STD(_T("Failed to register command: ") + e.msg_);
@@ -339 +341 @@
   filters::filter_all_times timeGenerated;
   filters::filter_all_numeric<DWORD, filters::handlers::eventtype_handler> eventID;
+  std::wstring value_;
 
   inline bool hasFilter() {
     return eventSource.hasFilter() || eventType.hasFilter() || eventID.hasFilter() || eventSeverity.hasFilter() || message.hasFilter() || 
       timeWritten.hasFilter() || timeGenerated.hasFilter();
+  }
+  std::wstring getValue() const {
+    if (eventSource.hasFilter())
+      return eventSource.getValue();
+    if (eventType.hasFilter())
+      return eventType.getValue();
+    if (eventSeverity.hasFilter())
+      return eventSeverity.getValue();
+    if (eventID.hasFilter())
+      return eventID.getValue();
+    if (message.hasFilter())
+      return message.getValue();
+    if (timeWritten.hasFilter())
+      return timeWritten.getValue();
+    if (timeGenerated.hasFilter())
+      return timeGenerated.getValue();
+    return _T("UNknown...");
   }
   bool matchFilter(const EventLogRecord &value) const {
@@ -389 +409 @@
   bool unique = false;
   unsigned int truncate = 0;
-  std::wstring syntax;
+  std::wstring syntax = syntax_;
   const int filter_plus = 1;
   const int filter_minus = 2;
@@ -477 +497 @@
       while (dwRead > 0) 
       { 
-        bool bMatch = bFilterAll;
+        //bool bMatch = bFilterAll;
+        bool bMatch = !bFilterIn;
         EventLogRecord record((*cit2), pevlr, ltime);
 
@@ -487 +508 @@
 
         for (filterlist_type::const_iterator cit3 = filter_chain.begin(); cit3 != filter_chain.end(); ++cit3 ) {
+          std::wstring reason;
           int mode = (*cit3).first;
           bool bTmpMatched = (*cit3).second.matchFilter(record);
@@ -504 +526 @@
             if ((mode == filter_minus)&&(bTmpMatched)) {
               // a -<filter> hit so thrash item and bail out!
+              if (debug_)
+                NSC_DEBUG_MSG_STD(_T("Matched: - ") + (*cit3).second.getValue() + _T(" for: ") + record.render(bShowDescriptions, syntax));
               bMatch = false;
               break;
             } else if ((mode == filter_plus)&&(!bTmpMatched)) {
-                // a +<filter> missed hit so thrash item and bail out!
-                bMatch = false;
-                break;
+              // a +<filter> missed hit so thrash item and bail out!
+              if (debug_)
+                NSC_DEBUG_MSG_STD(_T("Matched: + ") + (*cit3).second.getValue() + _T(" for: ") + record.render(bShowDescriptions, syntax));
+              bMatch = false;
+              break;
             } else if (bTmpMatched) {
+              if (debug_)
+                NSC_DEBUG_MSG_STD(_T("Matched: . (contiunue): ") + (*cit3).second.getValue() + _T(" for: ") + record.render(bShowDescriptions, syntax));
               bMatch = true;
             }

modules/CheckEventLog/CheckEventLog.h

@@ -29 +29 @@
 class CheckEventLog {
 private:
+  bool debug_;
+  std::wstring syntax_;
 
 public: