diff options
author | Rainer Gerhards <rgerhards@adiscon.com> | 2011-04-13 14:21:18 +0200 |
---|---|---|
committer | Rainer Gerhards <rgerhards@adiscon.com> | 2011-04-13 14:21:18 +0200 |
commit | 209ab60f85001fcb4763fd125de879a00bb1b87f (patch) | |
tree | d4cc054ac1fb225bac86a56dd4502a195059c0a7 | |
parent | 92a782dd2fc85c233f7144d86970321f2bfee588 (diff) | |
download | rsyslog-209ab60f85001fcb4763fd125de879a00bb1b87f.tar.gz rsyslog-209ab60f85001fcb4763fd125de879a00bb1b87f.tar.xz rsyslog-209ab60f85001fcb4763fd125de879a00bb1b87f.zip |
added log classification capabilities (via mmnormalize & tags)
-rw-r--r-- | ChangeLog | 1 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | plugins/mmnormalize/mmnormalize.c | 6 | ||||
-rw-r--r-- | runtime/msg.c | 29 |
4 files changed, 18 insertions, 20 deletions
@@ -1,5 +1,6 @@ --------------------------------------------------------------------------- Version 6.1.7 [DEVEL] (rgerhards), 2011-03-?? +- added log classification capabilities (via mmnormalize & tags) - speeded up tcp forwarding by reducing number of API calls - somewhat improved documentation index --------------------------------------------------------------------------- diff --git a/configure.ac b/configure.ac index 4a2e354a..310f83ce 100644 --- a/configure.ac +++ b/configure.ac @@ -37,7 +37,7 @@ PKG_PROG_PKG_CONFIG # modules we require PKG_CHECK_MODULES(LIBESTR, libestr >= 0.1.0) -PKG_CHECK_MODULES(LIBEE, libee >= 0.1.0) +PKG_CHECK_MODULES(LIBEE, libee >= 0.3.1) case "${host}" in *-*-linux*) diff --git a/plugins/mmnormalize/mmnormalize.c b/plugins/mmnormalize/mmnormalize.c index 8db4ad45..9c23afde 100644 --- a/plugins/mmnormalize/mmnormalize.c +++ b/plugins/mmnormalize/mmnormalize.c @@ -65,7 +65,7 @@ typedef struct _instanceData { } instanceData; typedef struct configSettings_s { - uchar *rulebase; /**< name of sample db to use */ + uchar *rulebase; /**< name of normalization rulebase to use */ sbool bUseRawMsg; /**< use %rawmsg% instead of %msg% */ } configSettings_t; @@ -150,7 +150,7 @@ CODE_STD_STRING_REQUESTparseSelectorAct(1) } if(cs.rulebase == NULL) { - errmsg.LogError(0, RS_RET_NO_RULESET, "error: no sample database was specified, use " + errmsg.LogError(0, RS_RET_NO_RULESET, "error: no normalization rulebase was specified, use " "$MMNormalizeSampleDB directive first!"); ABORT_FINALIZE(RS_RET_NO_RULESET); } @@ -182,7 +182,7 @@ CODE_STD_STRING_REQUESTparseSelectorAct(1) } ln_setEECtx(pData->ctxln, pData->ctxee); if(ln_loadSamples(pData->ctxln, (char*) cs.rulebase) != 0) { - errmsg.LogError(0, RS_RET_NO_RULESET, "error: sample db '%s' could not be loaded " + errmsg.LogError(0, RS_RET_NO_RULESET, "error: normalization rulebase '%s' could not be loaded " "cannot activate action", cs.rulebase); ee_exitCtx(pData->ctxee); ln_exitCtx(pData->ctxln); diff --git a/runtime/msg.c b/runtime/msg.c index d2612437..c5cbb5c8 100644 --- a/runtime/msg.c +++ b/runtime/msg.c @@ -2256,20 +2256,20 @@ static uchar *getNOW(eNOWType eNow) static inline void getCEEPropVal(msg_t *pMsg, es_str_t *propName, uchar **pRes, int *buflen, unsigned short *pbMustBeFreed) { - struct ee_field *field; - es_str_t *str; + es_str_t *str = NULL; + int r; if(*pbMustBeFreed) free(*pRes); *pRes = NULL; if(pMsg->event == NULL) goto finalize_it; - if((field = ee_getEventField(pMsg->event, propName)) == NULL) - goto finalize_it; - /* right now, we always extract data from the first field value. A reason for this - * is that as of now (2010-12-01) liblognorm never populates more than one ;) - */ - if((str = ee_getFieldValueAsStr(field, 0)) == NULL) goto finalize_it; + r = ee_getEventFieldAsString(pMsg->event, propName, &str); + + if(r != EE_OK) { + DBGPRINTF("msgGtCEEVar: libee error %d during ee_getEventFieldAsString\n", r); + FINALIZE; + } *pRes = (unsigned char*) es_str2cstr(str, "#000"); es_deleteStr(str); *buflen = (int) ustrlen(*pRes); @@ -2489,6 +2489,7 @@ uchar *MsgGetProp(msg_t *pMsg, struct templateEntry *pTpe, break; case PROP_CEE: getCEEPropVal(pMsg, propName, &pRes, &bufLen, pbMustBeFreed); + break; case PROP_SYS_BOM: if(*pbMustBeFreed == 1) free(pRes); @@ -3110,7 +3111,7 @@ msgGetCEEVar(msg_t *pMsg, cstr_t *propName, var_t **ppVar) cstr_t *pstrProp; es_str_t *str = NULL; es_str_t *epropName = NULL; - struct ee_field *field; + int r; ISOBJ_TYPE_assert(pMsg, msg); ASSERT(propName != NULL); @@ -3121,14 +3122,10 @@ msgGetCEEVar(msg_t *pMsg, cstr_t *propName, var_t **ppVar) CHKiRet(var.ConstructFinalize(pVar)); epropName = es_newStrFromBuf((char*)propName->pBuf, propName->iStrLen); - if((field = ee_getEventField(pMsg->event, epropName)) != NULL) { - /* right now, we always extract data from the first field value. A reason for this - * is that as of now (2010-12-01) liblognorm never populates more than one ;) - */ - str = ee_getFieldValueAsStr(field, 0); - } + r = ee_getEventFieldAsString(pMsg->event, epropName, &str); - if(str == NULL) { + if(r != EE_OK) { + DBGPRINTF("msgGtCEEVar: libee error %d during ee_getEventFieldAsString\n", r); CHKiRet(cstrConstruct(&pstrProp)); CHKiRet(cstrFinalize(pstrProp)); } else { |