enhanced nettester tool so that it re-uses it's callers environment

this enables us to work with the "usual" environment tweaks (for
debugging and other purposes), without the need for any special
handling in nettester itself

9 files changed, 297 insertions, 53 deletions

diff --git a/tests/Makefile.am b/tests/Makefile.am
index 7ca40766..53ca9cb0 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -1,6 +1,6 @@
 if ENABLE_TESTBENCH
 TESTRUNS = rt_init rscript
-check_PROGRAMS = $(TESTRUNS) ourtail nettester tcpflood chkseq msleep
+check_PROGRAMS = $(TESTRUNS) ourtail nettester tcpflood chkseq msleep randomgen
 TESTS = $(TESTRUNS) cfg.sh \
 	validation-run.sh \
 	imtcp-multiport.sh \
@@ -24,6 +24,7 @@ TESTS = $(TESTRUNS) cfg.sh \
 	dynfile_invld_sync.sh \
 	dynfile_invalid2.sh \
 	complex1.sh \
+	random.sh \
 	queue-persist.sh \
 	pipeaction.sh
 	execonlyonce.sh \
@@ -180,6 +181,8 @@ EXTRA_DIST= 1.rstest 2.rstest 3.rstest err1.rstest \
 	   testsuites/gzipwr_large_dynfile.conf \
 	   complex1.sh \
 	   testsuites/complex1.conf \
+	   random.sh \
+	   testsuites/random.conf \
 	   dynfile_invld_async.sh \
 	   dynfile_invld_sync.sh \
 	   dynfile_cachemiss.sh \
@@ -204,6 +207,9 @@ chkseq_SOURCES = chkseq.c
 tcpflood_SOURCES = tcpflood.c
 tcpflood_LDADD = $(SOL_LIBS)
 
+randomgen_SOURCES = randomgen.c
+randomgen_LDADD = $(SOL_LIBS)
+
 nettester_SOURCES = nettester.c getline.c
 nettester_LDADD = $(SOL_LIBS)
 
diff --git a/tests/diag.sh b/tests/diag.sh
index c0f736b8..2cc652ad 100755
--- a/tests/diag.sh
+++ b/tests/diag.sh
@@ -17,7 +17,7 @@ case $1 in
 		cp $srcdir/testsuites/diag-common.conf diag-common.conf
 		cp $srcdir/testsuites/diag-common2.conf diag-common2.conf
 		rm -f rsyslog.action.*.include
-		rm -f rsyslogd.started work-*.conf
+		rm -f rsyslogd.started work-*.conf rsyslog.random.data
 		rm -f rsyslogd2.started work-*.conf
 		rm -f work rsyslog.out.log rsyslog.out.log.save # common work files
 		rm -f rsyslog.out.*.log
@@ -28,7 +28,7 @@ case $1 in
    'exit')	rm -f rsyslogd.started work-*.conf diag-common.conf
    		rm -f rsyslogd2.started diag-common2.conf rsyslog.action.*.include
 		rm -f work rsyslog.out.log rsyslog.out.log.save # common work files
-		rm -f rsyslog.out.*.log
+		rm -f rsyslog.out.*.log rsyslog.random.data
 		rm -rf test-spool
 		;;
    'startup')   # start rsyslogd with default params. $2 is the config file name to use
diff --git a/tests/nettester.c b/tests/nettester.c
index e1ecbcb5..eff5929b 100644
--- a/tests/nettester.c
+++ b/tests/nettester.c
@@ -62,7 +62,7 @@ static char *testSuite = NULL; /* name of current test suite */
 static int iPort = 12514; /* port which shall be used for sending data */
 static char* pszCustomConf = NULL;	/* custom config file, use -c conf to specify */
 static int verbose = 0;	/* verbose output? -v option */
-static int useDebugEnv = 0; /* activate debugging environment (for rsyslog debug log)? */
+static char **ourEnvp;
 
 /* these two are quick hacks... */
 int iFailed = 0;
@@ -218,9 +218,6 @@ int openPipe(char *configFile, pid_t *pid, int *pfd)
 	char *newargv[] = {"../tools/rsyslogd", "dummy", "-c4", "-u2", "-n", "-irsyslog.pid",
 			   "-M../runtime/.libs:../.libs", NULL };
 	char confFile[1024];
-	char *newenviron[] = { NULL };
-	char *newenvironDeb[] = { "RSYSLOG_DEBUG=debug nostdout",
-				"RSYSLOG_DEBUGLOG=log", NULL };
 
 	sprintf(confFile, "-f%s/testsuites/%s.conf", srcdir,
 		(pszCustomConf == NULL) ? configFile : pszCustomConf);
@@ -243,7 +240,7 @@ int openPipe(char *configFile, pid_t *pid, int *pfd)
 		close(pipefd[1]);
 		close(pipefd[0]);
 		fclose(stdin);
-		execve("../tools/rsyslogd", newargv, (useDebugEnv) ? newenvironDeb : newenviron);
+		execve("../tools/rsyslogd", newargv, ourEnvp);
 	} else {            
 		close(pipefd[1]);
 		*pid = cpid;
@@ -450,7 +447,7 @@ void doAtExit(void)
  * of this file.
  * rgerhards, 2009-04-03
  */
-int main(int argc, char *argv[])
+int main(int argc, char *argv[], char *envp[])
 {
 	int fd;
 	int opt;
@@ -459,14 +456,12 @@ int main(int argc, char *argv[])
 	char buf[4096];
 	char testcases[4096];
 
+	ourEnvp = envp;
 	while((opt = getopt(argc, argv, "dc:i:p:t:v")) != EOF) {
 		switch((char)opt) {
                 case 'c':
 			pszCustomConf = optarg;
 			break;
-                case 'd': 
-			useDebugEnv = 1;
-			break;
                 case 'i':
 			if(!strcmp(optarg, "udp"))
 				inputMode = inputUDP;
diff --git a/tests/random.sh b/tests/random.sh
new file mode 100755
index 00000000..79f704c7
--- /dev/null
+++ b/tests/random.sh
@@ -0,0 +1,20 @@
+# Test if rsyslog survives sending truely random data to it...
+#
+# added 2010-04-01 by Rgerhards
+# This file is part of the rsyslog project, released  under GPLv3
+echo ===============================================================================
+echo TEST: \[random.sh\]: testing random data
+source $srcdir/diag.sh init
+# uncomment for debugging support:
+#export RSYSLOG_DEBUG="debug nostdout noprintmutexaction"
+#export RSYSLOG_DEBUGLOG="log"
+source $srcdir/diag.sh startup random.conf
+# generate random data
+./randomgen -f rsyslog.random.data -s 100000
+ls -l rsyslog.random.data
+source $srcdir/diag.sh tcpflood -B -I rsyslog.random.data -c5 -C10
+source $srcdir/diag.sh shutdown-when-empty # shut down rsyslogd when done processing messages
+source $srcdir/diag.sh wait-shutdown       # and wait for it to terminate
+# we do not check anything yet, the point is if rsyslog survived ;)
+# TODO: check for exit message, but we'll notice an abort anyhow, so not that important
+#source $srcdir/diag.sh exit
diff --git a/tests/randomgen.c b/tests/randomgen.c
new file mode 100644
index 00000000..9ba56954
--- /dev/null
+++ b/tests/randomgen.c
@@ -0,0 +1,130 @@
+/* generates random data for later use in test cases. Of course,
+ * we could generate random data during the testcase itself, but
+ * the core idea is that we record the random data so that we have
+ * a chance to reproduce a problem should it occur. IMHO this 
+ * provides the best compromise, by a) having randomness but
+ * b) knowing what was used during the test.
+ *
+ * Params
+ * -f	output file name (stdout if not given)
+ * -s	size of test data, plain number is size in k, 1MB default
+ * -u   uses /dev/urandom instead of libc random number generator
+ *      (when available). Note that this is usually much slower.
+ *
+ * Part of the testbench for rsyslog.
+ *
+ * Copyright 2010 Rainer Gerhards and Adiscon GmbH.
+ *
+ * This file is part of rsyslog.
+ *
+ * Rsyslog is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Rsyslog is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Rsyslog.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * A copy of the GPL can be found in the file "COPYING" in this distribution.
+ */
+#include "config.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <signal.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <assert.h>
+#include <unistd.h>
+#include <string.h>
+#include <netinet/in.h>
+
+#define EXIT_FAILURE 1
+
+static char *fileName = NULL;		/* name of output file */
+static int tryUseURandom = 0;		/* try to use /dev/urandom? */
+static long long fileSize = 1024*1024;	/* file size in K, 1MB default */
+
+
+/* generate the random file. This code really can be improved (e.g. read /dev/urandom
+ * when available)
+ */
+static inline void
+genFile()
+{
+	long i;
+	FILE *fp;
+	FILE *rfp = NULL;
+
+	if(fileName == NULL) {
+		fp = stdout;
+	} else {
+		if((fp = fopen(fileName, "w")) == NULL) {
+			perror(fileName);
+		}
+	}
+
+	/* try to use /dev/urandom, if available */
+	if(tryUseURandom)
+		rfp = fopen("/dev/urandom", "r");
+
+	if(rfp == NULL) {
+		/* fallback, use libc random number generator */
+		for(i = 0 ; i < fileSize ; ++i) {
+			if(fputc((char) rand(), fp) == EOF) {
+				perror(fileName);
+				exit(1);
+			}
+		}
+	} else {
+		/* use /dev/urandom */
+		printf("using /dev/urandom");
+		for(i = 0 ; i < fileSize ; ++i) {
+			if(fputc(fgetc(rfp), fp) == EOF) {
+				perror(fileName);
+				exit(1);
+			}
+		}
+	}
+
+	if(fileName != NULL)
+		fclose(fp);
+}
+
+
+/* Run the test.
+ * rgerhards, 2009-04-03
+ */
+int main(int argc, char *argv[])
+{
+	int ret = 0;
+	int opt;
+
+	srand(time(NULL));	/* seed is good enough for our needs */
+
+	while((opt = getopt(argc, argv, "f:s:u")) != -1) {
+		switch (opt) {
+		case 'f':	fileName = optarg;
+				break;
+		case 's':	fileSize = atol(optarg) * 1024;
+				break;
+		case 'u':	tryUseURandom = 1;
+				break;
+		default:	printf("invalid option '%c' or value missing - terminating...\n", opt);
+				exit (1);
+				break;
+		}
+	}
+
+	printf("generating random data file '%s' of %ldkb - may take a short while...\n",
+		fileName, (long) (fileSize / 1024));
+	genFile();
+
+	exit(ret);
+}
diff --git a/tests/rt-init.c b/tests/rt-init.c
index 66a9ad32..dbe94b4a 100644
--- a/tests/rt-init.c
+++ b/tests/rt-init.c
@@ -39,6 +39,6 @@ ENDExit
 
 BEGINTest
 CODESTARTTest
-finalize_it:
+/*finalize_it:*/
 	/* room for custom error reporter, leave blank if not needed */
 ENDTest
diff --git a/tests/tcpflood.c b/tests/tcpflood.c
index 68c1c097..e92d1308 100644
--- a/tests/tcpflood.c
+++ b/tests/tcpflood.c
@@ -20,6 +20,14 @@
  *      one field to the right. Zero (default) disables this functionality.
  * -M   the message to be sent. Disables all message format options, as
  *      only that exact same message is sent.
+ * -I   read specified input file, do NOT generate own test data. The test
+ *      completes when eof is reached.
+ * -B   The specified file (-I) is binary. No data processing is done by
+ *      tcpflood. If multiple connections are specified, data is read in
+ *      chunks and spread across the connections without taking any record
+ *      delemiters into account.
+ * -C	when input from a file is read, this file is transmitted -C times
+ *      (C like cycle, running out of meaningful option switches ;))
  *
  * Part of the testbench for rsyslog.
  *
@@ -76,6 +84,10 @@ static int *sockArray;  /* array of sockets to use */
 static int msgNum = 0;	/* initial message number to start with */
 static int bShowProgress = 1; /* show progress messages */
 static char *MsgToSend = NULL; /* if non-null, this is the actual message to send */
+static int bBinaryFile = 0;	/* is -I file binary */
+static char *dataFile = NULL;	/* name of data file, if NULL, generate own data */
+static int numFileIterations = 1;/* how often is file data to be sent? */
+FILE *dataFP = NULL;		/* file pointer for data file, if used */
 
 
 /* open a single tcp connection
@@ -167,8 +179,8 @@ int openConnections(void)
 void closeConnections(void)
 {
 	int i;
-	char msgBuf[128];
 	size_t lenMsg;
+	char msgBuf[128];
 
 	if(bShowProgress)
 		write(1, "      close connections", sizeof("      close connections")-1);
@@ -187,6 +199,62 @@ void closeConnections(void)
 }
 
 
+/* generate the message to be sent according to program command line parameters.
+ * this has been moved to its own function as we now have various different ways
+ * of constructing test messages. -- rgerhards, 2010-03-31
+ */
+static inline void
+genMsg(char *buf, size_t maxBuf, int *pLenBuf)
+{
+	int edLen; /* actual extra data length to use */
+	char extraData[MAX_EXTRADATA_LEN + 1];
+	char dynFileIDBuf[128] = "";
+	static int numMsgsGen = 0;
+	int done;
+
+	if(dataFP != NULL) {
+		/* get message from file */
+		do {
+			done = 1;
+			*pLenBuf = fread(buf, 1, 1024, dataFP);
+			if(feof(dataFP)) {
+				if(--numFileIterations > 0)  {
+					rewind(dataFP);
+					done = 0; /* need new iteration */
+				} else {
+					*pLenBuf = 0;
+					goto finalize_it;
+				}
+			}
+		} while(!done); /* Attention: do..while()! */
+	} else if(MsgToSend == NULL) {
+		if(dynFileIDs > 0) {
+			snprintf(dynFileIDBuf, maxBuf, "%d:", rand() % dynFileIDs);
+		}
+		if(extraDataLen == 0) {
+			*pLenBuf = snprintf(buf, maxBuf, "<%s>Mar  1 01:00:00 172.20.245.8 tag msgnum:%s%8.8d:\n",
+					       msgPRI, dynFileIDBuf, msgNum);
+		} else {
+			if(bRandomizeExtraData)
+				edLen = ((long) rand() + extraDataLen) % extraDataLen + 1;
+			else
+				edLen = extraDataLen;
+			memset(extraData, 'X', edLen);
+			extraData[edLen] = '\0';
+			*pLenBuf = snprintf(buf, maxBuf, "<%s>Mar  1 01:00:00 172.20.245.8 tag msgnum:%s%8.8d:%d:%s\n",
+					       msgPRI, dynFileIDBuf, msgNum, edLen, extraData);
+		}
+	} else {
+		/* use fixed message format from command line */
+		*pLenBuf = snprintf(buf, maxBuf, "%s\n", MsgToSend);
+	}
+
+	if(numMsgsGen++ >= numMsgsToSend)
+		*pLenBuf = 0; /* indicate end of run */
+
+finalize_it: ;
+}
+
 /* send messages to the tcp connections we keep open. We use
  * a very basic format that helps identify the message
  * (via msgnum:<number>: e.g. msgnum:00000001:). This format is suitable
@@ -197,52 +265,42 @@ void closeConnections(void)
  */
 int sendMessages(void)
 {
-	int i;
+	int i = 0;
 	int socknum;
 	int lenBuf;
 	int lenSend;
-	int edLen; /* actual extra data length to use */
-	char dynFileIDBuf[128] = "";
+	char *statusText;
 	char buf[MAX_EXTRADATA_LEN + 1024];
-	char extraData[MAX_EXTRADATA_LEN + 1];
 
-	printf("Sending %d messages.\n", numMsgsToSend);
+	if(dataFile == NULL) {
+		printf("Sending %d messages.\n", numMsgsToSend);
+		statusText = "messages";
+	} else {
+		printf("Sending file '%s' %d times.\n", dataFile, numFileIterations);
+		statusText = "kb";
+	}
 	if(bShowProgress)
-		printf("\r%8.8d messages sent", 0);
-	for(i = 0 ; i < numMsgsToSend ; ++i) {
+		printf("\r%8.8d %s sent", 0, statusText);
+	while(1) { /* broken inside loop! */
 		if(i < numConnections)
 			socknum = i;
 		else if(i >= numMsgsToSend - numConnections)
 			socknum = i - (numMsgsToSend - numConnections);
-		else
-			socknum = rand() % numConnections;
-		if(MsgToSend == NULL) {
-			if(dynFileIDs > 0) {
-				sprintf(dynFileIDBuf, "%d:", rand() % dynFileIDs);
-			}
-			if(extraDataLen == 0) {
-				lenBuf = sprintf(buf, "<%s>Mar  1 01:00:00 172.20.245.8 tag msgnum:%s%8.8d:\n",
-						       msgPRI, dynFileIDBuf, msgNum);
-			} else {
-				if(bRandomizeExtraData)
-					edLen = ((long) rand() + extraDataLen) % extraDataLen + 1;
-				else
-					edLen = extraDataLen;
-				memset(extraData, 'X', edLen);
-				extraData[edLen] = '\0';
-				lenBuf = sprintf(buf, "<%s>Mar  1 01:00:00 172.20.245.8 tag msgnum:%s%8.8d:%d:%s\n",
-						       msgPRI, dynFileIDBuf, msgNum, edLen, extraData);
-			}
-		} else {
-			/* use fixed message format from command line */
-			lenBuf = sprintf(buf, "%s\n", MsgToSend);
+		else {
+			int rnd = rand();
+			//socknum = rand() % numConnections;
+			socknum = rnd % numConnections;
 		}
+		genMsg(buf, sizeof(buf), &lenBuf); /* generate the message to send according to params */
+		if(lenBuf == 0)
+			break; /* end of processing! */
 		lenSend = send(sockArray[socknum], buf, lenBuf, 0);
 		if(lenSend != lenBuf) {
 			printf("\r%5.5d\n", i);
 			fflush(stdout);
 			perror("send test data");
-			printf("send() failed at socket %d, index %d, msgNum %d\n", socknum, i, msgNum);
+			printf("send() failed at socket %d, index %d, msgNum %d\n",
+				sockArray[socknum], i, msgNum);
 			fflush(stderr);
 			return(1);
 		}
@@ -251,8 +309,9 @@ int sendMessages(void)
 				printf("\r%8.8d", i);
 		}
 		++msgNum;
+		++i;
 	}
-	printf("\r%8.8d messages sent\n", i);
+	printf("\r%8.8d %s sent\n", i, statusText);
 
 	return 0;
 }
@@ -336,7 +395,7 @@ int main(int argc, char *argv[])
 	if(!isatty(1))
 		bShowProgress = 0;
 
-	while((opt = getopt(argc, argv, "f:t:p:c:m:i:P:d:n:M:r")) != -1) {
+	while((opt = getopt(argc, argv, "f:t:p:c:C:m:i:I:P:d:n:M:rB")) != -1) {
 		switch (opt) {
 		case 't':	targetIP = optarg;
 				break;
@@ -346,6 +405,8 @@ int main(int argc, char *argv[])
 				break;
 		case 'c':	numConnections = atoi(optarg);
 				break;
+		case 'C':	numFileIterations = atoi(optarg);
+				break;
 		case 'm':	numMsgsToSend = atoi(optarg);
 				break;
 		case 'i':	msgNum = atoi(optarg);
@@ -365,6 +426,14 @@ int main(int argc, char *argv[])
 				break;
 		case 'M':	MsgToSend = optarg;
 				break;
+		case 'I':	dataFile = optarg;
+				/* in this mode, we do not know the num messages to send, so
+				 * we set a (high) number to keep the code happy.
+				 */
+				numMsgsToSend = 1000000;
+				break;
+		case 'B':	bBinaryFile = 1;
+				break;
 		default:	printf("invalid option '%c' or value missing - terminating...\n", opt);
 				exit (1);
 				break;
@@ -385,6 +454,13 @@ int main(int argc, char *argv[])
 		}
 	}
 	
+	if(dataFile != NULL) {
+		if((dataFP = fopen(dataFile, "r")) == NULL) {
+			perror(dataFile);
+			exit(1);
+		}
+	}
+
 	if(openConnections() != 0) {
 		printf("error opening connections\n");
 		exit(1);
diff --git a/tests/testsuites/random.conf b/tests/testsuites/random.conf
new file mode 100644
index 00000000..a7079df1
--- /dev/null
+++ b/tests/testsuites/random.conf
@@ -0,0 +1,13 @@
+# we write to /dev/null, as we have no chance to verify the output
+# in any case. What we really check is that rsyslogd does not
+# segfault or otherwise abort.
+# rgerhards, 2010-04-01
+$IncludeConfig diag-common.conf
+
+$ModLoad ../plugins/imtcp/.libs/imtcp
+$MainMsgQueueTimeoutShutdown 10000
+$InputTCPServerRun 13514
+
+$template outfmt,"%rawmsg%\n"
+$template dynfile,"rsyslog.out.log" # trick to use relative path names!
+*.* /dev/null
diff --git a/tests/testsuites/samples.snare_ccoff_udp2 b/tests/testsuites/samples.snare_ccoff_udp2
index 7837b820..337cd97c 100644
--- a/tests/testsuites/samples.snare_ccoff_udp2
+++ b/tests/testsuites/samples.snare_ccoff_udp2
@@ -9,14 +9,18 @@
 # to be adapted. We do NOT try to preserve misbehaviour on such seriously malformed
 # messages.
 #
+# this is a very simple test, though not snare-based
+test
+insert into windows (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('', 1, 'test',5, '20100321185328', '20100321185328', 1, '')
+# and yet another one we have seen in practice
+UX=Abcd-efg-hij-klmno; XXXXX=1111111111, Z123=192.12.231.245:11111, S1234=123456789, XXXXXX=111111111
+insert into windows (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (' XXXXX=1111111111, Z123=192.12.231.245:11111, S1234=123456789, XXXXXX=111111111', 1, 'localhost',5, '20100321185328', '20100321185328', 1, 'UX=Abcd-efg-hij-klmno;')
 # Sample 1 - note the absence of PRI!
 windowsserver	MSWinEventLog	1	Security	1167	Fri Mar 19 15:33:30 2010	540	Security	SYSTEM	User	Success Audit	WINDOWSSERVER	Logon/Logoff		Successful Network Logon:     User Name: WINDOWSSERVER$     Domain: DOMX     Logon ID: (0x0,0xF88396)     Logon Type: 3     Logon Process: Kerberos     Authentication Package: Kerberos     Workstation Name:      Logon GUID: {79b6eb79-7bcc-8a2e-7dad-953c51dc00fd}     Caller User Name: -     Caller Domain: -     Caller Logon ID: -     Caller Process ID: -     Transited Services: -     Source Network Address: 10.11.11.3     Source Port: 3306    	733\n
-insert into windows (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (' Mar 19 15:33:30 2010 540 Security SYSTEM User Success Audit WINDOWSSERVER Logon/Logoff  Successful Network Logon:     User Name: WINDOWSSERVER$     Domain: DOMX     Logon ID: (0x0,0xF88396)     Logon Type: 3     Logon Process: Kerberos     Authentication Package: Kerberos     Workstation Name:      Logon GUID: {79b6eb79-7bcc-8a2e-7dad-953c51dc00fd}     Caller User Name: -     Caller Domain: -     Caller Logon ID: -     Caller Process ID: -     Transited Services: -     Source Network Address: 10.11.11.3     Source Port: 3306     733 ', 1, 'localhost',5, '20100321185328', '20100321185328', 1, 'windowsserver MSWinEventLog 1 Security 1167 Fri')
+insert into windows (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (' Mar 19 15:33:30 2010 540 Security SYSTEM User Success Audit WINDOWSSERVER Logon/Logoff  Successful Network Logon:     User Name: WINDOWSSERVER$     Domain: DOMX     Logon ID: (0x0,0xF88396)     Logon Type: 3     Logon Process: Kerberos     Authentication Package: Kerberos     Workstation Name:      Logon GUID: {79b6eb79-7bcc-8a2e-7dad-953c51dc00fd}     Caller User Name: -     Caller Domain: -     Caller Logon ID: -     Caller Process ID: -     Transited Services: -     Source Network Address: 10.11.11.3     Source Port: 3306     733', 1, 'localhost',5, '20100321185328', '20100321185328', 1, 'windowsserver MSWinEventLog 1 Security 1167 Fri')
 # Sample 2
-# the samples below need to be disabled for the "workaround patch" for the message
-# parser to work. They need to be re-enabled once a final solution has been crafted
-#windowsserver	MSWinEventLog	1	Security	1166	Fri Mar 19 15:33:30 2010	576	Security	SYSTEM	User	Success Audit	WINDOWSSERVER	Logon/Logoff		Special privileges assigned to new logon:     User Name: WINDOWSSERVER$     Domain: DOMX     Logon ID: (0x0,0xF88396)     Privileges: SeSecurityPrivilege   SeBackupPrivilege   SeRestorePrivilege   SeTakeOwnershipPrivilege   SeDebugPrivilege   SeSystemEnvironmentPrivilege   SeLoadDriverPrivilege   SeImpersonatePrivilege   SeEnableDelegationPrivilege  	732\n
-#insert into windows (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (' Mar 19 15:33:30 2010 576 Security SYSTEM User Success Audit WINDOWSSERVER Logon/Logoff  Special privileges assigned to new logon:     User Name: WINDOWSSERVER$     Domain: DOMX     Logon ID: (0x0,0xF88396)     Privileges: SeSecurityPrivilege   SeBackupPrivilege   SeRestorePrivilege   SeTakeOwnershipPrivilege   SeDebugPrivilege   SeSystemEnvironmentPrivilege   SeLoadDriverPrivilege   SeImpersonatePrivilege   SeEnableDelegationPrivilege   732', 1, 'localhost',5, '20100321185328', '20100321185328', 1, 'windowsserver MSWinEventLog 1 Security 1166 Fri')
+windowsserver	MSWinEventLog	1	Security	1166	Fri Mar 19 15:33:30 2010	576	Security	SYSTEM	User	Success Audit	WINDOWSSERVER	Logon/Logoff		Special privileges assigned to new logon:     User Name: WINDOWSSERVER$     Domain: DOMX     Logon ID: (0x0,0xF88396)     Privileges: SeSecurityPrivilege   SeBackupPrivilege   SeRestorePrivilege   SeTakeOwnershipPrivilege   SeDebugPrivilege   SeSystemEnvironmentPrivilege   SeLoadDriverPrivilege   SeImpersonatePrivilege   SeEnableDelegationPrivilege  	732\n
+insert into windows (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (' Mar 19 15:33:30 2010 576 Security SYSTEM User Success Audit WINDOWSSERVER Logon/Logoff  Special privileges assigned to new logon:     User Name: WINDOWSSERVER$     Domain: DOMX     Logon ID: (0x0,0xF88396)     Privileges: SeSecurityPrivilege   SeBackupPrivilege   SeRestorePrivilege   SeTakeOwnershipPrivilege   SeDebugPrivilege   SeSystemEnvironmentPrivilege   SeLoadDriverPrivilege   SeImpersonatePrivilege   SeEnableDelegationPrivilege   732', 1, 'localhost',5, '20100321185328', '20100321185328', 1, 'windowsserver MSWinEventLog 1 Security 1166 Fri')
 # Sample 3
-#windowsserver	MSWinEventLog	1	Security	1165	Fri Mar 19 15:33:30 2010	538	Security	SYSTEM	User	Success Audit	WINDOWSSERVER	Logon/Logoff		User Logoff:     User Name: WINDOWSSERVER$     Domain: DOMX     Logon ID: (0x0,0xF8830B)     Logon Type: 3    	731\n
-#insert into windows (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (' Mar 19 15:33:30 2010 538 Security SYSTEM User Success Audit WINDOWSSERVER Logon/Logoff  User Logoff:     User Name: WINDOWSSERVER$     Domain: DOMX     Logon ID: (0x0,0xF8830B)     Logon Type: 3     731', 1, 'localhost',5, '20100321185328', '20100321185328', 1, 'windowsserver MSWinEventLog 1 Security 1165 Fri')
+windowsserver	MSWinEventLog	1	Security	1165	Fri Mar 19 15:33:30 2010	538	Security	SYSTEM	User	Success Audit	WINDOWSSERVER	Logon/Logoff		User Logoff:     User Name: WINDOWSSERVER$     Domain: DOMX     Logon ID: (0x0,0xF8830B)     Logon Type: 3    	731\n
+insert into windows (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (' Mar 19 15:33:30 2010 538 Security SYSTEM User Success Audit WINDOWSSERVER Logon/Logoff  User Logoff:     User Name: WINDOWSSERVER$     Domain: DOMX     Logon ID: (0x0,0xF8830B)     Logon Type: 3     731', 1, 'localhost',5, '20100321185328', '20100321185328', 1, 'windowsserver MSWinEventLog 1 Security 1165 Fri')