require 'pp'
require 'RunType.rb'
require 'Host.rb'
require 'Codegen.rb'
require 'Config.rb'
require 'LogFile.rb'
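class Realtime
  # Real-time log dispatcher.
  #
  # Reads syslog-style records from the pipe named by $options['rt_socket'],
  # resolves each record's host name to a Host object (exact name first, then
  # the configured host patterns) and hands the parsed record to that host's
  # generated rule-set method.
  #
  # Construction side effects: assigns the global $run to this instance, resets
  # the global $threads, and lets start_code (from Codegen) populate @hosts and
  # @host_patterns.
  include Codegen

  # Register an action class under +key+.
  def add_action_class(key, value)
    @action_classes[key] = value
  end

  # Look up the action class registered under +key+ (nil when unknown).
  def action_class(key)
    @action_classes[key]
  end

  attr_writer :action_classes
  attr_reader :thread, :re_read_conf

  def initialize
    $run = self
    @action_classes = {}
    @hosts = {}
    @buckets = {}
    @counters = {}
    @host_patterns = {}
    # No reader thread is started yet (the Thread.new wrapper in run_it is
    # disabled), so @thread stays false; kill_it tolerates that.
    @thread = false
    $threads = []
    @re_read_conf = false
    # Codegen defines one class per configured host. Each inherits from Host and
    # carries that host's generated scanning and alerting methods.
    start_code('realtime', @hosts, @host_patterns)
  end

  # Read records from the real-time pipe until EOF and dispatch each one to the
  # host it belongs to. Runs in the calling thread.
  #
  # Trust boundary: the host name is taken from the log record itself, i.e. from
  # whatever the remote sender claims. Everything keyed on it here (@hosts,
  # files) grows by one entry per distinct spoofed name that matches a host
  # pattern, so a hostile sender can inflate memory until the process is
  # restarted. TODO: cap the number of dynamically created hosts.
  def run_it
    files = {}
    # Unused locally; kept because LogFile.new may register the default log file
    # as a side effect -- TODO confirm before removing.
    def_logf = LogFile.new('default', nil)
    # Built once (the original used /o for the same effect). Regexp.escape keeps
    # the dots in the configured domain from matching arbitrary characters.
    domain_re = /\.#{Regexp.escape($options['hostdomain'])}$/ if $options['hostdomain']
    File.open($options['rt_socket'], 'r') do |logs|
      begin
        while logs.gets
          hn = $log_store.extract_rt_host($_)
          # A record the store cannot attribute to a host used to raise
          # NoMethodError (nil.sub!) and take the whole reader down with it.
          next unless hn
          hn = hn.sub(domain_re, '') if domain_re
          next if $options['one_host'] && $options['one_host'] != hn
          host = host_for(hn)
          next unless host
          unless files[hn]
            f = host.file['all']
            if f
              # The original read @file['all'] here, but Realtime never sets
              # @file, so the Regexp branch always raised on nil. f is the same
              # host.file['all'] value. NOTE(review): LogFile.new is called with
              # two arguments above; confirm the one-argument form is intended.
              files[hn] = f.is_a?(Regexp) ? LogFile.new(f) : f
            end
          end
          # A host with no 'all' file used to crash the reader on nil['logtype'];
          # skip its records instead.
          next unless files[hn]
          rec = files[hn]['logtype'].gets(nil, $_)
          pp rec if $options['debug.split']
          puts rec.orec
          # public_send: the rule-set name comes from generated configuration,
          # not from the record, but it should still only reach public methods.
          host.public_send(host.rule_set, 'TEST', rec)
        end
      rescue StandardError => e
        # Exception has no #to_str; the original handler raised NoMethodError
        # itself and hid the real error. The reader loop still ends here.
        puts "\n", e.message
        puts e.backtrace.join("\n")
      end
    end
  end

  # Supervisor loop: sleeps a minute at a time, expires buckets, and returns true
  # once a HUP has requested a configuration re-read.
  #
  # The HUP handler sets @re_read_conf and then sends ALRM to the whole process
  # group (pid 0), not just this process. NOTE(review): nothing in this file
  # traps ALRM, whose default action terminates the receiver; confirm a handler
  # is installed elsewhere before relying on it to interrupt the sleep.
  # TODO: add the child-alive check the original comments describe.
  def watch_it
    Signal.trap('HUP') do
      @re_read_conf = true
      Process.kill('ALRM', 0)
    end
    loop do
      sleep(60)
      # The original tested a local `re_read_conf` that was only ever assigned
      # false, so the HUP request was never observed and this never returned.
      return true if @re_read_conf
      now = Time.now
      # NOTE(review): initialize sets @buckets but this reads the global $bucket;
      # confirm which one is authoritative.
      $bucket.delete_if { |_type, bucket| bucket.check(now) == 0 }
    end
  end

  # Stop the reader thread if one was started. @thread is false until run_it is
  # moved back onto a Thread, so guard rather than call kill on false.
  def kill_it
    @thread.kill if @thread
  end

  private

  # Resolve +hn+ to its Host: an exact entry in @hosts first, otherwise the
  # first configured pattern that matches, in which case a copy of the pattern's
  # prototype is named +hn+ and cached under it. Returns nil when nothing
  # matches.
  def host_for(hn)
    host = @hosts[hn]
    return host if host
    @host_patterns.each_value do |proto|
      next unless hn.match(proto.pattern)
      host = @hosts[hn] = proto.dup
      host.name = hn
      break
    end
    host
  end
end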