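/* NOTE(review): tail of elog_open_tdb(); the function's head lies above this chunk and is left as-is. */
	if ( !tdb )
		tdb = elog_init_tdb( tdbpath );

	/* if we got a valid context, then add it to the list */

	if ( tdb ) {
		/* on a forced clear, just reset the tdb context if we already
		   have an open entry in the list */

		if ( ptr ) {
			ptr->tdb = tdb;
			return ptr;
		}

		if ( !(tdb_node = TALLOC_ZERO_P( NULL, ELOG_TDB)) ) {
			DEBUG(0,("elog_open_tdb: talloc() failure!\n"));
			tdb_close( tdb );
			return NULL;
		}

		tdb_node->name = talloc_strdup( tdb_node, logname );
		tdb_node->tdb = tdb;
		tdb_node->ref_count = 1;

		DLIST_ADD( open_elog_list, tdb_node );
	}

	return tdb_node;
}

/*******************************************************************
 Drop one reference to an open eventlog tdb.

 etdb        - list node returned by elog_open_tdb(); NULL is a no-op.
 force_close - close the underlying tdb even if other references
               remain.  The node stays on open_elog_list with a NULL
               tdb so a later elog_open_tdb() can re-attach to it
               (see the "forced clear" path above).

 Returns the result of tdb_close() when a tdb is actually closed,
 otherwise 0.  A node whose tdb was already force-closed (tdb == NULL)
 is not closed again.
*******************************************************************/

int elog_close_tdb( ELOG_TDB *etdb, BOOL force_close )
{
	TDB_CONTEXT *tdb;

	if ( !etdb )
		return 0;

	etdb->ref_count--;
	SMB_ASSERT( etdb->ref_count >= 0 );

	if ( etdb->ref_count == 0 ) {
		/* last reference: unlink and free the node before closing so the
		   list never points at a freed tdb */
		tdb = etdb->tdb;
		DLIST_REMOVE( open_elog_list, etdb );
		TALLOC_FREE( etdb );
		return tdb ? tdb_close( tdb ) : 0;
	}

	if ( force_close ) {
		/* guard against a second forced close on the same node, where
		   etdb->tdb has already been cleared */
		tdb = etdb->tdb;
		etdb->tdb = NULL;
		return tdb ? tdb_close( tdb ) : 0;
	}

	return 0;
}

/*******************************************************************
 write an eventlog entry. Note that we have to lock, read next
 eventlog, increment, write, write the record, unlock

 coming into this, ee has the eventlog record, and the auxilliary date
 (computer name, etc.) filled into the other structure.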
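Before packing into a record, this routine will calc the appropriate
 padding, etc., and then blast out the record in a form that can be
 read back in.

 Returns the record number the entry was stored under, or 0 on
 failure (NULL entry, bogus timestamp, length fields that exceed their
 buffers, no room in the log, allocation failure, or a tdb error).
*******************************************************************/

/* slack on top of record.length for the per-field length words that
   tdb_pack emits for the "B" fields */
#define MARGIN 512

/*******************************************************************
 Reject an entry whose declared lengths exceed the fixed-size arrays
 that back them.  tdb_pack() trusts these lengths when it copies the
 "B" fields, so an oversized length would make it read past the
 struct and store that memory in the log.
*******************************************************************/

static BOOL eventlog_entry_lengths_ok( const Eventlog_entry * ee )
{
	if ( ee->data_record.source_name_len > sizeof( ee->data_record.source_name ) )
		return False;
	if ( ee->data_record.computer_name_len > sizeof( ee->data_record.computer_name ) )
		return False;
	if ( ee->record.user_sid_length > sizeof( ee->data_record.sid ) )
		return False;
	if ( ee->data_record.strings_len > sizeof( ee->data_record.strings ) )
		return False;
	if ( ee->data_record.user_data_len > sizeof( ee->data_record.user_data ) )
		return False;
	return True;
}

int write_eventlog_tdb( TDB_CONTEXT * the_tdb, Eventlog_entry * ee )
{
	int32 next_record;
	uint8 *packed_ee;
	TALLOC_CTX *mem_ctx = NULL;
	TDB_DATA kbuf, ebuf;
	uint32 n_packed;
	uint32 buf_len;

	if ( !ee )
		return 0;

	/* discard any entries that have bogus time, which usually indicates
	   a bogus entry as well.  Checked before anything is allocated so
	   the early return leaks nothing. */
	if ( ee->record.time_generated == 0 )
		return 0;

	fixup_eventlog_entry( ee );

	if ( !eventlog_entry_lengths_ok( ee ) ) {
		DEBUG( 3, ( "write_eventlog_tdb: entry length fields exceed their buffers, dropping it\n" ) );
		return 0;
	}

	if ( !can_write_to_eventlog( the_tdb, ee->record.length ) ) {
		DEBUG( 3, ( "Can't write to Eventlog, no room \n" ) );
		return 0;
	}

	mem_ctx = talloc_init( "write_eventlog_tdb" );
	if ( mem_ctx == NULL )
		return 0;

	/* alloc mem for the packed version */
	buf_len = ee->record.length + MARGIN;
	packed_ee = TALLOC( mem_ctx, buf_len );
	if ( !packed_ee ) {
		talloc_destroy( mem_ctx );
		return 0;
	}

	/* The record number is read, used and advanced under the chain lock
	   on EVT_NEXT_RECORD so two writers cannot hand out the same number.
	   tdb_lock_bystring() is non-zero on failure; without the lock we
	   must not touch the counter at all. */
	if ( tdb_lock_bystring( the_tdb, EVT_NEXT_RECORD, 1 ) != 0 ) {
		DEBUG( 1, ( "write_eventlog_tdb: can't lock the next-record counter\n" ) );
		talloc_destroy( mem_ctx );
		return 0;
	}

	/* read; tdb_fetch_int32() hands back -1 when the key is missing or
	   unreadable, and a record must never be stored under a negative key */
	next_record = tdb_fetch_int32( the_tdb, EVT_NEXT_RECORD );
	if ( next_record < 0 ) {
		DEBUG( 1, ( "write_eventlog_tdb: can't read the next-record counter\n" ) );
		tdb_unlock_bystring( the_tdb, EVT_NEXT_RECORD );
		talloc_destroy( mem_ctx );
		return 0;
	}

	/* the record number we just read is packed in place of
	   ee->record.record_number */
	n_packed = tdb_pack( (char *)packed_ee, buf_len,
			     "ddddddwwwwddddddBBdBBBd",
			     ee->record.length,
			     ee->record.reserved1,
			     next_record,
			     ee->record.time_generated,
			     ee->record.time_written,
			     ee->record.event_id,
			     ee->record.event_type,
			     ee->record.num_strings,
			     ee->record.event_category,
			     ee->record.reserved2,
			     ee->record.closing_record_number,
			     ee->record.string_offset,
			     ee->record.user_sid_length,
			     ee->record.user_sid_offset,
			     ee->record.data_length,
			     ee->record.data_offset,
			     ee->data_record.source_name_len,
			     ee->data_record.source_name,
			     ee->data_record.computer_name_len,
			     ee->data_record.computer_name,
			     ee->data_record.sid_padding,
			     ee->record.user_sid_length,
			     ee->data_record.sid,
			     ee->data_record.strings_len,
			     ee->data_record.strings,
			     ee->data_record.user_data_len,
			     ee->data_record.user_data,
			     ee->data_record.data_padding );

	/* tdb_pack() reports the size the record needed; more than we handed
	   it means packed_ee holds a truncated record and storing n_packed
	   bytes would read past the allocation */
	if ( n_packed > buf_len ) {
		DEBUG( 1, ( "write_eventlog_tdb: packed record (%u bytes) overflows its buffer (%u bytes)\n",
			    (unsigned int)n_packed, (unsigned int)buf_len ) );
		tdb_unlock_bystring( the_tdb, EVT_NEXT_RECORD );
		talloc_destroy( mem_ctx );
		return 0;
	}

	/* the key is the host-endian int32 record number, matching the
	   reader's expectation */
	kbuf.dsize = sizeof( int32 );
	kbuf.dptr = (char *) &next_record;

	ebuf.dsize = n_packed;
	ebuf.dptr = (char *)packed_ee;

	if ( tdb_store( the_tdb, kbuf, ebuf, 0 ) ) {
		tdb_unlock_bystring( the_tdb, EVT_NEXT_RECORD );
		talloc_destroy( mem_ctx );
		return 0;
	}

	/* increment the record count; tdb_store_int32() is non-zero on
	   failure like tdb_store().  If the counter cannot be advanced the
	   record is on disk but the next write would overwrite it, so that
	   is reported as a failure rather than a success. */
	next_record++;
	if ( tdb_store_int32( the_tdb, EVT_NEXT_RECORD, next_record ) != 0 ) {
		DEBUG( 1, ( "write_eventlog_tdb: can't advance the next-record counter\n" ) );
		tdb_unlock_bystring( the_tdb, EVT_NEXT_RECORD );
		talloc_destroy( mem_ctx );
		return 0;
	}

	tdb_unlock_bystring( the_tdb, EVT_NEXT_RECORD );
	talloc_destroy( mem_ctx );

	return ( next_record - 1 );
}

/*******************************************************************
 Calculate the padding and total length fields of an eventlog entry
 from the lengths of its variable-sized parts.

 On return ee->data_record.sid_padding / data_padding pad the name
 block and the strings+data block out to a DWORD boundary, and
 ee->record.length is the on-disk size of the whole record including
 the trailing copy of the length word.
*******************************************************************/

void fixup_eventlog_entry( Eventlog_entry * ee )
{
	uint32 names_len = ee->data_record.source_name_len
		+ ee->data_record.computer_name_len;
	uint32 payload_len = ee->data_record.strings_len
		+ ee->data_record.user_data_len;

	ee->data_record.sid_padding = ( 4 - ( names_len % 4 ) ) % 4;
	ee->data_record.data_padding = ( 4 - ( payload_len % 4 ) ) % 4;

	if ( ee->record.user_sid_length == 0 ) {
		/* Should not pad to a DWORD boundary for writing out the sid if
		   there is no SID, so just propagate the padding to pad the data */
		ee->data_record.data_padding += ee->data_record.sid_padding;
		ee->data_record.sid_padding = 0;
	}

	ee->record.length = sizeof( Eventlog_record )
		+ names_len
		+ ee->data_record.sid_padding
		+ ee->record.user_sid_length
		+ payload_len
		+ ee->data_record.data_padding
		+ sizeof( ee->record.length );	/* another copy of length at the end of the data */
}

/*******************************************************************
 True when the text between start and stop is exactly the tag key.
 An exact length match is required: comparing only stop-start bytes
 would accept any prefix of the key (an empty tag or "LE" would parse
 as "LEN").
*******************************************************************/

static BOOL logentry_tag_is( const char *start, const char *stop, const char *key )
{
	size_t key_len = strlen( key );

	return ( (size_t)( stop - start ) == key_len )
		&& ( strncmp( start, key, key_len ) == 0 );
}

/*******************************************************************
 Return the value text of a "TAG: value" line: skip the ':' at stop
 and any whitespace after it.
*******************************************************************/

static const char *logentry_value( const char *stop )
{
	stop++;
	while ( isspace( (unsigned char) stop[0] ) )
		stop++;
	return stop;
}

/********************************************************************
 Parse one "TAG: value" line of a textual eventlog record into entry.

 Note that it's a pretty good idea to initialize the Eventlog_entry
 structure to zero's before calling parse_logentry on an batch of
 lines that may resolve to a record.  ALSO, it's a good idea to remove
 any linefeeds (that's EOL to you and me) on the lines going in.

 line  - the input line (untrusted text); an empty or NULL line marks
         the end of a record and sets *eor to True.
 entry - record being assembled; string fields are pushed as UCS2
         into its fixed-size arrays.
 eor   - set to True on the end-of-record line, untouched otherwise.

 Returns False on a line with no ':', an unrecognised ETP value, a USL
 value that cannot fit in data_record.sid, or a STR line when the
 strings array is already full.  Unknown tags are ignored (True).
 The STR lines must all precede the single DAT line: DAT converts the
 accumulated strings_len to a byte count.
********************************************************************/

BOOL parse_logentry( char *line, Eventlog_entry * entry, BOOL * eor )
{
	const char *start = line;
	const char *stop;
	const char *value;
	size_t value_len;

	/* empty line signifying record delimiter, or we're at the end of the buffer */
	if ( start == NULL || start[0] == '\0' ) {
		DEBUG( 6, ( "parse_logentry: found end-of-record indicator.\n" ) );
		*eor = True;
		return True;
	}

	if ( !( stop = strchr( start, ':' ) ) )
		return False;

	DEBUG( 6, ( "parse_logentry: trying to parse [%s].\n", line ) );

	if ( logentry_tag_is( start, stop, "LEN" ) ) {
		/* This will get recomputed later anyway -- probably not necessary */
		entry->record.length = atoi( stop + 1 );
	} else if ( logentry_tag_is( start, stop, "RS1" ) ) {
		/* For now all these reserved entries seem to have the same value,
		   which can be hardcoded to int(1699505740) for now */
		entry->record.reserved1 = atoi( stop + 1 );
	} else if ( logentry_tag_is( start, stop, "RCN" ) ) {
		entry->record.record_number = atoi( stop + 1 );
	} else if ( logentry_tag_is( start, stop, "TMG" ) ) {
		entry->record.time_generated = atoi( stop + 1 );
	} else if ( logentry_tag_is( start, stop, "TMW" ) ) {
		entry->record.time_written = atoi( stop + 1 );
	} else if ( logentry_tag_is( start, stop, "EID" ) ) {
		entry->record.event_id = atoi( stop + 1 );
	} else if ( logentry_tag_is( start, stop, "ETP" ) ) {
		/* first match wins, so the AUDIT_* names must be tried before
		   the bare "SUCCESS" they contain */
		static const struct {
			const char *name;
			int type;
		} event_types[] = {
			{ "ERROR",         EVENTLOG_ERROR_TYPE },
			{ "WARNING",       EVENTLOG_WARNING_TYPE },
			{ "INFO",          EVENTLOG_INFORMATION_TYPE },
			{ "AUDIT_SUCCESS", EVENTLOG_AUDIT_SUCCESS },
			{ "AUDIT_FAILURE", EVENTLOG_AUDIT_FAILURE },
			{ "SUCCESS",       EVENTLOG_SUCCESS },
		};
		size_t i;

		for ( i = 0; i < sizeof( event_types ) / sizeof( event_types[0] ); i++ ) {
			if ( strstr( start, event_types[i].name ) ) {
				entry->record.event_type = event_types[i].type;
				break;
			}
		}
		if ( i == sizeof( event_types ) / sizeof( event_types[0] ) ) {
			/* some other eventlog type -- currently not defined in MSDN
			   docs, so error out */
			return False;
		}
	} else if ( logentry_tag_is( start, stop, "ECT" ) ) {
		entry->record.event_category = atoi( stop + 1 );
	} else if ( logentry_tag_is( start, stop, "RS2" ) ) {
		entry->record.reserved2 = atoi( stop + 1 );
	} else if ( logentry_tag_is( start, stop, "CRN" ) ) {
		entry->record.closing_record_number = atoi( stop + 1 );
	} else if ( logentry_tag_is( start, stop, "USL" ) ) {
		int usl = atoi( stop + 1 );

		/* the SID is packed from data_record.sid using this length, so it
		   must not claim more bytes than that array holds */
		if ( usl < 0 || (size_t) usl > sizeof( entry->data_record.sid ) ) {
			DEBUG( 3, ( "parse_logentry: bogus USL value %d, dropping record.\n", usl ) );
			return False;
		}
		entry->record.user_sid_length = usl;
	} else if ( logentry_tag_is( start, stop, "SRC" ) ) {
		/* push straight from the line: the former copy through a pstring
		   was an unbounded strncpy of untrusted input */
		rpcstr_push( ( void * ) ( entry->data_record.source_name ),
			     logentry_value( stop ),
			     sizeof( entry->data_record.source_name ), STR_TERMINATE );
		entry->data_record.source_name_len =
			( strlen_w( entry->data_record.source_name ) * 2 ) + 2;
	} else if ( logentry_tag_is( start, stop, "SRN" ) ) {
		rpcstr_push( ( void * ) ( entry->data_record.computer_name ),
			     logentry_value( stop ),
			     sizeof( entry->data_record.computer_name ), STR_TERMINATE );
		entry->data_record.computer_name_len =
			( strlen_w( entry->data_record.computer_name ) * 2 ) + 2;
	} else if ( logentry_tag_is( start, stop, "SID" ) ) {
		rpcstr_push( ( void * ) ( entry->data_record.sid ),
			     logentry_value( stop ),
			     sizeof( entry->data_record.sid ), STR_TERMINATE );
		entry->record.user_sid_length =
			( strlen_w( entry->data_record.sid ) * 2 ) + 2;
	} else if ( logentry_tag_is( start, stop, "STR" ) ) {
		/* strings_len counts elements of data_record.strings until DAT
		   scales it; the offset and the remaining budget are therefore
		   both expressed via the element size so the byte budget handed
		   to rpcstr_push() can never exceed what is really left */
		size_t elem = sizeof( entry->data_record.strings[0] );
		size_t capacity = sizeof( entry->data_record.strings ) / elem;
		size_t used = entry->data_record.strings_len * elem;

		if ( used >= sizeof( entry->data_record.strings ) ) {
			DEBUG( 3, ( "parse_logentry: no room for another string, dropping record.\n" ) );
			return False;
		}

		value = logentry_value( stop );
		value_len = strlen( value );

		rpcstr_push( ( void * ) ( entry->data_record.strings + entry->data_record.strings_len ),
			     value,
			     sizeof( entry->data_record.strings ) - used, STR_TERMINATE );

		/* NOTE(review): assumes one element per input byte (ASCII) and
		   no truncation, as the original accounting did; clamped so a
		   long line cannot push the count past the array */
		entry->data_record.strings_len += value_len + 1;
		if ( entry->data_record.strings_len > capacity )
			entry->data_record.strings_len = capacity;
		entry->record.num_strings++;
	} else if ( logentry_tag_is( start, stop, "DAT" ) ) {
		/* Now that we're done processing the STR data, adjust the length
		   to account for unicode, then proceed with the DAT data. */
		entry->data_record.strings_len *= 2;

		value = logentry_value( stop );
		value_len = strlen( value );

		memset( entry->data_record.user_data, 0, sizeof( entry->data_record.user_data ) );

		/* copy no more than fits in user_data */
		if ( value_len > sizeof( entry->data_record.user_data ) )
			value_len = sizeof( entry->data_record.user_data );
		entry->data_record.user_data_len = value_len;
		if ( value_len > 0 )
			memcpy( entry->data_record.user_data, value, value_len );
	} else {
		/* some other eventlog entry -- not implemented, so dropping on the floor */
		DEBUG( 10, ( "Unknown entry [%s]. Ignoring.\n", line ) );
		/* For now return true so that we can keep on parsing this mess.
		   Eventually we will return False here. */
		return True;
	}

	return True;
}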