From: Balint Kovacs <blint@blint.hu> It was quite unintuitive to determine if a previous message exists in the correlation context as the basis of the decision whether an action should be run or not. This patch adds support for the min-messages and max-messages attributes of the action XML node, the action is run only, of the correlation context contains more or equal messages as the min-messages attribute and less or equal messages as the max-messages attribute. This way it is easy to determine if a context contains sufficient amount of messages for the event to be complete and run a different action if it is not, e.g. if 2 messages are needed for an event, this should emit an event message if there are enough messages and an error message if not. <actions> <action min-messages='2'> <message> <values> <value name="PROGRAM">event</value> <value name="MESSAGE">Hello event!</value> </values> </message> </action> <action max-messages='1'> <message> <values> <value name="PROGRAM">error</value> <value name="MESSAGE">Hello error!</value> </values> </message> </action> </actions> Signed-off-by: Balint Kovacs <blint@blint.hu>
---
 modules/dbparser/patterndb-int.h | 2 ++
 modules/dbparser/patterndb.c | 10 +++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/modules/dbparser/patterndb-int.h b/modules/dbparser/patterndb-int.h
index 154b686..9c1385e 100644
--- a/modules/dbparser/patterndb-int.h
+++ b/modules/dbparser/patterndb-int.h
@@ -122,6 +122,8 @@ enum
 typedef struct _PDBAction
 {
 FilterExprNode *condition;
+ guint32 min_messages;
+ guint32 max_messages;
 guint8 trigger;
 guint8 content_type;
 guint16 rate;
diff --git a/modules/dbparser/patterndb.c b/modules/dbparser/patterndb.c
index 168a24c..715fb4a 100644
--- a/modules/dbparser/patterndb.c
+++ b/modules/dbparser/patterndb.c
@@ -410,6 +410,8 @@ pdb_action_new(gint id)
 self->content_type = RAC_NONE;
 self->id = id;
 self->inherit_nvpairs = FALSE;
+ self->min_messages = 0;
+ self->max_messages = 0;
 return self;
 }
@@ -557,7 +559,9 @@ pdb_rule_run_actions(PDBRule *self, gint trigger, PatternDB *db, PDBContext *con
 if ((!action->condition || (!context || filter_expr_eval_with_context(action->condition, (LogMessage **) context->messages->pdata, context->messages->len))) &&
- pdb_rule_check_rate_limit(self, db, action, msg, buffer))
+ (action->min_messages == 0 || action->min_messages <= context->messages->len) &&
+ (action->max_messages == 0 || action->max_messages >= context->messages->len) &&
+ pdb_rule_check_rate_limit(self, db, action, msg, buffer))
 {
 switch (action->content_type)
 {
@@ -958,6 +962,10 @@ pdb_loader_start_element(GMarkupParseContext *context, const gchar *element_name
 pdb_action_set_condition(state->current_action, state->cfg, attribute_values[i], error);
 else if (strcmp(attribute_names[i], "rate") == 0)
 pdb_action_set_rate(state->current_action, attribute_values[i]);
+ else if (strcmp(attribute_names[i], "min-messages") == 0)
+ state->current_action->min_messages = atoi(attribute_values[i]);
+ else if (strcmp(attribute_names[i], "max-messages") == 0)
+ state->current_action->max_messages = atoi(attribute_values[i]);
 }
 state->in_action = TRUE;
 }
--
1.7.9.5
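Review bot: Zero doubles as the "not set" value for both limits in pdb_action_new, and the check added to pdb_rule_run_actions skips a limit whose value is 0, so `max-messages='0'` in a pattern database behaves exactly like leaving the attribute out. That should be stated where the fields are declared in patterndb-int.h, for example `/* 0 means no lower/upper limit on the number of messages in the context */`, and in the attribute's user documentation. pdb_action_new starts outside the hunk.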
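Review bot: The two new message-count clauses in pdb_rule_run_actions read `context->messages->len` unconditionally, while the condition clause directly above them is guarded with `!context ||`, which indicates that `context` can be NULL here. An action that sets min-messages or max-messages and is triggered for a message without a correlation context would then dereference a NULL pointer, which presumably crashes the process on ordinary log input. Compute the count once under the same guard, e.g. `guint count = context ? context->messages->len : 1;` (whether a context-less message should count as one is an assumption to confirm), and compare `min_messages` and `max_messages` against `count`. The function body starts and ends outside the hunk.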
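Review bot: `atoi()` in the min-messages and max-messages branches of pdb_loader_start_element cannot report a parse failure, and its `int` result is stored in a `guint32`, so `-1` becomes 4294967295 and a non-numeric string becomes 0, which the run-time check treats as "no limit". Either way a typo in the pattern database silently changes when an action fires instead of failing the load. Parse with `g_ascii_strtoull()` and an end pointer, reject an empty value, a leading `-`, trailing characters and anything above `G_MAXUINT32`, and report the failure through the `error` argument as the condition attribute already does. A small setter next to `pdb_action_set_rate()` would keep the loader consistent; it could not check min against max, since attribute order is not fixed. The enclosing function starts and ends outside the hunk.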