Remove function outputs from grammar

2025-09-16 14:58:31 +00:00 · 2016-03-30 13:00:51 -07:00
parent a9fc4d2b09
commit 5f0123317a
3 changed files with 2 additions and 38 deletions
--- a/rules/base.txt
+++ b/rules/base.txt
@@ -77,7 +77,7 @@ read and not proc.name in (sshd, sudo, su) and not_cron and sensitive_files | WA
 modify and (bin_dir_rename or bin_dir_mkdir) | WARNING Modify bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
 # Don't load shared objects coming from unexpected places
-read and fd.name contains .so and not (ubuntu_so_dirs or centos_so_dirs) | WARNING output.first_sequence(evt, "fd.filename", "shared_obj", "Loaded .so from unexpected dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)")
+read and fd.name contains .so and not (ubuntu_so_dirs or centos_so_dirs) | WARNING Loaded .so from unexpected dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
 # Attempts to access things that shouldn't be
 evt.res = EACCES | INFO System call returned EACCESS (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
--- a/userspace/digwatch/lua/compiler.lua
+++ b/userspace/digwatch/lua/compiler.lua
@@ -179,10 +179,6 @@ local function outputformat (level, format)
   return {type = "OutputFormat", level = normalize_level(level), value = format}
 end
 local function functioncall (level, str, mname, fname, args)
   return {type = "FunctionCall", level = normalize_level(level), mname = mname, fname = fname, arguments = args, source = str}
 end
 local function rule(filter, output)
   if not output then
      output = outputformat(nil)
@@ -229,7 +225,7 @@ local G = {
  MacroDef = (C(V"Macro") * V"Skip" * V"Colon" * (V"Filter"));
  FuncArgs = symb("(") * list(V"Value", symb(",")) * symb(")");
-  Output = (C(V"Identifier") * V"Skip" * C(V"Name" * P(".") * V"Name" * V"FuncArgs") / functioncall) + (C(V"Identifier") * V"Skip" * C(P(1)^0) / outputformat);
+  Output = C(V"Identifier") * V"Skip" * C(P(1)^0) / outputformat;
  -- Terminals
  Value = terminal "Number" + terminal "String" + terminal "BareString";
@@ -473,11 +469,6 @@ function print_ast(ast, level)
   elseif t == "OutputFormat" then
      print(ast.value)
   elseif t == "FunctionCall" then
      print(ast.mname..ast.fname .. "(" )
      print_ast(ast.arguments)
      print(")")
   elseif t == "Filter" then
      print_ast(ast.value, level)
--- a/userspace/digwatch/lua/output.lua
+++ b/userspace/digwatch/lua/output.lua
@@ -8,31 +8,4 @@ function mod.syslog(evt, level, format)
   nixio.syslog(level, msg)
 end
 local first_sequence_state = {}
 function mod.first_sequence(evt, fieldname, key, format)
   local field_value = digwatch.field(evt, fieldname)
   local now = os.time()
   format = "%evt.time: "..format
   if first_sequence_state[key] == nil then
      first_sequence_state[key] = {}
   end
   if first_sequence_state[key][field_value] == nil or
   now - first_sequence_state[key][field_value] > 5 then
      formatter = digwatch.formatter(format)
      msg = digwatch.format_event(evt, formatter)
      print (msg)
   end
   if field_value == nil then
      formatter = digwatch.formatter(format)
      s = digwatch.format_event(evt, formatter)
      error("first_sequence: field '"..fieldname.."' is nil in event ("..s..")")
   end
   first_sequence_state[key][field_value] = now
 end
 return mod