From d0e489b5c2e8115a5a30c37a3629fbcdac95fec2 Mon Sep 17 00:00:00 2001
From: Henri DF
Date: Tue, 12 Apr 2016 18:29:48 -0700
Subject: [PATCH 1/8] Remove unneccessary HAS_FILTERING conditional

---
 userspace/digwatch/digwatch.cpp | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/userspace/digwatch/digwatch.cpp b/userspace/digwatch/digwatch.cpp
index 0a963106..c9a98b45 100644
--- a/userspace/digwatch/digwatch.cpp
+++ b/userspace/digwatch/digwatch.cpp
@@ -261,7 +261,6 @@ int digwatch_init(int argc, char **argv)
 if(optind < argc)
 {
-#ifdef HAS_FILTERING
 for(int32_t j = optind ; j < argc; j++)
 {
 rules_file += argv[j];
@@ -271,11 +270,6 @@ int digwatch_init(int argc, char **argv)
 }
 }
-#else
- fprintf(stderr, "filtering not compiled.\n");
- result = EXIT_FAILURE;
- goto exit;
-#endif
 }
 if(rules_file.size() == 0) {

From b4bc2d52be05bf09d5552fa68629fc703b97dcbe Mon Sep 17 00:00:00 2001
From: Henri DF
Date: Tue, 12 Apr 2016 18:34:49 -0700
Subject: [PATCH 2/8] rename infile -> scap_filename

---
 userspace/digwatch/digwatch.cpp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/userspace/digwatch/digwatch.cpp b/userspace/digwatch/digwatch.cpp
index c9a98b45..5305460a 100644
--- a/userspace/digwatch/digwatch.cpp
+++ b/userspace/digwatch/digwatch.cpp
@@ -203,7 +203,7 @@ int digwatch_init(int argc, char **argv)
 int long_index = 0;
 string lua_main_filename;
 string output_name = "stdout";
- string infile;
+ string scap_filename;
 string conf_filename;
 string lua_dir = DIGWATCH_LUA_DIR;
 lua_State* ls = NULL;
@@ -244,7 +244,7 @@ int digwatch_init(int argc, char **argv)
 output_name = optarg;
 break;
 case 'r':
- infile = optarg;
+ scap_filename = optarg;
 break;
 case '?':
 result = EXIT_FAILURE;
@@ -375,9 +375,9 @@ int digwatch_init(int argc, char **argv)
 add_output(ls, *it);
 }
- if (infile.size())
+ if (scap_filename.size())
 {
- inspector->open(infile);
+ inspector->open(scap_filename);
 }
 else
 {
From 357276b78746534b71ebc2e749051ad058d3d5c6 Mon Sep 17 00:00:00 2001
From: Henri DF
Date: Tue, 12 Apr 2016 18:36:24 -0700
Subject: [PATCH 3/8] Fix opt def for scap input file (was 'R', should be 'r')

---
 userspace/digwatch/digwatch.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/userspace/digwatch/digwatch.cpp b/userspace/digwatch/digwatch.cpp
index 5305460a..f330adb6 100644
--- a/userspace/digwatch/digwatch.cpp
+++ b/userspace/digwatch/digwatch.cpp
@@ -224,7 +224,7 @@ int digwatch_init(int argc, char **argv)
 // Parse the args
 //
 while((op = getopt_long(argc, argv,
- "c:ho:R:",
+ "c:ho:r:u:",
 long_options, &long_index)) != -1)
 {
 switch(op)

From ef938442342669b63ca35b786c6f81c356804e7f Mon Sep 17 00:00:00 2001
From: Henri DF
Date: Tue, 12 Apr 2016 18:43:33 -0700
Subject: [PATCH 4/8] Rename digwatch.conf -> digwatch_rules.conf

---
 digwatch.yaml | 3 ++-
 rules/CMakeLists.txt | 2 +-
 rules/{digwatch.conf => digwatch_rules.conf} | 0
 userspace/digwatch/configuration.cpp | 2 +-
 userspace/digwatch/configuration.h | 2 +-
 userspace/digwatch/digwatch.cpp | 2 +-
 6 files changed, 6 insertions(+), 5 deletions(-)
 rename rules/{digwatch.conf => digwatch_rules.conf} (100%)

diff --git a/digwatch.yaml b/digwatch.yaml
index 9d5c98f5..bc6c41ff 100644
--- a/digwatch.yaml
+++ b/digwatch.yaml
@@ -1,7 +1,8 @@
-rules_file: /etc/digwatch.conf
+rules_file: /etc/digwatch_rules.conf
 # Priority level
 # Any rule with priority lower than this level will be discarded
+# WARNING currently has no effect!
 priority_level: warning
 syslog_output:
diff --git a/rules/CMakeLists.txt b/rules/CMakeLists.txt
index b1c34ae1..dff2d608 100644
--- a/rules/CMakeLists.txt
+++ b/rules/CMakeLists.txt
@@ -1,3 +1,3 @@
-install(FILES digwatch.conf
+install(FILES digwatch_rules.conf
 DESTINATION "${DIR_ETC}")
diff --git a/rules/digwatch.conf b/rules/digwatch_rules.conf
similarity index 100%
rename from rules/digwatch.conf
rename to rules/digwatch_rules.conf
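Review bot: The new optstring `"c:ho:r:u:"` also registers `u:`, which neither the subject nor the switch below accounts for — there is no `case 'u'` until PATCH 5 of this series. In the intermediate state getopt accepts `-u <arg>` and consumes its argument, and as far as the visible cases show the switch (its body continues outside the hunk) then ignores it silently. Either keep this commit to the `R`→`r` fix, `"c:ho:r:",` and add `u:` in the commit that introduces its handler, or mention the extra option in the subject.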
diff --git a/userspace/digwatch/configuration.cpp b/userspace/digwatch/configuration.cpp
index 401d6328..06706b27 100644
--- a/userspace/digwatch/configuration.cpp
+++ b/userspace/digwatch/configuration.cpp
@@ -18,7 +18,7 @@ void digwatch_configuration::init(string conf_filename)
 string m_config_file = conf_filename;
 m_config = new yaml_configuration(m_config_file);
- m_rules_file = m_config->get_scalar("rules_file", "/etc/digwatch.conf");
+ m_rules_filename = m_config->get_scalar("rules_file", "/etc/digwatch_rules.conf");
 m_priority_level = m_config->get_scalar("priority_level", "warning");
 output_config file_output;
diff --git a/userspace/digwatch/configuration.h b/userspace/digwatch/configuration.h
index 9d3644ab..056976ea 100644
--- a/userspace/digwatch/configuration.h
+++ b/userspace/digwatch/configuration.h
@@ -94,7 +94,7 @@ class digwatch_configuration
 public:
 void init(std::string conf_filename);
 void init();
- std::string m_rules_file;
+ std::string m_rules_filename;
 std::string m_priority_level;
 std::vector m_outputs;
 private:
diff --git a/userspace/digwatch/digwatch.cpp b/userspace/digwatch/digwatch.cpp
index f330adb6..01d6069b 100644
--- a/userspace/digwatch/digwatch.cpp
+++ b/userspace/digwatch/digwatch.cpp
@@ -365,7 +365,7 @@ int digwatch_init(int argc, char **argv)
 digwatch_syslog::init(ls);
- rules->load_rules(rules_file);
+ rules->load_rules(config.m_rules_filename);
 inspector->set_filter(rules->get_filter());
 inspector->set_hostname_and_port_resolution_mode(false);

From 86e2e17c330e2d0e7fad26a48b4fd7ab6e2f06d8 Mon Sep 17 00:00:00 2001
From: Henri DF
Date: Tue, 12 Apr 2016 20:15:46 -0700
Subject: [PATCH 5/8] Change rules file command-line setting

Now is optional, and uses -u rather than passed as a positional arg.
---
 userspace/digwatch/digwatch.cpp | 31 ++++++++++---------------------
 1 file changed, 10 insertions(+), 21 deletions(-)

diff --git a/userspace/digwatch/digwatch.cpp b/userspace/digwatch/digwatch.cpp
index 01d6069b..635eb2b3 100644
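Review bot: The default path `/etc/digwatch_rules.conf` is now a bare literal in the `get_scalar` call here, in `digwatch.yaml` (same commit) and again in the `-r` help text that PATCH 6 adds, so the next rename has three places to miss — this commit already had to touch two of them. One named constant, e.g. `static const char* const DIGWATCH_DEFAULT_RULES_FILE = "/etc/digwatch_rules.conf";` in configuration.h, used as the `get_scalar` default and printed from usage(), keeps them aligned. Note also that the rules file is installed under `${DIR_ETC}` (rules/CMakeLists.txt hunk above) while the code default is hard-wired to `/etc`, so a build that sets `DIR_ETC` elsewhere presumably installs the rules where the default never looks — worth confirming. `digwatch_configuration::init` continues outside this hunk.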
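Review bot: After this hunk `load_rules` takes the path from `config.m_rules_filename`, but the `rules_file` string assembled from the positional arguments earlier in `digwatch_init` (visible in PATCH 1 and removed only in PATCH 5) is still computed and still required by the `rules_file.size() == 0` usage check, so at this commit a rules file given on the command line is accepted and then silently ignored in favour of the config value. That leaves a bisect-hostile state; squashing this change with the PATCH 5 removal, or passing `rules_file.size() ? rules_file : config.m_rules_filename` here until then, keeps every commit in the series self-consistent. `digwatch_init` starts and ends outside this hunk.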
--- a/userspace/digwatch/digwatch.cpp
+++ b/userspace/digwatch/digwatch.cpp
@@ -205,6 +205,7 @@ int digwatch_init(int argc, char **argv)
 string output_name = "stdout";
 string scap_filename;
 string conf_filename;
+ string rules_filename;
 string lua_dir = DIGWATCH_LUA_DIR;
 lua_State* ls = NULL;
@@ -246,6 +247,9 @@ int digwatch_init(int argc, char **argv)
 case 'r':
 scap_filename = optarg;
 break;
+ case 'u':
+ rules_filename = optarg;
+ break;
 case '?':
 result = EXIT_FAILURE;
 goto exit;
@@ -257,27 +261,6 @@ int digwatch_init(int argc, char **argv)
 inspector->set_buffer_format(event_buffer_format);
- string rules_file;
-
- if(optind < argc)
- {
- for(int32_t j = optind ; j < argc; j++)
- {
- rules_file += argv[j];
- if(j < argc - 1)
- {
- rules_file += " ";
- }
- }
-
- }
-
- if(rules_file.size() == 0) {
- usage();
- result = EXIT_FAILURE;
- goto exit;
-
- }
 ifstream* conf_stream;
 if (conf_filename.size())
@@ -323,6 +306,12 @@ int digwatch_init(int argc, char **argv)
 config.init();
 }
+ if (rules_filename.size())
+ {
+ config.m_rules_filename = rules_filename;
+ }
+ cout << "Using rules file " + config.m_rules_filename + "\n";
+
 if(signal(SIGINT, signal_callback) == SIG_ERR)
 {
 fprintf(stderr, "An error occurred while setting SIGINT signal handler.\n");

From a529b11e0dabf2a896e185f11dd5f323197328d7 Mon Sep 17 00:00:00 2001
From: Henri DF
Date: Tue, 12 Apr 2016 20:16:34 -0700
Subject: [PATCH 6/8] Clean up usage message and choice of flags

---
 userspace/digwatch/digwatch.cpp | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/userspace/digwatch/digwatch.cpp b/userspace/digwatch/digwatch.cpp
index 635eb2b3..7320f5f9 100644
--- a/userspace/digwatch/digwatch.cpp
+++ b/userspace/digwatch/digwatch.cpp
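Review bot: With the positional handling removed, anything left in `argv` after option parsing is now ignored rather than rejected, so a user who still invokes `digwatch [options] rules_filename` — which is what the usage text advertises, and still does after PATCH 6 — silently runs with the config-file default instead of the file they named. A guard where the deleted block stood, `if(optind < argc) { usage(); result = EXIT_FAILURE; goto exit; }`, keeps the old behaviour of refusing unexpected arguments while the rules file moves to its own flag. `digwatch_init` starts and ends outside this hunk.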
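Review bot: The new `cout << "Using rules file " + config.m_rules_filename + "\n";` writes a status line to stdout, which is also the event channel when the output type is `stdout` — the default, per `string output_name = "stdout";` earlier in the same function — so anything consuming the event stream sees a non-event line first. The surrounding code reports diagnostics with `fprintf(stderr, ...)`, as the context line just below shows; the same channel fits here, `fprintf(stderr, "Using rules file %s\n", config.m_rules_filename.c_str());`. `digwatch_init` continues outside this hunk.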
@@ -46,9 +46,10 @@ static void usage()
 "Usage: digwatch [options] rules_filename\n\n"
 "Options:\n"
 " -h, --help Print this page\n"
+ " -c Configuration file (default " DIGWATCH_SOURCE_CONF_FILE ", " DIGWATCH_INSTALL_CONF_FILE ")\n"
 " -o Output type (options are 'stdout', 'syslog', default is 'stdout')\n"
- " -r , --read=\n"
- " Read the events from .\n"
+ " -e Read the events from (in .scap format) instead of tapping into live.\n"
+ " -r Rules configuration file (defaults to value set in configuration file, or /etc/digwatch_rules.conf).\n"
 "\n"
 );
 }
@@ -212,7 +213,6 @@ int digwatch_init(int argc, char **argv)
 static struct option long_options[] =
 {
 {"help", no_argument, 0, 'h' },
- {"readfile", required_argument, 0, 'r' },
 {0, 0, 0, 0}
 };
@@ -225,7 +225,7 @@ int digwatch_init(int argc, char **argv)
 // Parse the args
 //
 while((op = getopt_long(argc, argv,
- "c:ho:r:u:",
+ "c:ho:e:r:",
 long_options, &long_index)) != -1)
 {
 switch(op)
@@ -244,10 +244,10 @@ int digwatch_init(int argc, char **argv)
 }
 output_name = optarg;
 break;
- case 'r':
+ case 'e':
 scap_filename = optarg;
 break;
- case 'u':
+ case 'r':
 rules_filename = optarg;
 break;
 case '?':

From 6e008a2ff591411da25628ae0328748786e8edb7 Mon Sep 17 00:00:00 2001
From: Henri DF
Date: Tue, 12 Apr 2016 20:33:07 -0700
Subject: [PATCH 7/8] Improve error message when rules file not found

---
 userspace/digwatch/rules.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/userspace/digwatch/rules.cpp b/userspace/digwatch/rules.cpp
index f93b875d..39ca0edc 100644
--- a/userspace/digwatch/rules.cpp
+++ b/userspace/digwatch/rules.cpp
@@ -45,7 +45,7 @@ void digwatch_rules::load_rules(string rules_filename)
 is.open(rules_filename);
 if(!is.is_open())
 {
- throw sinsp_exception("can't open file " + rules_filename);
+ throw sinsp_exception("Can't open file " + rules_filename + ". Try setting file location in config file or use '-r' flag.");
 }
 lua_getglobal(m_ls, m_lua_load_rule.c_str());
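Review bot: The first context line, `"Usage: digwatch [options] rules_filename\n\n"`, still advertises a positional rules file even though PATCH 5 removed that handling and the `-r` line added right below documents its replacement; it should read `"Usage: digwatch [options]\n\n"`. The new `-r` text also repeats the literal `/etc/digwatch_rules.conf` that configuration.cpp hard-codes as the `get_scalar` default, so the two can drift independently; printing one shared constant from both places avoids that. `usage()` starts outside the hunk.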
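Review bot: `-r` changes meaning in this hunk — in the two preceding commits it selected the scap input file, and from here on it selects the Lua rules file while `-e` takes over the capture — but the subject only says "choice of flags", so an invocation written against the previous flag set now hands a capture file to `load_rules` with no hint that the option was repurposed. The commit message should state the swap explicitly, and since the previous hunk drops the only long option other than `--help`, giving both new flags long forms (for example `{"rules", required_argument, 0, 'r' },` and `{"events", required_argument, 0, 'e' },`) lets scripts use names that cannot be confused. The switch continues outside this hunk.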
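Review bot: The reworded message tells the user where to configure the path but still drops the reason the open failed, so a missing rules file and one the process is not permitted to read produce the same text, which is the distinction an operator debugging an installed `${DIR_ETC}` deployment most needs. On the usual implementations `std::ifstream::open` leaves `errno` set by the underlying `fopen`, so appending it, `throw sinsp_exception("Can't open file " + rules_filename + ": " + strerror(errno) + ". Try setting file location in config file or use '-r' flag.");`, distinguishes the two; this presumably needs `<cerrno>` and `<cstring>` if rules.cpp does not already include them. `load_rules` continues outside the hunk.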
From b14ae8ac11d567d81393f5230375ee164fa43932 Mon Sep 17 00:00:00 2001
From: Henri DF
Date: Tue, 12 Apr 2016 21:35:39 -0700
Subject: [PATCH 8/8] Add digwatch.yaml to packages

---
 CMakeLists.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 7a435945..0964c7ef 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -152,7 +152,8 @@ ExternalProject_Add(lpeg
 CONFIGURE_COMMAND ""
 INSTALL_COMMAND "")
-
+install(FILES digwatch.yaml
+ DESTINATION "${DIR_ETC}")
 add_subdirectory(${SYSDIG_DIR}/userspace/libscap ${PROJECT_BINARY_DIR}/userspace/libscap)
 add_subdirectory(${SYSDIG_DIR}/userspace/libsinsp ${PROJECT_BINARY_DIR}/userspace/libsinsp)
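Review bot: `install(FILES digwatch.yaml DESTINATION "${DIR_ETC}")` copies the file unconditionally on every install, so a locally edited `digwatch.yaml` (one that points `rules_file` elsewhere, for instance) is presumably overwritten on reinstall or upgrade unless the packaging layer outside this hunk marks it as a configuration file; that is worth checking before the next package build, and a one-line comment above the call, `# installed as the default config; packaging must treat it as a conffile`, records the expectation. The hunk also spends the blank line that separated the `ExternalProject_Add(lpeg ...)` block from the `add_subdirectory` calls; keeping an empty line on either side of the new `install()` keeps the three sections readable.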