Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

A new notice script that pretty-prints alarms in the summary email.

Browse source 
It works already, but the actual pretty-printing is still missing.
This commit is contained in:
Robin Sommer 2011-10-26 10:19:10 -07:00
parent 2f2fad1f80
commit 73d5643302
2 changed files with 97 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
scripts/base/frameworks/notice/__load__.bro
View file

@ -7,6 +7,7 @@
@load ./actions/email_admin @load ./actions/email_admin
@load ./actions/page @load ./actions/page
@load ./actions/add-geodata @load ./actions/add-geodata
@load ./actions/pp-alarms
# There shouldn't be any default overhead from loading these since they # There shouldn't be any default overhead from loading these since they
# *should* only do anything when notices have the ACTION_EMAIL action applied. # *should* only do anything when notices have the ACTION_EMAIL action applied.

96
scripts/base/frameworks/notice/actions/pp-alarms.bro Normal file
View file

@ -0,0 +1,96 @@
#! Notice extension that mails out a pretty-printed version of alarm.log
#! in regular intervals, formatted for better human readability. If activated,
#! that replaces the default summary mail having the raw log output.
module Notice;
export {
## Activate pretty-printed alarm summaries.
const pretty_print_alarms = T &redef;
## Function that renders a single alarm. Can be overidden.
global pretty_print_alarm: function(out: file, n: Info) &redef;
}
# We maintain an old-style file recording the pretty-printed alarms.
const pp_alarms_name = "alarm-mail.txt";
global pp_alarms: file;
global pp_alarms_open: bool = F;
# Returns True if pretty-printed alarm summaries are activated.
function want_pp() : bool
{
# return (pretty_print_alarms && ! reading_traces() && mail_dest != "");
print (pretty_print_alarms && mail_dest != "");
return (pretty_print_alarms && mail_dest != "");
}
# Opens and intializes the output file.
function pp_open()
{
if ( pp_alarms_open )
return;
pp_alarms_open = T;
pp_alarms = open(pp_alarms_name);
local headers = email_headers("Alarm Summary", mail_dest);
write_file(pp_alarms, headers + "\n");
}
# Closes and mails out the current output file.
function pp_send()
{
if ( ! pp_alarms_open )
return;
write_file(pp_alarms, "\n\n--\n[Automatically generated]\n\n");
system(fmt("/bin/cat %s | %s -t -oi && /bin/rm %s",
pp_alarms_name, sendmail, pp_alarms_name));
pp_alarms_open = F;
}
# Postprocessor function that triggers the email.
function pp_postprocessor(info: Log::RotationInfo): bool
{
if ( want_pp() )
pp_send();
}
event bro_init()
{
if ( ! want_pp() )
return;
# This replaces the standard non-pretty-printing filter.
Log::add_filter(Notice::ALARM_LOG,
[$name="alarm-mail", $writer=Log::WRITER_NONE,
$interv=Log::default_rotation_interval,
$postprocessor=pp_postprocessor]);
}
event notice(n: Notice::Info) &priority=-5
{
if ( ! want_pp() )
return;
if ( ACTION_ALARM !in n$actions )
return;
if ( ! pp_alarms_open )
pp_open();
pretty_print_alarm(pp_alarms, n);
}
# Default pretty-printer.
function pretty_print_alarm(out: file, n: Info)
{
print out, n;
}