From 575ca79ff1a3774a71dbccb1582a5836eac98624 Mon Sep 17 00:00:00 2001
From: Aleksei Nikiforov
Date: Mon, 16 Dec 2019 15:35:40 +0300
Subject: [PATCH] Populate empty fields
---
 auditd-plugin-clickhouse.cpp | 48 +++++++++++++++++++++++++++++++++++-
 1 file changed, 47 insertions(+), 1 deletion(-)
diff --git a/auditd-plugin-clickhouse.cpp b/auditd-plugin-clickhouse.cpp
index 02782c7..fb9b6c0 100644
--- a/auditd-plugin-clickhouse.cpp
+++ b/auditd-plugin-clickhouse.cpp
@@ -206,11 +206,57 @@ void auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_type, voi
 }
 }
- // TODO: add value
+ data_ptr->addOrUpdateValue(au);
 }
 } while (auparse_next_field(au) > 0);
 }
+ // first add all missing fields, keep data empty
+ {
+ auto missing_fields = callback_data->all_fields_set;
+
+ for (auto iter = audit_record.fields.begin(); iter != audit_record.fields.end(); ++iter)
+ {
+ missing_fields.erase(iter->first);
+ }
+
+ for (auto iter = missing_fields.begin(); iter != missing_fields.end(); ++iter)
+ {
+ std::string type_name;
+
+ auto type_iter = callback_data->datatypes_map.find(*iter);
+ if (type_iter != callback_data->datatypes_map.end())
+ {
+ type_name = type_iter->second;
+ }
+ else
+ {
+ for (auto regex_type_iter = callback_data->datatype_regexps_map.begin(); regex_type_iter != callback_data->datatype_regexps_map.end(); ++regex_type_iter)
+ {
+ if (*iter == std::get<2>(*regex_type_iter))
+ {
+ type_name = std::get<1>(*regex_type_iter);
+ break;
+ }
+ }
+ }
+
+ if (!type_name.empty())
+ {
+ auto factory_iter = callback_data->type_creation_map.find(type_name);
+ if (factory_iter != callback_data->type_creation_map.end())
+ {
+ audit_record.fields[*iter] = factory_iter->second(*iter);
+ }
+ }
+ else
+ {
+ fprintf(stderr, "Couldn't find registered type name for record with name\"%s\"\n", iter->c_str());
+ continue;
+ }
+ }
+ }
+
 // TODO: add audit_record to clickhouse database
 }
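Review bot: In the `if (!type_name.empty())` branch, a type name with no entry in `type_creation_map` is skipped without any diagnostic, so the field stays absent from `audit_record.fields` and the record goes on incomplete, which is what this block is meant to prevent. Add an `else` to the inner lookup that reports it, for example `fprintf(stderr, "No factory registered for type \"%s\" (field \"%s\")\n", type_name.c_str(), iter->c_str());`. The existing message also lacks a space before the quoted name (`name\"%s\"`), and the trailing `continue;` is redundant as the last statement of the loop body. `auparse_callback` starts and ends outside the hunk, so whether `data_ptr` is guaranteed non-null at `data_ptr->addOrUpdateValue(au);` cannot be confirmed from here.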