/*
 * auditd-plugin-clickhouse is an auditd plugin for sending auditd data
 * to clickhouse DB.
 * Copyright (C) 2019 Aleksei Nikiforov
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <https://www.gnu.org/licenses/>.
 *
 */

/*
 * Declarations for the in-memory form of one audit record and of its typed
 * fields, as handed from the auparse parser to ClickHouse columns.
 *
 * NOTE(review): this copy of the header went through a text extraction that
 * dropped everything written between angle brackets: the header names of the
 * #include directives and every template argument list (std::vector,
 * std::map, std::shared_ptr, boost::optional, std::list). The tokens below are
 * left exactly as found; each affected declaration is marked, and the guessed
 * argument must be confirmed against the upstream file before use.
 */
#ifndef AUDITD_PLUGIN_CLICKHOUSE_RECORD_HPP
#define AUDITD_PLUGIN_CLICKHOUSE_RECORD_HPP

// NOTE(review): header names lost in extraction. The declarations below need
// headers that provide std::string, std::vector, std::map, std::list,
// std::shared_ptr, time_t, uint64_t, boost::optional, clickhouse::ColumnRef
// and the auparse types auparse_type_t / auparse_state_t.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/**
 * Compares an auparse field type with a database column type.
 *
 * Only the declaration is visible here. Presumably it reports whether a field
 * of type @p field_type may be stored in a column declared as
 * @p database_type, with @p database_field_name identifying the column
 * (confirm against the definition).
 *
 * NOTE(review): the bool result is the only failure signal this declaration
 * exposes; a caller that ignores it would not notice a field/column mismatch.
 *
 * @param field_type           auparse type of the audit field.
 * @param database_type        column type name on the database side.
 * @param database_field_name  column name on the database side.
 * @return result of the check (exact meaning of true/false: see definition).
 */
bool check_field_type(auparse_type_t field_type, const std::string &database_type, const std::string &database_field_name);

/**
 * Abstract base of every typed field that can be stored in an AuditRecord.
 *
 * A field has a name, can take a value from the auparse state, and can emit
 * that value into ClickHouse columns. Construction and copying are protected,
 * so only derived classes can create or copy the base part.
 */
class AbstractRecordField
{
public:
    /// Kind of field; one enumerator per concrete field class declared in this header.
    enum class Type
    {
        Int,
        String,
        InterpretedString,
        InterpretedStringArray
    };

    /// A ClickHouse column together with the name it is inserted under.
    struct Column
    {
        std::string name;             // column name
        clickhouse::ColumnRef value;  // column handle from the clickhouse client library

        /// Stores copies of both arguments.
        Column(const std::string &l_name, const clickhouse::ColumnRef &l_value)
            : name(l_name),
            value(l_value)
        {
        }
    };

    /// Virtual so that a field can be destroyed through a base pointer.
    virtual ~AbstractRecordField() = default;

    /// Takes a value for this field from the auparse state @p record.
    /// presumably reads the field the parser is currently positioned on — confirm in the definitions
    virtual void addOrUpdateValue(auparse_state_t *record) = 0;

    /// Returns the columns this field contributes.
    /// NOTE(review): element type lost in extraction — presumably std::vector<Column>; confirm.
    virtual std::vector generateColumnsAndNames() const = 0;

    /// Emits the stored value into the given columns.
    /// NOTE(review): element type lost in extraction — presumably std::vector<Column>; confirm.
    virtual void addToColumn(const std::vector &columns) const = 0;

    /// Returns the Type tag of the concrete field class.
    virtual Type getType() const = 0;

    /// Returns a copy of the field name.
    std::string getName() const { return m_name; }

protected:
    /// @param name field name; the definition is not in this header.
    explicit AbstractRecordField(const std::string &name);

    // Copying is defaulted but protected: code outside the hierarchy cannot
    // copy a field through the base class.
    AbstractRecordField(const AbstractRecordField &other) = default;
    AbstractRecordField& operator=(const AbstractRecordField &other) = default;

    std::string m_name;  // field name, returned by getName()
};

/**
 * One audit record: event identity plus its named fields.
 *
 * presumably time / milliseconds / serial / node mirror the timestamp, serial
 * number and host of the auparse event — confirm against the code that fills
 * this struct.
 *
 * NOTE(review): field values in an audit record include content chosen by the
 * audited processes (paths, arguments, ...); treat everything stored here as
 * untrusted data wherever it is later rendered or used to build queries.
 */
struct AuditRecord
{
    time_t time;
    uint64_t milliseconds;
    uint64_t serial;
    std::string node; // skip processing node from record fields

    // Fields of the record.
    // NOTE(review): template arguments lost in extraction — presumably
    // std::map<std::string, std::shared_ptr<AbstractRecordField> > keyed by
    // field name; confirm.
    std::map > fields;
};

/**
 * Shared base of the string-valued fields: holds one optional value and
 * implements column generation and insertion for it.
 */
class CommonStringRecordField: public AbstractRecordField
{
public:
    // NOTE(review): element type of std::vector lost in extraction on both
    // declarations — presumably Column; confirm.
    virtual std::vector generateColumnsAndNames() const override;
    virtual void addToColumn(const std::vector &columns) const override;

protected:
    explicit CommonStringRecordField(const std::string &name);

    // Stored value; empty optional when no value has been set.
    // NOTE(review): value type lost in extraction — presumably
    // boost::optional<std::string>; confirm.
    boost::optional m_value;
};

/**
 * String field. presumably stores the raw (uninterpreted) field text, as
 * opposed to InterpretedStringRecordField — confirm in the definitions.
 * The constructor is protected; createRecord() is the public way to get one.
 */
class StringRecordField: public CommonStringRecordField
{
public:
    /// Factory for a field named @p name.
    /// NOTE(review): pointee type lost in extraction — a std::shared_ptr to
    /// some field class; confirm which.
    static std::shared_ptr createRecord(const std::string &name);

    virtual void addOrUpdateValue(auparse_state_t *record) override;

    /// presumably returns Type::String — confirm.
    virtual Type getType() const override;

protected:
    explicit StringRecordField(const std::string &name);
};

/**
 * String field. presumably stores the value as interpreted by auparse
 * (human-readable form) — confirm in the definitions.
 * The constructor is protected; createRecord() is the public way to get one.
 */
class InterpretedStringRecordField: public CommonStringRecordField
{
public:
    /// Factory for a field named @p name.
    /// NOTE(review): pointee type lost in extraction; confirm.
    static std::shared_ptr createRecord(const std::string &name);

    virtual void addOrUpdateValue(auparse_state_t *record) override;

    /// presumably returns Type::InterpretedString — confirm.
    virtual Type getType() const override;

protected:
    explicit InterpretedStringRecordField(const std::string &name);
};

/**
 * Integer field. Derives from InterpretedStringRecordField, so it carries the
 * inherited m_value in addition to its own optional m_int_value, and overrides
 * both column methods.
 */
class IntegerRecordField: public InterpretedStringRecordField
{
public:
    /// Factory for a field named @p name.
    /// NOTE(review): pointee type lost in extraction; confirm.
    static std::shared_ptr createRecord(const std::string &name);

    virtual void addOrUpdateValue(auparse_state_t *record) override;

    // NOTE(review): element type of std::vector lost in extraction on both
    // declarations — presumably Column; confirm.
    virtual std::vector generateColumnsAndNames() const override;
    virtual void addToColumn(const std::vector &columns) const override;

    /// presumably returns Type::Int — confirm.
    virtual Type getType() const override;

protected:
    explicit IntegerRecordField(const std::string &name);

    // Numeric value; empty optional when none has been set.
    // NOTE(review): value type lost in extraction — presumably a fixed-width
    // integer type; confirm width and signedness against the column type it
    // is written to.
    boost::optional m_int_value;
};

/**
 * Array-valued field: keeps two lists, one of names and one of values.
 * presumably the two lists are parallel (entry i of one belongs to entry i of
 * the other) — confirm in the definitions.
 */
class InterpretedStringArrayRecordField: public AbstractRecordField
{
public:
    /// Factory for a field named @p name.
    /// NOTE(review): pointee type lost in extraction; confirm.
    static std::shared_ptr createRecord(const std::string &name);

    virtual void addOrUpdateValue(auparse_state_t *record) override;

    // NOTE(review): element type of std::vector lost in extraction on both
    // declarations — presumably Column; confirm.
    virtual std::vector generateColumnsAndNames() const override;
    virtual void addToColumn(const std::vector &columns) const override;

    /// presumably returns Type::InterpretedStringArray — confirm.
    virtual Type getType() const override;

protected:
    explicit InterpretedStringArrayRecordField(const std::string &name);

    // NOTE(review): element types lost in extraction — presumably
    // std::list<std::string> for both; confirm.
    std::list m_names_array;
    std::list m_values_array;
};

#endif /* AUDITD_PLUGIN_CLICKHOUSE_RECORD_HPP */