From fbdf1baf1c2c9caebd88b6c5cb9d7b41bf6a02d2 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Tue, 16 Feb 2010 15:56:27 -0800
Subject: [PATCH] - rebase Provide limits to the unified outputs.

---
 src/alert-unified-alert.c | 34 +++++++++++++++++++++++++++++++---
 src/alert-unified-log.c | 35 ++++++++++++++++++++++++++++++++---
 src/alert-unified2-alert.c | 35 +++++++++++++++++++++++++++++++----
 src/output.h | 1 -
 suricata.yaml | 9 +++++++++
 5 files changed, 103 insertions(+), 11 deletions(-)

diff --git a/src/alert-unified-alert.c b/src/alert-unified-alert.c
index da4b1e0a34..f1282f7181 100644
--- a/src/alert-unified-alert.c
+++ b/src/alert-unified-alert.c
@@ -32,12 +32,19 @@
 #include "util-time.h"
 #include "util-error.h"
 #include "util-debug.h"
+#include "util-byte.h"
 
 #include "output.h"
 #include "alert-unified-alert.h"
 
 #define DEFAULT_LOG_FILENAME "unified.alert"
 
+/**< Default log file limit in MB. */
+#define DEFAULT_LIMIT 32
+
+/**< Minimum log file limit in MB. */
+#define MIN_LIMIT 1
+
 #define MODULE_NAME "AlertUnifiedAlert"
 
 TmEcode AlertUnifiedAlert (ThreadVars *, Packet *, void *, PacketQueue *);
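Review bot: The `/**< Default log file limit in MB. */` and `/**< Minimum log file limit in MB. */` comments added before the new defines use Doxygen's trailing-member marker `/**<`, which attaches the text to the item before it (here `DEFAULT_LOG_FILENAME`), not to the `#define` that follows; write them as `/** Default log file limit in MB. */` and `/** Minimum log file limit in MB. */`. The same two comments and the `DEFAULT_LIMIT`/`MIN_LIMIT` pair are repeated verbatim in the alert-unified-log.c and alert-unified2-alert.c hunks of this commit, while the shared `UNIFIED_FILESIZE_LIMIT` in output.h is deleted. Keeping a single definition of the default and minimum in output.h (or a common unified-output header) would stop the three copies from drifting apart.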
@@ -293,13 +300,34 @@ LogFileCtx *AlertUnifiedAlertInitCtx(ConfNode *conf)
 filename = DEFAULT_LOG_FILENAME;
 file_ctx->prefix = strdup(filename);
 
- ret = AlertUnifiedAlertOpenFileCtx(file_ctx, filename);
- /* XXX make configurable */
- file_ctx->size_limit = UNIFIED_FILESIZE_LIMIT;
+ const char *s_limit = NULL;
+ uint32_t limit = DEFAULT_LIMIT;
+ if (conf != NULL) {
+ s_limit = ConfNodeLookupChildValue(conf, "limit");
+ if (s_limit != NULL) {
+ if (ByteExtractStringUint32(&limit, 10, 0, s_limit) == -1) {
+ SCLogError(SC_ERR_INVALID_ARGUMENT,
+ "Fail to initialize unified alert output, invalid limit: %s",
+ s_limit);
+ exit(EXIT_FAILURE);
+ }
+ if (limit < MIN_LIMIT) {
+ SCLogError(SC_ERR_INVALID_ARGUMENT,
+ "Fail to initialize unified alert output, limit less than "
+ "allowed minimum.");
+ exit(EXIT_FAILURE);
+ }
+ }
+ }
+ file_ctx->size_limit = limit * 1024 * 1024;
+ ret = AlertUnifiedAlertOpenFileCtx(file_ctx, filename);
 
 if (ret < 0)
 return NULL;
 
+ SCLogInfo("Unified-alert initialized: filename %s, limit %"PRIu32" MB",
+ filename, limit);
+
 return file_ctx;
 }
 
diff --git a/src/alert-unified-log.c b/src/alert-unified-log.c
index 402233343e..90d33ca3b0 100644
--- a/src/alert-unified-log.c
+++ b/src/alert-unified-log.c
@@ -34,12 +34,19 @@
 #include "util-time.h"
 #include "util-debug.h"
 #include "util-error.h"
+#include "util-byte.h"
 
 #include "output.h"
 #include "alert-unified-log.h"
 
 #define DEFAULT_LOG_FILENAME "unified.log"
 
+/**< Default log file limit in MB. */
+#define DEFAULT_LIMIT 32
+
+/**< Minimum log file limit in MB. */
+#define MIN_LIMIT 1
+
 #define MODULE_NAME "AlertUnifiedLog"
 
 TmEcode AlertUnifiedLog (ThreadVars *, Packet *, void *, PacketQueue *);
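Review bot: `file_ctx->size_limit = limit * 1024 * 1024;` in AlertUnifiedAlertInitCtx has no upper bound to match the new `MIN_LIMIT` check: `limit` is a `uint32_t`, so on the usual ILP32/LP64 targets the product is evaluated in 32-bit unsigned arithmetic and a configured limit of 4096 or more wraps silently (4096 yields a size_limit of 0) whatever the width of `size_limit` itself. Mirror the lower-bound branch with an upper one before the multiplication, e.g. `if (limit > UINT32_MAX / (1024 * 1024)) {` followed by the same SCLogError/exit pair, or introduce a `MAX_LIMIT` beside `MIN_LIMIT`. The identical line is added in the AlertUnifiedLogInitCtx and Unified2AlertInitCtx hunks of this commit and needs the same guard. Separately, this function reports failure by returning NULL (`if (ret < 0) return NULL;`), while the two new error paths call `exit(EXIT_FAILURE)` and abandon `file_ctx` and the `strdup`'d prefix; returning NULL after the SCLogError would keep the contract consistent, provided the caller (outside this hunk) handles NULL. The enclosing function begins before this hunk.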
@@ -308,15 +315,37 @@ LogFileCtx *AlertUnifiedLogInitCtx(ConfNode *conf) } if (filename == NULL) filename = DEFAULT_LOG_FILENAME; - file_ctx->prefix = strdup(filename); - file_ctx->size_limit = UNIFIED_FILESIZE_LIMIT; /* XXX Make configurable. */ - ret = AlertUnifiedLogOpenFileCtx(file_ctx, filename); + const char *s_limit = NULL; + uint32_t limit = DEFAULT_LIMIT; + if (conf != NULL) { + s_limit = ConfNodeLookupChildValue(conf, "limit"); + if (s_limit != NULL) { + if (ByteExtractStringUint32(&limit, 10, 0, s_limit) == -1) { + SCLogError(SC_ERR_INVALID_ARGUMENT, + "Fail to initialize unified log output, invalid limit: %s", + s_limit); + exit(EXIT_FAILURE); + } + if (limit < MIN_LIMIT) { + SCLogError(SC_ERR_INVALID_ARGUMENT, + "Fail to initialize unified log output, limit less than " + "allowed minimum."); + exit(EXIT_FAILURE); + } + SCLogDebug("limit set to %"PRIu32, limit); + } + } + file_ctx->size_limit = limit * 1024 * 1024; + ret = AlertUnifiedLogOpenFileCtx(file_ctx, filename); if (ret < 0) return NULL; + SCLogInfo("Unified-log initialized: filename %s, limit %"PRIu32" MB", + filename, limit); + return file_ctx; } diff --git a/src/alert-unified2-alert.c b/src/alert-unified2-alert.c index 693a09adce..9936c22a8e 100644 --- a/src/alert-unified2-alert.c +++ b/src/alert-unified2-alert.c @@ -21,6 +21,7 @@ #include "util-error.h" #include "util-debug.h" #include "util-time.h" +#include "util-byte.h" #include "output.h" #include "alert-unified2-alert.h" @@ -31,6 +32,12 @@ #define DEFAULT_LOG_FILENAME "unified2.alert" +/**< Default log file limit in MB. */ +#define DEFAULT_LIMIT 32 + +/**< Minimum log file limit in MB. */ +#define MIN_LIMIT 1 + /*prototypes*/ TmEcode Unified2Alert (ThreadVars *, Packet *, void *, PacketQueue *); TmEcode Unified2AlertThreadInit(ThreadVars *, void *, void **); 
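Review bot: The removed `- file_ctx->prefix = strdup(filename);` line in AlertUnifiedLogInitCtx has no `+` counterpart anywhere in this hunk, so after the change the function no longer sets `file_ctx->prefix`, whereas the unified-alert and unified2 hunks of the same commit keep that assignment as context. Unless AlertUnifiedLogOpenFileCtx (not shown) assigns the prefix itself, whatever later reads it will see the value left by the context allocation. Re-add `file_ctx->prefix = strdup(filename);` immediately before the new `const char *s_limit = NULL;` line. The `SCLogDebug("limit set to %"PRIu32, limit);` line is also present only in this file's copy of the block; either drop it or add it to the other two for consistency. The enclosing function begins before this hunk.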
@@ -585,14 +592,34 @@ LogFileCtx *Unified2AlertInitCtx(ConfNode *conf) filename = DEFAULT_LOG_FILENAME; file_ctx->prefix = strdup(filename); - ret = Unified2AlertOpenFileCtx(file_ctx, filename); - - /* XXX make configurable */ - file_ctx->size_limit = UNIFIED_FILESIZE_LIMIT; + const char *s_limit = NULL; + uint32_t limit = DEFAULT_LIMIT; + if (conf != NULL) { + s_limit = ConfNodeLookupChildValue(conf, "limit"); + if (s_limit != NULL) { + if (ByteExtractStringUint32(&limit, 10, 0, s_limit) == -1) { + SCLogError(SC_ERR_INVALID_ARGUMENT, + "Fail to initialize unified2 output, invalid limit: %s", + s_limit); + exit(EXIT_FAILURE); + } + if (limit < MIN_LIMIT) { + SCLogError(SC_ERR_INVALID_ARGUMENT, + "Fail to initialize unified2 output, limit less than " + "allowed minimum."); + exit(EXIT_FAILURE); + } + } + } + file_ctx->size_limit = limit * 1024 * 1024; + ret = Unified2AlertOpenFileCtx(file_ctx, filename); if (ret < 0) return NULL; + SCLogInfo("Unified2-alert initialized: filename %s, limit %"PRIu32" MB", + filename, limit); + return file_ctx; } diff --git a/src/output.h b/src/output.h index d516a06311..a70af28129 100644 --- a/src/output.h +++ b/src/output.h @@ -9,7 +9,6 @@ #define __OUTPUT_H__ #include "suricata.h" -#define UNIFIED_FILESIZE_LIMIT 10*1024*1024 typedef struct OutputModule_ { char *name; diff --git a/suricata.yaml b/suricata.yaml index 45c7aff069..89017f05af 100644 --- a/suricata.yaml +++ b/suricata.yaml @@ -21,14 +21,23 @@ outputs: enabled: yes filename: unified.log + # Limit in MB. + #limit: 32 + - unified-alert: enabled: yes filename: unified.alert + # Limit in MB. + #limit: 32 + - unified2-alert: enabled: yes filename: unified2.alert + # Limit in MB. + #limit: 32 + - http-log: enabled: yes filename: http.log