+ notification_t n = {
+ .severity = NOTIF_OKAY,
+ .time = cdtime(),
+ .plugin = "sysevent",
+ .type = "gauge",
+ };
+
+#if HAVE_YAJL_V2
+ if (node != NULL) {
+ // If we have a parsed-JSON node to work with, use that
+ // msg
+ const char *msg_path[] = {rsyslog_keys[2], (const char *)0};
+ yajl_val msg_v = yajl_tree_get(*node, msg_path, yajl_t_string);
+
+ char msg[listen_buffer_size];
+
+ if (msg_v != NULL) {
+ memset(msg, '\0', listen_buffer_size);
+ snprintf(msg, listen_buffer_size, "%s%c", YAJL_GET_STRING(msg_v), '\0');
+ }
+
+ // severity
+ const char *severity_path[] = {"@fields", rsyslog_field_keys[1],
+ (const char *)0};
+ yajl_val severity_v = yajl_tree_get(*node, severity_path, yajl_t_string);
+
+ char severity[listen_buffer_size];
+
+ if (severity_v != NULL) {
+ memset(severity, '\0', listen_buffer_size);
+ snprintf(severity, listen_buffer_size, "%s%c",
+ YAJL_GET_STRING(severity_v), '\0');
+ }
+
+ // sev_num
+ const char *sev_num_str_path[] = {"@fields", rsyslog_field_keys[2],
+ (const char *)0};
+ yajl_val sev_num_str_v =
+ yajl_tree_get(*node, sev_num_str_path, yajl_t_string);
+
+ char sev_num_str[listen_buffer_size];
+ int sev_num = -1;
+
+ if (sev_num_str_v != NULL) {
+ memset(sev_num_str, '\0', listen_buffer_size);
+ snprintf(sev_num_str, listen_buffer_size, "%s%c",
+ YAJL_GET_STRING(sev_num_str_v), '\0');
+
+ sev_num = atoi(sev_num_str);
+
+ if (sev_num < 4)
+ n.severity = NOTIF_FAILURE;
+ }
+
+ // process
+ const char *process_path[] = {"@fields", rsyslog_field_keys[3],
+ (const char *)0};
+ yajl_val process_v = yajl_tree_get(*node, process_path, yajl_t_string);
+
+ char process[listen_buffer_size];
+
+ if (process_v != NULL) {
+ memset(process, '\0', listen_buffer_size);
+ snprintf(process, listen_buffer_size, "%s%c", YAJL_GET_STRING(process_v),
+ '\0');
+ }
+
+ // hostname
+ const char *hostname_path[] = {rsyslog_keys[1], (const char *)0};
+ yajl_val hostname_v = yajl_tree_get(*node, hostname_path, yajl_t_string);
+
+ char hostname_str[listen_buffer_size];
+
+ if (hostname_v != NULL) {
+ memset(hostname_str, '\0', listen_buffer_size);
+ snprintf(hostname_str, listen_buffer_size, "%s%c",
+ YAJL_GET_STRING(hostname_v), '\0');
+ }
+
+ gen_message_payload(
+ (msg_v != NULL ? msg : NULL), (severity_v != NULL ? severity : NULL),
+ (sev_num_str_v != NULL ? sev_num : -1),
+ (process_v != NULL ? process : NULL),
+ (hostname_v != NULL ? hostname_str : hostname_g), timestamp, &buf);
+ } else {
+ // Data was not sent in JSON format, so just treat the whole log entry
+ // as the message (and we'll be unable to acquire certain data, so the
+ // payload
+ // generated below will be less informative)
+
+ gen_message_payload(message, NULL, -1, NULL, hostname_g, timestamp, &buf);
+ }
+#else
+ gen_message_payload(message, NULL, -1, NULL, hostname_g, timestamp, &buf);
+#endif
+
+ sstrncpy(n.host, hostname_g, sizeof(n.host));
+
+ int status = plugin_notification_meta_add_string(&n, "ves", buf);
+
+ if (status < 0) {
+ sfree(buf);
+ ERROR("sysevent plugin: unable to set notification VES metadata: %s",
+ STRERRNO);
+ return;
+ }
+
+ DEBUG("sysevent plugin: notification VES metadata: %s",
+ n.meta->nm_value.nm_string);
+
+ DEBUG("sysevent plugin: dispatching message");
+
+ plugin_dispatch_notification(&n);
+ plugin_notification_meta_free(n.meta);
+
+ // strdup'd in gen_message_payload
+ if (buf != NULL)
+ sfree(buf);
+}
+
+static void read_ring_buffer() {
+ pthread_mutex_lock(&sysevent_data_lock);
+
+ // If there's currently nothing to read from the buffer,
+ // then wait
+ if (ring.head == ring.tail)
+ pthread_cond_wait(&sysevent_cond, &sysevent_data_lock);
+
+ while (ring.head != ring.tail) {
+ int next = ring.tail + 1;
+
+ if (next >= ring.maxLen)
+ next = 0;
+
+ DEBUG("sysevent plugin: reading from ring buffer: %s",
+ ring.buffer[ring.tail]);
+
+ cdtime_t timestamp = ring.timestamp[ring.tail];
+ char *match_str = NULL;
+
+#if HAVE_YAJL_V2
+ // Try to parse JSON, and if it fails, fall back to plain string
+ char errbuf[1024];
+ errbuf[0] = 0;
+ yajl_val node = yajl_tree_parse((const char *)ring.buffer[ring.tail],
+ errbuf, sizeof(errbuf));
+
+ if (node != NULL) {
+ // JSON rsyslog data
+
+ // If we have any regex filters, we need to see if the message portion of
+ // the data matches any of them (otherwise we're not interested)
+ if (monitor_all_messages == 0) {
+ const char *path[] = {"@message", (const char *)0};
+ yajl_val v = yajl_tree_get(node, path, yajl_t_string);
+
+ char json_val[listen_buffer_size];
+ memset(json_val, '\0', listen_buffer_size);
+
+ snprintf(json_val, listen_buffer_size, "%s%c", YAJL_GET_STRING(v),
+ '\0');
+
+ match_str = (char *)&json_val;