
***
* Use of this file is deprecated, use svn log.
***

2004-02-10  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/lml-alert.c (generate_target): 
	check for user/process/node before inserting a default
	value for these.

2004-02-01  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/file-server.c: 
	* src/pconfig.c (set_file): 
	* src/log-common.c:
	big sanitization of the API.
	
	* plugins/simple/simple.c (parse_ruleset_directive): 
	if an inclusion file, do not ignore other file.
	
2004-02-01  Yoann Vandoorselaere  <yoann@prelude-ids.org>
		
	* src/udp-server.c (udp_server_process_event): 
	use log_file_set_source().
	(udp_server_process_event): remove trailing syslog
	priority / facility '>' character.

	* src/log-common.c (log_file_set_source): 
	implemented. Doesn't check whether the file exists.
	free previous value if already set.
	
	(log_file_set_filename): free filename if it already
	exists.

	* src/udp-server.c (udp_server_new): verbose message
	when the syslog server is enabled.
	
	(udp_server_process_event, udp_server_new): embed
	a log_file_t within udp_server_t. Set the filename
	to be the source of the syslog message. Avoid a crash
	due to the recent log file handling change.

2004-01-31  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* plugins/simple/ruleset/simple.rules (regex): 
	use the same classification for user authentication
	(succeeded/failed). 

2004-01-23  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* plugins/simple/simple.c:	
	(simple_run): remove latest "pass" addition, cleanup the
	code and allow use of the "last" attribute with regex 
	that doesn't generate an alert. Keep the pass_rules_first
	option though.

2004-01-23  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	(set_pass_first): 
	(parse_rule_pass): implemented.
	(parse_rule_keyword): hook pass keyword.
	(simple_run): stop walking rule in case we meet a "pass" rule.

	(plugin_init): new option to process pass rules first,
	if the user wants to. Make this option get higher priority than
	the ruleset specification option.
	
	(parse_ruleset_directive): if the "pass rules" first option was
	specified, add pass rules at the beginning of the list.

2004-01-20   Gene R Gomez  <gene@gomezbrothers.com>

	* plugins/simple/ruleset:
	Cleaned up regex to remove some syslog dependencies (vigor.rules
	and a few others without sample logs remain).  Added honeyd.rules
	ruleset.

2004-01-15  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* plugins/simple/ruleset/simple.rules (regex): 
	better rules.

	* plugins/simple/ruleset/grsecurity.rules: 
	* plugins/simple/ruleset/ssh.rules: 
	syslog independence...
	
	* src/lml-alert.c (generate_target): 
	reuse existing target if any. We need some kind of
	mechanism so that it is totally doable from the rulesets.

	* prelude-lml.conf.in (file): 
	update metalog default format.

2004-01-11  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/log-common.c (log_file_new): 
	oops, set default ts_fmt.

2004-01-10  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/log-common.c 
	(format_header, handle_escaped, format_common): 
	(format_tstamp): Re-worked, cleaned-up, with the 
	ability to tell where exactly in the log is the
	timestamp. Make it much more easy to add new hook
	for IDMEF field within the log.

	(SYSLOG_LOG_FMT): 
	(SYSLOG_TS_FMT): update to the newer format.

	* prelude-lml.conf.in: remove invalid section,
	use new log message configuration format.

2004-01-09  Gene Gomez  <gene@gomezbrothers.com>

	* plugins/simple/ruleset:
	id and revision tags added to all rules.  This should
	allow for better management and revisioning of the
	rulesets.

2004-01-08  Gene Gomez  <gene@gomezbrothers.com>

	* plugins/simple/ruleset:
	Rulesets "sanitized"; standardized format introduced.

2004-01-07  Nicolas Delon  <delon.nicolas@wanadoo.fr>

	* plugins/simple/simple.c:
	(build_message)
	fit idmef_message changes

2003-12-29  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* plugins.rules.in: remove paxmod. Obsoleted.

2003-12-26  Nicolas Delon  <delon.nicolas@wanadoo.fr>

	* src/lml-alert.c:
	(send_heartbeat_cb)
	call prelude_msgbuf_mark_end() to flush the alert

2003-12-26  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/lml-alert.c (generate_target): 
	if target_user is set add to the alert.
	(lml_emit_alert): call prelude_msgbuf_mark_end() to flush
	the alert.

	* src/pconfig.c (pconfig_set): workaround prelude-getopt
	flaw...

	* src/file-server.c (file_server_wake_up): 
	(initialize_fam): don't try to initialize fam on
	each file monitored in case fam initialization fail once.

	* src/pconfig.c (set_logwatch): remove new logfile
	configuration scheme for now, it's not ready yet.
	(set_file): create the log_file_t object here, and
	set the format according to the last format variable
	value (default is syslog if not set). Option order is
	respected.

2003-12-22  Nicolas Delon  <delon.nicolas@wanadoo.fr>

	* plugins/simple/ruleset/*.rules:
	change all impact.* to assessement.impact.*

2003-12-21  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* plugins/simple/simple.c (parse_rule_object_value): 
	fix a typo.

	* src/pconfig.c (pconfig_set, set_logwatch): 
	comment call to prelude_option_parse_from_context
	for now so that LML is usable...

2003-12-21  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* plugins/simple/simple.c: 
	some code simplification. Include patch from 
	Nicolas Delon, (2003-12-20 Changelog entry).

2003-12-20  Nicolas Delon  <delon.nicolas@wanadoo.fr>

	* plugins/debug/debug.c:
	* plugins/pax/pax.c:
	* plugins/simple/simple.c:
	* plugins/simple/ruleset/checkpoint.rules:
	* plugins/simple/ruleset/cisco.rules:
	* plugins/simple/ruleset/exim.rules:
	* plugins/simple/ruleset/grsecurity.rules:
	* plugins/simple/ruleset/ipchains.rules:
	* plugins/simple/ruleset/ipfw.rules:
	* plugins/simple/ruleset/ipso.rules:
	* plugins/simple/ruleset/netfilter.rules:
	* plugins/simple/ruleset/ntsyslog.rules:
	* plugins/simple/ruleset/portsentry.rules:
	* plugins/simple/ruleset/proftpd.rules:
	* plugins/simple/ruleset/qpopper.rules:
	* plugins/simple/ruleset/simple.rules:
	* plugins/simple/ruleset/squid.rules:
	* plugins/simple/ruleset/ssh.rules:
	* plugins/simple/ruleset/vigor.rules:
	* plugins/simple/ruleset/vpopmail.rules:
	* plugins/simple/ruleset/wap11.rules:
	* plugins/simple/ruleset/zywall.rules:
	* plugins/simple/ruleset/zyxel.rules:
	* src/file-server.c:
	* src/lml-alert.c:
	prelude-lml has been ported to the new IDMEF API.
	The most important thing is that simple.c now uses
	idmef_object to create objects from the rules files.
	The code has also been cleaned up and, thanks to idmef_object,
	simple.c is just about 900 lines long against 2500 before
	the port.
	Because of the use of idmef_object, the format of rules has changed
	a little bit: "class" becomes "classification" and listed elements of
	the object must be indexed, for example:
	source.node.address;
	source.node.address.address=$1;
	becomes
	source(0).node.address(0).address=$1

2003-12-15  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* Merge from 0-8.

	* src/pconfig.c (set_batch_mode): 
	(set_logfile_format): 
	(set_logfile_ts_format): implemented.
	(set_file): 
	(set_logwatch): cleaner children option handling. 
	(pconfig_set): add options...

	* src/main.c (main): 
	if batch mode is set, don't use the select() loop, 
	and don't sleep between reading call.

	* src/log-common.c: New API abstracting the logfile,
	permitting to easily setup per logfile format string.
	(format_time): 
	(handle_escaped): 
	(format_header): 
	(format_log): use user provided format string.

	* src/file-server.c: if batch_mode is set, don't
	initialize FAM. 
	(file_server_set_batch_mode): implemented.

2003-12-12  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/main.c (main): 
	only use the polling method if batch_mode is not set.
	don't call sleep() in case batch_mode is enabled: we
	want to read everything at once.

	* plugins/simple/simple.c (parse_id): 
	(parse_revision): implemented.
	(parse_rule): added hook for parse_id and parse_revision.

	This feature was requested in order to help with ruleset
	administration.

2003-10-27  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* plugins/simple/ruleset/Makefile.am (ruleset_DATA): 
	* plugins/simple/ruleset/wap11.rules: 
	new ruleset to monitor WAP11 activity.

2003-10-22  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* NEWS: updated.
	* configure.in: bump version to 0.8.6.
	
	* plugins/simple/simple.c:
	(create_service_port): if the variable is prefixed with 0x or 0X, 
	then set VARIABLE_CONTENT_TYPE_HEX. So that we force it to be read 
	as a base 16 value later.
	
	(resolve_variable): do not use atoi() anymore, but use strtol().
	Default base argument is 0, allowing to automatically handle decimal,
	hexadecimal, and octal. For values that contain hex, but not prefixed
	by 0x, then 0x should be added as the variable prefix, so that we know
	how to handle it.
	
	* plugins/simple/simple.c (resolve_variable): 
	Avoid testing the value with isdigit if VARIABLE_CONTENT_TYPE_HEX
	is set. This is used for hexadecimal values only. Fix problem if
	first byte of a hexadecimal value is not a digit.

2003-10-21  Stephane Loeuillet <stephane.loeuillet@tiscali.fr>

	* plugins/simple/ruleset/portsentry.rules :
	add a new rule concerning dropped packets

	* plugins/simple/ruleset/zyxel.rules :
	add a rule for PPP logs
	specify ruleset/rule number concerned by a Filter log
	add a H before port number as they are in hexadecimal in those logs

2003-10-11  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* src/lml-alert.c(generate_target):
	fixed handling return value of prelude_inet_getaddrinfo(). 

	* plugins/simple/ipfw.rules:
	fixed ICMP rules. Thanks to mark@fantoma.net for the report. 

2003-10-06  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* NEWS: updated.
	* configure.in: bump version to 0.8.5.

2003-09-25  Nicolas Delon  <delon.nicolas@wanadoo.fr>

	* src/file-server.c:
	(is_file_already_used)
	bug fix, this function only tested if the log file has
	been removed, but not if the file has been renamed or not
	(which typically happens when a log file is rotated without
	compression (a simple rename of the log file is performed))
	(fam_process_event)
	bug fix / update, also call is_file_already_used when the log
	file is moved

	* src/log-common.c:
	bug fix, make this file also compile with OS other than Linux

2003-09-21  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* NEWS: updated
	* configure.in: bump version number to 0.8.4.
	
	* plugins/simple/simple.c (emit_alert): 
	do not free target_hostname. It should provide more
	information about the target.
	
	* plugins/simple/ruleset/netfilter.rules: 
	Add target information to the alert issued from netfilter logs.
	
2003-08-10  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* configure.in: removed pcre.h test. 

2003-08-10  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* src/regex.c (regex_create_entry): removed a debugging printf. 

2003-08-09  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* configure.in:
	handle situation where $fam_include_dir is undefined correctly. 

2003-08-09  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/regex.c (trim): \0 at the end of the string,
	so that we don't get the end of the filtered input line.

	* src/file-server.c (logfile_alert): 
	set file category to "current".

2003-08-06  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/regex.c (trim): fix this function so that it
	is clean and understandable.

	(regex_init): use strtok() instead of strtok_r() because
	it might not be supported. Remove a lot of unnecessary code,
	no string copies are needed.

2003-07-20  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* NEWS: update for upcoming release.

2003-07-09  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/file-server.c (logfile_alert): 
	* src/main.c (lml_dispatch_log): 
	update to the new log container interface.

	* src/log-common.c: 
	major rework of the log interface, to be more object oriented.
	Also, when log_container_new() is called, always fill a default
	hostname, so that we don't end up with a NULL hostname when 
	log_container_set_log() isn't called (we don't have the syslog
	header).

2003-06-17  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/file-server.c (file_metadata_get_position): 
	always set st_size.
	
	(file_metadata_get_position): don't issue an alert here, if
	there was a rotation. The user already got a logfile deleted
	alert.

	(file_metadata_get_position): 
	(file_metadata_get_position): in case there was a rotation or 
	a checksum error, we have to analyze the file from the beginning: 
	set monitor->last_size to 0 before returning.

	Avoid alert duplicate.
	
2003-06-13  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/lml-alert.c (resolve_failed_fallback): 
	Implemented. Try to fill what we can in case getaddrinfo()
	fails (which only happens in badly configured environments).

	(generate_target): dump an error using prelude_inet_gai_strerror() 
	if prelude_inet_getaddrinfo() fails. Call resolve_failed_fallback().

2003-06-12  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/lml-alert.c (ANALYZER_MODEL): fix class and model.
	(generate_target): use prelude_inet_getaddrinfo() in order
	to get target information, call fill_target().

	(keep_buffer): Ugly hack because of the IDMEF API memory handling
	silliness.

	(fill_target): implemented. Walk the addrinfo list and populate
	Node and Address.

2003-06-11  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* configure.in: 
	use AC_PATH_GENERIC instead of AC_PATH_GENERIC2 for
	PCRE checks.

	* acinclude.m4: 
	delete AC_PATH_GENERIC2, make AC_PATH_GENERIC handle
	version number with both 2 and 3 separated numbers.

	* src/file-server.c (file_metadata_read): 
	(file_metadata_save): returning the address of a local 
	variable is a bad idea. I wonder how it worked before.

2003-06-09  Stephane Loeuillet <stephane.loeuillet@tiscali.fr>

	* configure.in
	now detect pcre.h and stops configure if not present

	* src/regex.c :
	make an error message more verbose
	(display name of the file it can't open)

2003-06-02  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/file-server.c (monitor_open): be verbose when
	we fail to open a logfile.

	* src/pconfig.c (set_lml_group): new function,
	find group by name, and save the group GID.

	(pconfig_set): new --group (-g) option, take a groupname
	argument. LML will then setgid to the specified group if
	requested.

	(set_file): check that we have read permission, at least.

	This fixes bug #0000081.

2003-05-19  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* plugins/simple/ruleset/ipchains.rules:
	new file. Linux IPChains ruleset from 
	Simon Castro <scastro [at] entreelibre.com>

	* plugins/simple/ruleset/simple.rules:
	* plugins/simple/ruleset/Makefile.am:
	modified accordingly

2003-05-19  Stephane Loeuillet <stephane.loeuillet@tiscali.fr>

	* plugins/simple/ruleset/{simple.rules, Makefile.am} :

	- include the two new .rules files

	* plugins/simple/ruleset/{portsentry,vigor}.rules :

	- add two PortSentry regex
	- add Vigor xDSL router built-in firewall support
	  (John Green <john@giggled.org>)

2003-05-19  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* configure.in (enable_fam): remove debugging echo.
	
	(log_plugin_dir): remove trailing /

	* Makefile.am (install-data-local): 
	install plugin.rules manually, don't overwrite if already
	present.
	
	(EXTRA_DIST): remove preludeconf_DATA (fix bug #0000079:
	"make install of prelude-lml override old
	etc/prelude-lml/prelude-lml.conf")

2003-05-18  Stephane Loeuillet <stephane.loeuillet@tiscali.fr>

	* plugins/simple/ruleset/{simple,exim,checkpoint,squid,ipso,ntsyslog}.rules :

	- split regex lines to make them more 'diff friendly'

	* plugins/simple/simple.c :

	- split function 'resolve_variable' to new function
	'resolve_variable_list' and 'resolve_variable'

	- add a new variable type for [source/target].service.port
	(VARIABLE_TYPE_PORT). now, ports could either contain a port number
	or a service name (www would resolve to 80, depending your /etc/services)

2003-05-02  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/file-server.c (read_logfile): 
	we are not threaded anymore, so stop using getc_unlocked(),
	which despite the confusing glibc manpage, doesn't seem to
	be portable. Use getc() instead.

2003-04-26  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* configure.in: bump version number to 0.8.3.

	* src/file-server.c (check_logfile_data): 
	handle case where the logfile gets truncated.
	
	(read_logfile): return immediately with rlen set to 0
	if available is 0.
	
2003-04-26  Stephane Loeuillet <stephane.loeuillet@tiscali.fr>

	* plugins/simple/ruleset/{proftpd,qpopper,ssh,vpopmail}.rules :

	- added 'last' keyword when needed to not parse a log line 2 times

	- changed my mail address

2003-04-25  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/file-server.c (read_logfile): changed the semantic
	of this function:

	- Now return -1 if it couldn't read a full log line (data 
	  doesn't end with \n). 

	- Return the size of the whole log line otherwise (not only
	  what has been read upon this call, as a log line might
	  require several calls of this function in order to be read).

	- The function now takes a pointer to a 64 bits integer as
	  argument, which is _always_ modified to reflect the size of
	  what has been read.

	- The function now takes an "available" 64bits integer argument
	  that specifies how many bytes we should read at max (needed because
	  the file size might change between the time we call stat() and we
	  read the file).

	(check_logfile_data): update to fit the new read_logfile() semantic.

	* src/pconfig.c (set_file): 
	fail if the given file doesn't exist (only fail on startup).

	* src/file-server.c (file_metadata_read): 
	in case the metadata file contains invalid stuff, issue
	a warning and truncate it.
	
	(check_logfile_data): remove invalid assertion(). 
	Call abort() if FAM is activated and that it notified us,
	but the number of bytes read doesn't match the new file size.
	That should never happen.

	* src/main.c (main): call file_server_start_monitoring().

	* src/file-server.c: cleanup, re-organisation.
	
	(file_server_start_monitoring): New function, initialize
	everything once by calling file_server_wake_up(), which'll
	have the side effect of opening un-opened file.

	(file_server_monitor_file): do not call monitor_open() here:
	we want all unread bytes to be processed before activating
	FAM notification if enabled.

	(check_logfile_data): assert in case we get an EOF on
	read and FAM was initialized.

	(file_metadata_get_position): set last_size to current
	file size only if we want to start at the tail. 

	Emit an alert and set file position to 0 if the checksum 
	is invalid.

	Include size of checksummed line in last_size.

	(file_metadata_save): truncate the file before writing
	to it. Avoid garbage to remain in the file.

	* configure.in: check for FILENAME_MAX, define it
	if it's not defined on this system.

2003-04-24  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/pconfig.c (pconfig_set): 
	add the rotation-interval option.

	* src/Makefile.am (DEFS): 
	add -D_FILE_OFFSET_BITS=64 to the CFLAGS.

	* Makefile.am (install-data-local): 
	create the metadata directory.

	* plugins/simple/ruleset/squid.rules: 
	* plugins/simple/ruleset/ntsyslog.rules: 
	* plugins/simple/ruleset/checkpoint.rules: 
	* plugins/simple/ruleset/ipso.rules: 
	new rulesets from Vincent Glaume <vglaume@exaprobe.com>.

	* plugins/simple/simple.c: Include modified patch
	from Vincent Glaume <vglaume@exaprobe.com>, adding a "last"
	keyword, telling to stop walking our regex list data once a 
	regex has been matched.
	
2003-04-23  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/file-server.c 
	(file_metadata_read): read the offset and the last log line 
	where we stopped analyzing data from the logfile metadata. 
	
	(file_metadata_save): Save current offset and current log line.

	(file_metadata_position_monitor): Position the monitor provided 
	the content of the metadata. If there is no metadata, we start
	reading the file from its tail.

	If there is metadata available and current logfile size is
	less than the specified metadata offset, the log got rotated,
	and we start analyzing the file at 0.

	If there is metadata available and current logfile size is
	more than or equal to the specified metadata offset: start analyzing
	the logfile from the specified offset. Unless the checksum doesn't
	match, in which case we'll issue an alert, and restart from 0.
	
	(file_metadata_open): compute metadata filename associated with
	the monitor. Open it.
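
Added example (not code from prelude-lml): a C sketch of the start-position decision described in the 2003-04-23 entry above, run against constructed log content. The metadata layout, the FNV-1a checksum and every name below are assumptions; the entry does not say which checksum is used.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample log lines (not taken from a real system). */
#define LINE1 "Feb  1 10:00:01 gw sshd[311]: Accepted password for alice\n"
#define LINE2 "Feb  1 10:00:09 gw sshd[312]: Failed password for root\n"
#define LINE3 "Feb  1 10:00:15 gw sshd[313]: Failed password for root\n"
#define LINE2_EDITED "Feb  1 10:00:09 gw sshd[312]: Accepted publickey alice\n"
#define ROTATED "Feb  2 00:00:01 gw syslogd: restart\n"

/* Assumed metadata record: where analysis stopped, plus the length and
 * checksum of the last line analyzed before that point. */
struct log_meta {
    long offset;
    size_t last_len;
    uint32_t last_sum;
};

enum start_reason { START_TAIL, START_RESUME, START_ROTATED, START_CHECKSUM_MISMATCH };

/* FNV-1a, standing in for whatever checksum the real code uses. */
static uint32_t line_sum(const char *buf, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= (unsigned char)buf[i];
        h *= 16777619u;
    }
    return h;
}

/* Build the metadata a previous run would have saved after analyzing `seen`. */
static struct log_meta meta_from(const char *seen)
{
    size_t len = strlen(seen);
    size_t begin = len ? len - 1 : 0;      /* step over the trailing '\n' */
    while (begin > 0 && seen[begin - 1] != '\n')
        begin--;
    struct log_meta m = { (long)len, len - begin, line_sum(seen + begin, len - begin) };
    return m;
}

/* Decide where to start reading. START_CHECKSUM_MISMATCH is the case in
 * which the caller would emit its alert before re-reading from 0. */
int position_monitor(FILE *fp, const struct log_meta *meta, long *start)
{
    char line[1024];
    long size;

    if (fseek(fp, 0, SEEK_END) != 0 || (size = ftell(fp)) < 0)
        return -1;
    if (!meta) {                           /* no metadata: start at the tail */
        *start = size;
        return START_TAIL;
    }
    if (size < meta->offset) {             /* file shrank: it was rotated */
        *start = 0;
        return START_ROTATED;
    }
    /* Re-read the line that ended at the saved offset and compare checksums. */
    if (meta->last_len > sizeof(line) ||
        fseek(fp, meta->offset - (long)meta->last_len, SEEK_SET) != 0 ||
        fread(line, 1, meta->last_len, fp) != meta->last_len ||
        line_sum(line, meta->last_len) != meta->last_sum) {
        *start = 0;
        return START_CHECKSUM_MISMATCH;
    }
    *start = meta->offset;
    return START_RESUME;
}

/* Run one case: `seen` is what the previous run analyzed (NULL means no
 * metadata exists), `now` is the log file content found at restart. */
int scenario(const char *seen, const char *now, long *start)
{
    struct log_meta m, *mp = NULL;
    FILE *fp = tmpfile();
    int r;

    if (!fp)
        return -1;
    fputs(now, fp);
    fflush(fp);
    if (seen) {
        m = meta_from(seen);
        mp = &m;
    }
    r = position_monitor(fp, mp, start);
    fclose(fp);
    return r;
}

int main(void)
{
    static const char *names[] = { "tail", "resume", "rotated", "checksum mismatch" };
    struct { const char *label, *seen, *now; } cases[] = {
        { "no metadata", NULL, LINE1 LINE2 },
        { "appended", LINE1 LINE2, LINE1 LINE2 LINE3 },
        { "rotated", LINE1 LINE2, ROTATED },
        { "rewritten", LINE1 LINE2, LINE1 LINE2_EDITED LINE3 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        long start = -1;
        int r = scenario(cases[i].seen, cases[i].now, &start);
        printf("%-12s -> %s, start at %ld\n", cases[i].label,
               r < 0 ? "error" : names[r], start);
    }
    return 0;
}
```

Because this sketch checksums only the last analyzed line, an edit to earlier lines that leaves that line and its position intact is not noticed.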

2003-04-22  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/file-server.c (monitor_open): 
	if provided filename is "stdin", use stdin as the input
	descriptor.

2003-03-18  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* plugins/simple/ruleset/Makefile.am:
	add missing entries to ruleset_DATA.

	* plugins/simple/ruleset/proftpd.rules:
	* plugins/simple/ruleset/ssh.rules:
	* plugins/simple/ruleset/vpopmail.rules:
	English grammar fixes.

2003-02-27  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* plugins/simple/ruleset/exim.rules (regex): 
	add \ to end of line.

	* src/udp-server.c (udp_server_get_event_fd):
	Avoid a NULL pointer dereference.

	* src/main.c (add_fd_to_set):
	(wait_for_event): don't add the FD if its value is -1.

2003-02-04  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* plugins/simple/ruleset/simple.rules (include): 
	include exim.rules.

	* plugins/simple/ruleset/exim.rules: included 
	contribution from Laurent Oudot <oudot.laurent@wanadoo.fr>.

	* Ruleset update from Stephane Loeuillet
	<LeRoutier@wanadoo.fr>. Include new ProFTPD,
	vpopmail, and qpopper, rulesets.

	* plugins/simple/simple.c: handling of IDMEF
	source and destination address.

	* src/file-server.c: (fam_wait_for_event):
	remove unused.

	* src/lml-alert.c (generate_analyzer): 
	make LML alert carry LML version.

2003-01-23  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/main.c (sighup_handler): implemented. Set the
	global got_sighup variable to 1 in an atomic way.
	(got_sighup is a volatile sig_atomic_t).

	(main): register a handler for SIGHUP. Use the
	wait_for_event function if we have FAM file monitoring
	or an UDP server or both. Revert to normal polling otherwise,
	meaning we call file_server_wake_up() every second, and check
	for SIGHUP.

	(wait_for_event): call handle_sighup_if_needed()
	each time we go through the event loop. Restart
	the loop if select() returns EINTR, so that we catch
	the signal immediately.

	(handle_sighup_if_needed): implemented. If got_sighup
	is set, then the udp server port will be closed (so
	that we can bind the port again), and prelude-lml
	will be restarted.

	* src/file-server.c (file_server_monitor_file): 
	print an error if we can't open the monitored file.

	(file_server_get_event_fd): return -1 if we have FAM
	but it is not enabled because of the writev() bug.

	(file_server_standalone): removed this function, the
	code is being moved in another place so that we can 
	poll for SIGHUP periodically.

	* Makefile.am (install-data-local): install 
	prelude-lml.conf-dist with mode 600.

2002-12-18  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/debug/debug.c (debug_run): stop using our own
	msgbuf. Use lml-alert provided function. Also, debug messages
	are _low_ priority.

2002-12-09  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* configure.in: bump version number to 0.8.2.

	* NEWS: updated.
	
	* Makefile.am (EXTRA_DIST): include COPYING.OpenSSL
	
	* plugins/simple/ruleset/netfilter.rules: 
	Include patch from Nicolas Delon <delon.nicolas@wanadoo.fr>:
	the pattern "(MAC=[\w:]+)?" is used to match the MAC string 
	reported by netfilter in log. This rule works fine for packets
	received on a LAN where IP packets are encapsulated in an ethernet (for
	example) frame, but does not work for packets directly received from
	internet where MAC has no value and is reported as the simple string
	"MAC=" in the log line.
	The "(MAC=[\w:]+)?" string should be replaced by "MAC=([\w:]+)?", so 
	that the pattern can match in both cases.
	
	* configure.in (enable_fam): check that FAM library
	and headers are available on this system before compiling
	in FAM support.

	* configure.in:
	* src/file-server.c: 
	Move test issued to see if the operating system we're running
	on is vulnerable to the writev() issued change not being notified
	to file-server.c. The check is now done at runtime, this will 
	prevent people from recompiling LML when reinstalling a new kernel.

	* src/main.c (sig_handler): don't use fprintf, use the 
	log() function.
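
Added example (not part of the original ChangeLog or of the project's code): the two MAC patterns from the netfilter.rules item in the 2002-12-09 entry above, compiled with POSIX regcomp() and run over constructed log lines. `\w` is written as `[[:alnum:]_]` because POSIX ERE has no `\w` inside brackets; the IN=/OUT=/SRC= context around the MAC field and the sample lines are assumptions.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Assumed rule context; only the MAC part comes from the ChangeLog entry. */
#define RULE_HEAD "IN=[[:alnum:]]+ OUT=[[:alnum:]]* "
#define RULE_TAIL " SRC=([0-9.]+)"
#define OLD_RULE RULE_HEAD "(MAC=[[:alnum:]_:]+)?" RULE_TAIL
#define NEW_RULE RULE_HEAD "MAC=([[:alnum:]_:]+)?" RULE_TAIL

/* Constructed netfilter-style lines: one logged on a LAN interface, one on
 * a link where no MAC is available and the field is the bare "MAC=". */
#define LAN_LINE "kernel: DROP IN=eth0 OUT= MAC=00:50:56:aa:bb:cc:00:0c:29:11:22:33:08:00 " \
                 "SRC=192.0.2.7 DST=198.51.100.4 PROTO=TCP DPT=22"
#define PPP_LINE "kernel: DROP IN=ppp0 OUT= MAC= SRC=192.0.2.7 DST=198.51.100.4 PROTO=TCP DPT=22"

static const char *SAMPLE[] = { LAN_LINE, PPP_LINE };

/* Returns 1 and copies the captured source address when the rule matches,
 * 0 when it does not match, -1 when the pattern does not compile. */
int rule_src(const char *pattern, const char *line, char *src, size_t srclen)
{
    regex_t re;
    regmatch_t m[3];        /* m[1] is the MAC group, m[2] the SRC group */
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;
    rc = regexec(&re, line, 3, m, 0);
    if (rc == 0)
        snprintf(src, srclen, "%.*s", (int)(m[2].rm_eo - m[2].rm_so), line + m[2].rm_so);
    regfree(&re);
    return rc == 0;
}

/* Number of sample lines the rule turns into an alert. */
int count_matched(const char *pattern)
{
    char src[32];
    int n = 0;

    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        if (rule_src(pattern, SAMPLE[i], src, sizeof src) == 1)
            n++;
    return n;
}

int main(void)
{
    /* With the old pattern the optional group cannot consume the bare
     * "MAC=", so the rest of the rule never lines up and the line is missed. */
    printf("old rule matches %d of 2 lines\n", count_matched(OLD_RULE));
    printf("new rule matches %d of 2 lines\n", count_matched(NEW_RULE));
    return 0;
}
```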

2002-12-05  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/file-server.c: include config.h before checking
	if HAVE_FAM is set.

	* acconfig.h: removed.

	* configure.in: 
	implemented FAM detection code. This code will both
	check if FAM is available, and if FAM notices writev()
	changes (known Linux kernel bug).

	Also removed code that checks if we need aligned access,
	libprelude does that for us, and it's not needed anyway.

2002-11-28  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/pconfig.c (print_help): fit prelude-getopt
	API change.

2002-11-12  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* COPYING.OpenSSL: 
	* README: Permit linking with OpenSSL so that Debian 
	package might be distributed.
	
2002-11-06  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/file-server.c (file_server_standalone): 
	add a call to prelude_wake_up_timer() in standalone mode.

2002-10-28  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/simple/ruleset/zywall.rules: 
	Include ZyWall ruleset contributed by 
	Laurent Oudot <oudot.laurent@wanadoo.fr>

	* plugins/simple/ruleset/simple.rules (include): 
	include zywall.rules.

2002-10-26  Yoann Vandoorselaere  <yoann@mandrakesoft.com>
	
	* plugins/simple/ruleset/ssh.rules: 
	Include sshd ruleset contributed by 
	Nicolas Delon <delon.nicolas@wanadoo.fr>.
	
	* plugins/simple/ruleset/simple.rules (include): 
	include ssh.rules

	* plugins/simple/ruleset/Makefile.am (ruleset_DATA): 
	add ssh.rules

2002-10-13  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/simple/ruleset/grsecurity.rules: 
	new grsecurity ruleset, contributed by 
	Brad Spengler <spender@grsecurity.net>, and handling
	grsecurity up to 1.9.7.

	* plugins/simple/ruleset/simple.rules: fix a typo.

	* plugins/simple/simple.c (parse_ruleset): 
	check if rule->regex is NULL (which is possible
	in case a rule doesn't provide a regex). Dump an
	error, and drop the rule. This fixes a possible SIGSEGV
	on possible malformed rules.

2002-09-20  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* plugins/simple/ruleset/simple.rules:
	fix typo. 

2002-09-19  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* plugins/debug/debug.c:
	* plugins/pax/pax.c:
	* plugins/simple/simple.c:
	* src/regex.c:
	include <sys/time.h>. That allows the code to build on FreeBSD.

2002-09-18  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/udp-server.c (udp_server_process_event): 
	new function, read one syslog message.
	(udp_server_get_event_fd): new function.
	(udp_server_new): fix call to memset().

	The udp-server implementation doesn't depend on pthread
	anymore.
	
	* src/main.c (lml_dispatch_log): 
	doesn't take an lml_queue_t argument anymore.
	(main): call file_server_standalone if no udp server
	is configured. Otherwise call wait_for_event.

	(wait_for_event): select on the UDP server socket,
	and on the file-server socket if FAM is activated. 
	Otherwise, the file-server functions are called every
	second.
	
	* src/log-common.c (_XOPEN_SOURCE): 
	move this definition around stdio.h inclusion. This
	solves the Solaris compilation problem.

	* src/file-server.c: massive reorganisation.
	(monitor_open): call fam_setup_monitor if HAVE_FAM is set.

	(fam_setup_monitor): 
	(fam_process_event): 
	(fam_wait_for_event): 
	(fam_process_queued_events): new function handling FAM monitor.

	(file_server_standalone): use FAM if possible.
	(file_server_wake_up): ditto.

	file-server is now able to monitor file change through FAM,
	instead of polling every file descriptor every second. This
	code is not yet enabled on architectures that support it
	because the current Linux Kernel version with Dnotify support
	(used by FAM) doesn't seem to notice some of the data written
	to a file through writev().
	
	* src/Makefile.am (prelude_lml_SOURCES): 
	remove queue.c dependency.

	* plugins/simple/ruleset/simple.rules: 
	document User/UserID field usage.

	* plugins/simple/simple.c (create_userid_type): 
	(create_userid_name): 
	(create_userid_number): 
	(retrieve_latest_userid): 
	(create_source_user): 
	(create_target_user): 
	(create_user_category): 
	(parse_target_user_category): 
	(parse_source_user_category): 
	(parse_target_user_userid_type): 
	(parse_source_user_userid_type): 
	(parse_target_user_userid_name): 
	(parse_source_user_userid_name): 
	(parse_target_user_userid_number): 
	(parse_source_user_userid_number): 
	(parse_target_user_userid): 
	(free_user): 
	implemented.
	(record_source_fields): handle User/UserID fields.
	(parse_rule): only call store_runtime_variable if value is not NULL.

	(free_rule): call free_user().

	(parse_rule): update to handle User/UserID IDMEF object.

	(filter_string): allow key without value (so that
	they can be used as delimiter).

2002-09-13  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/log-common.c: fix a solaris compilation problem
	where the timeval structure wouldn't be defined if
	_XOPEN_SOURCE is defined. 

	Only define _XOPEN_SOURCE for <time.h> inclusion,
	and #undef it after.

2002-08-29  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* configure.in: bump version number to 0.8.1.

	* NEWS: update release notes.

	* src/file-server.c (file_server_monitor_file): 
	added a log() telling the file doesn't exist and that
	we'll try to re-open it periodically.

2002-08-24  Guillaume Pelat  <endymion@linux-secure.com>

	* src/log-common.c (log_container_new):
	* src/pconfig.c (set_pidfile):
	(set_udp_server_addr):
	checking strdup return value.

	* src/udp-server.c (udp_server_new):
	fixing memory leak

2002-08-21  Guillaume Pelat  <endymion@linux-secure.com>

	* src/file-server.c (check_modification_time):
	fixed assert problem when two modifications are
	done in the log file at the same second.

2002-08-21  Guillaume Pelat  <endymion@linux-secure.com>

	* src/file-server.c (logfile_alert): 
	* src/regex.c(regex_init):
	replace strncpy by snprintf.

2002-08-21  Guillaume Pelat  <endymion@linux-secure.com>

	* src/file-server.c (logfile_alert): fix unterminated
	string.
	
	* plugins/simple/simple.c (parse_include): fix unterminated
	string. Close the open file.

	* src/regex.c: coding style fixes
	(regex_init): fix unterminated strings.
	
2002-08-20  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/log-common.c (format_syslog_header): 
	return -1 if buf is NULL.
	
	(log_container_new): some of the argument might be NULL.
	(log_container_delete): ditto.

	* configure.in: require autoconf >= 2.53.

2002-08-16  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/file-server.c (file_server_wake_up): cleanup.
	(logfile_alert): new function.
	(process_logfile): new function.

	(is_file_already_used): check the logfile hard link count, emit an
	alert if we reach 0.
	
	(check_modification_time): emit an alert if modification time got
	modified, but file size didn't increase.

	* src/lml-alert.c (lml_emit_alert): 
	there might be no log entry.

	* plugins/simple/simple.c (emit_alert): 
	coding style fix.

	* src/file-server.c: last_size is off_t, not time_t.
	new last_mtime member.
	
	(file_server_monitor_file): dup the filename before
	checking if opening the file succeeded, so that reopening
	inactive files works again.

2002-07-30  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* configure.in: update version number to 0.8.0.

2002-07-29  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	Thanks to DINH Viet Hoa <dinh.viet.hoa@free.fr>, 
	for reporting all these problems:
	
	* src/include/queue.h: 
	rename queue_t to lml_queue_t to avoid namespace
	conflict.

	* src/file-server.c (read_logfile): 
	clearerr_unlocked is not standard. Use clearerr.

	* src/log-common.c: include string.h.

	
	* src/regex.c (trim): 
	* src/log-common.c (format_syslog_header): 
	cast to int when calling isalnum and isspace.

	
2002-07-11  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* plugins/debug/debug.c (set_debug_state): 
	(set_output): fix the latest prelude getopt API
	change.

2002-06-27  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* fit latest prelude-getopt API change.

2002-06-26  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/simple/simple.c (read_multiline): 
	moved to libprelude, common function.
	(parse_ruleset): use prelude_read_multiline().

2002-06-16  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/simple/simple.c: 
	Included patch from Arnaud Guignard <arnaud.guignard@free.fr> 
	to handle the process IDMEF object.

2002-06-14  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* Makefile.am (install-data-local): 
	use $(DESTDIR) as the top prefix for installing stuff.

2002-06-13  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

        Patch from Arnaud Guignard <arnaud.guignard@free.fr> :

	* plugins/simple/simple.c (parse_ruleset):
	fixed a bug when a TAB was at a beginning of a line in a
	multiline rule.

2002-06-10  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* configure.in: only enable gtkdoc if requested.

	* plugins/simple/ruleset/simple.rules (include): 
	include grsecurity.rules.

	* plugins/simple/simple.c (read_multiline): 
	new function, handle multiline (line ending with \).

	(parse_ruleset): use read_multiline().
	(parse_ruleset): handle TAB at the beginning of the line.
	

2002-06-06  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/lml-alert.c (generate_analyzer): 
	generate analyzer. Use prelude_analyzer_fill_infos().
	(send_heartbeat_cb): use generate_analyzer()
	(lml_emit_alert): ditto.

	* plugins/simple/ruleset/grsecurity.rules: 
	Included GRsecurity ruleset, from Brad Spengler 
	<spender@grsecurity.net>. 

	Hand modified it a little to add some missing parentheses, 
	and change /d and /w to \d and \w respectively.

	* plugins/simple/ruleset/Makefile.am (ruleset_DATA): 
	install grsecurity.rules.

2002-06-03  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/lml-alert.c (lml_alert_init): 
	setup analyzer here; register heartbeat callback.
	(lml_emit_alert): copy global analyzer.
	(send_heartbeat_cb): new function, send a heartbeat
	message.

	* src/main.c (main): 
	call lml_alert_init() after pconfig_set, because
	lml_alert_init now calls libprelude functions.

	* src/lml-alert.c (send_heartbeat_cb): 
	new function, send a heartbeat.
	(lml_alert_init): 

2002-05-31  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/log-common.c (format_syslog_header): 
	format the syslog timestamp. 

	(format_syslog_header): 
	don't show parsing error... We parse files that don't have the
	syslog format...

	We use strptime() in order to do that, combined with localtime()
	to get missing information, and mktime() to convert back to a
	timeval.

2002-05-31  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* plugins/simple/ruleset/ipfw.rules: updated to use new SimpleMod
	capabilities.

2002-05-30  Laurent Oudot  <oudot.laurent@wanadoo.fr>

	* plugins/simple/simple.c
	remove a debugging printf() in the changelog (suggested by yoann)

2002-05-30  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/lml-alert.c (lml_emit_alert):
	include string.h for strlen()... Thanks to 
	Razvan Cosma (razvan.cosma@catv.telemach.ro) for pointing this out.
	
	* plugins/pax/pax.c (pax_log_processing): 
	* plugins/debug/debug.c (debug_run): 
	* src/lml-alert.c (lml_emit_alert): 

	use idmef_additional_data_set_data().

2002-05-30  Laurent Oudot  <oudot.laurent@wanadoo.fr>

        * plugins/simple/ruleset/netfilter.rules:
        upgrade of the rules owing to the new simple.c possibilities

2002-05-30  Laurent Oudot  <oudot.laurent@wanadoo.fr>

        * plugins/simple/ruleset/zyxel.rules:
        upgrade of the rules owing to the new simple.c possibilities

2002-05-27  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/file-server.c (try_reopening_inactive_fd): 
	remove unused variable.

2002-05-27  Yoann Vandoorselaere  <yoann@mandrakesoft.com>
	
	Patch from Arnaud Guignard <arnaud.guignard@free.fr> :
	
	* plugins/simple/simple.c: added patch to handle
	IDMEF source node category, source node location,
	source node name, source spoofed, source interface,
	source service port, source service protocol,
	source service name, source service portlist,
	target node address, target node category, target
	node location, target node name, target decoy,
	target interface, target service port, target
	service protocol, target service name, target
	service portlist.

	(record_source_fields): fix the impossibility to have
	several source/target node addresses.

	* plugins/simple/ruleset/simple.rules: added definitions
	for each new IDMEF tag.
	
2002-05-21  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/pconfig.c (set_file): 
	file_server_monitor_file() now opens the file by itself.

	* src/file-server.c: 
	use list instead of array to store monitor. Now we have
	an active FD list and an inactive FD list.
	
	(file_server_monitor_file): don't take the file handle as
	argument anymore, we open the file by ourselves. Mark the file
	as inactive if we can't open it.

	(file_server_wake_up): 
	if st_nlink is 0, then the file doesn't exist on the filesystem
	anymore, mark as inactive, and try reopening later.
	
	(try_reopening_inactive_fd): new function, try opening
	monitor marked as inactive.

2002-05-16  Baptiste Malguy <baptiste@malguy.net>

        * src/*-plugins.c (*_plugins_init):
        don't return an error if the plugin directory doesn't exist.
        But do so in case of permission problem.

2002-05-05  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/include/Makefile.am (include_HEADERS): 
	install needed include file.

	* Makefile.am (preludeconfdir): fix make distcheck.

2002-04-30  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/simple/simple.c: included patch from
	Arnaud Guignard <arnaud.guignard@free.fr> to handle 
	IDMEF source node address.

2002-04-29  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/simple/ruleset/netfilter.rules:
	MAC content can be empty.

2002-04-28  Laurent Oudot <oudot.laurent@wanadoo.fr>

	* plugin/simple/ruleset/netfilter.rules: new file. Rules for netfilter 
	firewall on Linux 2.4.x boxes.

	* plugins/simple/ruleset/Makefile.am: added netfilter.rules

	* plugins/simple/ruleset/zyxel.rules and cisco.rules: added comments. 

2002-04-27  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* plugins/simple/ruleset/ipfw.rules: fixes, cleanup, ICMP support. 

	* plugins/simple/ruleset/Makefile.am: added ipfw.rules

2002-04-27  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* configure.in: use AM_PROG_LIBTOOL, for older 
        libtool/automake installation.

	* src/file-server.c (read_logfile): 
	return the number of byte read.
	
	(file_server_wake_up): if we get EOF, without reading all
	the new available bytes, remember how many bytes are left to 
	be read, and retry even though st_size isn't modified.

	* src/log-plugins.c (subscribe): 
	(unsubscribe): be more verbose - not only debug.

	* src/file-server.c (file_server_monitor_file): 
	(file_server_wake_up): use st_size, not st_mtime.

	also include libprelude/timer.h

2002-04-27  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* file-server.c: (read_logfile): 
	use clearerr_unlocked() after hitting EOF on observed file. 
	Fixes problem on FreeBSD. 

2002-04-27  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>
	
	* plugins/simple/ruleset/ipfw.rules: new file. Rules for ipfw
	firewall on FreeBSD.

	* plugins/simple/ruleset/simple.rules: include ipfw.rules

2002-04-27  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/log-plugins.c (subscribe): 
	(unsubscribe): be more verbose about subscribed plugins.

	* src/file-server.c: include timer.h.

	* plugins/simple/simple.c: 
	(parse_ruleset): 
	make rulesnum global, this is because of the way we parse include.

	(filter_string): fix off by one error resulting in trailing whitespace
	not being removed.

	(set_simple_ruleset): move the printf telling number of rules loaded
	here, so that we don't get duplicate printf() for each included file.

2002-04-27  Laurent Oudot  <oudot.laurent@wanadoo.fr>

	* plugins/simple/ruleset/simple.rules:
	Added include directive for specific rules in cisco.rules and
	zyxel.rules.
	The include directive is very cool because it will help at maintaining
	the rules (if you don't need for example zyxel rules, you can put a
	simple # character before the include directive). 
	
	* plugins/simple/ruleset/cisco.rules:
	New file dedicated to cisco rules.
	
	* plugins/simple/ruleset/zyxel.rules:
	New file dedicated to zyxel rules.

2002-04-27  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/file-server.c (file_server_monitor_file): 
	use calloc() to allocate the monitor_fd_t object.
	This fixes a possible uninitialized read.

	* plugins/simple/simple.c (parse_include): 
	return -2 on success.
	
	(parse_rule): -1 means error, other value < 0 just
	means to stop the processing for this line.

2002-04-27  Laurent Oudot  <oudot.laurent@wanadoo.fr>

	* plugins/simple/ruleset/simple.rules :
	Added ZyXEL routers and firewalls support.
	It will help at dealing with ZyXEL network equipments used with 
	security filtering features.

2002-04-26  Laurent Oudot  <oudot.laurent@wanadoo.fr>

	* plugins/simple/ruleset/simple.rules :
	Added a contrib from Arnaud Guignard <arnaud.guignard@free.fr> 
	(plugin regex rules) and me (for the cisco part) that aims at
	dealing with cisco security routers alerts.
	It's just a beginning that will be improved in the future.

2002-04-26  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/simple/simple.c (parse_ruleset): 
	strip out \n.
	
	(parse_rule): handle include rule.

	(parse_include): new function, parse include rule.
	If the path is not absolute, then we append the current
	rulesetdir to this filename.

2002-04-25  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/log-common.c (format_syslog_header): 
	revert 2002-04-24, which was not needed (sscanf doesn't need
	precision).

2002-04-24  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/log-common.c (format_syslog_header): 
	In order for the printf() family function to put a limit to 
	the len of a copied string, a precision has to be given
	(%255s is not valid, %.255s is).

2002-04-12  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/file-server.c (read_logfile): 
	(file_server_wake_up): 

	stop using fgets to read the logfile: we now use getc_unlocked,
	and handle fine the case where :

	- the buffer is too small.
	- we meet EOF before meeting EOL.

	which avoids us being desynchronized. The read buffer is now
	per file monitor.
	
2002-04-08  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/simple/simple.c: try to do time consuming stuff
	at initialisation time.

	* src/regex.c: 
	instead of searching at runtime for the plugin to use
	(using string comparison), resolve plugin dependency
	at initialisation time, and store a pointer to the plugin
	that needs to be run for a given regex.

	(regex_exec): the callback now takes the plugin as argument.

	(regex_init): call regex_create_entry instead of doing
	everything ourselves.
	
	(regex_create_entry): new function.
	

	* src/log-plugins.c: 
	we do not use hashkey anymore.

	(log_plugin_run): take the plugin to run as argument.
	It's now up to the caller to know which plugin to run.

	* src/hashkey.c: removed.

	* Makefile.am (install-data-local): 
	Only install default configuration file if it does not
	exist... If a configuration file is already present, warn
	the user and install in prelude-lml.conf-dist.

2002-04-05  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* src/lml-alert.c: include <inttypes.h> and <sys/types.h>
	(FreeBSD compat. fix)

2002-04-04  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/file-server.c (file_server_wake_up): 
	use buffered IO.

	* plugins/simple/simple.c: 
	(store_runtime_variable): new function, keep pointer
	to string that use backward reference.

	(simple_run): call resolve_variable and free_variable_allocated_data().

	(free_variable_allocated_data): 
	new function.
	
	(resolve_variable): new function. Use backward reference
	associated with the matched regex to resolve variable.

	(replace_str): replace a given variable in a string.

	The Simple plugin now supports backward references in IDMEF field setting. 
	This means you can have dynamic text in IDMEF fields. 

2002-04-03  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/simple/simple.c (filter_string): 
	use strchr, not strrchr, to search key - value
	delimiter. 

	* src/udp-server.c (udp_server_standalone): 
	save the set and restore it when select() return.

2002-04-02  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/log-common.c (format_syslog_header): 
	new function, parse the syslog header. 

	* src/lml-alert.c (generate_target): 
	new function, take care of including target_program and
	target_hostname in the IDMEF alert.
	(lml_emit_alert): call generate_target().

	* src/file-server.c (file_server_wake_up): 
	set backslash 0 at the end of the buffer.

	* src/pconfig.c (set_file): now that we do not
	rely on server logic to add file monitor, we can add
	monitor from the option callback.

	* src/udp-server.c: make the size of our buffer 
	compliant with what is specified in RFC 3164 (1024
	bytes max per syslog messages).

	* plugins.rules.in: comment the Debug plugin entry 
	by default.

2002-03-29  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/file-server.c (file_server_monitor_file): 
	set current mtime.

	* plugins/simple/simple.c (parse_impact_desc): 
	new function, parse impact description.
	(parse_rule): 
	Handle impact description.

	(simple_run): detail debugging output a little more.

	* plugins/simple/ruleset/simple.rules: 
	some more rules, and some documentation.

	* src/main.c (lml_dispatch_log): 
	new public function that should be called when we have a new log
	line. This function handle both the case when we're threaded
	(UDP + file monitor), or when there is no thread (file monitor only).

	* src/udp-server.c (udp_server_standalone): 
	select with a timeout of one second. Call file_server_wake_up
	every second.

	* src/file-server.c: 
	stop using server-logic.c. We now have an array of FD to monitor.
	In order to do so, we check the FDs modification time and read 
	data if available, then we go to sleep (as tail does).

	(file_server_wake_up): 
	to be called by a working thread instead of file_server_standalone()
	(for example if we also have an UDP server).

	(file_server_standalone): 
	new function for starting the file monitor.
	
	* src/server-logic.c:
	Because there is no way to tell read() / select() to block on
	EOF for regular file, server-logic.c isn't an adapted solution.
	Removed.
	
2002-03-29  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/server-logic.c (server_logic_process_requests): 
	(child_reader): don't accept connection before the thread
	install the signal handler for SIGUSR1.

	* prelude-lml.conf.in (file): 
	now that we are able to have the same entry with different
	values several times in config file (libprelude), add new file
	to monitor.

2002-03-28  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* plugins/simple/simple.c: include <inttypes.h> and <sys/types.h>
	(needed for libprelude/* on FreeBSD)

2002-03-28  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/lml-alert.c (lml_emit_alert): 
	fill in more information... Still much work to do.

	* src/file-server.c (read_file): 
	remove debugging printf().

	* src/udp-server.c (udp_server_standalone): 
	use a bigger buffer. We don't want to rely on ethernet stuff.

	* plugins/pax/pax.c (pax_log_processing): 
	* plugins/simple/simple.c (emit_alert): 
	use lml_emit_alert().

	* src/lml-alert.c: 
	new file providing facility for alert emission.
	Every plugin should use these functions.

	* plugins/simple/simple.c: 

	This is the start of the Simple plugin. This plugin
	has a ruleset, composed of regex, and of information
	to fill in the alert if the regex matches.

2002-03-28  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* plugins/debug/debug.c: revert to including <inttypes.h> instead of
	<stdint.h> for compatibility with FreeBSD 4.x and conformance
	with other Prelude modules. 

2002-03-27  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/hashkey.c (hash_position): 
	cast to unsigned int, lot of cleanup.

	* src/file-server.c (file_server_monitor_file): 
	take an already open FD as argument (so that we don't 
	require root access here).

	* src/udp-server.c (udp_server_start): 
	reader and queue are passed to udp_server_start,
	not udp_server new.

	* src/pconfig.c (pconfig_set): 
	new -u (--user) option. Prelude LML can now run as a
	simple user.

	* src/udp-server.c (udp_server_new): 
	resolve the provided address if any. Else use INADDR_ANY.

	* src/pconfig.c (pconfig_set): 
	add configuration hook for enabling the UDP server,
	setting server address, setting server port.

	* src/main.c (sig_handler): 
	only call udp_server_close if an UDP server is active.

	(main): only start the UDP server if the user wants it.

	* prelude-lml.conf.in: 
	Update default configuration file.

2002-03-26  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/regex.c: 
	* src/main.c:
	more cleanup, performance fix.

	* src/regex.c (regex_destroy): 
	use list_for_each_safe

	* src/file-server.c: 
	monitor local files.

	* src/server-logic.c: 
	used by file-server implementation.

	* src/pconfig.c: 
	(pconfig_set): add the --file option.

	* src/main.c: 
	* src/queue.c: 
	* src/udp-server.c: 
	* src/log-plugins.c: coding style fix.

	
2002-03-22  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* plugins/pax/pax.c: include <inttypes.h> and <sys/types.h>
	for compatibility with *BSD systems

2002-03-22  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* AUTHORS: 
	Pierre-Jean Turpeau, not me :-)
	
	* src/Makefile.am (DEFS): local include before anything else.

