2016-03-03 00:06:53 -06:00
< ? php
2016-08-22 10:32:05 -05:00
/**
* SyslogTest . php
*
* Tests various syslog input for proper parsing
*
* This program is free software : you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation , either version 3 of the License , or
* ( at your option ) any later version .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
*
* You should have received a copy of the GNU General Public License
* along with this program . If not , see < http :// www . gnu . org / licenses />.
*
* @ package LibreNMS
* @ link http :// librenms . org
* @ copyright 2016 Tony Murray
* @ author Tony Murray < murraytony @ gmail . com >
*/
namespace LibreNMS\Tests ;
2016-03-03 00:06:53 -06:00
class SyslogTest extends \PHPUnit_Framework_TestCase
{
// The format is:
// $SOURCEIP||$FACILITY||$PRIORITY||$LEVEL||$TAG||$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC||$MSG||$PROGRAM
// There add an IP for each OS you want to test and use that in the input file
2016-08-28 17:32:55 -05:00
private function fillLine ( $line )
{
2016-03-03 00:06:53 -06:00
$entry = array ();
list ( $entry [ 'host' ], $entry [ 'facility' ], $entry [ 'priority' ], $entry [ 'level' ], $entry [ 'tag' ], $entry [ 'timestamp' ], $entry [ 'msg' ], $entry [ 'program' ]) = explode ( " || " , trim ( $line ));
return $entry ;
}
2016-08-28 17:32:55 -05:00
private function createData ( $line , $resultDelta )
{
2016-03-03 00:06:53 -06:00
$entry = $this -> fillLine ( $line );
$data = array ();
$data [ 'input' ] = $entry ;
unset ( $entry [ 'msg' ]); // empty msg
$data [ 'result' ] = array_merge ( $entry , $resultDelta );
return $data ;
}
2016-03-09 08:43:39 -06:00
/**
2016-03-09 14:31:00 -06:00
* Test an input line with the modified fields
*
* @ param string $inputline The line from the syslog daemon including the || ' s
* @ param array $modified of the modified fields , most likely containging the keys program and msg
*/
2016-08-28 17:32:55 -05:00
private function checkSyslog ( $inputline , $modified )
{
2016-03-09 08:43:39 -06:00
$data = $this -> createData ( $inputline , $modified );
$res = process_syslog ( $data [ 'input' ], 0 );
$this -> assertEquals ( $data [ 'result' ], $res );
}
2016-03-03 00:06:53 -06:00
public function testCiscoSyslog ()
{
// populate fake $dev_cache and $config
2016-03-03 06:46:39 -06:00
global $config , $dev_cache ;
2016-03-03 21:21:28 +00:00
$dev_cache [ '1.1.1.1' ] = array ( 'device_id' => 1 , 'os' => 'ios' , 'version' => 1 );
2016-03-03 19:56:18 +00:00
$config = array ();
2016-03-03 00:06:53 -06:00
$config [ 'syslog_filter' ] = array ();
// ---- IOS ----
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-03 00:06:53 -06:00
" 1.1.1.1||user||info||info||0e||2016-02-28 00:23:34||%CARD-SEVERITY-MSG:SLOT %FACILITY-SEVERITY-MNEMONIC: Message-text|| " ,
2016-03-03 21:21:28 +00:00
array ( 'device_id' => 1 , 'program' => '%CARD-SEVERITY-MSG:SLOT %FACILITY-SEVERITY-MNEMONIC' , 'msg' => 'Message-text' )
2016-03-03 00:06:53 -06:00
);
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-03 00:06:53 -06:00
" 1.1.1.1||user||info||info||0e||2016-02-28 00:23:34||%FACILITY-SUBFACILITY-SEVERITY-MNEMONIC: Message-text|| " ,
2016-03-03 21:21:28 +00:00
array ( 'device_id' => 1 , 'program' => '%FACILITY-SUBFACILITY-SEVERITY-MNEMONIC' , 'msg' => 'Message-text' )
2016-03-03 00:06:53 -06:00
);
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-09 08:20:51 -06:00
" 1.1.1.1||local7||info||info||be||2016-03-09 03:58:25||Mar 9 11:58:24.145 UTC: %SEC-6-IPACCESSLOGS: list MNGMNT denied 120.62.186.12 1 packet ||] " ,
array ( 'device_id' => 1 , 'program' => '%SEC-6-IPACCESSLOGS' , 'msg' => 'list MNGMNT denied 120.62.186.12 1 packet' )
);
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-09 08:20:51 -06:00
" 1.1.1.1||local7||info||info||be||2016-04-27 021:12:28||Apr 27 21:12:28: %SYS-5-CONFIG_I: Configured from console by vty0|| " ,
array ( 'device_id' => 1 , 'program' => '%SYS-5-CONFIG_I' , 'msg' => 'Configured from console by vty0' )
);
2016-03-09 10:49:12 -06:00
$this -> checkSyslog (
" 1.1.1.1||local7||info||info||be||2016-04-27 021:12:28||Mar 8 20:14:08.762: %FACILITY-SUBFACILITY-SEVERITY-MNEMONIC: Message-text||000956 " ,
array ( 'device_id' => 1 , 'program' => '%FACILITY-SUBFACILITY-SEVERITY-MNEMONIC' , 'msg' => 'Message-text' )
);
2016-03-03 00:06:53 -06:00
2016-03-09 08:43:39 -06:00
2016-03-03 00:06:53 -06:00
// ---- CatOS ----
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-03 00:06:53 -06:00
" 1.1.1.1||user||info||info||0e||2016-02-28 00:23:34||%IP-3-UDP_SOCKOVFL:UDP socket overflow|| " ,
2016-03-03 21:21:28 +00:00
array ( 'device_id' => 1 , 'program' => '%IP-3-UDP_SOCKOVFL' , 'msg' => 'UDP socket overflow' )
2016-03-03 00:06:53 -06:00
);
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-03 00:06:53 -06:00
" 1.1.1.1||user||info||info||0e||2016-02-28 00:23:34||DTP-1-ILGLCFG: Illegal config (on, isl--on,dot1q) on Port [mod/port]|| " ,
2016-03-03 21:21:28 +00:00
array ( 'device_id' => 1 , 'program' => 'DTP-1-ILGLCFG' , 'msg' => 'Illegal config (on, isl--on,dot1q) on Port [mod/port]' )
2016-03-03 00:06:53 -06:00
);
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-03 00:06:53 -06:00
" 1.1.1.1||user||info||info||0e||2016-02-28 00:23:34||Cannot enable text mode config if ACL config is cleared from nvram|| " ,
2016-03-03 21:21:28 +00:00
array ( 'device_id' => 1 , 'program' => '' , 'msg' => 'Cannot enable text mode config if ACL config is cleared from nvram' )
2016-03-03 00:06:53 -06:00
);
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-03 00:06:53 -06:00
" 1.1.1.1||user||info||info||0e||2016-02-28 00:23:34||%PAGP-5-PORTFROMSTP / %PAGP-5-PORTTOSTP|| " ,
2016-03-03 21:21:28 +00:00
array ( 'device_id' => 1 , 'program' => '%PAGP-5-PORTFROMSTP / %PAGP-5-PORTTOSTP' )
2016-03-03 00:06:53 -06:00
);
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-03 00:06:53 -06:00
" 1.1.1.1||user||info||info||0e||2016-02-28 00:23:34||%SYS-3-EOBC_CHANNELREINIT|| " ,
2016-03-03 21:21:28 +00:00
array ( 'device_id' => 1 , 'program' => '%SYS-3-EOBC_CHANNELREINIT' )
2016-03-03 00:06:53 -06:00
);
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-03 00:06:53 -06:00
" 1.1.1.1||user||info||info||0e||2016-02-28 00:23:34||%SYS-4-MODHPRESET:|| " ,
2016-03-03 21:21:28 +00:00
array ( 'device_id' => 1 , 'program' => '%SYS-4-MODHPRESET' , 'msg' => '' )
2016-03-03 00:06:53 -06:00
);
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-03 00:06:53 -06:00
" 1.1.1.1||user||info||info||0e||2016-02-28 00:23:34||InbandPingProcessFailure:Module x not responding over inband|| " ,
2016-03-03 21:21:28 +00:00
array ( 'device_id' => 1 , 'program' => 'INBANDPINGPROCESSFAILURE' , 'msg' => 'Module x not responding over inband' )
2016-03-03 00:06:53 -06:00
);
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-03 00:06:53 -06:00
" 1.1.1.1||user||info||info||0e||2016-02-28 00:23:34||RxSBIF_SEQ_NUM_ERROR:slot=x|| " ,
2016-03-03 21:21:28 +00:00
array ( 'device_id' => 1 , 'program' => 'RXSBIF_SEQ_NUM_ERROR' , 'msg' => 'slot=x' )
2016-03-03 00:06:53 -06:00
);
2016-04-11 19:57:49 -05:00
// With program from syslog
2016-08-28 17:32:55 -05:00
$this -> checkSyslog (
2016-04-11 19:57:49 -05:00
" 1.1.1.1||local7||notice||notice||bd||2016-04-04 15:18:43||Apr 4 13:18:42.670: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/32, changed state to up||345735 " ,
array ( 'device_id' => 1 , 'program' => '%LINEPROTO-5-UPDOWN' , 'msg' => 'Line protocol on Interface GigabitEthernet0/32, changed state to up' )
);
// Incorrect time
2016-08-28 17:32:55 -05:00
$this -> checkSyslog (
2016-04-11 19:57:49 -05:00
" 1.1.1.1||user||info||info||0e||2016-04-06 15:20:35||*Apr 4 21:26:41.778 UTC: %LWAPP-3-REPLAY_ERR: 1 wcm: Received replay error on slot 1, WLAN ID 1, count 1 from AP xxxx.xxxx.xxxx|| " ,
array ( 'device_id' => 1 , 'program' => '%LWAPP-3-REPLAY_ERR' , 'msg' => '1 wcm: Received replay error on slot 1, WLAN ID 1, count 1 from AP xxxx.xxxx.xxxx' )
);
2016-08-28 17:32:55 -05:00
$this -> checkSyslog (
2016-04-11 19:57:49 -05:00
" 1.1.1.1||user||info||info||0e||2016-04-06 15:20:35||.Apr 4 21:26:41.778 UTC: %LWAPP-3-REPLAY_ERR: 1 wcm: Received replay error on slot 1, WLAN ID 1, count 1 from AP xxxx.xxxx.xxxx|| " ,
array ( 'device_id' => 1 , 'program' => '%LWAPP-3-REPLAY_ERR' , 'msg' => '1 wcm: Received replay error on slot 1, WLAN ID 1, count 1 from AP xxxx.xxxx.xxxx' )
);
2016-03-03 00:06:53 -06:00
}
2016-03-04 12:32:06 +01:00
public function testLinuxSyslog ()
{
// populate fake $dev_cache and $config
global $config , $dev_cache ;
$dev_cache [ '1.1.1.1' ] = array ( 'device_id' => 1 , 'os' => 'linux' , 'version' => 1 );
$config = array ();
$config [ 'syslog_filter' ] = array ();
// ---- PAM ----
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-04 15:18:24 +01:00
" 1.1.1.1||authpriv||info||info||56||2016-02-28 00:23:34||pam_unix(cron:session): session opened for user librenms by (uid=0)||CRON " ,
2016-03-04 12:32:06 +01:00
array ( 'device_id' => 1 , 'program' => 'PAM_UNIX(CRON:SESSION)' , 'msg' => 'session opened for user librenms by (uid=0)' )
);
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-04 15:18:24 +01:00
" 1.1.1.1||authpriv||info||info||55||2016-02-28 00:23:34||pam_unix(sudo:session): session opened for user librenms by root (uid=0)||sudo " ,
2016-03-04 12:32:06 +01:00
array ( 'device_id' => 1 , 'program' => 'PAM_UNIX(SUDO:SESSION)' , 'msg' => 'session opened for user librenms by root (uid=0)' )
);
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-04 12:32:06 +01:00
" 1.1.1.1||auth||info||info||0e||2016-02-28 00:23:34||pam_krb5(sshd:auth): authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231||sshd " ,
array ( 'device_id' => 1 , 'program' => 'PAM_KRB5(SSHD:AUTH)' , 'msg' => 'authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231' )
);
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-04 12:32:06 +01:00
" 1.1.1.1||auth||info||info||0e||2016-02-28 00:23:34||pam_krb5[sshd:auth]: authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231||sshd " ,
array ( 'device_id' => 1 , 'program' => 'PAM_KRB5[SSHD:AUTH]' , 'msg' => 'authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231' )
);
// ---- Postfix ----
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-04 15:18:24 +01:00
" 1.1.1.1||mail||info||info||16||2016-02-28 00:23:34||5C62E329EF: to=<admin@example.com>, relay=mail.example.com[127.0.0.1]:25, delay=0.11, delays=0.04/0.01/0/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5362E6A670E)||postfix/smtp " ,
2016-03-04 12:32:06 +01:00
array ( 'device_id' => 1 , 'program' => 'POSTFIX/SMTP' , 'msg' => '5C62E329EF: to=<admin@example.com>, relay=mail.example.com[127.0.0.1]:25, delay=0.11, delays=0.04/0.01/0/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5362E6A670E)' )
);
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-04 15:18:24 +01:00
" 1.1.1.1||mail||info||info||16||2016-02-28 00:23:34||D7256400EF: from=<librenms@librenms.example.com>, size=882, nrcpt=1 (queue active)||postfix/qmgr " ,
2016-03-04 12:32:06 +01:00
array ( 'device_id' => 1 , 'program' => 'POSTFIX/QMGR' , 'msg' => 'D7256400EF: from=<librenms@librenms.example.com>, size=882, nrcpt=1 (queue active)' )
);
// ---- No program ----
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-04 13:10:07 +01:00
" 1.1.1.1||user||info||info||0e||2016-02-28 00:23:34||some random message|| " ,
2016-03-04 12:32:06 +01:00
array ( 'device_id' => 1 , 'program' => 'USER' , 'msg' => 'some random message' )
);
// ---- Other ----
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-04 15:18:24 +01:00
" 1.1.1.1||cron||info||info||4e||2016-02-28 00:23:34||(librenms) CMD ( /opt/librenms/alerts.php >> /var/log/librenms_alert.log 2>&1)||CRON " ,
2016-03-04 12:32:06 +01:00
array ( 'device_id' => 1 , 'program' => 'CRON' , 'msg' => '(librenms) CMD ( /opt/librenms/alerts.php >> /var/log/librenms_alert.log 2>&1)' )
);
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-04 15:18:24 +01:00
" 1.1.1.1||authpriv||notice||notice||55||2016-02-28 00:23:34|| root : TTY=pts/1 ; PWD=/opt/librenms ; USER=librenms ; COMMAND=/usr/bin/git status||sudo " ,
2016-03-05 11:06:29 +01:00
array ( 'device_id' => 1 , 'program' => 'SUDO' , 'msg' => 'root : TTY=pts/1 ; PWD=/opt/librenms ; USER=librenms ; COMMAND=/usr/bin/git status' )
2016-03-04 15:18:24 +01:00
);
2016-03-05 11:59:49 +01:00
}
2016-03-09 08:43:39 -06:00
2016-03-05 11:59:49 +01:00
public function testProcurveSyslog ()
{
// populate fake $dev_cache and $config
global $config , $dev_cache ;
$dev_cache [ '1.1.1.1' ] = array ( 'device_id' => 1 , 'os' => 'procurve' , 'version' => 1 );
$config = array ();
$config [ 'syslog_filter' ] = array ();
// ---- 2900/2910/3800/5400 ----
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-05 11:59:49 +01:00
" 1.1.1.1||user||info||info||0e||2016-02-28 00:23:34||chassis: Slot A Ready||00422 " ,
array ( 'device_id' => 1 , 'program' => 'CHASSIS' , 'msg' => 'Slot A Ready [00422]' )
);
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-05 11:59:49 +01:00
" 1.1.1.1||user||info||info||0e||2016-02-28 00:23:34||ports: port 21 is now on-line||00076 " ,
array ( 'device_id' => 1 , 'program' => 'PORTS' , 'msg' => 'port 21 is now on-line [00076]' )
);
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-05 11:59:49 +01:00
" 1.1.1.1||user||info||info||0e||2016-02-28 00:23:34||ports: port 21 is now off-line||00077 " ,
array ( 'device_id' => 1 , 'program' => 'PORTS' , 'msg' => 'port 21 is now off-line [00077]' )
);
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-05 11:59:49 +01:00
" 1.1.1.1||user||warning||warning||0c||2016-02-28 00:23:34||FFI: port 21-High collision or drop rate. See help.||00331 " ,
array ( 'device_id' => 1 , 'program' => 'FFI' , 'msg' => 'port 21-High collision or drop rate. See help. [00331]' )
);
// ---- 2610 ----
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-05 11:59:49 +01:00
" 1.1.1.1||user||warning||warning||0c||2016-02-28 00:23:34||port 21-Excessive undersized/giant packets. See help.||FFI " ,
array ( 'device_id' => 1 , 'program' => 'FFI' , 'msg' => 'port 21-Excessive undersized/giant packets. See help.' )
);
2016-03-09 08:43:39 -06:00
$this -> checkSyslog (
2016-03-05 11:59:49 +01:00
" 1.1.1.1||user||info||info||0e||2016-02-28 00:23:34||updated time by -4 seconds||SNTP " ,
array ( 'device_id' => 1 , 'program' => 'SNTP' , 'msg' => 'updated time by -4 seconds' )
);
2016-03-03 00:06:53 -06:00
}
}
