includes/syslog.php

<?php

// FIXME : use db functions properly
// $device_id_host = @dbFetchCell("SELECT device_id FROM devices WHERE `hostname` = '".mres($entry['host'])."' OR `sysName` = '".mres($entry['host'])."'");
// $device_id_ip = @dbFetchCell("SELECT device_id FROM ipv4_addresses AS A, ports AS I WHERE A.ipv4_address = '" . $entry['host']."' AND I.port_id = A.port_id");


function get_cache($host, $value)
{
    global $dev_cache;

    if (!isset($dev_cache[$host][$value])) {
        switch ($value) {
            case 'device_id':
                // Try by hostname
                $ip = inet_pton($host);
                if (inet_ntop($ip) === false) {
                    $dev_cache[$host]['device_id'] = dbFetchCell('SELECT `device_id` FROM devices WHERE `hostname` = ? OR `sysName` = ?', array($host, $host));
                } else {
                    $dev_cache[$host]['device_id'] = dbFetchCell('SELECT `device_id` FROM devices WHERE `hostname` = ? OR `sysName` = ? OR `ip` = ?', array($host, $host, $ip));
                }
                // If failed, try by IP
                if (!is_numeric($dev_cache[$host]['device_id'])) {
                    $dev_cache[$host]['device_id'] = dbFetchCell('SELECT `device_id` FROM `ipv4_addresses` AS A, `ports` AS I WHERE A.ipv4_address = ? AND I.port_id = A.port_id', array($host));
                }
                break;

            case 'os':
                $dev_cache[$host]['os'] = dbFetchCell('SELECT `os` FROM devices WHERE `device_id` = ?', array(get_cache($host, 'device_id')));
                break;

            case 'version':
                $dev_cache[$host]['version'] = dbFetchCell('SELECT `version` FROM devices WHERE `device_id`= ?', array(get_cache($host, 'device_id')));
                break;

            default:
                return null;
        }//end switch
    }//end if

    return $dev_cache[$host][$value];
}//end get_cache()


function process_syslog($entry, $update)
{
    global $config, $dev_cache;

    foreach ($config['syslog_filter'] as $bi) {
        if (strpos($entry['msg'], $bi) !== false) {
            return $entry;
        }
    }

    $entry['host'] = preg_replace("/^::ffff:/", "", $entry['host']);
    $entry['device_id'] = get_cache($entry['host'], 'device_id');
    if ($entry['device_id']) {
        $os = get_cache($entry['host'], 'os');

        if (in_array($os, array('ios', 'iosxe', 'catos'))) {
            // multipart message
            if (strpos($entry['msg'], ':') !== false) {
                $matches = array();
                $timestamp_prefix = '([\*\.]?[A-Z][a-z]{2} \d\d? \d\d:\d\d:\d\d(.\d\d\d)?( [A-Z]{3})?: )?';
                $program_match = '(?<program>%?[A-Za-z\d\-_]+(:[A-Z]* %[A-Z\d\-_]+)?)';
                $message_match = '(?<msg>.*)';
                if (preg_match('/^' . $timestamp_prefix . $program_match . ': ?' . $message_match . '/', $entry['msg'], $matches)) {
                    $entry['program'] = $matches['program'];
                    $entry['msg'] = $matches['msg'];
                }
                unset($matches);
            } else {
                // if this looks like a program (no groups of 2 or more lowercase letters), move it to program
                if (!preg_match('/[(a-z)]{2,}/', $entry['msg'])) {
                    $entry['program'] = $entry['msg'];
                    unset($entry['msg']);
                }
            }
        } elseif ($os == 'linux' and get_cache($entry['host'], 'version') == 'Point') {
            // Cisco WAP200 and similar
            $matches = array();
            if (preg_match('#Log: \[(?P<program>.*)\] - (?P<msg>.*)#', $entry['msg'], $matches)) {
                $entry['msg']     = $matches['msg'];
                $entry['program'] = $matches['program'];
            }

            unset($matches);
        } elseif ($os == 'linux') {
            $matches = array();
            // pam_krb5(sshd:auth): authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231
            // pam_krb5[sshd:auth]: authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231
            if (empty($entry['program']) and preg_match('#^(?P<program>([^(:]+\([^)]+\)|[^\[:]+\[[^\]]+\])) ?: ?(?P<msg>.*)$#', $entry['msg'], $matches)) {
                $entry['msg']     = $matches['msg'];
                $entry['program'] = $matches['program'];
            } // SYSLOG CONNECTION BROKEN; FD='6', SERVER='AF_INET(123.213.132.231:514)', time_reopen='60'
            // pam_krb5: authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231
            // Disabled because broke this:
            // diskio.c: don't know how to handle 10 request
            // elseif($pos = strpos($entry['msg'], ';') or $pos = strpos($entry['msg'], ':')) {
            // $entry['program'] = substr($entry['msg'], 0, $pos);
            // $entry['msg'] = substr($entry['msg'], $pos+1);
            // }
            // fallback, better than nothing...
            elseif (empty($entry['program']) and !empty($entry['facility'])) {
                $entry['program'] = $entry['facility'];
            }

            unset($matches);
        } elseif ($os == 'procurve') {
            $matches = array();
            if (preg_match('/^(?P<program>[A-Za-z]+): {2}(?P<msg>.*)/', $entry['msg'], $matches)) {
                $entry['msg']     = $matches['msg']. " [". $entry['program']. "]";
                $entry['program'] = $matches['program'];
            }
            unset($matches);
        }//end if

        if (!isset($entry['program'])) {
            $entry['program'] = $entry['msg'];
            unset($entry['msg']);
        }

        $entry['program'] = strtoupper($entry['program']);
        $entry = array_map('trim', $entry);

        if ($update) {
            dbInsert(
                array(
                    'device_id' => $entry['device_id'],
                    'program'   => $entry['program'],
                    'facility'  => $entry['facility'],
                    'priority'  => $entry['priority'],
                    'level'     => $entry['level'],
                    'tag'       => $entry['tag'],
                    'msg'       => $entry['msg'],
                    'timestamp' => $entry['timestamp'],
                ),
                'syslog'
            );
        }

        unset($os);
    }//end if

    return $entry;
}//end process_syslog()
missing file! git-svn-id: http://www.observium.org/svn/observer/trunk@199 61d68cd4-352d-0410-923a-c4978735b2b8 2008-03-23 21:32:54 +00:00			`<?php`

/// -> // git-svn-id: http://www.observium.org/svn/observer/trunk@3240 61d68cd4-352d-0410-923a-c4978735b2b8 2012-05-25 12:24:34 +00:00			`// FIXME : use db functions properly`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			// $device_id_host = @dbFetchCell("SELECT device_id FROM devices WHERE `hostname` = '".mres($entry['host'])."' OR `sysName` = '".mres($entry['host'])."'");
			`// $device_id_ip = @dbFetchCell("SELECT device_id FROM ipv4_addresses AS A, ports AS I WHERE A.ipv4_address = '" . $entry['host']."' AND I.port_id = A.port_id");`
fixed syslog? why knows! git-svn-id: http://www.observium.org/svn/observer/trunk@2405 61d68cd4-352d-0410-923a-c4978735b2b8 2011-09-02 06:56:21 +00:00
Fix coding style part 2 2015-07-13 20:10:26 +02:00
Update code in includes to be PSR-2 compliant (#4220) refactor: Update code in /includes to be psr2 compliant #4220 2016-08-28 12:32:58 -05:00			`function get_cache($host, $value)`
			`{`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`global $dev_cache;`

			`if (!isset($dev_cache[$host][$value])) {`
			`switch ($value) {`
Update code in includes to be PSR-2 compliant (#4220) refactor: Update code in /includes to be psr2 compliant #4220 2016-08-28 12:32:58 -05:00			`case 'device_id':`
			`// Try by hostname`
			`$ip = inet_pton($host);`
			`if (inet_ntop($ip) === false) {`
			$dev_cache[$host]['device_id'] = dbFetchCell('SELECT `device_id` FROM devices WHERE `hostname` = ? OR `sysName` = ?', array($host, $host));
			`} else {`
			$dev_cache[$host]['device_id'] = dbFetchCell('SELECT `device_id` FROM devices WHERE `hostname` = ? OR `sysName` = ? OR `ip` = ?', array($host, $host, $ip));
			`}`
			`// If failed, try by IP`
			`if (!is_numeric($dev_cache[$host]['device_id'])) {`
			$dev_cache[$host]['device_id'] = dbFetchCell('SELECT `device_id` FROM `ipv4_addresses` AS A, `ports` AS I WHERE A.ipv4_address = ? AND I.port_id = A.port_id', array($host));
			`}`
			`break;`
Fix coding style part 2 2015-07-13 20:10:26 +02:00
Update code in includes to be PSR-2 compliant (#4220) refactor: Update code in /includes to be psr2 compliant #4220 2016-08-28 12:32:58 -05:00			`case 'os':`
			$dev_cache[$host]['os'] = dbFetchCell('SELECT `os` FROM devices WHERE `device_id` = ?', array(get_cache($host, 'device_id')));
			`break;`
Fix coding style part 2 2015-07-13 20:10:26 +02:00
Update code in includes to be PSR-2 compliant (#4220) refactor: Update code in /includes to be psr2 compliant #4220 2016-08-28 12:32:58 -05:00			`case 'version':`
			$dev_cache[$host]['version'] = dbFetchCell('SELECT `version` FROM devices WHERE `device_id`= ?', array(get_cache($host, 'device_id')));
			`break;`
Fix coding style part 2 2015-07-13 20:10:26 +02:00
Update code in includes to be PSR-2 compliant (#4220) refactor: Update code in /includes to be psr2 compliant #4220 2016-08-28 12:32:58 -05:00			`default:`
			`return null;`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`}//end switch`
			`}//end if`

			`return $dev_cache[$host][$value];`
			`}//end get_cache()`


Update code in includes to be PSR-2 compliant (#4220) refactor: Update code in /includes to be psr2 compliant #4220 2016-08-28 12:32:58 -05:00			`function process_syslog($entry, $update)`
			`{`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`global $config, $dev_cache;`

			`foreach ($config['syslog_filter'] as $bi) {`
			`if (strpos($entry['msg'], $bi) !== false) {`
			`return $entry;`
kill a whole bunch of trailing spaces git-svn-id: http://www.observium.org/svn/observer/trunk@2516 61d68cd4-352d-0410-923a-c4978735b2b8 2011-09-20 09:55:11 +00:00			`}`
delete users (and all perms) fixed git-svn-id: http://www.observium.org/svn/observer/trunk@2371 61d68cd4-352d-0410-923a-c4978735b2b8 2011-05-26 21:27:40 +00:00			`}`
fixed syslog? why knows! git-svn-id: http://www.observium.org/svn/observer/trunk@2405 61d68cd4-352d-0410-923a-c4978735b2b8 2011-09-02 06:56:21 +00:00
Rewrite sender-ip if ::ffff: is prepended because the syslogserver uses IPv6 2015-08-21 16:02:59 +02:00			`$entry['host'] = preg_replace("/^::ffff:/", "", $entry['host']);`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`$entry['device_id'] = get_cache($entry['host'], 'device_id');`
			`if ($entry['device_id']) {`
			`$os = get_cache($entry['host'], 'os');`

			`if (in_array($os, array('ios', 'iosxe', 'catos'))) {`
This should process all of the messages on these sites and if it fails, there should be no data loss http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/29804-186.html http://www.cisco.com/c/en/us/td/docs/ios/system/messages/guide/consol_smg/sm_cnovr.html 2016-02-27 16:00:06 -06:00			`// multipart message`
Update code in includes to be PSR-2 compliant (#4220) refactor: Update code in /includes to be psr2 compliant #4220 2016-08-28 12:32:58 -05:00			`if (strpos($entry['msg'], ':') !== false) {`
This should process all of the messages on these sites and if it fails, there should be no data loss http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/29804-186.html http://www.cisco.com/c/en/us/td/docs/ios/system/messages/guide/consol_smg/sm_cnovr.html 2016-02-27 16:00:06 -06:00			`$matches = array();`
Fix log entries with timestamps included and incorrect time (leading * or .) Issue #3316 2016-04-11 19:57:49 -05:00			`$timestamp_prefix = '([\*\.]?[A-Z][a-z]{2} \d\d? \d\d:\d\d:\d\d(.\d\d\d)?( [A-Z]{3})?: )?';`
Some devices have "logging timestamp" enabled, try to remove that from the start of the message. Fixes #3199 2016-03-09 08:20:51 -06:00			`$program_match = '(?<program>%?[A-Za-z\d\-_]+(:[A-Z]* %[A-Z\d\-_]+)?)';`
			`$message_match = '(?<msg>.*)';`
Update code in includes to be PSR-2 compliant (#4220) refactor: Update code in /includes to be psr2 compliant #4220 2016-08-28 12:32:58 -05:00			`if (preg_match('/^' . $timestamp_prefix . $program_match . ': ?' . $message_match . '/', $entry['msg'], $matches)) {`
This should process all of the messages on these sites and if it fails, there should be no data loss http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/29804-186.html http://www.cisco.com/c/en/us/td/docs/ios/system/messages/guide/consol_smg/sm_cnovr.html 2016-02-27 16:00:06 -06:00			`$entry['program'] = $matches['program'];`
			`$entry['msg'] = $matches['msg'];`
			`}`
			`unset($matches);`
Update code in includes to be PSR-2 compliant (#4220) refactor: Update code in /includes to be psr2 compliant #4220 2016-08-28 12:32:58 -05:00			`} else {`
This should process all of the messages on these sites and if it fails, there should be no data loss http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/29804-186.html http://www.cisco.com/c/en/us/td/docs/ios/system/messages/guide/consol_smg/sm_cnovr.html 2016-02-27 16:00:06 -06:00			`// if this looks like a program (no groups of 2 or more lowercase letters), move it to program`
move the negation outside of the regular expression for more accurate results 2016-03-02 23:48:07 -06:00			`if (!preg_match('/[(a-z)]{2,}/', $entry['msg'])) {`
This should process all of the messages on these sites and if it fails, there should be no data loss http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/29804-186.html http://www.cisco.com/c/en/us/td/docs/ios/system/messages/guide/consol_smg/sm_cnovr.html 2016-02-27 16:00:06 -06:00			`$entry['program'] = $entry['msg'];`
			`unset($entry['msg']);`
Update code in includes to be PSR-2 compliant (#4220) refactor: Update code in /includes to be psr2 compliant #4220 2016-08-28 12:32:58 -05:00			`}`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`}`
Update code in includes to be PSR-2 compliant (#4220) refactor: Update code in /includes to be psr2 compliant #4220 2016-08-28 12:32:58 -05:00			`} elseif ($os == 'linux' and get_cache($entry['host'], 'version') == 'Point') {`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`// Cisco WAP200 and similar`
			`$matches = array();`
			`if (preg_match('#Log: \[(?P<program>.)\] - (?P<msg>.)#', $entry['msg'], $matches)) {`
			`$entry['msg'] = $matches['msg'];`
			`$entry['program'] = $matches['program'];`
			`}`

			`unset($matches);`
Update code in includes to be PSR-2 compliant (#4220) refactor: Update code in /includes to be psr2 compliant #4220 2016-08-28 12:32:58 -05:00			`} elseif ($os == 'linux') {`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`$matches = array();`
Syslog Linux OpenVPN pattern does not match example, remove it 2016-03-05 12:12:00 +01:00			`// pam_krb5(sshd:auth): authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`// pam_krb5[sshd:auth]: authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231`
fix: syslog, pull out pam program source (#5942) * Clean up syslog integration * Fix syslog test * Fix some more tests I missed earlier 2017-02-21 15:40:16 +01:00			`if (empty($entry['program']) and preg_match('#^(?P<program>([^(:]+\([^)]+\)\|[^\[:]+\[[^\]]+\])) ?: ?(?P<msg>.*)$#', $entry['msg'], $matches)) {`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`$entry['msg'] = $matches['msg'];`
			`$entry['program'] = $matches['program'];`
			`} // SYSLOG CONNECTION BROKEN; FD='6', SERVER='AF_INET(123.213.132.231:514)', time_reopen='60'`
			`// pam_krb5: authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231`
			`// Disabled because broke this:`
			`// diskio.c: don't know how to handle 10 request`
			`// elseif($pos = strpos($entry['msg'], ';') or $pos = strpos($entry['msg'], ':')) {`
			`// $entry['program'] = substr($entry['msg'], 0, $pos);`
			`// $entry['msg'] = substr($entry['msg'], $pos+1);`
			`// }`
			`// fallback, better than nothing...`
Update code in includes to be PSR-2 compliant (#4220) refactor: Update code in /includes to be psr2 compliant #4220 2016-08-28 12:32:58 -05:00			`elseif (empty($entry['program']) and !empty($entry['facility'])) {`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`$entry['program'] = $entry['facility'];`
			`}`

			`unset($matches);`
Update code in includes to be PSR-2 compliant (#4220) refactor: Update code in /includes to be psr2 compliant #4220 2016-08-28 12:32:58 -05:00			`} elseif ($os == 'procurve') {`
Human readable program, and append event ID to message 2016-03-04 16:14:47 +01:00			`$matches = array();`
			`if (preg_match('/^(?P<program>[A-Za-z]+): {2}(?P<msg>.*)/', $entry['msg'], $matches)) {`
			`$entry['msg'] = $matches['msg']. " [". $entry['program']. "]";`
			`$entry['program'] = $matches['program'];`
			`}`
			`unset($matches);`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`}//end if`

			`if (!isset($entry['program'])) {`
			`$entry['program'] = $entry['msg'];`
			`unset($entry['msg']);`
			`}`

			`$entry['program'] = strtoupper($entry['program']);`
Syslog trim whitespace 2016-03-05 11:06:29 +01:00			`$entry = array_map('trim', $entry);`
Fix coding style part 2 2015-07-13 20:10:26 +02:00
			`if ($update) {`
			`dbInsert(`
			`array(`
			`'device_id' => $entry['device_id'],`
			`'program' => $entry['program'],`
			`'facility' => $entry['facility'],`
			`'priority' => $entry['priority'],`
			`'level' => $entry['level'],`
			`'tag' => $entry['tag'],`
			`'msg' => $entry['msg'],`
			`'timestamp' => $entry['timestamp'],`
			`),`
			`'syslog'`
			`);`
			`}`

			`unset($os);`
			`}//end if`

			`return $entry;`
			`}//end process_syslog()`