< ? php
## FIXME (resolved): get_cache() below now passes the host to dbFetchCell() as a
## bound parameter. The earlier string-built queries are kept for reference only
## and must not be revived: both interpolated the sender-supplied host into SQL,
## and the second one did so with no escaping at all.
# $device_id_host = @dbFetchCell("SELECT device_id FROM devices WHERE `hostname` = '".mres($entry['host'])."' OR `sysName` = '".mres($entry['host'])."'");
# $device_id_ip = @dbFetchCell("SELECT device_id FROM ipv4_addresses AS A, ports AS I WHERE A.ipv4_address = '" . $entry['host']."' AND I.interface_id = A.interface_id");
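/**
 * Memoised device lookup for syslog processing.
 *
 * Resolves the syslog source identifier $host to one of the cached attributes
 * 'device_id', 'os' or 'version'. The database is queried on the first request
 * for each ($host, $value) pair and the result is stored in the global
 * $dev_cache for the lifetime of the process.
 *
 * @param string $host  Hostname, sysName or IPv4 address as reported in the
 *                      syslog entry. Matched against devices.hostname,
 *                      devices.sysName and ipv4_addresses.ipv4_address.
 * @param string $value One of 'device_id', 'os', 'version'.
 * @return mixed        null for an unknown $value or an unusable $host;
 *                      otherwise whatever dbFetchCell() returned (for
 *                      'device_id' this is non-numeric when nothing matched).
 */
function get_cache($host, $value)
{
    global $dev_cache;

    // An entry without a usable host cannot be keyed; without this check it would
    // cost two DB round trips and be memoised under the empty-string key.
    if (!is_scalar($host) || (string) $host === '') {
        return null;
    }
    $host = (string) $host;

    // SECURITY NOTE: $host is taken verbatim from the syslog packet, which is
    // unauthenticated when received over UDP. The cache is keyed by it and is
    // never evicted, so a flood of unique spoofed hostnames grows $dev_cache
    // without bound for as long as the daemon runs. Bound it or reset it
    // periodically if this process is reachable by untrusted senders.
    // NOTE(review): if dbFetchCell() returns false rather than null when no row
    // matches, a miss is memoised too and a device added later is not seen
    // until restart — confirm against dbFetchCell().
    if (!isset($dev_cache[$host][$value])) {
        switch ($value) {
            case 'device_id':
                // Attribution is by self-reported hostname/sysName first: any
                // sender that claims a known name has its messages filed under
                // that device.
                $dev_cache[$host]['device_id'] = dbFetchCell(
                    'SELECT `device_id` FROM devices WHERE `hostname` = ? OR `sysName` = ?',
                    array($host, $host)
                );
                // Fall back to the source address when the name lookup found nothing.
                if (!is_numeric($dev_cache[$host]['device_id'])) {
                    $dev_cache[$host]['device_id'] = dbFetchCell(
                        'SELECT `device_id` FROM `ipv4_addresses` AS A, `ports` AS I WHERE A.ipv4_address = ? AND I.interface_id = A.interface_id',
                        array($host)
                    );
                }
                break;

            case 'os':
                $dev_cache[$host]['os'] = dbFetchCell(
                    'SELECT `os` FROM devices WHERE `device_id` = ?',
                    array(get_cache($host, 'device_id'))
                );
                break;

            case 'version':
                $dev_cache[$host]['version'] = dbFetchCell(
                    'SELECT `version` FROM devices WHERE `device_id`= ?',
                    array(get_cache($host, 'device_id'))
                );
                break;

            default:
                // Unknown attribute: nothing is cached.
                return null;
        }
    }

    return $dev_cache[$host][$value];
}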
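/**
 * Split a Cisco IOS / IOS-XE / CatOS syslog line into program and message.
 *
 * Handles both the "%FACILITY-SEV-MNEMONIC: text" form (optionally preceded by a
 * sequence number and timestamp) and lines without a %-mnemonic, where the text
 * before the first ": " is taken as the program.
 *
 * @param string $msg Raw message text from the syslog entry.
 * @return array      array('program' => string, 'msg' => string), or
 *                    array('msg' => string) when only one field could be
 *                    recovered (the caller then treats it as the program).
 */
function syslog_split_cisco_msg($msg)
{
    $msg = (string) $msg;

    if (strpos($msg, '%') !== false) {
        $msg = preg_replace("/^%(.+?):\ /", "\\1||", $msg);
        // "seq: timestamp: %MNEMONIC: text" — keep what follows the first ": %".
        // The original used split() (removed in PHP 7) and, as here, kept only
        // the segment up to the next ": %". A line that contains '%' but no
        // ": %" (e.g. one that already starts with %MNEMONIC) used to be blanked
        // to "%"; it is now left as is.
        $parts = explode(': %', $msg);
        if (isset($parts[1])) {
            $msg = '%' . $parts[1];
        }
        $msg = preg_replace("/^%(.+?):\ /", "\\1||", $msg);
    } else {
        // No mnemonic: strip "nnn:" / "HH MON:" style prefixes, then split at
        // the first ": ".
        $msg = preg_replace("/^.*[0-9]:/", "", $msg);
        $msg = preg_replace("/^[0-9][0-9]\ [A-Z]{3}:/", "", $msg);
        $msg = preg_replace("/^(.+?):\ /", "\\1||", $msg);
    }

    $msg = preg_replace("/^.+\.[0-9]{3}:/", "", $msg);
    $msg = preg_replace("/^.+-Traceback=/", "Traceback||", $msg);

    // Limit 2 so a literal "||" later in the text is not silently discarded
    // (the original list()/explode() pair dropped everything after the second).
    $parts = explode('||', $msg, 2);
    $program = $parts[0];
    $msg = isset($parts[1]) ? $parts[1] : '';
    $msg = preg_replace("/^[0-9]+:/", "", $msg);

    if (!$program) {
        // Nothing before the separator: try "MNEMONIC: text" on what is left.
        $msg = preg_replace("/^([0-9A-Z\-]+?):\ /", "\\1||", $msg);
        $parts = explode('||', $msg, 2);
        $program = $parts[0];
        $msg = isset($parts[1]) ? $parts[1] : '';
    }

    if (!$msg) {
        // Only one field survived; hand it back as the message, no program.
        return array('msg' => $program);
    }

    return array('program' => $program, 'msg' => $msg);
}

/**
 * Normalise one syslog entry and optionally store it.
 *
 * $entry is the associative array handed over by the syslog feed; this function
 * reads 'host' and 'msg' and, for the stored row, 'facility', 'priority',
 * 'level', 'tag' and 'timestamp'. It drops entries containing any substring in
 * $config['syslog_filter'], attributes the entry to a device through
 * get_cache(), splits vendor-specific "program: message" layouts into
 * 'program' and 'msg', upper-cases 'program', and inserts the row into the
 * `syslog` table when $update is truthy.
 *
 * Every field of $entry is untrusted: it is whatever the remote sender put on
 * the wire, and device attribution relies on the self-reported host. The row
 * is written through dbInsert() with a fixed column whitelist, so sender-chosen
 * keys never reach the query; 'program' and 'msg' are stored verbatim and must
 * be escaped for whatever context renders them (HTML, CSV, ...).
 *
 * @param array $entry  Raw syslog fields (see above).
 * @param bool  $update Insert the normalised entry into the `syslog` table.
 * @return array        The normalised entry. Filtered entries are returned
 *                      unmodified; entries whose host resolves to no device
 *                      are returned with 'device_id' set to the failed lookup
 *                      value and are not stored.
 */
function process_syslog($entry, $update)
{
    global $config;

    $msg = isset($entry['msg']) ? (string) $entry['msg'] : '';

    // Substring filter. An empty filter string is skipped: on PHP 8
    // strpos($msg, '') is 0 and would discard every message, on older PHP it
    // warned and never matched.
    $filters = (isset($config['syslog_filter']) && is_array($config['syslog_filter']))
        ? $config['syslog_filter']
        : array();
    foreach ($filters as $bi) {
        if ($bi === null || (string) $bi === '') {
            continue;
        }
        if (strpos($msg, (string) $bi) !== false) {
            // Debug output kept from the original: dumps the dropped entry to stdout.
            print_r($entry);
            echo('D-' . $bi);
            return $entry;
        }
    }

    $host = isset($entry['host']) ? $entry['host'] : null;
    $entry['device_id'] = get_cache($host, 'device_id');

    if (!empty($entry['device_id'])) {
        $os = get_cache($host, 'os');

        if (in_array($os, array('ios', 'iosxe', 'catos'), true)) {
            // The split always replaces 'program'; when only one field comes
            // back it is left unset so the generic fallback below promotes it.
            $parsed = syslog_split_cisco_msg($msg);
            unset($entry['program']);
            $entry['msg'] = $parsed['msg'];
            if (isset($parsed['program'])) {
                $entry['program'] = $parsed['program'];
            }
        } elseif ($os === 'linux' && get_cache($host, 'version') === 'Point') {
            // Cisco WAP200 and similar: "Log: [program] - message"
            $matches = array();
            if (preg_match('#Log: \[(?P<program>.*)\] - (?P<msg>.*)#', $msg, $matches)) {
                $entry['msg'] = $matches['msg'];
                $entry['program'] = $matches['program'];
            }
        } elseif ($os === 'linux') {
            $facility = isset($entry['facility']) ? $entry['facility'] : null;
            $matches = array();

            // User_CommonName/123.213.132.231:39872 VERIFY OK: depth=1, /C=PL/ST=Malopolska/O=VLO/CN=v-lo.krakow.pl/emailAddress=root@v-lo.krakow.pl
            if ($facility == 'daemon' && preg_match('#/([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{4,} ([A-Z]([A-Za-z])+( ?)){2,}:#', $msg)) {
                $entry['program'] = 'OpenVPN';
            }
            // pop3-login: Login: user=<username>, method=PLAIN, rip=123.213.132.231, lip=123.213.132.231, TLS
            // POP3(username): Disconnected: Logged out top=0/0, retr=0/0, del=0/1, size=2802
            // The original pattern lacked its closing '#' delimiter, so preg_match()
            // warned and returned false and this branch could never fire.
            elseif ($facility == 'mail' && preg_match('#^(((pop3|imap)\-login)|((POP3|IMAP)\(.*\))):#', $msg)) {
                $entry['program'] = 'Dovecot';
            }
            // pam_krb5(sshd:auth): authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231
            // pam_krb5[sshd:auth]: authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231
            elseif (preg_match('#^(?P<program>(.*((\(|\[).*(\)|\])))):(?P<msg>.*)$#', $msg, $matches)) {
                $entry['msg'] = $matches['msg'];
                $entry['program'] = $matches['program'];
            }
            // A generic split at the first ';' or ':' was tried here and removed
            // because it mangled lines such as
            // "diskio.c: don't know how to handle 10 request".
            // Fallback, better than nothing: file it under the facility.
            elseif (empty($entry['program']) && !empty($facility)) {
                $entry['program'] = $facility;
            }
        }

        // No program recovered: the whole text becomes the program name.
        if (!isset($entry['program'])) {
            $entry['program'] = isset($entry['msg']) ? $entry['msg'] : null;
            unset($entry['msg']);
        }
        $entry['program'] = strtoupper((string) $entry['program']);

        // array_walk($entry, 'trim') in the original was a no-op: trim() takes
        // its argument by value and array_walk() passes the key as the second
        // parameter, so nothing was ever trimmed.
        foreach ($entry as $key => $field) {
            if (is_string($field)) {
                $entry[$key] = trim($field);
            }
        }

        if ($update) {
            // Fixed column whitelist: keys the sender may have injected into
            // $entry are never passed to the insert.
            $row = array();
            foreach (array('device_id', 'program', 'facility', 'priority', 'level', 'tag', 'msg', 'timestamp') as $column) {
                $row[$column] = isset($entry[$column]) ? $entry[$column] : null;
            }
            dbInsert($row, 'syslog');
        }
    }

    return $entry;
}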
?>