From 49be12423820706874f653e2f0c075c0000cdea0 Mon Sep 17 00:00:00 2001
From: Ultra2D
Date: Thu, 18 Feb 2016 12:30:43 +0100
Subject: [PATCH 1/8] Fixed syslog: only parse messages if program is empty
---
includes/syslog.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/includes/syslog.php b/includes/syslog.php
index 7111a6be68..76ee7769f0 100644
--- a/includes/syslog.php
+++ b/includes/syslog.php
@@ -107,7 +107,7 @@ function process_syslog($entry, $update) {
$entry['program'] = 'Dovecot';
} // pam_krb5(sshd:auth): authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231 // pam_krb5[sshd:auth]: authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231
- else if (preg_match('#^(?P(.*((\(|\[).*(\)|\])))):(?P.*)$#', $entry['msg'], $matches)) {
+ else if (empty($entry['program']) and preg_match('#^(?P(.*((\(|\[).*(\)|\])))):(?P.*)$#', $entry['msg'], $matches)) {
$entry['msg'] = $matches['msg'];
$entry['program'] = $matches['program'];
} // SYSLOG CONNECTION BROKEN; FD='6', SERVER='AF_INET(123.213.132.231:514)', time_reopen='60'
From fb9224d507d88635452470255095e2b11e28daa4 Mon Sep 17 00:00:00 2001
From: Ultra2D
Date: Wed, 2 Mar 2016 16:19:32 +0100
Subject: [PATCH 2/8] Keep original behaviour, just prevent false matches
---
includes/syslog.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/includes/syslog.php b/includes/syslog.php
index 76ee7769f0..3c4980b385 100644
--- a/includes/syslog.php
+++ b/includes/syslog.php
@@ -107,7 +107,7 @@ function process_syslog($entry, $update) {
$entry['program'] = 'Dovecot';
} // pam_krb5(sshd:auth): authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231 // pam_krb5[sshd:auth]: authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231
- else if (empty($entry['program']) and preg_match('#^(?P(.*((\(|\[).*(\)|\])))):(?P.*)$#', $entry['msg'], $matches)) {
+ else if (preg_match('#^(?P([^(:]+\([^)]+\)|[^\[:]+\[[^\]]+\])) ?: ?(?P.*)$#', $entry['msg'], $matches)) {
$entry['msg'] = $matches['msg'];
$entry['program'] = $matches['program'];
} // SYSLOG CONNECTION BROKEN; FD='6', SERVER='AF_INET(123.213.132.231:514)', time_reopen='60'
From 70ad24157f92743ecd42cf26fde671a1775b5ce6 Mon Sep 17 00:00:00 2001
From: Ultra2D
Date: Fri, 4 Mar 2016 12:32:06 +0100
Subject: [PATCH 3/8] PHPunit tests for Linux syslog parsing
---
tests/SyslogTest.php | 58 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 58 insertions(+)
diff --git a/tests/SyslogTest.php b/tests/SyslogTest.php
index 7023f06d0a..849ed3f9e6 100644
--- a/tests/SyslogTest.php
+++ b/tests/SyslogTest.php
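Review bot: The replacement pattern on the `+` line is dense enough that the two `// pam_krb5...` examples above it no longer explain what it accepts; a comment stating the contract would help, e.g. `// program(context): msg  or  program[context]: msg — name may not contain ':' or the opening bracket, the bracket pair must be balanced and non-empty, spaces around ':' are optional`. One consequence worth confirming: the bracket alternative also accepts all-digit contents, so a message that still carries its own `tag[pid]:` prefix would have the pid folded into `$entry['program']` (which the later hunk at `@@ -119` shows being upper-cased and stored), giving one distinct program value per pid; if that input shape can reach this code, requiring a non-digit first character inside the brackets (`\[[^\]\d][^\]]*\]`) keeps the pam_krb5 form while rejecting bare pids. process_syslog continues outside the hunk.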
@@ -85,5 +85,63 @@ class SyslogTest extends \PHPUnit_Framework_TestCase
$this->assertEquals($data['result'], $res);
}
}
+ public function testLinuxSyslog()
+ {
+ // populate fake $dev_cache and $config
+ global $config, $dev_cache;
+ $dev_cache['1.1.1.1'] = array('device_id' => 1, 'os' => 'linux', 'version' => 1);
+ $config = array();
+ $config['syslog_filter'] = array();
+
+ // populate test data
+ $testdata = array();
+
+ // ---- PAM ----
+ //list($entry['host'],$entry['facility'],$entry['priority'], $entry['level'], $entry['tag'], $entry['timestamp'], $entry['msg'], $entry['program']) = explode("||", trim($line));
+ $testdata[] = $this->createData(
+ "1.1.1.1||auth||info||info||0e||2016-02-28 00:23:34||pam_unix(cron:session): session opened for user librenms by (uid=0)||CRON",
+ array('device_id'=>1, 'program'=>'PAM_UNIX(CRON:SESSION)', 'msg'=>'session opened for user librenms by (uid=0)')
+ );
+ $testdata[] = $this->createData(
+ "1.1.1.1||auth||info||info||0e||2016-02-28 00:23:34||pam_unix(sudo:session): session opened for user librenms by root (uid=0)||sudo",
+ array('device_id'=>1, 'program'=>'PAM_UNIX(SUDO:SESSION)', 'msg'=>'session opened for user librenms by root (uid=0)')
+ );
+ $testdata[] = $this->createData(
+ "1.1.1.1||auth||info||info||0e||2016-02-28 00:23:34||pam_krb5(sshd:auth): authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231||sshd",
+ array('device_id'=>1, 'program'=>'PAM_KRB5(SSHD:AUTH)', 'msg'=>'authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231')
+ );
+ $testdata[] = $this->createData(
+ "1.1.1.1||auth||info||info||0e||2016-02-28 00:23:34||pam_krb5[sshd:auth]: authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231||sshd",
+ array('device_id'=>1, 'program'=>'PAM_KRB5[SSHD:AUTH]', 'msg'=>'authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231')
+ );
+
+ // ---- Postfix ----
+ $testdata[] = $this->createData(
+ "1.1.1.1||mail||info||info||0e||2016-02-28 00:23:34||5C62E329EF: to=, relay=mail.example.com[127.0.0.1]:25, delay=0.11, delays=0.04/0.01/0/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5362E6A670E)||postfix/smtp",
+ array('device_id'=>1, 'program'=>'POSTFIX/SMTP', 'msg'=>'5C62E329EF: to=, relay=mail.example.com[127.0.0.1]:25, delay=0.11, delays=0.04/0.01/0/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5362E6A670E)')
+ );
+ $testdata[] = $this->createData(
+ "1.1.1.1||mail||info||info||0e||2016-02-28 00:23:34||D7256400EF: from=, size=882, nrcpt=1 (queue active)||postfix/qmgr",
+ array('device_id'=>1, 'program'=>'POSTFIX/QMGR', 'msg'=>'D7256400EF: from=, size=882, nrcpt=1 (queue active)')
+ );
+
+ // ---- No program ----
+ $testdata[] = $this->createData(
+ "1.1.1.1||user||info||info||0e||2016-02-28 00:23:34||some random message",
+ array('device_id'=>1, 'program'=>'USER', 'msg'=>'some random message')
+ );
+
+ // ---- Other ----
+ $testdata[] = $this->createData(
+ "1.1.1.1||syslog||info||info||0e||2016-02-28 00:23:34||(librenms) CMD ( /opt/librenms/alerts.php >> /var/log/librenms_alert.log 2>&1)||CRON",
+ array('device_id'=>1, 'program'=>'CRON', 'msg'=>'(librenms) CMD ( /opt/librenms/alerts.php >> /var/log/librenms_alert.log 2>&1)')
+ );
+ // run tests
+
+ foreach($testdata as $data) {
+ $res = process_syslog($data['input'], 0);
+ $this->assertEquals($data['result'], $res);
+ }
+ }
}
From 24d7926ea61cefef265db7b5e54fcb467f88d377 Mon Sep 17 00:00:00 2001
From: Ultra2D
Date: Fri, 4 Mar 2016 13:10:07 +0100
Subject: [PATCH 4/8] Fix build failure
---
tests/SyslogTest.php | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/SyslogTest.php b/tests/SyslogTest.php
index 849ed3f9e6..4766d15304 100644
--- a/tests/SyslogTest.php
+++ b/tests/SyslogTest.php
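Review bot: `testLinuxSyslog` overwrites `$config` with an empty array and writes `$dev_cache['1.1.1.1']` through `global` and never restores either, so any configuration that other tests in the same PHPUnit process depend on is gone once this method has run. Saving and restoring both in `setUp()`/`tearDown()`, or enabling PHPUnit's `@backupGlobals` on the class, keeps the cases independent of execution order. Separately, all the samples go through one `foreach` with a single `$this->assertEquals($data['result'], $res);`, so the first mismatch aborts the method and hides the remaining samples; a `@dataProvider` yielding the `createData()` pairs would report each one on its own. The final context `}` closes `SyslogTest`, whose header is outside the hunk.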
@@ -97,7 +97,6 @@ class SyslogTest extends \PHPUnit_Framework_TestCase
$testdata = array();
// ---- PAM ----
- //list($entry['host'],$entry['facility'],$entry['priority'], $entry['level'], $entry['tag'], $entry['timestamp'], $entry['msg'], $entry['program']) = explode("||", trim($line));
$testdata[] = $this->createData(
"1.1.1.1||auth||info||info||0e||2016-02-28 00:23:34||pam_unix(cron:session): session opened for user librenms by (uid=0)||CRON",
array('device_id'=>1, 'program'=>'PAM_UNIX(CRON:SESSION)', 'msg'=>'session opened for user librenms by (uid=0)')
@@ -127,7 +126,7 @@ class SyslogTest extends \PHPUnit_Framework_TestCase
// ---- No program ----
$testdata[] = $this->createData(
- "1.1.1.1||user||info||info||0e||2016-02-28 00:23:34||some random message",
+ "1.1.1.1||user||info||info||0e||2016-02-28 00:23:34||some random message||",
array('device_id'=>1, 'program'=>'USER', 'msg'=>'some random message')
);
@@ -136,8 +135,9 @@ class SyslogTest extends \PHPUnit_Framework_TestCase
"1.1.1.1||syslog||info||info||0e||2016-02-28 00:23:34||(librenms) CMD ( /opt/librenms/alerts.php >> /var/log/librenms_alert.log 2>&1)||CRON",
array('device_id'=>1, 'program'=>'CRON', 'msg'=>'(librenms) CMD ( /opt/librenms/alerts.php >> /var/log/librenms_alert.log 2>&1)')
);
- // run tests
+
+ // run tests
foreach($testdata as $data) {
$res = process_syslog($data['input'], 0);
$this->assertEquals($data['result'], $res);
From 2b6439d502243f723e6002987d9c78afa65b297c Mon Sep 17 00:00:00 2001
From: Ultra2D
Date: Fri, 4 Mar 2016 13:45:48 +0100
Subject: [PATCH 5/8] Missing trailing delimiter in original code
---
includes/syslog.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/includes/syslog.php b/includes/syslog.php
index a644333f42..062708dab6 100644
--- a/includes/syslog.php
+++ b/includes/syslog.php
@@ -90,7 +90,7 @@ function process_syslog($entry, $update) {
$entry['program'] = 'OpenVPN';
} //end if
// POP3(username): Disconnected: Logged out top=0/0, retr=0/0, del=0/1, size=2802
- else if ($entry['facility'] == 'mail' and preg_match('#^(((pop3|imap)\-login)|((POP3|IMAP)\(.*\))):', $entry['msg'])) {
+ else if ($entry['facility'] == 'mail' and preg_match('#^(((pop3|imap)\-login)|((POP3|IMAP)\(.*\))):#', $entry['msg'])) {
$entry['program'] = 'Dovecot';
} // pam_krb5(sshd:auth): authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231 // pam_krb5[sshd:auth]: authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231
From 99cd9f96cf75688d4a95f7f6f51c2da1e248bdf2 Mon Sep 17 00:00:00 2001
From: Ultra2D
Date: Fri, 4 Mar 2016 15:18:24 +0100
Subject: [PATCH 6/8] Proper tags and facilities; additional example
---
tests/SyslogTest.php | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/tests/SyslogTest.php b/tests/SyslogTest.php
index 4766d15304..4259489635 100644
--- a/tests/SyslogTest.php
+++ b/tests/SyslogTest.php
@@ -98,11 +98,11 @@ class SyslogTest extends \PHPUnit_Framework_TestCase
// ---- PAM ----
$testdata[] = $this->createData(
- "1.1.1.1||auth||info||info||0e||2016-02-28 00:23:34||pam_unix(cron:session): session opened for user librenms by (uid=0)||CRON",
+ "1.1.1.1||authpriv||info||info||56||2016-02-28 00:23:34||pam_unix(cron:session): session opened for user librenms by (uid=0)||CRON",
array('device_id'=>1, 'program'=>'PAM_UNIX(CRON:SESSION)', 'msg'=>'session opened for user librenms by (uid=0)')
);
$testdata[] = $this->createData(
- "1.1.1.1||auth||info||info||0e||2016-02-28 00:23:34||pam_unix(sudo:session): session opened for user librenms by root (uid=0)||sudo",
+ "1.1.1.1||authpriv||info||info||55||2016-02-28 00:23:34||pam_unix(sudo:session): session opened for user librenms by root (uid=0)||sudo",
array('device_id'=>1, 'program'=>'PAM_UNIX(SUDO:SESSION)', 'msg'=>'session opened for user librenms by root (uid=0)')
);
$testdata[] = $this->createData(
@@ -116,11 +116,11 @@ class SyslogTest extends \PHPUnit_Framework_TestCase
// ---- Postfix ----
$testdata[] = $this->createData(
- "1.1.1.1||mail||info||info||0e||2016-02-28 00:23:34||5C62E329EF: to=, relay=mail.example.com[127.0.0.1]:25, delay=0.11, delays=0.04/0.01/0/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5362E6A670E)||postfix/smtp",
+ "1.1.1.1||mail||info||info||16||2016-02-28 00:23:34||5C62E329EF: to=, relay=mail.example.com[127.0.0.1]:25, delay=0.11, delays=0.04/0.01/0/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5362E6A670E)||postfix/smtp",
array('device_id'=>1, 'program'=>'POSTFIX/SMTP', 'msg'=>'5C62E329EF: to=, relay=mail.example.com[127.0.0.1]:25, delay=0.11, delays=0.04/0.01/0/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5362E6A670E)')
);
$testdata[] = $this->createData(
- "1.1.1.1||mail||info||info||0e||2016-02-28 00:23:34||D7256400EF: from=, size=882, nrcpt=1 (queue active)||postfix/qmgr",
+ "1.1.1.1||mail||info||info||16||2016-02-28 00:23:34||D7256400EF: from=, size=882, nrcpt=1 (queue active)||postfix/qmgr",
array('device_id'=>1, 'program'=>'POSTFIX/QMGR', 'msg'=>'D7256400EF: from=, size=882, nrcpt=1 (queue active)')
);
@@ -132,9 +132,13 @@ class SyslogTest extends \PHPUnit_Framework_TestCase
// ---- Other ----
$testdata[] = $this->createData(
- "1.1.1.1||syslog||info||info||0e||2016-02-28 00:23:34||(librenms) CMD ( /opt/librenms/alerts.php >> /var/log/librenms_alert.log 2>&1)||CRON",
+ "1.1.1.1||cron||info||info||4e||2016-02-28 00:23:34||(librenms) CMD ( /opt/librenms/alerts.php >> /var/log/librenms_alert.log 2>&1)||CRON",
array('device_id'=>1, 'program'=>'CRON', 'msg'=>'(librenms) CMD ( /opt/librenms/alerts.php >> /var/log/librenms_alert.log 2>&1)')
);
+ $testdata[] = $this->createData(
+ "1.1.1.1||authpriv||notice||notice||55||2016-02-28 00:23:34|| root : TTY=pts/1 ; PWD=/opt/librenms ; USER=librenms ; COMMAND=/usr/bin/git status||sudo",
+ array('device_id'=>1, 'program'=>'SUDO', 'msg'=>'root : TTY=pts/1 ; PWD=/opt/librenms ; USER=librenms ; COMMAND=/usr/bin/git status')
+ );
// run tests
From 488f7f44c494dee08b6eb719a3d4e670f193c2b8 Mon Sep 17 00:00:00 2001
From: Ultra2D
Date: Fri, 4 Mar 2016 15:51:49 +0100
Subject: [PATCH 7/8] array_walk does not work like that, apparently input is trimmed later on
---
includes/syslog.php | 1 -
tests/SyslogTest.php | 2 +-
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/includes/syslog.php b/includes/syslog.php
index 062708dab6..e56526f59c 100644
--- a/includes/syslog.php
+++ b/includes/syslog.php
@@ -119,7 +119,6 @@ function process_syslog($entry, $update) {
}
$entry['program'] = strtoupper($entry['program']);
- array_walk($entry, 'trim');
if ($update) {
dbInsert(
diff --git a/tests/SyslogTest.php b/tests/SyslogTest.php
index 4259489635..f71360d9f8 100644
--- a/tests/SyslogTest.php
+++ b/tests/SyslogTest.php
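Review bot: Deleting `array_walk($entry, 'trim');` in the `@@ -119` hunk is behaviour-preserving only because the call was already a no-op — `array_walk` passes each element to `trim` by value and discards the return — so the hunk confirms that `process_syslog` never trimmed anything at this point. The commit message says the input is trimmed later on, but nothing visible here shows that, and the test hunk that follows (`tests/SyslogTest.php`, `@@ -137`) now pins `msg` with its leading space, so unless a trim happens after this function returns the untrimmed value is what reaches `dbInsert`. If trimming was the original intent, `$entry = array_map('trim', $entry);` at the same spot is the working one-liner. process_syslog continues outside the hunk on both sides.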
@@ -137,7 +137,7 @@ class SyslogTest extends \PHPUnit_Framework_TestCase
);
$testdata[] = $this->createData(
"1.1.1.1||authpriv||notice||notice||55||2016-02-28 00:23:34|| root : TTY=pts/1 ; PWD=/opt/librenms ; USER=librenms ; COMMAND=/usr/bin/git status||sudo",
- array('device_id'=>1, 'program'=>'SUDO', 'msg'=>'root : TTY=pts/1 ; PWD=/opt/librenms ; USER=librenms ; COMMAND=/usr/bin/git status')
+ array('device_id'=>1, 'program'=>'SUDO', 'msg'=>' root : TTY=pts/1 ; PWD=/opt/librenms ; USER=librenms ; COMMAND=/usr/bin/git status')
);
From 25e88f743c1d632d6a12a7d64332e407ae87fbb4 Mon Sep 17 00:00:00 2001
From: Ultra2D
Date: Fri, 4 Mar 2016 17:43:05 +0100
Subject: [PATCH 8/8] Remove dovecot match because of invalid pattern
---
includes/syslog.php | 4 ----
1 file changed, 4 deletions(-)
diff --git a/includes/syslog.php b/includes/syslog.php
index e56526f59c..307f8e0da1 100644
--- a/includes/syslog.php
+++ b/includes/syslog.php
@@ -88,10 +88,6 @@ function process_syslog($entry, $update) {
// User_CommonName/123.213.132.231:39872 VERIFY OK: depth=1, /C=PL/ST=Malopolska/O=VLO/CN=v-lo.krakow.pl/emailAddress=root@v-lo.krakow.pl
if ($entry['facility'] == 'daemon' and preg_match('#/([0-9]{1,3}\.) {3}[0-9]{1,3}:[0-9]{4,} ([A-Z]([A-Za-z])+( ?)) {2,}:#', $entry['msg'])) {
$entry['program'] = 'OpenVPN';
- } //end if
- // POP3(username): Disconnected: Logged out top=0/0, retr=0/0, del=0/1, size=2802
- else if ($entry['facility'] == 'mail' and preg_match('#^(((pop3|imap)\-login)|((POP3|IMAP)\(.*\))):#', $entry['msg'])) {
- $entry['program'] = 'Dovecot';
} // pam_krb5(sshd:auth): authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231 // pam_krb5[sshd:auth]: authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231
else if (preg_match('#^(?P([^(:]+\([^)]+\)|[^\[:]+\[[^\]]+\])) ?: ?(?P.*)$#', $entry['msg'], $matches)) {
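Review bot: Removing the Dovecot branch in the `@@ -88` hunk changes how mail-facility messages are classified rather than only dropping a pattern: judging by the generic regex on the hunk's last context line, `POP3(username): Disconnected: ...` now falls through to it and is recorded with program `POP3(username)` (upper-cased later in the function) and a shortened `msg`, while `pop3-login:`/`imap-login:` lines match neither alternative and keep whatever syslog tag they arrived with. If that is the intended outcome, adding one of those two mail samples to `testLinuxSyslog` would document it; if not, keeping the branch with the delimiter fix from the earlier commit in this series is the smaller change. The removed `else if` already carries the closing `#`, so it is not clear from the hunk which part of the pattern is invalid — worth stating in the commit message. process_syslog continues outside the hunk.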