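$entry['device_id'], 'host' => $entry['host'], 'program' => $entry['program'], 'facility' => $entry['facility'], 'priority' => $entry['priority'], 'level' => $entry['level'], 'tag' => $entry['tag'], 'msg' => $entry['msg'], 'datetime' => $entry['timestamp'] ), 'logs' );
        dbInsert( array( 'device_id' => $entry['device_id'], 'program' => $entry['program'], 'facility' => $entry['facility'], 'priority' => $entry['priority'], 'level' => $entry['level'], 'tag' => $entry['tag'], 'msg' => $entry['msg'], 'timestamp' => $entry['timestamp'] ), 'syslog' );
    }
    return $entry;
}

/**
 * Legacy syslog entry processor.
 *
 * Drops entries matching a configured substring filter, resolves the sending
 * host to a device via get_cache(), derives a 'program' from the raw message
 * with per-OS heuristics, upper-cases the program, trims string fields and,
 * when requested, stores the entry in the 'syslog' table via dbInsert().
 *
 * @param array $entry  Syslog entry; keys read here are 'host', 'msg',
 *                      'facility', 'priority', 'level', 'tag', 'timestamp'
 *                      and optionally 'program'.
 * @param bool  $update When truthy the entry is written with dbInsert();
 *                      otherwise it is only parsed.
 *
 * @return array The (possibly rewritten) entry. Filtered entries and entries
 *               whose host resolves to no device are returned unchanged and
 *               are never stored.
 */
function process_syslog_old($entry, $update)
{
    global $config;

    // Substring filter. Guarding the config key avoids a foreach() warning when
    // no filters are configured; empty needles are skipped because strpos() on
    // PHP 8 matches '' at offset 0, which would silently drop every message.
    $filters = (isset($config['syslog_filter']) && is_array($config['syslog_filter']))
        ? $config['syslog_filter']
        : array();
    foreach ($filters as $needle) {
        if ($needle === '' || $needle === null) {
            continue;
        }
        if (strpos($entry['msg'], $needle) !== false) {
            // Debug output kept from the original: dumps the dropped entry to stdout.
            print_r($entry);
            echo('D-' . $needle);
            return $entry;
        }
    }

    $entry['device_id'] = get_cache($entry['host'], 'device_id');
    if (!$entry['device_id']) {
        // Unknown sender: nothing to attribute, nothing to store.
        return $entry;
    }

    $os = get_cache($entry['host'], 'os');
    $matches = array();

    // Named capture groups are 'program' and 'msg' because that is what the
    // $matches[...] reads below require; the previous text had '(?P.*)', which
    // PCRE rejects, so those branches could never match.
    if (in_array($os, array('ios', 'iosxe', 'catos'), true)) {
        // Cisco IOS style: "%FACILITY-SEV-MNEMONIC: text".
        if (preg_match('#%(?P<program>.*):( ?)(?P<msg>.*)#', $entry['msg'], $matches)) {
            $entry['msg'] = $matches['msg'];
            $entry['program'] = $matches['program'];
        }
    } elseif ($os === 'linux' && get_cache($entry['host'], 'version') === 'Point') {
        // Cisco WAP200 and similar: "Log: [program] - message".
        if (preg_match('#Log: \[(?P<program>.*)\] - (?P<msg>.*)#', $entry['msg'], $matches)) {
            $entry['msg'] = $matches['msg'];
            $entry['program'] = $matches['program'];
        }
    } elseif ($os === 'linux') {
        // User_CommonName/123.213.132.231:39872 VERIFY OK: depth=1, /C=PL/ST=Malopolska/O=VLO/CN=v-lo.krakow.pl/emailAddress=root@v-lo.krakow.pl
        // (character class was unterminated before: "[A-Za-z)+" had no closing "]")
        if ($entry['facility'] === 'daemon'
            && preg_match('#/([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{4,} ([A-Z]([A-Za-z]+( ?)){2,}:#', $entry['msg'])) {
            $entry['program'] = 'OpenVPN';
        }
        // pop3-login: Login: user=, method=PLAIN, rip=123.213.132.231, lip=123.213.132.231, TLS
        // POP3(username): Disconnected: Logged out top=0/0, retr=0/0, del=0/1, size=2802
        // (pattern was missing its closing '#' delimiter before)
        elseif ($entry['facility'] === 'mail'
            && preg_match('#^(((pop3|imap)\-login)|((POP3|IMAP)\(.*\))):#', $entry['msg'])) {
            $entry['program'] = 'Dovecot';
        }
        // pam_krb5(sshd:auth): authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231
        // pam_krb5[sshd:auth]: authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231
        elseif (preg_match('#^(?P<program>(.*((\(|\[).*(\)|\])))):(?P<msg>.*)$#', $entry['msg'], $matches)) {
            $entry['msg'] = $matches['msg'];
            $entry['program'] = $matches['program'];
        } else {
            // SYSLOG CONNECTION BROKEN; FD='6', SERVER='AF_INET(123.213.132.231:514)', time_reopen='60'
            // pam_krb5: authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231
            // Split on the first ';', else the first ':'. A separator at offset 0
            // counts as absent, exactly as the original truthiness test did.
            $pos = strpos($entry['msg'], ';');
            if (!$pos) {
                $pos = strpos($entry['msg'], ':');
            }
            if ($pos) {
                $entry['program'] = substr($entry['msg'], 0, $pos);
                $entry['msg'] = substr($entry['msg'], $pos + 1);
            } elseif (empty($entry['program']) && !empty($entry['facility'])) {
                // Fallback, better than nothing: use the facility as the program.
                $entry['program'] = $entry['facility'];
            }
        }
    }
    unset($matches, $os);

    // No program could be derived: the whole message becomes the program and
    // 'msg' is dropped, as before.
    if (!isset($entry['program'])) {
        $entry['program'] = $entry['msg'];
        unset($entry['msg']);
    }
    $entry['program'] = strtoupper($entry['program']);

    // Trim string fields only. The previous array_walk($entry, 'trim') discarded
    // trim()'s return value, so nothing was actually trimmed; non-string values
    // (e.g. an integer device_id) are left as they are.
    foreach ($entry as $key => $value) {
        if (is_string($value)) {
            $entry[$key] = trim($value);
        }
    }

    if ($update) {
        dbInsert(array(
            'device_id' => $entry['device_id'],
            'program'   => $entry['program'],
            'facility'  => $entry['facility'],
            'priority'  => $entry['priority'],
            'level'     => $entry['level'],
            'tag'       => $entry['tag'],
            // 'msg' may have been unset above; pass null explicitly instead of
            // reading an undefined index.
            'msg'       => isset($entry['msg']) ? $entry['msg'] : null,
            'timestamp' => $entry['timestamp'],
        ), 'syslog');
    }

    return $entry;
}
?>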