$v) { $syslogprogmsg = $entry['program'] . ': ' . $entry['msg']; if ((isset($v['script'])) && (isset($v['regex'])) && ((preg_match($v['regex'], $syslogprogmsg)))) { shell_exec(escapeshellcmd($v['script']) . ' ' . escapeshellarg($hostname) . ' ' . escapeshellarg($os) . ' ' . escapeshellarg($syslogprogmsg) . ' >/dev/null 2>&1 &'); } } } if (in_array($os, ['ios', 'iosxe', 'catos'])) { // multipart message if (strpos($entry['msg'], ':') !== false) { $matches = []; $timestamp_prefix = '([\*\.]?[A-Z][a-z]{2} \d\d? \d\d:\d\d:\d\d(.\d\d\d)?( [A-Z]{3})?: )?'; $program_match = '(?%?[A-Za-z\d\-_]+(:[A-Z]* %[A-Z\d\-_]+)?)'; $message_match = '(?.*)'; if (preg_match('/^' . $timestamp_prefix . $program_match . ': ?' . $message_match . '/', $entry['msg'], $matches)) { $entry['program'] = $matches['program']; $entry['msg'] = $matches['msg']; } unset($matches); } else { // if this looks like a program (no groups of 2 or more lowercase letters), move it to program if (! preg_match('/[(a-z)]{2,}/', $entry['msg'])) { $entry['program'] = $entry['msg']; unset($entry['msg']); } } } elseif ($os == 'linux' and get_cache($entry['host'], 'version') == 'Point') { // Cisco WAP200 and similar $matches = []; if (preg_match('#Log: \[(?P.*)\] - (?P.*)#', $entry['msg'], $matches)) { $entry['msg'] = $matches['msg']; $entry['program'] = $matches['program']; } unset($matches); } elseif ($os == 'linux') { $matches = []; // pam_krb5(sshd:auth): authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost= // pam_krb5[sshd:auth]: authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost= if (empty($entry['program']) and preg_match('#^(?P([^(:]+\([^)]+\)|[^\[:]+\[[^\]]+\])) ?: ?(?P.*)$#', $entry['msg'], $matches)) { $entry['msg'] = $matches['msg']; $entry['program'] = $matches['program']; } elseif (empty($entry['program']) and ! empty($entry['facility'])) { // SYSLOG CONNECTION BROKEN; FD='6', SERVER='AF_INET(', time_reopen='60' // pam_krb5: authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost= // Disabled because broke this: // diskio.c: don't know how to handle 10 request // elseif($pos = strpos($entry['msg'], ';') or $pos = strpos($entry['msg'], ':')) { // $entry['program'] = substr($entry['msg'], 0, $pos); // $entry['msg'] = substr($entry['msg'], $pos+1); // } // fallback, better than nothing... $entry['program'] = $entry['facility']; } unset($matches); } elseif ($os == 'procurve') { $matches = []; if (preg_match('/^(?P[A-Za-z]+): {2}(?P.*)/', $entry['msg'], $matches)) { $entry['msg'] = $matches['msg'] . ' [' . $entry['program'] . ']'; $entry['program'] = $matches['program']; } unset($matches); } elseif ($os == 'zywall') { // Zwwall sends messages without all the fields, so the offset is wrong $msg = preg_replace('/" /', '";', stripslashes($entry['program'] . ':' . $entry['msg'])); $msg = str_getcsv($msg, ';'); $entry['program'] = null; foreach ($msg as $param) { [$var, $val] = explode('=', $param); if ($var == 'cat') { $entry['program'] = str_replace('"', '', $val); } } $entry['msg'] = join(' ', $msg); }//end if if (! isset($entry['program'])) { $entry['program'] = $entry['msg']; unset($entry['msg']); } $entry['program'] = strtoupper($entry['program']); $entry = array_map('trim', $entry); if ($update) { dbInsert( [ 'device_id' => $entry['device_id'], 'program' => $entry['program'], 'facility' => $entry['facility'], 'priority' => $entry['priority'], 'level' => $entry['level'], 'tag' => $entry['tag'], 'msg' => $entry['msg'], 'timestamp' => $entry['timestamp'], ], 'syslog' ); } unset($os); }//end if return $entry; }//end process_syslog()