< ? php
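/**
 * Cached per-host lookup of one device attribute: 'device_id', 'os' or 'version'.
 *
 * $host is the HOSTNAME field of an incoming syslog entry, i.e. it is chosen by
 * whatever sends the datagram, and it used to be concatenated straight into SQL
 * (an injection point reachable from the network). The db layer's parameter
 * support is not visible in this file (if dbFetchCell() accepts a parameter
 * array with '?' placeholders, as the project's db helpers usually do, switch
 * to that — TODO confirm), so the value is instead restricted to the character
 * set a hostname or IP literal can contain before it is used in a query.
 * NOTE(review): sysName values containing other characters (spaces, quotes)
 * will no longer resolve through this path — confirm that is acceptable.
 *
 * The IPv4 fallback previously referenced $entry['host'], which is not in
 * scope in this function, so that query always compared against an empty
 * string and never matched; it now uses $host.
 *
 * @param string $host  hostname / sysName / IPv4 address as seen in the syslog entry
 * @param string $value one of 'device_id', 'os', 'version'
 * @return mixed        the cached attribute, or null when unknown or unresolvable
 */
function get_cache($host, $value)
{
    global $dev_cache;

    // Whitelist: letters, digits, '.', '-', '_' and ':' (IPv6) only. Anything
    // else cannot be a legitimate host and must never reach the SQL below.
    if (!is_string($host) || !preg_match('/^[A-Za-z0-9._:-]{1,255}\z/', $host)) {
        return null;
    }

    if (isset($dev_cache[$host][$value])) {
        return $dev_cache[$host][$value];
    }

    switch ($value) {
        case 'device_id':
            // 1. by hostname or SNMP sysName
            $device_id = dbFetchCell("SELECT `device_id` FROM devices WHERE `hostname`='" . $host . "' OR `sysName`='" . $host . "'");
            // 2. fall back to the address table (same "no row" semantics as the old == null test)
            if (empty($device_id)) {
                $device_id = dbFetchCell("SELECT device_id FROM ipv4_addresses AS A, ports AS I WHERE A.ipv4_address = '" . $host . "' AND I.interface_id = A.interface_id");
            }
            $dev_cache[$host]['device_id'] = $device_id;
            break;

        case 'os':
        case 'version':
            $device_id = get_cache($host, 'device_id');
            if (empty($device_id)) {
                // unknown device: the old code issued "WHERE device_id=" with nothing after it
                return null;
            }
            // $value is one of the two literal column names above; device_id comes from our own
            // database but is cast anyway so only an integer is ever interpolated.
            $dev_cache[$host][$value] = dbFetchCell('SELECT `' . $value . '` FROM devices WHERE `device_id`=' . (int) $device_id);
            break;

        default:
            return null;
    }

    return $dev_cache[$host][$value];
}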
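/**
 * Normalise one parsed syslog entry and optionally store it.
 *
 * Keys read from $entry: 'host', 'msg' and, where present, 'facility',
 * 'priority', 'level', 'tag', 'timestamp'. Every value comes from the network
 * (the syslog sender picks them), so none is trusted: 'host' is only used via
 * get_cache(), and the row handed to dbInsert() is an array — whether
 * dbInsert() parameterises it is not visible in this file (TODO confirm in the
 * db layer).
 *
 * Steps:
 *   1. drop the entry when 'msg' contains any substring in $config['syslog_filter']
 *      (it is returned unchanged; the print_r/echo are pre-existing debug output);
 *   2. resolve the device; entries for unknown hosts are returned but never stored;
 *   3. split 'msg' into 'program' + 'msg' with OS-specific heuristics;
 *   4. upper-case 'program', trim all string fields, insert when $update is truthy.
 *
 * Fixes relative to the previous version: the Dovecot pattern lacked its closing
 * '#' delimiter and the OpenVPN pattern had an unterminated character class
 * ("[A-Za-z)"), so both preg_match() calls failed with a warning and never
 * matched; array_walk($entry, 'trim') was a no-op (trim() does not take its
 * argument by reference, and array_walk passed the key as trim()'s character
 * list); an empty filter string matches every message on PHP 8 (strpos returns
 * 0) and is now skipped; missing optional fields no longer raise notices.
 *
 * @param array $entry  parsed syslog fields
 * @param bool  $update insert the row into the 'syslog' table when true
 * @return array the (possibly rewritten) entry
 */
function process_syslog($entry, $update)
{
    global $config;
    global $dev_cache;

    $msg = isset($entry['msg']) ? $entry['msg'] : '';

    // 1. configurable drop-list: plain substring match against the raw message
    $filters = isset($config['syslog_filter']) ? (array) $config['syslog_filter'] : array();
    foreach ($filters as $bi) {
        if ($bi !== '' && strpos($msg, $bi) !== false) {
            print_r($entry);
            echo('D-' . $bi);
            return $entry;
        }
    }

    // 2. device resolution (get_cache() validates $host before any SQL)
    $host = isset($entry['host']) ? $entry['host'] : '';
    $entry['device_id'] = get_cache($host, 'device_id');

    if ($entry['device_id']) {
        $os = get_cache($host, 'os');
        $facility = isset($entry['facility']) ? $entry['facility'] : '';

        // 3. program/message split
        if (in_array($os, array('ios', 'iosxe', 'catos'), true)) {
            // Cisco IOS family: "%FACILITY-SEV-MNEMONIC: text"
            $matches = array();
            if (preg_match('#%(?P<program>.*):( ?)(?P<msg>.*)#', $msg, $matches)) {
                $entry['msg'] = $matches['msg'];
                $entry['program'] = $matches['program'];
            }
            unset($matches);
        } elseif ($os === 'linux' && get_cache($host, 'version') === 'Point') {
            // Cisco WAP200 and similar: "Log: [program] - text"
            $matches = array();
            if (preg_match('#Log: \[(?P<program>.*)\] - (?P<msg>.*)#', $msg, $matches)) {
                $entry['msg'] = $matches['msg'];
                $entry['program'] = $matches['program'];
            }
            unset($matches);
        } elseif ($os === 'linux') {
            $matches = array();
            // User_CommonName/123.213.132.231:39872 VERIFY OK: depth=1, /C=PL/ST=Malopolska/O=VLO/CN=v-lo.krakow.pl/emailAddress=root@v-lo.krakow.pl
            if ($facility === 'daemon' && preg_match('#/([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{4,} ([A-Z]([A-Za-z]+( ?)){2,}:#', $msg)) {
                $entry['program'] = 'OpenVPN';
            }
            // pop3-login: Login: user=<username>, method=PLAIN, rip=123.213.132.231, lip=123.213.132.231, TLS
            // POP3(username): Disconnected: Logged out top=0/0, retr=0/0, del=0/1, size=2802
            elseif ($facility === 'mail' && preg_match('#^(((pop3|imap)\-login)|((POP3|IMAP)\(.*\))):#', $msg)) {
                $entry['program'] = 'Dovecot';
            }
            // pam_krb5(sshd:auth): authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231
            // pam_krb5[sshd:auth]: authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231
            // NOTE(review): the nested ".*" groups backtrack heavily on long non-matching
            // messages; if pcre.backtrack_limit is hit preg_match() returns false, which
            // is simply treated as "no match" here.
            elseif (preg_match('#^(?P<program>(.*((\(|\[).*(\)|\])))):(?P<msg>.*)$#', $msg, $matches)) {
                $entry['msg'] = $matches['msg'];
                $entry['program'] = $matches['program'];
            }
            // SYSLOG CONNECTION BROKEN; FD='6', SERVER='AF_INET(123.213.132.231:514)', time_reopen='60'
            // pam_krb5: authentication failure; logname=root uid=0 euid=0 tty=ssh ruser= rhost=123.213.132.231
            else {
                // first ';' wins, then ':'; a separator at offset 0 is deliberately ignored
                // (kept from the original truthiness test) so the program is never empty
                $pos = strpos($msg, ';');
                if (!$pos) {
                    $pos = strpos($msg, ':');
                }
                if ($pos) {
                    $entry['program'] = substr($msg, 0, $pos);
                    $entry['msg'] = substr($msg, $pos + 1);
                }
                // fallback, better than nothing...
                elseif (empty($entry['program']) && !empty($entry['facility'])) {
                    $entry['program'] = $entry['facility'];
                }
            }
            unset($matches);
        }

        // no heuristic produced a program name: the whole message becomes the program
        if (!isset($entry['program'])) {
            $entry['program'] = isset($entry['msg']) ? $entry['msg'] : '';
            unset($entry['msg']);
        }

        // 4. normalise and store
        $entry['program'] = strtoupper($entry['program']);

        foreach ($entry as $key => $val) {
            if (is_string($val)) {
                $entry[$key] = trim($val);
            }
        }

        if ($update) {
            $row = array();
            foreach (array('device_id', 'program', 'facility', 'priority', 'level', 'tag', 'msg', 'timestamp') as $column) {
                $row[$column] = isset($entry[$column]) ? $entry[$column] : null;
            }
            dbInsert($row, 'syslog');
        }
        unset($os);
    }

    return $entry;
}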
?>