Ejemplo n.º 1
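/**
 * Handle one line of squidGuard log output.
 *
 * Start-up noise is dropped, the most recently announced database file is
 * remembered in $GLOBALS[__FILE__]["DBFILE"], and a few known error messages
 * trigger a repair action (placeholder file, recompile, squid reconfigure or
 * an e-mail alert). Anything else is logged as "Not filtered".
 *
 * Every path used here is captured from the log text itself, so it is treated
 * as untrusted input: it is shell-quoted before it reaches shell_exec().
 *
 * @param string $buffer Raw log line.
 * @return null Nothing useful is returned on any path.
 */
function Parseline($buffer)
{
    $buffer = trim($buffer);
    if ($buffer === '') {
        return null;
    }

    // Start-up chatter. The "> 0" test is kept from the original: a marker at
    // offset 0 does not count (presumably every line carries a prefix; confirm).
    foreach (array("init urllist", "init expressionlist", "init domainlist") as $noise) {
        if (strpos($buffer, $noise) > 0) {
            return null;
        }
    }

    if (preg_match('#INFO: loading dbfile (.+)#', $buffer, $re)) {
        events("LOADING {$re[1]}");
        // Remembered so that a later db_open failure can be tied to this file.
        $GLOBALS[__FILE__]["DBFILE"] = trim($re[1]);
        return null;
    }

    if (preg_match("#FATAL: Error db_open: Unknown error#", $buffer)) {
        // No "loading dbfile" line may have been seen yet; fall back to an empty name.
        $dbfile = isset($GLOBALS[__FILE__]["DBFILE"]) ? $GLOBALS[__FILE__]["DBFILE"] : '';
        events("ERROR ON {$dbfile} : {$buffer}");
        if (basename($dbfile) == "urls.db") {
            events("urls.db -> create " . dirname($dbfile) . "/urls it and recompile it");
            // NOTE(review): the target directory comes from the log line; confirm
            // it can only point inside the squidGuard database tree.
            @file_put_contents(dirname($dbfile) . "/urls", "www." . md5(time()) . ".bv");
        }
        // One stamp file per database; IfFileTime() decides whether to act again.
        $file = "/etc/artica-postfix/croned.1/squidguard." . md5($dbfile) . ".error";
        if (IfFileTime($file)) {
            // The file name was previously interpolated between double quotes, which
            // does not neutralise $(), backticks or an embedded quote. Quote it properly.
            $cmd = LOCATE_PHP5_BIN2()
                . " /usr/share/artica-postfix/exec.squidguard.php --compile-single "
                . escapeshellarg($dbfile) . " &";
            events("{$cmd}");
            shell_exec($cmd);
            WriteFileCache($file);
        }
        return null;
    }

    if (preg_match("#\\]\\s+(.+?):\\s+Cannot allocate memory#", $buffer, $re)) {
        events("ERROR ON {$re[1]} : Cannot allocate memory -> create it");
        // NOTE(review): $re[1] is a path taken verbatim from the log and is
        // overwritten without checking where it points; consider confining it.
        @file_put_contents($re[1], "www." . md5(time()) . ".bv");
        shell_exec("squid -k reconfigure");
        return null;
    }

    if (preg_match("#\\]\\s+(.+?):\\s+No such file or directory#", $buffer, $re)) {
        events("ERROR ON {$re[1]} : No such file or directory -> create it");
        // NOTE(review): same log-derived path concern as the branch above.
        @file_put_contents($re[1], "www.nodomain.bv");
        shell_exec("squid -k reconfigure");
        return null;
    }

    if (strpos($buffer, "ERROR: Going into emergency mode") > 0) {
        events("ERROR: Going into emergency mode");
        send_email_events("squidguard: squidguard turn to emergency mode", "SquidGuard claim\n{$buffer}\nPlease contact your support to fix this problem\ncurrently, no filtering urls will be enabled", "proxy");
        return null;
    }

    events("Not filtered: {$buffer}");
}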
Ejemplo n.º 2
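/**
 * Handle one line of squidGuard log output.
 *
 * Start-up noise is dropped, the last announced database file is remembered
 * in $GLOBALS[__FILE__]["DBFILE"], a db_open failure triggers a recompile of
 * that database, and "emergency mode" sends an e-mail alert. Anything else is
 * logged as "Not filtered".
 *
 * The database path is captured from the log text, so it is shell-quoted
 * before being handed to shell_exec().
 *
 * @param string $buffer Raw log line.
 * @return null Nothing useful is returned on any path.
 */
function Parseline($buffer){
	$buffer = trim($buffer);
	if ($buffer === '') {
		return null;
	}

	// Start-up chatter. "> 0" is kept from the original: a marker at offset 0
	// does not count (presumably lines always carry a prefix; confirm).
	foreach (array("init urllist", "init expressionlist", "init domainlist") as $noise) {
		if (strpos($buffer, $noise) > 0) {
			return null;
		}
	}

	if (preg_match('#INFO: loading dbfile (.+)#', $buffer, $re)) {
		events("LOADING {$re[1]}");
		// Remembered so that a later db_open failure can be tied to this file.
		$GLOBALS[__FILE__]["DBFILE"] = trim($re[1]);
		return null;
	}

	if (preg_match("#FATAL: Error db_open: Unknown error#", $buffer)) {
		// No "loading dbfile" line may have been seen yet; fall back to an empty name.
		$dbfile = isset($GLOBALS[__FILE__]["DBFILE"]) ? $GLOBALS[__FILE__]["DBFILE"] : '';
		events("ERROR ON {$dbfile}");
		// One stamp file per database; IfFileTime() decides whether to act again.
		$file = "/etc/artica-postfix/croned.1/squidguard." . md5($dbfile) . ".error";
		if (IfFileTime($file)) {
			// Double quotes around an interpolated value do not stop $(), backticks
			// or an embedded quote; escapeshellarg() makes it a single literal argument.
			shell_exec(
				LOCATE_PHP5_BIN2()
				. " /usr/share/artica-postfix/exec.squidguard.php --compile-single "
				. escapeshellarg($dbfile) . " &"
			);
			WriteFileCache($file);
		}
		return null;
	}

	if (strpos($buffer, "ERROR: Going into emergency mode") > 0) {
		events("ERROR: Going into emergency mode");
		send_email_events("squidguard: squidguard turn to emergency mode", "SquidGuard claim\n$buffer\nPlease contact your support to fix this problem\ncurrently, no filtering urls will be enabled", "proxy");
		return null;
	}

	events("Not filtered: $buffer");
}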
Ejemplo n.º 3
/**
 * Inspect one nss_wins log line for a "failed to bind ... Invalid credentials" error.
 *
 * On a match the event is logged, an e-mail is sent when IfFileTime() allows it,
 * and the stamp file is rewritten. Any other line goes to events_not_filtered().
 *
 * @param string $buffer Raw log line.
 * @return void
 */
function nss_parser($buffer){
	$bindFailure = '#nss_wins.+?failed to bind to server\s+(.+?)\s+with\s+dn="(.+?)"\s+Error:\s+Invalid credentials#';

	// Not the message we watch for: record it as unfiltered and stop.
	if (!preg_match($bindFailure, $buffer, $hit)) {
		events_not_filtered("nss_wins:: Not Filtered:\"$buffer\"");
		return;
	}

	$stampFile = "/etc/artica-postfix/croned.1/nss_parser.Invalidcredentials.error";
	events("nss_wins:: Invalid credentials");

	if (IfFileTime($stampFile)) {
		$subject = "System error NSS cannot bind to {$hit[1]}: Invalid credentials";
		email_events($subject, "NSS Wins claim \"$buffer\"", 'system');
	}

	// The stamp is refreshed on every match, whether or not a mail went out.
	WriteFileCache($stampFile);
}
Ejemplo n.º 4
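/**
 * Handle one line of ufdbguardd log output.
 *
 * Flow: trim and drop empty lines, de-duplicate on the md5 of the line (the
 * cache is reset once it exceeds 1000 entries), drop known informational
 * lines, then run a chain of handlers that notify, rewrite settings, repair
 * files or restart/reload the service. BLOCK lines are parsed and stored
 * through the influx helper. Anything left over is logged as "Not filtered".
 *
 * Security notes for maintainers:
 *  - Every value captured from the line ($re[...]) is untrusted. The patterns
 *    are unanchored and the log can contain request URLs, so captures that
 *    reach a shell are quoted with escapeshellarg().
 *  - Several handlers create, chown or delete paths named in the log line;
 *    see the NOTE(review) markers below.
 *  - Handler order is preserved. Some later handlers are shadowed by earlier,
 *    broader ones or by the ignore list (e.g. "Changing daemon status",
 *    "configuration file", "{"), which only lets a marker through when it sits
 *    at offset 0 of the line.
 *
 * @param string $buffer Raw log line.
 * @return null Nothing useful is returned on any path.
 */
function Parseline($buffer)
{
    $buffer = trim($buffer);
    if ($buffer == null) {
        return null;
    }

    // De-duplicate identical lines; the cache is dropped once it grows past 1000 entries.
    $mdbuff = md5($buffer);
    if (isset($GLOBALS['MDBUFF'][$mdbuff])) {
        return;
    }
    $GLOBALS['MDBUFF'][$mdbuff] = true;
    if (count($GLOBALS['MDBUFF']) > 1000) {
        $GLOBALS['MDBUFF'] = array();
    }

    // Informational lines that need no action. The "> 0" comparison is kept
    // from the original: a marker at offset 0 is NOT ignored.
    $ignored = array(
        "] PASS ",
        "UFDBinitHTTPSchecker",
        "IP socket port",
        "listening on interface",
        "yielding",
        "system:",
        "URL verification threads and",
        "worker threads",
        "license status",
        "redirect-fatal-error",
        "using OpenSSL library",
        "CA certificates are",
        "Failure to load the CA database",
        "CA file is",
        "ufdbHandleAlarmForTimeEvents",
        "Changing daemon status",
        "UFDBchangeStatus",
        "url-lookup-delay-during-database-reload",
        "url-lookup-result-during-database-reload",
        "url-lookup-result-when-fatal-error",
        "no http-server",
        "upload-stats",
        "analyse-uncategorised-urls",
        "redirect-loading-database",
        "ufdb-expression-debug",
        "ufdb-debug-filter",
        "database status: up to date",
        "ufdbGenTable should be called with the",
        "is deprecated and ignored",
        "init domainlist",
        "is empty !",
        "init expressionlist",
        "is optimised to one expression",
        "be analysed since there is no proper database",
        "REDIRECT 302",
        "close fd",
        ": open fd ",
        "acl {",
        "URL verifications",
        "must be part of the security",
        "}",
        "finished retrieving",
        "loading URL table from",
        "]    option",
        "{",
        "] category \"",
        "]    domainlist     \"",
        "]       pass ",
        "] safe-search",
        "configuration file",
        "refreshdomainlist",
        "software suite is free and Open Source Software",
        "by URLfilterDB",
        "] configuration status",
        'expressionlist "',
        'is newer than',
        'source "',
        'youtube-edufilter-id',
        'max-logfile-size',
        'check-proxy-tunnels',
        'seconds to allow worker',
        '] loading URL category',
        'execdomainlist for',
        'dynamic_domainlist_updater_main',
    );
    foreach ($ignored as $marker) {
        if (strpos($buffer, $marker) > 0) {
            return;
        }
    }
    if (preg_match("#\\] REDIR\\s+#", $buffer)) {
        return;
    }

    // Connection queue exhausted: raise the thread count by 5 (capped at 128)
    // and restart, at most once per IfFileTime() window.
    if (preg_match("#FATAL ERROR: connection queue is full#", $buffer)) {
        $TimeFile = "/etc/artica-postfix/pids/webfiltering-connection.queue.full";
        if (!IfFileTime($TimeFile, 5)) {
            return;
        }
        $Threads = intval(@file_get_contents("/etc/artica-postfix/settings/Daemons/UfdbGuardThreads"));
        $ThreadNew = $Threads + 5;
        if ($ThreadNew > 128) {
            $ThreadNew = 128;
        }
        squid_admin_mysql(0, "Webfiltering Service connection queue is full increase Threads from {$Threads} to {$ThreadNew} [action=restart]", $buffer, __FILE__, __LINE__);
        @file_put_contents("/etc/artica-postfix/settings/Daemons/UfdbGuardThreads", $ThreadNew);
        shell_exec("{$GLOBALS["nohup"]} /etc/init.d/ufdb restart --force >/dev/null 2>&1 &");
        return;
    }

    // The leading space makes stripos() return > 0 even for a match at the very start.
    if (stripos(" {$buffer}", "HUP signal received to reload the configuration") > 0) {
        squid_admin_mysql(1, "Webfiltering Service was reloaded - reloading databases [action=notify]", $buffer, __FILE__, __LINE__);
        events_ufdb_exec("Webfiltering Service was reloaded, wait 15 seconds");
        return;
    }
    if (stripos(" {$buffer}", "ufdbGuard daemon stopped") > 0) {
        squid_admin_mysql(1, "Webfiltering Service was stopped [action=notify]", $buffer, __FILE__, __LINE__);
        events_ufdb_exec("Webfiltering Service was stopped, wait 15 seconds");
        return;
    }
    if (stripos(" {$buffer}", 'Changing daemon status to "started"') > 0) {
        squid_admin_mysql(1, "Webfiltering Service was started [action=notify]", $buffer, __FILE__, __LINE__);
        events_ufdb_exec("Webfiltering Service was started, wait 15 seconds");
        return;
    }

    if (preg_match("#thread socket-handler caught signal 11#", $buffer, $re)) {
        $TimeFile = "/etc/artica-postfix/pids/webfiltering-emergency";
        if (!IfFileTime($TimeFile, 5)) {
            return;
        }
        squid_admin_mysql(0, "Webfiltering crash [action=Webfiltering Emergency]", $buffer, __FILE__, __LINE__);
        shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.squid.urgency.remove.php --ufdb-on >/dev/null 2>&1 &");
        return;
    }
    if (preg_match("#Changing daemon status to \"error\"#", $buffer, $re)) {
        $TimeFile = "/etc/artica-postfix/pids/webfiltering-emergency";
        if (!IfFileTime($TimeFile, 5)) {
            return;
        }
        squid_admin_mysql(0, "Webfiltering service error [action=Webfiltering Emergency]", $buffer, __FILE__, __LINE__);
        shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.ufdb.emergency.php --ufdb-on >/dev/null 2>&1 &");
        return;
    }
    if (preg_match("#FATAL ERROR: cannot open configuration file\\s+\\/etc\\/squid3\\/ufdbGuard\\.conf#i", $buffer, $re)) {
        squid_admin_mysql(0, "Webfiltering error, Open Configuration File failed [action=restart service]", $buffer, __FILE__, __LINE__);
        shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.ufdb.php --restart --force --ufdbtail --fatal-error >/dev/null 2>&1 &");
        return;
    }
    if (preg_match("#FATAL.*?read failed on \"(.+?)\".*?Bad address#i", $buffer, $re)) {
        squid_admin_mysql(0, "Webfiltering service error on database: {$re[1]}  [action=Webfiltering Emergency]", $buffer, __FILE__, __LINE__);
        shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.ufdb.emergency.php --ufdb-on >/dev/null 2>&1 &");
        return;
    }
    if (preg_match("#FATAL ERROR: cannot read from.*?No such file or directory#", $buffer, $re)) {
        squid_admin_mysql(0, "Webfiltering error: a database is missing [action=reconfigure]", $buffer, __FILE__, __LINE__);
        shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.squidguard.php --build --force >/dev/null 2>&1 &");
        return;
    }
    if (preg_match("#There are no sources and there is no default ACL#i", $buffer)) {
        events("Seems not to be defined -> build compilation.");
        xsyslog("{reconfigure} ufdb service...");
        shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.squidguard.php --build --force >/dev/null 2>&1 &");
        return;
    }
    if (preg_match("#ERROR: cannot write to PID file\\s+(.+)#i", $buffer, $re)) {
        xsyslog("Apply permissions on {$re[1]}");
        // NOTE(review): the directory that gets created and handed to "squid" is
        // named by the log line; consider checking it against the expected PID directory.
        $pidfile = $re[1];
        $pidpath = dirname($pidfile);
        @mkdir($pidpath, 0755, true);
        @chown($pidpath, "squid");
        @chmod($pidpath, 0755);
        return;
    }
    if (preg_match("#\\] Changing daemon status to.*?error#", $buffer, $re)) {
        squid_admin_mysql(0, "Fatal! Webfilter daemon is turned to error", $buffer, __FILE__, __LINE__);
        return;
    }
    if (preg_match("#\\] Changing daemon status to.*?terminated#", $buffer, $re)) {
        squid_admin_mysql(1, "Webfilter daemon is turned to OFF", $buffer, __FILE__, __LINE__);
        return;
    }
    if (preg_match("#can't execute command of execdomainlist.*?popen failed: Cannot allocate memory#", $buffer, $re)) {
        @file_put_contents("/etc/artica-postfix/settings/Daemons/UfdbExecDomainList", 0);
        squid_admin_mysql(0, "Not Enough memory to use execdomainlist feature [action=reconfigure]", "{$buffer}\nexecdomainlist feature will be disabled..", __FILE__, __LINE__);
        shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.squidguard.php --build --force >/dev/null 2>&1 &");
        return;
    }

    // Corrupted table: the directory holding it is removed and the databases rebuilt.
    if (preg_match('#FATAL ERROR: table "(.+?)"\\s+could not be parsed.*?error code = [0-9]+#', $buffer, $re)) {
        $direname = dirname($re[1]);
        squid_admin_mysql(0, "Database {$direname} corrupted", $buffer . "\nReconfigure ufdb service after removing {$direname}...", __FILE__, __LINE__);
        events("Webfiltering engine error on {$direname}");
        if (!is_dir($direname)) {
            return;
        }
        // Never hand a degenerate directory name ("/", "." or empty) to a recursive delete.
        if (in_array($direname, array('/', '.', ''), true)) {
            events("Refusing to remove '{$direname}'");
            return;
        }
        // NOTE(review): this is a recursive delete of a log-derived path. Quoting
        // stops shell injection but not a wrong target; confine it to the
        // configured database root before deleting.
        shell_exec("{$GLOBALS["SBIN_RM"]} -rf " . escapeshellarg($direname) . " >/dev/null 2>&1");
        xsyslog("{reconfigure} ufdb service after removing {$direname}...");
        shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.squidguard.php --build --force >/dev/null 2>&1 &");
        return;
    }
    if (preg_match("#BLOCK-FATAL\\s+#", $buffer, $re)) {
        $TimeFile = "/etc/artica-postfix/pids/UFDB_BLOCK_FATAL";
        if (!IfFileTime($TimeFile, 10)) {
            return;
        }
        events("Webfiltering engine error, reload service");
        events_ufdb_exec("service was restarted, {$buffer}");
        squid_admin_mysql(0, "Fatal, Web filtering engine error", $buffer . "\nThe service will be reloaded", __FILE__, __LINE__);
        xsyslog("Reloading ufdb service...");
        shell_exec("{$GLOBALS["nohup"]} /etc/init.d/ufdb reload >/dev/null 2>&1 &");
        return;
    }
    // NOTE(review): unreachable. The same pattern is handled near the top of the
    // chain and that handler always returns. Kept verbatim pending a decision
    // on which of the two policies (+5/cap 128 or +1/cap 140) is wanted.
    if (preg_match("#FATAL ERROR: connection queue is full#", $buffer, $re)) {
        $TimeFile = "/etc/artica-postfix/pids/UFDB_QUEUE_IS_FULL";
        $Threads = @file_get_contents("/etc/artica-postfix/settings/Daemons/UfdbGuardThreads");
        if (!is_numeric($Threads)) {
            $Threads = 48;
        }
        $Threads = $Threads + 1;
        if ($Threads > 140) {
            $Threads = 140;
        }
        @file_put_contents("/etc/artica-postfix/settings/Daemons/UfdbGuardThreads", $Threads);
        if (!IfFileTime($TimeFile, 2)) {
            return;
        }
        squid_admin_mysql(0, "Fatal, Web filtering connection queue is full", $buffer . "\nThe service will be restarted and threads are increased to {$Threads}", __FILE__, __LINE__);
        xsyslog("Restarting ufdb service after connection queue is full...");
        shell_exec("{$GLOBALS["nohup"]} /etc/init.d/ufdb restart >/dev/null 2>&1 &");
        return;
    }
    if (preg_match('#FATAL\\*\\s+table\\s+"(.+?)"\\s+could not be parsed.+?14#', $buffer, $re)) {
        events("Table on {$re[1]} crashed");
        squid_admin_mysql(0, "Database {$re[1]} corrupted", $buffer, __FILE__, __LINE__);
        ufdbguard_admin_events("Table on {$re[1]} crashed\n{$buffer}", __FUNCTION__, __FILE__, __LINE__, "ufdbguard-service");
        events_ufdb_exec("{$buffer}");
        $GLOBALS["CLASS_UNIX"]->send_email_events("ufdbguard: {$re[1]} could not be parsed", "Ufdbguard claim: {$buffer}\n\n\t\tYou need to compile this database", "proxy");
        return;
    }
    if (preg_match("#FATAL ERROR: cannot bind daemon socket: Address already in use#", $buffer)) {
        events_ufdb_exec("ERROR DETECTED : {$buffer} `cannot bind daemon socket`");
        squid_admin_mysql(1, "Fatal ERROR: cannot bind daemon socket: Address already in use [action=restart]", $buffer, __FILE__, __LINE__);
        ufdbguard_admin_events("Fatal ERROR: cannot bind daemon socket: Address already in use", __FUNCTION__, __FILE__, __LINE__, "ufdbguard-service");
        xsyslog("Restarting ufdb service...");
        shell_exec("{$GLOBALS["nohup"]} /etc/init.d/ufdb restart >/dev/null 2>&1 &");
        return;
    }
    if (preg_match('#\\] FATAL ERROR: cannot read from "(.+?)".*?No such file or directory#', $buffer, $re)) {
        squid_admin_mysql(0, "Database {$re[1]} missing", $buffer, __FILE__, __LINE__);
        events("cannot read '{$re[1]}' -> \"{$buffer}\"");
        squid_admin_mysql(2, "Web filtering issue on {$re[1]}", "Launch recover_a_database()", __FILE__, __LINE__);
        recover_a_database($re[1]);
        return;
    }
    if (preg_match('#\\*FATAL.+? cannot read from "(.+?)".+?: No such file or directory#', $buffer, $re)) {
        squid_admin_mysql(0, "Database {$re[1]} missing", $buffer, __FILE__, __LINE__);
        events("cannot read '{$re[1]}' -> \"{$buffer}\"");
        squid_admin_mysql(2, "Web filtering issue on {$re[1]}", "Launch recover_a_database()", __FILE__, __LINE__);
        recover_a_database($re[1]);
        return;
    }
    if (preg_match('#\\*FATAL\\*\\s+cannot read from\\s+"(.+?)"#', $buffer, $re)) {
        squid_admin_mysql(0, "Database {$re[1]} missing", $buffer, __FILE__, __LINE__);
        events("Problem on {$re[1]}");
        events_ufdb_exec("{$buffer}");
        squid_admin_mysql(2, "Web filtering issue on {$re[1]}", "Launch recover_a_database()", __FILE__, __LINE__);
        recover_a_database($re[1]);
        $GLOBALS["CLASS_UNIX"]->send_email_events("ufdbguard: {$re[1]} Not compiled..", "Ufdbguard claim: {$buffer}\nYou need to compile your databases");
        return;
    }
    if (preg_match("#\\*FATAL\\*\\s+cannot read from\\s+\"(.+?)\\.ufdb\".+?No such file or directory#", $buffer, $re)) {
        squid_admin_mysql(0, "Database {$re[1]} missing", $buffer . "\n Problem on {$re[1]}\n\nYou need to compile your databases", __FILE__, __LINE__);
        events("UFDB database missing : Problem on {$re[1]}");
        if (!is_file($re[1])) {
            // Mode was the decimal literal 666 (octal 01232); 0755 matches the
            // other mkdir() calls in this function.
            @mkdir(dirname($re[1]), 0755, true);
            // touch() replaces a shell call that interpolated the log-derived path unquoted.
            @touch($re[1]);
        }
        $GLOBALS["CLASS_UNIX"]->send_email_events("ufdbguard: {$re[1]} Not compiled..", "Ufdbguard claim: {$buffer}\nYou need to compile your databases", "ufdbguard-service");
        return;
    }
    // NOTE(review): "[0-1]+" only matches ids/signals written with the digits 0
    // and 1 (worker-10 / signal 11 match, worker-2 does not); "[0-9]+" may have
    // been intended. Left unchanged because it decides when the service is started.
    if (preg_match("#thread worker-[0-1]+.+?caught signal\\s+[0-1]+#", $buffer, $re)) {
        squid_admin_mysql(0, "Webfiltering Daemon as crashed - Start a new one", $buffer, __FILE__, __LINE__);
        $GLOBALS["CLASS_UNIX"]->send_email_events("ufdbguard: crashed", "Ufdbguard claim: {$buffer}\n", "proxy");
        shell_exec("/etc/init.d/ufdb start &");
        // Handled: stop here like every other handler instead of falling through
        // to the remaining patterns and the "Not filtered" log.
        return;
    }
    if (preg_match("#\\*FATAL\\*\\s+expression list\\s+(.+?): Permission denied#", $buffer, $re)) {
        squid_admin_mysql(0, "Database {$re[1]} permission denied", $buffer . "\nProblem on '{$re[1]}' -> chown squid:squid", __FILE__, __LINE__);
        events("UFDB expression permission issue : Problem on '{$re[1]}' -> chown squid:squid");
        // NOTE(review): recursive chown of a log-derived directory; quoting stops
        // shell injection, but the target should also be confined to the database root.
        shell_exec("{$GLOBALS["chown"]} -R squid:squid " . escapeshellarg(dirname($re[1])));
        return;
    }
    if (preg_match("#\\*FATAL.+?expression list\\s+(.+?):\\s+No such file or directory#", $buffer, $re)) {
        squid_admin_mysql(0, "Database {$re[1]} missing", $buffer . "\nProblem on '{$re[1]}' -> Try to repair", __FILE__, __LINE__);
        events("Expression list: Problem on {$re[1]} -> \"{$buffer}\"");
        events("Creating directory " . dirname($re[1]));
        // NOTE(review): directory and file are created at a log-derived path.
        @mkdir(dirname($re[1]), 0755, true);
        events("Creating empty file '" . $re[1] . "'");
        @file_put_contents($re[1], "\n");
        events("ufdbguard tail: Service will be reloaded");
        $GLOBALS["CLASS_UNIX"]->send_email_events(basename(__FILE__) . ":Service ufdb will be reloaded ", "Cause:{$buffer}", "ufdbguard-service");
        squid_admin_mysql(2, "Ask to reload the Web filtering service", "Cause:{$buffer}");
        ufdbguard_admin_events("ufdbguard tail: Service will be reloaded", __FUNCTION__, __FILE__, __LINE__, "watchdog");
        shell_exec("{$GLOBALS["RELOADCMD"]} --function==" . __FUNCTION__ . " --line=" . __LINE__ . " " . "--filename=" . basename(__FILE__) . " >/dev/null 2>&1 &");
        return;
    }
    if (preg_match("#database table \\/var\\/lib\\/squidguard\\/(.+?)\\/domains\\s+is empty#", $buffer, $re)) {
        // Recognised, but no notification is sent for empty tables.
        return;
    }
    if (preg_match("#the new configuration and database are loaded for ufdbguardd ([0-9\\.]+)#", $buffer, $re)) {
        squid_admin_mysql(2, "Web Filtering engine service v{$re[1]} has reloaded new configuration and databases", "");
        $GLOBALS["CLASS_UNIX"]->send_email_events("UfdbGuard v{$re[1]} has reloaded new configuration and databases", null, "ufdbguard-service");
        return;
    }
    if (preg_match("#statistics:(.+)#", $buffer, $re)) {
        // Recognised, but statistics lines are not recorded.
        return;
    }

    // BLOCK line carrying a full URL and a trailing myip= field.
    if (preg_match("#BLOCK (.*?)\\s+(.+?)\\s+(.+?)\\s+(.+?)\\s+(|http|https|ftp|ftps)://(.+?)myip=(.+)\$#", $buffer, $re)) {
        $user = trim($re[1]);
        $local_ip = $re[2];
        $rulename = $re[3];
        $category = $re[4];
        $www = $re[6];
        $public_ip = $re[7];
        // Keep only the host part of the URL.
        if (strpos($www, "/") > 0) {
            $tb = explode("/", $www);
            $www = $tb[0];
        }
        if (preg_match("#^www\\.(.+)#", $www, $m)) {
            $www = $m[1];
        }
        // "<number>.addr" hosts: convert the captured number. The original called
        // preg_match() without a match array here and read a stale capture.
        if (preg_match("#([0-9]+)\\.addr#", $www, $addr)) {
            $www = long2ip((int) $addr[1]);
        }
        if (preg_match("#^([0-9\\.]+)#", $local_ip, $m)) {
            $local_ip = $m[1];
        }
        $category = CategoryCodeToCatName($category);
        if ($user == "-") {
            $user = null;
        }
        // Result unused; the call is kept in case IpToMac() has side effects (confirm).
        $MAC = $GLOBALS["CLASS_UNIX"]->IpToMac($local_ip);
        $time = time();
        if (preg_match("#^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+\$#", $www)) {
            $public_ip = $www;
            $www = $GLOBALS["CLASS_UNIX"]->IpToHostname($www);
        }
        $Clienthostname = $GLOBALS["CLASS_UNIX"]->IpToHostname($local_ip);
        if ($Clienthostname == null) {
            $Clienthostname = $local_ip;
        }
        paranoidmode($local_ip, $www);
        $q = new influx();
        if ($GLOBALS["UfdbguardSMTPNotifs"]["BLOCK_NOTIFS"] == 1) {
            events("Write notif");
            $line_notif = date("H:i:s") . " [{$www}]: blocked domain: User: {$user}/{$local_ip}/{$Clienthostname}, Category: {$category}, Rule: {$rulename}";
            $q->insert_ufdb_notif($line_notif);
        }
        if ($GLOBALS["SQUID_PERFORMANCE"] > 2) {
            return;
        }
        // NOTE(review): fields are joined with ":::" and come from the log line;
        // a field containing ":::" would shift the columns read by the consumer.
        $line = "{$time}:::{$user}:::{$category}:::{$rulename}:::{$public_ip}:::blocked domain:::blocked domain:::{$Clienthostname}:::{$www}:::{$local_ip}";
        $q->insert_ufdb($line);
        return;
    }

    // BLOCK line in the shorter form: the URL is parsed with parse_url().
    if (preg_match("#BLOCK\\s+(.*?)\\s+(.+?)\\s+(.*?)\\s+(.+?)\\s+(.+?)\\s+[A-Z]+#", $buffer, $re)) {
        $user = trim($re[1]);
        $local_ip = $re[2];
        $rulename = $re[3];
        $category = $re[4];
        $uri = $re[5];
        if (preg_match("#^([0-9\\.]+)#", $local_ip, $m)) {
            $local_ip = $m[1];
        }
        $time = time();
        $array = parse_url($uri);
        // parse_url() can return false or omit "host"; keep the value null in
        // that case instead of indexing a non-array.
        $www = isset($array["host"]) ? $array["host"] : null;
        if (strpos($www, ":") > 0) {
            $t = explode(":", $www);
            $www = $t[0];
        }
        // Same stale-capture fix as in the first BLOCK handler.
        if (preg_match("#([0-9]+)\\.addr#", $www, $addr)) {
            $www = long2ip((int) $addr[1]);
        }
        $category = CategoryCodeToCatName($category);
        // Result unused; the call is kept in case IpToMac() has side effects (confirm).
        $MAC = $GLOBALS["CLASS_UNIX"]->IpToMac($local_ip);
        if (preg_match("#^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+\$#", $www)) {
            $public_ip = $www;
            $www = $GLOBALS["CLASS_UNIX"]->IpToHostname($www);
        } else {
            $public_ip = HostnameToIp($www);
        }
        if (preg_match("#^www\\.(.+)#", $www, $m)) {
            $www = $m[1];
        }
        $Clienthostname = $GLOBALS["CLASS_UNIX"]->IpToHostname($local_ip);
        if ($Clienthostname == null) {
            $Clienthostname = $local_ip;
        }
        if ($user == "-") {
            $user = null;
        }
        CreateCounter($www, $local_ip, $user, $category);
        paranoidmode($local_ip, $www);
        $q = new influx();
        if ($GLOBALS["UfdbguardSMTPNotifs"]["BLOCK_NOTIFS"] == 1) {
            $line_notif = date("H:i:s") . " [{$www}]: blocked domain: User: {$user}/{$local_ip}/{$Clienthostname}, Category: {$category}, Rule: {$rulename}";
            $q->insert_ufdb_notif($line_notif);
        }
        if ($GLOBALS["SQUID_PERFORMANCE"] > 2) {
            return;
        }
        $q = new influx();
        $line = "{$time}:::{$user}:::{$category}:::{$rulename}:::{$public_ip}:::blocked domain:::blocked domain:::{$Clienthostname}:::{$www}:::{$local_ip}";
        $q->insert_ufdb($line);
        return;
    }

    events("Not filtered: {$buffer}");
}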
Ejemplo n.º 5
/**
 * Disable the Haarp service once $GLOBALS["HAARP_FATAL"] has reached the threshold.
 *
 * Below 5 errors only a notification is sent and false is returned. Between 5
 * and 7 the IfFileTime() check on the stamp file can stop the run early. Past
 * that, EnableHaarp is set to "0", a squid rebuild is launched in the
 * background, the counter is reset and the stamp file is written.
 *
 * @return false|null false while fewer than 5 errors were counted, otherwise null.
 */
function haarp_remove()
{
    // Not enough failures yet: report the current count and leave.
    if ($GLOBALS["HAARP_FATAL"] < 5) {
        $subject = "Haarp Fatal: " . $GLOBALS["HAARP_FATAL"] . "/5 waiting 5 times..";
        squid_admin_mysql(0, $subject, "after 5 times, the service will be disabled\n", __FILE__, __LINE__);
        return false;
    }

    $stampFile = "/etc/artica-postfix/croned.1/haarp.haarp_remove";

    // NOTE(review): other callers of IfFileTime() bail out when it returns false;
    // here the early exit is on true. Confirm this is intended.
    if ($GLOBALS["HAARP_FATAL"] < 8 && IfFileTime($stampFile, 5)) {
        return;
    }

    $subject = "Haarp Fatal: Too many errors on this service, disable it";
    $details = "Too many errors as been detected on StreamCache system.\nArtica will disable this service in order to continue production\n";
    squid_admin_mysql(0, $subject, $details, __FILE__, __LINE__);

    // Switch the feature off, then rebuild the squid configuration in the background.
    $GLOBALS["CLASS_SOCKET"]->SET_INFO("EnableHaarp", "0");
    $rebuild = "{$GLOBALS["nohup"]} {$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.squid.php --build --force >/dev/null 2>&1 &";
    shell_exec($rebuild);

    $GLOBALS["HAARP_FATAL"] = 0;
    WriteFileCache($stampFile);
}
Ejemplo n.º 6
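/**
 * Classifies one syslog line and triggers the matching notification or repair.
 *
 * The line is tested against a fixed sequence of regular expressions. The first
 * rule that matches logs through events(), may mail through email_events(), and
 * may run (shell_exec) or queue (THREAD_COMMAND_SET) a maintenance command. Most
 * rules are throttled by a marker file under /etc/artica-postfix/croned.1/ that
 * is checked with IfFileTime() and refreshed afterwards.
 *
 * Security: $buffer is log text, and several captured fragments are chosen by
 * whoever produced the logged event (a DHCP client names itself, a process
 * chooses its own name, a share path is configuration data). Such fragments are
 * validated or escaped before they reach a shell command, and reduced to
 * file-name-safe characters before they become part of a marker path.
 *
 * @param string $buffer Raw log line.
 * @return bool|null true for the ignored lines and the first Samba/Amavis/audit
 *                   rules, null for every other outcome.
 */
function Parseline($buffer)
{
    $buffer = trim($buffer);
    // Anything outside this set is replaced by "_" before a captured fragment is
    // used in a marker file name, so "/" or ".." cannot leave croned.1.
    $unsafeNameChars = '#[^A-Za-z0-9_.-]+#';
    if (preg_match("#artica-filter#", $buffer)) {
        return true;
    }
    if (preg_match("#postfix\\/#", $buffer)) {
        return true;
    }
    if (preg_match("#CRON\\[#", $buffer)) {
        return true;
    }
    if (preg_match("#: CACHEMGR:#", $buffer)) {
        return true;
    }
    if (preg_match("#exec\\.postfix-logger\\.php:#", $buffer)) {
        return true;
    }
    if (preg_match("#artica-install\\[#", $buffer)) {
        return true;
    }
    if (preg_match("#monitor action done#", $buffer)) {
        return true;
    }
    if (preg_match("#monitor service.+?on user request#", $buffer)) {
        return true;
    }
    if (preg_match("#CRON\\[.+?\\(root\\).+CMD#", $buffer)) {
        return true;
    }
    if (preg_match("#winbindd\\[.+?winbindd_listen_fde_handler#", $buffer)) {
        return true;
    }
    if (preg_match('#smbd\\[.+Ignoring unknown parameter\\s+"hide_unwriteable_files"#', $buffer, $re)) {
        events("SAMBA unknown parameter hide_unwriteable_files");
        $file = "/etc/artica-postfix/croned.1/hide_unwriteable_files";
        if (IfFileTime($file)) {
            email_events("Samba unknown parameter hide_unwriteable_files", "Samba claim \"{$buffer}\" Artica will correct the configuration file", 'system');
            shell_exec(LOCATE_PHP5_BIN2() . " /usr/share/artica-postfix/exec.samba.php --fix-HideUnwriteableFiles &");
            @file_put_contents($file, "#");
        }
        return true;
    }
    if (preg_match('#load_usershare_shares: directory\\s+(.+?)\\s+is not owned by root or does not have the sticky bit#', $buffer, $re)) {
        events("SAMBA load_usershare_shares {$re[1]}");
        $file = "/etc/artica-postfix/croned.1/load_usershare_shares";
        if (IfFileTime($file)) {
            email_events("Samba load_usershare_shares permissions issues", "Samba claim \"{$buffer}\" Artica will correct the filesystem directory", 'system');
            // The directory name is copied from the log line: quote it for the shell
            // and put it after "--" so it can never be read as a chmod option.
            // NOTE(review): the path is still whatever the log line says; consider
            // comparing it with the configured usershare directory before chmod.
            $dir = escapeshellarg($re[1] . "/");
            shell_exec("chmod 1775 -- {$dir} &");
            // Was "chmod chmod +t ...", which chmod rejects as an invalid mode.
            shell_exec("chmod +t -- {$dir} &");
            @file_put_contents($file, "#");
        }
        return true;
    }
    if (preg_match("#amavis\\[.+?:\\s+\\(.+?\\)TROUBLE\\s+in child_init_hook:#", $buffer, $re)) {
        events("AMAVIS TROUBLE in child_init_hook");
        $file = "/etc/artica-postfix/croned.1/amavis." . md5("AMAVIS:TROUBLE in child_init_hook");
        if (IfFileTime($file)) {
            email_events("Amavis child error", "Amavis claim \"{$buffer}\" the amavis daemon will be restarted", 'postfix');
            shell_exec('/etc/init.d/artica-postfix restart amavis &');
            @file_put_contents($file, "#");
        }
        return true;
    }
    if (preg_match("#amavis\\[.+?:\\s+\\(.+?\\)_DIE:\\s+Suicide in child_init_hook#", $buffer, $re)) {
        events("AMAVIS TROUBLE in child_init_hook");
        // Same marker as the TROUBLE rule above, so both share one throttle.
        $file = "/etc/artica-postfix/croned.1/amavis." . md5("AMAVIS:TROUBLE in child_init_hook");
        if (IfFileTime($file)) {
            email_events("Amavis child error", "Amavis claim \"{$buffer}\" the amavis daemon will be restarted", 'postfix');
            shell_exec('/etc/init.d/artica-postfix restart amavis &');
            @file_put_contents($file, "#");
        }
        return true;
    }
    if (preg_match("#smbd_audit:\\s+(.+?)\\|(.+?)\\|(.+?)\\|(.+?)\\|(.+?)\\|(.+?)\\|(.+?)\\|(.+?)\$#", $buffer, $re)) {
        events("{$re[5]}/{$re[8]} in xapian queue");
        WriteXapian("{$re[5]}/{$re[8]}");
        return true;
    }
    if (preg_match("#squid\\[.+?comm_old_accept:\\s+FD\\s+15:.+?Invalid argument#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/comm_old_accept.FD15";
        if (IfFileTime($file)) {
            events("comm_old_accept FD15 SQUID");
            email_events("Squid File System error", "SQUID claim \"{$buffer}\" the squid service will be restarted", 'system');
            THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart squid-cache');
            WriteFileCache($file);
            return;
        } else {
            events("comm_old_accept FD15 SQUID");
            return;
        }
    }
    if (preg_match("#dansguardian.+?:\\s+Error connecting to proxy#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/squid.tostart.error";
        if (IfFileTime($file, 2)) {
            events("Squid not available...! Artica will start squid");
            email_events("Proxy error", "DansGuardian claim \"{$buffer}\", Artica will start squid ", 'system');
            THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart squid-cache');
            THREAD_COMMAND_SET('/etc/init.d/artica-postfix start dansguardian');
            WriteFileCache($file);
            return;
        } else {
            events("Proxy error, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#zarafa-server.+?INNODB engine is disabled#", $buffer)) {
        $file = "/etc/artica-postfix/croned.1/zarafa.INNODB.engine";
        if (IfFileTime($file, 2)) {
            events("Zarafa innodb errr");
            THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart mysql');
            THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart zarafa');
            WriteFileCache($file);
            return;
        } else {
            events("Zarafa innodb err, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#(.+?)\\[.+?segfault at.+?error.+?in.+?\\[#", $buffer, $re)) {
        // $re[1] is free text from the start of the line; sanitize it for the path.
        $token = preg_replace($unsafeNameChars, '_', $re[1]);
        $file = "/etc/artica-postfix/croned.1/segfault.{$token}";
        if (IfFileTime($file, 10)) {
            events("{$re[1]}: segfault");
            email_events("{$re[1]}: segfault", "Kernel claim \"{$buffer}\" ", 'system');
            WriteFileCache($file);
            return;
        }
    }
    if (preg_match("#kernel:.+?Out of memory:\\s+kill\\s+process\\s+#", $buffer, $re)) {
        // NOTE(review): the pattern is not anchored to the kernel log source, so any
        // line carrying this text stops the services and reboots the host. Confirm
        // that only trusted writers can reach the log this parser reads.
        $file = "/etc/artica-postfix/croned.1/kernel.Out.of.memory";
        if (IfFileTime($file, 1)) {
            events("Out of memory -> REBOOT !!!");
            email_events("Out of memory ! server will be rebooted", "Kernel claim \"{$buffer}\" the server will be rebooted", 'system');
            WriteFileCache($file);
            shell_exec("/etc/init.d/artica-postfix stop");
            shell_exec("reboot");
            return;
        }
    }
    if (preg_match("#winbindd\\[.+?failed to bind to server\\s+(.+?)\\s+with dn.+?Error: Can.+?contact LDAP server#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/winbindd.ldap.failed";
        if (IfFileTime($file, 10)) {
            events("winbindd -> LDAP FAIELD");
            email_events("LDAP server is unavailable", "Samba claim \"{$buffer}\" artica will try to restart LDAP server ", 'system');
            WriteFileCache($file);
            THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart ldap');
            return;
        }
    }
    if (preg_match("#winbindd\\[.+?resolve_name: unknown name switch type lmhost#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/winbindd.lmhost.failed";
        if (IfFileTime($file, 10)) {
            events("winbindd -> lmhost failed");
            WriteFileCache($file);
            THREAD_COMMAND_SET("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.samba.php --fix-lmhost");
            return;
        }
    }
    if (preg_match("#nmbd\\[.+?become_logon_server_success: Samba is now a logon server for workgroup (.+?)\\s+on subnet\\s+([A-Z0-9\\._-]+)#", $buffer, $re)) {
        email_events("Samba (file sharing) started domain {$re[1]}/{$re[2]}", "Samba notice: \"{$buffer}\"", 'system');
        return;
    }
    if (preg_match("#zarafa-server.+?Unable to connect to database.+?MySQL server on.+?([0-9\\.]+)#", $buffer)) {
        $file = "/etc/artica-postfix/croned.1/zarafa.MYSQL.CONNECT";
        if (IfFileTime($file, 2)) {
            events("Zarafa Mysql Error errr");
            email_events("MailBox server unable connect to database", "Zarafa server  claim \"{$buffer}\" ", 'mailbox');
            WriteFileCache($file);
            return;
        } else {
            events("MailBox server unable connect to database but take action after 10mn");
            return;
        }
    }
    if (preg_match("#winbindd:\\s+Exceeding\\s+[0-9]+\\s+client\\s+connections.+?no idle connection found#", $buffer)) {
        $file = "/etc/artica-postfix/croned.1/Winbindd.connect.error";
        if (IfFileTime($file, 2)) {
            events("winbindd Error connections");
            email_events("Winbindd exceeding connections", "Samba server  claim \"{$buffer}\" \nArtica will restart samba", 'system');
            shell_exec('/etc/init.d/artica-postfix restart samba &');
            WriteFileCache($file);
            return;
        } else {
            events("Winbindd exceeding connections take action after 10mn");
            return;
        }
    }
    // -------------------------------------------------------------------- MONIT
    // The quoted service name in the monit rules below is log text as well, so it
    // is sanitized before it becomes part of a marker file name.
    if (preg_match("#'(.+?)'\\s+total mem amount of\\s+([0-9]+).+?matches resource limit#", $buffer, $re)) {
        $token = preg_replace($unsafeNameChars, '_', $re[1]);
        $file = "/etc/artica-postfix/croned.1/mem.{$token}.monit";
        if (IfFileTime($file, 15)) {
            events("{$re[1]} limit memory exceed");
            email_events("{$re[1]}: memory limit", "Monitor claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("{$re[1]} limit memory exceed, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#monit\\[.+?'(.+?)'\\s+trying to restart#", $buffer, $re)) {
        $token = preg_replace($unsafeNameChars, '_', $re[1]);
        $file = "/etc/artica-postfix/croned.1/restart.{$token}.monit";
        if (IfFileTime($file, 5)) {
            events("{$re[1]} was restarted");
            email_events("{$re[1]}: stopped, try to restart", "Monitor claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("{$re[1]}: stopped, try to restart, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#monit\\[.+?'(.+?)'\\s+process is not running#", $buffer, $re)) {
        $token = preg_replace($unsafeNameChars, '_', $re[1]);
        $file = "/etc/artica-postfix/croned.1/restart.{$token}.monit";
        if (IfFileTime($file, 5)) {
            events("{$re[1]} was stopped");
            email_events("{$re[1]}: stopped", "Monitor claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("{$re[1]}: stopped, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#pdns\\[.+?:\\s+binding UDP socket to.+?Address already in use#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/restart.pdns.bind.error";
        if (IfFileTime($file, 5)) {
            events("PowerDNS: Unable to bind UDP socket");
            email_events("PowerDNS: Unable to bind UDP socket", "Artica will restart PowerDNS", 'system');
            THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart pdns');
            WriteFileCache($file);
            return;
        } else {
            events("PowerDNS: Unable to bind UDP socket: but take action after 10mn");
            return;
        }
    }
    if (preg_match("#cpu system usage of ([0-9\\.]+)% matches#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/cpu.system.monit";
        if (IfFileTime($file, 15)) {
            events("cpu exceed");
            email_events("cpu warning {$re[1]}%", "Monitor claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("cpu exceed, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#monit.+?'(.+)'\\s+start:#", $buffer, $re)) {
        $token = preg_replace($unsafeNameChars, '_', $re[1]);
        $file = "/etc/artica-postfix/croned.1/monit.start.{$token}";
        if (IfFileTime($file, 5)) {
            events("{$re[1]} start");
            email_events("{$re[1]} starting", "Monitor currently starting service {$re[1]}", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("{$re[1]} start, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#monit\\[.+?:\\s+'(.+?)'\\s+process is running with pid\\s+([0-9]+)#", $buffer, $re)) {
        $token = preg_replace($unsafeNameChars, '_', $re[1]);
        $file = "/etc/artica-postfix/croned.1/monit.run.{$token}";
        if (IfFileTime($file, 5)) {
            events("{$re[1]} running");
            email_events("{$re[1]} now running pid {$re[2]}", "Monitor report {$buffer}", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("{$re[1]} running, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#nmbd.+?:\\s+Cannot sync browser lists#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/samba.CannotSyncBrowserLists.error";
        if (IfFileTime($file)) {
            events("Samba cannot sync browser list, remove /var/lib/samba/wins.dat");
            @unlink("/var/lib/samba/wins.dat");
            WriteFileCache($file);
        } else {
            events("Samba error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#freshclam.+?:\\s+Database updated \\(([0-9]+)\\s+signatures\\) from .+?#", $buffer, $re)) {
        email_events("ClamAV Database Updated {$re[1]} signatures", "{$buffer}", 'update');
        return;
    }
    if (preg_match("#squid.+?:\\s+essential ICAP service is down after an options fetch failure:\\s+icap:\\/\\/:1344\\/av\\/respmod#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/squid.icap1.error";
        if (IfFileTime($file)) {
            email_events("Kaspersky for Squid Down", "{$buffer}", 'system');
            THREAD_COMMAND_SET('/etc/init.d/artica-postfix start kav4proxy');
            THREAD_COMMAND_SET('squid -k reconfigure');
            WriteFileCache($file);
            return;
        } else {
            events("KAV4PROXY error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#KASERROR.+?NOLOGID.+?Can.+?find user mailflt3#", $buffer)) {
        $file = "/etc/artica-postfix/croned.1/KASERROR.NOLOGID.mailflt3";
        if (IfFileTime($file)) {
            THREAD_COMMAND_SET('/usr/share/artica-postfix/bin/artica-install --mailflt3');
            WriteFileCache($file);
            return;
        } else {
            events("KASERROR error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#lmtp.+?status=deferred.+?lmtp\\]:.+?(No such file or directory|Too many levels of symbolic links)#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/cyrus.lmtp.failed";
        if (IfFileTime($file)) {
            email_events("cyrus-imapd socket error", "Postfix claim \"{$buffer}\", Artica will restart cyrus", 'system');
            THREAD_COMMAND_SET('/usr/share/artica-postfix/bin/artica-install --cyrus-checkconfig');
            THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart imap');
            THREAD_COMMAND_SET("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.postfix.main.cf.php --imap-sockets");
            cyrus_socket_error($buffer, $re[1] . "lmtp");
            WriteFileCache($file);
            return;
        } else {
            events("CYRUS error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#dhcpd: DHCPREQUEST for (.+?)\\s+from\\s+(.+?)\\s+\\((.+?)\\)\\s+via#", $buffer, $re)) {
        // The client name in a DHCPREQUEST is supplied by the DHCP client itself and
        // the three fields are pasted into a queued command line, so each one must
        // have the expected shape; a leading "-" is refused so a name cannot be read
        // as an option. Valid lines produce exactly the same command as before.
        $leaseFieldsValid = filter_var($re[1], FILTER_VALIDATE_IP) !== false
            && preg_match('#^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$#D', $re[2]) === 1
            && preg_match('#^[A-Za-z0-9][A-Za-z0-9_.-]{0,254}$#D', $re[3]) === 1;
        if (!$leaseFieldsValid) {
            events("DHCPD: unexpected characters in DHCPREQUEST fields, lease update skipped");
            return;
        }
        events("DHCPD: IP:{$re[1]} MAC:({$re[2]}) computer name={$re[3]}-> exec.dhcpd-leases.php");
        THREAD_COMMAND_SET("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.dhcpd-leases.php --single-computer {$re[1]} {$re[2]} {$re[3]}");
        return;
    }
    if (preg_match("#rsyncd\\[.+?:\\s+recv.+?\\[(.+?)\\].+?([0-9]+)\$#", $buffer, $re)) {
        $file = md5($buffer);
        // The mode argument was null, which PHP coerces to 0 and so asks for a
        // directory without any permission bits; request 0755 explicitly.
        @mkdir('/var/log/artica-postfix/rsync', 0755, true);
        $f = array();
        $f["IP"] = $re[1];
        $f["DATE"] = date('Y-m-d H:00:00');
        $f["SIZE"] = $re[2];
        @file_put_contents("/var/log/artica-postfix/rsync/{$file}", serialize($f));
        // No return here: the line is still tested against the rules below.
    }
    if (preg_match("#kavmilter.+?Can.+?t load keys: No active key#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/kavmilter.key.failed";
        if (IfFileTime($file)) {
            email_events("Kaspersky Antivirus Mail license error", "KavMilter claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("Kaspersky Antivirus Mail license error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#kavmd.+?Can.+?t load keys:.+?#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/kavmd.key.failed";
        if (IfFileTime($file)) {
            email_events("Kaspersky Antivirus Mail license error", "Kaspersky Antivirus Mail claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("Kaspersky Antivirus Mail license error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#kavmd.+?ERROR Engine problem#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/kavmd.engine.failed";
        if (IfFileTime($file)) {
            email_events("Kaspersky Antivirus Mail Engine error", "Kaspersky Antivirus Mail claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("Kaspersky Antivirus Mail Engine error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#kavmilter.+?WARNING.+?Your AV signatures are older than#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/kavmilter.upd.failed";
        if (IfFileTime($file)) {
            email_events("Kaspersky Antivirus Mail AV signatures are older", "KavMilter claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("Kaspersky Antivirus update license error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#dansguardian.+?Error compiling regexp#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/dansguardian.compiling.regexp";
        if (IfFileTime($file)) {
            email_events("Dansguardian failed to start", "Dansguardian claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("Dansguardian failed to start:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#kavmilter.+?Invalid value specified for SendmailPath#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/kavmilter.SendmailPath.Invalid";
        if (IfFileTime($file)) {
            events("Check SendmailPath for kavmilter");
            THREAD_COMMAND_SET("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.kavmilter.php --SendmailPath");
            WriteFileCache($file);
            return;
        } else {
            events("Check SendmailPath for kavmilter:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#KAVMilter Error.+?Group.+?Default.+?has error#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/kavmilter.Default.error";
        if (IfFileTime($file)) {
            events("Check Group default for kavmilter");
            THREAD_COMMAND_SET("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.kavmilter.php --default-group");
            WriteFileCache($file);
            return;
        } else {
            events("Check Group default for kavmilter:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#kavmilter.+?Message INFECTED from (.+?)\\(remote:\\[(.+?)\\).+?with\\s+(.+?)\$#", $buffer, $re)) {
        events("KAVMILTER INFECTION <{$re[1]}> {$re[2]}");
        infected_queue("kavmilter", trim($re[1]), trim($re[2]), trim($re[3]));
        return;
    }
    if (preg_match("#pdns\\[.+?\\[LdapBackend.+?Ldap connection to server failed#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/pdns.ldap.error";
        if (IfFileTime($file)) {
            events("PDNS LDAP FAILED");
            email_events("PowerDNS ldap connection failed", "PowerDNS claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("PDNS FAILED:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#master.+?cannot find executable for service.+?sieve#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/cyrus.sieve.error";
        if (IfFileTime($file)) {
            events("Check sieve path");
            THREAD_COMMAND_SET("/usr/share/artica-postfix/bin/artica-install --reconfigure-cyrus");
            WriteFileCache($file);
            return;
        } else {
            events("Check sieve path error :{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#smbd\\[.+?write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/samba.Error.Connection.reset.by.peer.error";
        if (IfFileTime($file)) {
            events("Check sieve Error Connection reset by peer");
            $text = array();
            $text[] = "Your MS Windows computers should not have access to the server cause network generic errors";
            $text[] = "- Check these parameters:";
            $text[] = "- Check if Apparmor or SeLinux are disabled on the server.";
            $text[] = "- Check your hard drives by this command-line: hdparm -tT /dev/sda(0-9)";
            $text[] = "- Check that 137|138|139|445 ports is open from workstation to this server";
            $text[] = "- Check network switch or hub connection between this server and your workstations.";
            $text[] = "- Try to add this registry key [HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Disk]\n\t\"TimeOutValue\"=dword:0000003c";
            email_events("Samba network error", "Samba claim \"{$buffer}\"\n" . implode("\n", $text), 'system');
            WriteFileCache($file);
            return;
        } else {
            events("Check sieve Error Connection reset by peer :{$buffer}, but take action after 10mn");
            return;
        }
    }
    events("Not Filtered:\"{$buffer}\"");
}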