/**
* ParseLine
*
* @param arrArguments array in&out: properties of interest. There can be no guarantee the logstream can actually deliver them.
* @return integer Error stat
*/
public function ParseLine($szLine, &$arrArguments)
{
// Set IUT Property first!
$arrArguments[SYSLOG_MESSAGETYPE] = IUT_Syslog;
// Sample: <22>1 2011-03-03T15:27:06+01:00 debian507x64 postfix 2454 - - daemon started -- version 2.5.5, configuration /etc/postfix
// Sample: <46>1 2011-03-03T15:27:05+01:00 debian507x64 rsyslogd - - - [origin software="rsyslogd" swVersion="4.6.4" x-pid="2344" x-info="http://www.rsyslog.com"] (re)start
// Sample (RSyslog): 2008-03-28T11:07:40+01:00 localhost rger: test 1
if (preg_match("/<([0-9]{1,3})>([0-9]) ([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}.[0-9]{1,2}:[0-9]{1,2}) (.*?) (.*?) (.*?) (.*?) (.*?) (.*?)\$/", $szLine, $out)) {
// Copy parsed properties!
$arrArguments[SYSLOG_FACILITY] = $out[1] >> 3;
$arrArguments[SYSLOG_SEVERITY] = $out[1] & 0x7;
$arrArguments[SYSLOG_DATE] = GetEventTime($out[3]);
$arrArguments[SYSLOG_HOST] = $out[4];
$arrArguments[SYSLOG_SYSLOGTAG] = $out[5];
$arrArguments[SYSLOG_PROCESSID] = $out[6];
$arrArguments[SYSLOG_MESSAGE] = $out[9];
} else {
if (preg_match("/<([0-9]{1,3})>([0-9]) ([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}\\.[0-9]{1,6}.[0-9]{1,2}:[0-9]{1,2}) (.*?) (.*?) (.*?) (.*?) (.*?) (.*?)\$/", $szLine, $out)) {
// Copy parsed properties!
$arrArguments[SYSLOG_FACILITY] = $out[1] >> 3;
$arrArguments[SYSLOG_SEVERITY] = $out[1] & 0x7;
$arrArguments[SYSLOG_DATE] = GetEventTime($out[3]);
$arrArguments[SYSLOG_HOST] = $out[4];
$arrArguments[SYSLOG_SYSLOGTAG] = $out[5];
$arrArguments[SYSLOG_PROCESSID] = $out[6];
$arrArguments[SYSLOG_MESSAGE] = $out[9];
} else {
if (isset($arrArguments[SYSLOG_MESSAGE]) && strlen($arrArguments[SYSLOG_MESSAGE]) > 0) {
OutputDebugMessage("Unparseable syslog msg - '" . $arrArguments[SYSLOG_MESSAGE] . "'", DEBUG_ERROR);
}
}
}
// If SyslogTag is set, we check for MessageType!
if (isset($arrArguments[SYSLOG_SYSLOGTAG])) {
if (strpos($arrArguments[SYSLOG_SYSLOGTAG], "EvntSLog") !== false) {
$arrArguments[SYSLOG_MESSAGETYPE] = IUT_NT_EventReport;
}
}
// Return success!
return SUCCESS;
}
/**
* ParseLine
*
* @param arrArguments array in&out: properties of interest. There can be no guarantee the logstream can actually deliver them.
* @return integer Error stat
*/
public function ParseLine($szLine, &$arrArguments)
{
global $content;
// Set IUT Property first!
$arrArguments[SYSLOG_MESSAGETYPE] = IUT_Syslog;
// Sample (WinSyslog/EventReporter): 2008-04-02,15:19:06,2008-04-02,15:19:06,127.0.0.1,16,5,EvntSLog: Performance counters for the RSVP (QoS RSVP) service were loaded successfully.
if (preg_match("/([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}.[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}),([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}.[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}),(.*?),([0-9]{1,2}),([0-9]{1,2}),(.*?):(.*?)\$/", $szLine, $out)) {
// Copy parsed properties!
$arrArguments[SYSLOG_DATE] = GetEventTime($out[1]);
$arrArguments[SYSLOG_HOST] = $out[3];
$arrArguments[SYSLOG_FACILITY] = $out[4];
$arrArguments[SYSLOG_SEVERITY] = $out[5];
$arrArguments[SYSLOG_SYSLOGTAG] = $out[6];
$arrArguments[SYSLOG_MESSAGE] = $out[7];
} else {
if (preg_match("/([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}.[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}),([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}.[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}),(.*?),([0-9]{1,2}),([0-9]{1,2}),(.*?)\$/", $szLine, $out)) {
// Copy parsed properties!
$arrArguments[SYSLOG_DATE] = GetEventTime($out[1]);
$arrArguments[SYSLOG_HOST] = $out[3];
$arrArguments[SYSLOG_FACILITY] = $out[4];
$arrArguments[SYSLOG_SEVERITY] = $out[5];
$arrArguments[SYSLOG_MESSAGE] = $out[6];
} else {
if (isset($arrArguments[SYSLOG_MESSAGE]) && strlen($arrArguments[SYSLOG_MESSAGE]) > 0) {
OutputDebugMessage("Unparseable Winsyslog message - '" . $arrArguments[SYSLOG_MESSAGE] . "'", DEBUG_ERROR);
}
}
}
// If SyslogTag is set, we check for MessageType!
if (isset($arrArguments[SYSLOG_SYSLOGTAG])) {
if (strpos($arrArguments[SYSLOG_SYSLOGTAG], "EvntSLog") !== false) {
$arrArguments[SYSLOG_MESSAGETYPE] = IUT_NT_EventReport;
}
}
// Return success!
return SUCCESS;
}
/**
* ParseLine
*
* @param arrArguments array in&out: properties of interest. There can be no guarantee the logstream can actually deliver them.
* @return integer Error stat
*/
public function ParseMsg($szMsg, &$arrArguments)
{
global $content, $fields;
//trim the msg first to remove spaces from begin and end
$szMsg = trim($szMsg);
// Sample: Oct 14 21:05:52 script,info INICIO; Madrid-arturosoria ;wlan1 ;00:1F:3A:66:70:09 ;192.168.10.117 ;24Mbps ;36Mbps ;15:50:56 ;00:00:00.080 ;-80dBm@1Mbps ;21 ;78 ;43351,126437 ;2959,377
if (preg_match('/(.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?)$/', $szMsg, $out)) {
$arrArguments[SYSLOG_NET_HOST] = trim($out[1]);
// Set wlan log specific properties!
$arrArguments[SYSLOG_NET_INTERFACE] = trim($out[2]);
$arrArguments[SYSLOG_NET_MAC_ADDRESS] = trim($out[3]);
$arrArguments[SYSLOG_NET_LASTIP] = trim($out[4]);
$arrArguments[SYSLOG_NET_RXRATE] = trim($out[5]);
$arrArguments[SYSLOG_NET_TXRATE] = trim($out[6]);
$arrArguments[SYSLOG_NET_UPTIME] = trim($out[7]);
$arrArguments[SYSLOG_NET_LASTACTIVITY] = trim($out[8]);
$arrArguments[SYSLOG_NET_SIGNALSTRENGTH] = trim($out[9]);
// Number based fields
$arrArguments[SYSLOG_NET_SIGNALTONOISE] = trim($out[10]);
$arrArguments[SYSLOG_NET_TXCCQ] = trim($out[11]);
// Set msg to whole logline
$arrArguments[SYSLOG_MESSAGE] = trim($out[0]);
// Get additional parameters!
if (preg_match('/(.|.*?[0-9]{1,12}.*?),(.|.*?[0-9]{1,12}.*?);(.|.*?[0-9]{1,12}.*?),(.|.*?[0-9]{1,12}.*?)$/', $out[12], $out2)) {
$arrArguments[SYSLOG_NET_BYTESRECIEVED] = trim($out2[1]);
$arrArguments[SYSLOG_NET_BYTESSEND] = trim($out2[2]);
$arrArguments[SYSLOG_NET_PACKETSRECIEVED] = trim($out2[3]);
$arrArguments[SYSLOG_NET_PACKETSSEND] = trim($out2[4]);
} else {
$arrArguments[SYSLOG_NET_BYTESRECIEVED] = "";
$arrArguments[SYSLOG_NET_BYTESSEND] = "";
$arrArguments[SYSLOG_NET_PACKETSRECIEVED] = "";
$arrArguments[SYSLOG_NET_PACKETSSEND] = "";
}
if ($this->_MsgNormalize == 1) {
//Init tmp msg
$szTmpMsg = "";
// Create Field Array to prepend into msg! Reverse Order here
$myFields = array(SYSLOG_NET_PACKETSSEND, SYSLOG_NET_PACKETSRECIEVED, SYSLOG_NET_BYTESSEND, SYSLOG_NET_BYTESRECIEVED, SYSLOG_NET_TXCCQ, SYSLOG_NET_SIGNALTONOISE, SYSLOG_NET_UPTIME, SYSLOG_NET_SIGNALSTRENGTH, SYSLOG_NET_LASTACTIVITY, SYSLOG_NET_TXRATE, SYSLOG_NET_RXRATE, SYSLOG_NET_LASTIP, SYSLOG_NET_MAC_ADDRESS, SYSLOG_NET_INTERFACE, SYSLOG_HOST);
foreach ($myFields as $myField) {
// Set Field Caption
if (isset($fields[$myField]['FieldCaption'])) {
$szFieldName = $fields[$myField]['FieldCaption'];
} else {
$szFieldName = $myField;
}
// Append Field into msg
$szTmpMsg = $szFieldName . ": '" . $arrArguments[$myField] . "'\n" . $szTmpMsg;
}
// copy finished MSG back!
$arrArguments[SYSLOG_MESSAGE] = $szTmpMsg;
}
} else {
if (preg_match('/(...)(?:.|..)([0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}) (.*?),(.*?) (.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?)$/', $szMsg, $out)) {
//print_r ( $out );
//exit;
// Set generic properties
$arrArguments[SYSLOG_DATE] = GetEventTime($out[1] . " " . $out[2]);
$arrArguments[SYSLOG_NET_HOST] = trim($out[6]);
// Set wlan log specific properties!
$arrArguments[SYSLOG_NET_INTERFACE] = trim($out[7]);
$arrArguments[SYSLOG_NET_MAC_ADDRESS] = trim($out[8]);
$arrArguments[SYSLOG_NET_LASTIP] = trim($out[9]);
$arrArguments[SYSLOG_NET_RXRATE] = trim($out[10]);
$arrArguments[SYSLOG_NET_TXRATE] = trim($out[11]);
$arrArguments[SYSLOG_NET_UPTIME] = trim($out[12]);
$arrArguments[SYSLOG_NET_LASTACTIVITY] = trim($out[13]);
$arrArguments[SYSLOG_NET_SIGNALSTRENGTH] = trim($out[14]);
// Number based fields
$arrArguments[SYSLOG_NET_SIGNALTONOISE] = trim($out[15]);
$arrArguments[SYSLOG_NET_TXCCQ] = trim($out[16]);
// Set msg to whole logline
$arrArguments[SYSLOG_MESSAGE] = trim($out[0]);
// Get additional parameters!
if (preg_match('/(.|.*?[0-9]{1,12}.*?),(.|.*?[0-9]{1,12}.*?);(.|.*?[0-9]{1,12}.*?),(.|.*?[0-9]{1,12}.*?)$/', $out[17], $out2)) {
$arrArguments[SYSLOG_NET_BYTESRECIEVED] = trim($out2[1]);
$arrArguments[SYSLOG_NET_BYTESSEND] = trim($out2[2]);
$arrArguments[SYSLOG_NET_PACKETSRECIEVED] = trim($out2[3]);
$arrArguments[SYSLOG_NET_PACKETSSEND] = trim($out2[4]);
} else {
$arrArguments[SYSLOG_NET_BYTESRECIEVED] = "";
$arrArguments[SYSLOG_NET_BYTESSEND] = "";
$arrArguments[SYSLOG_NET_PACKETSRECIEVED] = "";
$arrArguments[SYSLOG_NET_PACKETSSEND] = "";
}
if ($this->_MsgNormalize == 1) {
//Init tmp msg
$szTmpMsg = "";
// Create Field Array to prepend into msg! Reverse Order here
$myFields = array(SYSLOG_NET_PACKETSSEND, SYSLOG_NET_PACKETSRECIEVED, SYSLOG_NET_BYTESSEND, SYSLOG_NET_BYTESRECIEVED, SYSLOG_NET_TXCCQ, SYSLOG_NET_SIGNALTONOISE, SYSLOG_NET_UPTIME, SYSLOG_NET_SIGNALSTRENGTH, SYSLOG_NET_LASTACTIVITY, SYSLOG_NET_TXRATE, SYSLOG_NET_RXRATE, SYSLOG_NET_LASTIP, SYSLOG_NET_MAC_ADDRESS, SYSLOG_NET_INTERFACE, SYSLOG_HOST);
foreach ($myFields as $myField) {
// Set Field Caption
if (isset($fields[$myField]['FieldCaption'])) {
$szFieldName = $fields[$myField]['FieldCaption'];
} else {
$szFieldName = $myField;
}
// Append Field into msg
$szTmpMsg = $szFieldName . ": '" . $arrArguments[$myField] . "'\n" . $szTmpMsg;
}
// copy finished MSG back!
$arrArguments[SYSLOG_MESSAGE] = $szTmpMsg;
}
} else {
// return no match in this case!
return ERROR_MSG_NOMATCH;
}
}
// Set IUT Property if success!
$arrArguments[SYSLOG_MESSAGETYPE] = IUT_Syslog;
// If we reached this position, return success!
return SUCCESS;
}
/**
* ParseLine
*
* @param arrArguments array in&out: properties of interest. There can be no guarantee the logstream can actually deliver them.
* @return integer Error stat
*/
public function ParseLine($szLine, &$arrArguments)
{
// Set IUT Property first!
$arrArguments[SYSLOG_MESSAGETYPE] = IUT_Syslog;
// Sample (Syslog): Mar 10 14:45:44 debandre anacron[3226]: Job `cron.daily' terminated (mailing output)
if (preg_match("/(...)(?:.|..)([0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}) ([a-zA-Z0-9_\\-\\.]{1,256}) ([A-Za-z0-9_\\-\\/\\.]{1,32})\\[(.*?)\\]:(.*?)\$/", $szLine, $out)) {
// Copy parsed properties!
$arrArguments[SYSLOG_DATE] = GetEventTime($out[1] . " " . $out[2]);
$arrArguments[SYSLOG_HOST] = $out[3];
$arrArguments[SYSLOG_SYSLOGTAG] = $out[4];
$arrArguments[SYSLOG_PROCESSID] = $out[5];
$arrArguments[SYSLOG_MESSAGE] = $out[6];
} else {
if (preg_match("/(...)(?:.|..)([0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}) ([a-zA-Z0-9_\\-\\.]{1,256}) ([A-Za-z0-9_\\-\\/\\.]{1,32}):(.*?)\$/", $szLine, $out)) {
// Copy parsed properties!
$arrArguments[SYSLOG_DATE] = GetEventTime($out[1] . " " . $out[2]);
$arrArguments[SYSLOG_HOST] = $out[3];
$arrArguments[SYSLOG_SYSLOGTAG] = $out[4];
$arrArguments[SYSLOG_MESSAGE] = $out[5];
} else {
if (preg_match("/(...)(?:.|..)([0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}) ([a-zA-Z0-9_\\-\\.]{1,256}) ([A-Za-z0-9_\\-\\/\\.]{1,32}) (.*?)\$/", $szLine, $out)) {
// Copy parsed properties!
$arrArguments[SYSLOG_DATE] = GetEventTime($out[1] . " " . $out[2]);
$arrArguments[SYSLOG_HOST] = $out[3];
$arrArguments[SYSLOG_SYSLOGTAG] = $out[4];
$arrArguments[SYSLOG_MESSAGE] = $out[5];
} else {
if (preg_match("/(...)(?:.|..)([0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}) (.*?) (.*?)\$/", $szLine, $out)) {
// Copy parsed properties!
$arrArguments[SYSLOG_DATE] = GetEventTime($out[1] . " " . $out[2]);
$arrArguments[SYSLOG_HOST] = $out[3];
$arrArguments[SYSLOG_MESSAGE] = $out[4];
} else {
if (preg_match("/([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}.[0-9]{1,2}:[0-9]{1,2}) (.*?) (.*?):(.*?)\$/", $szLine, $out)) {
// Copy parsed properties!
$arrArguments[SYSLOG_DATE] = GetEventTime($out[1]);
$arrArguments[SYSLOG_HOST] = $out[2];
$arrArguments[SYSLOG_SYSLOGTAG] = $out[3];
$arrArguments[SYSLOG_MESSAGE] = $out[4];
} else {
if (preg_match("/([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}\\.[0-9]{1,6}.[0-9]{1,2}:[0-9]{1,2}) (.*?) (.*?):(.*?)\$/", $szLine, $out)) {
// Copy parsed properties!
$arrArguments[SYSLOG_DATE] = GetEventTime($out[1]);
$arrArguments[SYSLOG_HOST] = $out[2];
$arrArguments[SYSLOG_SYSLOGTAG] = $out[3];
$arrArguments[SYSLOG_MESSAGE] = $out[4];
} else {
if (preg_match("/([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}\\.[0-9]{1,6}.[0-9]{1,2}:[0-9]{1,2}),(.*?)\$/", $szLine, $out)) {
// Some kind of debug message or something ...
$arrArguments[SYSLOG_DATE] = GetEventTime($out[1]);
$arrArguments[SYSLOG_MESSAGE] = $out[2];
} else {
if (isset($arrArguments[SYSLOG_MESSAGE]) && strlen($arrArguments[SYSLOG_MESSAGE]) > 0) {
OutputDebugMessage("Unparseable syslog msg - '" . $arrArguments[SYSLOG_MESSAGE] . "'", DEBUG_ERROR);
}
}
}
}
}
}
}
}
// If SyslogTag is set, we check for MessageType!
if (isset($arrArguments[SYSLOG_SYSLOGTAG])) {
if (strpos($arrArguments[SYSLOG_SYSLOGTAG], "EvntSLog") !== false) {
$arrArguments[SYSLOG_MESSAGETYPE] = IUT_NT_EventReport;
}
}
// Return success!
return SUCCESS;
}
private function CreateSQLWhereClause()
{
if ($this->_filters != null) {
global $dbmapping;
$szTableType = $this->_logStreamConfigObj->DBTableType;
// Reset WhereClause
$this->_SQLwhereClause = "";
// --- Build Query Array
$arrayQueryProperties = $this->_arrProperties;
if (isset($this->_arrFilterProperties) && $this->_arrFilterProperties != null) {
foreach ($this->_arrFilterProperties as $filterproperty) {
if ($this->_arrProperties == null || !in_array($filterproperty, $this->_arrProperties)) {
$arrayQueryProperties[] = $filterproperty;
}
}
}
// ---
// Loop through all available properties
foreach ($arrayQueryProperties as $propertyname) {
// If the property exists in the filter array, we have something to filter for ^^!
if (array_key_exists($propertyname, $this->_filters)) {
// Process all filters
foreach ($this->_filters[$propertyname] as $myfilter) {
// Only perform if database mapping is available for this filter!
if (isset($dbmapping[$szTableType]['DBMAPPINGS'][$propertyname])) {
switch ($myfilter[FILTER_TYPE]) {
case FILTER_TYPE_STRING:
// --- Either make a LIKE or a equal query!
if ($myfilter[FILTER_MODE] & FILTER_MODE_SEARCHFULL) {
// Set addnot to nothing
$addnod = "";
// --- Check if user wants to include or exclude!
if ($myfilter[FILTER_MODE] & FILTER_MODE_INCLUDE) {
$szSearchBegin = " = '";
$szSearchEnd = "' ";
} else {
$szSearchBegin = " <> '";
$szSearchEnd = "' ";
}
// ---
} else {
if ($myfilter[FILTER_MODE] & FILTER_MODE_SEARCHREGEX) {
//REGEXP Supported by MYSQL
if ($this->_logStreamConfigObj->DBType == DB_MYSQL) {
// --- Check if user wants to include or exclude!
if ($myfilter[FILTER_MODE] & FILTER_MODE_INCLUDE) {
$addnod = " ";
} else {
$addnod = " NOT";
}
// ---
$szSearchBegin = "REGEXP '";
$szSearchEnd = "' ";
} else {
if ($this->_logStreamConfigObj->DBType == DB_PGSQL) {
// --- Check if user wants to include or exclude!
if ($myfilter[FILTER_MODE] & FILTER_MODE_INCLUDE) {
$addnod = " ";
} else {
$addnod = " !";
}
// ---
$szSearchBegin = "~* '";
$szSearchEnd = "' ";
} else {
// --- Check if user wants to include or exclude!
if ($myfilter[FILTER_MODE] & FILTER_MODE_INCLUDE) {
$addnod = " ";
} else {
$addnod = " NOT";
}
// ---
// Database Layer does not support REGEXP
$szSearchBegin = "LIKE '%";
$szSearchEnd = "%' ";
}
}
} else {
// --- Check if user wants to include or exclude!
if ($myfilter[FILTER_MODE] & FILTER_MODE_INCLUDE) {
$addnod = "";
} else {
$addnod = " NOT";
}
// ---
$szSearchBegin = " LIKE '%";
$szSearchEnd = "%' ";
}
}
// ---
// --- If Syslog message, we have AND handling, otherwise OR!
if ($propertyname == SYSLOG_MESSAGE) {
$addor = " AND ";
} else {
// If we exclude filters, we need to combine with AND
if ($myfilter[FILTER_MODE] & FILTER_MODE_INCLUDE) {
$addor = " OR ";
} else {
$addor = " AND ";
}
}
// ---
// Not create LIKE Filters
if (isset($tmpfilters[$propertyname])) {
$tmpfilters[$propertyname][FILTER_VALUE] .= $addor . $dbmapping[$szTableType]['DBMAPPINGS'][$propertyname] . $addnod . $szSearchBegin . DB_RemoveBadChars($myfilter[FILTER_VALUE], $this->_logStreamConfigObj->DBType) . $szSearchEnd;
} else {
$tmpfilters[$propertyname][FILTER_TYPE] = FILTER_TYPE_STRING;
$tmpfilters[$propertyname][FILTER_VALUE] = $dbmapping[$szTableType]['DBMAPPINGS'][$propertyname] . $addnod . $szSearchBegin . DB_RemoveBadChars($myfilter[FILTER_VALUE], $this->_logStreamConfigObj->DBType) . $szSearchEnd;
}
break;
case FILTER_TYPE_NUMBER:
// --- Check if user wants to include or exclude!
if ($myfilter[FILTER_MODE] & FILTER_MODE_EXCLUDE) {
// Add to filterset
$szArrayKey = $propertyname . "-NOT";
if (isset($tmpfilters[$szArrayKey])) {
$tmpfilters[$szArrayKey][FILTER_VALUE] .= ", " . $myfilter[FILTER_VALUE];
} else {
$tmpfilters[$szArrayKey][FILTER_TYPE] = FILTER_TYPE_NUMBER;
$tmpfilters[$szArrayKey][FILTER_VALUE] = $dbmapping[$szTableType]['DBMAPPINGS'][$propertyname] . " NOT IN (" . DB_RemoveBadChars($myfilter[FILTER_VALUE], $this->_logStreamConfigObj->DBType);
}
} else {
// Add to filterset
if (isset($tmpfilters[$propertyname])) {
$tmpfilters[$propertyname][FILTER_VALUE] .= ", " . $myfilter[FILTER_VALUE];
} else {
$tmpfilters[$propertyname][FILTER_TYPE] = FILTER_TYPE_NUMBER;
$tmpfilters[$propertyname][FILTER_VALUE] = $dbmapping[$szTableType]['DBMAPPINGS'][$propertyname] . " IN (" . DB_RemoveBadChars($myfilter[FILTER_VALUE], $this->_logStreamConfigObj->DBType);
}
}
// ---
break;
case FILTER_TYPE_DATE:
if (isset($tmpfilters[$propertyname])) {
$tmpfilters[$propertyname][FILTER_VALUE] .= " AND ";
} else {
$tmpfilters[$propertyname][FILTER_VALUE] = "";
$tmpfilters[$propertyname][FILTER_TYPE] = FILTER_TYPE_DATE;
}
if ($myfilter[FILTER_DATEMODE] == DATEMODE_LASTX) {
// Get current timestamp
$nNowTimeStamp = time();
if ($myfilter[FILTER_VALUE] == DATE_LASTX_HOUR) {
$nNowTimeStamp -= 60 * 60;
} else {
if ($myfilter[FILTER_VALUE] == DATE_LASTX_12HOURS) {
$nNowTimeStamp -= 60 * 60 * 12;
} else {
if ($myfilter[FILTER_VALUE] == DATE_LASTX_24HOURS) {
$nNowTimeStamp -= 60 * 60 * 24;
} else {
if ($myfilter[FILTER_VALUE] == DATE_LASTX_7DAYS) {
$nNowTimeStamp -= 60 * 60 * 24 * 7;
} else {
if ($myfilter[FILTER_VALUE] == DATE_LASTX_31DAYS) {
$nNowTimeStamp -= 60 * 60 * 24 * 31;
} else {
// Set filter to unknown and Abort in this case!
$tmpfilters[$propertyname][FILTER_TYPE] = FILTER_TYPE_UNKNOWN;
break;
}
}
}
}
}
// Append filter
$tmpfilters[$propertyname][FILTER_VALUE] .= $dbmapping[$szTableType]['DBMAPPINGS'][$propertyname] . " > '" . date("Y-m-d H:i:s", $nNowTimeStamp) . "'";
} else {
if ($myfilter[FILTER_DATEMODE] == DATEMODE_RANGE_FROM) {
// Obtain Event struct for the time!
$myeventtime = GetEventTime($myfilter[FILTER_VALUE]);
$tmpfilters[$propertyname][FILTER_VALUE] .= $dbmapping[$szTableType]['DBMAPPINGS'][$propertyname] . " > '" . date("Y-m-d H:i:s", $myeventtime[EVTIME_TIMESTAMP]) . "'";
} else {
if ($myfilter[FILTER_DATEMODE] == DATEMODE_RANGE_TO) {
// Obtain Event struct for the time!
$myeventtime = GetEventTime($myfilter[FILTER_VALUE]);
$tmpfilters[$propertyname][FILTER_VALUE] .= $dbmapping[$szTableType]['DBMAPPINGS'][$propertyname] . " < '" . date("Y-m-d H:i:s", $myeventtime[EVTIME_TIMESTAMP]) . "'";
} else {
if ($myfilter[FILTER_DATEMODE] == DATEMODE_RANGE_DATE) {
// Obtain Event struct for the time!
$myeventtime = GetEventTime($myfilter[FILTER_VALUE]);
$tmpfilters[$propertyname][FILTER_VALUE] .= $dbmapping[$szTableType]['DBMAPPINGS'][$propertyname] . " > '" . date("Y-m-d H:i:s", $myeventtime[EVTIME_TIMESTAMP]) . "' AND " . $dbmapping[$szTableType]['DBMAPPINGS'][$propertyname] . " < '" . date("Y-m-d H:i:s", $myeventtime[EVTIME_TIMESTAMP] + 86400) . "'";
}
}
}
}
break;
default:
// Nothing to do!
break;
}
} else {
// Check how to treat not found db mappings / filters
if (GetConfigSetting("TreatNotFoundFiltersAsTrue", 0, CFGLEVEL_USER) == 0) {
return ERROR_DB_DBFIELDNOTFOUND;
}
}
}
}
}
// Check and combine all filters now!
if (isset($tmpfilters)) {
// Append filters
foreach ($tmpfilters as $tmpfilter) {
// Init WHERE or Append AND
if (strlen($this->_SQLwhereClause) > 0) {
$this->_SQLwhereClause .= " AND ";
} else {
$this->_SQLwhereClause = " WHERE ";
}
switch ($tmpfilter[FILTER_TYPE]) {
case FILTER_TYPE_STRING:
$this->_SQLwhereClause .= "( " . $tmpfilter[FILTER_VALUE] . ") ";
break;
case FILTER_TYPE_NUMBER:
$this->_SQLwhereClause .= $tmpfilter[FILTER_VALUE] . ") ";
break;
case FILTER_TYPE_DATE:
$this->_SQLwhereClause .= $tmpfilter[FILTER_VALUE];
break;
default:
// Should not happen, wrong filters!
// We add a dummy into the where clause, just as a place holder
$this->_SQLwhereClause .= " 1=1 ";
break;
}
}
}
//echo $this->_SQLwhereClause;
//$dbmapping[$szTableType][SYSLOG_UID]
} else {
// No filters means nothing to do!
return SUCCESS;
}
}
/**
* ParseLine
*
* @param arrArguments array in&out: properties of interest. There can be no guarantee the logstream can actually deliver them.
* @return integer Error stat
*/
public function ParseMsg($szMsg, &$arrArguments)
{
global $content, $fields;
//trim the msg first to remove spaces from begin and end
$szMsg = trim($szMsg);
//return ERROR_MSG_NOMATCH;
// LogFormat "%h %l %u %t \"%r\" %>s %b" common
// LogFormat "%{Referer}i -> %U" referer
// LogFormat "%{User-agent}i" agent
// LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
// Sample (apache2): 127.0.0.1 - - [14/Sep/2008:06:50:15 +0200] "GET / HTTP/1.0" 200 19023 "-" "VoilaBot link checker"
// Sample: 65.55.211.112 - - [16/Sep/2008:13:37:47 +0200] "GET /index.php?name=News&file=article&sid=1&theme=Printer HTTP/1.1" 200 4908 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
if (preg_match('/(.|.*?) (.|.*?) (.|.*?) \\[(.*?)\\] "(.*?) (.*?) (.*?)" (.|[0-9]{1,12}) (.|[0-9]{1,12}) "(.|.*?)" "(.*?)("|)$/', $szMsg, $out)) {
// print_r ( $out );
// exit;
// Set generic properties
$arrArguments[SYSLOG_HOST] = $out[1];
$arrArguments[SYSLOG_DATE] = GetEventTime($out[4]);
// Set weblog specific properties!
$arrArguments[SYSLOG_WEBLOG_USER] = $out[3];
$arrArguments[SYSLOG_WEBLOG_METHOD] = $out[5];
if (strpos($out[6], "?") === false) {
$arrArguments[SYSLOG_WEBLOG_URL] = $out[6];
$arrArguments[SYSLOG_WEBLOG_QUERYSTRING] = "";
} else {
$arrArguments[SYSLOG_WEBLOG_URL] = substr($out[6], 0, strpos($out[6], "?"));
$arrArguments[SYSLOG_WEBLOG_QUERYSTRING] = substr($out[6], strpos($out[6], "?") + 1);
}
// Number based fields
$arrArguments[SYSLOG_WEBLOG_PVER] = $out[7];
$arrArguments[SYSLOG_WEBLOG_STATUS] = $out[8];
$arrArguments[SYSLOG_WEBLOG_BYTESSEND] = $out[9];
$arrArguments[SYSLOG_WEBLOG_REFERER] = $out[10];
$arrArguments[SYSLOG_WEBLOG_USERAGENT] = $out[11];
// Set msg to whole logline
$arrArguments[SYSLOG_MESSAGE] = $out[0];
if ($this->_MsgNormalize == 1) {
//Init tmp msg
$szTmpMsg = "";
// Create Field Array to prepend into msg! Reverse Order here
$myFields = array(SYSLOG_WEBLOG_USER, SYSLOG_WEBLOG_PVER, SYSLOG_WEBLOG_USERAGENT, SYSLOG_WEBLOG_BYTESSEND, SYSLOG_WEBLOG_STATUS, SYSLOG_WEBLOG_REFERER, SYSLOG_WEBLOG_METHOD, SYSLOG_WEBLOG_QUERYSTRING, SYSLOG_WEBLOG_URL);
foreach ($myFields as $myField) {
// Set Field Caption
if (isset($fields[$myField]['FieldCaption'])) {
$szFieldName = $fields[$myField]['FieldCaption'];
} else {
$szFieldName = $myField;
}
// Append Field into msg
$szTmpMsg = $szFieldName . ": '" . $arrArguments[$myField] . "'\n" . $szTmpMsg;
}
// copy finished MSG back!
$arrArguments[SYSLOG_MESSAGE] = $szTmpMsg;
}
} else {
// return no match in this case!
return ERROR_MSG_NOMATCH;
}
// Set IUT Property if success!
$arrArguments[SYSLOG_MESSAGETYPE] = IUT_WEBSERVERLOG;
// If we reached this position, return success!
return SUCCESS;
}
private function CreateQueryArray($uID)
{
global $dbmapping;
$szTableType = $this->_logStreamConfigObj->DBTableType;
// Init Array
$this->_myMongoQuery = array();
if ($this->_filters != null) {
// Loop through all available properties
foreach ($this->_arrProperties as $propertyname) {
// If the property exists in the filter array, we have something to filter for ^^!
if (array_key_exists($propertyname, $this->_filters)) {
// Process all filters
foreach ($this->_filters[$propertyname] as $myfilter) {
// Only perform if database mapping is available for this filter!
if (isset($dbmapping[$szTableType]['DBMAPPINGS'][$propertyname])) {
$szMongoPropID = $dbmapping[$szTableType]['DBMAPPINGS'][$propertyname];
switch ($myfilter[FILTER_TYPE]) {
case FILTER_TYPE_STRING:
// --- Either make a LIKE or a equal query!
if ($myfilter[FILTER_MODE] & FILTER_MODE_SEARCHFULL) {
// --- Check if user wants to include or exclude!
if ($myfilter[FILTER_MODE] & FILTER_MODE_INCLUDE) {
if ($propertyname == SYSLOG_MESSAGE) {
// If we filter for Syslog MSG, we use $ALL to match all values
$this->_myMongoQuery[$szMongoPropID]['$all'][] = $myfilter[FILTER_VALUE];
} else {
// We use $in by default to get results for each value
$this->_myMongoQuery[$szMongoPropID]['$in'][] = $myfilter[FILTER_VALUE];
}
} else {
// $ne equals NOT EQUAL
$this->_myMongoQuery[$szMongoPropID]['$ne'][] = $myfilter[FILTER_VALUE];
}
// ---
} else {
if ($myfilter[FILTER_MODE] & FILTER_MODE_SEARCHREGEX) {
// --- Check if user wants to include or exclude!
if ($myfilter[FILTER_MODE] & FILTER_MODE_INCLUDE) {
// Use REGEX to filter for values, NOT TESTED YET!
$this->_myMongoQuery[$szMongoPropID]['$regex'][] = $myfilter[FILTER_VALUE];
} else {
// Negate the query using $NOT operator.
$this->_myMongoQuery[$szMongoPropID]['$not']['$regex'][] = $myfilter[FILTER_VALUE];
}
// ---
} else {
// This should be a typical LIKE query: Some more checking NEEDED (TODO)!
// --- Check if user wants to include or exclude!
if ($myfilter[FILTER_MODE] & FILTER_MODE_INCLUDE) {
if ($propertyname == SYSLOG_MESSAGE) {
// If we filter for Syslog MSG, we use $ALL to match all values
$this->_myMongoQuery[$szMongoPropID]['$regex'][] = $myfilter[FILTER_VALUE];
} else {
// We use $in by default to get results for each value
$this->_myMongoQuery[$szMongoPropID]['$regex'][] = $myfilter[FILTER_VALUE];
}
// Using REGEX for now!
} else {
// $ne equals NOT EQUAL
$this->_myMongoQuery[$szMongoPropID]['$nin'][] = $myfilter[FILTER_VALUE];
}
// ---
}
}
// ---
break;
case FILTER_TYPE_NUMBER:
// --- Check if user wants to include or exclude!
if ($myfilter[FILTER_MODE] & FILTER_MODE_INCLUDE) {
// We use $in by default to get results for each value
$this->_myMongoQuery[$szMongoPropID]['$in'][] = intval($myfilter[FILTER_VALUE]);
} else {
// $ne equals NOT EQUAL
$this->_myMongoQuery[$szMongoPropID]['$nin'][] = intval($myfilter[FILTER_VALUE]);
}
// ---
break;
case FILTER_TYPE_DATE:
if ($myfilter[FILTER_DATEMODE] == DATEMODE_LASTX) {
// Get current timestamp
$nNowTimeStamp = time();
if ($myfilter[FILTER_VALUE] == DATE_LASTX_HOUR) {
$nNowTimeStamp -= 60 * 60;
} else {
if ($myfilter[FILTER_VALUE] == DATE_LASTX_12HOURS) {
$nNowTimeStamp -= 60 * 60 * 12;
} else {
if ($myfilter[FILTER_VALUE] == DATE_LASTX_24HOURS) {
$nNowTimeStamp -= 60 * 60 * 24;
} else {
if ($myfilter[FILTER_VALUE] == DATE_LASTX_7DAYS) {
$nNowTimeStamp -= 60 * 60 * 24 * 7;
} else {
if ($myfilter[FILTER_VALUE] == DATE_LASTX_31DAYS) {
$nNowTimeStamp -= 60 * 60 * 24 * 31;
} else {
// Set filter to unknown and Abort in this case!
$tmpfilters[$propertyname][FILTER_TYPE] = FILTER_TYPE_UNKNOWN;
break;
}
}
}
}
}
// Create MongoDate Object from Timestamp
$myMongoDate = new MongoDate($nNowTimeStamp);
// add to query array
$this->_myMongoQuery[$szMongoPropID]['$gte'] = $myMongoDate;
} else {
if ($myfilter[FILTER_DATEMODE] == DATEMODE_RANGE_FROM) {
// We use $gt (>) by default to get filter by date
$myeventtime = GetEventTime($myfilter[FILTER_VALUE]);
// Create MongoDate Object from Timestamp
$myMongoDate = new MongoDate($myeventtime[EVTIME_TIMESTAMP]);
// add to query array
$this->_myMongoQuery[$szMongoPropID]['$gte'] = $myMongoDate;
} else {
if ($myfilter[FILTER_DATEMODE] == DATEMODE_RANGE_TO) {
// Obtain Event struct for the time!
$myeventtime = GetEventTime($myfilter[FILTER_VALUE]);
// Create MongoDate Object from Timestamp
$myMongoDate = new MongoDate($myeventtime[EVTIME_TIMESTAMP]);
// add to query array
$this->_myMongoQuery[$szMongoPropID]['$lte'] = $myMongoDate;
} else {
if ($myfilter[FILTER_DATEMODE] == DATEMODE_RANGE_DATE) {
// Obtain Event struct for the time!
$myeventtime = GetEventTime($myfilter[FILTER_VALUE]);
// Create MongoDate Object from Timestamp
$myMongoDateTo = new MongoDate($myeventtime[EVTIME_TIMESTAMP] + 86400);
$myMongoDateFrom = new MongoDate($myeventtime[EVTIME_TIMESTAMP]);
// Add to query array
$this->_myMongoQuery[$szMongoPropID]['$lte'] = $myMongoDateTo;
$this->_myMongoQuery[$szMongoPropID]['$gte'] = $myMongoDateFrom;
}
}
}
}
break;
default:
// Nothing to do!
break;
}
}
}
}
}
//print_r ( array('x' => array( '$gt' => 5, '$lt' => 20 )) );
OutputDebugMessage("CreateQueryArray verbose: " . var_export($this->_myMongoQuery, true), DEBUG_DEBUG);
}
if ($uID != UID_UNKNOWN) {
// Add uID Filter as well!
$myMongoID = new MongoId($this->convBaseHelper($uID, 10, 16));
$this->_myMongoQuery[$dbmapping[$szTableType]['DBMAPPINGS'][SYSLOG_UID]] = array('$lte' => $myMongoID);
}
// Success
return SUCCESS;
}
/**
* ParseLine
*
* @param arrArguments array in&out: properties of interest. There can be no guarantee the logstream can actually deliver them.
* @return integer Error stat
*/
public function ParseMsg($szMsg, &$arrArguments)
{
global $content, $fields;
//trim the msg first to remove spaces from begin and end
$szMsg = trim($szMsg);
// $iSharpPos = strpos($szMsg, "#");
// if ( $iSharpPos !== false && $iSharpPos == 0 )
// return ERROR_MSG_SKIPMESSAGE;
// Special case here, if loglines start with #, they are comments and have to be skipped!
if (($iSharpPos = strpos($szMsg, "#")) !== false && $iSharpPos == 0) {
// Only init fields then
// Set generic properties
$arrArguments[SYSLOG_DATE] = "";
$arrArguments[SYSLOG_HOST] = "";
// Set weblog specific properties!
$arrArguments[SYSLOG_WEBLOG_METHOD] = "";
$arrArguments[SYSLOG_WEBLOG_URL] = "";
$arrArguments[SYSLOG_WEBLOG_QUERYSTRING] = "";
$arrArguments[SYSLOG_WEBLOG_USER] = "";
$arrArguments[SYSLOG_WEBLOG_PVER] = "";
$arrArguments[SYSLOG_WEBLOG_USERAGENT] = "";
$arrArguments[SYSLOG_WEBLOG_REFERER] = "";
$arrArguments[SYSLOG_WEBLOG_STATUS] = "";
$arrArguments[SYSLOG_WEBLOG_BYTESSEND] = "";
// Set msg to whole logline
$arrArguments[SYSLOG_MESSAGE] = $szMsg;
}
// LogFormat: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs-version cs(User-Agent) cs(Referer) sc-status sc-bytes
// Sample: 2008-09-17 00:15:24 GET /Include/MyStyleV2.css - - 208.111.154.249 HTTP/1.0 Mozilla/5.0+(X11;+U;+Linux+i686+(x86_64);+en-US;+rv:1.8.1.11)+Gecko/20080109+(Charlotte/0.9t;+http://www.searchme.com/support/) http://www.adiscon.com/Common/en/News/MWCon-2005-09-12.php 200 1812
if (preg_match('/([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}) (.*?) (.|.*?) (.|.*?) (.|.*?) (.|.*?) (.|.*?) (.|.*?) (.|.*?) (.|.*?) (.|.*?)$/', $szMsg, $out)) {
// print_r ( $out );
// exit;
// Set generic properties
$arrArguments[SYSLOG_DATE] = GetEventTime($out[1]);
$arrArguments[SYSLOG_HOST] = $out[6];
// Set weblog specific properties!
$arrArguments[SYSLOG_WEBLOG_METHOD] = $out[2];
$arrArguments[SYSLOG_WEBLOG_URL] = $out[3];
$arrArguments[SYSLOG_WEBLOG_QUERYSTRING] = $out[4];
$arrArguments[SYSLOG_WEBLOG_USER] = $out[5];
$arrArguments[SYSLOG_WEBLOG_PVER] = $out[7];
$arrArguments[SYSLOG_WEBLOG_USERAGENT] = $out[8];
$arrArguments[SYSLOG_WEBLOG_REFERER] = $out[9];
$arrArguments[SYSLOG_WEBLOG_STATUS] = $out[10];
$arrArguments[SYSLOG_WEBLOG_BYTESSEND] = $out[11];
// Set msg to whole logline
$arrArguments[SYSLOG_MESSAGE] = $out[0];
if ($this->_MsgNormalize == 1) {
//Init tmp msg
$szTmpMsg = "";
// Create Field Array to prepend into msg! Reverse Order here
$myFields = array(SYSLOG_WEBLOG_USER, SYSLOG_WEBLOG_PVER, SYSLOG_WEBLOG_USERAGENT, SYSLOG_WEBLOG_BYTESSEND, SYSLOG_WEBLOG_STATUS, SYSLOG_WEBLOG_REFERER, SYSLOG_WEBLOG_METHOD, SYSLOG_WEBLOG_QUERYSTRING, SYSLOG_WEBLOG_URL);
foreach ($myFields as $myField) {
// Set Field Caption
if (isset($fields[$myField]['FieldCaption'])) {
$szFieldName = $fields[$myField]['FieldCaption'];
} else {
$szFieldName = $myField;
}
// Append Field into msg
$szTmpMsg = $szFieldName . ": '" . $arrArguments[$myField] . "'\n" . $szTmpMsg;
}
// copy finished MSG back!
$arrArguments[SYSLOG_MESSAGE] = $szTmpMsg;
}
} else {
// return no match in this case!
return ERROR_MSG_NOMATCH;
}
// Set IUT Property if success!
$arrArguments[SYSLOG_MESSAGETYPE] = IUT_WEBSERVERLOG;
// If we reached this position, return success!
return SUCCESS;
}
