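/**
 * Display syslog messages.
 *
 * Display pages with device syslog messages.
 * Examples:
 *  print_syslogs()                                                             - display last 10 syslog messages from all devices
 *  print_syslogs(array('pagesize' => 99))                                      - display last 99 syslog messages from all devices
 *  print_syslogs(array('pagesize' => 10, 'pageno' => 3, 'pagination' => TRUE)) - display 10 syslog messages from page 3 with pagination header
 *  print_syslogs(array('pagesize' => 10, 'device' => 4))                       - display last 10 syslog messages for device_id 4
 *  print_syslogs(array('short' => TRUE))                                       - show small block with last syslog messages
 *
 * Input handling:
 *  - $vars is normally built from the request. Every filter value is bound as a
 *    prepared-statement parameter; pageno/pagesize are the only values that are
 *    interpolated into SQL (the LIMIT clause), so they are forced to positive ints.
 *  - `program` and `msg` come from the syslog sender, i.e. from whatever host can
 *    reach the syslog daemon. Both are HTML-escaped before being echoed.
 *
 * @param array $vars
 * @return none
 */
function print_syslogs($vars)
{
  // Short events? (no pagination, small out)
  $short      = isset($vars['short']) && $vars['short'];
  // With pagination? (display page numbers in header)
  $pagination = isset($vars['pagination']) && $vars['pagination'];

  // Page number / size are interpolated into LIMIT below: cast to int and clamp,
  // a raw request string must never reach the query text.
  $pageno   = !empty($vars['pageno'])   ? (int)$vars['pageno']   : 1;
  $pagesize = !empty($vars['pagesize']) ? (int)$vars['pagesize'] : 10;
  if ($pageno < 1)   { $pageno = 1; }
  if ($pagesize < 1) { $pagesize = 10; }
  $start    = $pagesize * $pageno - $pagesize;

  $priorities = $GLOBALS['config']['syslog']['priorities'];

  $param = array();
  $where = ' WHERE 1 ';
  foreach ($vars as $var => $value)
  {
    if ($value != '')
    {
      $cond = array();
      switch ($var)
      {
        case 'device':
        case 'device_id':
          $where  .= ' AND `device_id` = ?';
          $param[] = $value;
          break;
        case 'priority':
          if (!is_array($value)) { $value = array($value); }
          foreach ($value as $k => $v)
          {
            // Rewrite priority strings to numbers
            $value[$k] = priority_string_to_numeric($v);
          }
          // Do not break here, it's true! Falls through to the IN (...) builder.
        case 'program':
          if (!is_array($value)) { $value = array($value); }
          foreach ($value as $v)
          {
            $cond[]  = '?';
            // '[[EMPTY]]' is the WUI placeholder for an empty program name
            $param[] = $v === '[[EMPTY]]' ? '' : $v;
          }
          // $var is 'priority' or 'program' here (only reachable from those cases)
          $where .= " AND `{$var}` IN (";
          $where .= implode(', ', $cond);
          $where .= ')';
          break;
        case 'message':
          foreach (explode(',', $value) as $val)
          {
            $param[] = '%' . $val . '%';
            $cond[]  = '`msg` LIKE ?';
          }
          // Leading space required: the preceding condition does not end with one
          $where .= ' AND (';
          $where .= implode(' OR ', $cond);
          $where .= ')';
          break;
        case 'timestamp_from':
          $where  .= ' AND `timestamp` > ?';
          $param[] = $value;
          break;
        case 'timestamp_to':
          $where  .= ' AND `timestamp` < ?';
          $param[] = $value;
          break;
      }
    }
  }

  // Show events only for permitted devices
  $query_permitted = generate_query_permitted();

  $query  = 'FROM `syslog` ';
  $query .= $where . $query_permitted;
  $query_count = 'SELECT COUNT(`seq`) ' . $query;
  $query  = 'SELECT * ' . $query;
  $query .= ' ORDER BY `seq` DESC ';
  $query .= "LIMIT {$start},{$pagesize}";

  // Query syslog messages
  $entries = dbFetchRows($query, $param);
  // Query syslog count (only needed for the pagination header)
  if ($pagination && !$short)
  {
    $count = dbFetchCell($query_count, $param);
  } else {
    $count = count($entries);
  }

  if (!$count)
  {
    // There have been no entries returned. Print the warning.
    print_warning('<h4>No syslog entries found!</h4> Check that the syslog daemon and Observium configuration options are set correctly, that your devices are configured to send syslog to Observium and that there are no firewalls blocking the messages. See <a href="http://www.observium.org/wiki/Category:Documentation" target="_blank">documentation</a> and <a href="http://www.observium.org/wiki/Configuration_Options#Syslog_Settings" target="_blank">configuration options</a> for more information.');
  } else {
    // Entries have been returned. Print the table.
    $list = array('device' => FALSE, 'priority' => TRUE); // For now (temporarily) priority always displayed
    if (empty($vars['device']) || (isset($vars['page']) && $vars['page'] == 'syslog'))
    {
      $list['device'] = TRUE;
    }
    if ($short || empty($vars['priority']))
    {
      $list['priority'] = TRUE;
    }

    $string = '<table class="table table-bordered table-striped table-hover table-condensed-more">' . PHP_EOL;
    if (!$short)
    {
      $string .= ' <thead>' . PHP_EOL;
      $string .= ' <tr>' . PHP_EOL;
      $string .= ' <th>Date</th>' . PHP_EOL;
      if ($list['device'])   { $string .= ' <th>Device</th>' . PHP_EOL; }
      if ($list['priority']) { $string .= ' <th>Priority</th>' . PHP_EOL; }
      $string .= ' <th>Message</th>' . PHP_EOL;
      $string .= ' </tr>' . PHP_EOL;
      $string .= ' </thead>' . PHP_EOL;
    }
    $string .= ' <tbody>' . PHP_EOL;

    foreach ($entries as $entry)
    {
      // Priority metadata from config; a priority missing from config gets neutral values
      $prio = isset($priorities[$entry['priority']]) ? $priorities[$entry['priority']] : array('color' => '', 'name' => '');

      $string .= ' <tr>';
      if ($short)
      {
        $string .= ' <td class="syslog" style="white-space: nowrap">';
        $timediff = $GLOBALS['config']['time']['now'] - strtotime($entry['timestamp']);
        $string .= overlib_link('', formatUptime($timediff, "short-3"), format_timestamp($entry['timestamp']), NULL) . '</td>' . PHP_EOL;
      } else {
        $string .= ' <td width="160">';
        $string .= format_timestamp($entry['timestamp']) . '</td>' . PHP_EOL;
      }
      if ($list['device'])
      {
        $dev = device_by_id_cache($entry['device_id']);
        $device_vars = array('page' => 'device', 'device' => $entry['device_id'], 'tab' => 'logs', 'section' => 'syslog');
        $string .= ' <td class="entity">' . generate_device_link($dev, short_hostname($dev['hostname']), $device_vars) . '</td>' . PHP_EOL;
      }
      if ($list['priority'] && !$short)
      {
        $string .= ' <td style="color: ' . $prio['color'] . '; white-space: nowrap;">' . nicecase($prio['name']) . ' (' . $entry['priority'] . ')</td>' . PHP_EOL;
      }

      // '[[EMPTY]]' is the placeholder the filter form uses for an empty program name
      $program = empty($entry['program']) ? '[[EMPTY]]' : $entry['program'];
      // program and msg are sender-controlled: escape both, not just msg
      $program = htmlspecialchars($program);
      if ($short)
      {
        $string .= ' <td class="syslog">';
        $string .= '<strong style="color: ' . $prio['color'] . ';">' . $program . '</strong> : ';
      } else {
        $string .= ' <td>';
        $string .= '<strong>' . $program . '</strong> : ';
      }
      $string .= htmlspecialchars($entry['msg']) . '</td>' . PHP_EOL;
      $string .= ' </tr>' . PHP_EOL;
    }
    $string .= ' </tbody>' . PHP_EOL;
    $string .= '</table>' . PHP_EOL;

    // Print pagination header
    if ($pagination && !$short)
    {
      $string = pagination($vars, $count) . $string . pagination($vars, $count);
    }

    // Print syslog
    echo $string;
  }
}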
/**
 * Store an event in the `eventlog` table.
 *
 * Events for ignored devices (and, for port events, ignored ports) are skipped.
 * When the call happens from the WUI the session username is appended to the
 * message text; from the CLI a cron/console marker is appended instead. The
 * appended username is stored unescaped and must be escaped where it is rendered.
 *
 * @param string        $text      Event message
 * @param array|int     $device    Device array or device_id (NULL for no device)
 * @param string        $type      Entity type ('device', 'port', ...)
 * @param array|int     $reference Entity array or entity_id
 * @param int|string    $severity  Numeric or named syslog severity (default 6 = informational)
 * @return int|false    Insert id, or FALSE when the event is suppressed
 */
function log_event($text, $device = NULL, $type = NULL, $reference = NULL, $severity = 6)
{
  if (!is_array($device))
  {
    $device = device_by_id_cache($device);
  }

  // Do not log events if device ignored
  if ($device['ignore'] && $type != 'device')
  {
    return FALSE;
  }

  if ($type == 'port')
  {
    if (is_array($reference))
    {
      $port      = $reference;
      $reference = $port['port_id'];
    } else {
      $port = get_port_by_id_cache($reference);
    }
    // Do not log events if interface ignored
    if ($port['ignore'])
    {
      return FALSE;
    }
  }

  // Convert named severities to numeric
  $severity  = priority_string_to_numeric($severity);
  $from_user = isset($_SESSION['username']);

  // && binds tighter than ||: "device notice" OR "any event raised by a logged-in user"
  if (($type == 'device' && $severity == 5) || $from_user)
  {
    // If severity default, change to notification
    if ($severity == 6)
    {
      $severity = 5;
    }
    if ($from_user)
    {
      $text .= ' (用户: ' . $_SESSION['username'] . ')';
    }
    elseif (is_cli())
    {
      $text .= is_cron() ? ' (自动运行)' : ' (控制台)';
    }
  }

  // NOTE(review): device_id uses the string "NULL" while the other columns use
  // array('NULL') — presumably dbInsert() treats the array form as raw SQL; confirm
  // which form the driver expects for a real NULL.
  $insert = array(
    'device_id'   => $device['device_id'] ? $device['device_id'] : "NULL",
    'entity_id'   => is_numeric($reference) ? $reference : array('NULL'),
    'entity_type' => $type ? $type : array('NULL'),
    'timestamp'   => array("NOW()"),
    'severity'    => $severity,
    'message'     => $text,
  );

  return dbInsert($insert, 'eventlog');
}
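/**
 * Display syslog messages.
 *
 * Display pages with device syslog messages.
 * Examples:
 *  print_syslogs()                                                             - display last 10 syslog messages from all devices
 *  print_syslogs(array('pagesize' => 99))                                      - display last 99 syslog messages from all devices
 *  print_syslogs(array('pagesize' => 10, 'pageno' => 3, 'pagination' => TRUE)) - display 10 syslog messages from page 3 with pagination header
 *  print_syslogs(array('pagesize' => 10, 'device' => 4))                       - display last 10 syslog messages for device_id 4
 *  print_syslogs(array('short' => TRUE))                                       - show small block with last syslog messages
 *
 * Input handling:
 *  - Filter values go through generate_query_values() / bound parameters; pageno and
 *    pagesize are the only values interpolated into SQL (LIMIT) and are cast to int.
 *  - `program` and `msg` come from the syslog sender and are escaped before output.
 *
 * @param array $vars
 * @return none
 */
function print_syslogs($vars)
{
  // Short events? (no pagination, small out)
  $short      = isset($vars['short']) && $vars['short'];
  // With pagination? (display page numbers in header)
  $pagination = isset($vars['pagination']) && $vars['pagination'];

  pagination($vars, 0, TRUE); // Get default pagesize/pageno
  // Both values are interpolated into LIMIT below: force positive ints regardless
  // of what pagination() left in $vars.
  $pageno   = (int)$vars['pageno'];
  $pagesize = (int)$vars['pagesize'];
  if ($pageno < 1)   { $pageno = 1; }
  if ($pagesize < 1) { $pagesize = 10; }
  $start    = $pagesize * $pageno - $pagesize;

  $priorities = $GLOBALS['config']['syslog']['priorities'];

  $param = array();
  $where = ' WHERE 1 ';
  foreach ($vars as $var => $value)
  {
    if ($value != '')
    {
      switch ($var)
      {
        case 'device':
        case 'device_id':
          $where .= generate_query_values($value, 'device_id');
          break;
        case 'priority':
          if (!is_array($value)) { $value = explode(',', $value); }
          foreach ($value as $k => $v)
          {
            // Rewrite priority strings to numbers
            $value[$k] = priority_string_to_numeric($v);
          }
          // Do not break here, it's true! Falls through to the generic IN builder.
        case 'program':
          $where .= generate_query_values($value, $var);
          break;
        case 'message':
          $where .= generate_query_values($value, 'msg', '%LIKE%');
          break;
        case 'timestamp_from':
          $where  .= ' AND `timestamp` > ?';
          $param[] = $value;
          break;
        case 'timestamp_to':
          $where  .= ' AND `timestamp` < ?';
          $param[] = $value;
          break;
      }
    }
  }

  // Show events only for permitted devices
  $query_permitted = generate_query_permitted();

  $query  = 'FROM `syslog` ';
  $query .= $where . $query_permitted;
  $query_count = 'SELECT COUNT(*) ' . $query;
  $query  = 'SELECT * ' . $query;
  $query .= ' ORDER BY `seq` DESC ';
  $query .= "LIMIT {$start},{$pagesize}";

  // Query syslog messages
  $entries = dbFetchRows($query, $param);
  // Query syslog count (only needed for the pagination header)
  if ($pagination && !$short)
  {
    $count = dbFetchCell($query_count, $param);
  } else {
    $count = count($entries);
  }

  if (!$count)
  {
    // There have been no entries returned. Print the warning.
    print_warning('<h4>No syslog entries found!</h4> Check that the syslog daemon and Observium configuration options are set correctly, that your devices are configured to send syslog to Observium and that there are no firewalls blocking the messages. See <a href="' . OBSERVIUM_URL . '/wiki/Category:Documentation" target="_blank">documentation</a> and <a href="' . OBSERVIUM_URL . '/wiki/Configuration_Options#Syslog_Settings" target="_blank">configuration options</a> for more information.');
  } else {
    // Entries have been returned. Print the table.
    $list = array('device' => FALSE, 'priority' => TRUE); // For now (temporarily) priority always displayed
    if (empty($vars['device']) || (isset($vars['page']) && $vars['page'] == 'syslog'))
    {
      $list['device'] = TRUE;
    }
    if ($short || empty($vars['priority']))
    {
      $list['priority'] = TRUE;
    }

    $string  = generate_box_open(isset($vars['header']) ? $vars['header'] : NULL);
    $string .= '<table class="' . OBS_CLASS_TABLE_STRIPED_MORE . '">' . PHP_EOL;
    if (!$short)
    {
      $string .= ' <thead>' . PHP_EOL;
      $string .= ' <tr>' . PHP_EOL;
      $string .= ' <th class="state-marker"></th>' . PHP_EOL;
      $string .= ' <th>Date</th>' . PHP_EOL;
      if ($list['device'])   { $string .= ' <th>Device</th>' . PHP_EOL; }
      if ($list['priority']) { $string .= ' <th>Priority</th>' . PHP_EOL; }
      $string .= ' <th>Message</th>' . PHP_EOL;
      $string .= ' </tr>' . PHP_EOL;
      $string .= ' </thead>' . PHP_EOL;
    }
    $string .= ' <tbody>' . PHP_EOL;

    foreach ($entries as $entry)
    {
      // Row colouring by syslog severity
      switch ($entry['priority'])
      {
        case "0": // Emergency
        case "1": // Alert
        case "2": // Critical
        case "3": // Error
          $entry['html_row_class'] = "error";
          break;
        case "4": // Warning
          $entry['html_row_class'] = "warning";
          break;
        case "5": // Notification
          $entry['html_row_class'] = "recovery";
          break;
        case "6": // Informational
          $entry['html_row_class'] = "up";
          break;
        case "7": // Debugging
          $entry['html_row_class'] = "suppressed";
          break;
        default:
          // Priority outside 0-7: no row class rather than an undefined index
          $entry['html_row_class'] = "";
      }

      // Priority metadata from config; a priority missing from config gets neutral values
      $prio = isset($priorities[$entry['priority']]) ? $priorities[$entry['priority']] : array('color' => '', 'name' => '', 'label-class' => '');

      $string .= ' <tr class="' . $entry['html_row_class'] . '">' . PHP_EOL;
      $string .= '<td class="state-marker"></td>' . PHP_EOL;
      if ($short)
      {
        $string .= ' <td class="syslog" style="white-space: nowrap">';
        $timediff = $GLOBALS['config']['time']['now'] - strtotime($entry['timestamp']);
        $string .= generate_tooltip_link('', formatUptime($timediff, "short-3"), format_timestamp($entry['timestamp']), NULL) . '</td>' . PHP_EOL;
      } else {
        $string .= ' <td width="130">';
        $string .= format_timestamp($entry['timestamp']) . '</td>' . PHP_EOL;
      }
      if ($list['device'])
      {
        $dev = device_by_id_cache($entry['device_id']);
        $device_vars = array('page' => 'device', 'device' => $entry['device_id'], 'tab' => 'logs', 'section' => 'syslog');
        $string .= ' <td class="entity">' . generate_device_link($dev, short_hostname($dev['hostname']), $device_vars) . '</td>' . PHP_EOL;
      }
      if ($list['priority'] && !$short)
      {
        $string .= ' <td style="color: ' . $prio['color'] . '; white-space: nowrap; width: 95px;"><span class="label label-' . $prio['label-class'] . '">' . nicecase($prio['name']) . ' (' . $entry['priority'] . ')</span></td>' . PHP_EOL;
      }

      // '[[EMPTY]]' is the placeholder the filter form uses for an empty program name
      $program = empty($entry['program']) ? '[[EMPTY]]' : $entry['program'];
      // program and msg are sender-controlled: escape both, not just msg
      $program = escape_html($program);
      if ($short)
      {
        $string .= ' <td class="syslog">';
        $string .= '<span class="label label-' . $prio['label-class'] . '"><strong>' . $program . '</strong></span> ';
      } else {
        $string .= ' <td>';
        $string .= '<span class="label label-' . $prio['label-class'] . '">' . $program . '</span>';
      }
      $string .= escape_html($entry['msg']) . '</td>' . PHP_EOL;
      $string .= ' </tr>' . PHP_EOL;
    }
    $string .= ' </tbody>' . PHP_EOL;
    $string .= '</table>' . PHP_EOL;
    $string .= generate_box_close();

    // Print pagination header
    if ($pagination && !$short)
    {
      $string = pagination($vars, $count) . $string . pagination($vars, $count);
    }

    // Print syslog
    echo $string;
  }
}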
/**
 * priority_string_to_numeric() must map each provider input to the expected numeric priority.
 *
 * @dataProvider providerPriorityStringToNumeric
 *
 * @param mixed $value  Input priority (name or number)
 * @param mixed $result Expected numeric priority
 */
public function testPriorityStringToNumeric($value, $result)
{
  $numeric = priority_string_to_numeric($value);
  $this->assertSame($result, $numeric);
}
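/**
 * Normalise a raw syslog entry, store it and queue alerts for matching syslog rules.
 *
 * The entry fields (host, msg, facility, priority, level, tag, timestamp, program)
 * originate from the syslog sender: any host able to reach the daemon controls
 * them. They are only ever used as data here (bound via dbInsert(), quoted via
 * preg_quote() when a field becomes part of a pattern).
 *
 * @param array $entry  Raw entry with at least host/msg/facility/priority/level/tag/timestamp
 * @param bool  $update Store the entry (and matching alerts) in the database
 * @return array|false  Rewritten entry, or FALSE when a configured filter string matched
 */
function process_syslog($entry, $update)
{
  global $config;
  global $rules;
  global $device_rules;
  global $maint;

  // Drop entries containing any configured filter substring
  foreach ($config['syslog']['filter'] as $bi)
  {
    if (strpos($entry['msg'], $bi) !== FALSE)
    {
      //echo('D-'.$bi);
      return FALSE;
    }
  }

  $entry['msg_orig'] = $entry['msg'];

  // Initial rewrites
  $entry['host'] = strtolower(trim($entry['host']));
  // Rewrite priority and level from strings to numbers
  $entry['priority'] = priority_string_to_numeric($entry['priority']);
  $entry['level']    = priority_string_to_numeric($entry['level']);

  $entry['device_id'] = get_cache($entry['host'], 'device_id');
  //print_vars($entry);
  //print_vars($GLOBALS['dev_cache']);

  $log_id = NULL; // only set once the entry has been stored

  if ($entry['device_id'])
  {
    $os       = get_cache($entry['host'], 'os');
    $os_group = get_cache($entry['host'], 'os_group');

    if (in_array($os, array('ios', 'iosxe', 'catos', 'asa')))
    {
      //NOTE. Please include examples for syslog entries, to know why need some preg_replace()
      if (strstr($entry['msg'], '%'))
      {
        //10.0.0.210||23||4||4||26644:||2013-11-08 07:19:24|| 033884: Nov 8 07:19:23.993: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1169729434 1500 bytes is out-of-order; expected seq:3124765814. Reason: TCP reassembly queue overflow - session 10.10.32.37:56316 to 93.186.239.142:80 on zone-pair Local->Internet class All_Inspection||26644
        //hostname||17||5||5||192462650:||2014-06-17 11:16:01|| %SSH-5-SSH2_SESSION: SSH2 Session request from 10.95.0.42 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded||192462650
        if (strpos($entry['msg'], ': %'))
        {
          list(, $entry['msg']) = explode(': %', $entry['msg'], 2);
          $entry['msg'] = "%" . $entry['msg'];
        }
        $entry['msg'] = preg_replace("/^%(.+?):\\ /", "\\1||", $entry['msg']);
      } else {
        $entry['msg'] = preg_replace("/^.*[0-9]:/", "", $entry['msg']);
        $entry['msg'] = preg_replace("/^[0-9][0-9]\\ [A-Z]{3}:/", "", $entry['msg']);
        $entry['msg'] = preg_replace("/^(.+?):\\ /", "\\1||", $entry['msg']);
      }
      //$entry['msg'] = preg_replace("/^.+\.[0-9]{3}:/", "", $entry['msg']); /// FIXME. Show which entries this should replace. It's broke all entries with 'IP:PORT'.
      $entry['msg'] = preg_replace("/^.+-Traceback=/", "Traceback||", $entry['msg']);

      // Split program||msg; the limit keeps a '||' inside the message text intact
      list($entry['program'], $entry['msg']) = explode("||", $entry['msg'], 2);
      $entry['msg'] = preg_replace("/^[0-9]+:/", "", $entry['msg']);
      if (!$entry['program'])
      {
        $entry['msg'] = preg_replace("/^([0-9A-Z\\-]+?):\\ /", "\\1||", $entry['msg']);
        list($entry['program'], $entry['msg']) = explode("||", $entry['msg'], 2);
      }
      if (!$entry['msg'])
      {
        $entry['msg'] = $entry['program'];
        unset($entry['program']);
      }
    }
    elseif ($os == 'iosxr')
    {
      //1.1.1.1||23||5||5||920:||2014-11-26 17:29:48||RP/0/RSP0/CPU0:Nov 26 16:29:48.161 : bgp[1046]: %ROUTING-BGP-5-ADJCHANGE : neighbor 1.1.1.2 Up (VRF: default) (AS: 11111) ||920
      //1.1.1.2||23||6||6||253:||2014-11-26 17:30:21||RP/0/RSP0/CPU0:Nov 26 16:30:21.710 : SSHD_[65755]: %SECURITY-SSHD-6-INFO_GENERAL : Client closes socket connection ||253
      //1.1.1.3||local0||err||err||83||2015-01-14 07:29:45||oly-er-01 LC/0/0/CPU0:Jan 14 07:29:45.556 CET: pfilter_ea[301]: %L2-PFILTER_EA-3-ERR_IM_CAPS : uidb set acl failed on interface Bundle-Ether1.1501.ip43696. (null) ||94795
      list(, $entry['msg']) = explode(': %', $entry['msg'], 2);
      list($entry['program'], $entry['msg']) = explode(' : ', $entry['msg'], 2);
    }
    elseif ($os == 'linux' && get_cache($entry['host'], 'version') == 'Point')
    {
      // Cisco WAP200 and similar
      $matches = array();
      if (preg_match('#Log: \\[(?P<program>.*)\\] - (?P<msg>.*)#', $entry['msg'], $matches))
      {
        $entry['msg']     = $matches['msg'];
        $entry['program'] = $matches['program'];
      }
      unset($matches);
    }
    elseif ($os_group == 'unix')
    {
      $matches = array();
      // User_CommonName/123.213.132.231:39872 VERIFY OK: depth=1, /C=PL/ST=Malopolska/O=VLO/CN=v-lo.krakow.pl/emailAddress=root@v-lo.krakow.pl
      // NOTE(review): the space before {3} and {2,} looks like a formatting artifact; verify the pattern against the example above
      if ($entry['facility'] == 'daemon' && preg_match('#/([0-9]{1,3}\\.) {3}[0-9]{1,3}:[0-9]{4,} ([A-Z]([A-Za-z])+( ?)) {2,}:#', $entry['msg']))
      {
        $entry['program'] = 'OpenVPN';
      }
      elseif ($entry['facility'] == 'mail' && preg_match('/^(((pop3|imap)\\-login)|((POP3|IMAP)\\(.*\\))):/', $entry['msg']))
      {
        $entry['program'] = 'Dovecot';
      }
      elseif (preg_match('/^(?P<program>(\\S((\\(|\\[).*(\\)|\\])))):(?P<msg>.*)$/', $entry['msg'], $matches))
      {
        $entry['msg']     = $matches['msg'];
        $entry['program'] = $matches['program'];
      }
      elseif (preg_match('/^(?P<program>[^\\s\\(\\[]*):\\ (?P<msg>.*)$/', $entry['msg'], $matches))
      {
        $entry['msg']     = $matches['msg'];
        $entry['program'] = $matches['program'];
      }
      // program is sender-supplied and becomes part of the pattern: quote it so it can
      // neither break the pattern (delimiter, unbalanced group) nor inject regex syntax
      elseif (!empty($entry['program']) && preg_match('/^.*:\\ ' . preg_quote($entry['program'], '/') . ':\\ (?P<msg>[^(]+\\((?P<program>[^:]+):.*)$/', $entry['msg'], $matches))
      {
        $entry['msg']     = $matches['msg'];
        $entry['program'] = $matches['program'];
      }
      elseif (empty($entry['program']) && !empty($entry['facility']))
      {
        $entry['program'] = $entry['facility'];
      }
      unset($matches);
    }
    elseif ($os == 'ftos')
    {
      if (empty($entry['program']))
      {
        //1.1.1.1||23||5||5||||2014-11-23 21:48:10|| Nov 23 21:48:10.745: hostname: %STKUNIT0-M:CP %SEC-5-LOGOUT: Exec session is terminated for user rancid on line vty0||
        list(, , $entry['program'], $entry['msg']) = explode(': ', $entry['msg'], 4);
        list(, $entry['program']) = explode(' %', $entry['program'], 2);
      }
      //Jun 3 02:33:23.489: %STKUNIT0-M:CP %SNMP-3-SNMP_AUTH_FAIL: SNMP Authentication failure for SNMP request from host 176.10.35.241
      //Jun 1 17:11:50.806: %STKUNIT0-M:CP %ARPMGR-2-MAC_CHANGE: IP-4-ADDRMOVE: IP address 11.222.30.53 is moved from MAC address 52:54:00:7b:37:ad to MAC address 52:54:00:e4:ec:06 .
    }
    elseif ($os == 'netscaler')
    {
      //10/03/2013:16:49:07 GMT dk-lb001a PPE-4 : UI CMD_EXECUTED 10367926 : User so_readonly - Remote_ip 10.70.66.56 - Command "stat lb vserver" - Status "Success"
      list(, , , $entry['msg']) = explode(' ', $entry['msg'], 4);
      list($entry['program'], $entry['msg']) = explode(' : ', $entry['msg'], 3);
    }

    if ($entry['program'] == '')
    {
      // FIXME, WHAT? Pls examples. (previously: move msg into program)
      if ($entry['msg'] == '')
      {
        // Something wrong, both program and msg empty
        return $entry;
      }
    }
    elseif (strpos($entry['program'], '(BZ2') === 0)
    {
      // The program field carries a "(BZ2..., mac, version)" tuple and the real program name leads msg:
      //Old: 10.10.34.10||3||6||6||hostapd:||2014-07-18 11:29:35|| ath2: STA c8:dd:c9:d1:d4:aa IEEE 802.11: associated||hostapd
      //New: 10.10.34.10||3||6||6||(BZ2LR,00272250c1cd,v3.2.5.2791)||2014-12-12 09:36:39|| hostapd: ath2: STA dc:a9:71:1b:d6:c7 IEEE 802.11: associated||(BZ2LR,00272250c1cd,v3.2.5.2791)
      list($entry['program'], $entry['msg']) = explode(': ', $entry['msg'], 2);
    }

    $entry['program'] = strtoupper($entry['program']);
    // array_walk($entry, 'trim') was a no-op (trim() returns the value instead of
    // modifying it by reference); trim string fields in place, leave ints alone
    array_walk($entry, function (&$v) { if (is_string($v)) { $v = trim($v); } });

    if ($update)
    {
      $log_id = dbInsert(array('device_id' => $entry['device_id'],
                               'host'      => $entry['host'],
                               'program'   => $entry['program'],
                               'facility'  => $entry['facility'],
                               'priority'  => $entry['priority'],
                               'level'     => $entry['level'],
                               'tag'       => $entry['tag'],
                               'msg'       => $entry['msg'],
                               'timestamp' => $entry['timestamp']), 'syslog');
    }

    $notification_type = 'syslog';
    /// FIXME, I not know how 'syslog_rules_assoc' is filled, I pass rules to all devices
    /// FIXME, this is copy-pasted from above, while not have WUI for syslog_rules_assoc
    foreach ($rules as $la_id => $rule)
    {
      // Rules apply to every device unless a per-device association list exists
      if ((empty($device_rules) || isset($device_rules[$entry['device_id']][$la_id])) && preg_match($rule['la_rule'], $entry['msg_orig']))
      {
        // Mark no notification during maintenance
        if (isset($maint['device'][$entry['device_id']]) || (isset($maint['global']) && $maint['global'] > 0))
        {
          $notified = '-1';
        } else {
          $notified = '0';
        }

        $log_id = dbInsert(array('device_id' => $entry['device_id'],
                                 'la_id'     => $la_id,
                                 'syslog_id' => $log_id,
                                 'timestamp' => $entry['timestamp'],
                                 'program'   => $entry['program'],
                                 'message'   => $entry['msg_orig'],
                                 'notified'  => $notified), 'syslog_alerts');

        // Get contacts for $la_id
        $transports = get_alert_contacts($entry['device_id'], $la_id, $notification_type);

        // Add notification to queue
        if ($notified != '-1' && !empty($transports))
        {
          $device = device_by_id_cache($entry['device_id']);
          $message_tags = array('ALERT_STATE'     => "SYSLOG",
                                'ALERT_URL'       => generate_url(array('page' => 'device', 'device' => $device['device_id'], 'tab' => 'alert', 'entity_type' => 'syslog')),
                                'ALERT_ID'        => $la_id,
                                'ALERT_MESSAGE'   => $rule['la_descr'],
                                'CONDITIONS'      => $rule['la_rule'],
                                'METRICS'         => $entry['msg'],
                                'SYSLOG_RULE'     => $rule['la_rule'],
                                'SYSLOG_MESSAGE'  => $entry['msg'],
                                'SYSLOG_PROGRAM'  => $entry['program'],
                                'TIMESTAMP'       => $entry['timestamp'],
                                'DEVICE_HOSTNAME' => $device['hostname'],
                                'DEVICE_LINK'     => generate_device_link($device),
                                'DEVICE_HARDWARE' => $device['hardware'],
                                'DEVICE_OS'       => $device['os_text'] . ' ' . $device['version'] . ' ' . $device['features'],
                                'DEVICE_LOCATION' => $device['location'],
                                'DEVICE_UPTIME'   => deviceUptime($device));
          $message_tags['TITLE'] = alert_generate_subject($device, 'SYSLOG', $message_tags);

          $notification = array('device_id'             => $entry['device_id'],
                                'log_id'                => $log_id,
                                'aca_type'              => $notification_type,
                                'severity'              => $entry['priority'],
                                'endpoints'             => json_encode($transports),
                                'notification_added'    => time(),
                                'notification_lifetime' => 300,
                                'notification_entry'    => json_encode($entry));
          $notification['message_tags'] = json_encode($message_tags);
          dbInsert($notification, 'notifications_queue');
        }
      }
    }
    unset($os);
  }
  elseif ($config['syslog']['unknown_hosts'])
  {
    if ($update)
    {
      array_walk($entry, function (&$v) { if (is_string($v)) { $v = trim($v); } });
      // Store entries for unknown hosts with NULL device_id
      $log_id = dbInsert(array('host'      => $entry['host'],
                               'program'   => $entry['program'],
                               'facility'  => $entry['facility'],
                               'priority'  => $entry['priority'],
                               'level'     => $entry['level'],
                               'tag'       => $entry['tag'],
                               'msg'       => $entry['msg'],
                               'timestamp' => $entry['timestamp']), 'syslog');
      //var_dump($entry);
    }
  }

  return $entry;
}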
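/**
 * Normalise a raw syslog entry per device OS and optionally store it.
 *
 * Entry fields (host, msg, facility, priority, level, tag, timestamp, program)
 * originate from the syslog sender and are treated as data only: the one place a
 * field becomes part of a regex it is wrapped in preg_quote().
 *
 * @param array $entry  Raw entry with at least host/msg/facility/priority/level/tag/timestamp
 * @param bool  $update Store the entry in the `syslog` table
 * @return array|false  Rewritten entry, or FALSE when a configured filter string matched
 */
function process_syslog($entry, $update)
{
  global $config;

  // Drop entries containing any configured filter substring
  foreach ($config['syslog']['filter'] as $bi)
  {
    if (strpos($entry['msg'], $bi) !== FALSE)
    {
      //echo('D-'.$bi);
      return FALSE;
    }
  }

  $entry['device_id'] = get_cache($entry['host'], 'device_id');

  if ($entry['device_id'])
  {
    $os       = get_cache($entry['host'], 'os');
    $os_group = get_cache($entry['host'], 'os_group');

    if (in_array($os, array('ios', 'iosxe', 'catos')))
    {
      //NOTE. Please include examples for syslog entries, to know why need some preg_replace()
      if (strstr($entry['msg'], "%"))
      {
        //10.0.0.210||23||4||4||26644:||2013-11-08 07:19:24|| 033884: Nov 8 07:19:23.993: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1169729434 1500 bytes is out-of-order; expected seq:3124765814. Reason: TCP reassembly queue overflow - session 10.10.32.37:56316 to 93.186.239.142:80 on zone-pair Local->Internet class All_Inspection||26644
        $entry['msg'] = preg_replace("/^%(.+?):\\ /", "\\1||", $entry['msg']);
        // Only strip the leading sequence/timestamp when a ': %' separator exists;
        // an unconditional explode() emptied messages that already start with '%'
        if (strpos($entry['msg'], ': %'))
        {
          list(, $entry['msg']) = explode(": %", $entry['msg'], 2);
          $entry['msg'] = "%" . $entry['msg'];
        }
        $entry['msg'] = preg_replace("/^%(.+?):\\ /", "\\1||", $entry['msg']);
      } else {
        $entry['msg'] = preg_replace("/^.*[0-9]:/", "", $entry['msg']);
        $entry['msg'] = preg_replace("/^[0-9][0-9]\\ [A-Z]{3}:/", "", $entry['msg']);
        $entry['msg'] = preg_replace("/^(.+?):\\ /", "\\1||", $entry['msg']);
      }
      //$entry['msg'] = preg_replace("/^.+\.[0-9]{3}:/", "", $entry['msg']); /// FIXME. Show which entries this should replace. It's broke all entries with 'IP:PORT'.
      $entry['msg'] = preg_replace("/^.+-Traceback=/", "Traceback||", $entry['msg']);

      // Split program||msg; the limit keeps a '||' inside the message text intact
      list($entry['program'], $entry['msg']) = explode("||", $entry['msg'], 2);
      $entry['msg'] = preg_replace("/^[0-9]+:/", "", $entry['msg']);
      if (!$entry['program'])
      {
        $entry['msg'] = preg_replace("/^([0-9A-Z\\-]+?):\\ /", "\\1||", $entry['msg']);
        list($entry['program'], $entry['msg']) = explode("||", $entry['msg'], 2);
      }
      if (!$entry['msg'])
      {
        $entry['msg'] = $entry['program'];
        unset($entry['program']);
      }
    }
    elseif ($os == 'linux' && get_cache($entry['host'], 'version') == 'Point')
    {
      // Cisco WAP200 and similar
      $matches = array();
      if (preg_match('#Log: \\[(?P<program>.*)\\] - (?P<msg>.*)#', $entry['msg'], $matches))
      {
        $entry['msg']     = $matches['msg'];
        $entry['program'] = $matches['program'];
      }
      unset($matches);
    }
    elseif ($os_group == 'unix')
    {
      $matches = array();
      // User_CommonName/123.213.132.231:39872 VERIFY OK: depth=1, /C=PL/ST=Malopolska/O=VLO/CN=v-lo.krakow.pl/emailAddress=root@v-lo.krakow.pl
      // NOTE(review): the space before {3} and {2,} looks like a formatting artifact; verify the pattern against the example above
      if ($entry['facility'] == 'daemon' && preg_match('#/([0-9]{1,3}\\.) {3}[0-9]{1,3}:[0-9]{4,} ([A-Z]([A-Za-z])+( ?)) {2,}:#', $entry['msg']))
      {
        $entry['program'] = 'OpenVPN';
      }
      elseif ($entry['facility'] == 'mail' && preg_match('/^(((pop3|imap)\\-login)|((POP3|IMAP)\\(.*\\))):/', $entry['msg']))
      {
        $entry['program'] = 'Dovecot';
      }
      elseif (preg_match('/^(?P<program>(\\S((\\(|\\[).*(\\)|\\])))):(?P<msg>.*)$/', $entry['msg'], $matches))
      {
        $entry['msg']     = $matches['msg'];
        $entry['program'] = $matches['program'];
      }
      elseif (preg_match('/^(?P<program>[^\\s\\(\\[]*):\\ (?P<msg>.*)$/', $entry['msg'], $matches))
      {
        $entry['msg']     = $matches['msg'];
        $entry['program'] = $matches['program'];
      }
      // program is sender-supplied and becomes part of the pattern: quote it so it can
      // neither break the pattern (delimiter, unbalanced group) nor inject regex syntax
      elseif (!empty($entry['program']) && preg_match('/^.*:\\ ' . preg_quote($entry['program'], '/') . ':\\ (?P<msg>[^(]+\\((?P<program>[^:]+):.*)$/', $entry['msg'], $matches))
      {
        $entry['msg']     = $matches['msg'];
        $entry['program'] = $matches['program'];
      }
      elseif (empty($entry['program']) && !empty($entry['facility']))
      {
        $entry['program'] = $entry['facility'];
      }
      unset($matches);
    }
    elseif ($os == 'ftos')
    {
      //Jun 3 02:33:23.489: %STKUNIT0-M:CP %SNMP-3-SNMP_AUTH_FAIL: SNMP Authentication failure for SNMP request from host 176.10.35.241
      //Jun 1 17:11:50.806: %STKUNIT0-M:CP %ARPMGR-2-MAC_CHANGE: IP-4-ADDRMOVE: IP address 11.222.30.53 is moved from MAC address 52:54:00:7b:37:ad to MAC address 52:54:00:e4:ec:06 .
      if (strstr($entry['msg'], '%'))
      {
        list(, $entry['program'], $entry['msg']) = explode(': ', $entry['msg'], 3);
        //$entry['timestamp'] = date("Y-m-d H:i:s", strtotime($entry['timestamp'])); // convert to timestamp
        list(, $entry['program']) = explode(' %', $entry['program'], 2);
      }
    }
    elseif ($os == 'netscaler')
    {
      //10/03/2013:16:49:07 GMT dk-lb001a PPE-4 : UI CMD_EXECUTED 10367926 : User so_readonly - Remote_ip 10.70.66.56 - Command "stat lb vserver" - Status "Success"
      list(, , , $entry['msg']) = explode(' ', $entry['msg'], 4);
      list($entry['program'], $entry['msg']) = explode(' : ', $entry['msg'], 3);
    }

    if (!isset($entry['program']))
    {
      $entry['program'] = $entry['msg'];
      unset($entry['msg']);
    }

    $entry['program'] = strtoupper($entry['program']);
    // array_walk($entry, 'trim') was a no-op (trim() returns the value instead of
    // modifying it by reference); trim string fields in place, leave ints alone
    array_walk($entry, function (&$v) { if (is_string($v)) { $v = trim($v); } });

    // Rewrite priority and level from strings to numbers
    $entry['priority'] = priority_string_to_numeric($entry['priority']);
    $entry['level']    = priority_string_to_numeric($entry['level']);

    if ($update)
    {
      dbInsert(array('device_id' => $entry['device_id'],
                     'program'   => $entry['program'],
                     'facility'  => $entry['facility'],
                     'priority'  => $entry['priority'],
                     'level'     => $entry['level'],
                     'tag'       => $entry['tag'],
                     'msg'       => $entry['msg'],
                     'timestamp' => $entry['timestamp']), 'syslog');
    }
    unset($os);
  }

  return $entry;
}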
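/**
 * Normalise a raw syslog entry per device OS and optionally store it.
 *
 * Entry fields (host, msg, facility, priority, level, tag, timestamp, program)
 * originate from the syslog sender and are treated as data only: the one place a
 * field becomes part of a regex it is wrapped in preg_quote().
 *
 * @param array $entry  Raw entry with at least host/msg/facility/priority/level/tag/timestamp
 * @param bool  $update Store the entry in the `syslog` table
 * @return array|false  Rewritten entry, or FALSE when a configured filter string matched
 */
function process_syslog($entry, $update)
{
  global $config;

  // Drop entries containing any configured filter substring
  foreach ($config['syslog']['filter'] as $bi)
  {
    if (strpos($entry['msg'], $bi) !== FALSE)
    {
      //echo('D-'.$bi);
      return FALSE;
    }
  }

  $entry['device_id'] = get_cache($entry['host'], 'device_id');

  if ($entry['device_id'])
  {
    $os       = get_cache($entry['host'], 'os');
    $os_group = get_cache($entry['host'], 'os_group');

    if (in_array($os, array('ios', 'iosxe', 'catos')))
    {
      //NOTE. Please include examples for syslog entries, to know why need some preg_replace()
      if (strstr($entry['msg'], '%'))
      {
        //10.0.0.210||23||4||4||26644:||2013-11-08 07:19:24|| 033884: Nov 8 07:19:23.993: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1169729434 1500 bytes is out-of-order; expected seq:3124765814. Reason: TCP reassembly queue overflow - session 10.10.32.37:56316 to 93.186.239.142:80 on zone-pair Local->Internet class All_Inspection||26644
        //hostname||17||5||5||192462650:||2014-06-17 11:16:01|| %SSH-5-SSH2_SESSION: SSH2 Session request from 10.95.0.42 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded||192462650
        if (strpos($entry['msg'], ': %'))
        {
          list(, $entry['msg']) = explode(': %', $entry['msg'], 2);
          $entry['msg'] = "%" . $entry['msg'];
        }
        $entry['msg'] = preg_replace("/^%(.+?):\\ /", "\\1||", $entry['msg']);
      } else {
        $entry['msg'] = preg_replace("/^.*[0-9]:/", "", $entry['msg']);
        $entry['msg'] = preg_replace("/^[0-9][0-9]\\ [A-Z]{3}:/", "", $entry['msg']);
        $entry['msg'] = preg_replace("/^(.+?):\\ /", "\\1||", $entry['msg']);
      }
      //$entry['msg'] = preg_replace("/^.+\.[0-9]{3}:/", "", $entry['msg']); /// FIXME. Show which entries this should replace. It's broke all entries with 'IP:PORT'.
      $entry['msg'] = preg_replace("/^.+-Traceback=/", "Traceback||", $entry['msg']);

      // Split program||msg; the limit keeps a '||' inside the message text intact
      list($entry['program'], $entry['msg']) = explode("||", $entry['msg'], 2);
      $entry['msg'] = preg_replace("/^[0-9]+:/", "", $entry['msg']);
      if (!$entry['program'])
      {
        $entry['msg'] = preg_replace("/^([0-9A-Z\\-]+?):\\ /", "\\1||", $entry['msg']);
        list($entry['program'], $entry['msg']) = explode("||", $entry['msg'], 2);
      }
      if (!$entry['msg'])
      {
        $entry['msg'] = $entry['program'];
        unset($entry['program']);
      }
    }
    elseif ($os == 'iosxr')
    {
      //1.1.1.1||23||5||5||920:||2014-11-26 17:29:48||RP/0/RSP0/CPU0:Nov 26 16:29:48.161 : bgp[1046]: %ROUTING-BGP-5-ADJCHANGE : neighbor 1.1.1.2 Up (VRF: default) (AS: 11111) ||920
      //1.1.1.2||23||6||6||253:||2014-11-26 17:30:21||RP/0/RSP0/CPU0:Nov 26 16:30:21.710 : SSHD_[65755]: %SECURITY-SSHD-6-INFO_GENERAL : Client closes socket connection ||253
      //1.1.1.3||local0||err||err||83||2015-01-14 07:29:45||oly-er-01 LC/0/0/CPU0:Jan 14 07:29:45.556 CET: pfilter_ea[301]: %L2-PFILTER_EA-3-ERR_IM_CAPS : uidb set acl failed on interface Bundle-Ether1.1501.ip43696. (null) ||94795
      list(, $entry['msg']) = explode(': %', $entry['msg'], 2);
      list($entry['program'], $entry['msg']) = explode(' : ', $entry['msg'], 2);
    }
    elseif ($os == 'linux' && get_cache($entry['host'], 'version') == 'Point')
    {
      // Cisco WAP200 and similar
      $matches = array();
      if (preg_match('#Log: \\[(?P<program>.*)\\] - (?P<msg>.*)#', $entry['msg'], $matches))
      {
        $entry['msg']     = $matches['msg'];
        $entry['program'] = $matches['program'];
      }
      unset($matches);
    }
    elseif ($os_group == 'unix')
    {
      $matches = array();
      // User_CommonName/123.213.132.231:39872 VERIFY OK: depth=1, /C=PL/ST=Malopolska/O=VLO/CN=v-lo.krakow.pl/emailAddress=root@v-lo.krakow.pl
      // NOTE(review): the space before {3} and {2,} looks like a formatting artifact; verify the pattern against the example above
      if ($entry['facility'] == 'daemon' && preg_match('#/([0-9]{1,3}\\.) {3}[0-9]{1,3}:[0-9]{4,} ([A-Z]([A-Za-z])+( ?)) {2,}:#', $entry['msg']))
      {
        $entry['program'] = 'OpenVPN';
      }
      elseif ($entry['facility'] == 'mail' && preg_match('/^(((pop3|imap)\\-login)|((POP3|IMAP)\\(.*\\))):/', $entry['msg']))
      {
        $entry['program'] = 'Dovecot';
      }
      elseif (preg_match('/^(?P<program>(\\S((\\(|\\[).*(\\)|\\])))):(?P<msg>.*)$/', $entry['msg'], $matches))
      {
        $entry['msg']     = $matches['msg'];
        $entry['program'] = $matches['program'];
      }
      elseif (preg_match('/^(?P<program>[^\\s\\(\\[]*):\\ (?P<msg>.*)$/', $entry['msg'], $matches))
      {
        $entry['msg']     = $matches['msg'];
        $entry['program'] = $matches['program'];
      }
      // program is sender-supplied and becomes part of the pattern: quote it so it can
      // neither break the pattern (delimiter, unbalanced group) nor inject regex syntax
      elseif (!empty($entry['program']) && preg_match('/^.*:\\ ' . preg_quote($entry['program'], '/') . ':\\ (?P<msg>[^(]+\\((?P<program>[^:]+):.*)$/', $entry['msg'], $matches))
      {
        $entry['msg']     = $matches['msg'];
        $entry['program'] = $matches['program'];
      }
      elseif (empty($entry['program']) && !empty($entry['facility']))
      {
        $entry['program'] = $entry['facility'];
      }
      unset($matches);
    }
    elseif ($os == 'ftos')
    {
      if (empty($entry['program']))
      {
        //1.1.1.1||23||5||5||||2014-11-23 21:48:10|| Nov 23 21:48:10.745: hostname: %STKUNIT0-M:CP %SEC-5-LOGOUT: Exec session is terminated for user rancid on line vty0||
        list(, , $entry['program'], $entry['msg']) = explode(': ', $entry['msg'], 4);
        list(, $entry['program']) = explode(' %', $entry['program'], 2);
      }
      //Jun 3 02:33:23.489: %STKUNIT0-M:CP %SNMP-3-SNMP_AUTH_FAIL: SNMP Authentication failure for SNMP request from host 176.10.35.241
      //Jun 1 17:11:50.806: %STKUNIT0-M:CP %ARPMGR-2-MAC_CHANGE: IP-4-ADDRMOVE: IP address 11.222.30.53 is moved from MAC address 52:54:00:7b:37:ad to MAC address 52:54:00:e4:ec:06 .
    }
    elseif ($os == 'netscaler')
    {
      //10/03/2013:16:49:07 GMT dk-lb001a PPE-4 : UI CMD_EXECUTED 10367926 : User so_readonly - Remote_ip 10.70.66.56 - Command "stat lb vserver" - Status "Success"
      list(, , , $entry['msg']) = explode(' ', $entry['msg'], 4);
      list($entry['program'], $entry['msg']) = explode(' : ', $entry['msg'], 3);
    }

    if ($entry['program'] == '')
    {
      // FIXME, WHAT? Pls examples. (previously: move msg into program)
      if ($entry['msg'] == '')
      {
        // Something wrong, both program and msg empty
        return $entry;
      }
    }
    elseif (strpos($entry['program'], '(BZ2') === 0)
    {
      // The program field carries a "(BZ2..., mac, version)" tuple and the real program name leads msg:
      //Old: 10.10.34.10||3||6||6||hostapd:||2014-07-18 11:29:35|| ath2: STA c8:dd:c9:d1:d4:aa IEEE 802.11: associated||hostapd
      //New: 10.10.34.10||3||6||6||(BZ2LR,00272250c1cd,v3.2.5.2791)||2014-12-12 09:36:39|| hostapd: ath2: STA dc:a9:71:1b:d6:c7 IEEE 802.11: associated||(BZ2LR,00272250c1cd,v3.2.5.2791)
      list($entry['program'], $entry['msg']) = explode(': ', $entry['msg'], 2);
    }

    $entry['program'] = strtoupper($entry['program']);
    // array_walk($entry, 'trim') was a no-op (trim() returns the value instead of
    // modifying it by reference); trim string fields in place, leave ints alone
    array_walk($entry, function (&$v) { if (is_string($v)) { $v = trim($v); } });

    // Rewrite priority and level from strings to numbers
    $entry['priority'] = priority_string_to_numeric($entry['priority']);
    $entry['level']    = priority_string_to_numeric($entry['level']);

    if ($update)
    {
      dbInsert(array('device_id' => $entry['device_id'],
                     'program'   => $entry['program'],
                     'facility'  => $entry['facility'],
                     'priority'  => $entry['priority'],
                     'level'     => $entry['level'],
                     'tag'       => $entry['tag'],
                     'msg'       => $entry['msg'],
                     'timestamp' => $entry['timestamp']), 'syslog');
    }
    unset($os);
  } else {
    // NOT FINISHED: store entries for unknown hosts in a temporary table
    // (planned: unset device_id and dbInsert(host, json_encode(entry)) into `syslog_unknown`)
  }

  return $entry;
}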
