/**
 * Store the log file name, expanding date/time placeholders first.
 *
 * Placeholders are expanded with date() as follows: %y, %Y, %m and %d use
 * the same date() letter, %M is the minute ("i"), %h the 24-hour hour ("H"),
 * %S the second ("s"), %w the numeric weekday ("w") and %W the short weekday
 * name ("D").
 *
 * NOTE(review): only the placeholders are rewritten. The rest of the value is
 * stored unchanged, so any path validation has to happen in the caller.
 *
 * @param string $szNewVal file name, optionally containing placeholders
 */
public function SetFileName($szNewVal)
 {
     $bHasPlaceholder = strpos($szNewVal, "%") !== false;
     if ($bHasPlaceholder) {
         OutputDebugMessage("LogStreamConfigDisk|SetFileName: Filename before replacing: " . $szNewVal, DEBUG_DEBUG);

         // Placeholder => current value; every value is taken from date() at call time
         $arrTokens = array(
             "%y" => date("y"),
             "%Y" => date("Y"),
             "%m" => date("m"),
             "%M" => date("i"),
             "%d" => date("d"),
             "%h" => date("H"),
             "%S" => date("s"),
             "%w" => date("w"),
             "%W" => date("D"),
         );
         $szNewVal = str_replace(array_keys($arrTokens), array_values($arrTokens), $szNewVal);

         OutputDebugMessage("LogStreamConfigDisk|SetFileName: Filename after replacing: " . $szNewVal, DEBUG_DEBUG);
     }

     // Store the (possibly expanded) name on the config object
     $this->FileName = $szNewVal;
 }
 /**
  * Parse one WinSyslog / EventReporter formatted line into syslog properties.
  *
  * Two layouts are tried in order: the full layout ending in "tag:message" and
  * a fallback without a tag. The second timestamp of the line is matched but
  * not stored. When neither layout matches, only SYSLOG_MESSAGETYPE has been
  * written, and a debug message is emitted if a non-empty SYSLOG_MESSAGE was
  * already present in $arrArguments.
  *
  * NOTE(review): host, tag and message are copied verbatim from the log line;
  * nothing is escaped here, so consumers have to encode them for their own
  * output context.
  *
  * @param string $szLine       raw log line
  * @param array  $arrArguments in&out: properties of interest. There can be no guarantee the logstream can actually deliver them.
  * @return integer Error state; this implementation always returns SUCCESS
  */
 public function ParseLine($szLine, &$arrArguments)
 {
     global $content;

     // Default message type; may be overridden by the tag check at the end
     $arrArguments[SYSLOG_MESSAGETYPE] = IUT_Syslog;

     // Sample (WinSyslog/EventReporter): 2008-04-02,15:19:06,2008-04-02,15:19:06,127.0.0.1,16,5,EvntSLog: Performance counters for the RSVP (QoS RSVP) service were loaded successfully.
     $szWithTag = "/([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}.[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}),([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}.[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}),(.*?),([0-9]{1,2}),([0-9]{1,2}),(.*?):(.*?)\$/";
     $szNoTag = "/([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}.[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}),([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}.[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}),(.*?),([0-9]{1,2}),([0-9]{1,2}),(.*?)\$/";

     if (preg_match($szWithTag, $szLine, $arrMatch)) {
         // Full layout: date, host, facility, severity, tag, message
         $arrArguments[SYSLOG_DATE] = GetEventTime($arrMatch[1]);
         $arrArguments[SYSLOG_HOST] = $arrMatch[3];
         $arrArguments[SYSLOG_FACILITY] = $arrMatch[4];
         $arrArguments[SYSLOG_SEVERITY] = $arrMatch[5];
         $arrArguments[SYSLOG_SYSLOGTAG] = $arrMatch[6];
         $arrArguments[SYSLOG_MESSAGE] = $arrMatch[7];
     } elseif (preg_match($szNoTag, $szLine, $arrMatch)) {
         // Same layout without a tag; everything after the severity is the message
         $arrArguments[SYSLOG_DATE] = GetEventTime($arrMatch[1]);
         $arrArguments[SYSLOG_HOST] = $arrMatch[3];
         $arrArguments[SYSLOG_FACILITY] = $arrMatch[4];
         $arrArguments[SYSLOG_SEVERITY] = $arrMatch[5];
         $arrArguments[SYSLOG_MESSAGE] = $arrMatch[6];
     } elseif (isset($arrArguments[SYSLOG_MESSAGE]) && strlen($arrArguments[SYSLOG_MESSAGE]) > 0) {
         // Neither layout matched; report the message the caller handed in
         OutputDebugMessage("Unparseable Winsyslog message - '" . $arrArguments[SYSLOG_MESSAGE] . "'", DEBUG_ERROR);
     }

     // A tag containing "EvntSLog" marks the line as an NT event report
     if (isset($arrArguments[SYSLOG_SYSLOGTAG]) && strpos($arrArguments[SYSLOG_SYSLOGTAG], "EvntSLog") !== false) {
         $arrArguments[SYSLOG_MESSAGETYPE] = IUT_NT_EventReport;
     }

     return SUCCESS;
 }
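 /**
  * Init advanced settings from the _customFilters string.
  *
  * _customFilters is read as a comma separated list of "name=>value" pairs.
  * A pair is applied only when its name is a key of _arrCustomFilters and is
  * one of the property names listed below; the value is always stored via
  * intval(). Number filters are additionally checked against the optional
  * 'MinValue' (inclusive lower bound) and 'MaxValue' (exclusive upper bound)
  * of the filter definition. Everything else is reported to the debug log.
  */
 public function InitAdvancedSettings()
 {
     // Nothing to parse without a filter string
     if (strlen($this->_customFilters) <= 0) {
         return;
     }

     // Fixed allow-lists of assignable properties. The property name comes out
     // of the configuration string, so it is only ever used for an assignment
     // after it has been found in one of these lists.
     $arrNumberProps = array('_maxHosts', '_maxauditsummarysPerHost', '_colorThreshold');
     $arrBoolProps = array(
         '_events_logon',
         '_events_logoff',
         '_events_logonfail',
         '_events_policychangeevents',
         '_events_objectaccess',
         '_events_systemevents',
         '_events_hostsessionevents',
         '_events_useraccchangeevents',
         '_events_auditpolicychangesevents',
         '_events_useractions',
         '_events_hostactions',
     );

     // Iterate by value: the loop never writes back, and a by-reference loop
     // variable would stay bound to the last element after the loop.
     foreach (explode(",", $this->_customFilters) as $myFilterValue) {
         // Split "name=>value"
         $tmpArray = explode("=>", $myFilterValue);
         $tmpfilterid = trim($tmpArray[0]);

         // Unknown filter names are ignored silently
         if (!isset($this->_arrCustomFilters[$tmpfilterid])) {
             continue;
         }
         $arrFilterDef = $this->_arrCustomFilters[$tmpfilterid];

         // A pair without "=>" has no value part; use an empty value instead
         // of reading an undefined array offset.
         $szNewVal = isset($tmpArray[1]) ? trim($tmpArray[1]) : '';
         $iNewVal = intval($szNewVal);

         // Range check: below MinValue or at/above MaxValue is out of range
         $bBelowMin = isset($arrFilterDef['MinValue']) && $iNewVal < $arrFilterDef['MinValue'];
         $bAtOrAboveMax = isset($arrFilterDef['MaxValue']) && $iNewVal >= $arrFilterDef['MaxValue'];

         if ($arrFilterDef[FILTER_TYPE] == FILTER_TYPE_NUMBER && !$bBelowMin && !$bAtOrAboveMax) {
             if (in_array($tmpfilterid, $arrNumberProps, true)) {
                 $this->{$tmpfilterid} = $iNewVal;
             }
         } elseif ($arrFilterDef[FILTER_TYPE] == FILTER_TYPE_BOOL) {
             if (in_array($tmpfilterid, $arrBoolProps, true)) {
                 $this->{$tmpfilterid} = $iNewVal;
             }
         } else {
             // Reached for out-of-range numbers and for any other filter type
             OutputDebugMessage("Failed setting advanced report option property '" . $tmpfilterid . "', value not in value range!", DEBUG_ERROR);
         }
     }
 }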
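/**
 * Discover report modules and register them in $content['REPORTS'].
 *
 * Every file below <root>classes/reports/ named
 * report.<category>.<id>.class.php is included, the class "Report_<id>" is
 * instantiated and its public properties are copied into
 * $content['REPORTS'][<id>]. When $content['database_installedversion'] is 9
 * or higher, the saved reports for that id are loaded from DB_SAVEDREPORTS
 * as well.
 *
 * The report id is taken from the file name and ends up in a class name and
 * inside an SQL string literal, so ids made of anything but ASCII letters,
 * digits and underscore are skipped.
 *
 * @param string $szRootPath application root path; falls back to the global $gl_root_path when empty
 */
function InitReportModules($szRootPath = "")
{
    global $content, $gl_root_path;

    // Fall back to the global root path when no path was passed
    if (strlen($szRootPath) == 0) {
        $szRootPath = $gl_root_path;
    }
    $szDirectory = $szRootPath . 'classes/reports/';

    // Treat anything that is not an array as "no files found"
    $aFiles = list_files($szDirectory, true);
    if (!is_array($aFiles)) {
        $aFiles = array();
    }

    foreach ($aFiles as $myFile) {
        // Only files named report.<category>.<id>.class.php are report modules
        if (!preg_match("/report\\.(.*?)\\.(.*?)\\.class\\.php\$/", $myFile, $out)) {
            continue;
        }
        $myReportCat = $out[1];
        $myReportID = $out[2];

        // The id is used as a class name suffix and inside a quoted SQL literal
        // below; anything that is not a plain identifier cannot name a class
        // and must not reach the query string.
        if (!preg_match('/\A[A-Za-z0-9_]+\z/', $myReportID)) {
            OutputDebugMessage("InitReportModules: Skipping report file '" . $myFile . "', report id is not a valid identifier", DEBUG_ERROR);
            continue;
        }

        // Check if the report file exists
        $szIncludeFile = $szDirectory . $myFile;
        if (!file_exists($szIncludeFile)) {
            OutputDebugMessage("InitReportModules: Reportfile '" . $szIncludeFile . "' does not exist!", DEBUG_ERROR);
            continue;
        }

        // Try to include; error_get_last() replaces $php_errormsg, which is
        // only populated with track_errors and no longer exists in PHP 8.
        if (!(include_once $szIncludeFile)) {
            $arrLastError = error_get_last();
            $szLastError = isset($arrLastError['message']) ? $arrLastError['message'] : '';
            OutputDebugMessage("InitReportModules: Failed including report file '" . $szIncludeFile . "' with error: '" . $szLastError . "'", DEBUG_ERROR);
            continue;
        }

        // Instantiating a missing class is a fatal error, so verify first
        $szReportClass = "Report_" . $myReportID;
        if (!class_exists($szReportClass)) {
            OutputDebugMessage("InitReportModules: Report file '" . $szIncludeFile . "' does not define class '" . $szReportClass . "'", DEBUG_ERROR);
            continue;
        }

        // Create an instance and read its descriptive properties
        $tmpReport = new $szReportClass();

        // Add entry to report modules list!
        $content['REPORTS'][$myReportID] = array(
            "ID" => $myReportID,
            "Category" => $myReportCat,
            "DisplayName" => $tmpReport->_reportTitle,
            "Description" => $tmpReport->_reportDescription,
            "ReportVersion" => $tmpReport->_reportVersion,
            "ReportHelpArticle" => $tmpReport->_reportHelpArticle,
            "NeedsInit" => $tmpReport->_reportNeedsInit,
            "Initialized" => $tmpReport->_reportInitialized,
            "ObjRef" => $tmpReport,
            "RequiredFieldsList" => $tmpReport->GetRequiredProperties(),
        );

        // Saved reports are only available if DB Version is 9 or higher
        if ($content['database_installedversion'] < 9) {
            continue;
        }

        // $myReportID was restricted to [A-Za-z0-9_] above, so it cannot
        // break out of the quoted literal in the WHERE clause.
        $sqlquery = " SELECT " . DB_SAVEDREPORTS . ".ID as SavedReportID, "
            . DB_SAVEDREPORTS . ".sourceid, "
            . DB_SAVEDREPORTS . ".customTitle, "
            . DB_SAVEDREPORTS . ".customComment, "
            . DB_SAVEDREPORTS . ".filterString, "
            . DB_SAVEDREPORTS . ".customFilters, "
            . DB_SAVEDREPORTS . ".outputFormat, "
            . DB_SAVEDREPORTS . ".outputTarget, "
            . DB_SAVEDREPORTS . ".outputTargetDetails, "
            . DB_SAVEDREPORTS . ".scheduleSettings "
            . " FROM `" . DB_SAVEDREPORTS . "`"
            . " WHERE `" . DB_SAVEDREPORTS . "`.reportid = '" . $myReportID . "' "
            . " ORDER BY `" . DB_SAVEDREPORTS . "`.customTitle";

        $result = DB_Query($sqlquery);
        $myrows = DB_GetAllRows($result, true);
        if (!is_array($myrows) || count($myrows) == 0) {
            continue;
        }

        $content['REPORTS'][$myReportID]['HASSAVEDREPORTS'] = true;

        // Iterate by value: each row is copied into $content anyway, and no
        // reference is left bound to the last row after the loop.
        foreach ($myrows as $mySavedReport) {
            // Set default output target if not set
            if (!isset($mySavedReport['outputTarget']) || strlen($mySavedReport['outputTarget']) <= 0) {
                $mySavedReport['outputTarget'] = REPORT_TARGET_STDOUT;
            }
            // Add saved report into global array
            $content['REPORTS'][$myReportID]['SAVEDREPORTS'][$mySavedReport['SavedReportID']] = $mySavedReport;
        }
    }
    // TODO: compare update report modules registered in database
}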
 /**
  * Append a filter definition to the current stream.
  *
  * The filter string is written to the debug log and then handed to
  * ParseFilters(); the return value of ParseFilters() is not inspected.
  *
  * @param string $szFilters in: filter definition string
  * @return integer Error state; this implementation always returns SUCCESS
  */
 public function AppendFilter($szFilters)
 {
     // Log the raw filter string before it is parsed
     $szDebugMsg = "LogStream|AppendFilter: SetFilter combined = '" . $szFilters . "'. ";
     OutputDebugMessage($szDebugMsg, DEBUG_DEBUG);

     // Merge the parsed filters into the stream
     $this->ParseFilters($szFilters);

     return SUCCESS;
 }
 /**
  * Parse one syslog formatted line into syslog properties.
  *
  * Seven layouts are tried in order, from the most specific ("Mon D h:m:s
  * host tag[pid]: msg") down to a bare "timestamp,message" pair; the first
  * match wins. When nothing matches, only SYSLOG_MESSAGETYPE has been
  * written, and a debug message is emitted if a non-empty SYSLOG_MESSAGE was
  * already present in $arrArguments.
  *
  * NOTE(review): host, tag, process id and message are copied verbatim from
  * the log line; nothing is escaped here, so consumers have to encode them
  * for their own output context.
  *
  * @param string $szLine       raw log line
  * @param array  $arrArguments in&out: properties of interest. There can be no guarantee the logstream can actually deliver them.
  * @return integer Error state; this implementation always returns SUCCESS
  */
 public function ParseLine($szLine, &$arrArguments)
 {
     // Default message type; may be overridden by the tag check at the end
     $arrArguments[SYSLOG_MESSAGETYPE] = IUT_Syslog;

     // Sample (Syslog): Mar 10 14:45:44 debandre anacron[3226]: Job `cron.daily' terminated (mailing output)
     if (preg_match("/(...)(?:.|..)([0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}) ([a-zA-Z0-9_\\-\\.]{1,256}) ([A-Za-z0-9_\\-\\/\\.]{1,32})\\[(.*?)\\]:(.*?)\$/", $szLine, $arrMatch)) {
         // "Mon D h:m:s host tag[pid]:msg"
         $arrArguments[SYSLOG_DATE] = GetEventTime($arrMatch[1] . " " . $arrMatch[2]);
         $arrArguments[SYSLOG_HOST] = $arrMatch[3];
         $arrArguments[SYSLOG_SYSLOGTAG] = $arrMatch[4];
         $arrArguments[SYSLOG_PROCESSID] = $arrMatch[5];
         $arrArguments[SYSLOG_MESSAGE] = $arrMatch[6];
     } elseif (preg_match("/(...)(?:.|..)([0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}) ([a-zA-Z0-9_\\-\\.]{1,256}) ([A-Za-z0-9_\\-\\/\\.]{1,32}):(.*?)\$/", $szLine, $arrMatch)) {
         // "Mon D h:m:s host tag:msg" (no process id)
         $arrArguments[SYSLOG_DATE] = GetEventTime($arrMatch[1] . " " . $arrMatch[2]);
         $arrArguments[SYSLOG_HOST] = $arrMatch[3];
         $arrArguments[SYSLOG_SYSLOGTAG] = $arrMatch[4];
         $arrArguments[SYSLOG_MESSAGE] = $arrMatch[5];
     } elseif (preg_match("/(...)(?:.|..)([0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}) ([a-zA-Z0-9_\\-\\.]{1,256}) ([A-Za-z0-9_\\-\\/\\.]{1,32}) (.*?)\$/", $szLine, $arrMatch)) {
         // "Mon D h:m:s host tag msg" (tag separated by a space)
         $arrArguments[SYSLOG_DATE] = GetEventTime($arrMatch[1] . " " . $arrMatch[2]);
         $arrArguments[SYSLOG_HOST] = $arrMatch[3];
         $arrArguments[SYSLOG_SYSLOGTAG] = $arrMatch[4];
         $arrArguments[SYSLOG_MESSAGE] = $arrMatch[5];
     } elseif (preg_match("/(...)(?:.|..)([0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}) (.*?) (.*?)\$/", $szLine, $arrMatch)) {
         // "Mon D h:m:s host msg" (no tag at all)
         $arrArguments[SYSLOG_DATE] = GetEventTime($arrMatch[1] . " " . $arrMatch[2]);
         $arrArguments[SYSLOG_HOST] = $arrMatch[3];
         $arrArguments[SYSLOG_MESSAGE] = $arrMatch[4];
     } elseif (preg_match("/([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}.[0-9]{1,2}:[0-9]{1,2}) (.*?) (.*?):(.*?)\$/", $szLine, $arrMatch)) {
         // "YYYY-MM-DDTh:m:s<offset> host tag:msg"
         $arrArguments[SYSLOG_DATE] = GetEventTime($arrMatch[1]);
         $arrArguments[SYSLOG_HOST] = $arrMatch[2];
         $arrArguments[SYSLOG_SYSLOGTAG] = $arrMatch[3];
         $arrArguments[SYSLOG_MESSAGE] = $arrMatch[4];
     } elseif (preg_match("/([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}\\.[0-9]{1,6}.[0-9]{1,2}:[0-9]{1,2}) (.*?) (.*?):(.*?)\$/", $szLine, $arrMatch)) {
         // Same as above, with fractional seconds in the timestamp
         $arrArguments[SYSLOG_DATE] = GetEventTime($arrMatch[1]);
         $arrArguments[SYSLOG_HOST] = $arrMatch[2];
         $arrArguments[SYSLOG_SYSLOGTAG] = $arrMatch[3];
         $arrArguments[SYSLOG_MESSAGE] = $arrMatch[4];
     } elseif (preg_match("/([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}\\.[0-9]{1,6}.[0-9]{1,2}:[0-9]{1,2}),(.*?)\$/", $szLine, $arrMatch)) {
         // "timestamp,msg" - some kind of debug message without host or tag
         $arrArguments[SYSLOG_DATE] = GetEventTime($arrMatch[1]);
         $arrArguments[SYSLOG_MESSAGE] = $arrMatch[2];
     } elseif (isset($arrArguments[SYSLOG_MESSAGE]) && strlen($arrArguments[SYSLOG_MESSAGE]) > 0) {
         // No layout matched; report the message the caller handed in
         OutputDebugMessage("Unparseable syslog msg - '" . $arrArguments[SYSLOG_MESSAGE] . "'", DEBUG_ERROR);
     }

     // A tag containing "EvntSLog" marks the line as an NT event report
     if (isset($arrArguments[SYSLOG_SYSLOGTAG]) && strpos($arrArguments[SYSLOG_SYSLOGTAG], "EvntSLog") !== false) {
         $arrArguments[SYSLOG_MESSAGETYPE] = IUT_NT_EventReport;
     }

     return SUCCESS;
 }
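/**
 * Record a failed database operation and either abort or continue.
 *
 * The message is assembled from the caller's text, the driver error, the
 * current date, the request URI and the referer. With $DieOrNot set it is
 * passed to DieWithErrorMsg(); otherwise it is written to the debug log and
 * appended to $content['detailederror'] together with <br> markup.
 *
 * Because the message ends up next to HTML markup, the driver error text, the
 * request URI and the referer are HTML-encoded before they are added: the URI
 * and referer are chosen by the client, and driver error text can repeat
 * parts of the failing statement.
 *
 * NOTE(review): $MyErrorMsg is inserted unchanged because callers may pass
 * markup on purpose - confirm against the call sites and encode there if not.
 * NOTE(review): mysql_error()/mysql_errno() belong to the legacy mysql
 * extension, which was removed in PHP 7; migrating needs the connection
 * handle, which is not visible in this function.
 *
 * @param string $MyErrorMsg caller supplied description of what failed
 * @param bool   $DieOrNot   true to abort via DieWithErrorMsg(), false to record the error and return
 */
function DB_PrintError($MyErrorMsg, $DieOrNot)
{
    global $content, $n, $HTTP_COOKIE_VARS, $errdesc, $errno, $linesep;

    // The raw driver values stay available to other code through the globals
    $errdesc = mysql_error();
    $errno = mysql_errno();

    // Define global variable so we know an error has occured!
    if (!defined('PHPLOGCON_INERROR')) {
        define('PHPLOGCON_INERROR', true);
    }

    // ENT_SUBSTITUTE keeps text with invalid byte sequences from being
    // dropped entirely; it is only used where the runtime provides it.
    $iEscFlags = defined('ENT_SUBSTITUTE') ? (ENT_QUOTES | ENT_SUBSTITUTE) : ENT_QUOTES;
    $szSafeErrDesc = htmlspecialchars((string) $errdesc, $iEscFlags);
    $szSafeScript = htmlspecialchars((string) getenv("REQUEST_URI"), $iEscFlags);
    $szSafeReferer = htmlspecialchars((string) getenv("HTTP_REFERER"), $iEscFlags);

    $errormsg = "Database error: {$MyErrorMsg} {$linesep}";
    $errormsg .= "mysql error: {$szSafeErrDesc} {$linesep}";
    $errormsg .= "mysql error number: {$errno} {$linesep}";
    $errormsg .= "Date: " . date("d.m.Y @ H:i") . $linesep;
    $errormsg .= "Script: " . $szSafeScript . $linesep;
    $errormsg .= "Referer: " . $szSafeReferer . $linesep;

    if ($DieOrNot == true) {
        DieWithErrorMsg("{$linesep}" . $errormsg);
    } else {
        OutputDebugMessage("DB_PrintError: {$errormsg}", DEBUG_ERROR);

        // The first error sets the code and text, later ones are appended
        if (!isset($content['detailederror'])) {
            $content['detailederror_code'] = ERROR_DB_QUERYFAILED;
            $content['detailederror'] = GetErrorMessage(ERROR_DB_QUERYFAILED);
        } else {
            $content['detailederror'] .= "<br><br>" . GetErrorMessage(ERROR_DB_QUERYFAILED);
        }

        // Append SQL Detail Error
        $content['detailederror'] .= "<br><br>" . $errormsg;
    }
}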
 /**
  * List the trigger names known to the connected database.
  *
  * The statement depends on the configured DBType (MySQL, PostgreSQL or
  * MSSQL). None of the three statements is restricted to DBTableName, even
  * though the debug message mentions the table.
  *
  * @return mixed the error code from Verify() when it is not SUCCESS, null for
  *               an unsupported DBType, otherwise an array of lower-cased
  *               trigger names (empty when the query fails)
  */
 private function GetTriggersAsArray()
 {
     global $querycount;

     // Verify database connection (This also opens the database!)
     $iVerify = $this->Verify();
     if ($iVerify != SUCCESS) {
         return $iVerify;
     }

     // Pick the catalog statement for the configured database type
     switch ($this->_logStreamConfigObj->DBType) {
         case DB_MYSQL:
             $szSql = "SHOW TRIGGERS";
             break;
         case DB_PGSQL:
             $szSql = "SELECT tgname as \"Trigger\" from pg_trigger;";
             break;
         case DB_MSSQL:
             $szSql = "SELECT B.Name as TableName,A.name AS 'Trigger' FROM sysobjects A,sysobjects B WHERE A.xtype='TR' AND A.parent_obj = B.id";
             break;
         default:
             // Not supported in this case!
             return null;
     }

     OutputDebugMessage("LogStreamPDO|GetTriggersAsArray: List Triggers for '" . $this->_logStreamConfigObj->DBTableName . "' - " . $szSql, DEBUG_ULTRADEBUG);

     $arrIndexTriggers = array();
     $myQuery = $this->_dbhandle->query($szSql);
     if (!$myQuery) {
         // A failed query yields an empty list
         return $arrIndexTriggers;
     }

     // Collect the "Trigger" column of every row in lower case
     while ($myRow = $myQuery->fetch(PDO::FETCH_ASSOC)) {
         $arrIndexTriggers[] = strtolower($myRow['Trigger']);
     }

     // Free query now
     $myQuery->closeCursor();

     // Increment for the Footer Stats
     $querycount++;

     return $arrIndexTriggers;
 }
/**
 * Convert a timestamp string found in a log line into an event time array.
 *
 * Nine textual layouts are tried in order; the first match wins. The result
 * always carries EVTIME_TIMESTAMP, EVTIME_TIMEZONE and EVTIME_MICROSECONDS.
 * An unrecognised string yields timestamp 0 and a debug warning.
 *
 * NOTE(review): in every branch the timestamp comes from mktime() on the
 * parsed fields. A UTC offset found in the string is only stored in
 * EVTIME_TIMEZONE and is not passed to mktime(). Keep this in mind when
 * correlating events across hosts.
 * NOTE(review): the layout without a year assumes the current year and steps
 * back one year when the result lies in the future.
 *
 * @param string $szTimStr timestamp text
 * @return array event time array keyed by the EVTIME_* constants
 */
function GetEventTime($szTimStr)
{
    if (preg_match("/(...) ([0-9]{1,2}) ([0-9]{1,2}):([0-9]{1,2}):([0-9]{1,2})/", $szTimStr, $m)) {
        // Sample: Mar 10 14:45:44 - RFC 3164 typical timestamp, carries no year
        $eventtime[EVTIME_TIMESTAMP] = mktime($m[3], $m[4], $m[5], GetMonthFromString($m[1]), $m[2], date("Y"));
        if ($eventtime[EVTIME_TIMESTAMP] > time()) {
            // A timestamp in the future is taken to belong to last year
            // (rare case on new year only!)
            $eventtime[EVTIME_TIMESTAMP] = mktime($m[3], $m[4], $m[5], GetMonthFromString($m[1]), $m[2], date("Y") - 1);
        }
        // Get default Offset
        $eventtime[EVTIME_TIMEZONE] = date('O');
        $eventtime[EVTIME_MICROSECONDS] = 0;
    } elseif (preg_match("/([0-9]{4,4})-([0-9]{1,2})-([0-9]{1,2})T([0-9]{1,2}):([0-9]{1,2}):([0-9]{1,2})([+-])([0-9]{1,2}):([0-9]{1,2})/", $szTimStr, $m)) {
        // "YYYY-MM-DDTh:m:s+hh:mm" - offset taken from the string
        $eventtime[EVTIME_TIMESTAMP] = mktime($m[4], $m[5], $m[6], $m[2], $m[3], $m[1]);
        $eventtime[EVTIME_TIMEZONE] = $m[7] . $m[8] . $m[9];
        $eventtime[EVTIME_MICROSECONDS] = 0;
    } elseif (preg_match("/([0-9]{4,4})-([0-9]{1,2})-([0-9]{1,2})T([0-9]{1,2}):([0-9]{1,2}):([0-9]{1,2})\\.([0-9]{1,6})([+-])([0-9]{1,2}):([0-9]{1,2})/", $szTimStr, $m)) {
        // "YYYY-MM-DDTh:m:s.ffffff+hh:mm" - fraction and offset taken from the string
        $eventtime[EVTIME_TIMESTAMP] = mktime($m[4], $m[5], $m[6], $m[2], $m[3], $m[1]);
        $eventtime[EVTIME_TIMEZONE] = $m[8] . $m[9] . $m[10];
        $eventtime[EVTIME_MICROSECONDS] = $m[7];
    } elseif (preg_match("/([0-9]{4,4})-([0-9]{1,2})-([0-9]{1,2}),([0-9]{1,2}):([0-9]{1,2}):([0-9]{1,2})/", $szTimStr, $m)) {
        // "YYYY-MM-DD,h:m:s" - no offset in the string
        $eventtime[EVTIME_TIMESTAMP] = mktime($m[4], $m[5], $m[6], $m[2], $m[3], $m[1]);
        // Get default Offset
        $eventtime[EVTIME_TIMEZONE] = date('O');
        $eventtime[EVTIME_MICROSECONDS] = 0;
    } elseif (preg_match("/([0-9]{4,4})-([0-9]{1,2})-([0-9]{1,2}) ([0-9]{1,2}):([0-9]{1,2}):([0-9]{1,2})/", $szTimStr, $m)) {
        // "YYYY-MM-DD h:m:s" - no offset in the string
        $eventtime[EVTIME_TIMESTAMP] = mktime($m[4], $m[5], $m[6], $m[2], $m[3], $m[1]);
        // Get default Offset
        $eventtime[EVTIME_TIMEZONE] = date('O');
        $eventtime[EVTIME_MICROSECONDS] = 0;
    } elseif (preg_match("/([0-9]{4,4})-([0-9]{1,2})-([0-9]{1,2})T([0-9]{1,2}):([0-9]{1,2}):([0-9]{1,2})/", $szTimStr, $m)) {
        // "YYYY-MM-DDTh:m:s" - no offset in the string
        $eventtime[EVTIME_TIMESTAMP] = mktime($m[4], $m[5], $m[6], $m[2], $m[3], $m[1]);
        // Get default Offset
        $eventtime[EVTIME_TIMEZONE] = date('O');
        $eventtime[EVTIME_MICROSECONDS] = 0;
    } elseif (preg_match("/([0-9]{1,2})\\/(...)\\/([0-9]{1,4}):([0-9]{1,2}):([0-9]{1,2}):([0-9]{1,2}) ([+-])([0-9]{1,4})/", $szTimStr, $m)) {
        // Apache Logfile typical timestamp, "DD/Mon/YYYY:h:m:s +hhmm"
        $eventtime[EVTIME_TIMESTAMP] = mktime($m[4], $m[5], $m[6], GetMonthFromString($m[2]), $m[1], $m[3]);
        // Get Offset from MSG
        $eventtime[EVTIME_TIMEZONE] = $m[7] . $m[8];
        $eventtime[EVTIME_MICROSECONDS] = 0;
    } elseif (preg_match("/([0-9]{4,4})-([0-9]{1,2})-([0-9]{1,2})/", $szTimStr, $m)) {
        // Date only, "YYYY-MM-DD"; the time of day is set to 00:00:00
        $eventtime[EVTIME_TIMESTAMP] = mktime(0, 0, 0, $m[2], $m[3], $m[1]);
        // Get default Offset
        $eventtime[EVTIME_TIMEZONE] = date('O');
        $eventtime[EVTIME_MICROSECONDS] = 0;
    } else {
        // Nothing matched: return a zero timestamp and report the input
        $eventtime[EVTIME_TIMESTAMP] = 0;
        // Get default Offset
        $eventtime[EVTIME_TIMEZONE] = date('O');
        $eventtime[EVTIME_MICROSECONDS] = 0;
        OutputDebugMessage("GetEventTime got an unparsable time '" . $szTimStr . "', returning 0", DEBUG_WARN);
    }

    return $eventtime;
}
 /**
  * Parse one "<PRI>VERSION TIMESTAMP ..." formatted syslog line into syslog properties.
  *
  * Two layouts are accepted, differing only in whether the timestamp carries
  * fractional seconds. Facility and severity are derived from the PRI value
  * (PRI >> 3 and PRI & 7). The version digit and the seventh and eighth
  * fields are matched but not stored. When neither layout matches, only
  * SYSLOG_MESSAGETYPE has been written, and a debug message is emitted if a
  * non-empty SYSLOG_MESSAGE was already present in $arrArguments.
  *
  * NOTE(review): PRI is accepted as any one to three digit number and is not
  * range checked, so the derived facility is not limited to known values.
  * NOTE(review): host, tag, process id and message are copied verbatim from
  * the log line; nothing is escaped here, so consumers have to encode them
  * for their own output context.
  *
  * @param string $szLine       raw log line
  * @param array  $arrArguments in&out: properties of interest. There can be no guarantee the logstream can actually deliver them.
  * @return integer Error state; this implementation always returns SUCCESS
  */
 public function ParseLine($szLine, &$arrArguments)
 {
     // Default message type; may be overridden by the tag check at the end
     $arrArguments[SYSLOG_MESSAGETYPE] = IUT_Syslog;

     // Sample: <22>1 2011-03-03T15:27:06+01:00 debian507x64 postfix 2454 - -  daemon started -- version 2.5.5, configuration /etc/postfix
     // Sample: <46>1 2011-03-03T15:27:05+01:00 debian507x64 rsyslogd - - -  [origin software="rsyslogd" swVersion="4.6.4" x-pid="2344" x-info="http://www.rsyslog.com"] (re)start
     // Sample (RSyslog): 2008-03-28T11:07:40+01:00 localhost rger: test 1
     $szPlainTime = "/<([0-9]{1,3})>([0-9]) ([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}.[0-9]{1,2}:[0-9]{1,2}) (.*?) (.*?) (.*?) (.*?) (.*?) (.*?)\$/";
     $szFractionTime = "/<([0-9]{1,3})>([0-9]) ([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}\\.[0-9]{1,6}.[0-9]{1,2}:[0-9]{1,2}) (.*?) (.*?) (.*?) (.*?) (.*?) (.*?)\$/";

     // Both layouts share the same group numbering, so one copy step serves
     // both; the second pattern is only tried when the first one fails.
     if (preg_match($szPlainTime, $szLine, $arrMatch) || preg_match($szFractionTime, $szLine, $arrMatch)) {
         $arrArguments[SYSLOG_FACILITY] = $arrMatch[1] >> 3;
         $arrArguments[SYSLOG_SEVERITY] = $arrMatch[1] & 0x7;
         $arrArguments[SYSLOG_DATE] = GetEventTime($arrMatch[3]);
         $arrArguments[SYSLOG_HOST] = $arrMatch[4];
         $arrArguments[SYSLOG_SYSLOGTAG] = $arrMatch[5];
         $arrArguments[SYSLOG_PROCESSID] = $arrMatch[6];
         $arrArguments[SYSLOG_MESSAGE] = $arrMatch[9];
     } elseif (isset($arrArguments[SYSLOG_MESSAGE]) && strlen($arrArguments[SYSLOG_MESSAGE]) > 0) {
         // Neither layout matched; report the message the caller handed in
         OutputDebugMessage("Unparseable syslog msg - '" . $arrArguments[SYSLOG_MESSAGE] . "'", DEBUG_ERROR);
     }

     // A tag containing "EvntSLog" marks the line as an NT event report
     if (isset($arrArguments[SYSLOG_SYSLOGTAG]) && strpos($arrArguments[SYSLOG_SYSLOGTAG], "EvntSLog") !== false) {
         $arrArguments[SYSLOG_MESSAGETYPE] = IUT_NT_EventReport;
     }

     return SUCCESS;
 }
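 /**
  * Publish a database error through $extraErrorDescription and the debug log.
  *
  * The message is joined with <br> markup, so the driver error text is
  * HTML-encoded before it is added; driver error text can repeat parts of the
  * failing statement.
  *
  * NOTE(review): $szErrorMsg is inserted unchanged because callers may pass
  * markup on purpose - confirm against the call sites and encode there if not.
  * NOTE(review): mysql_error()/mysql_errno() belong to the legacy mysql
  * extension, which was removed in PHP 7.
  *
  * @param string $szErrorMsg caller supplied description of what failed
  */
 private function PrintDebugError($szErrorMsg)
 {
     global $extraErrorDescription;

     $errdesc = mysql_error();
     $errno = mysql_errno();

     // ENT_SUBSTITUTE keeps text with invalid byte sequences from being
     // dropped entirely; it is only used where the runtime provides it.
     $iEscFlags = defined('ENT_SUBSTITUTE') ? (ENT_QUOTES | ENT_SUBSTITUTE) : ENT_QUOTES;
     $szSafeErrDesc = htmlspecialchars((string) $errdesc, $iEscFlags);

     $errormsg = "{$szErrorMsg} <br>";
     $errormsg .= "Detail error: {$szSafeErrDesc} <br>";
     $errormsg .= "Error Code: {$errno} <br>";

     // Add to additional error output
     $extraErrorDescription = $errormsg;

     //Output!
     OutputDebugMessage("LogStreamDB|PrintDebugError: {$errormsg}", DEBUG_ERROR);
 }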
 /**
  * Publish an error message through $extraErrorDescription and the debug log.
  *
  * NOTE(review): the text is followed by <br> markup but is not HTML-encoded
  * here - confirm that callers pass only trusted or already encoded text.
  *
  * @param string $szErrorMsg caller supplied description of what failed
  */
 private function PrintDebugError($szErrorMsg)
 {
     global $extraErrorDescription;

     // The global receives the message with a trailing line break
     $extraErrorDescription = "{$szErrorMsg} <br>";

     // Same text goes to the debug log, prefixed with the origin
     OutputDebugMessage("LogStreamMongoDB|PrintDebugError: " . $extraErrorDescription, DEBUG_ERROR);
 }
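 /**
  * Register the message parsers named in a comma separated list.
  *
  * For every name the file
  * <root>classes/msgparsers/msgparser.<name>.class.php is included; names
  * whose file was included successfully are appended to _msgParserList.
  * Names whose file does not exist are skipped silently.
  *
  * The name becomes part of an include path, so only names built from ASCII
  * letters, digits, underscore and hyphen, optionally joined by single dots,
  * are accepted. Path separators and ".." therefore never reach the path.
  *
  * @param string $szParsers comma separated parser names
  */
 public function SetMsgParserList($szParsers)
 {
     global $gl_root_path;

     // Check if we have at least something to check
     if ($szParsers == null || strlen($szParsers) <= 0) {
         return;
     }

     // explode() also covers a single name and a list that starts with a
     // comma; testing the strpos() result for truthiness missed the latter
     // because the position 0 is falsy.
     foreach (explode(",", $szParsers) as $szParser) {
         // Remove whitespaces
         $szParser = trim($szParser);
         if ($szParser === '') {
             continue;
         }

         // Reject anything that could leave the msgparsers directory
         if (!preg_match('/\A[A-Za-z0-9_\-]+(?:\.[A-Za-z0-9_\-]+)*\z/', $szParser)) {
             OutputDebugMessage("Error, MsgParser '" . $szParser . "' rejected, name contains characters that are not allowed. ", DEBUG_ERROR);
             continue;
         }

         // Check if parser file include exists
         $szIncludeFile = $gl_root_path . 'classes/msgparsers/msgparser.' . $szParser . '.class.php';
         if (!file_exists($szIncludeFile)) {
             continue;
         }

         // Try to include; warnings are suppressed and the failure is logged instead
         if (@(include_once $szIncludeFile)) {
             $this->_msgParserList[] = $szParser;
         } else {
             OutputDebugMessage("Error, MsgParser '" . $szParser . "' could not be included. ", DEBUG_ERROR);
         }
     }
 }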
 /**
  *	Helper function to consolidate syslogmessages 
  */
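 private function ConsolidateSyslogmessagesPerHost($arrHosts)
 {
     // Fills $content["report_consdata"][<host>] for every host in $arrHosts
     // with consolidated messages read from $this->_streamObj, trims each
     // list to $this->_maxMsgsPerHost entries and adds the display fields
     // (formatted dates, severity/facility names and colours, HTML-escaped
     // message). Timing marks are appended to $content["report_rendertime"].
     //
     // $arrHosts: list of host values; each one is used as a filter value
     //            and as the array key of its result set.
     // Returns SUCCESS.
     // NOTE(review): SUCCESS is returned even when Open() did not succeed;
     // confirm callers do not rely on the return value to detect that.
     global $content, $gl_starttime, $fields;

     // Now open the stream for data processing
     $res = $this->_streamObj->Open($this->_arrProperties, true);
     if ($res == SUCCESS) {
         // --- New Method to consolidate data!
         // TimeStats
         $nowtime = microtime_float();
         $content["report_rendertime"] .= number_format($nowtime - $gl_starttime, 2, '.', '') . "s ";

         // Update all Checksums first!
         $this->_streamObj->UpdateAllMessageChecksum();

         // TimeStats
         $nowtime = microtime_float();
         $content["report_rendertime"] .= number_format($nowtime - $gl_starttime, 2, '.', '') . "s ";

         foreach ($arrHosts as $myHost) {
             // Set custom filters: base filter limited to syslog messages of this host
             $this->_streamObj->ResetFilters();
             $this->_streamObj->SetFilter($this->_filterString . " " . $fields[SYSLOG_MESSAGETYPE]['SearchField'] . ":=" . IUT_Syslog);
             $this->_streamObj->RemoveFilters(SYSLOG_HOST);
             $this->_streamObj->AppendFilter($fields[SYSLOG_HOST]['SearchField'] . ":=" . $myHost);

             // Set Host Item Basics if not set yet
             $content["report_consdata"][$myHost][SYSLOG_HOST] = $myHost;

             // Get Data for single host
             $content["report_consdata"][$myHost]['cons_msgs'] = $this->_streamObj->ConsolidateDataByField(MISC_CHECKSUM, $this->_maxMsgsPerHost, MISC_CHECKSUM, SORTING_ORDER_DESC, null, true, true);

             // Only process results if valid!
             if (is_array($content["report_consdata"][$myHost]['cons_msgs'])) {
                 foreach ($content["report_consdata"][$myHost]['cons_msgs'] as &$myConsData) {
                     // Unknown facility values fall back to a default
                     if (!isset($content['filter_facility_list'][$myConsData[SYSLOG_FACILITY]])) {
                         $myConsData[SYSLOG_FACILITY] = SYSLOG_LOCAL0;
                     }
                     // Unknown severity values fall back to a default
                     if (!isset($content['filter_severity_list'][$myConsData[SYSLOG_SEVERITY]])) {
                         $myConsData[SYSLOG_SEVERITY] = SYSLOG_NOTICE;
                     }
                 }
                 // Break the reference so later code cannot write through it
                 unset($myConsData);
             } else {
                 // Write to debuglog; a non-array result is treated as an error value
                 OutputDebugMessage("Failed consolidating data for '" . $myHost . "' with error " . $content["report_consdata"][$myHost]['cons_msgs'], DEBUG_ERROR);
                 // Set to empty array
                 $content["report_consdata"][$myHost]['cons_msgs'] = array();
             }
         }

         // TimeStats
         $nowtime = microtime_float();
         $content["report_rendertime"] .= number_format($nowtime - $gl_starttime, 2, '.', '') . "s ";
         // ---

         // --- Start Postprocessing
         foreach ($content["report_consdata"] as &$tmpConsolidatedComputer) {
             // First use callback function to sort array
             uasort($tmpConsolidatedComputer['cons_msgs'], "MultiSortArrayByItemCountDesc");

             // Remove entries according to _maxMsgsPerHost
             if (count($tmpConsolidatedComputer['cons_msgs']) > $this->_maxMsgsPerHost) {
                 $iDropCount = 0;
                 do {
                     array_pop($tmpConsolidatedComputer['cons_msgs']);
                     $iDropCount++;
                 } while (count($tmpConsolidatedComputer['cons_msgs']) > $this->_maxMsgsPerHost);

                 // Append a dummy entry which shows count of all other events
                 if ($iDropCount > 0) {
                     $lastEntry = array();
                     $lastEntry[SYSLOG_SEVERITY] = SYSLOG_NOTICE;
                     $lastEntry[SYSLOG_FACILITY] = SYSLOG_LOCAL0;
                     $lastEntry[SYSLOG_SYSLOGTAG] = $content['LN_GEN_ALL_OTHER_EVENTS'];
                     $lastEntry[SYSLOG_MESSAGE] = $content['LN_GEN_ALL_OTHER_EVENTS'];
                     $lastEntry['itemcount'] = $iDropCount;
                     $lastEntry['firstoccurrence_date'] = "-";
                     $lastEntry['lastoccurrence_date'] = "-";
                     $tmpConsolidatedComputer['cons_msgs'][] = $lastEntry;
                 }
             }

             // TimeStats
             $nowtime = microtime_float();
             $content["report_rendertime"] .= number_format($nowtime - $gl_starttime, 2, '.', '') . "s ";

             // PostProcess Events!
             foreach ($tmpConsolidatedComputer["cons_msgs"] as &$tmpMyEvent) {
                 $tmpMyEvent['FirstOccurrence_Date_Formatted'] = GetFormatedDate($tmpMyEvent['firstoccurrence_date']);
                 $tmpMyEvent['LastOccurrence_Date_Formatted'] = GetFormatedDate($tmpMyEvent['lastoccurrence_date']);
                 $tmpMyEvent['syslogseverity_text'] = $this->GetSeverityDisplayName($tmpMyEvent['syslogseverity']);
                 $tmpMyEvent['syslogfacility_text'] = $this->GetFacilityDisplayName($tmpMyEvent['syslogfacility']);
                 $tmpMyEvent['syslogseverity_bgcolor'] = $this->GetSeverityBGColor($tmpMyEvent['syslogseverity']);
                 // NOTE(review): the facility colour is looked up with the severity
                 // helper; confirm whether a facility-specific lookup was intended.
                 $tmpMyEvent['syslogfacility_bgcolor'] = $this->GetSeverityBGColor($tmpMyEvent['syslogfacility']);
                 // The message text comes from the consolidated log data, so it is
                 // escaped with explicit flags: ENT_QUOTES also covers single quotes
                 // on PHP versions whose default is ENT_COMPAT, and ENT_SUBSTITUTE
                 // keeps a message with invalid byte sequences from becoming an
                 // empty string. Only 'htmlmsg' is escaped here; the other fields
                 // still hold raw values.
                 $tmpMyEvent['htmlmsg'] = htmlspecialchars($tmpMyEvent[SYSLOG_MESSAGE], ENT_QUOTES | ENT_SUBSTITUTE);
             }
             // Break the reference before the next host's list is processed
             unset($tmpMyEvent);
         }
         // Break the reference into $content["report_consdata"]
         unset($tmpConsolidatedComputer);
         // ---
     }

     // Work done!
     return SUCCESS;
 }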
/**
 * Converts a date or date-time string into a Unix timestamp via mktime().
 *
 * Accepted forms are "Y-M-DTh:m:s" (sample: 2008-4-1T00:00:00) and "Y-M-D".
 * Both patterns are anchored at the end of the string only, so text in
 * front of the date does not prevent a match.
 *
 * NOTE(review): when neither pattern matches, the input is returned
 * unchanged after a warning is logged, so the return value is not
 * guaranteed to be an integer. Callers that pass it on to a query or to
 * output should validate it themselves; confirm against the call sites.
 *
 * @param string $szTimeString Time string to convert.
 * @return int|string Timestamp on success, the unmodified input otherwise.
 */
function GetTimeStampFromTimeString($szTimeString)
{
    // Date with time part, sample: 2008-4-1T00:00:00
    $szDateTimePattern = "/([0-9]{4,4})-([0-9]{1,2})-([0-9]{1,2})T([0-9]{1,2}):([0-9]{1,2}):([0-9]{1,2})\$/";
    if (preg_match($szDateTimePattern, $szTimeString, $aParts)) {
        // mktime order: hour, minute, second, month, day, year
        return mktime($aParts[4], $aParts[5], $aParts[6], $aParts[2], $aParts[3], $aParts[1]);
    }

    // Date only: midnight of that day
    $szDatePattern = "/([0-9]{4,4})-([0-9]{1,2})-([0-9]{1,2})\$/";
    if (preg_match($szDatePattern, $szTimeString, $aParts)) {
        return mktime(0, 0, 0, $aParts[2], $aParts[3], $aParts[1]);
    }

    // Neither form matched: log it and hand the input back untouched
    OutputDebugMessage("Unparseable Time in GetTimeStampFromTimeString - '" . $szTimeString . "'", DEBUG_WARN);
    return $szTimeString;
}
 /**
  * Stores the given source ID when it is a key of $content['Sources'].
  *
  * An ID that is not configured is logged with DEBUG_ERROR and the stored
  * ID stays as it was.
  *
  * @param mixed $newSourceID Key expected to exist in $content['Sources'].
  * @return void
  */
 public function SetSourceID($newSourceID)
 {
     global $content;

     // Reject IDs that are not configured as a source
     if (!isset($content['Sources'][$newSourceID])) {
         OutputDebugMessage("SetSourceID failed, ID '" . $newSourceID . "' is not a valid Logstream Source", DEBUG_ERROR);
         return;
     }

     $this->_mySourceID = $newSourceID;
 }