/**
 * ParseLine
 *
 * Parses one syslog line in the "<PRI>VERSION TIMESTAMP HOST APP PROCID ..." layout
 * (see the samples below) into the property array. Two timestamp variants are
 * accepted: with and without fractional seconds. Patterns are anchored at the end only.
 *
 * @param szLine string raw log line
 * @param arrArguments array in&out: properties of interest. There can be no guarantee the logstream can actually deliver them.
 * @return integer Error stat (always SUCCESS; an unparseable line only emits a debug message)
 */
public function ParseLine($szLine, &$arrArguments)
{
    // Set IUT Property first!
    $arrArguments[SYSLOG_MESSAGETYPE] = IUT_Syslog;

    // Sample: <22>1 2011-03-03T15:27:06+01:00 debian507x64 postfix 2454 - - daemon started -- version 2.5.5, configuration /etc/postfix
    // Sample: <46>1 2011-03-03T15:27:05+01:00 debian507x64 rsyslogd - - - [origin software="rsyslogd" swVersion="4.6.4" x-pid="2344" x-info="http://www.rsyslog.com"] (re)start
    // Sample (RSyslog): 2008-03-28T11:07:40+01:00 localhost rger: test 1

    // The two layouts differ only in the timestamp (second one carries fractional seconds);
    // the single character after the seconds stands for the timezone sign.
    $szStamp     = '[0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}.[0-9]{1,2}:[0-9]{1,2}';
    $szStampFrac = '[0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}\.[0-9]{1,6}.[0-9]{1,2}:[0-9]{1,2}';
    $arrPatterns = array(
        '/<([0-9]{1,3})>([0-9]) (' . $szStamp . ') (.*?) (.*?) (.*?) (.*?) (.*?) (.*?)$/',
        '/<([0-9]{1,3})>([0-9]) (' . $szStampFrac . ') (.*?) (.*?) (.*?) (.*?) (.*?) (.*?)$/',
    );

    // First matching layout wins; both deliver the same capture groups
    // (1 = PRI, 2 = version, 3 = timestamp, 4 = host, 5 = tag, 6 = procid, 9 = message).
    $bMatched = false;
    foreach ($arrPatterns as $szPattern) {
        if (preg_match($szPattern, $szLine, $out)) {
            $nPriority = $out[1];
            // PRI = facility * 8 + severity
            $arrArguments[SYSLOG_FACILITY]  = $nPriority >> 3;
            $arrArguments[SYSLOG_SEVERITY]  = $nPriority & 0x7;
            $arrArguments[SYSLOG_DATE]      = GetEventTime($out[3]);
            $arrArguments[SYSLOG_HOST]      = $out[4];
            $arrArguments[SYSLOG_SYSLOGTAG] = $out[5];
            $arrArguments[SYSLOG_PROCESSID] = $out[6];
            $arrArguments[SYSLOG_MESSAGE]   = $out[9];
            $bMatched = true;
            break;
        }
    }

    // Nothing matched: report it, but only if there is a message to show
    if (!$bMatched && isset($arrArguments[SYSLOG_MESSAGE]) && strlen($arrArguments[SYSLOG_MESSAGE]) > 0) {
        OutputDebugMessage("Unparseable syslog msg - '" . $arrArguments[SYSLOG_MESSAGE] . "'", DEBUG_ERROR);
    }

    // If SyslogTag is set, we check for MessageType!
    if (isset($arrArguments[SYSLOG_SYSLOGTAG]) && strpos($arrArguments[SYSLOG_SYSLOGTAG], "EvntSLog") !== false) {
        $arrArguments[SYSLOG_MESSAGETYPE] = IUT_NT_EventReport;
    }

    // Return success!
    return SUCCESS;
}
/**
 * ParseLine
 *
 * Parses one WinSyslog/EventReporter CSV-style line (see sample below) into the
 * property array. A variant without the "tag:" part is accepted as well.
 * Patterns are anchored at the end only.
 *
 * @param szLine string raw log line
 * @param arrArguments array in&out: properties of interest. There can be no guarantee the logstream can actually deliver them.
 * @return integer Error stat (always SUCCESS; an unparseable line only emits a debug message)
 */
public function ParseLine($szLine, &$arrArguments)
{
    // Set IUT Property first!
    $arrArguments[SYSLOG_MESSAGETYPE] = IUT_Syslog;

    // Sample (WinSyslog/EventReporter): 2008-04-02,15:19:06,2008-04-02,15:19:06,127.0.0.1,16,5,EvntSLog: Performance counters for the RSVP (QoS RSVP) service were loaded successfully.
    // Date and time are separated by a single arbitrary character (the comma in the sample).
    $szStamp = '[0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}.[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}';
    $szHead  = '/(' . $szStamp . '),(' . $szStamp . '),(.*?),([0-9]{1,2}),([0-9]{1,2}),';

    // Each layout: pattern plus the capture groups that follow the common head
    // (1 = first timestamp, 3 = host, 4 = facility, 5 = severity).
    $arrLayouts = array(
        array($szHead . '(.*?):(.*?)$/', array(SYSLOG_SYSLOGTAG => 6, SYSLOG_MESSAGE => 7)),
        array($szHead . '(.*?)$/',       array(SYSLOG_MESSAGE => 6)),
    );

    $bMatched = false;
    foreach ($arrLayouts as $arrLayout) {
        list($szPattern, $arrTail) = $arrLayout;
        if (!preg_match($szPattern, $szLine, $out)) {
            continue;
        }
        $arrArguments[SYSLOG_DATE]     = GetEventTime($out[1]);
        $arrArguments[SYSLOG_HOST]     = $out[3];
        $arrArguments[SYSLOG_FACILITY] = $out[4];
        $arrArguments[SYSLOG_SEVERITY] = $out[5];
        foreach ($arrTail as $szProperty => $nGroup) {
            $arrArguments[$szProperty] = $out[$nGroup];
        }
        $bMatched = true;
        break;
    }

    // Nothing matched: report it, but only if there is a message to show
    if (!$bMatched && isset($arrArguments[SYSLOG_MESSAGE]) && strlen($arrArguments[SYSLOG_MESSAGE]) > 0) {
        OutputDebugMessage("Unparseable Winsyslog message - '" . $arrArguments[SYSLOG_MESSAGE] . "'", DEBUG_ERROR);
    }

    // If SyslogTag is set, we check for MessageType!
    if (isset($arrArguments[SYSLOG_SYSLOGTAG]) && strpos($arrArguments[SYSLOG_SYSLOGTAG], "EvntSLog") !== false) {
        $arrArguments[SYSLOG_MESSAGETYPE] = IUT_NT_EventReport;
    }

    // Return success!
    return SUCCESS;
}
/**
 * ParseMsg
 *
 * Parses a semicolon separated wlan log message (see sample below) into the
 * SYSLOG_NET_* properties. Two layouts are accepted: the bare record, and the
 * record prefixed with a BSD style timestamp, host and tag. With _MsgNormalize
 * enabled the message is replaced by a "Caption: 'value'" listing of the fields.
 *
 * @param szMsg string raw message text
 * @param arrArguments array in&out: properties of interest. There can be no guarantee the logstream can actually deliver them.
 * @return integer Error stat: SUCCESS, or ERROR_MSG_NOMATCH if neither layout matches
 */
public function ParseMsg($szMsg, &$arrArguments)
{
    global $fields;

    // trim the msg first to remove spaces from begin and end
    $szMsg = trim($szMsg);

    // Sample: Oct 14 21:05:52 script,info INICIO; Madrid-arturosoria ;wlan1 ;00:1F:3A:66:70:09 ;192.168.10.117 ;24Mbps ;36Mbps ;15:50:56 ;00:00:00.080 ;-80dBm@1Mbps ;21 ;78 ;43351,126437 ;2959,377
    $szBarePattern     = '/(.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?)$/';
    $szPrefixedPattern = '/(...)(?:.|..)([0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}) (.*?),(.*?) (.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?);(.|.*?)$/';

    // $nBase is the capture group holding the host; the remaining fields follow in order.
    if (preg_match($szBarePattern, $szMsg, $out)) {
        $nBase = 1;
    } elseif (preg_match($szPrefixedPattern, $szMsg, $out)) {
        // Set generic properties (month abbreviation + "dd hh:mm:ss")
        $arrArguments[SYSLOG_DATE] = GetEventTime($out[1] . " " . $out[2]);
        $nBase = 6;
    } else {
        // return no match in this case!
        return ERROR_MSG_NOMATCH;
    }

    // Set wlan log specific properties, in capture group order starting at $nBase
    $arrNetFields = array(
        SYSLOG_NET_HOST,
        SYSLOG_NET_INTERFACE,
        SYSLOG_NET_MAC_ADDRESS,
        SYSLOG_NET_LASTIP,
        SYSLOG_NET_RXRATE,
        SYSLOG_NET_TXRATE,
        SYSLOG_NET_UPTIME,
        SYSLOG_NET_LASTACTIVITY,
        SYSLOG_NET_SIGNALSTRENGTH,
        SYSLOG_NET_SIGNALTONOISE,
        SYSLOG_NET_TXCCQ,
    );
    foreach ($arrNetFields as $nIndex => $szProperty) {
        $arrArguments[$szProperty] = trim($out[$nBase + $nIndex]);
    }

    // Set msg to whole logline
    $arrArguments[SYSLOG_MESSAGE] = trim($out[0]);

    // Get additional parameters from the last field: two comma separated pairs,
    // separated by a semicolon. Missing or malformed counters become empty strings.
    $arrCounterFields = array(
        SYSLOG_NET_BYTESRECIEVED,
        SYSLOG_NET_BYTESSEND,
        SYSLOG_NET_PACKETSRECIEVED,
        SYSLOG_NET_PACKETSSEND,
    );
    $bHaveCounters = preg_match(
        '/(.|.*?[0-9]{1,12}.*?),(.|.*?[0-9]{1,12}.*?);(.|.*?[0-9]{1,12}.*?),(.|.*?[0-9]{1,12}.*?)$/',
        $out[$nBase + 11],
        $out2
    );
    foreach ($arrCounterFields as $nIndex => $szProperty) {
        $arrArguments[$szProperty] = $bHaveCounters ? trim($out2[$nIndex + 1]) : "";
    }

    if ($this->_MsgNormalize == 1) {
        // Fields in the order they appear in the normalized message.
        // NOTE(review): the list uses SYSLOG_HOST, which this method never sets
        // (it sets SYSLOG_NET_HOST); presumably the line parser fills it in before — verify.
        $arrOrderedFields = array(
            SYSLOG_HOST,
            SYSLOG_NET_INTERFACE,
            SYSLOG_NET_MAC_ADDRESS,
            SYSLOG_NET_LASTIP,
            SYSLOG_NET_RXRATE,
            SYSLOG_NET_TXRATE,
            SYSLOG_NET_LASTACTIVITY,
            SYSLOG_NET_SIGNALSTRENGTH,
            SYSLOG_NET_UPTIME,
            SYSLOG_NET_SIGNALTONOISE,
            SYSLOG_NET_TXCCQ,
            SYSLOG_NET_BYTESRECIEVED,
            SYSLOG_NET_BYTESSEND,
            SYSLOG_NET_PACKETSRECIEVED,
            SYSLOG_NET_PACKETSSEND,
        );
        $szTmpMsg = "";
        foreach ($arrOrderedFields as $myField) {
            // Use the configured caption when there is one, else the property name itself
            $szFieldName = isset($fields[$myField]['FieldCaption']) ? $fields[$myField]['FieldCaption'] : $myField;
            $szTmpMsg .= $szFieldName . ": '" . $arrArguments[$myField] . "'\n";
        }
        // copy finished MSG back!
        $arrArguments[SYSLOG_MESSAGE] = $szTmpMsg;
    }

    // Set IUT Property if success!
    $arrArguments[SYSLOG_MESSAGETYPE] = IUT_Syslog;

    // If we reached this position, return success!
    return SUCCESS;
}
/**
 * ParseLine
 *
 * Parses one classic syslog line into the property array. Seven layouts are
 * tried in order (BSD timestamp with "tag[pid]:", "tag:", "tag ", host only;
 * then ISO timestamp with and without fractional seconds, and a comma separated
 * debug form). The first matching layout wins. Patterns are anchored at the end only.
 *
 * @param szLine string raw log line
 * @param arrArguments array in&out: properties of interest. There can be no guarantee the logstream can actually deliver them.
 * @return integer Error stat (always SUCCESS; an unparseable line only emits a debug message)
 */
public function ParseLine($szLine, &$arrArguments)
{
    // Set IUT Property first!
    $arrArguments[SYSLOG_MESSAGETYPE] = IUT_Syslog;

    // Sample (Syslog): Mar 10 14:45:44 debandre anacron[3226]: Job `cron.daily' terminated (mailing output)

    // Building blocks shared by the layouts
    $szBsdTime     = '(...)(?:.|..)([0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2})';
    $szHost        = '([a-zA-Z0-9_\-\.]{1,256})';
    $szTag         = '([A-Za-z0-9_\-\/\.]{1,32})';
    $szIsoTime     = '([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}.[0-9]{1,2}:[0-9]{1,2})';
    $szIsoTimeFrac = '([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}\.[0-9]{1,6}.[0-9]{1,2}:[0-9]{1,2})';

    // Each layout: pattern, capture groups joined with " " to form the date text,
    // and the remaining properties with their capture group.
    $arrLayouts = array(
        array(
            '/' . $szBsdTime . ' ' . $szHost . ' ' . $szTag . '\[(.*?)\]:(.*?)$/',
            array(1, 2),
            array(SYSLOG_HOST => 3, SYSLOG_SYSLOGTAG => 4, SYSLOG_PROCESSID => 5, SYSLOG_MESSAGE => 6),
        ),
        array(
            '/' . $szBsdTime . ' ' . $szHost . ' ' . $szTag . ':(.*?)$/',
            array(1, 2),
            array(SYSLOG_HOST => 3, SYSLOG_SYSLOGTAG => 4, SYSLOG_MESSAGE => 5),
        ),
        array(
            '/' . $szBsdTime . ' ' . $szHost . ' ' . $szTag . ' (.*?)$/',
            array(1, 2),
            array(SYSLOG_HOST => 3, SYSLOG_SYSLOGTAG => 4, SYSLOG_MESSAGE => 5),
        ),
        array(
            '/' . $szBsdTime . ' (.*?) (.*?)$/',
            array(1, 2),
            array(SYSLOG_HOST => 3, SYSLOG_MESSAGE => 4),
        ),
        array(
            '/' . $szIsoTime . ' (.*?) (.*?):(.*?)$/',
            array(1),
            array(SYSLOG_HOST => 2, SYSLOG_SYSLOGTAG => 3, SYSLOG_MESSAGE => 4),
        ),
        array(
            '/' . $szIsoTimeFrac . ' (.*?) (.*?):(.*?)$/',
            array(1),
            array(SYSLOG_HOST => 2, SYSLOG_SYSLOGTAG => 3, SYSLOG_MESSAGE => 4),
        ),
        // Some kind of debug message or something ...
        array(
            '/' . $szIsoTimeFrac . ',(.*?)$/',
            array(1),
            array(SYSLOG_MESSAGE => 2),
        ),
    );

    $bMatched = false;
    foreach ($arrLayouts as $arrLayout) {
        list($szPattern, $arrDateGroups, $arrFieldGroups) = $arrLayout;
        if (!preg_match($szPattern, $szLine, $out)) {
            continue;
        }
        // Copy parsed properties!
        $arrDateParts = array();
        foreach ($arrDateGroups as $nGroup) {
            $arrDateParts[] = $out[$nGroup];
        }
        $arrArguments[SYSLOG_DATE] = GetEventTime(implode(" ", $arrDateParts));
        foreach ($arrFieldGroups as $szProperty => $nGroup) {
            $arrArguments[$szProperty] = $out[$nGroup];
        }
        $bMatched = true;
        break;
    }

    // Nothing matched: report it, but only if there is a message to show
    if (!$bMatched && isset($arrArguments[SYSLOG_MESSAGE]) && strlen($arrArguments[SYSLOG_MESSAGE]) > 0) {
        OutputDebugMessage("Unparseable syslog msg - '" . $arrArguments[SYSLOG_MESSAGE] . "'", DEBUG_ERROR);
    }

    // If SyslogTag is set, we check for MessageType!
    if (isset($arrArguments[SYSLOG_SYSLOGTAG]) && strpos($arrArguments[SYSLOG_SYSLOGTAG], "EvntSLog") !== false) {
        $arrArguments[SYSLOG_MESSAGETYPE] = IUT_NT_EventReport;
    }

    // Return success!
    return SUCCESS;
}
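/**
 * CreateSQLWhereClause
 *
 * Builds $this->_SQLwhereClause (" WHERE ..." or "") from $this->_filters.
 * Column names are taken from the global $dbmapping for the configured
 * DBTableType, never from the filter itself; filter values are passed through
 * DB_RemoveBadChars() before being concatenated into the SQL text. Every value
 * of an IN / NOT IN list is escaped, not only the first one.
 *
 * @return integer SUCCESS, or ERROR_DB_DBFIELDNOTFOUND when a filtered property has
 *                 no DB mapping and "TreatNotFoundFiltersAsTrue" is not enabled
 */
private function CreateSQLWhereClause()
{
    // No filters means nothing to do!
    if ($this->_filters == null) {
        return SUCCESS;
    }

    global $dbmapping;
    $szTableType = $this->_logStreamConfigObj->DBTableType;
    $szDBType    = $this->_logStreamConfigObj->DBType;
    $arrMappings = isset($dbmapping[$szTableType]['DBMAPPINGS']) ? $dbmapping[$szTableType]['DBMAPPINGS'] : array();

    // Reset WhereClause
    $this->_SQLwhereClause = "";

    // --- Build Query Array: requested properties plus filter-only properties
    $arrayQueryProperties = $this->_arrProperties;
    if (isset($this->_arrFilterProperties) && $this->_arrFilterProperties != null) {
        foreach ($this->_arrFilterProperties as $filterproperty) {
            if ($this->_arrProperties == null || !in_array($filterproperty, $this->_arrProperties)) {
                $arrayQueryProperties[] = $filterproperty;
            }
        }
    }
    // ---

    // Per property (or property . "-NOT" for excluded numbers): FILTER_TYPE and the SQL fragment so far
    $tmpfilters = array();

    // Loop through all available properties
    foreach ($arrayQueryProperties as $propertyname) {
        // If the property exists in the filter array, we have something to filter for ^^!
        if (!array_key_exists($propertyname, $this->_filters)) {
            continue;
        }

        // Process all filters
        foreach ($this->_filters[$propertyname] as $myfilter) {
            // Only perform if database mapping is available for this filter!
            if (!isset($arrMappings[$propertyname])) {
                // Check how to treat not found db mappings / filters
                if (GetConfigSetting("TreatNotFoundFiltersAsTrue", 0, CFGLEVEL_USER) == 0) {
                    return ERROR_DB_DBFIELDNOTFOUND;
                }
                continue;
            }
            $szColumn = $arrMappings[$propertyname];
            $bInclude = ($myfilter[FILTER_MODE] & FILTER_MODE_INCLUDE) != 0;

            switch ($myfilter[FILTER_TYPE]) {
                case FILTER_TYPE_STRING:
                    // --- Either make a LIKE or a equal query!
                    if ($myfilter[FILTER_MODE] & FILTER_MODE_SEARCHFULL) {
                        $addnod        = "";
                        $szSearchBegin = $bInclude ? " = '" : " <> '";
                        $szSearchEnd   = "' ";
                    } elseif ($myfilter[FILTER_MODE] & FILTER_MODE_SEARCHREGEX) {
                        if ($szDBType == DB_MYSQL) {
                            // REGEXP Supported by MYSQL
                            $addnod        = $bInclude ? " " : " NOT";
                            $szSearchBegin = "REGEXP '";
                            $szSearchEnd   = "' ";
                        } elseif ($szDBType == DB_PGSQL) {
                            $addnod        = $bInclude ? " " : " !";
                            $szSearchBegin = "~* '";
                            $szSearchEnd   = "' ";
                        } else {
                            // Database Layer does not support REGEXP
                            $addnod        = $bInclude ? " " : " NOT";
                            $szSearchBegin = "LIKE '%";
                            $szSearchEnd   = "%' ";
                        }
                    } else {
                        $addnod        = $bInclude ? "" : " NOT";
                        $szSearchBegin = " LIKE '%";
                        $szSearchEnd   = "%' ";
                    }
                    // ---

                    // --- If Syslog message, we have AND handling, otherwise OR!
                    // Excludes always need to be combined with AND.
                    if ($propertyname == SYSLOG_MESSAGE || !$bInclude) {
                        $addor = " AND ";
                    } else {
                        $addor = " OR ";
                    }
                    // ---

                    $szCondition = $szColumn . $addnod . $szSearchBegin
                        . DB_RemoveBadChars($myfilter[FILTER_VALUE], $szDBType) . $szSearchEnd;
                    if (isset($tmpfilters[$propertyname])) {
                        $tmpfilters[$propertyname][FILTER_VALUE] .= $addor . $szCondition;
                    } else {
                        $tmpfilters[$propertyname][FILTER_TYPE]  = FILTER_TYPE_STRING;
                        $tmpfilters[$propertyname][FILTER_VALUE] = $szCondition;
                    }
                    break;

                case FILTER_TYPE_NUMBER:
                    // Escape the value once; it is used both as first and as appended IN-list entry
                    $szValue = DB_RemoveBadChars($myfilter[FILTER_VALUE], $szDBType);

                    // --- Check if user wants to include or exclude!
                    if ($myfilter[FILTER_MODE] & FILTER_MODE_EXCLUDE) {
                        $szArrayKey = $propertyname . "-NOT";
                        $szOperator = " NOT IN (";
                    } else {
                        $szArrayKey = $propertyname;
                        $szOperator = " IN (";
                    }
                    // ---

                    // Add to filterset; the closing ")" is appended when the clause is assembled
                    if (isset($tmpfilters[$szArrayKey])) {
                        $tmpfilters[$szArrayKey][FILTER_VALUE] .= ", " . $szValue;
                    } else {
                        $tmpfilters[$szArrayKey][FILTER_TYPE]  = FILTER_TYPE_NUMBER;
                        $tmpfilters[$szArrayKey][FILTER_VALUE] = $szColumn . $szOperator . $szValue;
                    }
                    break;

                case FILTER_TYPE_DATE:
                    // Several date filters on one property are combined with AND
                    if (isset($tmpfilters[$propertyname])) {
                        $tmpfilters[$propertyname][FILTER_VALUE] .= " AND ";
                    } else {
                        $tmpfilters[$propertyname][FILTER_VALUE] = "";
                        $tmpfilters[$propertyname][FILTER_TYPE]  = FILTER_TYPE_DATE;
                    }

                    if ($myfilter[FILTER_DATEMODE] == DATEMODE_LASTX) {
                        // Get current timestamp and move it back by the requested span
                        $nNowTimeStamp = time();
                        if ($myfilter[FILTER_VALUE] == DATE_LASTX_HOUR) {
                            $nNowTimeStamp -= 60 * 60;
                        } elseif ($myfilter[FILTER_VALUE] == DATE_LASTX_12HOURS) {
                            $nNowTimeStamp -= 60 * 60 * 12;
                        } elseif ($myfilter[FILTER_VALUE] == DATE_LASTX_24HOURS) {
                            $nNowTimeStamp -= 60 * 60 * 24;
                        } elseif ($myfilter[FILTER_VALUE] == DATE_LASTX_7DAYS) {
                            $nNowTimeStamp -= 60 * 60 * 24 * 7;
                        } elseif ($myfilter[FILTER_VALUE] == DATE_LASTX_31DAYS) {
                            $nNowTimeStamp -= 60 * 60 * 24 * 31;
                        } else {
                            // Set filter to unknown and Abort in this case!
                            // (leaves the switch; the unknown type becomes a "1=1" placeholder below)
                            $tmpfilters[$propertyname][FILTER_TYPE] = FILTER_TYPE_UNKNOWN;
                            break;
                        }
                        // Append filter
                        $tmpfilters[$propertyname][FILTER_VALUE] .= $szColumn . " > '" . date("Y-m-d H:i:s", $nNowTimeStamp) . "'";
                    } elseif ($myfilter[FILTER_DATEMODE] == DATEMODE_RANGE_FROM) {
                        // Obtain Event struct for the time!
                        $myeventtime = GetEventTime($myfilter[FILTER_VALUE]);
                        $tmpfilters[$propertyname][FILTER_VALUE] .= $szColumn . " > '" . date("Y-m-d H:i:s", $myeventtime[EVTIME_TIMESTAMP]) . "'";
                    } elseif ($myfilter[FILTER_DATEMODE] == DATEMODE_RANGE_TO) {
                        // Obtain Event struct for the time!
                        $myeventtime = GetEventTime($myfilter[FILTER_VALUE]);
                        $tmpfilters[$propertyname][FILTER_VALUE] .= $szColumn . " < '" . date("Y-m-d H:i:s", $myeventtime[EVTIME_TIMESTAMP]) . "'";
                    } elseif ($myfilter[FILTER_DATEMODE] == DATEMODE_RANGE_DATE) {
                        // Obtain Event struct for the time! Whole day: [timestamp, timestamp + 86400)
                        $myeventtime = GetEventTime($myfilter[FILTER_VALUE]);
                        $tmpfilters[$propertyname][FILTER_VALUE] .=
                            $szColumn . " > '" . date("Y-m-d H:i:s", $myeventtime[EVTIME_TIMESTAMP]) . "' AND "
                            . $szColumn . " < '" . date("Y-m-d H:i:s", $myeventtime[EVTIME_TIMESTAMP] + 86400) . "'";
                    }
                    break;

                default:
                    // Nothing to do!
                    break;
            }
        }
    }

    // Check and combine all filters now!
    foreach ($tmpfilters as $tmpfilter) {
        // Init WHERE or Append AND
        $this->_SQLwhereClause .= (strlen($this->_SQLwhereClause) > 0) ? " AND " : " WHERE ";

        switch ($tmpfilter[FILTER_TYPE]) {
            case FILTER_TYPE_STRING:
                $this->_SQLwhereClause .= "( " . $tmpfilter[FILTER_VALUE] . ") ";
                break;
            case FILTER_TYPE_NUMBER:
                // Closes the "IN (" / "NOT IN (" opened above
                $this->_SQLwhereClause .= $tmpfilter[FILTER_VALUE] . ") ";
                break;
            case FILTER_TYPE_DATE:
                $this->_SQLwhereClause .= $tmpfilter[FILTER_VALUE];
                break;
            default:
                // Should not happen, wrong filters!
                // We add a dummy into the where clause, just as a place holder
                $this->_SQLwhereClause .= " 1=1 ";
                break;
        }
    }

    return SUCCESS;
}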
/**
 * ParseMsg
 *
 * Parses one Apache "combined" access log message (see samples below) into the
 * SYSLOG_WEBLOG_* properties. The request target is split at the first "?" into
 * URL and query string. With _MsgNormalize enabled the message is replaced by a
 * "Caption: 'value'" listing of the fields.
 *
 * @param szMsg string raw message text
 * @param arrArguments array in&out: properties of interest. There can be no guarantee the logstream can actually deliver them.
 * @return integer Error stat: SUCCESS, or ERROR_MSG_NOMATCH if the line does not match
 */
public function ParseMsg($szMsg, &$arrArguments)
{
    global $fields;

    // trim the msg first to remove spaces from begin and end
    $szMsg = trim($szMsg);

    // LogFormat "%h %l %u %t \"%r\" %>s %b" common
    // LogFormat "%{Referer}i -> %U" referer
    // LogFormat "%{User-agent}i" agent
    // LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    // Sample (apache2): 127.0.0.1 - - [14/Sep/2008:06:50:15 +0200] "GET / HTTP/1.0" 200 19023 "-" "VoilaBot link checker"
    // Sample: 65.55.211.112 - - [16/Sep/2008:13:37:47 +0200] "GET /index.php?name=News&file=article&sid=1&theme=Printer HTTP/1.1" 200 4908 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
    $szPattern = '/(.|.*?) (.|.*?) (.|.*?) \[(.*?)\] "(.*?) (.*?) (.*?)" (.|[0-9]{1,12}) (.|[0-9]{1,12}) "(.|.*?)" "(.*?)("|)$/';
    if (!preg_match($szPattern, $szMsg, $out)) {
        // return no match in this case!
        return ERROR_MSG_NOMATCH;
    }

    // Set generic properties
    $arrArguments[SYSLOG_HOST] = $out[1];
    $arrArguments[SYSLOG_DATE] = GetEventTime($out[4]);

    // Set weblog specific properties!
    $arrArguments[SYSLOG_WEBLOG_USER]   = $out[3];
    $arrArguments[SYSLOG_WEBLOG_METHOD] = $out[5];

    // Split the request target at the first "?" (query string is empty if there is none)
    $arrUrlParts = explode("?", $out[6], 2);
    $arrArguments[SYSLOG_WEBLOG_URL]         = $arrUrlParts[0];
    $arrArguments[SYSLOG_WEBLOG_QUERYSTRING] = isset($arrUrlParts[1]) ? $arrUrlParts[1] : "";

    // Number based fields
    $arrArguments[SYSLOG_WEBLOG_PVER]      = $out[7];
    $arrArguments[SYSLOG_WEBLOG_STATUS]    = $out[8];
    $arrArguments[SYSLOG_WEBLOG_BYTESSEND] = $out[9];
    $arrArguments[SYSLOG_WEBLOG_REFERER]   = $out[10];
    $arrArguments[SYSLOG_WEBLOG_USERAGENT] = $out[11];

    // Set msg to whole logline
    $arrArguments[SYSLOG_MESSAGE] = $out[0];

    if ($this->_MsgNormalize == 1) {
        // Fields in the order they appear in the normalized message
        $arrOrderedFields = array(
            SYSLOG_WEBLOG_URL,
            SYSLOG_WEBLOG_QUERYSTRING,
            SYSLOG_WEBLOG_METHOD,
            SYSLOG_WEBLOG_REFERER,
            SYSLOG_WEBLOG_STATUS,
            SYSLOG_WEBLOG_BYTESSEND,
            SYSLOG_WEBLOG_USERAGENT,
            SYSLOG_WEBLOG_PVER,
            SYSLOG_WEBLOG_USER,
        );
        $szTmpMsg = "";
        foreach ($arrOrderedFields as $myField) {
            // Use the configured caption when there is one, else the property name itself
            $szFieldName = isset($fields[$myField]['FieldCaption']) ? $fields[$myField]['FieldCaption'] : $myField;
            $szTmpMsg .= $szFieldName . ": '" . $arrArguments[$myField] . "'\n";
        }
        // copy finished MSG back!
        $arrArguments[SYSLOG_MESSAGE] = $szTmpMsg;
    }

    // Set IUT Property if success!
    $arrArguments[SYSLOG_MESSAGETYPE] = IUT_WEBSERVERLOG;

    // If we reached this position, return success!
    return SUCCESS;
}
/**
 * CreateQueryArray
 *
 * Builds $this->_myMongoQuery from $this->_filters, using the field names from the
 * global $dbmapping for the configured DBTableType, and optionally limits the
 * result to documents whose SYSLOG_UID field is <= $uID.
 *
 * @param uID integer upper bound for the uID filter, or UID_UNKNOWN for no bound
 * @return integer Error stat (always SUCCESS)
 */
private function CreateQueryArray($uID)
{
    global $dbmapping;
    $szTableType = $this->_logStreamConfigObj->DBTableType;

    // Init Array
    $this->_myMongoQuery = array();

    if ($this->_filters != null) {
        // Loop through all available properties
        foreach ($this->_arrProperties as $propertyname) {
            // If the property exists in the filter array, we have something to filter for ^^!
            if (!array_key_exists($propertyname, $this->_filters)) {
                continue;
            }

            // Process all filters
            foreach ($this->_filters[$propertyname] as $myfilter) {
                // Only perform if database mapping is available for this filter!
                if (!isset($dbmapping[$szTableType]['DBMAPPINGS'][$propertyname])) {
                    continue;
                }
                $szMongoPropID = $dbmapping[$szTableType]['DBMAPPINGS'][$propertyname];
                $bInclude      = ($myfilter[FILTER_MODE] & FILTER_MODE_INCLUDE) != 0;

                switch ($myfilter[FILTER_TYPE]) {
                    case FILTER_TYPE_STRING:
                        // --- Either make a LIKE or a equal query!
                        if ($myfilter[FILTER_MODE] & FILTER_MODE_SEARCHFULL) {
                            if ($bInclude) {
                                // If we filter for Syslog MSG, we use $all to match all values,
                                // otherwise $in to get results for each value
                                $szOperator = ($propertyname == SYSLOG_MESSAGE) ? '$all' : '$in';
                                $this->_myMongoQuery[$szMongoPropID][$szOperator][] = $myfilter[FILTER_VALUE];
                            } else {
                                // $ne equals NOT EQUAL
                                $this->_myMongoQuery[$szMongoPropID]['$ne'][] = $myfilter[FILTER_VALUE];
                            }
                        } elseif ($myfilter[FILTER_MODE] & FILTER_MODE_SEARCHREGEX) {
                            if ($bInclude) {
                                // Use REGEX to filter for values, NOT TESTED YET!
                                $this->_myMongoQuery[$szMongoPropID]['$regex'][] = $myfilter[FILTER_VALUE];
                            } else {
                                // Negate the query using $not operator.
                                $this->_myMongoQuery[$szMongoPropID]['$not']['$regex'][] = $myfilter[FILTER_VALUE];
                            }
                        } else {
                            // This should be a typical LIKE query: Some more checking NEEDED (TODO)!
                            if ($bInclude) {
                                // Using REGEX for now (same for SYSLOG_MESSAGE and other properties)
                                $this->_myMongoQuery[$szMongoPropID]['$regex'][] = $myfilter[FILTER_VALUE];
                            } else {
                                $this->_myMongoQuery[$szMongoPropID]['$nin'][] = $myfilter[FILTER_VALUE];
                            }
                        }
                        // ---
                        break;

                    case FILTER_TYPE_NUMBER:
                        // --- $in to get results for each value, $nin to exclude them
                        $szOperator = $bInclude ? '$in' : '$nin';
                        $this->_myMongoQuery[$szMongoPropID][$szOperator][] = intval($myfilter[FILTER_VALUE]);
                        // ---
                        break;

                    case FILTER_TYPE_DATE:
                        if ($myfilter[FILTER_DATEMODE] == DATEMODE_LASTX) {
                            // Get current timestamp and move it back by the requested span
                            $nNowTimeStamp = time();
                            if ($myfilter[FILTER_VALUE] == DATE_LASTX_HOUR) {
                                $nNowTimeStamp -= 60 * 60;
                            } elseif ($myfilter[FILTER_VALUE] == DATE_LASTX_12HOURS) {
                                $nNowTimeStamp -= 60 * 60 * 12;
                            } elseif ($myfilter[FILTER_VALUE] == DATE_LASTX_24HOURS) {
                                $nNowTimeStamp -= 60 * 60 * 24;
                            } elseif ($myfilter[FILTER_VALUE] == DATE_LASTX_7DAYS) {
                                $nNowTimeStamp -= 60 * 60 * 24 * 7;
                            } elseif ($myfilter[FILTER_VALUE] == DATE_LASTX_31DAYS) {
                                $nNowTimeStamp -= 60 * 60 * 24 * 31;
                            } else {
                                // Unknown span: abort this filter (leaves the switch, nothing is added)
                                break;
                            }
                            // Create MongoDate Object from Timestamp and add to query array
                            $this->_myMongoQuery[$szMongoPropID]['$gte'] = new MongoDate($nNowTimeStamp);
                        } elseif ($myfilter[FILTER_DATEMODE] == DATEMODE_RANGE_FROM) {
                            // Obtain Event struct for the time, then filter by $gte
                            $myeventtime = GetEventTime($myfilter[FILTER_VALUE]);
                            $this->_myMongoQuery[$szMongoPropID]['$gte'] = new MongoDate($myeventtime[EVTIME_TIMESTAMP]);
                        } elseif ($myfilter[FILTER_DATEMODE] == DATEMODE_RANGE_TO) {
                            // Obtain Event struct for the time, then filter by $lte
                            $myeventtime = GetEventTime($myfilter[FILTER_VALUE]);
                            $this->_myMongoQuery[$szMongoPropID]['$lte'] = new MongoDate($myeventtime[EVTIME_TIMESTAMP]);
                        } elseif ($myfilter[FILTER_DATEMODE] == DATEMODE_RANGE_DATE) {
                            // Obtain Event struct for the time! Whole day: [timestamp, timestamp + 86400]
                            $myeventtime = GetEventTime($myfilter[FILTER_VALUE]);
                            $this->_myMongoQuery[$szMongoPropID]['$lte'] = new MongoDate($myeventtime[EVTIME_TIMESTAMP] + 86400);
                            $this->_myMongoQuery[$szMongoPropID]['$gte'] = new MongoDate($myeventtime[EVTIME_TIMESTAMP]);
                        }
                        break;

                    default:
                        // Nothing to do!
                        break;
                }
            }
        }

        OutputDebugMessage("CreateQueryArray verbose: " . var_export($this->_myMongoQuery, true), DEBUG_DEBUG);
    }

    if ($uID != UID_UNKNOWN) {
        // Add uID Filter as well! The uID is converted to its hex form for MongoId.
        // NOTE(review): MongoDate/MongoId are classes of the legacy mongo extension — verify which driver is installed.
        $myMongoID = new MongoId($this->convBaseHelper($uID, 10, 16));
        $this->_myMongoQuery[$dbmapping[$szTableType]['DBMAPPINGS'][SYSLOG_UID]] = array('$lte' => $myMongoID);
    }

    // Success
    return SUCCESS;
}
/**
 * ParseMsg
 *
 * Parses one IIS W3C access log message (see the LogFormat below) into the
 * SYSLOG_WEBLOG_* properties. Lines starting with "#" get empty properties and the
 * raw line as message before the regular match is attempted. With _MsgNormalize
 * enabled the message is replaced by a "Caption: 'value'" listing of the fields.
 *
 * @param szMsg string raw message text
 * @param arrArguments array in&out: properties of interest. There can be no guarantee the logstream can actually deliver them.
 * @return integer Error stat: SUCCESS, or ERROR_MSG_NOMATCH if the line does not match
 */
public function ParseMsg($szMsg, &$arrArguments)
{
    global $fields;

    // trim the msg first to remove spaces from begin and end
    $szMsg = trim($szMsg);

    // Capture group of each weblog property (SYSLOG_DATE is group 1 and handled separately)
    $arrGroupMap = array(
        SYSLOG_HOST               => 6,
        SYSLOG_WEBLOG_METHOD      => 2,
        SYSLOG_WEBLOG_URL         => 3,
        SYSLOG_WEBLOG_QUERYSTRING => 4,
        SYSLOG_WEBLOG_USER        => 5,
        SYSLOG_WEBLOG_PVER        => 7,
        SYSLOG_WEBLOG_USERAGENT   => 8,
        SYSLOG_WEBLOG_REFERER     => 9,
        SYSLOG_WEBLOG_STATUS      => 10,
        SYSLOG_WEBLOG_BYTESSEND   => 11,
    );

    // Special case here, if loglines start with #, they are comments and have to be skipped!
    // Only init fields then.
    // NOTE(review): there is no early return here, so such a line still runs into the regex
    // below; in practice a "#" directive line does not match it and ERROR_MSG_NOMATCH is
    // returned — confirm that this is what the caller expects.
    if (strpos($szMsg, "#") === 0) {
        $arrArguments[SYSLOG_DATE] = "";
        foreach (array_keys($arrGroupMap) as $szProperty) {
            $arrArguments[$szProperty] = "";
        }
        // Set msg to whole logline
        $arrArguments[SYSLOG_MESSAGE] = $szMsg;
    }

    // LogFormat: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs-version cs(User-Agent) cs(Referer) sc-status sc-bytes
    // Sample: 2008-09-17 00:15:24 GET /Include/MyStyleV2.css - - 208.111.154.249 HTTP/1.0 Mozilla/5.0+(X11;+U;+Linux+i686+(x86_64);+en-US;+rv:1.8.1.11)+Gecko/20080109+(Charlotte/0.9t;+http://www.searchme.com/support/) http://www.adiscon.com/Common/en/News/MWCon-2005-09-12.php 200 1812
    $szPattern = '/([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}) (.*?) (.|.*?) (.|.*?) (.|.*?) (.|.*?) (.|.*?) (.|.*?) (.|.*?) (.|.*?) (.|.*?)$/';
    if (!preg_match($szPattern, $szMsg, $out)) {
        // return no match in this case!
        return ERROR_MSG_NOMATCH;
    }

    // Set generic and weblog specific properties
    $arrArguments[SYSLOG_DATE] = GetEventTime($out[1]);
    foreach ($arrGroupMap as $szProperty => $nGroup) {
        $arrArguments[$szProperty] = $out[$nGroup];
    }

    // Set msg to whole logline
    $arrArguments[SYSLOG_MESSAGE] = $out[0];

    if ($this->_MsgNormalize == 1) {
        // Fields in the order they appear in the normalized message
        $arrOrderedFields = array(
            SYSLOG_WEBLOG_URL,
            SYSLOG_WEBLOG_QUERYSTRING,
            SYSLOG_WEBLOG_METHOD,
            SYSLOG_WEBLOG_REFERER,
            SYSLOG_WEBLOG_STATUS,
            SYSLOG_WEBLOG_BYTESSEND,
            SYSLOG_WEBLOG_USERAGENT,
            SYSLOG_WEBLOG_PVER,
            SYSLOG_WEBLOG_USER,
        );
        $szTmpMsg = "";
        foreach ($arrOrderedFields as $myField) {
            // Use the configured caption when there is one, else the property name itself
            $szFieldName = isset($fields[$myField]['FieldCaption']) ? $fields[$myField]['FieldCaption'] : $myField;
            $szTmpMsg .= $szFieldName . ": '" . $arrArguments[$myField] . "'\n";
        }
        // copy finished MSG back!
        $arrArguments[SYSLOG_MESSAGE] = $szTmpMsg;
    }

    // Set IUT Property if success!
    $arrArguments[SYSLOG_MESSAGETYPE] = IUT_WEBSERVERLOG;

    // If we reached this position, return success!
    return SUCCESS;
}