$content['fields'][$mycolkey]['cssclassfont'] = "line1"; } else { $content['fields'][$mycolkey]['cssclass'] = "line2"; $content['fields'][$mycolkey]['cssclassfont'] = "line2"; } if ($mycolkey == SYSLOG_MESSAGE) { $content['fields'][$mycolkey]['menucssclass'] = "cellmenu1_naked"; } else { $content['fields'][$mycolkey]['menucssclass'] = "cellmenu1"; } // --- // Set defaults $content['fields'][$mycolkey]['fieldbgcolor'] = ""; $content['fields'][$mycolkey]['hasdetails'] = "false"; if ($content['fields'][$mycolkey]['FieldType'] == FILTER_TYPE_DATE) { $content['fields'][$mycolkey]['fieldvalue'] = GetFormatedDate($logArray[$mycolkey]); // TODO: Show more! } else { if ($content['fields'][$mycolkey]['FieldType'] == FILTER_TYPE_NUMBER) { $content['fields'][$mycolkey]['fieldvalue'] = $logArray[$mycolkey]; // Special style classes and colours for SYSLOG_FACILITY if ($mycolkey == SYSLOG_FACILITY) { // if ( isset($logArray[$mycolkey][SYSLOG_FACILITY]) && strlen($logArray[$mycolkey][SYSLOG_FACILITY]) > 0) if (isset($logArray[$mycolkey]) && is_numeric($logArray[$mycolkey])) { $content['fields'][$mycolkey]['fieldbgcolor'] = 'bgcolor="' . $facility_colors[$logArray[SYSLOG_FACILITY]] . '" '; $content['fields'][$mycolkey]['cssclass'] = "lineColouredBlack"; // Set Human readable Facility! $content['fields'][$mycolkey]['fieldvalue'] = GetFacilityDisplayName($logArray[$mycolkey]); } else { // Use default colour! $content['fields'][$mycolkey]['fieldbgcolor'] = 'bgcolor="' . $facility_colors[SYSLOG_LOCAL0] . '" ';
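/**
 * Consolidates the Windows event records of every host in $arrHosts.
 *
 * For each host the stream is filtered to event-report records
 * (IUT_NT_EventReport / IUT_WEVTMONV2) of that host and grouped by
 * MISC_CHECKSUM via ConsolidateDataByField(). The per-host result is stored
 * in $content["report_consdata"][host]['cons_events'], sorted by item count,
 * cut down to _maxEventsPerHost (one summary row counts the dropped rest)
 * and finally enriched with formatted dates and severity display data.
 *
 * @param array $arrHosts host names to report on, one result block per host
 * @return int SUCCESS in every case; a failed stream Open() just leaves
 *             $content["report_consdata"] untouched
 */
private function ConsolidateEventsPerHost($arrHosts)
{
    global $content, $gl_starttime, $fields;

    // Open the stream for data processing
    $res = $this->_streamObj->Open($this->_arrProperties, true);
    if ($res == SUCCESS) {
        // TimeStats
        $nowtime = microtime_float();
        $content["report_rendertime"] .= number_format($nowtime - $gl_starttime, 2, '.', '') . "s ";

        // The consolidation below groups on MISC_CHECKSUM, so make sure every
        // record carries one before the per-host filtering starts.
        $this->_streamObj->UpdateAllMessageChecksum();

        // TimeStats
        $nowtime = microtime_float();
        $content["report_rendertime"] .= number_format($nowtime - $gl_starttime, 2, '.', '') . "s ";

        foreach ($arrHosts as $myHost) {
            // Restrict the stream to event-report records of this single host
            $this->_streamObj->ResetFilters();
            $this->_streamObj->SetFilter($this->_filterString . " " . $fields[SYSLOG_MESSAGETYPE]['SearchField'] . ":=" . IUT_NT_EventReport . ",=" . IUT_WEVTMONV2);
            $this->_streamObj->RemoveFilters(SYSLOG_HOST);
            $this->_streamObj->AppendFilter($fields[SYSLOG_HOST]['SearchField'] . ":=" . $myHost);

            // Host item basics
            $content["report_consdata"][$myHost][SYSLOG_HOST] = $myHost;

            // Consolidated data for this single host
            $consEvents = $this->_streamObj->ConsolidateDataByField(MISC_CHECKSUM, $this->_maxEventsPerHost, MISC_CHECKSUM, SORTING_ORDER_DESC, null, true, true);

            // A non-array result (the syslog variant of this report treats it as an
            // error value) would break foreach/uasort/count below, so log it and
            // continue with an empty list instead of aborting the whole report.
            if (!is_array($consEvents)) {
                OutputDebugMessage("Failed consolidating data for '" . $myHost . "' with error " . $consEvents, DEBUG_ERROR);
                $consEvents = array();
            }

            foreach ($consEvents as &$myConsData) {
                // Unknown severities fall back to NOTICE so the display lookup below succeeds
                if (!isset($content['filter_severity_list'][$myConsData[SYSLOG_SEVERITY]])) {
                    $myConsData[SYSLOG_SEVERITY] = SYSLOG_NOTICE;
                }
            }
            unset($myConsData); // drop the foreach reference before the variable is reused

            $content["report_consdata"][$myHost]['cons_events'] = $consEvents;
        }

        // TimeStats
        $nowtime = microtime_float();
        $content["report_rendertime"] .= number_format($nowtime - $gl_starttime, 2, '.', '') . "s ";

        // Note: the former record-by-record loop (crc32 of the message as
        // consolidation key, counters and first/last dates maintained by hand)
        // has been replaced by UpdateAllMessageChecksum() + ConsolidateDataByField().

        // --- Start Postprocessing
        if (isset($content["report_consdata"])) {
            foreach ($content["report_consdata"] as &$tmpConsolidatedComputer) {
                // Most frequent events first
                uasort($tmpConsolidatedComputer['cons_events'], "MultiSortArrayByItemCountDesc");

                // Remove entries according to _maxEventsPerHost; array_pop keeps the
                // checksum keys of the remaining entries intact.
                if (count($tmpConsolidatedComputer['cons_events']) > $this->_maxEventsPerHost) {
                    $iDropCount = 0;
                    do {
                        array_pop($tmpConsolidatedComputer['cons_events']);
                        $iDropCount++;
                    } while (count($tmpConsolidatedComputer['cons_events']) > $this->_maxEventsPerHost);

                    // Append a summary entry which shows the count of all other events.
                    // The formatting loop below reads 'firstoccurrence_date' /
                    // 'lastoccurrence_date', so the summary row has to provide them too
                    // (the older FirstEvent_Date/LastEvent_Date keys are kept for templates).
                    if ($iDropCount > 0) {
                        $tmpConsolidatedComputer['cons_events'][] = array(
                            SYSLOG_SEVERITY => SYSLOG_NOTICE,
                            SYSLOG_EVENT_ID => "-",
                            SYSLOG_EVENT_SOURCE => $content['LN_GEN_ALL_OTHER_EVENTS'],
                            SYSLOG_MESSAGE => $content['LN_GEN_ALL_OTHER_EVENTS'],
                            'itemcount' => $iDropCount,
                            'FirstEvent_Date' => "-",
                            'LastEvent_Date' => "-",
                            'firstoccurrence_date' => "-",
                            'lastoccurrence_date' => "-",
                        );
                    }
                }

                // TimeStats
                $nowtime = microtime_float();
                $content["report_rendertime"] .= number_format($nowtime - $gl_starttime, 2, '.', '') . "s ";

                // PostProcess Events: formatted dates and severity display data
                foreach ($tmpConsolidatedComputer["cons_events"] as &$tmpMyEvent) {
                    $tmpMyEvent['FirstEvent_Date_Formatted'] = GetFormatedDate($tmpMyEvent['firstoccurrence_date']);
                    $tmpMyEvent['LastEvent_Date_Formatted'] = GetFormatedDate($tmpMyEvent['lastoccurrence_date']);
                    $tmpMyEvent['syslogseverity_text'] = $content['filter_severity_list'][$tmpMyEvent['syslogseverity']]["DisplayName"];
                    $tmpMyEvent['syslogseverity_bgcolor'] = $this->GetSeverityBGColor($tmpMyEvent['syslogseverity']);
                }
                unset($tmpMyEvent);
            }
            unset($tmpConsolidatedComputer);
        }
        // ---
    }

    // Work done!
    return SUCCESS;
}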
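/**
 * Builds the audit summary: one consolidated event group per enabled
 * _events_* option plus the per-user / per-host detail tables.
 *
 * Every enabled group ends up in $content["report_consdata"][key] with
 * 'cons_events' (result of ConsolidateAuditSummaryByIDs), 'DataCaption'
 * (language text) and 'cons_count'; the groups are then sorted by item count
 * and given formatted dates and severity display data. The detail tables go
 * to $content["report_detaildata_users"] / ["report_detaildata_hosts"].
 *
 * @return int SUCCESS in every case; a failed stream Open() leaves the
 *             report data untouched
 */
private function Consolidateauditsummarys()
{
    global $content, $gl_starttime, $fields;

    // Open the stream for data processing
    $res = $this->_streamObj->Open($this->_arrProperties, true);
    if ($res == SUCCESS) {
        // TimeStats
        $nowtime = microtime_float();
        $content["report_rendertime"] .= number_format($nowtime - $gl_starttime, 2, '.', '') . "s ";

        // Checksums are not needed here, grouping is done by event id / user / host:
        // $this->_streamObj->UpdateAllMessageChecksum();

        // TimeStats
        $nowtime = microtime_float();
        $content["report_rendertime"] .= number_format($nowtime - $gl_starttime, 2, '.', '') . "s ";

        // Event groups in report order: enable flag, result key, Windows event ids
        // (old and new eventlog API) and the language key of the caption.
        // NOTE(review): the audit policy list carries spaces after the commas,
        // unlike all other lists - confirm ConsolidateAuditSummaryByIDs() trims them.
        $eventGroups = array(
            array($this->_events_logon, "logon", "528,4624", "ln_report_logonevents"),
            array($this->_events_logoff, "logoff", "538,4634", "ln_report_logoffevents"),
            array($this->_events_logonfail, "logonfail", "529,530,531,532,533,534,535,536,537,4625,4626,4627,4628,4629,4630,4631,4632,4633", "ln_report_logonfailevents"),
            array($this->_events_policychangeevents, "auditpolchanged", "617,618,619,643,4713,4714,4715,4719,4739", "ln_report_policychangeevents"),
            array($this->_events_objectaccess, "objectaccess", "567,4663", "ln_report_objectaccessevents"),
            array($this->_events_systemevents, "systemevents", "512,513,520,4108,4109,4616,4697", "ln_report_systemevents"),
            array($this->_events_hostsessionevents, "hostsessionevents", "682,683,4778,4779", "ln_report_hostsessionevents"),
            array($this->_events_useraccchangeevents, "useraccchangeevents", "642", "ln_report_useraccchangeevents"),
            array($this->_events_auditpolicychangesevents, "auditpolicychangeevents", "612, 807, 4719, 4912", "ln_report_auditpolicychangeevents"),
        );

        foreach ($eventGroups as $eventGroup) {
            list($enabled, $groupKey, $eventIDs, $captionKey) = $eventGroup;
            if ($enabled != 1) {
                continue;
            }

            $consEvents = $this->ConsolidateAuditSummaryByIDs($eventIDs, $captionKey);
            $content["report_consdata"][$groupKey]['cons_events'] = $consEvents;
            $content["report_consdata"][$groupKey]['DataCaption'] = $content[$captionKey];
            // count() on a non-array result would abort the whole report on PHP 8
            $content["report_consdata"][$groupKey]['cons_count'] = is_array($consEvents) ? count($consEvents) : 0;
        }

        // --- Individual User Actions
        if ($this->_events_useractions == 1) {
            $content["report_detaildata_users"] = $this->ConsolidateAuditSummaryByField(SYSLOG_EVENT_USER, "ln_report_individualuseractions");
            $content["report_detaildata_users_caption"] = $content["ln_report_individualuseractions"];
            $content["report_detaildata_users_cons_count"] = is_array($content["report_detaildata_users"]) ? count($content["report_detaildata_users"]) : 0;
        }

        // --- Individual Host Actions
        if ($this->_events_hostactions == 1) {
            $content["report_detaildata_hosts"] = $this->ConsolidateAuditSummaryByField(SYSLOG_HOST, "ln_report_individualhostactions");
            $content["report_detaildata_hosts_caption"] = $content["ln_report_individualhostactions"];
            $content["report_detaildata_hosts_cons_count"] = is_array($content["report_detaildata_hosts"]) ? count($content["report_detaildata_hosts"]) : 0;
        }

        // --- Start Postprocessing
        if (isset($content["report_consdata"])) {
            foreach ($content["report_consdata"] as &$tmpConsolidatedData) {
                // Only process groups that actually got events
                if (!is_array($tmpConsolidatedData['cons_events']) || count($tmpConsolidatedData['cons_events']) == 0) {
                    continue;
                }

                // Most frequent events first
                uasort($tmpConsolidatedData['cons_events'], "MultiSortArrayByItemCountDesc");

                // TimeStats
                $nowtime = microtime_float();
                $content["report_rendertime"] .= number_format($nowtime - $gl_starttime, 2, '.', '') . "s ";

                // PostProcess Events: formatted dates and severity display data
                foreach ($tmpConsolidatedData["cons_events"] as &$tmpMyEvent) {
                    $tmpMyEvent['FirstEvent_Date_Formatted'] = GetFormatedDate($tmpMyEvent['firstoccurrence_date']);
                    $tmpMyEvent['LastEvent_Date_Formatted'] = GetFormatedDate($tmpMyEvent['lastoccurrence_date']);
                    $tmpMyEvent['syslogseverity_text'] = $content['filter_severity_list'][$tmpMyEvent['syslogseverity']]["DisplayName"];
                    $tmpMyEvent['syslogseverity_bgcolor'] = $this->GetSeverityBGColor($tmpMyEvent['syslogseverity']);
                }
                unset($tmpMyEvent);
            }
            unset($tmpConsolidatedData);
        }

        // Sort the per-user detail table as well (the per-host table is left in
        // stream order, as before - presumably intentional, confirm).
        if (isset($content["report_detaildata_users"]) && is_array($content["report_detaildata_users"]) && count($content["report_detaildata_users"]) > 0) {
            uasort($content["report_detaildata_users"], "MultiSortArrayByItemCountDesc");
        }
        // ---
    }

    // Work done!
    return SUCCESS;
}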
/**
 * Read the next record from the DB backed stream, honouring the buffered
 * record window and (per the original author) the current read direction.
 *
 * Records are served from $this->bufferedRecords; when the buffer is empty or
 * the current record number lies outside it, a new window is fetched via
 * ReadNextRecordsFromDB(). Mapped properties (per $dbmapping for the
 * configured DBTableType) are copied into $arrProperitesOut, date fields are
 * normalised (MongoDate objects or GetEventTime()), unmapped columns are added
 * as dynamic fields, and the configured message parsers run on SYSLOG_MESSAGE.
 * The loop repeats until a record passes ApplyFilters() or an error occurs.
 *
 * Hint: If the current stream becomes unavailable an error state is
 * returned. A typical case is if a log rotation changed the original data
 * source.
 *
 * @param uID integer out: uID of the returned data row (taken from the
 *            SYSLOG_UID column mapping)
 * @param arrProperitesOut array out: properties of the returned record
 * @param bParseMessage boolean accepted for interface compatibility; not
 *            referenced anywhere in this implementation
 * @return integer SUCCESS, ERROR_NOMORERECORDS, ERROR_MSG_SKIPMESSAGE (a
 *            parser asked to skip the record), ERROR_FILE_NOMORETIME (script
 *            execution time nearly exhausted) or the error code of
 *            ReadNextRecordsFromDB()
 * @see ReadNext
 */
public function ReadNext(&$uID, &$arrProperitesOut, $bParseMessage = true)
{
    // Helpers needed for DB Mapping
    global $content, $gl_starttime;
    global $dbmapping, $fields;
    $szTableType = $this->_logStreamConfigObj->DBTableType;

    // define $ret
    $ret = SUCCESS;

    do {
        // No buffer? then read from DB! (== null also matches an empty array)
        if ($this->bufferedRecords == null) {
            $ret = $this->ReadNextRecordsFromDB($uID);
        } else {
            if (!isset($this->bufferedRecords[$this->_currentRecordNum])) {
                // We need to load new records, so clear the old ones first!
                $this->ResetBufferedRecords();

                // Set new Record start, will be used in the SQL Statement!
                $this->_currentRecordStart = $this->_currentRecordNum; // + 1;

                // Now read new ones
                $ret = $this->ReadNextRecordsFromDB($uID);

                // Check if we found more records
                if (!isset($this->bufferedRecords[$this->_currentRecordNum])) {
                    $ret = ERROR_NOMORERECORDS;
                }
            }
        }

        // NOTE(review): the record counter is only advanced inside this branch;
        // with _arrProperties == null the same buffered record would be revisited
        // on every iteration - confirm callers always set the property list.
        if ($ret == SUCCESS && $this->_arrProperties != null) {
            // Init and set variables
            foreach ($this->_arrProperties as $property) {
                // Check if mapping exists
                if (isset($dbmapping[$szTableType]['DBMAPPINGS'][$property])) {
                    // Copy property if available!
                    $dbfieldname = $dbmapping[$szTableType]['DBMAPPINGS'][$property];
                    if (isset($this->bufferedRecords[$this->_currentRecordNum][$dbfieldname])) {
                        if (isset($fields[$property]['FieldType']) && $fields[$property]['FieldType'] == FILTER_TYPE_DATE) {
                            $myDateField = $this->bufferedRecords[$this->_currentRecordNum][$dbfieldname];
                            if (gettype($myDateField) == "object" && get_class($myDateField) == "MongoDate") {
                                // Legacy Mongo driver date: split into timestamp / offset / microseconds
                                $arrProperitesOut[$property][EVTIME_TIMESTAMP] = $myDateField->sec;
                                $arrProperitesOut[$property][EVTIME_TIMEZONE] = date('O'); // Get default Offset
                                $arrProperitesOut[$property][EVTIME_MICROSECONDS] = $myDateField->usec;
                            } else {
                                // Try to parse Date!
                                $arrProperitesOut[$property] = GetEventTime($myDateField);
                            }
                        } else {
                            $arrProperitesOut[$property] = $this->bufferedRecords[$this->_currentRecordNum][$dbfieldname];
                        }
                    } else {
                        // Mapped column missing or null in this row
                        $arrProperitesOut[$property] = '';
                    }
                } else {
                    // No DB mapping for this property
                    $arrProperitesOut[$property] = '';
                    // echo $property . "=" . $this->bufferedRecords[$this->_currentRecordNum][$dbfieldname];
                }
            }

            // --- Add dynamic fields into record!
            // Every non-empty column that is neither already set nor part of the
            // table mapping is copied as-is (no escaping happens here).
            // NOTE(review): strlen() on a non-string column relies on PHP's string
            // coercion (objects need __toString) - confirm for the backend in use.
            foreach ($this->bufferedRecords[$this->_currentRecordNum] as $propName => $propValue) {
                if (!isset($arrProperitesOut[$propName]) && !$this->CheckFieldnameInMapping($szTableType, $propName) && (isset($propValue) && strlen($propValue) > 0)) {
                    // Add dynamic Property!
                    if (gettype($propValue) == "object" && get_class($propValue) == "MongoDate") {
                        // Handle Date fields
                        $arrProperitesOut[$propName] = GetFormatedDate($propValue->sec);
                    } else {
                        // Default handling
                        $arrProperitesOut[$propName] = $propValue;
                    }
                }
            }
            // ---

            // Run optional Message Parsers now
            if (isset($arrProperitesOut[SYSLOG_MESSAGE])) {
                $retParser = $this->_logStreamConfigObj->ProcessMsgParsers($arrProperitesOut[SYSLOG_MESSAGE], $arrProperitesOut);

                // Check if we have to skip the message! A skip code ends the
                // do/while loop below ($ret != SUCCESS) and is returned to the caller.
                if ($retParser == ERROR_MSG_SKIPMESSAGE) {
                    $ret = $retParser;
                }
            }

            // Set uID to the PropertiesOut!
            //DEBUG -> $this->_currentRecordNum;
            $uID = $arrProperitesOut[SYSLOG_UID] = $this->bufferedRecords[$this->_currentRecordNum][$dbmapping[$szTableType]['DBMAPPINGS'][SYSLOG_UID]];

            // Increment $_currentRecordNum
            $this->_currentRecordNum++;
        }

        // Check how long we are running. If only two seconds of execution time are left, we abort further reading!
        $scriptruntime = intval(microtime_float() - $gl_starttime);
        if ($content['MaxExecutionTime'] > 0 && $scriptruntime > $content['MaxExecutionTime'] - 2) {
            // This may display a warning message, so the user knows we stopped reading records because of the script timeout.
            // NOTE(review): the flag is the string "false", as elsewhere in this code base - confirm the template compares it as a string.
            $content['logstream_warning'] = "false";
            $content['logstream_warning_details'] = $content['LN_WARNING_LOGSTREAMDISK_TIMEOUT'];
            $content['logstream_warning_code'] = ERROR_FILE_NOMORETIME;

            // Return error code
            return ERROR_FILE_NOMORETIME;
        }

        // This additional filter check will take care on dynamic fields from the message parser!
    } while ($this->ApplyFilters($ret, $arrProperitesOut) != SUCCESS && $ret == SUCCESS);

    // reached here means return result!
    return $ret;
}
foreach ($content['Columns'] as $mycolkey) { if (isset($fields[$mycolkey]) && isset($logArray[$mycolkey])) { // Set defaults $content['syslogmessages'][$counter]['values'][$mycolkey]['FieldColumn'] = $mycolkey; $content['syslogmessages'][$counter]['values'][$mycolkey]['uid'] = $uID; $content['syslogmessages'][$counter]['values'][$mycolkey]['FieldAlign'] = $fields[$mycolkey]['FieldAlign']; $content['syslogmessages'][$counter]['values'][$mycolkey]['fieldcssclass'] = $content['syslogmessages'][$counter]['cssclass']; $content['syslogmessages'][$counter]['values'][$mycolkey]['fieldbgcolor'] = ""; $content['syslogmessages'][$counter]['values'][$mycolkey]['isnowrap'] = "nowrap"; $content['syslogmessages'][$counter]['values'][$mycolkey]['hasdetails'] = "false"; $content['syslogmessages'][$counter]['values'][$mycolkey]['detailimagealign'] = "TOP"; // Set default link $content['syslogmessages'][$counter]['values'][$mycolkey]['detaillink'] = "#"; // Now handle fields types differently if ($content['fields'][$mycolkey]['FieldType'] == FILTER_TYPE_DATE) { $content['syslogmessages'][$counter]['values'][$mycolkey]['fieldvalue'] = GetFormatedDate($logArray[$mycolkey]); } else { if ($content['fields'][$mycolkey]['FieldType'] == FILTER_TYPE_NUMBER) { $content['syslogmessages'][$counter]['values'][$mycolkey]['fieldvalue'] = $logArray[$mycolkey]; // Special style classes and colours for SYSLOG_FACILITY if ($mycolkey == SYSLOG_FACILITY) { // if ( isset($logArray[$mycolkey][SYSLOG_FACILITY]) && strlen($logArray[$mycolkey][SYSLOG_FACILITY]) > 0) if (isset($logArray[$mycolkey]) && is_numeric($logArray[$mycolkey])) { $content['syslogmessages'][$counter]['values'][$mycolkey]['fieldbgcolor'] = 'bgcolor="' . $facility_colors[$logArray[SYSLOG_FACILITY]] . '" '; $content['syslogmessages'][$counter]['values'][$mycolkey]['fieldcssclass'] = "lineColouredBlack"; // Set Human readable Facility! 
$content['syslogmessages'][$counter]['values'][$mycolkey]['fieldvalue'] = GetFacilityDisplayName($logArray[$mycolkey]); } else { // Use default colour! $content['syslogmessages'][$counter]['values'][$mycolkey]['fieldbgcolor'] = 'bgcolor="' . $facility_colors[SYSLOG_LOCAL0] . '" '; }
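/**
 * Consolidates the syslog messages of every host in $arrHosts.
 *
 * Per host the stream is filtered to IUT_Syslog records of that host and
 * grouped by MISC_CHECKSUM; the result is stored in
 * $content["report_consdata"][host]['cons_msgs'], sorted by item count,
 * truncated to _maxMsgsPerHost (a summary row counts the dropped rest) and
 * enriched with formatted dates, facility/severity display data and an
 * HTML-escaped copy of the message ('htmlmsg').
 *
 * @param array $arrHosts host names to report on, one result block per host
 * @return int SUCCESS in every case; a failed stream Open() just leaves
 *             $content["report_consdata"] untouched
 */
private function ConsolidateSyslogmessagesPerHost($arrHosts)
{
    global $content, $gl_starttime, $fields;

    // Open the stream for data processing
    $res = $this->_streamObj->Open($this->_arrProperties, true);
    if ($res == SUCCESS) {
        // TimeStats
        $nowtime = microtime_float();
        $content["report_rendertime"] .= number_format($nowtime - $gl_starttime, 2, '.', '') . "s ";

        // The consolidation below groups on MISC_CHECKSUM, so make sure every
        // record carries one before the per-host filtering starts.
        $this->_streamObj->UpdateAllMessageChecksum();

        // TimeStats
        $nowtime = microtime_float();
        $content["report_rendertime"] .= number_format($nowtime - $gl_starttime, 2, '.', '') . "s ";

        foreach ($arrHosts as $myHost) {
            // Restrict the stream to syslog records of this single host
            $this->_streamObj->ResetFilters();
            $this->_streamObj->SetFilter($this->_filterString . " " . $fields[SYSLOG_MESSAGETYPE]['SearchField'] . ":=" . IUT_Syslog);
            $this->_streamObj->RemoveFilters(SYSLOG_HOST);
            $this->_streamObj->AppendFilter($fields[SYSLOG_HOST]['SearchField'] . ":=" . $myHost);

            // Host item basics
            $content["report_consdata"][$myHost][SYSLOG_HOST] = $myHost;

            // Consolidated data for this single host
            $consMsgs = $this->_streamObj->ConsolidateDataByField(MISC_CHECKSUM, $this->_maxMsgsPerHost, MISC_CHECKSUM, SORTING_ORDER_DESC, null, true, true);

            if (is_array($consMsgs)) {
                foreach ($consMsgs as &$myConsData) {
                    // Unknown facilities/severities fall back to LOCAL0/NOTICE so the
                    // display lookups below succeed
                    if (!isset($content['filter_facility_list'][$myConsData[SYSLOG_FACILITY]])) {
                        $myConsData[SYSLOG_FACILITY] = SYSLOG_LOCAL0;
                    }
                    if (!isset($content['filter_severity_list'][$myConsData[SYSLOG_SEVERITY]])) {
                        $myConsData[SYSLOG_SEVERITY] = SYSLOG_NOTICE;
                    }
                }
                unset($myConsData); // drop the foreach reference before the variable is reused
            } else {
                // Write to debuglog and continue with an empty list so the
                // postprocessing below does not choke on a non-array value
                OutputDebugMessage("Failed consolidating data for '" . $myHost . "' with error " . $consMsgs, DEBUG_ERROR);
                $consMsgs = array();
            }

            $content["report_consdata"][$myHost]['cons_msgs'] = $consMsgs;
        }

        // TimeStats
        $nowtime = microtime_float();
        $content["report_rendertime"] .= number_format($nowtime - $gl_starttime, 2, '.', '') . "s ";

        // --- Start Postprocessing
        if (isset($content["report_consdata"])) {
            foreach ($content["report_consdata"] as &$tmpConsolidatedComputer) {
                // Most frequent messages first
                uasort($tmpConsolidatedComputer['cons_msgs'], "MultiSortArrayByItemCountDesc");

                // Remove entries according to _maxMsgsPerHost; array_pop keeps the
                // checksum keys of the remaining entries intact.
                if (count($tmpConsolidatedComputer['cons_msgs']) > $this->_maxMsgsPerHost) {
                    $iDropCount = 0;
                    do {
                        array_pop($tmpConsolidatedComputer['cons_msgs']);
                        $iDropCount++;
                    } while (count($tmpConsolidatedComputer['cons_msgs']) > $this->_maxMsgsPerHost);

                    // Append a summary entry which shows the count of all other messages
                    if ($iDropCount > 0) {
                        $tmpConsolidatedComputer['cons_msgs'][] = array(
                            SYSLOG_SEVERITY => SYSLOG_NOTICE,
                            SYSLOG_FACILITY => SYSLOG_LOCAL0,
                            SYSLOG_SYSLOGTAG => $content['LN_GEN_ALL_OTHER_EVENTS'],
                            SYSLOG_MESSAGE => $content['LN_GEN_ALL_OTHER_EVENTS'],
                            'itemcount' => $iDropCount,
                            'firstoccurrence_date' => "-",
                            'lastoccurrence_date' => "-",
                        );
                    }
                }

                // TimeStats
                $nowtime = microtime_float();
                $content["report_rendertime"] .= number_format($nowtime - $gl_starttime, 2, '.', '') . "s ";

                // PostProcess messages: formatted dates, display names, colours, escaped message
                foreach ($tmpConsolidatedComputer["cons_msgs"] as &$tmpMyEvent) {
                    $tmpMyEvent['FirstOccurrence_Date_Formatted'] = GetFormatedDate($tmpMyEvent['firstoccurrence_date']);
                    $tmpMyEvent['LastOccurrence_Date_Formatted'] = GetFormatedDate($tmpMyEvent['lastoccurrence_date']);
                    $tmpMyEvent['syslogseverity_text'] = $this->GetSeverityDisplayName($tmpMyEvent['syslogseverity']);
                    $tmpMyEvent['syslogfacility_text'] = $this->GetFacilityDisplayName($tmpMyEvent['syslogfacility']);
                    $tmpMyEvent['syslogseverity_bgcolor'] = $this->GetSeverityBGColor($tmpMyEvent['syslogseverity']);
                    // NOTE(review): the facility colour is looked up through the *severity*
                    // colour function, as in the original - confirm this is intended (no
                    // facility variant of the helper is visible here).
                    $tmpMyEvent['syslogfacility_bgcolor'] = $this->GetSeverityBGColor($tmpMyEvent['syslogfacility']);
                    // Escape the untrusted log message for HTML output. The flags are
                    // explicit because the defaults differ by PHP version: without
                    // ENT_SUBSTITUTE an invalid UTF-8 sequence makes htmlspecialchars()
                    // return "" (the message silently disappears from the report) and
                    // without ENT_QUOTES single quotes stay unescaped before PHP 8.1.
                    $tmpMyEvent['htmlmsg'] = htmlspecialchars($tmpMyEvent[SYSLOG_MESSAGE], ENT_QUOTES | ENT_SUBSTITUTE);
                }
                unset($tmpMyEvent);
            }
            unset($tmpConsolidatedComputer);
        }
        // ---
    }

    // Work done!
    return SUCCESS;
}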
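/**
 * Consolidates Windows logon (event ids 528/4624) and logoff (538/4634)
 * records per user.
 *
 * Both groups are stored in $content["report_consdata"]['logon'] and
 * ['logoff'] as 'cons_events' (grouped by SYSLOG_EVENT_USER, at most
 * _maxLogOnLogOffsPerHost entries) with a 'DataCaption', then sorted by item
 * count and enriched with formatted dates and severity display data.
 *
 * @return int SUCCESS in every case; a failed stream Open() leaves the
 *             report data untouched
 */
private function ConsolidateLogonLogoffs()
{
    global $content, $gl_starttime, $fields;

    // Open the stream for data processing
    $res = $this->_streamObj->Open($this->_arrProperties, true);
    if ($res == SUCCESS) {
        // TimeStats
        $nowtime = microtime_float();
        $content["report_rendertime"] .= number_format($nowtime - $gl_starttime, 2, '.', '') . "s ";

        // Checksums are not needed here, grouping is done by user:
        // $this->_streamObj->UpdateAllMessageChecksum();

        // TimeStats
        $nowtime = microtime_float();
        $content["report_rendertime"] .= number_format($nowtime - $gl_starttime, 2, '.', '') . "s ";

        // Event groups in report order: result key => event ids (old and new
        // eventlog API) and caption.
        // NOTE(review): captions are literal English here while the audit summary
        // report takes them from $content language keys - left unchanged because
        // matching language keys for this report are not visible.
        $eventGroups = array(
            "logon" => array("528,4624", "Logon Events"),
            "logoff" => array("538,4634", "Logoff Events"),
        );

        foreach ($eventGroups as $groupKey => $groupDef) {
            list($eventIDs, $caption) = $groupDef;

            // Restrict the stream to event-report records with these event ids
            $this->_streamObj->ResetFilters();
            $this->_streamObj->SetFilter($this->_filterString . " " . $fields[SYSLOG_MESSAGETYPE]['SearchField'] . ":=" . IUT_NT_EventReport . ",=" . IUT_WEVTMONV2 . " " . $fields[SYSLOG_EVENT_ID]['SearchField'] . ":=" . $eventIDs);

            $consEvents = $this->_streamObj->ConsolidateDataByField(SYSLOG_EVENT_USER, $this->_maxLogOnLogOffsPerHost, SYSLOG_EVENT_USER, SORTING_ORDER_DESC, null, true, true);

            // A non-array result (the syslog report treats it as an error value) would
            // break foreach/uasort below, so log it and continue with an empty list.
            if (!is_array($consEvents)) {
                OutputDebugMessage("Failed consolidating " . $groupKey . " data with error " . $consEvents, DEBUG_ERROR);
                $consEvents = array();
            }

            foreach ($consEvents as &$myConsData) {
                // Unknown severities fall back to NOTICE so the display lookup below succeeds
                if (!isset($content['filter_severity_list'][$myConsData[SYSLOG_SEVERITY]])) {
                    $myConsData[SYSLOG_SEVERITY] = SYSLOG_NOTICE;
                }
            }
            unset($myConsData); // drop the foreach reference before the variable is reused

            $content["report_consdata"][$groupKey]['cons_events'] = $consEvents;
            $content["report_consdata"][$groupKey]['DataCaption'] = $caption;
        }

        // TimeStats
        $nowtime = microtime_float();
        $content["report_rendertime"] .= number_format($nowtime - $gl_starttime, 2, '.', '') . "s ";

        // --- Start Postprocessing
        if (isset($content["report_consdata"])) {
            foreach ($content["report_consdata"] as &$tmpConsolidatedData) {
                // Most frequent entries first; no truncation here, the limit is
                // already applied by ConsolidateDataByField()
                uasort($tmpConsolidatedData['cons_events'], "MultiSortArrayByItemCountDesc");

                // TimeStats
                $nowtime = microtime_float();
                $content["report_rendertime"] .= number_format($nowtime - $gl_starttime, 2, '.', '') . "s ";

                // PostProcess Events: formatted dates and severity display data
                foreach ($tmpConsolidatedData["cons_events"] as &$tmpMyEvent) {
                    $tmpMyEvent['FirstEvent_Date_Formatted'] = GetFormatedDate($tmpMyEvent['firstoccurrence_date']);
                    $tmpMyEvent['LastEvent_Date_Formatted'] = GetFormatedDate($tmpMyEvent['lastoccurrence_date']);
                    $tmpMyEvent['syslogseverity_text'] = $content['filter_severity_list'][$tmpMyEvent['syslogseverity']]["DisplayName"];
                    $tmpMyEvent['syslogseverity_bgcolor'] = $this->GetSeverityBGColor($tmpMyEvent['syslogseverity']);
                }
                unset($tmpMyEvent);
            }
            unset($tmpConsolidatedData);
        }
        // ---
    }

    // Work done!
    return SUCCESS;
}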
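/**
 * Fills the $content variables shared by all reports: title, comment,
 * version, generation time and a human readable list of the active stream
 * filters ($content["report_filters"], one entry per filter with FieldID,
 * FilterCaption, FilterType and FilterDisplay). Date filters are
 * additionally appended to the report title.
 *
 * NOTE(review): FilterDisplay and the title embed the raw filter value; no
 * escaping happens here, so the report template has to escape them for its
 * output format.
 */
public function SetCommonContentVariables()
{
    global $content, $fields;

    $content["report_title"] = $this->GetCustomTitle();
    $content["report_comment"] = $this->GetCustomComment();
    $content["report_version"] = $this->GetReportVersion();
    $content["report_gentime"] = date(DATE_RFC822);

    // Create array for readable filters display
    $myFilters = $this->_streamObj->ReturnFiltersArray();
    if ($myFilters == null) {
        // Disable display of filters
        $content["report_filters_enabled"] = false;
        return;
    }

    // Enable display of filters
    $content["report_filters_enabled"] = true;

    foreach ($myFilters as $myFieldID => $myFieldFilters) {
        // Init Filterstring entry
        $aNewDisplayFilter = array();
        $aNewDisplayFilter['FilterDisplay'] = "";
        $aNewDisplayFilter['FieldID'] = $myFieldID;
        if (isset($fields[$myFieldID]['FieldCaption'])) {
            $aNewDisplayFilter['FilterCaption'] = $fields[$myFieldID]['FieldCaption'];
        } else {
            $aNewDisplayFilter['FilterCaption'] = $myFieldID;
        }

        foreach ($myFieldFilters as $tmpFilter) {
            // Reset per filter: a filter with an unknown type or date mode must
            // not re-use (and re-emit) the display text of the previous one.
            $aNewDisplayFilter['FilterDisplay'] = "";

            if ($myFieldID == SYSLOG_DATE) {
                // Date field means special handling!
                $aNewDisplayFilter['FilterType'] = $content['LN_REPORT_FILTERTYPE_DATE'];

                if ($tmpFilter[FILTER_DATEMODE] == DATEMODE_LASTX) {
                    $aNewDisplayFilter['FilterDisplay'] = $content['LN_FILTER_DATELASTX'] . " ";
                    switch ($tmpFilter[FILTER_VALUE]) {
                        case DATE_LASTX_HOUR:
                            $aNewDisplayFilter['FilterDisplay'] .= "'" . $content['LN_DATE_LASTX_HOUR'] . "'";
                            break;
                        case DATE_LASTX_12HOURS:
                            $aNewDisplayFilter['FilterDisplay'] .= "'" . $content['LN_DATE_LASTX_12HOURS'] . "'";
                            break;
                        case DATE_LASTX_24HOURS:
                            $aNewDisplayFilter['FilterDisplay'] .= "'" . $content['LN_DATE_LASTX_24HOURS'] . "'";
                            break;
                        case DATE_LASTX_7DAYS:
                            $aNewDisplayFilter['FilterDisplay'] .= "'" . $content['LN_DATE_LASTX_7DAYS'] . "'";
                            break;
                        case DATE_LASTX_31DAYS:
                            $aNewDisplayFilter['FilterDisplay'] .= "'" . $content['LN_DATE_LASTX_31DAYS'] . "'";
                            break;
                    }
                } elseif ($tmpFilter[FILTER_DATEMODE] == DATEMODE_RANGE_FROM) {
                    $aNewDisplayFilter['FilterDisplay'] = $content["LN_FILTER_DATEFROM"] . " " . GetFormatedDate($tmpFilter[FILTER_VALUE]);
                } elseif ($tmpFilter[FILTER_DATEMODE] == DATEMODE_RANGE_TO) {
                    $aNewDisplayFilter['FilterDisplay'] = $content["LN_FILTER_DATETO"] . " " . GetFormatedDate($tmpFilter[FILTER_VALUE]);
                }

                // Add to title - only when there is something to add, otherwise an
                // unknown date mode would leave a bare " - " in the title
                if (strlen($aNewDisplayFilter['FilterDisplay']) > 0) {
                    $content["report_title"] .= " - " . $aNewDisplayFilter['FilterDisplay'];
                }
            } elseif ($tmpFilter[FILTER_TYPE] == FILTER_TYPE_STRING) {
                $aNewDisplayFilter['FilterType'] = $content['LN_REPORT_FILTERTYPE_STRING'];
                $aNewDisplayFilter['FilterDisplay'] = $aNewDisplayFilter['FilterCaption'] . " ";

                // FILTER_MODE is a bit field: include/exclude, optionally full match
                if ($tmpFilter[FILTER_MODE] & FILTER_MODE_INCLUDE) {
                    if ($tmpFilter[FILTER_MODE] & FILTER_MODE_SEARCHFULL) {
                        $aNewDisplayFilter['FilterDisplay'] .= "equals '" . $tmpFilter[FILTER_VALUE] . "'";
                    } else {
                        $aNewDisplayFilter['FilterDisplay'] .= "contains '" . $tmpFilter[FILTER_VALUE] . "'";
                    }
                } elseif ($tmpFilter[FILTER_MODE] & FILTER_MODE_EXCLUDE) {
                    if ($tmpFilter[FILTER_MODE] & FILTER_MODE_SEARCHFULL) {
                        $aNewDisplayFilter['FilterDisplay'] .= "does not equal '" . $tmpFilter[FILTER_VALUE] . "'";
                    } else {
                        $aNewDisplayFilter['FilterDisplay'] .= "does not contain '" . $tmpFilter[FILTER_VALUE] . "'";
                    }
                }
            } elseif ($tmpFilter[FILTER_TYPE] == FILTER_TYPE_NUMBER) {
                $aNewDisplayFilter['FilterType'] = $content['LN_REPORT_FILTERTYPE_NUMBER'];
                $aNewDisplayFilter['FilterDisplay'] = $aNewDisplayFilter['FilterCaption'] . " ";

                if ($tmpFilter[FILTER_MODE] & FILTER_MODE_INCLUDE) {
                    $aNewDisplayFilter['FilterDisplay'] .= "== " . $tmpFilter[FILTER_VALUE];
                } elseif ($tmpFilter[FILTER_MODE] & FILTER_MODE_EXCLUDE) {
                    $aNewDisplayFilter['FilterDisplay'] .= "!= " . $tmpFilter[FILTER_VALUE];
                }
            }

            // Add to display filter array
            if (strlen($aNewDisplayFilter['FilterDisplay']) > 0) {
                $content["report_filters"][] = $aNewDisplayFilter;
            }
        }
    }
}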