Пример #1
<?php

/**
 * Author: bedirhan
 */
require_once "MSALParser.php";
require_once "MSALDB.php";
// Read the raw request body, one array element per line.
// NOTE(review): the sender is presumably mlogc (see the mlogc.conf note below).
// No sender authentication or body-size limit is visible in this script;
// confirm the web server in front of it enforces both, otherwise anyone who can
// reach the URL can submit forged audit records.
$arrayOfLines = file("php://input");
if (!empty($arrayOfLines)) {
    $lastLineIndex = count($arrayOfLines) - 1;
    try {
        $msal = MSALParser::parse($arrayOfLines, 0, $lastLineIndex);
        MSALDB::saveMSAL($msal);
    } catch (MSALParserException $parseFailure) {
        // Original note was a Turkish proverb ("the arm breaks but stays inside
        // the sleeve"): the failure is kept internal and only logged.
        // The script sets no error status here, so the client cannot tell that
        // the entry was rejected.
        // NOTE(review): the message may embed text taken from the submitted log;
        // verify that FileLogger neutralises line breaks before writing.
        FileLogger::ERROR($parseFailure->getMessage());
    } catch (MSALDBException $storageFailure) {
        // Same policy for storage errors: log and carry on.
        FileLogger::ERROR($storageFailure->getMessage());
    }
}
/*
 * A NOTE:
 * 
 * in mlogc.conf;
 *    CollectorRoot "/var/log/mlogc"
 *    ConsoleURI "http://[serverip]/rpc/auditLogReceiver"
 *    LogStorageDir "data"  
 *    Keep 1
Пример #2
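 /**
  * Parses one ModSecurity audit log entry into an MSAL object.
  *
  * The entry is walked boundary by boundary; each recognised part letter
  * (A, B, C, F, E, H) is handed to its dedicated parser and the result is
  * stored on the MSAL object. Part Z is only logged.
  *
  * The lines come from logged HTTP traffic, so every parsed value should be
  * treated as untrusted by whatever stores or displays it later.
  *
  * @param array $lines lines of a single audit log entry; taken by reference,
  *                     this method itself only reads it
  *
  * @return MSAL the populated audit log object
  *
  * @throws MSALParserException when at most one line remains after the
  *                             leading blank lines, or when an unknown
  *                             boundary letter is read
  */
 public static function parse(&$lines)
 {
     // the almighty "ModSecurity Single Audit Log" object
     $msal = new MSAL();
     FileLogger::INFO("MSAL Parsing Started");

     // Skip leading blank lines. The scan is bounded by the line count: without
     // the bound, an input made only of blank lines (or an empty array) reads
     // past the end of $lines, and if the pattern also matches an empty subject
     // the loop never ends.
     $lineCount = count($lines);
     $startIndex = 0;
     while ($startIndex < $lineCount
         && preg_match(MSALParser::EMPTY_LINE_PATTERN, $lines[$startIndex])) {
         $startIndex += 1;
     }
     $endIndex = $lineCount - 1;

     // a simple sanity check: at least two lines must remain
     if ($startIndex >= $endIndex) {
         throw new MSALParserException("MSAL erroneous audit log (all empty lines or a single line)");
     }

     // NOTE(review): readTillNextBoundary is not visible here; it presumably
     // moves $startIndex/$endIndex (by reference) around the next part and
     // returns '!' when there is no further boundary. Confirm.
     while (($boundaryLetter = MSALParser::readTillNextBoundary($lines, $startIndex, $endIndex)) != '!') {
         switch ($boundaryLetter) {
             case 'A':
                 FileLogger::INFO("MSAL Parsing part A");
                 $msalHeader = MSALHeaderParser::parse($lines, $startIndex, $endIndex);
                 $msal->setMSALHeader($msalHeader);
                 break;
             case 'B':
                 FileLogger::INFO("MSAL Parsing part B");
                 $msalRequestHeaders = MSALRequestHeadersParser::parse($lines, $startIndex, $endIndex);
                 $msal->setMSALRequestHeaders($msalRequestHeaders);
                 break;
             case 'C':
                 FileLogger::INFO("MSAL Parsing part C");
                 $msalRequestBody = MSALRequestBodyParser::parse($lines, $startIndex, $endIndex);
                 $msal->setMSALRequestBody($msalRequestBody);
                 break;
             case 'F':
                 FileLogger::INFO("MSAL Parsing part F");
                 $msalResponseHeaders = MSALResponseHeadersParser::parse($lines, $startIndex, $endIndex);
                 $msal->setMSALResponseHeaders($msalResponseHeaders);
                 break;
             case 'E':
                 FileLogger::INFO("MSAL Parsing part E");
                 $msalResponseBody = MSALResponseBodyParser::parse($lines, $startIndex, $endIndex);
                 $msal->setMSALResponseBody($msalResponseBody);
                 break;
             case 'H':
                 FileLogger::INFO("MSAL Parsing part H");
                 $msalTrailer = MSALTrailerParser::parse($lines, $startIndex, $endIndex);
                 $msal->setMSALTrailer($msalTrailer);
                 break;
             case 'Z':
                 // final boundary: nothing to parse
                 FileLogger::INFO("MSAL Parsing part Z");
                 break;
             default:
                 // An unexpected part letter was read. The letter comes from the
                 // submitted log, so whoever logs this message should treat it
                 // as untrusted text.
                 throw new MSALParserException("An undefined log boundary specified : " . $boundaryLetter);
         }

         // why $endIndex + 1 ?
         // because $endIndex points to a line just before the next boundary
         $startIndex = $endIndex + 1;
         // reset the endIndex to the last line of the entry
         $endIndex = count($lines) - 1;

         // a simple eof check
         // should we check boundary Z? not now.
         if ($startIndex > $endIndex) {
             FileLogger::INFO("MSAL Parsing Finished");
             break;
         }
     }

     return $msal;
 }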