<?php
/*
   *********************************************************************
   * Copyright (C) 2010 Sebastian Schauenburg
   *
   * PhpLogCon is free software: you can redistribute it and/or modify
   * it under the terms of the GNU General Public License as published by
   * the Free Software Foundation, either version 3 of the License, or
   * (at your option) any later version.
   *
   * PhpLogCon is distributed in the hope that it will be useful,
   * but WITHOUT ANY WARRANTY; without even the implied warranty of
   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   * GNU General Public License for more details.
   *
   * You should have received a copy of the GNU General Public License
   * along with phpLogCon. If not, see <http://www.gnu.org/licenses/>.
   *
   * A copy of the GPL can be found in the file "COPYING" in this
   * distribution.
   *********************************************************************
*/

// --- Avoid directly accessing this file!
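if ( !defined('IN_PHPLOGCON') )
{
   // Stop right away when this file is requested directly instead of being
   // included by the application entry point (which defines IN_PHPLOGCON).
   // die() already terminates the script, so the former trailing exit; was dead code.
   die('Hacking attempt');
}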
// ---

// --- Basic Includes
require_once($gl_root_path . 'classes/enums.class.php');
require_once($gl_root_path . 'classes/msgparser.class.php');
require_once($gl_root_path . 'include/constants_errors.php');
require_once($gl_root_path . 'include/constants_logstream.php');
// ---

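class MsgParser_eventlogsnare extends MsgParser {

   // Public Information properties
   public $_ClassName = 'SNARE Eventlog Format';
   public $_ClassDescription = 'This is a parser for a special format which can be created with SNARE Agent.';
   public $_ClassRequiredFields = null;
   public $_ClassHelpArticle = "http://www.intersectalliance.com/projects/SnareWindows/";

   // Kept for backwards compatibility only. This is NOT a constructor: the
   // method name does not match the class name, and PHP 7+ no longer treats
   // same-named methods as constructors anyway. It intentionally does nothing,
   // so the parent class constructor (if any) applies unchanged.
   public function MsgParser_eventlog() {
      return; // Nothing
   }

   /**
   * ParseMsg
   *
   * Parses one SNARE agent event log line. The agent separates its fields with
   * a tab, which arrives here as the literal four-character sequence "#011"
   * (octal-escaped tab). Capture groups of the pattern below, as shown by the
   * sample line inside the method:
   *
   *   1  syslog header up to and including "MSWinEventLog"
   *   2  criticality (not used)
   *   3  event log name, e.g. "System"                -> SYSLOG_EVENT_LOGTYPE
   *   4  SNARE event counter, digits only
   *   5  event date/time as written by the agent      -> SYSLOG_DATE (raw string)
   *   6  event id, digits only                        -> SYSLOG_EVENT_ID
   *   7  event source                                 -> SYSLOG_EVENT_SOURCE
   *   8  user name                                    -> SYSLOG_EVENT_USER
   *   9  SID type ("N/A" in the sample, not used)
   *  10  event log type / severity                    -> SYSLOG_SEVERITY
   *  11  computer name                                -> SYSLOG_HOST
   *  12  category                                     -> SYSLOG_EVENT_CATEGORY
   *  13  data string (not used)
   *  14  expanded message text                        -> SYSLOG_MESSAGE
   *  15  trailer (not used)
   *
   * The message text comes from a remote, untrusted source; nothing here is
   * escaped for output, so consumers must escape per output context.
   *
   * @param szMsg string the raw message text
   * @param arrArguments array in&out: properties of interest. There can be no guarantee the logstream can actually deliver them.
   * @return integer SUCCESS on a parsed line, ERROR_MSG_NOMATCH when the line is not in SNARE format
   */
   public function ParseMsg($szMsg, &$arrArguments)
   {
      // $fields supplies the display captions used when normalizing the message
      global $fields;

      //trim the msg first to remove spaces from begin and end
      $szMsg = trim($szMsg);

      // Sample:   Jan 18 12:09:37 winxp MSWinEventLog#0111#011System#011752#011Mon Jan 18 12:09:33 2010#0117036#011Service Control Manager#011Unknown User#011N/A#011Information#011WINXP#011None#011#011The Windows Time service entered the running state.  #011469
      //
      // NOTE(review): the lazy (.*?) groups may themselves swallow "#011"
      // separators, so a line with extra fields or a non-numeric counter can
      // still match with shifted field boundaries. On a line with very many
      // separators PCRE may exhaust pcre.backtrack_limit; preg_match() then
      // returns false, which falls into the no-match branch below (safe side).
      if ( !preg_match("/(.*?)\#011(.*?)\#011(.*?)\#011([0-9]{1,12})\#011(.*?)\#011([0-9]{1,12})\#011(.*?)\#011(.*?)\#011(.*?)\#011(.*?)\#011(.*?)\#011(.*?)\#011(.*?)\#011(.*?)\#011(.*?)/", $szMsg, $out ) )
      {
         // return no match in this case!
         return ERROR_MSG_NOMATCH;
      }

      // Copy parsed properties! Group numbers follow the field list in the docblock.
      $arrArguments[SYSLOG_EVENT_ID] = $out[6];
      $arrArguments[SYSLOG_EVENT_SOURCE] = $out[7];
      // group 8 is the user name ("Unknown User" in the sample); group 9 is the
      // SID type ("N/A"), which was previously stored as the user by mistake
      $arrArguments[SYSLOG_EVENT_USER] = $out[8];
      $arrArguments[SYSLOG_EVENT_LOGTYPE] = $out[3];
      $arrArguments[SYSLOG_SEVERITY] = $out[10];
      $arrArguments[SYSLOG_HOST] = $out[11];
      // the normalization below reads SYSLOG_EVENT_CATEGORY; without this
      // assignment it was an undefined index and rendered as an empty field
      $arrArguments[SYSLOG_EVENT_CATEGORY] = $out[12];
      $arrArguments[SYSLOG_MESSAGE] = $out[14];
      $arrArguments[SYSLOG_DATE] = $out[5];

      if ( $this->_MsgNormalize == 1 )
      {
         //Init tmp msg
         $szTmpMsg = "";

         // Create Field Array to prepend into msg! Reverse Order here, because
         // every field is prepended, so the last entry ends up on the first line.
         $myFields = array( SYSLOG_MESSAGE, SYSLOG_EVENT_CATEGORY, SYSLOG_EVENT_LOGTYPE, SYSLOG_EVENT_SOURCE, SYSLOG_EVENT_USER, SYSLOG_EVENT_ID );

         foreach ( $myFields as $myField )
         {
            // Set Field Caption, falling back to the field id when no caption is configured
            if ( isset($fields[$myField]['FieldCaption']) )
               $szFieldName = $fields[$myField]['FieldCaption'];
            else
               $szFieldName = $myField;

            // Prepend Field into msg
            $szTmpMsg = $szFieldName . ": '" . $arrArguments[$myField] . "'\n" . $szTmpMsg;
         }

         // copy finished MSG back!
         $arrArguments[SYSLOG_MESSAGE] = $szTmpMsg;
      }

      // Set IUT Property if success!
      $arrArguments[SYSLOG_MESSAGETYPE] = IUT_NT_EventReport;

      // If we reached this position, return success!
      return SUCCESS;
   }
}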

?>
