<?php
/*
*********************************************************************
* Copyright (C) 2010 Sebastian Schauenburg
*
* PhpLogCon is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* PhpLogCon is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with phpLogCon. If not, see <http://www.gnu.org/licenses/>.
*
* A copy of the GPL can be found in the file "COPYING" in this
* distribution.
*********************************************************************
*/
// --- Avoid directly accessing this file!
if ( !defined('IN_PHPLOGCON') )
{
die('Hacking attempt');
exit;
}
// ---
// --- Basic Includes
require_once($gl_root_path . 'classes/enums.class.php');
require_once($gl_root_path . 'classes/msgparser.class.php');
require_once($gl_root_path . 'include/constants_errors.php');
require_once($gl_root_path . 'include/constants_logstream.php');
// ---
class MsgParser_eventlogsnare extends MsgParser {
// Public Information properties
public $_ClassName = 'SNARE Eventlog Format';
public $_ClassDescription = 'This is a parser for a special format which can be created with SNARE Agent.';
public $_ClassRequiredFields = null;
public $_ClassHelpArticle = "http://www.intersectalliance.com/projects/SnareWindows/";
// Constructor
public function MsgParser_eventlog() {
return; // Nothing
}
/**
* ParseLine
*
* @param arrArguments array in&out: properties of interest. There can be no guarantee the logstream can actually deliver them.
* @return integer Error stat
*/
public function ParseMsg($szMsg, &$arrArguments)
{
global $content, $fields;
//trim the msg first to remove spaces from begin and end
$szMsg = trim($szMsg);
// Sample: Jan 18 12:09:37 winxp MSWinEventLog#0111#011System#011752#011Mon Jan 18 12:09:33 2010#0117036#011Service Control Manager#011Unknown User#011N/A#011Information#011WINXP#011None#011#011The Windows Time service entered the running state. #011469
if ( preg_match("/(.*?)\#011(.*?)\#011(.*?)\#011([0-9]{1,12})\#011(.*?)\#011([0-9]{1,12})\#011(.*?)\#011(.*?)\#011(.*?)\#011(.*?)\#011(.*?)\#011(.*?)\#011(.*?)\#011(.*?)\#011(.*?)/", $szMsg, $out ) )
{
// Copy parsed properties!
$arrArguments[SYSLOG_EVENT_ID] = $out[6];
$arrArguments[SYSLOG_EVENT_USER] = $out[9];
$arrArguments[SYSLOG_EVENT_SOURCE] = $out[7];
$arrArguments[SYSLOG_EVENT_LOGTYPE] = $out[3];
$arrArguments[SYSLOG_SEVERITY] = $out[10];
$arrArguments[SYSLOG_MESSAGE] = $out[14];
$arrArguments[SYSLOG_HOST] = $out[11];
$arrArguments[SYSLOG_DATE] = $out[5];
if ( $this->_MsgNormalize == 1 )
{
//Init tmp msg
$szTmpMsg = "";
// Create Field Array to prepend into msg! Reverse Order here
$myFields = array( SYSLOG_MESSAGE, SYSLOG_EVENT_CATEGORY, SYSLOG_EVENT_LOGTYPE, SYSLOG_EVENT_SOURCE, SYSLOG_EVENT_USER, SYSLOG_EVENT_ID );
foreach ( $myFields as $myField )
{
// Set Field Caption
if ( isset($fields[$myField]['FieldCaption']) )
$szFieldName = $fields[$myField]['FieldCaption'];
else
$szFieldName = $myField;
// Append Field into msg
$szTmpMsg = $szFieldName . ": '" . $arrArguments[$myField] . "'\n" . $szTmpMsg;
}
// copy finished MSG back!
$arrArguments[SYSLOG_MESSAGE] = $szTmpMsg;
}
}
else
{
// return no match in this case!
return ERROR_MSG_NOMATCH;
}
// Set IUT Property if success!
$arrArguments[SYSLOG_MESSAGETYPE] = IUT_NT_EventReport;
// If we reached this position, return success!
return SUCCESS;
}
}
?>