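db_result_row[6]);
    $local_logline_array = explode (" ", $local_log_string);
    $service_type = $dbms->db_result_row[3];
    switch (strtolower($service_type)) {
        case "kernel":
            //This is a kernel logline now discover which type kernel-record we have
            //Detect if this is a network-line
            if (strtolower(substr($local_logline_array[5],0,3)) == "in=") {
                //this is a networkline call the processing the routines
                $local_result = linux_kernel_network();
                return $local_result;
            } else {
                //This line is a kernel line writing about a device.
                if (strtolower($local_logline_array[4]) == 'device') {
                    echo $local_log_string;
                    $local_result = linux_kernel_device();
                    return $local_result;
                } else {
                    if ($developrelease == 'TRUE') {
                        $local_failing_string = "Failing string: ".$dbms->db_result_row[5];
                        syslog (LOG_INFO, "Unrecognized kernelline:".$local_log_string);
                        syslog (LOG_INFO, $local_failing_string);
                    }
                    return "FALSE";
                }
            }
            break;
        case "anacron": $local_result = linux_daemon(); break;
        case "apmd": $local_result = linux_daemon(); break;
        case "atd": $local_result = linux_daemon(); break;
        case "crond": $local_result = linux_daemon(); break;
        case "httpd": $local_result = linux_daemon(); break;
        case "lpd": $local_result = linux_daemon(); break;
        case "mysqld": $local_result = linux_daemon(); break;
        case "postfix": $local_result = linux_daemon(); break;
        case "random": $local_result = linux_daemon(); break;
        case "rhnsd": $local_result = linux_daemon(); break;
        case "syslog": $local_result = linux_daemon(); break;
        case "syslogd": $local_result = linux_daemon(); break;
        case "xinetd": $local_result = linux_daemon(); break;
        default: break;
    }
}

function _adv_sql_literal($value) {
    /* Turn a value taken from a log line into a single-quoted SQL literal.
     * The log text is attacker-influenced (it is whatever the kernel or a
     * daemon wrote, including remote hostnames and packet fields), so it is
     * never interpolated raw. The database wrapper exposes only query(), so a
     * whitelist is used instead of placeholders: every character that does not
     * legitimately occur in iptables/daemon fields (interface names, MAC
     * addresses, IPv4/IPv6 addresses, hex flags, daemon names such as
     * "postfix/smtpd") is dropped, which keeps quotes, semicolons and comment
     * markers out of the statement.
     * INPUT   : $value - raw string (or null)
     * OUTPUT  : quoted literal, e.g. 'eth0'
     */
    $local_clean = preg_replace('/[^A-Za-z0-9:._\/-]/', '', (string) $value);
    return "'" . $local_clean . "'";
}

function _kernel_network_sql($fields, $values) {
    /* Build the INSERT for one log_adv_kernel_network row.
     * INPUT   : $fields - column names, $values - SQL literals in the same order
     * OUTPUT  : the complete INSERT statement
     */
    return "INSERT INTO log_adv_kernel_network (" . implode(", ", $fields)
         . ") VALUES (" . implode(", ", $values) . ")";
}

function linux_kernel_network() {
    /* This function is able to deal with the output of kernel-network messages
     * coming from iptables and other similar tools. Each KEY=VALUE element of
     * the log line is mapped onto a column of log_adv_kernel_network; elements
     * that are not recognised are ignored.
     * An ICMP error message quotes the original packet in brackets
     * ("[SRC=... DST=... ]"); when that marker is met the row collected so far
     * is written and a second row is started for the quoted packet.
     * Fixes relative to the earlier version: SPT is stored as source_port and
     * DPT as destination_port (they were swapped), the quoted packet's SRC is
     * kept as source_ip of the second row, runs of whitespace are collapsed
     * before splitting, and every value is passed through _adv_sql_literal().
     * INPUT   : NONE
     * GLOBALS : $dbms, $dbms_working;
     * OUTPUT  : "TRUE" for success and "FALSE" for failure.
     */
    global $dbms;
    global $dbms_working;

    //Straight KEY=VALUE elements and the column each one is stored in.
    static $column_of = array(
        "in"     => "device_in",
        "out"    => "device_out",
        "mac"    => "hw_address",
        "src"    => "source_ip",
        "dst"    => "destination_ip",
        "tos"    => "tos_bit",
        "prec"   => "prec_bit",
        "ttl"    => "ttl",
        "proto"  => "protocol",
        "spt"    => "source_port",
        "dpt"    => "destination_port",
        "window" => "window",
        "urgp"   => "urgp",
        "type"   => "type",
        "code"   => "code",
        "seq"    => "sequence_number",
        "res"    => "res",
    );
    //Bare flags (no "=value"); stored as the SQL boolean true.
    static $flag_column_of = array(
        "rst" => "rst",
        "syn" => "syn",
        "df"  => "df",
    );

    $local_log_id     = _adv_sql_literal($dbms->db_result_row[0]);
    $local_log_string = preg_replace('/\s+/', ' ', trim((string) $dbms->db_result_row[6]));
    $local_logline_array = explode(" ", $local_log_string);

    $local_fields = array("logid", "detailed_table");
    $local_values = array($local_log_id, "'kernel_network'");
    $local_len_seen = 0;   //first LEN is the packet length, later ones the body length
    $local_id_seen  = 0;   //only the first ID is kept

    //The first four elements are the syslog prefix; the iptables data starts at index 4.
    for ($i = 4; $i < count($local_logline_array); $i++) {
        //Split only on the first "=" so a value containing "=" is not truncated.
        $local_element = explode("=", $local_logline_array[$i], 2);
        $local_key     = strtolower($local_element[0]);
        $local_value   = isset($local_element[1]) ? $local_element[1] : "";

        if ($local_key == "[src") {
            //Quoted original packet: write the row collected so far and start
            //a second row; the bracketed SRC becomes that row's source_ip.
            $dbms_working->query(_kernel_network_sql($local_fields, $local_values));
            $local_fields = array("logid", "detailed_table", "source_ip");
            $local_values = array($local_log_id, "'kernel_network'", _adv_sql_literal($local_value));
            $local_len_seen = 0;
            $local_id_seen  = 0;
            continue;
        }

        if (isset($flag_column_of[$local_key])) {
            $local_fields[] = $flag_column_of[$local_key];
            $local_values[] = "true";
        } elseif ($local_key == "len") {
            $local_fields[] = ($local_len_seen++ == 0) ? "packet_length" : "body_len";
            $local_values[] = _adv_sql_literal($local_value);
        } elseif ($local_key == "id") {
            if ($local_id_seen == 0) {
                $local_fields[] = "header_id";
                $local_values[] = _adv_sql_literal($local_value);
                $local_id_seen  = 1;
            }
        } elseif (isset($column_of[$local_key])) {
            $local_fields[] = $column_of[$local_key];
            $local_values[] = _adv_sql_literal($local_value);
        }
        //Anything else (e.g. the closing "]") is ignored, as before.
    }

    //Now that the data is complete create the SQL-statement
    $dbms_working->query(_kernel_network_sql($local_fields, $local_values));
    return "TRUE";
}

function linux_kernel_device() {
    /* Placeholder for kernel messages about devices (network cards and other
     * hardware). Nothing is stored yet, so the documented failure value is
     * returned instead of falling off the end of the function.
     * INPUT   : NONE
     * GLOBALS : $dbms, $dbms_working
     * OUTPUT  : "TRUE" for success and "FALSE" for failure.
     */
    global $dbms, $dbms_working;
    // TODO: device lines are recognised by the caller but not yet processed.
    return "FALSE";
}

function linux_daemon() {
    /* This function deals with log lines written by the daemons listed in the
     * caller's switch. The line is searched for a keyword that signals a
     * lifecycle event and one log_adv_daemon row is written per event.
     * Keywords are tested in table order and only the first match counts:
     * "restart" is tested before "start" because it would otherwise register
     * as a plain start. "exiting" is recorded as a stop (the earlier version
     * stored it as a start). A keyword at the very beginning of the line is
     * matched as well (the earlier strpos() > 0 test missed position 0).
     * INPUT   : NONE
     * GLOBALS : $dbms, $dbms_working
     * OUTPUT  : "ok" (unconditionally, as before)
     */
    global $dbms, $dbms_working;

    $local_log_line = strtolower((string) $dbms->db_result_row[6]);
    $local_log_id   = _adv_sql_literal($dbms->db_result_row[0]);
    $local_service  = _adv_sql_literal($dbms->db_result_row[3]);

    //Keyword => list of events to record, in test order.
    static $events_of = array(
        "shutdown" => array("stop"),
        "stop"     => array("stop"),
        "restart"  => array("stop", "start"),
        "start"    => array("start"),
        "exiting"  => array("stop"),
    );

    foreach ($events_of as $local_keyword => $local_events) {
        if (strpos($local_log_line, $local_keyword) === false) {
            continue;
        }
        foreach ($local_events as $local_event) {
            $local_sql  = "INSERT INTO log_adv_daemon (logid, detailed_table, service, event) VALUES ";
            $local_sql .= "(" . $local_log_id . ", 'log_adv_daemon', " . $local_service . ", '" . $local_event . "')";
            $dbms_working->query($local_sql);
        }
        break;
    }
    return "ok";
}
?>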