Gnucomo-0.0.8: September 4th 2003
$Log: gcm_daemon.php,v $
- Revision 1.17 2003-10-29 09:58:29 arjen
+ Revision 1.24 2007-11-17 09:34:07 arjen
+ Cleaned up some leftovers
+
+ Revision 1.23 2007/11/03 10:31:12 arjen
+ Added the class definition for a filesystem parameter.
+ New issue type: 'property out of range'.
+
+ Revision 1.22 2007/10/23 11:23:52 arjen
+ Record the date when adding the number of abuses for an IP address
+ in the abuse list.
+
+ Revision 1.21 2007/01/11 13:47:41 arjen
+ Log_adv and derived tables removed.
+ Create notifications from log entries with pattern matching.
+
+ Revision 1.20 2005/06/04 07:15:16 arjen
+ Added pattern check on log entries with the service_pattern table.
+
+ Revision 1.19 2004/01/10 20:04:12 arjen
+ Send email about open notifications to an object's users.
+
+ Revision 1.18 2003/12/03 08:07:21 arjen
+ Changed the type of log_adv_daemon_email.delay and log_adv_daemon_email.xdelay
+ from time to interval. These delays can be more than 24 hours.
+
+ Revision 1.17 2003/10/29 09:58:29 arjen
Create separate notifications for different objects in service_check().
Revision 1.16 2003/09/03 12:48:48 arjen
*/
-// $Id: gcm_daemon.php,v 1.17 2003-10-29 09:58:29 arjen Exp $
+// $Id: gcm_daemon.php,v 1.24 2007-11-17 09:34:07 arjen Exp $
ini_set('include_path', '.:./classes:../phpclasses');
ini_set('html_errors', 'false');
+define("BATCHSIZE", 10000);
+
//Tell the log that we're up.
define_syslog_variables();
// Set the standard variables //
+$purge_date =""; // Purge log entries until this date. Default: no purging
$project_name = "gnucomo"; // name of the entire project
$app_name = "gcm_daemon"; // name of the application running
$developrelease = "FALSE"; // Indicates if special debug settings are needed
-$db_version = 43; // The db_version indicates what the level of
+$db_version = 53; // The db_version indicates what the level of
// the database should be. If the database is
// old an update will be generated.
$gcmd_version = 5; // This value indicates the active version of
$project_name = $argv[$argi];
break;
+ case "-p":
+ $argi++;
+ $purge_date = $argv[$argi];
+ break;
+
default:
- echo "Usage: gcm_daemon [-c configname]\n";
+ echo "Usage: gcm_daemon [-c configname] [-p purgedate]\n";
exit();
break;
}
die ("Couldn't initialize database version.\n");
}
-// If there is a new gcm_daemon_version the logrecords that couldn't be
-// understood can be reprocessed. For this reason processed is now changed
-// to false again for not recognized records.
+// The gcm_daemon version is maintained in the database to enable
+// automatic update actions.
$local_sql = "SELECT setting_value FROM db_value
WHERE setting = 'gcm_daemon_version'";
{
if ($dbms->db_result_row[0] < $gcmd_version)
{
- //Reactive log-records that weren't understood earlier.
-
- $local_sql = "UPDATE log SET processed = false
- WHERE logid NOT IN (SELECT DISTINCT logid FROM log_adv)";
- $dbms->query($local_sql);
//Update de gcm_daemon version in the database
$local_sql = "UPDATE db_value SET setting_value = '".$gcmd_version;
do
{
- //At this place we start processing new log-lines
+ if ($purge_date != "")
+ {
+ purge_old_logs($purge_date);
+ }
+ echo "Processing logs...\n";
process_log ();
service_check();
find_notifications();
+ //mail_notifications();
// Gather the statistics for each object
syslog (LOG_INFO, "gcm_daemon ended nicely");
+function purge_old_logs($purge_date)
+{
+ global $dbms;
+
+ /*
+ * Make a temporary table with the logids of the old log entries
+ * We don't want to repeat a selection on the large log table itself.
+ */
+
+ echo "Purging log entries before $purge_date\n";
+
+ $dbms->query("CREATE TABLE gcm_deamon_old_log AS SELECT logid FROM log WHERE timestamp < '$purge_date'");
+ $dbms->query("SELECT logid FROM gcm_deamon_old_log");
+ echo $dbms->num_rows() . " log entries found.\n";
+ $r = $dbms->query("select notificationid from log_notification where logid in
+ (select logid from gcm_deamon_old_log) group by notificationid");
+ echo "Notifications that may be affected:\n";
+ $notifications = array();
+ for ($i=0; $i < $dbms->num_rows(); $i++)
+ {
+ $notif = $dbms->fetch_object($r, $i);
+ $notifications[] = $notif->notificationid;
+ echo $notif->notificationid . "\n";
+ }
+ $dbms->query("delete from log_notification where logid in
+ (select logid from gcm_deamon_old_log)");
+
+ // Clean up any notifications that have no more logs left
+ foreach ($notifications as $notif)
+ {
+ $c = $dbms->fetch_object($dbms->query("select count(*) from log_notification where notificationid=$notif"), 0);
+ echo "Notification $notif has " . $c->count . " log entries left.\n";
+ if ($c->count == 0)
+ {
+ echo "Cleaning up notification $notif.\n";
+ $dbms->query("delete from action_user where notificationid=$notif");
+ $dbms->query("delete from notification where notificationid=$notif");
+ }
+ }
+
+ $dbms->query("delete from log where logid in
+ (select logid from gcm_deamon_old_log)");
+
+ $dbms->query("drop table gcm_deamon_old_log");
+}
+
+
function process_log ()
{
$last_log = $dbms->db_result_row[0];
}
+ echo "Last processed logid = $last_log \n";
+
//Query the log-table
+ $log_limit = $last_log + BATCHSIZE;
$local_sql = "SELECT * FROM log WHERE logid > CAST(".$last_log." AS BIGINT)
- ORDER BY logid";
+ AND logid <= $log_limit ORDER BY logid";
$dbms->query($local_sql);
//Update the log-statistics in the object-table
$local_object_os = "";
$local_object_os_version = "";
+/*
while ($local_counter < $dbms->num_rows())
{
}
$local_counter++;
}
+*/
+
+ // Check for spam and other abuses.
+
+ // abuse_check($last_log);
+
+ match_log_patterns($last_log);
// Register that the logrecords have been processed.
+ $local_upper_row--;
$local_sql = "UPDATE db_value SET setting_value = '"
- .$local_log_id."' where setting = 'log_processing'";
+ . $local_upper_row ."' where setting = 'log_processing'";
$dbms->query($local_sql);
UpdateStatistic($objectid, 'logs', $cnt->count);
}
+// Check for spam and other abuses in the log_adv tables.
+
+function abuse_check($logstart)
+{
+return; // This function is obsolete
+ global $dbms;
+
+ // notification: 'abuses exceeded'.
+
+ $noqueue_res = $dbms->query("select logid, source_ip from log_adv_daemon_email
+ where event='NOQUEUE' and logid > " . $logstart);
+ echo "NOQUEUE abuses:\n\n";
+ for ($row = 0; $row < $dbms->num_rows($noqueue_res); $row++)
+ {
+ $noqueue = $dbms->fetch_object($noqueue_res, $row);
+ if ($noqueue->source_ip != '')
+ {
+ $obj = $dbms->fetch_object(
+ $dbms->query("SELECT objectid FROM log WHERE logid = '" . $noqueue->logid . "'"),0);
+ record_abuse(0, $obj->objectid, $noqueue->source_ip, 2);
+
+ // TODO: Create notification
+ }
+ }
+ $dbms->Free($noqueue_res);
+
+ $noqueue_res = $dbms->query("select logid, source_ip, relay from log_adv_daemon_email
+ where event='SPAM' and logid > " . $logstart);
+ echo "SPAM abuses:\n\n";
+ for ($row = 0; $row < $dbms->num_rows($noqueue_res); $row++)
+ {
+ $noqueue = $dbms->fetch_object($noqueue_res, $row);
+ $source = $noqueue->source_ip;
+ if ($source == '')
+ {
+ $source = $noqueue->relay;
+ }
+ if ($source != '')
+ {
+ $obj = $dbms->fetch_object(
+ $dbms->query("SELECT objectid FROM log WHERE logid = '" . $noqueue->logid . "'"),0);
+ record_abuse(0, $obj->objectid, $source, 1);
+
+ // TODO: Create notification
+ }
+ }
+ $dbms->Free($noqueue_res);
+
+ echo "HTTP abuses:\n\n";
+ $abuse_res = $dbms->query("select logid, objectid, rawdata from log
+ where servicecode='httpd' and logid > " . $logstart);
+ for ($row = 0; $row < $dbms->num_rows($abuse_res); $row++)
+ {
+ $source = '';
+ $abuse = $dbms->fetch_object($abuse_res, $row);
+ if (ereg("\[error\] \[client ([0-9.]+)\] request failed: URI too long", $abuse->rawdata, $parts))
+ {
+ echo $abuse->rawdata . "\n";
+ echo "Abuse on object " . $abuse->objectid . " from IP address " . $parts[1] . "\n";
+ $source = $parts[1];
+ }
+ if (ereg("\[error\] \[client ([0-9.]+)\] File does not exist: .+/MSADC",
+ $abuse->rawdata, $parts))
+ {
+ echo $abuse->rawdata . "\n";
+ echo "Abuse on object " . $abuse->objectid . " from IP address " . $parts[1] . "\n";
+ $source = $parts[1];
+ }
+ if ($source != '')
+ {
+ record_abuse(0, $abuse->objectid, $source, 2);
+
+ // TODO: Create notification
+ }
+ }
+ $dbms->Free($abuse_res);
+}
+
+function match_log_patterns($logstart)
+{
+ global $dbms;
+
+ $notifications = array();
+
+ $log_limit = $logstart + BATCHSIZE;
+ $noqueue_res = $dbms->query("select logid, objectid, servicecode, rawdata from log
+ where logid > $logstart and logid <= $log_limit
+ order by logid");
+ for ($row = 0; $row < $dbms->num_rows($noqueue_res); $row++)
+ {
+ $logentry = $dbms->fetch_object($noqueue_res, $row);
+ //echo "\n----------\n" . $logentry->rawdata . "\n----------\n";
+ $service = $logentry->servicecode;
+ $pattern_res = $dbms->query("select * from service_pattern where service='$service'
+ OR service='ANY' order by rank");
+
+ $match_found = false;
+ for ($patnr = 0; !$match_found && $patnr < $dbms->num_rows($pattern_res); $patnr++)
+ {
+ $srv_pat = $dbms->fetch_object($pattern_res, $patnr);
+ //echo " Checking with pattern " . $srv_pat->pattern . "\n";
+ if (ereg($srv_pat->pattern, $logentry->rawdata, $matches))
+ {
+ // Scan the argument for '$n' expressions and expand
+
+ $srv_pat->argument = expand_arguments($srv_pat->argument, $matches);
+ //echo " " . $srv_pat->pattern . " matches.\n";
+ //echo " Matched string: " . $matches[0] . "\n";
+ //echo " Action = " . $srv_pat->action . "(" . $srv_pat->argument . ")\n\n";
+ $match_found = true;
+
+ switch ($srv_pat->action)
+ {
+ case "ignore":
+ break;
+
+ case "notify":
+ $notif = $srv_pat->argument;
+ if (!isset($notifications[$logentry->objectid][$notif]))
+ {
+ //echo "Creating notification $notif for object " . $logentry->objectid . ".\n";
+ $remark = "Notification generated from Gnucomo pattern match.";
+ $notifications[$logentry->objectid][$notif] =
+ $dbms->new_notification($logentry->objectid, $notif, $remark);
+ }
+ if (isset($notifications[$logentry->objectid][$notif]))
+ {
+ //echo "Notification $notif for object " . $logentry->objectid . " already created.\n";
+ $insertion = "INSERT INTO log_notification (notificationid, logid) VALUES ('";
+ $insertion .= $notifications[$logentry->objectid][$notif] . "', '";
+ $insertion .= $logentry->logid . "')";
+ $dbms->query($insertion);
+ }
+ break;
+
+ case "abuse":
+ if (record_abuse($logentry->logid, $logentry->objectid, $srv_pat->argument, 1) >= 32)
+ {
+ $source_ip = $srv_pat->argument;
+ $notif = 'abuses exceeded';
+ if (!isset($notifications[$logentry->objectid][$notif][$source_ip]))
+ {
+ echo "Creating notification $notif for object " . $logentry->objectid . ".\n";
+ $remark = "Abuses from IP address $source_ip exceeded the limit.";
+ $notifid = $dbms->new_notification($logentry->objectid, $notif, $remark);
+ $notifications[$logentry->objectid][$notif][$source_ip] = $notifid;
+
+ // Add log entries from previously detected abuses
+
+ echo " Add log entries from previously detected abuses";
+ $abuses = $dbms->query("SELECT logid FROM log_abuse WHERE objectid = '" .
+ $logentry->objectid . "' AND source = '$source_ip'");
+ for ($abusenr = 0; $abusenr < $dbms->num_rows($abuses); $abusenr++)
+ {
+ $log_abuse = $dbms->fetch_object($abuses, $abusenr);
+ if ($log_abuse->logid != $logentry->logid)
+ {
+ $insertion = "INSERT INTO log_notification (notificationid, logid) VALUES ('";
+ $insertion .= $notifid . "', '";
+ $insertion .= $log_abuse->logid . "')";
+ $dbms->query($insertion);
+ }
+ }
+ }
+ if (isset($notifications[$logentry->objectid][$notif][$source_ip]))
+ {
+ echo "Notification $notif for object " . $logentry->objectid . " already created.\n";
+ $insertion = "INSERT INTO log_notification (notificationid, logid) VALUES ('";
+ $insertion .= $notifications[$logentry->objectid][$notif][$source_ip] . "', '";
+ $insertion .= $logentry->logid . "')";
+ $dbms->query($insertion);
+ }
+ }
+ break;
+ case "forgive":
+ record_abuse($logentry->logid, $logentry->objectid, $srv_pat->argument, -4);
+ break;
+ default:
+ echo "Error: unrecognized action in service pattern: " . $srv_pat->action . "\n";
+ break;
+ }
+ }
+ else
+ {
+ // echo " " . $srv_pat->pattern . " does not match.\n";
+ }
+ }
+
+ }
+}
+
+/*
+ * Some IP address abused us. Record the event.
+ * Return the number of abuse points recorded so far for the address
+ */
+
+function record_abuse($logid, $objectid, $sourceip, $points)
+{
+ global $dbms;
+
+ $abuse_points = $points;
+
+ $ipaddress = gethostbyname($sourceip);
+ //echo " IP address for $sourceip is $ipaddress.\n";
+ $sourceip = $ipaddress;
+
+ $abres = $dbms->query("SELECT * FROM object_abuse WHERE objectid='$objectid' AND source='$sourceip'");
+
+ if (pg_numrows($abres) == 0 && $points > 0)
+ {
+ //echo "$sourceip is new.\n";
+ $dbms->query("INSERT INTO object_abuse VALUES ('$objectid', '$sourceip', '$points', '', NOW())");
+ $dbms->query("INSERT INTO log_abuse VALUES ('$logid', '$objectid', '$sourceip')");
+ }
+ else if (pg_numrows($abres) != 0)
+ {
+ $abuse = $dbms->fetch_object($abres, 0);
+ if ($abuse->status == '' || $abuse->status == 'dropped')
+ {
+ $abuse_points = $abuse->nr_abuses + $points;
+ if ($abuse_points < 0)
+ {
+ $abuse_points = 0;
+ }
+ //echo $sourceip . " will get " . $abuse_points . " abuse points, ";
+ //echo "Status was " . $abuse->status . "\n";
+ $dbms->query("UPDATE object_abuse SET nr_abuses='$abuse_points'" .
+ ", last_change=NOW() WHERE objectid='$objectid' AND source='$sourceip'");
+
+ if ($points > 0)
+ {
+ $dbms->query("INSERT INTO log_abuse VALUES ('$logid', '$objectid', '$sourceip')");
+ }
+ if ($abuse_points >= 32)
+ {
+ //echo " BLOCK IP adrress $sourceip on the firewall.\n";
+ $dbms->query("UPDATE object_abuse SET status='dropped'" .
+ " WHERE objectid='$objectid' AND source='$sourceip'");
+ }
+ }
+ }
+
+ return $abuse_points;
+}
+
+
/*
* Service_check - Check the log entries if there are any unknown
* services.
VALUES ('log_servicecheck', '0')");
}
+ echo "Running service check from log id $last_log.\n";
// Query the log-table
+ $log_limit = $last_log + BATCHSIZE;
$qry = "SELECT logid, objectid, servicecode FROM log
- WHERE logid > CAST(".$last_log." AS BIGINT) ORDER BY logid";
+ WHERE logid > CAST(".$last_log." AS BIGINT) AND logid <= $log_limit
+ ORDER BY logid";
$log_res = $dbms->query($qry);
//$log_res = $dbms->query("SELECT logid, objectid, servicecode,rawdata FROM log");
}
}
+/*
+ * find open notifications and send an email to the object's users.
+ */
+
+function mail_notifications ()
+{
+ global $dbms;
+
+ $notifres = $dbms->query("SELECT notificationid, objectid, type_of_issueid FROM notification
+ WHERE statuscode != 'cls'");
+
+ for ($notifrow = 0; $notifrow < pg_numrows($notifres); $notifrow++)
+ {
+ $notification = pg_fetch_object($notifres, $notifrow);
+
+ $issue = pg_fetch_object($dbms->query("SELECT description FROM type_of_issue
+ WHERE type_of_issueid='" . $notification->type_of_issueid . "'"), 0);
+ echo "Mailing Notification for object id " . $notification->objectid . "\n";
+ $object = pg_fetch_object($dbms->query("SELECT objectname FROM object
+ WHERE objectid='" . $notification->objectid ."'"), 0);
+
+ $users = $dbms->query("SELECT username FROM object_user WHERE objectid='" . $notification->objectid . "'");
+
+ for ($userrow = 0; $userrow < pg_numrows($users); $userrow++)
+ {
+ $objusr = pg_fetch_object($users, $userrow);
+ $usr = pg_fetch_object($dbms->query("SELECT email FROM usr
+ WHERE username='" . $objusr->username . "'"), 0);
+
+ $message = "Notification " . $notification->notificationid . ": " . $issue->description;
+ $message .= " for object " . $object->objectname . "\n";
+
+ mail($usr->email, "GnuCoMo Notification", $message);
+ }
+ }
+}
+
+/*
+ * The 'command' may contain positional parameters such as '$1' and '$3',
+ * just like the shell. These parameters are replaced by content from
+ * the 'args' array.
+ */
+
+function expand_arguments($command, $args)
+{
+ while (ereg('\$([0-9]+)', $command, $match))
+ {
+ $index = $match[1];
+ if ($index >= count($args))
+ {
+ echo "Error: Argument $index not found for $command.\n";
+ $command = ereg_replace('\$' . $index, "", $command);
+ }
+ else
+ {
+ $command = ereg_replace('\$' . $index, $args[$index], $command);
+ }
+ }
+ return $command;
+}
+
?>
projects / gnucomo.git / blobdiff