3 /**********************************************************************************
4 ** (c) Copyright 2002, Brenno J.S.A.A.F. de Winter, De Winter Information Soltions
5 ** This is free software; you can redistribute it and/or modify it under the
6 ** terms of the GNU General Public License, see the file COPYING.
7 ***********************************************************************************/
11 /* The function linux_log will seperate the logline in several elements. This will
12 * ease the work of recognizing the type of logline. Once this has been detected
13 * the correct module will start using the data for a log_adv-table.
15 * GLOBALS : $dbms (database class containing the logline)
16 * OUTPUT : Status of success ('TRUE' for success and 'FALSE' for failure
20 global $developrelease;
22 $local_log_string = str_replace(" ", " ", $dbms->db_result_row[6]);
23 $local_logline_array = explode (" ", $local_log_string);
25 $service_type = $dbms->db_result_row[3];
26 switch (strtolower($service_type))
29 //This is a kernel logline now discover which type kernel-record we have
31 //Detect if this is a network-line
32 if (strtolower(substr($local_logline_array[5],0,3)) == "in=")
34 //this is a networkline call the processing the routines
35 $local_result = linux_kernel_network();
41 //This line is a kernel line writing about a device.
42 if (strtolower($local_logline_array[4]) == 'device')
44 echo $local_log_string;
46 $local_result = linux_kernel_device();
51 if ($developrelease == 'TRUE')
54 $local_failing_string = "Failing string: ".$dbms->db_result_row[5];
55 syslog (LOG_INFO, "Unrecognized kernelline:".$local_log_string);
56 syslog (LOG_INFO, $local_failing_string);
64 $local_result = linux_daemon();
68 $local_result = linux_daemon();
72 $local_result = linux_daemon();
76 $local_result = linux_daemon();
80 $local_result = linux_daemon();
84 $local_result = linux_daemon();
88 $local_result = linux_daemon();
92 $local_result = linux_daemon();
96 $local_result = linux_daemon();
100 $local_result = linux_daemon();
104 $local_result = linux_daemon_sendmail();
108 $local_result = linux_daemon();
112 $local_result = linux_daemon();
116 $local_result = linux_daemon();
124 function linux_daemon_sendmail()
127 /* This function is able to deal with the logs delivered by MTAs
128 * the following are currently supported:
131 * GLOBALS : $dbms, $dbms_working
132 * OUTPUT : "TRUE" for success and "FALSE" for failure.
136 global $dbms_working;
140 //Determine the type of records
141 //When this is sendmail find the beginning by chopping everything into
143 $local_log_string = str_replace(" ", " ", $dbms->db_result_row[6]);
144 //echo " Processing " . $local_log_string . "\n";
145 $local_logline_array = explode (" ", $local_log_string);
147 $local_sql_1 = "INSERT INTO log_adv_daemon_email"; //BASIC STATEMENT
148 $local_sql_2 = "logid, detailed_table, service"; //FIELDS
149 $local_sql_3 = "'".$dbms->db_result_row[0]."', 'log_adv_daemon_email', 'sendmail'"; //VALUES
151 $message_id = trim($local_logline_array[5], " \t:");
153 if ($message_id == 'NOQUEUE')
155 // This is an error rather than a real message id.
157 $local_sql_2 .= ", event";
158 $local_sql_3 .= ", '". $message_id ."'";
160 // Try to find the source IP address in the 6th or 7th word.
162 $source_ip = strstr($local_logline_array[6], "[");
165 $end = strpos($source_ip, "]");
166 $source_ip = substr($source_ip, 1, $end - 1);
170 $source_ip = strstr($local_logline_array[7], "[");
173 $end = strpos($source_ip, "]");
174 $source_ip = substr($source_ip, 1, $end - 1);
180 // We found a source IP address
182 $local_sql_2 .= ", source_ip";
183 $local_sql_3 .= ", '". $source_ip ."'";
187 echo "Sendmail error NOQUEUE but no source IP found. logid = " .$dbms->db_result_row[0] . "\n";
192 $local_sql_2 .= ", internal_messageid";
193 $local_sql_3 .= ", '". $message_id ."'";
197 for ($i = 6; $i <= ( count($local_logline_array) - 1); $i++)
200 //Get rid of the nasty comma's at the end
201 if ( substr($local_logline_array[$i], strlen($local_logline_array[$i])-1, 1) == "," )
203 $local_dummylength = strlen($local_logline_array[$i]) -1;
204 $local_dummy = substr ($local_logline_array[$i], 0,$local_dummylength );
205 $local_logline_array[$i] = trim($local_dummy);
208 if (substr($local_logline_array[$i],0,1) == '[' && strstr($local_sql_2, "source_ip") == false)
210 $local_dummy = trim($local_logline_array[$i], " []:");
211 $local_sql_2 .= ", source_ip";
212 $local_sql_3 .= ", '$local_dummy'";
214 else if (strstr($local_logline_array[$i], "="))
217 $local_element = explode("=", $local_logline_array[$i]);
219 switch (strtolower($local_element[0]))
222 $local_sql_2 .= ", from_email";
223 $local_sql_3 .= ", '". addslashes($local_element[1]) ."'";
227 $local_sql_2 .= ", relay";
228 $local_sql_3 .= ", '". addslashes(trim($local_element[1], " []")) ."'";
232 $local_sql_2 .= ", size";
233 $local_sql_3 .= ", '".$local_element[1]."'";
237 $local_sql_2 .= ", delay";
238 $local_sql_3 .= ", '".ereg_replace("\+", " ", $local_element[1])."'";
242 $local_sql_2 .= ", xdelay";
243 $local_sql_3 .= ", '".ereg_replace("\+", " ", $local_element[1])."'";
247 $local_sql_2 .= ", mailer";
248 $local_sql_3 .= ", '".$local_element[1]."'";
252 $local_sql_2 .= ", dsn";
253 $local_sql_3 .= ", '".$local_element[1]."'";
257 $local_sql_2 .= ", external_messageid";
258 if (substr($local_element[1],0,1) == '<')
260 $local_sql_3 .= ", '";
261 $local_sql_3 .= substr($local_element[1],1,(strlen($local_element[1])-2));
266 $local_sql_3 .= ", '".$local_element[1]."'";
270 //As of this point we only deal with Status
272 $local_sql_2 .= ", status";
273 $local_sql_3 .= ", '".$local_element[1]."'";
275 $local_pos = strrpos (strtolower($local_logline_array[$i]), "stat=");
276 $local_len = strlen($local_logline_array[$i]) - $local_pos - 6;
277 $local_sql_2 .= ", status_details";
278 $local_sql_3 .= ", '".substr($local_logline_array[$i], $local_pos + 5, $local_len) . "'";
282 $local_sql_2 .= ", status";
283 $local_sql_3 .= ", '".$local_element[1]."'";
285 $local_pos = strrpos (strtolower($local_logline_array[$i]), "status=");
286 $local_len = strlen($local_logline_array[$i]) - $local_pos - 8;
287 $local_sql_2 .= ", status_details";
288 $local_sql_3 .= ", '".substr($local_logline_array[$i], $local_pos + 7, $local_len) . "'";
292 if ($local_element[1] == "550")
294 $local_sql_2 .= ", event";
295 $local_sql_3 .= ", 'SPAM'";
297 else if ($local_element[1] == "553")
299 $local_sql_2 .= ", event";
300 $local_sql_3 .= ", 'Blocked SPAM'";
304 echo "Unknown reject code in sendmail log: " . $local_element[1] .
305 ", logid = " .$dbms->db_result_row[0] . "\n";
310 echo "POSSIBLE ATTACK special report: $local_log_string\n";
314 if (substr(strtolower($local_element[0]),0,1) == "[")
316 $local_sql_2 .= ", destination_ip";
317 $local_sql_3 .= ", '". substr($local_element[1], 1, strlen($local_element[1]) - 2)."'";
325 //Now that the data is complete create the SQL-statement
326 $local_sql = $local_sql_1." (".$local_sql_2.") VALUES (".$local_sql_3.")";
327 $dbms_working->query($local_sql);
332 function linux_kernel_network()
335 /* This function is able to deal with the output of kernel-network messages
336 * coming from iptables and other similar tools. When elements are found
337 * that cannot be identified a notification will be written to the logbook
338 * for easy expansion of this routine.
340 * GLOBALS : $dbms, $dbms_working;
341 * OUTPUT : "TRUE" for success and "FALSE" for failure.
345 global $dbms_working;
347 $local_log_string = str_replace(" ", " ", $dbms->db_result_row[6]);
348 $local_logline_array = explode (" ", $local_log_string);
349 $local_sql_1 = "INSERT INTO log_adv_kernel_network"; //BASIC STATEMENT
350 $local_sql_2 = "logid, detailed_table"; //FIELDS
351 $local_sql_3 = "'".$dbms->db_result_row[0]."', 'log_adv_kernel_network'"; //VALUES
356 for ($i = 4; $i <= ( count($local_logline_array) - 1); $i++)
358 $local_element = explode("=", $local_logline_array[$i]);
359 switch (strtolower($local_element[0]))
362 $local_sql_2 .= ", device_in";
363 $local_sql_3 .= ", '".$local_element[1]."'";
367 $local_sql_2 .= ", device_out";
368 $local_sql_3 .= ", '".$local_element[1]."'";
372 $local_sql_2 .= ", hw_address";
373 $local_sql_3 .= ", '".$local_element[1]."'";
377 $local_sql_2 .= ", source_ip";
378 $local_sql_3 .= ", '".$local_element[1]."'";
382 $local_sql_2 .= ", destination_ip";
383 $local_sql_3 .= ", '".$local_element[1]."'";
387 if ($local_len == 0) {
388 $local_sql_2 .= ", packet_length";
391 $local_sql_2 .= ", body_len";
394 $local_sql_3 .= ", '".$local_element[1]."'";
398 if ($local_tos == "F") {
399 $local_sql_2 .= ", tos_bit";
400 $local_sql_3 .= ", '".$local_element[1]."'";
406 $local_sql_2 .= ", prec_bit";
407 $local_sql_3 .= ", '".$local_element[1]."'";
411 $local_sql_2 .= ", ttl";
412 $local_sql_3 .= ", '".$local_element[1]."'";
417 if ($local_id == 0) {
418 $local_sql_2 .= ", header_id";
419 $local_sql_3 .= ", '".$local_element[1]."'";
425 $local_sql_2 .= ", protocol";
426 $local_sql_3 .= ", '".$local_element[1]."'";
427 if ($local_element[1] == 'ICMP') {
433 $local_sql_2 .= ", destination_port";
434 $local_sql_3 .= ", '".$local_element[1]."'";
438 $local_sql_2 .= ", source_port";
439 $local_sql_3 .= ", '".$local_element[1]."'";
443 $local_sql_2 .= ", window";
444 $local_sql_3 .= ", '".$local_element[1]."'";
448 $local_sql_2 .= ", urgp";
449 $local_sql_3 .= ", '".$local_element[1]."'";
453 $local_sql_2 .= ", rst";
454 $local_sql_3 .= ", true";
458 $local_sql_2 .= ", syn";
459 $local_sql_3 .= ", true";
463 $local_sql_2 .= ", df";
464 $local_sql_3 .= ", true";
468 $local_sql_2 .= ", type";
469 $local_sql_3 .= ", '".$local_element[1]."'";
473 $local_sql_2 .= ", code";
474 $local_sql_3 .= ", '".$local_element[1]."'";
478 $local_sql_2 .= ", sequence_number";
479 $local_sql_3 .= ", '".$local_element[1]."'";
483 $local_sql_2 .= ", res";
484 $local_sql_3 .= ", '".$local_element[1]."'";
488 /*This record is different. In ICMP information is sometimes returned on an original packet.
489 * When the brackets are used a second line will be added to the
490 * log_adv_kernel_network-table. For that reason the processing into the database will be
491 * done here as well. After that a new insert-string will be created.
494 //Enter the data into the database
495 $local_sql = $local_sql_1." (".$local_sql_2.") VALUES (".$local_sql_3.")";
496 $dbms_working->query($local_sql);
498 $local_sql_1 = "INSERT INTO log_adv_kernel_network"; //BASIC STATEMENT
499 $local_sql_2 = "logid, detailed_table"; //FIELDS
500 $local_sql_3 = "'".$dbms->db_result_row[0]."', 'kernel_network'"; //VALUES
505 /* $local_element[0];
506 syslog(LOG_INFO, "Unrecognized kernel/network entry: ".$local_element[0]);
514 //Now that the data is complete create the SQL-statement
515 $local_sql = $local_sql_1." (".$local_sql_2.") VALUES (".$local_sql_3.")";
516 $dbms_working->query($local_sql);
521 function linux_kernel_device()
523 /* This function is able to deal with the output of kernel-network messages
524 * coming from device related processes. Typically networkcard and other
525 * hardware-related data will show-up here
527 * GLOBALS : $dbms, $dbms_working
528 * OUTPUT : "TRUE" for success and "FALSE" for failure.
531 global $dbms, $dbms_working;
535 function linux_daemon()
537 /* This function is able to deal with the output of kernel-network messages
538 * coming from device related processes. Typically networkcard and other
539 * hardware-related data will show-up here
541 * GLOBALS : $dbms, $dbms_working
542 * OUTPUT : "TRUE" for success and "FALSE" for failure.
545 global $dbms, $dbms_working;
547 $local_log_line = strtolower($dbms->db_result_row[6]);
549 //Find a sign of stop
550 //Using the word shutdown
551 $pos = strpos($local_log_line, "shutdown");
554 $local_sql = "INSERT INTO log_adv_daemon (logid, detailed_table, service, event) VALUES ";
555 $local_sql .= "('".$dbms->db_result_row[0]."', 'log_adv_daemon', '"
556 .$dbms->db_result_row[3]."', 'stop')";
558 $dbms_working->query($local_sql);
562 //Using the word stop
563 $pos = strpos($local_log_line, "stop");
566 $local_sql = "INSERT INTO log_adv_daemon (logid, detailed_table, service, event) VALUES ";
567 $local_sql .= "('".$dbms->db_result_row[0]."', 'log_adv_daemon', '"
568 .$dbms->db_result_row[3]."', 'stop')";
569 $dbms_working->query($local_sql);
573 //As the word restart
574 $pos = strpos($local_log_line, "restart");
577 $local_sql = "INSERT INTO log_adv_daemon (logid, detailed_table, service, event) VALUES ";
578 $local_sql .= "('".$dbms->db_result_row[0]."', 'log_adv_daemon', '"
579 .$dbms->db_result_row[3]."', 'stop')";
580 $dbms_working->query($local_sql);
582 $local_sql = "INSERT INTO log_adv_daemon (logid, detailed_table, service, event) VALUES ";
583 $local_sql .= "('".$dbms->db_result_row[0]."', 'log_adv_daemon', '"
584 .$dbms->db_result_row[3]."', 'start')";
585 $dbms_working->query($local_sql);
589 //As the word start this is an else for restart.
590 //If we wouldn't do so restart would also give a positive on start
591 $pos = strpos($local_log_line, "start");
594 $local_sql = "INSERT INTO log_adv_daemon (logid, detailed_table, service, event) VALUES ";
595 $local_sql .= "('".$dbms->db_result_row[0]."', 'log_adv_daemon', '"
596 .$dbms->db_result_row[3]."', 'start')";
597 $dbms_working->query($local_sql);
602 //The word error indicates problems.
603 $pos = strpos($local_log_line, "error");
604 $pos2 = strpos($local_log_line, "crash"); //The word crash is also considered to be an error
606 if ($pos > 0 or $pos2 > 0)
608 $local_sql = "INSERT INTO log_adv_daemon (logid, detailed_table, service, event) VALUES ";
609 $local_sql .= "('".$dbms->db_result_row[0]."', 'log_adv_daemon', '"
610 .$dbms->db_result_row[3]."', 'error detected')";
611 $dbms_working->query($local_sql);
613 //Quite often an error will be followed with information that the daemon or service ended.
614 $pos = strpos($local_log_line, "abort");
618 $local_sql = "INSERT INTO log_adv_daemon (logid, detailed_table, service, event) VALUES ";
619 $local_sql .= "('".$dbms->db_result_row[0]."', 'log_adv_daemon', '"
620 .$dbms->db_result_row[3]."', 'abort')";
621 $dbms_working->query($local_sql);
625 $pos = strpos($local_log_line, "ended");
628 $local_sql = "INSERT INTO log_adv_daemon (logid, detailed_table, service, event) VALUES ";
629 $local_sql .= "('".$dbms->db_result_row[0]."', 'log_adv_daemon', '"
630 .$dbms->db_result_row[3]."', 'abort')";
631 $dbms_working->query($local_sql);
635 $pos = strpos($local_log_line, "stop");
638 $local_sql = "INSERT INTO log_adv_daemon (logid, detailed_table, service, event) VALUES ";
639 $local_sql .= "('".$dbms->db_result_row[0]."', 'log_adv_daemon', '"
640 .$dbms->db_result_row[3]."', 'abort')";
641 $dbms_working->query($local_sql);
646 //For power management there is a charge warning
647 $pos = strpos($local_log_line, "charge");
650 $local_sql = "INSERT INTO log_adv_daemon (logid, detailed_table, service, event) VALUES ";
651 $local_sql .= "('".$dbms->db_result_row[0]."', 'log_adv_daemon', '"
652 .$dbms->db_result_row[3]."', 'Power warning')";
653 $dbms_working->query($local_sql);
658 //As the word start this is an else for restart.
659 //If we wouldn't do so restart would also give a positive on start
660 //This can only be done if we ensured nothing else was the case
661 //PLEASE USE THIS AS LATE AS POSSIBLE!!!
662 $pos = strpos($local_log_line, "exiting");
665 $local_sql = "INSERT INTO log_adv_daemon (logid, detailed_table, service, event) VALUES ";
666 $local_sql .= "('".$dbms->db_result_row[0]."', 'log_adv_daemon', '"
667 .$dbms->db_result_row[3]."', 'start')";
668 $dbms_working->query($local_sql);