4 * NOTE: THIS MODULE IS OBSOLETE
7 /**********************************************************************************
8 ** (c) Copyright 2002, Brenno J.S.A.A.F. de Winter, De Winter Information Soltions
9 ** This is free software; you can redistribute it and/or modify it under the
10 ** terms of the GNU General Public License, see the file COPYING.
11 ***********************************************************************************/
15 /* The function linux_log will separate the logline into several elements. This will
16 * ease the work of recognizing the type of logline. Once this has been detected
17 * the correct module will start using the data for a log_adv-table.
19 * GLOBALS : $dbms (database class containing the logline)
20 * OUTPUT : Status of success ('TRUE' for success and 'FALSE' for failure)
 *
 * NOTE(review): this listing has lost the function header, the braces, the
 * `case` labels and the `break`s between the lines below; the comments added
 * here describe only what the surviving lines establish.
 *
 * SECURITY (review): the words split off here are handed to the linux_*
 * routines, which build their INSERT statements by string concatenation.
 * The message text in db_result_row[6] is produced by remote peers (mail
 * envelopes, packet headers, anything a syslog sender chooses to emit), so it
 * has to be treated as untrusted input all the way into the SQL layer.
 */
24 global $developrelease;
// As extracted, this replaces a single space with a single space (a no-op).
// The original presumably collapsed a double space or a tab - TODO confirm
// against the real file before relying on the word positions used below.
26 $local_log_string = str_replace(" ", " ", $dbms->db_result_row[6]);
27 $local_logline_array = explode (" ", $local_log_string);
// db_result_row[3] carries the service (syslog tag) that selects the handler.
29 $service_type = $dbms->db_result_row[3];
30 switch (strtolower($service_type))
33 //This is a kernel logline now discover which type kernel-record we have
35 //Detect if this is a network-line: netfilter LOG output starts its
//key=value section with "IN=", which lands in the sixth word of the message.
36 if (strtolower(substr($local_logline_array[5],0,3)) == "in=")
38 //this is a networkline call the processing the routines
39 $local_result = linux_kernel_network();
45 //This line is a kernel line writing about a device.
46 if (strtolower($local_logline_array[4]) == 'device')
// Debug output left in: every device record is echoed to stdout.
48 echo $local_log_string;
50 $local_result = linux_kernel_device();
// Kernel lines that are neither network nor device records are only reported
// when the development switch is on; nothing is written to a log_adv table.
55 if ($developrelease == 'TRUE')
// NOTE(review): this reads column 5, while every other routine in the file
// reads the message from column 6 - verify which column is intended.
58 $local_failing_string = "Failing string: ".$dbms->db_result_row[5];
59 syslog (LOG_INFO, "Unrecognized kernelline:".$local_log_string);
60 syslog (LOG_INFO, $local_failing_string);
// Each of the following lines is the body of one `case` for a service name
// (the labels were lost in extraction). Every service except the sendmail
// case delegates to the generic keyword matcher linux_daemon().
68 $local_result = linux_daemon();
72 $local_result = linux_daemon();
76 $local_result = linux_daemon();
80 $local_result = linux_daemon();
84 $local_result = linux_daemon();
88 $local_result = linux_daemon();
92 $local_result = linux_daemon();
96 $local_result = linux_daemon();
100 $local_result = linux_daemon();
104 $local_result = linux_daemon();
// Sendmail gets its own parser because its key=value fields map onto the
// log_adv_daemon_email table.
108 $local_result = linux_daemon_sendmail();
112 $local_result = linux_daemon();
116 $local_result = linux_daemon();
120 $local_result = linux_daemon();
128 function linux_daemon_sendmail()
131 /* This function is able to deal with the logs delivered by MTAs
132 * the following are currently supported:
135 * GLOBALS : $dbms, $dbms_working
136 * OUTPUT : "TRUE" for success and "FALSE" for failure.
 *
 * It splits the message into words, takes word 5 as the queue id, and walks
 * the remaining key=value pairs, appending one column/value pair to the
 * INSERT for each key it knows. The `case` labels, braces and `break`s of
 * that switch were lost in extraction; the target columns are still visible.
 *
 * SECURITY (review): only from_email and relay pass through addslashes(); the
 * logid, the queue id, size, delay, xdelay, mailer, dsn, external_messageid,
 * status, status_details and destination_ip are interpolated into the quoted
 * SQL literal unchanged. Envelope data that a remote MTA or client supplies
 * ends up in these fields, so a single quote in it breaks the statement.
 * addslashes() is also not charset-aware; the fix is the driver's quoting
 * routine or, better, a prepared statement with bound parameters.
 */
140 global $dbms_working;
144 //Determine the type of records
145 //When this is sendmail find the beginning by chopping everything into
// As extracted this str_replace is a no-op (space -> space); presumably the
// original collapsed double spaces or tabs - TODO confirm.
147 $local_log_string = str_replace(" ", " ", $dbms->db_result_row[6]);
148 //echo " Processing " . $local_log_string . "\n";
149 $local_logline_array = explode (" ", $local_log_string);
// The INSERT is assembled from three growing strings: table, column list and
// value list. They are only joined at the very end (line 330).
151 $local_sql_1 = "INSERT INTO log_adv_daemon_email"; //BASIC STATEMENT
152 $local_sql_2 = "logid, detailed_table, service"; //FIELDS
153 $local_sql_3 = "'".$dbms->db_result_row[0]."', 'log_adv_daemon_email', 'sendmail'"; //VALUES
// Word 5 is the sendmail queue id, followed by a colon in the log line.
155 $message_id = trim($local_logline_array[5], " \t:");
157 if ($message_id == 'NOQUEUE')
159 // This is an error rather than a real message id.
161 $local_sql_2 .= ", event";
162 $local_sql_3 .= ", '". $message_id ."'";
164 // Try to find the source IP address in the 6th or 7th word.
166 $source_ip = strstr($local_logline_array[6], "[");
// NOTE(review): strpos() returns false when there is no closing bracket; the
// result is then substr(..., 1, -1), which silently drops the last character
// instead of rejecting the word. Check `$end !== false` before slicing.
169 $end = strpos($source_ip, "]");
170 $source_ip = substr($source_ip, 1, $end - 1);
174 $source_ip = strstr($local_logline_array[7], "[");
177 $end = strpos($source_ip, "]");
178 $source_ip = substr($source_ip, 1, $end - 1);
184 // We found a source IP address
186 $local_sql_2 .= ", source_ip";
187 $local_sql_3 .= ", '". $source_ip ."'";
// Diagnostic goes to stdout, not to syslog like the rest of the file.
191 echo "Sendmail error NOQUEUE but no source IP found. logid = " .$dbms->db_result_row[0] . "\n";
// Regular record: the queue id becomes the internal message id.
196 $local_sql_2 .= ", internal_messageid";
197 $local_sql_3 .= ", '". $message_id ."'";
// Everything after the queue id is either a bracketed address or key=value.
201 for ($i = 6; $i <= ( count($local_logline_array) - 1); $i++)
204 //Get rid of the nasty comma's at the end
205 if ( substr($local_logline_array[$i], strlen($local_logline_array[$i])-1, 1) == "," )
207 $local_dummylength = strlen($local_logline_array[$i]) -1;
208 $local_dummy = substr ($local_logline_array[$i], 0,$local_dummylength );
209 $local_logline_array[$i] = trim($local_dummy);
// A bare bracketed word is the peer address; it is only taken once
// (strstr() returns false while the column list lacks source_ip).
212 if (substr($local_logline_array[$i],0,1) == '[' && strstr($local_sql_2, "source_ip") == false)
214 $local_dummy = trim($local_logline_array[$i], " []:");
215 $local_sql_2 .= ", source_ip";
216 $local_sql_3 .= ", '$local_dummy'";
218 else if (strstr($local_logline_array[$i], "="))
// explode() on every "=": $local_element[1] is only the text between the
// first and second "=", so a value that itself contains "=" is truncated.
221 $local_element = explode("=", $local_logline_array[$i]);
223 switch (strtolower($local_element[0]))
// from=<...>: the only field besides relay that is escaped.
226 $local_sql_2 .= ", from_email";
227 $local_sql_3 .= ", '". addslashes($local_element[1]) ."'";
231 $local_sql_2 .= ", relay";
232 $local_sql_3 .= ", '". addslashes(trim($local_element[1], " []")) ."'";
236 $local_sql_2 .= ", size";
237 $local_sql_3 .= ", '".$local_element[1]."'";
// sendmail writes delays as HH:MM:SS with "+" for days; the "+" becomes a
// space. NOTE(review): ereg_replace() was removed in PHP 7.0; for this
// literal pattern str_replace("+", " ", ...) is the drop-in replacement.
241 $local_sql_2 .= ", delay";
242 $local_sql_3 .= ", '".ereg_replace("\+", " ", $local_element[1])."'";
246 $local_sql_2 .= ", xdelay";
247 $local_sql_3 .= ", '".ereg_replace("\+", " ", $local_element[1])."'";
251 $local_sql_2 .= ", mailer";
252 $local_sql_3 .= ", '".$local_element[1]."'";
256 $local_sql_2 .= ", dsn";
257 $local_sql_3 .= ", '".$local_element[1]."'";
// msgid=<...>: strip the angle brackets when present. The closing quote of
// the value is on a line not shown here.
261 $local_sql_2 .= ", external_messageid";
262 if (substr($local_element[1],0,1) == '<')
264 $local_sql_3 .= ", '";
265 $local_sql_3 .= substr($local_element[1],1,(strlen($local_element[1])-2));
270 $local_sql_3 .= ", '".$local_element[1]."'";
274 //As of this point we only deal with Status
// stat=: status is the raw value; status_details is the same text located
// via strrpos(). NOTE(review): the length (strlen - pos - 6, after a 5-char
// key) drops the final character of the word - confirm that is intended.
276 $local_sql_2 .= ", status";
277 $local_sql_3 .= ", '".$local_element[1]."'";
279 $local_pos = strrpos (strtolower($local_logline_array[$i]), "stat=");
280 $local_len = strlen($local_logline_array[$i]) - $local_pos - 6;
281 $local_sql_2 .= ", status_details";
282 $local_sql_3 .= ", '".substr($local_logline_array[$i], $local_pos + 5, $local_len) . "'";
// status=: same shape with a 7-char key; the same one-character drop applies.
286 $local_sql_2 .= ", status";
287 $local_sql_3 .= ", '".$local_element[1]."'";
289 $local_pos = strrpos (strtolower($local_logline_array[$i]), "status=");
290 $local_len = strlen($local_logline_array[$i]) - $local_pos - 8;
291 $local_sql_2 .= ", status_details";
292 $local_sql_3 .= ", '".substr($local_logline_array[$i], $local_pos + 7, $local_len) . "'";
// reject=: only SMTP codes 550 and 553 are classified; anything else is
// reported on stdout and recorded without an event.
296 if ($local_element[1] == "550")
298 $local_sql_2 .= ", event";
299 $local_sql_3 .= ", 'SPAM'";
301 else if ($local_element[1] == "553")
303 $local_sql_2 .= ", event";
304 $local_sql_3 .= ", 'Blocked SPAM'";
308 echo "Unknown reject code in sendmail log: " . $local_element[1] .
309 ", logid = " .$dbms->db_result_row[0] . "\n";
// Fallback for a key the switch does not know: the whole line is printed.
314 echo "POSSIBLE ATTACK special report: $local_log_string\n";
// A key that starts with "[" is a bracketed destination address; the
// surrounding brackets are cut off by position.
318 if (substr(strtolower($local_element[0]),0,1) == "[")
320 $local_sql_2 .= ", destination_ip";
321 $local_sql_3 .= ", '". substr($local_element[1], 1, strlen($local_element[1]) - 2)."'";
329 //Now that the data is complete create the SQL-statement
// The three fragments are joined here; the result of query() is not checked
// on the lines shown, and the TRUE/FALSE return promised above is not visible.
330 $local_sql = $local_sql_1." (".$local_sql_2.") VALUES (".$local_sql_3.")";
331 $dbms_working->query($local_sql);
336 function linux_kernel_network()
339 /* This function is able to deal with the output of kernel-network messages
340 * coming from iptables and other similar tools. When elements are found
341 * that cannot be identified a notification will be written to the logbook
342 * for easy expansion of this routine.
344 * GLOBALS : $dbms, $dbms_working;
345 * OUTPUT : "TRUE" for success and "FALSE" for failure.
 *
 * The message is split into words from the fifth word on; each word is split
 * on "=" and the key selects a column of log_adv_kernel_network. The `case`
 * labels, braces and `break`s of the switch were lost in extraction, and the
 * variables $local_len, $local_tos and $local_id are read below without a
 * visible initialisation - presumably set on lines not shown; confirm.
 *
 * NOTE(review): the "notification to the logbook" promised above is the
 * syslog() call at line 510, which is inside a `/*` opened on line 509, i.e.
 * disabled in this version.
 *
 * SECURITY (review): every value is concatenated into a quoted SQL literal
 * without escaping, as is the logid. The netfilter LOG target constrains the
 * field format, but the statement is still string-built from log text; the
 * robust fix is a prepared statement, or at minimum the driver's quoting.
 */
349 global $dbms_working;
// As extracted this str_replace is a no-op (space -> space) - TODO confirm.
351 $local_log_string = str_replace(" ", " ", $dbms->db_result_row[6]);
352 $local_logline_array = explode (" ", $local_log_string);
// INSERT assembled as table / column list / value list, joined at the end.
353 $local_sql_1 = "INSERT INTO log_adv_kernel_network"; //BASIC STATEMENT
354 $local_sql_2 = "logid, detailed_table"; //FIELDS
355 $local_sql_3 = "'".$dbms->db_result_row[0]."', 'log_adv_kernel_network'"; //VALUES
360 for ($i = 4; $i <= ( count($local_logline_array) - 1); $i++)
// $local_element[1] is the text between the first and second "=" (absent for
// bare flag words, which is why the flag columns below store a literal true).
362 $local_element = explode("=", $local_logline_array[$i]);
363 switch (strtolower($local_element[0]))
366 $local_sql_2 .= ", device_in";
367 $local_sql_3 .= ", '".$local_element[1]."'";
371 $local_sql_2 .= ", device_out";
372 $local_sql_3 .= ", '".$local_element[1]."'";
376 $local_sql_2 .= ", hw_address";
377 $local_sql_3 .= ", '".$local_element[1]."'";
381 $local_sql_2 .= ", source_ip";
382 $local_sql_3 .= ", '".$local_element[1]."'";
386 $local_sql_2 .= ", destination_ip";
387 $local_sql_3 .= ", '".$local_element[1]."'";
// The length key appears twice in a netfilter line; the first occurrence is
// stored as packet_length, any later one as body_len. $local_len is the
// selector - presumably a counter bumped on a line not shown.
391 if ($local_len == 0) {
392 $local_sql_2 .= ", packet_length";
395 $local_sql_2 .= ", body_len";
398 $local_sql_3 .= ", '".$local_element[1]."'";
// $local_tos == "F" chooses tos_bit over prec_bit; where it is set is not
// visible here.
402 if ($local_tos == "F") {
403 $local_sql_2 .= ", tos_bit";
404 $local_sql_3 .= ", '".$local_element[1]."'";
410 $local_sql_2 .= ", prec_bit";
411 $local_sql_3 .= ", '".$local_element[1]."'";
415 $local_sql_2 .= ", ttl";
416 $local_sql_3 .= ", '".$local_element[1]."'";
// Only the first ID is stored (header_id); $local_id is not initialised here.
421 if ($local_id == 0) {
422 $local_sql_2 .= ", header_id";
423 $local_sql_3 .= ", '".$local_element[1]."'";
429 $local_sql_2 .= ", protocol";
430 $local_sql_3 .= ", '".$local_element[1]."'";
// Case-sensitive compare; netfilter prints the protocol upper-case. The body
// of this branch is not visible.
431 if ($local_element[1] == 'ICMP') {
437 $local_sql_2 .= ", destination_port";
438 $local_sql_3 .= ", '".$local_element[1]."'";
442 $local_sql_2 .= ", source_port";
443 $local_sql_3 .= ", '".$local_element[1]."'";
447 $local_sql_2 .= ", window";
448 $local_sql_3 .= ", '".$local_element[1]."'";
452 $local_sql_2 .= ", urgp";
453 $local_sql_3 .= ", '".$local_element[1]."'";
// TCP flag words carry no value; presence alone sets the boolean column.
457 $local_sql_2 .= ", rst";
458 $local_sql_3 .= ", true";
462 $local_sql_2 .= ", syn";
463 $local_sql_3 .= ", true";
467 $local_sql_2 .= ", df";
468 $local_sql_3 .= ", true";
472 $local_sql_2 .= ", type";
473 $local_sql_3 .= ", '".$local_element[1]."'";
477 $local_sql_2 .= ", code";
478 $local_sql_3 .= ", '".$local_element[1]."'";
482 $local_sql_2 .= ", sequence_number";
483 $local_sql_3 .= ", '".$local_element[1]."'";
487 $local_sql_2 .= ", res";
488 $local_sql_3 .= ", '".$local_element[1]."'";
492 /*This record is different. In ICMP information is sometimes returned on an original packet.
493 * When the brackets are used a second line will be added to the
494 * log_adv_kernel_network-table. For that reason the processing into the database will be
495 * done here as well. After that a new insert-string will be created.
 */
498 //Enter the data into the database
499 $local_sql = $local_sql_1." (".$local_sql_2.") VALUES (".$local_sql_3.")";
500 $dbms_working->query($local_sql);
// Start a second row for the embedded original packet.
// NOTE(review): detailed_table is 'kernel_network' here but
// 'log_adv_kernel_network' on line 355 - one of the two is wrong.
502 $local_sql_1 = "INSERT INTO log_adv_kernel_network"; //BASIC STATEMENT
503 $local_sql_2 = "logid, detailed_table"; //FIELDS
504 $local_sql_3 = "'".$dbms->db_result_row[0]."', 'kernel_network'"; //VALUES
// Default branch: the unrecognised-key notification is commented out, so
// unknown keys are silently dropped.
509 /* $local_element[0];
510 syslog(LOG_INFO, "Unrecognized kernel/network entry: ".$local_element[0]);
518 //Now that the data is complete create the SQL-statement
// Neither query() result is checked on the lines shown.
519 $local_sql = $local_sql_1." (".$local_sql_2.") VALUES (".$local_sql_3.")";
520 $dbms_working->query($local_sql);
525 function linux_kernel_device()
527 /* This function is able to deal with the output of kernel-network messages
528 * coming from device related processes. Typically networkcard and other
529 * hardware-related data will show-up here
531 * GLOBALS : $dbms, $dbms_working
532 * OUTPUT : "TRUE" for success and "FALSE" for failure.
 *
 * NOTE(review): apart from the global declaration no body survives in this
 * listing (lines 536-538 are not shown), so whether a row is written for
 * device records cannot be confirmed from here.
 */
535 global $dbms, $dbms_working;
539 function linux_daemon()
541 /* Generic classifier for daemon log lines. The message is lower-cased and
542 * searched for a fixed set of keywords (shutdown, stop, restart, start,
543 * error/crash, abort, ended, charge, exiting); each hit writes one row to
 * log_adv_daemon with the matching event name.
545 * GLOBALS : $dbms, $dbms_working
546 * OUTPUT : "TRUE" for success and "FALSE" for failure.
 *
 * NOTE(review): the original header here was a copy of the kernel-device
 * header and did not describe this function. The `if`/`else` lines and
 * braces around each keyword test were lost in extraction; the one test
 * that survives (line 610) is of the form `$pos > 0`, see the note there.
 *
 * The matching is plain substring search, so "stop" also matches "stopped"
 * and "unstoppable", "error" matches "no error", and "start" is inside
 * "restart" (the start test therefore has to be an else of the restart test).
 *
 * SECURITY (review): logid (column 0) and the service name (column 3) are
 * concatenated into the SQL literal unescaped. The service name is the syslog
 * tag, which a remote syslog sender controls; quote it through the driver or
 * use a prepared statement.
 */
549 global $dbms, $dbms_working;
551 $local_log_line = strtolower($dbms->db_result_row[6]);
553 //Find a sign of stop
554 //Using the word shutdown
555 $pos = strpos($local_log_line, "shutdown");
558 $local_sql = "INSERT INTO log_adv_daemon (logid, detailed_table, service, event) VALUES ";
559 $local_sql .= "('".$dbms->db_result_row[0]."', 'log_adv_daemon', '"
560 .$dbms->db_result_row[3]."', 'stop')";
562 $dbms_working->query($local_sql);
566 //Using the word stop
567 $pos = strpos($local_log_line, "stop");
570 $local_sql = "INSERT INTO log_adv_daemon (logid, detailed_table, service, event) VALUES ";
571 $local_sql .= "('".$dbms->db_result_row[0]."', 'log_adv_daemon', '"
572 .$dbms->db_result_row[3]."', 'stop')";
573 $dbms_working->query($local_sql);
577 //As the word restart
// A restart is recorded as two rows: a stop followed by a start.
578 $pos = strpos($local_log_line, "restart");
581 $local_sql = "INSERT INTO log_adv_daemon (logid, detailed_table, service, event) VALUES ";
582 $local_sql .= "('".$dbms->db_result_row[0]."', 'log_adv_daemon', '"
583 .$dbms->db_result_row[3]."', 'stop')";
584 $dbms_working->query($local_sql);
586 $local_sql = "INSERT INTO log_adv_daemon (logid, detailed_table, service, event) VALUES ";
587 $local_sql .= "('".$dbms->db_result_row[0]."', 'log_adv_daemon', '"
588 .$dbms->db_result_row[3]."', 'start')";
589 $dbms_working->query($local_sql);
593 //As the word start this is an else for restart.
594 //If we wouldn't do so restart would also give a positive on start
595 $pos = strpos($local_log_line, "start");
598 $local_sql = "INSERT INTO log_adv_daemon (logid, detailed_table, service, event) VALUES ";
599 $local_sql .= "('".$dbms->db_result_row[0]."', 'log_adv_daemon', '"
600 .$dbms->db_result_row[3]."', 'start')";
601 $dbms_working->query($local_sql);
606 //The word error indicates problems.
607 $pos = strpos($local_log_line, "error");
608 $pos2 = strpos($local_log_line, "crash"); //The word crash is also considered to be an error
// NOTE(review): strpos() returns 0 for a match at the very start of the
// message and false for no match; `> 0` treats both as "not found", so a
// line beginning with "error" or "crash" is missed. Use `!== false`. If the
// other keyword tests (not shown) use the same form they share the problem.
610 if ($pos > 0 or $pos2 > 0)
612 $local_sql = "INSERT INTO log_adv_daemon (logid, detailed_table, service, event) VALUES ";
613 $local_sql .= "('".$dbms->db_result_row[0]."', 'log_adv_daemon', '"
614 .$dbms->db_result_row[3]."', 'error detected')";
615 $dbms_working->query($local_sql);
617 //Quite often an error will be followed with information that the daemon or service ended.
// The three tests below (abort / ended / stop) each record an 'abort' row;
// from the comment above they appear to be nested in the error branch, but
// the braces are not visible here.
618 $pos = strpos($local_log_line, "abort");
622 $local_sql = "INSERT INTO log_adv_daemon (logid, detailed_table, service, event) VALUES ";
623 $local_sql .= "('".$dbms->db_result_row[0]."', 'log_adv_daemon', '"
624 .$dbms->db_result_row[3]."', 'abort')";
625 $dbms_working->query($local_sql);
629 $pos = strpos($local_log_line, "ended");
632 $local_sql = "INSERT INTO log_adv_daemon (logid, detailed_table, service, event) VALUES ";
633 $local_sql .= "('".$dbms->db_result_row[0]."', 'log_adv_daemon', '"
634 .$dbms->db_result_row[3]."', 'abort')";
635 $dbms_working->query($local_sql);
// "stop" is tested a second time here (first at line 567) and mapped to
// 'abort' rather than 'stop' in the error context.
639 $pos = strpos($local_log_line, "stop");
642 $local_sql = "INSERT INTO log_adv_daemon (logid, detailed_table, service, event) VALUES ";
643 $local_sql .= "('".$dbms->db_result_row[0]."', 'log_adv_daemon', '"
644 .$dbms->db_result_row[3]."', 'abort')";
645 $dbms_working->query($local_sql);
650 //For power management there is a charge warning
651 $pos = strpos($local_log_line, "charge");
654 $local_sql = "INSERT INTO log_adv_daemon (logid, detailed_table, service, event) VALUES ";
655 $local_sql .= "('".$dbms->db_result_row[0]."', 'log_adv_daemon', '"
656 .$dbms->db_result_row[3]."', 'Power warning')";
657 $dbms_working->query($local_sql);
662 //Last resort: the word "exiting", tested only when no other keyword matched.
663 //NOTE(review): this block looks copy-pasted from the "start" block above -
664 //the original comment still talked about restart - and it records the event
665 //as 'start' (line 671). A daemon that is "exiting" is stopping; confirm and fix.
666 $pos = strpos($local_log_line, "exiting");
669 $local_sql = "INSERT INTO log_adv_daemon (logid, detailed_table, service, event) VALUES ";
670 $local_sql .= "('".$dbms->db_result_row[0]."', 'log_adv_daemon', '"
671 .$dbms->db_result_row[3]."', 'start')";
672 $dbms_working->query($local_sql);