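db_result_row[6]);
    $local_logline_array = explode(" ", $local_log_string);
    $service_type = $dbms->db_result_row[3];

    /* NOTE(review): this function begins before the visible part of the file;
     * its body is reproduced here unchanged apart from formatting and comments.
     * Dispatch on the syslog "service" column (db_result_row[3]) to the parser
     * for that record type. */
    switch (strtolower($service_type)) {
        case "kernel":
            // Kernel record: the token after "kernel:" decides the sub-type.
            if (strtolower(substr($local_logline_array[5], 0, 3)) == "in=") {
                // netfilter / iptables style line
                $local_result = linux_kernel_network();
                return $local_result;
            } else {
                // kernel line about a device
                if (strtolower($local_logline_array[4]) == 'device') {
                    echo $local_log_string; // NOTE(review): stray debug output left in
                    $local_result = linux_kernel_device();
                    return $local_result;
                } else {
                    // NOTE(review): $developrelease is read as a plain local here;
                    // unless the (not visible) function head declares it global it is never set.
                    if ($developrelease == 'TRUE') {
                        $local_failing_string = "Failing string: " . $dbms->db_result_row[5];
                        syslog(LOG_INFO, "Unrecognized kernelline:" . $local_log_string);
                        syslog(LOG_INFO, $local_failing_string);
                    }
                    return "FALSE";
                }
            }
            break;
        // Plain daemons: all share the keyword based start/stop/error parser.
        case "anacron":
        case "apmd":
        case "atd":
        case "crond":
        case "httpd":
        case "lpd":
        case "mysqld":
        case "postfix":
        case "random":
        case "rhnsd":
        case "syslog":
        case "syslogd":
        case "xinetd":
            $local_result = linux_daemon();
            break;
        case "sendmail":
            $local_result = linux_daemon_sendmail();
            break;
        default:
            break;
    }
    // NOTE(review): for the non-kernel services $local_result is computed but not returned.
}

function _log_adv_sql_quote($value)
{
    /* Quote one value as a SQL string literal.
     * Every value the parsers below store comes straight out of a log line, i.e.
     * from whoever managed to get something logged (a remote mail sender controls
     * from=/msgid=/stat= text, anything reaching syslog controls the rest). The
     * previous code concatenated those values into INSERT statements unescaped.
     * Single quotes are doubled (standard SQL) and backslashes escaped (needed by
     * MySQL's default string syntax).
     * NOTE(review): conservative fallback because the $dbms_working wrapper's API
     * is not visible here; if it offers prepared statements or its own quoting,
     * that should be used instead.
     * INPUT : $value - raw value, cast to string
     * OUTPUT : quoted literal including the surrounding single quotes
     */
    $escaped = str_replace(array("\\", "'"), array("\\\\", "''"), (string) $value);
    return "'" . $escaped . "'";
}

function _log_adv_insert($table, $columns)
{
    /* Build and run an INSERT into one of the log_adv_* detail tables.
     * INPUT : $table   - table name; always a code literal, never log data
     *         $columns - column name => value. The boolean true is emitted as the
     *                    SQL literal true (used for flag columns), every other
     *                    value is quoted with _log_adv_sql_quote().
     * GLOBALS : $dbms_working
     * OUTPUT : NONE
     */
    global $dbms_working;

    $names = array();
    $values = array();
    foreach ($columns as $name => $value) {
        $names[] = $name;
        $values[] = ($value === true) ? "true" : _log_adv_sql_quote($value);
    }
    $sql = "INSERT INTO " . $table . " (" . implode(", ", $names) . ")"
         . " VALUES (" . implode(", ", $values) . ")";
    $dbms_working->query($sql);
}

function _log_adv_normalize_line($line)
{
    /* Collapse runs of spaces so that explode(" ") yields one token per field.
     * syslog pads single digit days ("Jan  5 ..."); without this the empty token
     * shifts every positional index used by the parsers by one.
     * (The previous str_replace(" ", " ", ...) was a no-op.)
     * INPUT : $line - raw log line
     * OUTPUT : line with single spaces between fields
     */
    return preg_replace('/ {2,}/', ' ', (string) $line);
}

function _log_adv_strip_comma($token)
{
    /* Remove one trailing comma (sendmail separates its fields with ", ").
     * INPUT : $token - single space separated token
     * OUTPUT : token without trailing comma, trimmed
     */
    if (substr($token, -1) == ",") {
        return trim(substr($token, 0, -1));
    }
    return $token;
}

function _log_adv_daemon_event($event)
{
    /* Store one start/stop/error style event for the current log record.
     * INPUT : $event - event label (code literal)
     * GLOBALS : $dbms
     * OUTPUT : NONE
     */
    global $dbms;

    _log_adv_insert("log_adv_daemon", array(
        'logid'          => $dbms->db_result_row[0],
        'detailed_table' => 'log_adv_daemon',
        'service'        => $dbms->db_result_row[3],
        'event'          => $event,
    ));
}

function linux_daemon_sendmail()
{
    /* This function is able to deal with the logs delivered by MTAs
     * the following are currently supported:
     * - sendmail
     * Fields are collected into an associative array so a repeated key can no
     * longer produce a duplicate column in the INSERT; all values are quoted by
     * _log_adv_insert().
     * Changes versus the previous version:
     * - key=value is split on the FIRST '=' only (msgid=/from= may contain '=')
     * - status_details is the remainder of the line after "stat=" instead of a
     *   truncated copy of the status word
     * - parsing stops after stat=, because the free text that follows must not be
     *   interpreted as further fields
     * - ereg_replace (removed in PHP 7) replaced by str_replace
     * INPUT : NONE
     * GLOBALS : $dbms, $dbms_working
     * OUTPUT : "TRUE" for success and "FALSE" for failure.
     */
    global $dbms;
    global $dbms_working;

    $log_string = _log_adv_normalize_line($dbms->db_result_row[6]);
    $tokens = explode(" ", $log_string);

    // token 5 is the queue id followed by ':' (tokens 0-4: date, host, "sendmail[pid]:")
    $queue_id = isset($tokens[5]) ? trim($tokens[5]) : "";
    $columns = array(
        'logid'              => $dbms->db_result_row[0],
        'detailed_table'     => 'log_adv_daemon_email',
        'service'            => 'sendmail',
        'internal_messageid' => ($queue_id === "") ? "" : substr($queue_id, 0, -1),
    );

    $count = count($tokens);
    for ($i = 6; $i < $count; $i++) {
        $token = _log_adv_strip_comma($tokens[$i]);

        // bare [a.b.c.d] token: peer address
        if (substr($token, 0, 1) == '[') {
            $columns['source_ip'] = substr($token, 1, strlen($token) - 2);
            continue;
        }
        if (strpos($token, "=") === false) {
            continue;
        }

        $parts = explode("=", $token, 2);
        $key = strtolower($parts[0]);
        $value = isset($parts[1]) ? $parts[1] : "";

        switch ($key) {
            case "from":
                $columns['from_email'] = $value;
                break;
            case "size":
                $columns['size'] = $value;
                break;
            case "delay":
                $columns['delay'] = str_replace("+", " ", $value);
                break;
            case "xdelay":
                $columns['xdelay'] = str_replace("+", " ", $value);
                break;
            case "mailer":
                $columns['mailer'] = $value;
                break;
            case "dsn":
                $columns['dsn'] = $value;
                break;
            case "msgid":
                // strip the surrounding angle brackets if present
                if (substr($value, 0, 1) == '<') {
                    $value = substr($value, 1, strlen($value) - 2);
                }
                $columns['external_messageid'] = $value;
                break;
            case "stat":
            case "status":
                // status = first word; status_details = everything after the marker.
                // stat= is the last field of a sendmail line, so stop parsing here.
                $columns['status'] = $value;
                $marker = strripos($log_string, $key . "=");
                $columns['status_details'] = ($marker === false)
                    ? $value
                    : substr($log_string, $marker + strlen($key) + 1);
                break 2;
            default:
                if (substr($key, 0, 1) == "[") {
                    $columns['destination_ip'] = substr($value, 1, strlen($value) - 2);
                }
                break;
        }
    }

    _log_adv_insert("log_adv_daemon_email", $columns);
    return "TRUE";
}

function linux_kernel_network()
{
    /* This function is able to deal with the output of kernel-network messages
     * coming from iptables and other similar tools. When elements are found
     * that cannot be identified they are ignored (see the default branch).
     * Changes versus the previous version:
     * - SPT is stored as source_port and DPT as destination_port (they were swapped)
     * - the bracketed ICMP "[SRC=" section keeps its source address in the second
     *   row and resets the first-occurrence trackers for LEN/ID/TOS
     * - values are quoted by _log_adv_insert()
     * INPUT : NONE
     * GLOBALS : $dbms, $dbms_working;
     * OUTPUT : "TRUE" for success and "FALSE" for failure.
     */
    global $dbms;
    global $dbms_working;

    $log_string = _log_adv_normalize_line($dbms->db_result_row[6]);
    $tokens = explode(" ", $log_string);

    $base_row = array(
        'logid'          => $dbms->db_result_row[0],
        'detailed_table' => 'kernel_network',
    );
    $columns = $base_row;
    // first LEN= is the packet length, later ones the payload length; only the
    // first ID= and TOS= are kept
    $seen_len = false;
    $seen_id = false;
    $seen_tos = false;

    $count = count($tokens);
    for ($i = 4; $i < $count; $i++) {
        $parts = explode("=", $tokens[$i], 2);
        $key = strtolower($parts[0]);
        $value = isset($parts[1]) ? $parts[1] : "";

        switch ($key) {
            case "in":
                $columns['device_in'] = $value;
                break;
            case "out":
                $columns['device_out'] = $value;
                break;
            case "mac":
                $columns['hw_address'] = $value;
                break;
            case "src":
                $columns['source_ip'] = $value;
                break;
            case "dst":
                $columns['destination_ip'] = $value;
                break;
            case "len":
                $columns[$seen_len ? 'body_len' : 'packet_length'] = $value;
                $seen_len = true;
                break;
            case "tos":
                if (!$seen_tos) {
                    $columns['tos_bit'] = $value;
                }
                $seen_tos = true;
                break;
            case "prec":
                $columns['prec_bit'] = $value;
                break;
            case "ttl":
                $columns['ttl'] = $value;
                break;
            case "id":
                if (!$seen_id) {
                    $columns['header_id'] = $value;
                    $seen_id = true;
                }
                break;
            case "proto":
                $columns['protocol'] = $value;
                break;
            case "spt":
                $columns['source_port'] = $value;
                break;
            case "dpt":
                $columns['destination_port'] = $value;
                break;
            case "window":
                $columns['window'] = $value;
                break;
            case "urgp":
                $columns['urgp'] = $value;
                break;
            case "rst":
                $columns['rst'] = true;
                break;
            case "syn":
                $columns['syn'] = true;
                break;
            case "df":
                $columns['df'] = true;
                break;
            case "type":
                $columns['type'] = $value;
                break;
            case "code":
                $columns['code'] = $value;
                break;
            case "seq":
                $columns['sequence_number'] = $value;
                break;
            case "res":
                $columns['res'] = $value;
                break;
            case "[src":
                /* ICMP errors quote the header of the original packet in brackets.
                 * Write the outer packet now and start a second row for the quoted one. */
                _log_adv_insert("log_adv_kernel_network", $columns);
                $columns = $base_row;
                $columns['source_ip'] = $value;
                $seen_len = false;
                $seen_id = false;
                $seen_tos = false;
                break;
            default:
                // unknown token (hostname, "kernel:", TCP flags such as ACK/PSH/FIN, ...)
                break;
        }
    }

    _log_adv_insert("log_adv_kernel_network", $columns);
    return "TRUE";
}

function linux_kernel_device()
{
    /* Placeholder for kernel messages about devices (network cards and other
     * hardware). Nothing is parsed or stored yet.
     * INPUT : NONE
     * GLOBALS : $dbms, $dbms_working
     * OUTPUT : "FALSE" - the record is not processed (the previous version
     *          returned nothing, i.e. null, contrary to the documented contract).
     */
    global $dbms, $dbms_working;

    return "FALSE";
}

function linux_daemon()
{
    /* Keyword based classification of generic daemon messages into start/stop/
     * error events. The keywords are tested in a fixed order and only the first
     * matching one counts ("restart" is tested before "start" for that reason).
     * Changes versus the previous version:
     * - strpos() results are compared with !== false; "> 0" silently missed a
     *   keyword at the very start of the message
     * - "exiting" after an error is recorded as 'stop' (the previous 'start'
     *   looks like a copy-paste slip from the start branch)
     * - the "stop" test inside the error branch was unreachable (any message
     *   containing "stop" is caught earlier) and was removed
     * - returns "TRUE" as documented instead of "ok"
     * INPUT : NONE
     * GLOBALS : $dbms, $dbms_working
     * OUTPUT : "TRUE" for success and "FALSE" for failure.
     */
    global $dbms, $dbms_working;

    $line = strtolower($dbms->db_result_row[6]);

    if (strpos($line, "shutdown") !== false) {
        _log_adv_daemon_event('stop');
    } elseif (strpos($line, "stop") !== false) {
        _log_adv_daemon_event('stop');
    } elseif (strpos($line, "restart") !== false) {
        // a restart is recorded as a stop followed by a start
        _log_adv_daemon_event('stop');
        _log_adv_daemon_event('start');
    } elseif (strpos($line, "start") !== false) {
        _log_adv_daemon_event('start');
    } elseif (strpos($line, "error") !== false || strpos($line, "crash") !== false) {
        _log_adv_daemon_event('error detected');
        // an error is often followed by a note that the daemon ended
        if (strpos($line, "abort") !== false) {
            _log_adv_daemon_event('abort');
        } elseif (strpos($line, "ended") !== false) {
            _log_adv_daemon_event('abort');
        } elseif (strpos($line, "charge") !== false) {
            // power management (apmd) battery warning
            _log_adv_daemon_event('Power warning');
        } elseif (strpos($line, "exiting") !== false) {
            _log_adv_daemon_event('stop');
        }
    }

    return "TRUE";
}
?>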