#!/usr/bin/php read($project_name)) {
    // NOTE(review): the file header (PHP open tag, includes, and the code that sets up
    // $class_settings, $project_name, $db_version, $gcmd_version and BATCHSIZE) is not
    // present in this copy; confirm against the repository before relying on them.
    echo "Can not read Gnucomo configuration file for $project_name.\n";
    // NOTE(review): exit() without a status reports success (0) to the caller, so a
    // supervisor or cron job cannot tell that the daemon never got going.
    exit();
}

/*
 * gcm_daemon - Gnucomo maintenance daemon.
 *
 * Connects to the Gnucomo database described by the configuration, checks the
 * schema and daemon version markers in db_value, then runs one pass of:
 *   - process_log()      : pattern-match unprocessed log entries (log_adv/notification work)
 *   - service_check()    : flag log entries from unknown / unused services
 *   - GatherStatistics() : per-object counters in object_statistics
 * Progress is logged to syslog (facility LOG_DAEMON) and to stdout.
 *
 * NOTE(review): every SQL statement in this file is built by string concatenation or
 * interpolation; the db abstraction's query() return values are never checked. Where a
 * value originates from log content (see match_log_patterns/record_abuse/service_check)
 * this is an injection risk — escape through the db layer or parameterise.
 */
openlog("gnucomo", LOG_PID, LOG_DAEMON);
syslog(LOG_INFO, "gcm_daemon started");

//Open an connection to the database
$dbms_type = $class_settings->find_parameter("database", "type");
$dbms_host = $class_settings->find_parameter("database", "host");
$dbms_name = $class_settings->find_parameter("database", "name");
$dbms_user = $class_settings->find_parameter("gcm_daemon", "user");
$dbms_password = $class_settings->find_parameter("gcm_daemon", "password");
db_select($dbms_type);
$dbms = new db();
$dbms->db_host = $dbms_host;
$dbms->db_name = $dbms_name;
$dbms->db_user = $dbms_user;
$dbms->db_password = $dbms_password;
$dbms->db_connect($class_settings->database());
// NOTE(review): compared against the string "FALSE". If have_db_connection() returns a
// boolean, `false == "FALSE"` is false (a non-empty string is truthy) and a failed
// connection slips through — confirm the db class's return convention.
if ($dbms->have_db_connection() == "FALSE") {
    // exit() with a string prints it and still exits with status 0.
    exit ("Database connection failed.");
} else {
    // The database connection has been made.
    // Second connection handle, kept for callers that need a separate cursor.
    $dbms_working = copy_db_class($dbms, $class_settings->database());
}

// Verify if the database is up-to-date by checking the versionnumber
$local_sql = "SELECT setting_value FROM db_value WHERE setting = 'db_version' ";
$dbms->query($local_sql);
// NOTE(review): `== "TRUE"` only works if fetch_row() signals success as boolean true
// or the literal string 'TRUE'; a returned row array would compare unequal.
if ($dbms->fetch_row() == "TRUE") {
    $active_version = $dbms->db_result_row[0];
    // Update the database to the most recent version.
    // ($db_version is expected to come from the truncated header; the include is
    // resolved via include_path.)
    if ($active_version < $db_version) {
        include ("gnucomo_db_version.php");
    }
} else {
    syslog (LOG_INFO, "Couldn't initialize database version. Is this a gnucomo database?");
    die ("Couldn't initialize database version.\n");
}

// The gcm_daemon version is maintained in the database to enable
// automatic update actions.
$local_sql = "SELECT setting_value FROM db_value WHERE setting = 'gcm_daemon_version'";
$dbms->query($local_sql);
if ($dbms->fetch_row() == "TRUE") {
    if ($dbms->db_result_row[0] < $gcmd_version) {
        //Update de gcm_daemon version in the database
        $local_sql = "UPDATE db_value SET setting_value = '".$gcmd_version;
        $local_sql .= "' WHERE setting = 'gcm_daemon_version'";
        $dbms->query($local_sql);
    }
}

// Now we loop the tasks that we have to do.
// As written the loop body runs exactly once ($keep_running is set to false at the
// end of the first pass); the do/while shell is there for a long-running mode.
do {
    echo "Processing logs...\n";
    process_log ();
    service_check();
    //mail_notifications();
    // Gather the statistics for each object
    $obj_result = $dbms->query("SELECT objectid FROM object");
    for ($obj = 0; $obj < $dbms->num_rows($obj_result); $obj++) {
        $object = $dbms->fetch_object($obj_result, $obj);
        echo "Gathering statistics for object " . $object->objectid . "\n";
        GatherStatistics($object->objectid);
    }
    $keep_running = false;
} while ($keep_running == true);

//Tell the log that we're ending our efforts in a nice way
syslog (LOG_INFO, "gcm_daemon ended nicely");

/*
 * Process the log entries that have not been handled yet.
 *
 * Reads the 'log_processing' checkpoint from db_value, selects the next batch of
 * at most BATCHSIZE log rows above it, adds per-object log counts to object.log_count,
 * hands the batch to match_log_patterns() and finally advances the checkpoint.
 *
 * INPUT : NONE (uses globals $dbms, $dbms_working, $class_settings)
 * OUTPUT : NONE; dies if a database connection cannot be cloned.
 */
function process_log () {
    global $dbms;
    global $dbms_working;
    global $class_settings;
    $last_log = 0;
    // Find records in log that still have to be processed.
    $local_sql = "SELECT setting_value FROM db_value WHERE setting = 'log_processing'";
    $dbms->query($local_sql);
    if ($dbms->fetch_row() == "TRUE") {
        $last_log = $dbms->db_result_row[0];
    }
    echo "Last processed logid = $last_log \n";
    //Query the log-table
    $log_limit = $last_log + BATCHSIZE;
    $local_sql = "SELECT * FROM log WHERE logid > CAST(".$last_log." AS BIGINT) AND logid <= $log_limit ORDER BY logid";
    $dbms->query($local_sql);
    //Update the log-statistics in the object-table
    $local_statistics_db = copy_db_class($dbms, $class_settings->database());
    $local_findobject_db = copy_db_class($dbms, $class_settings->database());
    //Make totals
    // NOTE(review): the upper bound is derived from the row COUNT, not from the highest
    // logid fetched. That is only equivalent when logids are contiguous; if rows were
    // deleted inside the batch, the checkpoint written below lands lower than the entries
    // match_log_patterns() has already handled, and they will be matched again next run.
    $local_upper_row = $dbms->num_rows() + $last_log + 1;
    $local_sql = "SELECT COUNT(logid), objectid from log WHERE logid > CAST(". $last_log . " AS BIGINT) AND logid < CAST (" . $local_upper_row . " AS BIGINT) GROUP BY objectid";
    $local_statistics_db->query ($local_sql);
    // Loop the objects
    for ($i = 1; $i <= $local_statistics_db->num_rows(); $i++) {
        $local_object_row = $local_statistics_db->fetch_row();
        // db_result_row[0] = COUNT(logid), [1] = objectid
        $local_sql = "UPDATE object SET log_count = log_count + " . $local_statistics_db->db_result_row[0] . " WHERE objectid = '" . $local_statistics_db->db_result_row[1] . "'";
        $local_findobject_db->query($local_sql);
    }
    $local_counter = 0;
    if ($dbms->num_rows() > 0) {
        //Create a database connection for changes in the database.
        $dbms_changes = copy_db_class($dbms, $class_settings->database());
        if ($dbms_changes->have_db_connection() == 'TRUE') {
            // The four assignments below are never read afterwards (leftover locals).
            $local_sql = 0 ;
            $local_sql_statistics = "";
            $local_object_os = "";
            $local_object_os_version = "";
            match_log_patterns($last_log);
            // Register that the logrecords have been processed.
            $local_upper_row--;
            $local_sql = "UPDATE db_value SET setting_value = '" . $local_upper_row ."' where setting = 'log_processing'";
            $dbms->query($local_sql);
            // Update the statistics for the object-table
        } else {
            syslog (LOG_INFO, "Couldn't clone database connection.");
            die ("Couldn't reconnect to the database.\n");
        }
    }
}

/*
 * Update a single statistic for some object.
 * If it does not yet exist, it will be created.
 *
 * $objectid - object the statistic belongs to
 * $name     - statname key in object_statistics
 * $value    - new statvalue
 *
 * NOTE(review): the SELECT-then-INSERT is not atomic, and the INSERT relies on the
 * column order of object_statistics being (objectid, statname, statvalue) — confirm
 * against the schema. Callers in this file pass only fixed names and integer counts.
 */
function UpdateStatistic($objectid, $name, $value) {
    global $dbms;
    $result = $dbms->query("SELECT objectid FROM object_statistics WHERE objectid='$objectid' AND statname='$name'");
    if ($dbms->num_rows() == 0) {
        $dbms->query("INSERT INTO object_statistics VALUES ('$objectid', '$name', '$value')");
    } else {
        $dbms->query("UPDATE object_statistics SET statvalue='$value' WHERE statname='$name' AND objectid='$objectid'");
    }
}

/*
 * Gather the statistics for a single object ($objectid).
 * We count the number of parameters, removed parameters, notifications
 * closed notifications and log entries. The totals of these are
 * maintained in a separate table: object_statistics.
 *
 * A parameter counts as removed when the newest history row for it has
 * change_nature = 'REMOVED'. Parameters without any history are reported
 * on stdout and not counted as removed.
 */
function GatherStatistics($objectid) {
    global $dbms;
    // Gather statistics on parameters
    $r = $dbms->query("SELECT paramid FROM parameter WHERE objectid=CAST('" . $objectid . "' AS BIGINT)");
    $nr_parameters = $dbms->num_rows($r);
    $removed_parameters = 0;
    for ($p = 0; $p < $nr_parameters; $p++) {
        // NOTE(review): pg_fetch_object() bypasses the db abstraction chosen by
        // db_select() above; the rest of this function uses $dbms->fetch_object().
        $param = pg_fetch_object($r, $p);
        // One history query per parameter (N+1); fine for small objects.
        $qry ="select change_nature from history where paramid= CAST('";
        $qry .= $param->paramid . "' AS BIGINT) order by modified desc";
        $rhist = $dbms->query($qry);
        if ($dbms->num_rows($rhist) == 0) {
            echo "ERROR: No history for parameter id " . $param->paramid . "\n";
        } else {
            $hist = $dbms->fetch_object($rhist, 0);
            if ($hist->change_nature == "REMOVED") {
                $removed_parameters++;
            }
        }
    }
    UpdateStatistic($objectid, 'parameters', $nr_parameters);
    UpdateStatistic($objectid, 'removed_parameters', $removed_parameters);
    // Gather statistics on notifications
    $r = $dbms->query("SELECT count(notificationid) FROM notification WHERE objectid = CAST('" . $objectid . "' AS BIGINT)");
    $cnt = $dbms->fetch_object($r, 0);
    UpdateStatistic($objectid, 'notifications', $cnt->count);
    $r = $dbms->query("SELECT count(notificationid) FROM notification WHERE objectid = CAST('" . $objectid . "' AS BIGINT) AND statuscode ='cls'");
    $cnt = $dbms->fetch_object($r, 0);
    UpdateStatistic($objectid, 'closed_notifications', $cnt->count);
    // Gather statistics on log entries
    $r = $dbms->query("SELECT count(logid) FROM log WHERE objectid = CAST('" . $objectid . "' AS BIGINT)");
    $cnt = $dbms->fetch_object($r, 0);
    UpdateStatistic($objectid, 'logs', $cnt->count);
}

/*
 * Match one batch of log entries against the service_pattern table.
 *
 * For each log row with $logstart < logid <= $logstart + BATCHSIZE, the patterns
 * for its servicecode (plus 'ANY') are tried in rank order; the first match wins and
 * its action is executed:
 *   ignore  - nothing
 *   notify  - create (once per object per run) a notification named by the argument
 *             and link the log entry to it
 *   abuse   - record_abuse(+1); at 32 points raise an 'abuses exceeded' notification
 *             and link all earlier log_abuse rows for that source to it
 *   forgive - record_abuse(-4)
 * $notifications is per-run only, so the "create once" guard does not carry across
 * daemon invocations.
 *
 * NOTE(review): ereg() was removed in PHP 7; this needs preg_match() with a delimited
 * pattern (and preg_quote() where pattern text is data) to run on a current interpreter.
 * NOTE(review): $service and — after expand_arguments() — $srv_pat->argument are derived
 * from log content. $service is interpolated into the service_pattern query below and
 * the argument reaches SQL inside record_abuse(); both should be escaped via the db
 * layer (pg_escape_string on a PostgreSQL backend) or parameterised. The 32-point
 * threshold is duplicated in record_abuse().
 */
function match_log_patterns($logstart) {
    global $dbms;
    $notifications = array();
    $log_limit = $logstart + BATCHSIZE;
    $noqueue_res = $dbms->query("select logid, objectid, servicecode, rawdata from log where logid > $logstart and logid <= $log_limit order by logid");
    for ($row = 0; $row < $dbms->num_rows($noqueue_res); $row++) {
        $logentry = $dbms->fetch_object($noqueue_res, $row);
        //echo "\n----------\n" . $logentry->rawdata . "\n----------\n";
        $service = $logentry->servicecode;
        $pattern_res = $dbms->query("select * from service_pattern where service='$service' OR service='ANY' order by rank");
        $match_found = false;
        for ($patnr = 0; !$match_found && $patnr < $dbms->num_rows($pattern_res); $patnr++) {
            $srv_pat = $dbms->fetch_object($pattern_res, $patnr);
            //echo " Checking with pattern " . $srv_pat->pattern . "\n";
            if (ereg($srv_pat->pattern, $logentry->rawdata, $matches)) {
                // Scan the argument for '$n' expressions and expand
                $srv_pat->argument = expand_arguments($srv_pat->argument, $matches);
                //echo " " . $srv_pat->pattern . " matches.\n";
                //echo " Matched string: " . $matches[0] . "\n";
                //echo " Action = " . $srv_pat->action . "(" . $srv_pat->argument . ")\n\n";
                $match_found = true;
                switch ($srv_pat->action) {
                    case "ignore":
                        break;
                    case "notify":
                        $notif = $srv_pat->argument;
                        if (!isset($notifications[$logentry->objectid][$notif])) {
                            //echo "Creating notification $notif for object " . $logentry->objectid . ".\n";
                            $remark = "Notification generated from Gnucomo pattern match.";
                            $notifications[$logentry->objectid][$notif] = $dbms->new_notification($logentry->objectid, $notif, $remark);
                        }
                        // isset() is false when new_notification() returned null, so
                        // a failed creation silently skips the link row.
                        if (isset($notifications[$logentry->objectid][$notif])) {
                            //echo "Notification $notif for object " . $logentry->objectid . " already created.\n";
                            $insertion = "INSERT INTO log_notification (notificationid, logid) VALUES ('";
                            $insertion .= $notifications[$logentry->objectid][$notif] . "', '";
                            $insertion .= $logentry->logid . "')";
                            $dbms->query($insertion);
                        }
                        break;
                    case "abuse":
                        //echo "Recording abuse for address ", $srv_pat->argument, "\n Log entry:\n ";
                        //echo $logentry->rawdata, "\n Pattern:\n ", $srv_pat->pattern, "\n\n";
                        if (record_abuse($logentry->logid, $logentry->objectid, $srv_pat->argument, 1) >= 32) {
                            // Second DNS lookup of the same name; record_abuse() already did one.
                            $source_ip = gethostbyname($srv_pat->argument);
                            $notif = 'abuses exceeded';
                            if (!isset($notifications[$logentry->objectid][$notif][$source_ip])) {
                                echo "Creating notification $notif for object " . $logentry->objectid . ".\n";
                                $remark = "Abuses from IP address $source_ip exceeded the limit.";
                                $notifid = $dbms->new_notification($logentry->objectid, $notif, $remark);
                                $notifications[$logentry->objectid][$notif][$source_ip] = $notifid;
                                // Add log entries from previously detected abuses
                                echo " Add log entries from previously detected abuses\n";
                                $abuses = $dbms->query("SELECT logid FROM log_abuse WHERE objectid = '" . $logentry->objectid . "' AND source = '$source_ip'");
                                for ($abusenr = 0; $abusenr < $dbms->num_rows($abuses); $abusenr++) {
                                    $log_abuse = $dbms->fetch_object($abuses, $abusenr);
                                    // The current entry is linked by the block below, not here.
                                    if ($log_abuse->logid != $logentry->logid) {
                                        $insertion = "INSERT INTO log_notification (notificationid, logid) VALUES ('";
                                        $insertion .= $notifid . "', '";
                                        $insertion .= $log_abuse->logid . "')";
                                        $dbms->query($insertion);
                                    }
                                }
                            }
                            if (isset($notifications[$logentry->objectid][$notif][$source_ip])) {
                                //echo "Notification $notif for object " . $logentry->objectid . " already created.\n";
                                $insertion = "INSERT INTO log_notification (notificationid, logid) VALUES ('";
                                $insertion .= $notifications[$logentry->objectid][$notif][$source_ip] . "', '";
                                $insertion .= $logentry->logid . "')";
                                $dbms->query($insertion);
                            }
                        }
                        break;
                    case "forgive":
                        record_abuse($logentry->logid, $logentry->objectid, $srv_pat->argument, -4);
                        break;
                    default:
                        echo "Error: unrecognized action in service pattern: " . $srv_pat->action . "\n";
                        break;
                }
            } else {
                // echo " " . $srv_pat->pattern . " does not match.\n";
            }
        }
    }
}

/*
 * Some IP address abused us. Record the event.
 * Return the number of abuse points recorded so far for the address
 *
 * $logid    - log entry that triggered the call
 * $objectid - object the abuse was observed on
 * $sourceip - host name or address as extracted from the log line; it is resolved
 *             with gethostbyname(), which returns the input unchanged on failure
 * $points   - points to add (negative to forgive)
 *
 * Rows in object_abuse whose status is neither '' nor 'dropped' are left untouched
 * and the unchanged $points value is returned for them. Reaching 32 points sets
 * status = 'dropped'.
 *
 * NOTE(review): $sourceip is log-derived and interpolated into four statements below
 * without escaping; see the note on match_log_patterns(). gethostbyname() is also a
 * blocking DNS lookup per matched log line. pg_numrows() bypasses the db abstraction.
 */
function record_abuse($logid, $objectid, $sourceip, $points) {
    global $dbms;
    $abuse_points = $points;
    $ipaddress = gethostbyname($sourceip);
    //echo " IP address for $sourceip is $ipaddress.\n";
    $sourceip = $ipaddress;
    $abres = $dbms->query("SELECT * FROM object_abuse WHERE objectid='$objectid' AND source='$sourceip'");
    if (pg_numrows($abres) == 0 && $points > 0) {
        //echo "$sourceip is new.\n";
        // Positional INSERT: relies on object_abuse column order — confirm against schema.
        $dbms->query("INSERT INTO object_abuse VALUES ('$objectid', '$sourceip', '$points', '', NOW())");
        $dbms->query("INSERT INTO log_abuse VALUES ('$logid', '$objectid', '$sourceip')");
    } else if (pg_numrows($abres) != 0) {
        $abuse = $dbms->fetch_object($abres, 0);
        if ($abuse->status == '' || $abuse->status == 'dropped') {
            $abuse_points = $abuse->nr_abuses + $points;
            if ($abuse_points < 0) {
                $abuse_points = 0;
            }
            //echo $sourceip . " will get " . $abuse_points . " abuse points, ";
            //echo "Status was " . $abuse->status . "\n";
            $dbms->query("UPDATE object_abuse SET nr_abuses='$abuse_points'" . ", last_change=NOW() WHERE objectid='$objectid' AND source='$sourceip'");
            if ($points > 0) {
                $dbms->query("INSERT INTO log_abuse VALUES ('$logid', '$objectid', '$sourceip')");
            }
            if ($abuse_points >= 32) {
                //echo " BLOCK IP adrress $sourceip on the firewall.\n";
                $dbms->query("UPDATE object_abuse SET status='dropped'" . " WHERE objectid='$objectid' AND source='$sourceip'");
            }
        }
    }
    return $abuse_points;
}

/*
 * Service_check - Check the log entries if there are any unknown
 * services.
 *
 * Walks the next batch of log rows after the 'log_servicecheck' checkpoint. For each
 * entry whose servicecode is not registered in object_service for its object, a
 * 'service unknown' (servicecode absent from service) or 'service not used'
 * (present in service but not on this object) notification is created once per
 * object per run and the entry is linked to it. The checkpoint is then advanced to
 * the last logid seen.
 *
 * NOTE(review): servicecode comes from the log row and is interpolated into two
 * queries below without escaping. $dbms->Field() is not used elsewhere in this file;
 * confirm its signature in the db class.
 */
function service_check() {
    global $dbms;
    $unknown_notification = array();
    $unused_notification = array();
    $last_log = 0;
    // How far did we get last time ?
    $lastlogres = $dbms->query("SELECT setting_value FROM db_value WHERE setting = 'log_servicecheck'");
    if ($dbms->num_rows($lastlogres) == 1) {
        $last_log = $dbms->Field($lastlogres, 0, 'setting_value');
    } else {
        // First run: seed the checkpoint row.
        $dbms->query("INSERT INTO db_value (setting, setting_value) VALUES ('log_servicecheck', '0')");
    }
    echo "Running service check from log id $last_log.\n";
    // Query the log-table
    $log_limit = $last_log + BATCHSIZE;
    $qry = "SELECT logid, objectid, servicecode FROM log WHERE logid > CAST(".$last_log." AS BIGINT) AND logid <= $log_limit ORDER BY logid";
    $log_res = $dbms->query($qry);
    //$log_res = $dbms->query("SELECT logid, objectid, servicecode,rawdata FROM log");
    for ($log_row = 0; $log_row < $dbms->num_rows($log_res); $log_row++) {
        $log_entry = $dbms->fetch_object($log_res, $log_row);
        // Track the highest logid actually seen; written back as the checkpoint.
        $last_log = $log_entry->logid;
        // Check if the service is used on the object.
        $qry = "SELECT * FROM object_service WHERE objectid='";
        $qry .= $log_entry->objectid . "' AND servicecode='";
        $qry .= $log_entry->servicecode . "'";
        $os_res = $dbms->query($qry);
        if ($dbms->num_rows($os_res) == 0) {
            // Service is not found for the object, check if the service
            // exists at all.
            $qry = "SELECT * FROM service WHERE servicecode='";
            $qry .= $log_entry->servicecode . "'";
            if ($dbms->num_rows($dbms->query($qry)) == 0) {
                if (!isset($unknown_notification[$log_entry->objectid])) {
                    $remark = "One or more log entries from a service that is not in the database";
                    $unknown_notification[$log_entry->objectid] = $dbms->new_notification($log_entry->objectid, 'service unknown', $remark);
                }
                if (isset($unknown_notification[$log_entry->objectid])) {
                    $insertion = "INSERT INTO log_notification (notificationid, logid) VALUES ('";
                    $insertion .= $unknown_notification[$log_entry->objectid] . "', '";
                    $insertion .= $log_entry->logid . "')";
                    $dbms->query($insertion);
                }
            } else {
                if (!isset($unused_notification[$log_entry->objectid])) {
                    $remark = "One or more log entries from a service not running on this object";
                    $unused_notification[$log_entry->objectid] = $dbms->new_notification($log_entry->objectid, 'service not used', $remark);
                }
                if (isset($unused_notification[$log_entry->objectid])) {
                    $insertion = "INSERT INTO log_notification (notificationid, logid) VALUES ('";
                    $insertion .= $unused_notification[$log_entry->objectid] . "', '";
                    $insertion .= $log_entry->logid . "')";
                    $dbms->query($insertion);
                }
            }
        }
    }
    $qry = "UPDATE db_value SET setting_value = '" . $last_log . "' WHERE setting = 'log_servicecheck'";
    $dbms->query($qry);
}

/*
 * find open notifications and send an email to the object's users.
 *
 * Currently disabled (the call in the main loop is commented out). Nothing records
 * that a notification has been mailed, so every call re-mails all notifications
 * whose statuscode is not 'cls' to every user of the object.
 *
 * NOTE(review): $usr->email is passed straight to mail(); if the usr table can hold
 * untrusted input, validate it (filter_var with FILTER_VALIDATE_EMAIL) first.
 * Uses the pgsql functions directly rather than the db abstraction.
 */
function mail_notifications () {
    global $dbms;
    $notifres = $dbms->query("SELECT notificationid, objectid, type_of_issueid FROM notification WHERE statuscode != 'cls'");
    for ($notifrow = 0; $notifrow < pg_numrows($notifres); $notifrow++) {
        $notification = pg_fetch_object($notifres, $notifrow);
        $issue = pg_fetch_object($dbms->query("SELECT description FROM type_of_issue WHERE type_of_issueid='" . $notification->type_of_issueid . "'"), 0);
        echo "Mailing Notification for object id " . $notification->objectid . "\n";
        $object = pg_fetch_object($dbms->query("SELECT objectname FROM object WHERE objectid='" . $notification->objectid ."'"), 0);
        $users = $dbms->query("SELECT username FROM object_user WHERE objectid='" . $notification->objectid . "'");
        for ($userrow = 0; $userrow < pg_numrows($users); $userrow++) {
            $objusr = pg_fetch_object($users, $userrow);
            $usr = pg_fetch_object($dbms->query("SELECT email FROM usr WHERE username='" . $objusr->username . "'"), 0);
            $message = "Notification " . $notification->notificationid . ": " . $issue->description;
            $message .= " for object " . $object->objectname . "\n";
            mail($usr->email, "GnuCoMo Notification", $message);
        }
    }
}

/*
 * The 'command' may contain positional parameters such as '$n' (e.g. '$1', '$3'),
 * just like the shell. These parameters are replaced by content from
 * the 'args' array ($args[0] is the whole match, as ereg() fills it).
 * An index beyond the array is reported on stdout and replaced by "".
 *
 * NOTE(review): ereg()/ereg_replace() were removed in PHP 7 (preg_match/preg_replace
 * are the replacements). Two further points for the maintainer:
 *  - the pattern '\$' . $index has no boundary, so replacing '$1' also rewrites the
 *    prefix of a later '$12';
 *  - the result is re-scanned, so if a substituted $args value itself contains the
 *    same '$n' token the loop never terminates; since captures come from log content
 *    this is an input-triggered hang — use a single-pass replacement (callback) instead.
 */
function expand_arguments($command, $args) {
    while (ereg('\$([0-9]+)', $command, $match)) {
        $index = $match[1];
        if ($index >= count($args)) {
            echo "Error: Argument $index not found for $command.\n";
            $command = ereg_replace('\$' . $index, "", $command);
        } else {
            $command = ereg_replace('\$' . $index, $args[$index], $command);
        }
    }
    return $command;
}
?>