$local_logline_array = explode (" ", $local_log_string);
$local_sql_1 = "INSERT INTO log_adv_daemon_email"; //BASIC STATEMENT
- $local_sql_2 = "logid, detailed_table, service, internal_messageid "; //FIELDS
+ $local_sql_2 = "logid, detailed_table, service"; //FIELDS
$local_sql_3 = "'".$dbms->db_result_row[0]."', 'log_adv_daemon_email', 'sendmail'"; //VALUES
- $local_sql_3 .= ", '".substr (trim($local_logline_array[5]), 0
- ,strlen(trim($local_logline_array[5])) -1)."'";
- $local_len = 0;
- $local_id = 0;
+ $message_id = trim($local_logline_array[5], " \t:");
- for ($i = 6; $i <= ( count($local_logline_array) - 1); $i++)
+ if ($message_id == 'NOQUEUE')
{
+ // This is an error rather than a real message id.
+
+ $local_sql_2 .= ", event";
+ $local_sql_3 .= ", '". $message_id ."'";
+
+ // Try to find the source IP address in the 6th or 7th word.
+
+ $source_ip = strstr($local_logline_array[6], "[");
+ if ($source_ip)
+ {
+ $end = strpos($source_ip, "]");
+ $source_ip = substr($source_ip, 1, $end - 1);
+ }
+ else
+ {
+ $source_ip = strstr($local_logline_array[7], "[");
+ if ($source_ip)
+ {
+ $end = strpos($source_ip, "]");
+ $source_ip = substr($source_ip, 1, $end - 1);
+ }
+ }
- //Get rid of the nasty comma's at the end
- if ( substr($local_logline_array[$i], strlen($local_logline_array[$i])-1, 1) == "," )
- {
- $local_dummylength = strlen($local_logline_array[$i]) -1;
- $local_dummy = substr ($local_logline_array[$i], 0,$local_dummylength );
- $local_logline_array[$i] = trim($local_dummy);
- }
+ if ($source_ip)
+ {
+ // We found a source IP address
- if (substr($local_logline_array[$i],0,1) == '[' && strstr($local_sql_2, "source_ip") == false)
- {
- $local_dummy = trim($local_logline_array[$i]);
$local_sql_2 .= ", source_ip";
- $local_sql_3 .= ", '".substr($local_dummy, 1, strlen($local_dummy)-2)."'";
- }
- else if (strstr($local_logline_array[$i], "="))
- {
-
- $local_element = explode("=", $local_logline_array[$i]);
-
- switch (strtolower($local_element[0]))
+ $local_sql_3 .= ", '". $source_ip ."'";
+ }
+ else
+ {
+ echo "Sendmail error NOQUEUE but no source IP found. logid = " .$dbms->db_result_row[0] . "\n";
+ }
+ }
+ else
+ {
+ $local_sql_2 .= ", internal_messageid";
+ $local_sql_3 .= ", '". $message_id ."'";
+ $local_len = 0;
+ $local_id = 0;
+
+ for ($i = 6; $i <= ( count($local_logline_array) - 1); $i++)
+ {
+
+ //Get rid of the nasty comma's at the end
+ if ( substr($local_logline_array[$i], strlen($local_logline_array[$i])-1, 1) == "," )
{
- case "from":
- $local_sql_2 .= ", from_email";
- $local_sql_3 .= ", '". addslashes($local_element[1]) ."'";
- break;
-
- case "size":
- $local_sql_2 .= ", size";
- $local_sql_3 .= ", '".$local_element[1]."'";
- break;
-
- case "delay":
- $local_sql_2 .= ", delay";
- $local_sql_3 .= ", '".ereg_replace("\+", " ", $local_element[1])."'";
- break;
-
- case "xdelay":
- $local_sql_2 .= ", xdelay";
- $local_sql_3 .= ", '".ereg_replace("\+", " ", $local_element[1])."'";
- break;
-
- case "mailer":
- $local_sql_2 .= ", mailer";
- $local_sql_3 .= ", '".$local_element[1]."'";
- break;
-
- case "dsn":
- $local_sql_2 .= ", dsn";
- $local_sql_3 .= ", '".$local_element[1]."'";
- break;
-
- case "msgid":
- $local_sql_2 .= ", external_messageid";
- if (substr($local_element[1],0,1) == '<')
- {
- $local_sql_3 .= ", '";
- $local_sql_3 .= substr($local_element[1],1,(strlen($local_element[1])-2));
- $local_sql_3 .= "'";
- }
- else
+ $local_dummylength = strlen($local_logline_array[$i]) -1;
+ $local_dummy = substr ($local_logline_array[$i], 0,$local_dummylength );
+ $local_logline_array[$i] = trim($local_dummy);
+ }
+
+ if (substr($local_logline_array[$i],0,1) == '[' && strstr($local_sql_2, "source_ip") == false)
+ {
+ $local_dummy = trim($local_logline_array[$i], " []:");
+ $local_sql_2 .= ", source_ip";
+ $local_sql_3 .= ", '$local_dummy'";
+ }
+ else if (strstr($local_logline_array[$i], "="))
+ {
+
+ $local_element = explode("=", $local_logline_array[$i]);
+
+ switch (strtolower($local_element[0]))
{
+ case "from":
+ $local_sql_2 .= ", from_email";
+ $local_sql_3 .= ", '". addslashes($local_element[1]) ."'";
+ break;
+
+ case "relay":
+ $local_sql_2 .= ", relay";
+ $local_sql_3 .= ", '". addslashes(trim($local_element[1], " []")) ."'";
+ break;
+
+ case "size":
+ $local_sql_2 .= ", size";
$local_sql_3 .= ", '".$local_element[1]."'";
+ break;
+
+ case "delay":
+ $local_sql_2 .= ", delay";
+ $local_sql_3 .= ", '".ereg_replace("\+", " ", $local_element[1])."'";
+ break;
+
+ case "xdelay":
+ $local_sql_2 .= ", xdelay";
+ $local_sql_3 .= ", '".ereg_replace("\+", " ", $local_element[1])."'";
+ break;
+
+ case "mailer":
+ $local_sql_2 .= ", mailer";
+ $local_sql_3 .= ", '".$local_element[1]."'";
+ break;
+
+ case "dsn":
+ $local_sql_2 .= ", dsn";
+ $local_sql_3 .= ", '".$local_element[1]."'";
+ break;
+
+ case "msgid":
+ $local_sql_2 .= ", external_messageid";
+ if (substr($local_element[1],0,1) == '<')
+ {
+ $local_sql_3 .= ", '";
+ $local_sql_3 .= substr($local_element[1],1,(strlen($local_element[1])-2));
+ $local_sql_3 .= "'";
+ }
+ else
+ {
+ $local_sql_3 .= ", '".$local_element[1]."'";
+ }
+ break;
+
+ //As of this point we only deal with Status
+ case "stat":
+ $local_sql_2 .= ", status";
+ $local_sql_3 .= ", '".$local_element[1]."'";
+
+ $local_pos = strrpos (strtolower($local_logline_array[$i]), "stat=");
+ $local_len = strlen($local_logline_array[$i]) - $local_pos - 6;
+ $local_sql_2 .= ", status_details";
+ $local_sql_3 .= ", '".substr($local_logline_array[$i], $local_pos + 5, $local_len) . "'";
+ break;
+
+ case "status":
+ $local_sql_2 .= ", status";
+ $local_sql_3 .= ", '".$local_element[1]."'";
+
+ $local_pos = strrpos (strtolower($local_logline_array[$i]), "status=");
+ $local_len = strlen($local_logline_array[$i]) - $local_pos - 8;
+ $local_sql_2 .= ", status_details";
+ $local_sql_3 .= ", '".substr($local_logline_array[$i], $local_pos + 7, $local_len) . "'";
+ break;
+
+ case "reject":
+ if ($local_element[1] == "550")
+ {
+ $local_sql_2 .= ", event";
+ $local_sql_3 .= ", 'SPAM'";
+ }
+ else if ($local_element[1] == "553")
+ {
+ $local_sql_2 .= ", event";
+ $local_sql_3 .= ", 'Blocked SPAM'";
+ }
+ else
+ {
+ echo "Unknown reject code in sendmail log: " . $local_element[1] .
+ ", logid = " .$dbms->db_result_row[0] . "\n";
+ }
+ break;
+
+ case "POSSIBLE":
+ echo "POSSIBLE ATTACK special report: $local_log_string\n";
+ break;
+
+ default:
+ if (substr(strtolower($local_element[0]),0,1) == "[")
+ {
+ $local_sql_2 .= ", destination_ip";
+ $local_sql_3 .= ", '". substr($local_element[1], 1, strlen($local_element[1]) - 2)."'";
+ }
+ break;
}
- break;
-
- //As of this point we only deal with Status
- case "stat":
- $local_sql_2 .= ", status";
- $local_sql_3 .= ", '".$local_element[1]."'";
-
- $local_pos = strrpos (strtolower($local_logline_array[$i]), "stat=");
- $local_len = strlen($local_logline_array[$i]) - $local_pos - 6;
- $local_sql_2 .= ", status_details";
- $local_sql_3 .= ", '".substr($local_logline_array[$i], $local_pos + 5, $local_len) . "'";
- break;
-
- case "status":
- $local_sql_2 .= ", status";
- $local_sql_3 .= ", '".$local_element[1]."'";
-
- $local_pos = strrpos (strtolower($local_logline_array[$i]), "status=");
- $local_len = strlen($local_logline_array[$i]) - $local_pos - 8;
- $local_sql_2 .= ", status_details";
- $local_sql_3 .= ", '".substr($local_logline_array[$i], $local_pos + 7, $local_len) . "'";
- break;
-
- default:
- if (substr(strtolower($local_element[0]),0,1) == "[")
- {
- $local_sql_2 .= ", destination_ip";
- $local_sql_3 .= ", '". substr($local_element[1], 1, strlen($local_element[1]) - 2)."'";
- }
- break;
}
- }
+ }
}
//Now that the data is complete create the SQL-statement
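Review bot: Every value the new branches append to `$local_sql_3` except `from` and `relay` is concatenated into the INSERT unescaped — `$message_id` in both the NOQUEUE and normal branches, `$source_ip` after the bracket parsing, `$local_dummy` in the `source_ip` case of the loop, and the `msgid`, `stat`/`status` (plus `status_details`), `size`, `mailer` and `dsn` tokens in the switch — yet these fields come from log lines whose content a remote sender largely controls (Message-ID, envelope sender, relay name), so a crafted message can close the quoted literal and inject into the statement. Apply one escaping step to every value before it is concatenated, e.g. `$local_sql_3 .= ", '". addslashes($message_id) ."'";` in the same shape already used for `from`, or better, build the statement with placeholders and bind the values if `$dbms` supports prepared statements; `addslashes` is not a DBMS-aware escape and should be treated as a stopgap. Separately, `$local_logline_array[6]` and `[7]` are read without an `isset()` guard, so a short NOQUEUE line raises an undefined-offset notice, and when `strpos($source_ip, "]")` finds no `]` the computed `$end - 1` is `-1`, so `substr` silently stores a truncated token instead of rejecting it. The assembled statement is presumably executed after this hunk (the "Now that the data is complete" comment), so I cannot confirm from here whether a later step escapes the values; if it does, only the NOQUEUE parsing guard remains.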
$local_logline_array = explode (" ", $local_log_string);
$local_sql_1 = "INSERT INTO log_adv_kernel_network"; //BASIC STATEMENT
$local_sql_2 = "logid, detailed_table"; //FIELDS
- $local_sql_3 = "'".$dbms->db_result_row[0]."', 'kernel_network'"; //VALUES
+ $local_sql_3 = "'".$dbms->db_result_row[0]."', 'log_adv_kernel_network'"; //VALUES
$local_len = 0;
$local_id = 0;
$local_tos = "F";