Drupal message parser for LogAnalyzer

Discussions related to the development of PhpLogCon



Drupal message parser for LogAnalyzer

Post by 1kg2 » Fri Dec 07, 2012 3:37 am

Here is a message parser for the Drupal (6.x, 7.x) syslog module, closely based on your templates. I mapped the Drupal fields to existing WEBLOG fields to simplify creating a view. Works with LogAnalyzer 3.6.0. Drupal log messages are split out by rsyslog via /etc/rsyslog.d/20-drupal.conf below.
Please feel free to commit if this is a starting point for something remotely useful.

classes/msgparsers/msgparser.drupal.class.php
<?php
/*
   *********************************************************************
   * LogAnalyzer - http://loganalyzer.adiscon.com
   * -----------------------------------------------------------------
   * Drupal MSG Parser is used to split Drupal fields if found
   * in the msg
   *
   * LogAnalyzer is free software: you can redistribute it and/or modify
   * it under the terms of the GNU General Public License as published by
   * the Free Software Foundation, either version 3 of the License, or
   * (at your option) any later version.
   *
   * LogAnalyzer is distributed in the hope that it will be useful,
   * but WITHOUT ANY WARRANTY; without even the implied warranty of
   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   * GNU General Public License for more details.
   *
   * You should have received a copy of the GNU General Public License
   * along with LogAnalyzer. If not, see <http://www.gnu.org/licenses/>.
   *
   * A copy of the GPL can be found in the file "COPYING" in this
   * distribution.
   *********************************************************************
*/

// --- Avoid directly accessing this file!
if ( !defined('IN_PHPLOGCON') )
{
   die('Hacking attempt');
   exit;
}
// ---

// --- Basic Includes
require_once($gl_root_path . 'classes/enums.class.php');
require_once($gl_root_path . 'classes/msgparser.class.php');
require_once($gl_root_path . 'include/constants_errors.php');
require_once($gl_root_path . 'include/constants_logstream.php');
// ---

class MsgParser_drupal extends MsgParser {

   // Public Information properties
   public $_ClassName = 'Drupal Format';
   public $_ClassDescription = 'This is a parser for a special format which can be created with Drupal.';
   public $_ClassRequiredFields = null;
   public $_ClassHelpArticle = "http://www.drupal.org";

   // Constructor
   public function MsgParser_drupal() {
      return; // Nothing
   }

   /**
   * ParseMsg
   *
   * @param arrArguments array in&out: properties of interest. There can be no guarantee the logstream can actually deliver them.
   * @return integer Error stat
   */
   public function ParseMsg($szMsg, &$arrArguments)
   {
      global $content, $fields;

      //trim the msg first to remove spaces from begin and end
      $szMsg = trim($szMsg);

      // Sample (Drupal syslog module):
      // http://beta2.kinonation.com|1354838305|system|208.57.201.113|http://beta2.kinonation.com/admin/modules/list/confirm|http://beta2.kinonation.com/admin/modules|1||syslog module installed.
      // Source:                        
      // %host%|%id%|%module%|%IP%|%URL%|%URL2%|%id2%|%dontknow%|%msg%%$CRLF%
      if ( preg_match("/(.*?)\|(.*?)\|(.*?)\|(.*?)\|(.*?)\|(.*?)\|(.*?)\|(.*?)\|(.*?)$/", $szMsg, $out ) )
      {
         // Copy parsed properties!
         $arrArguments[SYSLOG_HOST] = $out[1];
         $arrArguments[SYSLOG_PROCESSID] = $out[2];
         $arrArguments[SYSLOG_WEBLOG_USERAGENT] = $out[3];
         $arrArguments[SYSLOG_WEBLOG_REFERER] = $out[4];
         $arrArguments[SYSLOG_WEBLOG_QUERYSTRING] = $out[5];
         $arrArguments[SYSLOG_WEBLOG_URL] = $out[6];
         $arrArguments[SYSLOG_EVENT_USER] = $out[7];
//         $arrArguments[SYSLOG_WEBLOG_PVER] = $out[8];
         $arrArguments[SYSLOG_MESSAGE] = $out[9];

         if ( $this->_MsgNormalize == 1 )
         {
            //Init tmp msg
            $szTmpMsg = "";

            // Create Field Array to prepend into msg! Reverse Order here
            $myFields = array( SYSLOG_MESSAGE, SYSLOG_EVENT_USER, SYSLOG_WEBLOG_URL, SYSLOG_WEBLOG_QUERYSTRING, SYSLOG_WEBLOG_REFERER, SYSLOG_WEBLOG_USERAGENT, SYSLOG_PROCESSID, SYSLOG_HOST );

            foreach ( $myFields as $myField )
            {
               // Set Field Caption
               if ( isset($fields[$myField]['FieldCaption']) )
                  $szFieldName = $fields[$myField]['FieldCaption'];
               else
                  $szFieldName = $myField;

               // Append Field into msg
               $szTmpMsg = $szFieldName . ": '" . $arrArguments[$myField] . "'\n" . $szTmpMsg;
            }

            // copy finished MSG back!
            $arrArguments[SYSLOG_MESSAGE] = $szTmpMsg;

         }
      }
      else
      {
         // return no match in this case!
         return ERROR_MSG_NOMATCH;
      }
      // If we reached this position, return success!
      return SUCCESS;
   }
}

?>


/etc/rsyslog.d/20-drupal.conf
#  Rules to split out Drupal syslog messages into /var/log/drupal.log
#
#
# First some standard log files.  Log by facility.
#
:syslogtag, contains, "drupal"   /var/log/drupal.log


matching Drupal view
INSERT INTO `logcon_views` (`ID`, `DisplayName`, `Columns`, `userid`, `groupid`)
VALUES
   (1, 'Drupal', 'timereported, syslogseverity, FROMHOST, uID, procid, http_referer, http_querystring, http_url, user, msg', NULL, NULL);
1kg2
New
 
Posts: 1
Joined: Fri Dec 07, 2012 3:23 am
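
The regex in ParseMsg accepts any line that contains at least eight pipes, so a literal `|` inside one of the URL fields moves every later value into the wrong column. As an added example (not part of the original post or of LogAnalyzer), here is a stand-alone PHP function that splits the same nine fields and rejects shifted lines; the function name, array keys and validation rules are assumptions drawn from the sample line in the post.

```php
<?php
// Added example: strict split of the nine pipe-delimited Drupal syslog fields.
// Field names follow the template in the post; the validation rules are
// assumptions based on its sample line (numeric id fields, an IP in field 4).
// Requires PHP 7.1+ for the nullable return type.

function parse_drupal_line(string $line): ?array
{
    // A limit of 9 keeps any '|' inside the free-text message in the last field.
    $parts = explode('|', trim($line), 9);
    if (count($parts) !== 9) {
        return null; // too few delimiters: not a Drupal syslog line
    }

    $keys = ['host', 'id', 'module', 'ip', 'url', 'url2', 'id2', 'dontknow', 'msg'];
    $f = array_combine($keys, $parts);

    // Fixed-format fields act as column anchors: if a URL field carried a
    // literal '|', everything after it shifts and these checks fail.
    foreach (['id', 'id2'] as $numeric) {
        if (!preg_match('/^[0-9]+$/D', $f[$numeric])) {
            return null;
        }
    }
    if (filter_var($f['ip'], FILTER_VALIDATE_IP) === false) {
        return null;
    }

    return $f;
}

// Constructed sample lines (placeholder hosts and addresses, not real log data).
$ok = 'http://example.com|1354838305|system|192.0.2.10'
    . '|http://example.com/admin/modules/list/confirm'
    . '|http://example.com/admin/modules|1||syslog module installed.';

// Same layout, but the request URL contains a '|', which shifts the columns.
$shifted = 'http://example.com|1354838305|php|192.0.2.10'
    . '|http://example.com/?q=a|b|http://example.com/|0||Notice: a | b';

foreach (['ok' => $ok, 'shifted' => $shifted] as $label => $line) {
    $fields = parse_drupal_line($line);
    echo $label, ': ', $fields === null ? 'rejected' : 'id2=' . $fields['id2'], "\n";
}
```

In the parser class, the same checks would sit between the `preg_match` and the field copy, returning `ERROR_MSG_NOMATCH` when they fail so a shifted line is shown unparsed instead of with wrong column values.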

Re: Drupal message parser for LogAnalyzer

Post by alorbach » Thu Dec 13, 2012 10:03 am

Thanks for sharing this code with us :).
Would you mind if we add this into our msgparser database on http://loganalyzer.adiscon.com/message-parsers ?

best regards,
Andre Lorbach
alorbach
Site Admin
 
Posts: 1627
Joined: Thu Feb 13, 2003 11:55 am
