Datagram SyslogAgent msg parser

Discussions related to the development of PhpLogCon


Postby silk600 » Thu Feb 11, 2010 11:36 am

Hi all,

Here is a parser for Datagram's SyslogAgent log format. I have only tested it with logs collected by Rsyslog written with no specified template (so the default template).


<?php
/*
*********************************************************************
* Copyright (C) 2010 Sebastian Schauenburg
*
* PhpLogCon is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* PhpLogCon is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with phpLogCon. If not, see <http://www.gnu.org/licenses/>.
*
* A copy of the GPL can be found in the file "COPYING" in this
* distribution.
*********************************************************************
*/

// --- Avoid directly accessing this file!
if ( !defined('IN_PHPLOGCON') )
{
   die('Hacking attempt');
   exit;
}
// ---

// --- Basic Includes
require_once($gl_root_path . 'classes/enums.class.php');
require_once($gl_root_path . 'classes/msgparser.class.php');
require_once($gl_root_path . 'include/constants_errors.php');
require_once($gl_root_path . 'include/constants_logstream.php');
// ---

class MsgParser_eventlogdatagram extends MsgParser {

   // Public Information properties
   public $_ClassName = 'Datagram SyslogAgent Eventlog Format';
   public $_ClassDescription = "This is a parser for a special format which can be created with Datagram's SyslogAgent.";
   public $_ClassRequiredFields = null;
   public $_ClassHelpArticle = "None";

   // Constructor (old-style PHP constructor: the name must match the class name)
   public function MsgParser_eventlogdatagram() {
      return; // Nothing
   }

   /**
    * ParseMsg
    *
    * @param szMsg string: the MSG part of the syslog line (timestamp and host are already stripped off)
    * @param arrArguments array in&out: properties of interest. There can be no guarantee the logstream can actually deliver them.
    * @return integer Error state (SUCCESS or ERROR_MSG_NOMATCH)
    */

/*  Next part modified by Kieran Bloomfield
   Based on the SNARE message parser by SWAT @ http://kb.monitorware.com/snare-msg-parser-t10171.html
   Just hacked the regex / resultant array to work with Datagram's SyslogAgent (logs collected by rsyslog)
   Please feel free to make it better.
   Last updated: 10/02/10
*/

   public function ParseMsg($szMsg, &$arrArguments)
   {
      global $content, $fields;

      //trim the msg first to remove spaces from begin and end
      $szMsg = trim($szMsg);
      
      // Sample1:   Jan 27 09:44:55 dc1 security[success] 565 NT AUTHORITY\SYSTEM Object Open: Object Server:Security Account Manager Object Type:SAM_DOMAIN Object Name:DC=domainname,DC=com Handle ID:53264696 Operation ID:{0,103342745} Process ID:444 Process Name:C:\WINDOWS\system32\lsass.exe Primary User Name:DC1$ Primary Domain:DOMAINNAME Primary Logon ID:(0x0,0x3E7) Client User Name:DC1$ Client Domain:DOMAINNAME Client Logon ID:(0x0,0x3E7) Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters CreateUser%5397 CreateLocalGroup GetLocalGroupMembership ListAccounts Privileges:- Properties:---%{19195a5a-6da0-11d0-afd3-00c04fd930c9} DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters CreateUser%5397 CreateLocalGroup GetLocalGroupMembership ListAccounts%{c7407560-20bf-11d0-a268-00aa006f0529}%{bf9679a4-0de6-11d0-a
      // Sample2:   Jan 27 09:44:40 dc1 security[success] 538 NT AUTHORITY\SYSTEM User Logoff: User Name:DC1$ Domain:DOMAINNAME Logon ID:(0x0,0x6288D68) Logon Type:3
      //
      // Groups: 1 = log type (e.g. security[success]), 2 = event ID, 3 = domain, 4 = user, 5 = rest of message.
      // The groups are lazy, so group 3 runs up to the FIRST backslash after the event ID.
      if ( preg_match("/(.*?)[ ](.*?)[ ](.*?)[\\\\](.*?)[ ](.*?)$/", $szMsg, $out ) )
      {   
         // Copy parsed properties!
         $arrArguments[SYSLOG_EVENT_LOGTYPE] = $out[1];
         $arrArguments[SYSLOG_EVENT_ID] = $out[2];
         $arrArguments[SYSLOG_EVENT_USER] = "$out[3]\\$out[4]";
         $arrArguments[SYSLOG_MESSAGE] = $out[5];
         //$arrArguments[SYSLOG_EVENT_SOURCE] = ""; // Datagram SyslogAgent does not give this information
         //$arrArguments[SYSLOG_SEVERITY] = ""; // Datagram SyslogAgent does not give this information
         //$arrArguments[SYSLOG_HOST] = ""; // Leave as is - already populated correctly
         //$arrArguments[SYSLOG_DATE] = ""; // Leave as is - already populated correctly

         if ( $this->_MsgNormalize == 1 )
         {
            //Init tmp msg
            $szTmpMsg = "";

            // Create Field Array to prepend into msg! Reverse Order here
            $myFields = array( SYSLOG_MESSAGE, SYSLOG_EVENT_CATEGORY, SYSLOG_EVENT_LOGTYPE, SYSLOG_EVENT_SOURCE, SYSLOG_EVENT_USER, SYSLOG_EVENT_ID );

            foreach ( $myFields as $myField )
            {
               // Set Field Caption
               if ( isset($fields[$myField]['FieldCaption']) )
                  $szFieldName = $fields[$myField]['FieldCaption'];
               else
                  $szFieldName = $myField;

               // Category and source are never set by this parser; avoid an undefined index notice
               if ( isset($arrArguments[$myField]) )
                  $szFieldValue = $arrArguments[$myField];
               else
                  $szFieldValue = "";

               // Append Field into msg
               $szTmpMsg = $szFieldName . ": '" . $szFieldValue . "'\n" . $szTmpMsg;
            }

            // copy finished MSG back!
            $arrArguments[SYSLOG_MESSAGE] = $szTmpMsg;

         }
      }
      else
      {
         // return no match in this case!
         return ERROR_MSG_NOMATCH;
      }
      
      // Set IUT Property if success!
      $arrArguments[SYSLOG_MESSAGETYPE] = IUT_NT_EventReport;

      // If we reached this position, return success!
      return SUCCESS;
   }
}

?>


Unfortunately Datagram's SyslogAgent does not provide the event source or severity, but having the other fields separated makes using phpLogCon MUCH more useful, as you can now search for a specific/filter by Event ID/Username/Event Type as well as Host and date/time range. If SyslogAgent is updated to include this missing info in the future, this parser can be updated.

Please see this post: http://kb.monitorware.com/snare-msg-parser-t10171.html#p18502 for instructions on how to install/use it.

Cheers,

Kieran
silk600
Posts: 3
Joined: Thu Jan 28, 2010 2:41 pm
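The split the parser above performs, as an added example that is not part of the post or of phpLogCon: a Python port of the post's regex next to a stricter variant, run on the MSG part of Sample2 and on a constructed line. The strict pattern assumes the event ID is numeric and the domain contains no ':' or '\'; the constructed line is not a real SyslogAgent capture.

```python
import re

# Loose pattern: a direct port of the preg_match() in the post (lazy groups).
LOOSE_RE = re.compile(r"^(.*?) (.*?) (.*?)\\(.*?) (.*)$")
# Strict pattern (assumption, not from the post): numeric event ID, and the
# domain may not contain ':' or '\', so a path in the body cannot supply the backslash.
STRICT_RE = re.compile(r"^(\S+) (\d+) ([^\\:]+?)\\(\S+) (.*)$")

# MSG part of Sample2 from the post (timestamp and host already stripped by rsyslog).
SAMPLE_LOGOFF = ("security[success] 538 NT AUTHORITY\\SYSTEM User Logoff: User Name:DC1$ "
                 "Domain:DOMAINNAME Logon ID:(0x0,0x6288D68) Logon Type:3")
# Constructed line: no DOMAIN\user field, but a Windows path in the body carries
# a backslash, which is exactly what the loose pattern latches onto.
CONSTRUCTED_PATH = ("security[success] 592 SYSTEM A new process has been created: "
                    "Image File Name:C:\\WINDOWS\\system32\\cmd.exe Creator Process ID:444")


def parse_msg(msg, pattern=STRICT_RE):
    """Return the fields the PHP parser fills, or None for ERROR_MSG_NOMATCH."""
    m = pattern.match(msg.strip())
    if not m:
        return None
    logtype, event_id, domain, user, body = m.groups()
    return {"logtype": logtype, "event_id": event_id,
            "user": f"{domain}\\{user}", "message": body}


if __name__ == "__main__":
    for name, line in (("sample2", SAMPLE_LOGOFF), ("constructed", CONSTRUCTED_PATH)):
        print(name, "loose :", parse_msg(line, LOOSE_RE))
        print(name, "strict:", parse_msg(line))
```

On Sample2 both patterns agree; on the constructed line the loose pattern silently pulls half the message body into the user field, while the strict one reports no match, which is the safer failure when the field is later used for filtering.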
