SNARE msg parser

Discussions related to the development of PhpLogCon

SNARE msg parser

Postby SWAT » Mon Jan 18, 2010 12:54 pm

I wanted to use PHPlogcon together with the SNARE agent and noticed that the logs weren't processed correctly, so I wrote a message parser (based on the original eventlog message parser). I want to contribute this back to the project, so I have added the parser code below. Please let me know if you will implement this in any upcoming release, what needs to be fixed to get this into the official release, what else I need to do or if/why it gets rejected.

Code:
```php
<?php
/*
   *********************************************************************
   * Copyright (C) 2010 Sebastian Schauenburg
   *
   * PhpLogCon is free software: you can redistribute it and/or modify
   * it under the terms of the GNU General Public License as published by
   * the Free Software Foundation, either version 3 of the License, or
   * (at your option) any later version.
   *
   * PhpLogCon is distributed in the hope that it will be useful,
   * but WITHOUT ANY WARRANTY; without even the implied warranty of
   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   * GNU General Public License for more details.
   *
   * You should have received a copy of the GNU General Public License
   * along with phpLogCon. If not, see <http://www.gnu.org/licenses/>.
   *
   * A copy of the GPL can be found in the file "COPYING" in this
   * distribution.
   *********************************************************************
*/

// --- Avoid directly accessing this file!
if ( !defined('IN_PHPLOGCON') )
{
   die('Hacking attempt');
}
// ---

// --- Basic Includes
require_once($gl_root_path . 'classes/enums.class.php');
require_once($gl_root_path . 'classes/msgparser.class.php');
require_once($gl_root_path . 'include/constants_errors.php');
require_once($gl_root_path . 'include/constants_logstream.php');
// ---

class MsgParser_eventlogsnare extends MsgParser {

   // Public Information properties
   public $_ClassName = 'SNARE Eventlog Format';
   public $_ClassDescription = 'This is a parser for a special format which can be created with SNARE Agent.';
   public $_ClassRequiredFields = null;
   public $_ClassHelpArticle = "http://www.intersectalliance.com/projects/SnareWindows/";

   // Constructor (PHP4 style, so it has to carry the class name)
   public function MsgParser_eventlogsnare() {
      return; // Nothing
   }

   /**
   * ParseMsg
   *
   * SNARE separates its fields with tabs; rsyslog writes each tab as the
   * octal escape "#011", which is what the pattern below matches on.
   *
   * @param szMsg string: the raw message
   * @param arrArguments array in&out: properties of interest. There can be no guarantee the logstream can actually deliver them.
   * @return integer Error state
   */
   public function ParseMsg($szMsg, &$arrArguments)
   {
      global $content, $fields;

      // trim the msg first to remove spaces from begin and end
      $szMsg = trim($szMsg);

      // Sample:   Jan 18 12:09:37 winxp MSWinEventLog#0111#011System#011752#011Mon Jan 18 12:09:33 2010#0117036#011Service Control Manager#011Unknown User#011N/A#011Information#011WINXP#011None#011#011The Windows Time service entered the running state.  #011469
      //
      // Capture groups:  1 syslog header incl. "MSWinEventLog", 2 criticality,
      // 3 eventlog name, 4 snare counter, 5 date, 6 event id, 7 source,
      // 8 user name, 9 SID type, 10 event type, 11 computer, 12 category,
      // 13 data string, 14 expanded message, 15 checksum
      if ( preg_match("/(.*?)\#011(.*?)\#011(.*?)\#011([0-9]{1,12})\#011(.*?)\#011([0-9]{1,12})\#011(.*?)\#011(.*?)\#011(.*?)\#011(.*?)\#011(.*?)\#011(.*?)\#011(.*?)\#011(.*?)\#011(.*?)/", $szMsg, $out ) )
      {
         // Copy parsed properties!
         $arrArguments[SYSLOG_EVENT_ID] = $out[6];
         $arrArguments[SYSLOG_EVENT_USER] = $out[8];      // user name; $out[9] is the SID type
         $arrArguments[SYSLOG_EVENT_SOURCE] = $out[7];
         $arrArguments[SYSLOG_EVENT_LOGTYPE] = $out[3];
         $arrArguments[SYSLOG_EVENT_CATEGORY] = $out[12]; // read back by the normalize block below
         $arrArguments[SYSLOG_SEVERITY] = $out[10];
         $arrArguments[SYSLOG_MESSAGE] = $out[14];
         $arrArguments[SYSLOG_HOST] = $out[11];
         $arrArguments[SYSLOG_DATE] = $out[5];

         if ( $this->_MsgNormalize == 1 )
         {
            // Init tmp msg
            $szTmpMsg = "";

            // Create Field Array to prepend into msg! Reverse Order here
            $myFields = array( SYSLOG_MESSAGE, SYSLOG_EVENT_CATEGORY, SYSLOG_EVENT_LOGTYPE, SYSLOG_EVENT_SOURCE, SYSLOG_EVENT_USER, SYSLOG_EVENT_ID );

            foreach ( $myFields as $myField )
            {
               // Set Field Caption
               if ( isset($fields[$myField]['FieldCaption']) )
                  $szFieldName = $fields[$myField]['FieldCaption'];
               else
                  $szFieldName = $myField;

               // Prepend Field into msg
               $szTmpMsg = $szFieldName . ": '" . $arrArguments[$myField] . "'\n" . $szTmpMsg;
            }

            // copy finished MSG back!
            $arrArguments[SYSLOG_MESSAGE] = $szTmpMsg;
         }
      }
      else
      {
         // return no match in this case!
         return ERROR_MSG_NOMATCH;
      }

      // Set IUT Property if success!
      $arrArguments[SYSLOG_MESSAGETYPE] = IUT_NT_EventReport;

      // If we reached this position, return success!
      return SUCCESS;
   }
}

?>
```
SWAT
New
 
Posts: 3
Joined: Mon Jan 18, 2010 12:40 pm
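A stand-alone way to check the field layout that the parser above relies on, written here as an added example (it is not SWAT's code and not part of PhpLogCon): it splits the sample line quoted in the parser's comment on the `#011` tab escape and names every field, so the capture-group numbers used for user, host, category and message can be verified against it. The field names are assumptions drawn from that sample line; the `snare_field_names` and `parse_snare_line` functions are this example's own.

```php
<?php
// Added example, not part of SWAT's parser or of PhpLogCon: split one
// SNARE for Windows record into named fields. rsyslog writes the tab
// that SNARE uses as field separator as the octal escape "#011".

// Field order after the syslog header, as seen in the sample line
// (assumption drawn from that sample; the agent documentation is the
// authority for other agent versions).
function snare_field_names()
{
   return array(
      'criticality',   // 1 in the sample
      'eventlog',      // System, Security, Application, ...
      'counter',       // Snare event counter
      'datetime',      // event time as written by the agent
      'event_id',      // 7036 in the sample
      'source',        // Service Control Manager
      'user',          // Unknown User
      'sid_type',      // N/A for system events
      'event_type',    // Information, Warning, Error, Audit Success, ...
      'computer',      // WINXP
      'category',      // None
      'data',          // usually empty
      'message',       // the expanded description string
      'checksum',      // last field, 469 in the sample
   );
}

// Returns an associative array of the record's fields, or null when the
// line is not a SNARE record. If the expanded message itself contains
// the separator, the extra pieces are joined back into 'message' so the
// trailing checksum still lands in its own slot.
function parse_snare_line($line)
{
   $names = snare_field_names();
   $parts = explode('#011', trim($line));
   $needed = count($names) + 1;          // syslog header + 14 fields
   if (count($parts) < $needed) {
      return null;
   }
   $header = array_shift($parts);        // "Jan 18 12:09:37 winxp MSWinEventLog"
   if (substr($header, -strlen('MSWinEventLog')) != 'MSWinEventLog') {
      return null;
   }
   if (count($parts) > count($names)) {
      $msgIndex = count($names) - 2;     // 'message' sits right before 'checksum'
      $extra = count($parts) - count($names);
      $merged = implode("\t", array_slice($parts, $msgIndex, $extra + 1));
      array_splice($parts, $msgIndex, $extra + 1, array($merged));
   }
   $record = array_combine($names, $parts);
   $record['header'] = $header;
   $record['message'] = trim($record['message']);
   return $record;
}

// Constructed sample: the line quoted in the parser's source comment.
$sample = 'Jan 18 12:09:37 winxp MSWinEventLog#0111#011System#011752#011Mon Jan 18 12:09:33 2010'
        . '#0117036#011Service Control Manager#011Unknown User#011N/A#011Information#011WINXP'
        . '#011None#011#011The Windows Time service entered the running state.  #011469';

$record = parse_snare_line($sample);
if ($record === null) {
   fwrite(STDERR, "not a SNARE record\n");
   exit(1);
}
foreach ($record as $name => $value) {
   printf("%-12s %s\n", $name, $value);
}
```

Run it with `php snare_fields.php` (any file name works) and it prints one field per line; on the sample, `user` is "Unknown User" and `sid_type` is "N/A", which is the distinction the parser's `$out[8]` versus `$out[9]` offsets must respect. A message that contains the separator is folded back into the message field here, whereas the lazy `(.*?)` groups in the parser's pattern would cut the message at the first embedded tab.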

Re: SNARE msg parser

Postby silk600 » Thu Jan 28, 2010 2:51 pm

Thanks for your work in writing this parser.

I plan to hack up a similar parser for Datagram's SyslogAgent that we use here, based on your work (the format looks very similar). I will of course contribute the parser back to the project also.

Could you tell me how to actually get phplogcon to use this parser? I have put the file into /classes/msgparsers/, but I assume I have to configure phplogcon to actually use it somewhere?

Thanks,

Kieran
silk600
New
 
Posts: 3
Joined: Thu Jan 28, 2010 2:41 pm

Re: SNARE msg parser

Postby SWAT » Fri Jan 29, 2010 11:05 am

Just add it to your configuration.

Do not forget to post your final working code here, so it might/can be integrated to phplogcon (or at least I hope so)
SWAT
New
 
Posts: 3
Joined: Mon Jan 18, 2010 12:40 pm

Re: SNARE msg parser

Postby stefaet » Sat Jan 30, 2010 1:09 am

Hi,

I followed the info in this thread to create a custom parser class.
In Message Parsers I can see them.
I also created:
* custom fields
* a custom view that uses the custom fields
* a custom source that uses the message parser

When I run the custom source in "Show Events" the custom view fields are empty.
In troubleshooting mode (custom view selected):
* Show Events enters the constructor function MsgParser_XXXX, which only does return; // nothing
* the process does not enter the ParseLine function ParseMsg($szMsg, &$arrArguments), which parses the messages

Note: if I select Internal View, the log shows that the process enters the constructor and the ParseLine function

How can I solve my problem?

Thanks
Stefano
stefaet
New
 
Posts: 1
Joined: Sat Jan 30, 2010 12:47 am

Re: SNARE msg parser

Postby alorbach » Wed Feb 03, 2010 11:48 am

Hi,

thanks for your contribution. I will add this parser into phpLogCon, so it will be included in the next minor update.

best regards,
Andre Lorbach
alorbach
Site Admin
 
Posts: 1627
Joined: Thu Feb 13, 2003 11:55 am

Re: SNARE msg parser

Postby silk600 » Thu Feb 11, 2010 11:32 am

Hi guys.

I'll write this post in such a way as to be useful for people coming across this in the future.

SWAT wrote:Just add it to your configuration.


Thanks for pointing me in the right direction. I ended up converting my installation to the UserDB (Instructions here:
http://wiki.rsyslog.com/index.php/How_to_to_use_convert.php_to_install_the_Userdb-System_in_an_existing_phpLogCon_installation%3F)
and found the configuration option (after logging in) under Admin Centre -> Message Parsers to verify phplogcon sees the parser, and then Admin Centre -> Sources -> edit source link, and add the name of the desired parser to the 'parsers' text box (in this case, "eventlogsnare").

The actual parser should be placed in <PhpLogConRoot>\classes\msgparsers\

and has to be named msgparser.<parsername>.class.php.

SWAT wrote:Do not forget to post your final working code here, so it might/can be integrated to phplogcon (or at least I hope so)


See here: http://kb.monitorware.com/datagram-syslogagent-msg-parser-t10219.html

Cheers,

Kieran
silk600
New
 
Posts: 3
Joined: Thu Jan 28, 2010 2:41 pm

Re: SNARE msg parser

Postby SWAT » Fri Feb 12, 2010 10:49 pm

alorbach wrote:Hi,

thanks for your contribution. I will add this parser into phpLogCon, so it will be included in the next minor update.

best regards,
Andre Lorbach

Awesome, cheers!

@silk600, thanks for the additions and for creating another open/free parser!
SWAT
New
 
Posts: 3
Joined: Mon Jan 18, 2010 12:40 pm

Re: SNARE msg parser

Postby rgerhards » Tue Feb 23, 2010 12:25 pm

Thanks to all for the effort. We've thought a while about how to handle third-party parser (and hopefully soon report!) contributions. Putting them all into phpLogCon's git would become problematic when they reach a large number (and I hope they do). So we have followed other open source projects and created a specific "plugin directory" on the new phpLogCon site. The site is going live these days, and I hope to have the infrastructure for the plugins live pretty soon as well. We will keep only those plugins in git that we manage ourselves, but if you have a git server for your plugin, let me know and I will add the link to its description inside the plugin directory (once it is available, of course ;)).

Some more background on the new site design and phpLogCon rename can be found in this article:

http://loganalyzer.adiscon.com/artikel/ ... oganalyzer
rgerhards
Site Admin
 
Posts: 3806
Joined: Thu Feb 13, 2003 11:57 am

Re: SNARE msg parser

Postby rgerhards » Tue Feb 23, 2010 12:59 pm

rgerhards
Site Admin
 
Posts: 3806
Joined: Thu Feb 13, 2003 11:57 am

Re: SNARE msg parser

Postby aerlas » Mon Apr 19, 2010 4:50 pm

Hi !

I'm French, sorry for my mistakes...

First of all, thanks to swat !!
I'm testing rsyslog, especially with Windows agents (via SNARE).

I installed phplogcon 3.0-stable and already have some results :)
Now, I just want to include your parser.
Your explanations are clear.

However, I have a problem / bug... and I didn't find out why...
Here is my treeview (<PhpLogConRoot>\classes\msgparsers\):
[screenshot]

And that's the result of clicking on Message Parsers (in Admin Center), to check that phplogcon sees the parser:

[screenshot]

I added some "echo" calls to see where the problem is... (/var/www/include/functions_config.php, around line 243)

functions_config.php wrote:
```php
// Check if parser file include exists
$szIncludeFile = $szDirectory . $myFile;
if ( file_exists($szIncludeFile) )
{
   // Try to include
   if ( include_once($szIncludeFile) )
   {
      // Set ParserClassName
      $szParserClass = "MsgParser_" . $myParserID;
      echo "szParserClass == > " . $szParserClass . "........................";

      // Create Instance and get properties
      $tmpParser = new $szParserClass(); // Create an instance
      echo "szParserClass == > " . $szParserClass . "<br>";

      $szParserName = $tmpParser->_ClassName;
      $szParserDescription = $tmpParser->_ClassDescription;
      $szParserHelpArticle = $tmpParser->_ClassHelpArticle;
```


In red, the blocking line ...



What's amazing is that I made a simple test: I took msgparser.eventlog.class.php and renamed it msgparser.aaaa.class.php...
Same result!

[screenshot]

[screenshot]

Not a chmod problem...
[screenshot]

Does anybody have an answer? :o/
What did I miss?
aerlas
New
 
Posts: 3
Joined: Mon Apr 19, 2010 4:04 pm

Re: SNARE msg parser

Postby aerlas » Tue Apr 20, 2010 7:51 am

aerlas wrote:First of all, thanks to swat !!


And thanks to Silk !!! (oops) :) :)
aerlas
New
 
Posts: 3
Joined: Mon Apr 19, 2010 4:04 pm

Re: SNARE msg parser

Postby alorbach » Tue Apr 20, 2010 3:20 pm

You guys do not need to edit any of the loganalyzer files at all. All you need is to use the filebasename also in the classname, or the other way around. So if the codefile is called msgparser.snare.class.php, the class in the code needs to be named "MsgParser_snare"

best regards,
Andre Lorbach
alorbach
Site Admin
 
Posts: 1627
Joined: Thu Feb 13, 2003 11:55 am
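The naming rule from silk600's walk-through and Andre's reply above (file msgparser.<id>.class.php, class MsgParser_<id>) is easy to break when a parser is copied from another one, and the loader's `new $szParserClass()` then stops with a fatal error rather than a readable message. The command-line checker below is an added example, not part of LogAnalyzer or PhpLogCon: it reads each file's class declaration without including the file and reports mismatched names, duplicated class names and leftover constructors. The script name `check_msgparsers.php`, the `check_parser_dir` function and the directory argument are this example's own.

```php
<?php
// Added example, not part of LogAnalyzer/PhpLogCon: sanity-check the
// parser plugin directory before the Admin Center tries to load it.
// The loader builds "MsgParser_<id>" from a file named
// msgparser.<id>.class.php and instantiates that class; a file whose
// class is named differently dies with a fatal error, which the Admin
// Center shows as a blank page.
//
// Usage (script name and argument are this example's own):
//    php check_msgparsers.php classes/msgparsers/

function check_parser_dir($dir)
{
   $problems = array();
   $seen = array();   // lowercased class name => file, to catch duplicates
   $files = glob(rtrim($dir, '/') . '/*.php');
   if ($files === false) {
      $files = array();
   }
   foreach ($files as $file) {
      $base = basename($file);
      if (!preg_match('/^msgparser\.([A-Za-z0-9_]+)\.class\.php$/', $base, $m)) {
         $problems[] = "$base: name is not msgparser.<id>.class.php, the loader will not list it";
         continue;
      }
      $expected = 'MsgParser_' . $m[1];
      $src = file_get_contents($file);

      // Read the declaration instead of including the file, so a broken
      // plugin cannot take this check down with it.
      if (!preg_match('/\bclass\s+(\w+)\s+extends\s+MsgParser\b/i', $src, $c)) {
         $problems[] = "$base: no 'class ... extends MsgParser' declaration found";
         continue;
      }
      $class = $c[1];

      // PHP class names are case-insensitive, so compare that way.
      if (strcasecmp($class, $expected) != 0) {
         $problems[] = "$base: declares $class but the loader will run 'new $expected()'";
      }

      // Two files declaring the same class is a fatal error once both are included.
      $key = strtolower($class);
      if (isset($seen[$key])) {
         $problems[] = "$base: class $class is already declared in {$seen[$key]}";
      }
      $seen[$key] = $base;

      // A PHP4-style constructor only runs when it carries the class name;
      // a copied parser often still has the original's constructor.
      if (preg_match('/function\s+(MsgParser_\w+)\s*\(/i', $src, $k)
          && strcasecmp($k[1], $class) != 0) {
         $problems[] = "$base: method {$k[1]}() looks like a leftover constructor, expected {$class}()";
      }

      if (!preg_match('/function\s+ParseMsg\s*\(/i', $src)) {
         $problems[] = "$base: no ParseMsg() method, nothing will be parsed";
      }
   }
   return $problems;
}

$dir = isset($argv[1]) ? $argv[1] : 'classes/msgparsers';
$problems = check_parser_dir($dir);
if (count($problems) == 0) {
   echo "all parser files in $dir look consistent\n";
   exit(0);
}
foreach ($problems as $p) {
   echo $p, "\n";
}
exit(1);
```

A non-zero exit status means at least one file would either be ignored by the loader or break the Message Parsers page; the two symptoms reported later in this thread (a blank page, and a renamed file that is silently not listed) correspond to the first two checks.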

Re: SNARE msg parser

Postby aerlas » Wed Apr 21, 2010 11:34 am

YES !

Thank you alorbach !!!!

Indeed, there is an error between the code and the filename!

If the file is named msgparser.snare.class.php, then the code must be:


```php
// --- Basic Includes
require_once($gl_root_path . 'classes/enums.class.php');
require_once($gl_root_path . 'classes/msgparser.class.php');
require_once($gl_root_path . 'include/constants_errors.php');
require_once($gl_root_path . 'include/constants_logstream.php');
// ---

class MsgParser_snare extends MsgParser {

   // Public Information properties
   public $_ClassName = 'SNARE Eventlog Format';
   public $_ClassDescription = 'This is a parser for a special format which can be created with SNARE Agent.';
   public $_ClassRequiredFields = null;
   public $_ClassHelpArticle = "http://www.intersectalliance.com/projects/SnareWindows/";

   // Constructor (PHP4 style, so it must match the class name as well)
   public function MsgParser_snare() {
      return; // Nothing
   }

   // ... ParseMsg() as in the parser posted above ...
}
```



Or, as you say, just rename the file provided by the web page (http://loganalyzer.adiscon.com/plugins/message-parsers/snare-message-parser) to msgparser.eventsnare.class.php

:)


Easy, I know... argh ^^
aerlas
New
 
Posts: 3
Joined: Mon Apr 19, 2010 4:04 pm

Re: SNARE msg parser

Postby jwatters » Wed Dec 15, 2010 6:18 pm

Greetings, I am attempting to create a central syslog solution for both Windows and Linux hosts. rSyslog and LogAnalyzer with the ability to write to database really provides a nice matrix of options. Thank you.

I am evaluating LogAnalyzer 3.04 running on CentOS 5.5 x86_64 with rSyslog 4.4.2-5, MySQL 5.1.53, PHP 5.3.3 and Apache 2.2.
Everything is working really well with no issues whatsoever for Linux hosts, and I am receiving messages from my test Windows 2003 hosts from the SNARE agent as well as Datagram's and Purdue's Event-to-syslog agents. However, I would like to investigate the filtering for the SNARE and Datagram agents more, to fine-tune so that I can determine which agent is the better fit for our environment, but I am unable to get the SNARE or Datagram parsers to work and would really appreciate any assistance and education.

I'm just not getting it from any of the posts or other documentation. If I add the two files:
msgparser.datagram.class.php
msgparser.snare.class.php
to <mywwwpath>/loganalyzer/classes/msgparsers/ , I get a blank white screen when accessing Message Parsers through Admin Center. If I remove them then I show the default configured parsers without error in Admin Center.
jwatters
New
 
Posts: 4
Joined: Wed Dec 15, 2010 5:28 pm

Re: SNARE msg parser

Postby jwatters » Wed Dec 15, 2010 6:46 pm

I failed to mention that when I change the name of the parsers, the SNARE parser for example, to msgparser.eventlogsnare.php I can then open Message Parsers from Admin Center without a blank screen, but the parser is not listed as installed and I cannot assign it to my source.
jwatters
New
 
Posts: 4
Joined: Wed Dec 15, 2010 5:28 pm
