Datagram
This parses the syslog messages sent by Datagram's SyslogAgent. It is a slight modification of the original script, which is available here. Note that you must also apply the registry change that replaces newlines with spaces: with the default behaviour the EOL is replaced and the last character of every sentence is lost.
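/* *********************************************************************
 * Copyright (C) 2010 Kieran/Forum user silk600
 *
 * PhpLogCon is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * PhpLogCon is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with phpLogCon. If not, see <http://www.gnu.org/licenses/>.
 *
 * A copy of the GPL can be found in the file "COPYING" in this
 * distribution.
 ********************************************************************* */

// --- Avoid directly accessing this file!
if ( !defined('IN_PHPLOGCON') )
{
    die('Hacking attempt');
}
// ---

// --- Basic Includes
require_once($gl_root_path . 'classes/enums.class.php');
require_once($gl_root_path . 'classes/msgparser.class.php');
require_once($gl_root_path . 'include/constants_errors.php');
require_once($gl_root_path . 'include/constants_logstream.php');
// ---

/**
 * Message parser for the event format produced by Datagram's SyslogAgent
 * (logs collected by rsyslog).
 *
 * Next part modified by Kieran Bloomfield, based on the SNARE message
 * parser by SWAT @ http://kb.monitorware.com/snare-msg-parser-t10171.html.
 * The regex / resultant array were adapted to Datagram's SyslogAgent output.
 * Please feel free to make it better.  Last updated: 10/02/10
 */
class MsgParser_datagram extends MsgParser
{
    // Public Information properties
    public $_ClassName = 'Datagram SyslogAgent Eventlog Format';
    public $_ClassDescription = "This is a parser for a special format which can be created with Datagram's SyslogAgent.";
    public $_ClassRequiredFields = null;
    public $_ClassHelpArticle = "None";

    /**
     * Constructor.
     *
     * Intentionally empty. The original PHP4-style constructor
     * (MsgParser_datagram()) did nothing and did not call the parent
     * constructor; __construct keeps that behaviour while staying valid on
     * PHP 7+, where same-name constructors are deprecated/removed.
     */
    public function __construct()
    {
        // Nothing to initialise
    }

    /**
     * ParseMsg
     *
     * Parses one Datagram SyslogAgent event line of the form
     *     <source>[<severity>] <event id> <message text>
     * and copies the captured pieces into $arrArguments. The captured values
     * are stored as-is; no escaping or type conversion is done here.
     * When message normalisation is enabled ($this->_MsgNormalize == 1,
     * presumably inherited from MsgParser) the message is rewritten as a
     * "Caption: 'value'" list of the known fields, one per line.
     *
     * @param szMsg        string  the raw syslog message text
     * @param arrArguments array   in&out: properties of interest. There can be no guarantee the logstream can actually deliver them.
     * @return integer SUCCESS on a match, ERROR_MSG_NOMATCH when the line does
     *                 not have the expected shape (or the regex engine fails)
     */
    public function ParseMsg($szMsg, &$arrArguments)
    {
        // $fields is the global field table, used only for the captions
        // during normalisation.
        global $fields;

        // trim the msg first to remove spaces from begin and end
        $szMsg = trim($szMsg);

        // preg_match() returns 0 on no match and false on a PCRE error
        // (e.g. backtrack limit); both are reported as "no match".
        $out = array();
        if ( preg_match('/^(.*?)\[(.*?)\] ([0-9]*) (.*)$/', $szMsg, $out) !== 1 )
        {
            // return no match in this case!
            return ERROR_MSG_NOMATCH;
        }

        // Copy parsed properties!
        // Not provided by this format (left untouched): SYSLOG_EVENT_LOGTYPE,
        // SYSLOG_EVENT_USER, SYSLOG_HOST, SYSLOG_DATE - the latter two are
        // already populated correctly by the logstream.
        $arrArguments[SYSLOG_EVENT_SOURCE] = $out[1];
        $arrArguments[SYSLOG_SEVERITY]     = $out[2];
        $arrArguments[SYSLOG_EVENT_ID]     = $out[3];
        $arrArguments[SYSLOG_MESSAGE]      = $out[4];

        if ( $this->_MsgNormalize == 1 )
        {
            // Init tmp msg
            $szTmpMsg = "";

            // Create Field Array to prepend into msg! Reverse Order here
            // (each field is prepended, so the last entry ends up first).
            $myFields = array(
                SYSLOG_MESSAGE,
                SYSLOG_EVENT_CATEGORY,
                SYSLOG_EVENT_LOGTYPE,
                SYSLOG_EVENT_SOURCE,
                SYSLOG_EVENT_USER,
                SYSLOG_EVENT_ID,
            );

            foreach ( $myFields as $myField )
            {
                // Set Field Caption, falling back to the raw field id
                if ( isset($fields[$myField]['FieldCaption']) )
                    $szFieldName = $fields[$myField]['FieldCaption'];
                else
                    $szFieldName = $myField;

                // Fields this parser never fills (category, logtype, user)
                // would raise an undefined-index notice; render them as empty.
                if ( isset($arrArguments[$myField]) )
                    $szFieldValue = $arrArguments[$myField];
                else
                    $szFieldValue = '';

                // Append Field into msg
                $szTmpMsg = $szFieldName . ": '" . $szFieldValue . "'\n" . $szTmpMsg;
            }

            // copy finished MSG back!
            $arrArguments[SYSLOG_MESSAGE] = $szTmpMsg;
        }

        // Set IUT Property if success!
        $arrArguments[SYSLOG_MESSAGETYPE] = IUT_NT_EventReport;

        // If we reached this position, return success!
        return SUCCESS;
    }
}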