public CustomLogHanderResultDto CheckCustomLog(string AlertName, string HostName, string InstanceName, string Description, JObject table, JArray row, string rowPayload, ILogger log) { CustomLogHanderResultDto result = new CustomLogHanderResultDto(); string resourceHostName = HostName; if (resourceHostName.Contains(".")) { resourceHostName = resourceHostName.Substring(0, resourceHostName.IndexOf('.') - 1); } string regexString = regex; regexString = regexString.Replace("{HOSTNAME}", resourceHostName); log.LogInformation($"DB regex - check for alert {AlertName}: {regexString} on {rowPayload}"); // Check if body contains a database, then report incident Regex rx = new Regex(regexString, RegexOptions.IgnoreCase); // Find matches. MatchCollection matches = rx.Matches(rowPayload); if (matches.Count > 0) { result.Handled = true; // If we have a match with databases foreach (Match match in matches) { log.LogInformation($"DB regex - found match for alert {AlertName} and regex {regexString}: {match.Value}!"); AlertResult dbResult = new AlertResult() { ResourceName = HostName, InstanceName = match.Value.Replace($"{resourceHostName}\\", "") }; dbResult.PartitionKey = dbResult.ResourceName + " - " + dbResult.InstanceName; dbResult.Type = type; dbResult.Description = Description; result.Results.Add(dbResult); } } else { log.LogInformation($"DB regex - No matches found!"); } return(result); }
protected AlertResult[] GetAlertResults(string alertName, string payload, Newtonsoft.Json.Linq.JObject payloadObj, ILogger log) { List <AlertResult> results = new List <AlertResult>(); foreach (JObject table in payloadObj["data"]["SearchResult"]["tables"]) { int resourceIndex = GetColumnIndex(alertName, "Computer", table, log); int instanceIndex = GetColumnIndex(alertName, "InstanceName", table, log); int renderedDescriptionIndex = GetColumnIndex(alertName, "RenderedDescription", table, log); if (resourceIndex != -1) { foreach (JArray row in table["rows"]) { AlertResult result = new AlertResult() { ResourceName = row[resourceIndex].ToString(), PartitionKey = row[resourceIndex].ToString() }; // Set instance info, if available if (instanceIndex != -1 && !String.IsNullOrEmpty(row[instanceIndex].ToString())) { result.InstanceName = row[instanceIndex].ToString(); result.PartitionKey = result.ResourceName + " - " + result.InstanceName; } // Set rendered description info, if available if (renderedDescriptionIndex != -1 && !String.IsNullOrEmpty(row[renderedDescriptionIndex].ToString())) { result.Description = row[renderedDescriptionIndex].ToString(); } bool handled = false; List <AlertResult> localResults = new List <AlertResult>(); log.LogInformation($"Starting handler check for Alert Rule {alertName}"); foreach (string customHandlerKey in customLogHandlers.Keys) { ICustomLogHandler handler = customLogHandlers[customHandlerKey]; CustomLogHanderResultDto logHandlerResult = handler.CheckCustomLog(alertName, result.ResourceName, result.InstanceName, result.Description, table, row, Newtonsoft.Json.JsonConvert.SerializeObject(row), log); if (logHandlerResult.Handled) { log.LogInformation($"Handler {handler.LogType} was successful for alert {alertName}"); handled = true; } localResults.AddRange(logHandlerResult.Results); } if (handled) { // Custom handlers matched, add them results.AddRange(localResults); } else { log.LogInformation($"No handlers matched {alertName}, adding OTHER alert."); // No custom handler results, just add main alert results.Add(result); } } } } return(results.ToArray()); }
public CustomLogHanderResultDto CheckCustomLog(string AlertName, string HostName, string InstanceName, string Description, JObject table, JArray row, string rowPayload, ILogger log) { CustomLogHanderResultDto result = new CustomLogHanderResultDto(); try { // Check if body contains disk info, then report incident Regex rx = new Regex(regex, RegexOptions.IgnoreCase); // Find matches in the instance text. MatchCollection matches = rx.Matches(InstanceName); if (matches.Count > 0) { result.Handled = true; log.LogInformation($"DISK regex {regex} successful, found {matches.Count} matches"); // If we have a match with disks foreach (Match match in matches) { bool createIncident = true; int freeSpacePercentIndex = GetColumnIndex("Free_Space_Percent", table); int freeMegabytesIndex = GetColumnIndex("Free_MB", table); decimal freeSpacePercent = 0, freeMegabytes = 0, diskSize = 0; if (freeSpacePercentIndex != -1) { freeSpacePercent = Math.Round(Convert.ToDecimal(row[freeSpacePercentIndex].ToString())); } if (freeMegabytesIndex != -1) { freeMegabytes = Convert.ToDecimal(row[freeMegabytesIndex].ToString()); } if (freeSpacePercent > 0 && freeMegabytes > 0) { diskSize = Math.Round(freeMegabytes / (freeSpacePercent / 100)); } if (diskSize > 500000 && freeSpacePercent > 5) { // Don't create incident if disk is large (> 500 GB) and free space percent is greater than 5 createIncident = false; } if (createIncident) { AlertResult diskResult = new AlertResult() { ResourceName = HostName, InstanceName = match.Value }; diskResult.PartitionKey = diskResult.ResourceName + " - " + diskResult.InstanceName; diskResult.Type = type; if (!String.IsNullOrEmpty(Description)) { diskResult.Description = Description; } else { diskResult.Description = $"Disk alert for drive: {diskResult.InstanceName} - size: {diskSize} - free percent: {freeSpacePercent} - free mb: {freeMegabytes}"; } result.Results.Add(diskResult); } } } else { log.LogInformation($"DISK regex - No matches found!"); } } catch (Exception ex) { log.LogError(ex, "Error in CustomLogServiceDISK"); } return(result); }