public CustomLogHanderResultDto CheckCustomLog(string AlertName, string HostName, string InstanceName, string Description, JObject table, JArray row, string rowPayload, ILogger log)
{
CustomLogHanderResultDto result = new CustomLogHanderResultDto();
string resourceHostName = HostName;
if (resourceHostName.Contains("."))
{
resourceHostName = resourceHostName.Substring(0, resourceHostName.IndexOf('.') - 1);
}
string regexString = regex;
regexString = regexString.Replace("{HOSTNAME}", resourceHostName);
log.LogInformation($"DB regex - check for alert {AlertName}: {regexString} on {rowPayload}");
// Check if body contains a database, then report incident
Regex rx = new Regex(regexString, RegexOptions.IgnoreCase);
// Find matches.
MatchCollection matches = rx.Matches(rowPayload);
if (matches.Count > 0)
{
result.Handled = true;
// If we have a match with databases
foreach (Match match in matches)
{
log.LogInformation($"DB regex - found match for alert {AlertName} and regex {regexString}: {match.Value}!");
AlertResult dbResult = new AlertResult()
{
ResourceName = HostName, InstanceName = match.Value.Replace($"{resourceHostName}\\", "")
};
dbResult.PartitionKey = dbResult.ResourceName + " - " + dbResult.InstanceName;
dbResult.Type = type;
dbResult.Description = Description;
result.Results.Add(dbResult);
}
}
else
{
log.LogInformation($"DB regex - No matches found!");
}
return(result);
}
protected AlertResult[] GetAlertResults(string alertName, string payload, Newtonsoft.Json.Linq.JObject payloadObj, ILogger log)
{
List <AlertResult> results = new List <AlertResult>();
foreach (JObject table in payloadObj["data"]["SearchResult"]["tables"])
{
int resourceIndex = GetColumnIndex(alertName, "Computer", table, log);
int instanceIndex = GetColumnIndex(alertName, "InstanceName", table, log);
int renderedDescriptionIndex = GetColumnIndex(alertName, "RenderedDescription", table, log);
if (resourceIndex != -1)
{
foreach (JArray row in table["rows"])
{
AlertResult result = new AlertResult()
{
ResourceName = row[resourceIndex].ToString(), PartitionKey = row[resourceIndex].ToString()
};
// Set instance info, if available
if (instanceIndex != -1 && !String.IsNullOrEmpty(row[instanceIndex].ToString()))
{
result.InstanceName = row[instanceIndex].ToString();
result.PartitionKey = result.ResourceName + " - " + result.InstanceName;
}
// Set rendered description info, if available
if (renderedDescriptionIndex != -1 && !String.IsNullOrEmpty(row[renderedDescriptionIndex].ToString()))
{
result.Description = row[renderedDescriptionIndex].ToString();
}
bool handled = false;
List <AlertResult> localResults = new List <AlertResult>();
log.LogInformation($"Starting handler check for Alert Rule {alertName}");
foreach (string customHandlerKey in customLogHandlers.Keys)
{
ICustomLogHandler handler = customLogHandlers[customHandlerKey];
CustomLogHanderResultDto logHandlerResult = handler.CheckCustomLog(alertName, result.ResourceName, result.InstanceName, result.Description, table, row, Newtonsoft.Json.JsonConvert.SerializeObject(row), log);
if (logHandlerResult.Handled)
{
log.LogInformation($"Handler {handler.LogType} was successful for alert {alertName}");
handled = true;
}
localResults.AddRange(logHandlerResult.Results);
}
if (handled)
{
// Custom handlers matched, add them
results.AddRange(localResults);
}
else
{
log.LogInformation($"No handlers matched {alertName}, adding OTHER alert.");
// No custom handler results, just add main alert
results.Add(result);
}
}
}
}
return(results.ToArray());
}
public CustomLogHanderResultDto CheckCustomLog(string AlertName, string HostName, string InstanceName, string Description, JObject table, JArray row, string rowPayload, ILogger log)
{
CustomLogHanderResultDto result = new CustomLogHanderResultDto();
try
{
// Check if body contains disk info, then report incident
Regex rx = new Regex(regex, RegexOptions.IgnoreCase);
// Find matches in the instance text.
MatchCollection matches = rx.Matches(InstanceName);
if (matches.Count > 0)
{
result.Handled = true;
log.LogInformation($"DISK regex {regex} successful, found {matches.Count} matches");
// If we have a match with disks
foreach (Match match in matches)
{
bool createIncident = true;
int freeSpacePercentIndex = GetColumnIndex("Free_Space_Percent", table);
int freeMegabytesIndex = GetColumnIndex("Free_MB", table);
decimal freeSpacePercent = 0, freeMegabytes = 0, diskSize = 0;
if (freeSpacePercentIndex != -1)
{
freeSpacePercent = Math.Round(Convert.ToDecimal(row[freeSpacePercentIndex].ToString()));
}
if (freeMegabytesIndex != -1)
{
freeMegabytes = Convert.ToDecimal(row[freeMegabytesIndex].ToString());
}
if (freeSpacePercent > 0 && freeMegabytes > 0)
{
diskSize = Math.Round(freeMegabytes / (freeSpacePercent / 100));
}
if (diskSize > 500000 && freeSpacePercent > 5)
{
// Don't create incident if disk is large (> 500 GB) and free space percent is greater than 5
createIncident = false;
}
if (createIncident)
{
AlertResult diskResult = new AlertResult()
{
ResourceName = HostName, InstanceName = match.Value
};
diskResult.PartitionKey = diskResult.ResourceName + " - " + diskResult.InstanceName;
diskResult.Type = type;
if (!String.IsNullOrEmpty(Description))
{
diskResult.Description = Description;
}
else
{
diskResult.Description = $"Disk alert for drive: {diskResult.InstanceName} - size: {diskSize} - free percent: {freeSpacePercent} - free mb: {freeMegabytes}";
}
result.Results.Add(diskResult);
}
}
}
else
{
log.LogInformation($"DISK regex - No matches found!");
}
}
catch (Exception ex)
{
log.LogError(ex, "Error in CustomLogServiceDISK");
}
return(result);
}
