public string[] Parse(SyslogMessage message)
        {
            Trace.WriteLine("Parsing message");

            // The whole parse — including the null/blank checks — runs under the lock on the shared
            // Regex instance, exactly as before, so the locking behaviour is unchanged.
            lock (typeRegex)
            {
                string text = message == null ? null : message.Message;

                if (string.IsNullOrWhiteSpace(text))
                {
                    Trace.WriteLine("Empty message");
                    return null;
                }

                // Is this an interesting message? Both patterns must match (subtype is only
                // evaluated when the type pattern matched, as with the original short-circuit).
                bool interesting = typeRegex.IsMatch(text) && subtypeRegex.IsMatch(text);
                if (!interesting)
                {
                    Trace.WriteLine("Message rejected - no regex match");
                    return null;
                }

                // Get the bits we want. Group 1 of an unmatched regex yields "" rather than throwing,
                // so a missing field comes back as an empty string.
                string[] fields =
                {
                    message.Timestamp.ToUniversalTime().ToString("yyyy-MM-dd HH:mm:ss"),
                    srcRegex.Match(text).Groups[1].Value,
                    dstRegex.Match(text).Groups[1].Value,
                    sentRegex.Match(text).Groups[1].Value,
                    rcvdRegex.Match(text).Groups[1].Value,
                };

                Trace.WriteLine("Message parsed");

                return fields;
            }
        }
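        /// <summary>
        /// Parses the <see cref="SyslogMessage"/> into its individual data fields.
        /// </summary>
        /// <remarks>
        /// The message text is split on single spaces and fields are picked by token position (the
        /// expected layout is documented only by the index comments below). Every token access is
        /// bounds-checked, so a truncated or malformed message returns <see langword="null"/> instead of
        /// throwing <see cref="IndexOutOfRangeException"/>: the previous version could read past the end
        /// of the token array both in the SrcDetail loop (when no closing parenthesis is present) and at
        /// index 26 + srcDetailPartsCount, which the Length &gt;= 26 check did not cover.
        /// </remarks>
        /// <param name="message">The <see cref="SyslogMessage"/> to process.</param>
        /// <returns>An 18-element array of parsed fields, or <see langword="null"/> if the message is missing or cannot be parsed.</returns>
        string[] IParser.Parse(SyslogMessage message)
        {
            if (message == null || message.Message == null)
            {
                return null;
            }

            string[] msgParts = message.Message.Split(' ');

            // Tokens up to index 25 are read unconditionally below; SrcDetail starts at index 18.
            if (msgParts.Length < 26)
            {
                return null;
            }

            // SrcDetail: a parenthesised group that may span several tokens. Locate its last token
            // without running off the end of the array when the parenthesis is never closed.
            int srcDetailEnd = 18;
            string srcDetail;
            if (msgParts[18].Contains("(") && msgParts[18].Contains(")"))
            {
                srcDetail = StripParentheses(msgParts[18]);
            }
            else
            {
                while (!msgParts[srcDetailEnd].Contains(")"))
                {
                    srcDetailEnd++;
                    if (srcDetailEnd >= msgParts.Length)
                    {
                        return null;
                    }
                }

                string joined = StripParentheses(string.Join(" ", msgParts, 18, srcDetailEnd - 18 + 1));
                // Keep only the text after the first ':' (the whole string when there is none).
                srcDetail = joined.Substring(joined.IndexOf(':') + 1);
            }

            int srcDetailPartsCount = srcDetailEnd - 18;

            // UserInfo is the furthest positional field; everything else lies before it.
            int userInfoIndex = 26 + srcDetailPartsCount;
            if (userInfoIndex >= msgParts.Length)
            {
                return null;
            }

            // UserInfo: text after the first ':' with the final character dropped, as in the original
            // (presumably a trailing delimiter — confirm against a real sample).
            string userInfoToken = msgParts[userInfoIndex];
            int colon = userInfoToken.IndexOf(':');
            int userInfoLength = userInfoToken.Length - colon - 2;
            if (userInfoLength < 0)
            {
                return null;
            }

            string[] msg = new string[18];

            msg[0] = message.Timestamp.ToString();  //MsgDateTime
            msg[1] = msgParts[3];   //SourceIP
            msg[2] = msgParts[4];   //DestIP
            msg[3] = msgParts[5];   //ContentType
            msg[4] = msgParts[7];   //URL
            msg[5] = msgParts[10];  //Action
            msg[6] = msgParts[11];  //Reason
            msg[7] = msgParts[13];  //FormatVersion
            msg[8] = msgParts[14];  //MatchFlag
            msg[9] = msgParts[15];  //TQFlag
            msg[10] = msgParts[16]; //ActionType
            msg[11] = msgParts[17]; //SrcType
            msg[12] = srcDetail;    //SrcDetail
            msg[13] = msgParts[19 + srcDetailPartsCount];   //DestType
            msg[14] = msgParts[21 + srcDetailPartsCount];   //SpyType
            msg[15] = msgParts[24 + srcDetailPartsCount];   //MatchedPart
            msg[16] = msgParts[25 + srcDetailPartsCount];   //MatchedCategory
            msg[17] = userInfoToken.Substring(colon + 1, userInfoLength);  //UserInfo

            return msg;
        }

        /// <summary>
        /// Removes every '(' and ')' from <paramref name="value"/>.
        /// </summary>
        /// <param name="value">The token text to clean.</param>
        /// <returns>The text without parentheses.</returns>
        private static string StripParentheses(string value)
        {
            return value.Replace("(", string.Empty).Replace(")", string.Empty);
        }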
 /// <summary>
 /// Relays a received message to the subscribers of <c>OnServerMessageReceived</c>, if any.
 /// </summary>
 /// <param name="message">The message to relay.</param>
 protected override void OnMessageReceived(SyslogMessage message)
 {
     // Copy the delegate to a local before testing and invoking it.
     var handler = OnServerMessageReceived;
     if (handler != null)
     {
         handler(message);
     }
 }
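        /// <summary>
        /// Parses the <see cref="SyslogMessage"/> into its individual data fields.
        /// </summary>
        /// <remarks>
        /// Only records whose header NAME group is "SCAN" are parsed; SEND, RECV and any other record type
        /// yield <see langword="null"/>. <c>Match.Groups.Count</c> is at least 1 even when the match fails
        /// (group 0 always exists), so the previous <c>Groups.Count &gt; 0</c> test never rejected
        /// unmatched input; <see cref="Match.Success"/> is checked instead.
        /// </remarks>
        /// <param name="message">The <see cref="SyslogMessage"/> to process.</param>
        /// <returns>A 13-element array of parsed fields, or <see langword="null"/> if the message is missing, does not match the header pattern, or is not a SCAN record.</returns>
        string[] IParser.Parse(SyslogMessage message)
        {
            if (message == null || message.Message == null)
            {
                return null;
            }

            Match headerMatches = headerRegex.Match(message.Message);
            if (!headerMatches.Success)
            {
                return null;
            }

            // Only SCAN records carry the fields stored here.
            if (headerMatches.Groups["NAME"].Value != "SCAN")
            {
                return null;
            }

            // NOTE(review): the INFO sub-match's Success is not checked (it was not before either); a SCAN
            // header whose INFO part does not match scanRegex produces empty fields and SCORE "0".
            // Confirm whether such records should be rejected instead.
            Match scanMatches = scanRegex.Match(headerMatches.Groups["INFO"].Value);

            string[] msgParts = new string[13];

            msgParts[0] = message.Timestamp.ToString();  //MsgDateTime

            //Header info
            msgParts[1] = headerMatches.Groups["IP"].Value;
            msgParts[2] = headerMatches.Groups["ID"].Value;
            msgParts[3] = headerMatches.Groups["START_TIME"].Value;
            msgParts[4] = headerMatches.Groups["END_TIME"].Value;

            //Scan info
            msgParts[5] = scanMatches.Groups["ENCRYPTION"].Value;
            msgParts[6] = scanMatches.Groups["SENDER"].Value;
            msgParts[7] = scanMatches.Groups["RECIPIENT"].Value;

            // A "-" score is stored as "0" (the original convention for "no score").
            string score = scanMatches.Groups["SCORE"].Value;
            msgParts[8] = score != "-" ? score : "0";

            msgParts[9] = scanMatches.Groups["ACTION"].Value;
            msgParts[10] = scanMatches.Groups["REASON"].Value;
            msgParts[11] = scanMatches.Groups["REASON_EXTRA"].Value;
            msgParts[12] = scanMatches.Groups["SUBJECT"].Value;

            return msgParts;
        }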
 /// <summary>
 /// Shows a received syslog message as the first row of the grid.
 /// </summary>
 /// <param name="e">The received message; a null message is ignored.</param>
 private void ListenerMessageReceived(SyslogMessage e)
 {
     if (e == null)
     {
         return;
     }

     // Newest message on top: insert at row index 0 (date, time, host, text).
     dataGridView1.Rows.Insert(
         0,
         e.Timestamp.ToShortDateString(),
         e.Timestamp.ToShortTimeString(),
         e.Hostname,
         e.Message);
 }
 /// <summary>
 /// Receives a message from the listener and marshals it onto the form's thread.
 /// </summary>
 /// <param name="message">The message that was received.</param>
 void MessageReceivedSink_OnServerMessageReceived(SyslogMessage message)
 {
     // A disposed form has no UI thread to marshal to: drop the message.
     if (IsDisposed)
     {
         return;
     }

     // Disposal in progress: disconnect the client instead of invoking on a dying form.
     if (Disposing)
     {
         client.Disconnect();
         return;
     }

     // Use Invoke to ensure that the event is fired on the forms thread.
     Invoke(new HandleMessageReceived(Listener_MessageReceived), message);
 }
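        /// <summary>
        /// Processes a message received event: completes the pending receive, hands the datagram to
        /// <see cref="HandleReceivedDatagram"/>, and re-arms the socket for the next one.
        /// </summary>
        /// <remarks>
        /// All per-packet work runs inside a catch-all so that a malformed datagram cannot escape this
        /// callback as an unhandled exception, which would leave no receive operation pending (the
        /// previous version could throw, e.g. from <c>int.Parse</c> on a non-numeric timestamp field or
        /// from <c>Regex.Match</c> on a null packet, outside any try block). The only path that does not
        /// re-arm the socket is the one where <c>socket</c> has already been cleared by a shutdown.
        /// </remarks>
        /// <param name="result">The result of a receive event.</param>
        private void ReceiveCallback(IAsyncResult result)
        {
            // get a reference to the socket on which the message was received
            Socket sock = (Socket)result.AsyncState;

            EndPoint ep = null;
            IPEndPoint remoteEP = null;

            // variable to store received data length
            int inlen;

            remoteEndpoint = new IPEndPoint(IPAddress.Any, 0);

            // Gather information about the message and the sender
            try
            {
                ep = (EndPoint)remoteEndpoint;
                inlen = sock.EndReceiveFrom(result, ref ep);
                remoteEP = (IPEndPoint)ep;
            }
            catch (Exception ex)
            {
                // only post messages if class socket reference is not null
                // in all other cases, the socket has been terminated
                if (this.socket != null)
                {
                    EventLogger.LogEvent("Receive operation failed with message: " + ex.Message,
                        System.Diagnostics.EventLogEntryType.Warning);
                }
                inlen = -1;
            }

            // if socket has been closed, ignore received data and return
            if (this.socket == null) { return; }

            // check that received data is long enough; an empty or failed receive is simply skipped
            if (inlen > 0)
            {
                try
                {
                    HandleReceivedDatagram(remoteEP, ep, inlen);
                }
                catch (Exception ex)
                {
                    // A bad packet must not take the listener down: log it and keep receiving.
                    EventLogger.LogEvent("Unexpected error while processing a received packet: " + ex.Message,
                        System.Diagnostics.EventLogEntryType.Warning);
                }
            }

            // Return the socket to the listen state
            RegisterReceiveOperation();
        }

        /// <summary>
        /// Forwards the raw datagram if a forward is configured for the sender, decodes it, parses the
        /// syslog header, raises <c>MessageReceived</c>, and runs the per-sender parser and buffer.
        /// </summary>
        /// <param name="remoteEP">The sender's endpoint, as returned by the receive.</param>
        /// <param name="ep">The same endpoint as an <see cref="EndPoint"/>; its string form is the fallback hostname.</param>
        /// <param name="inlen">Number of valid bytes at the start of <c>receiveBuffer</c>.</param>
        private void HandleReceivedDatagram(IPEndPoint remoteEP, EndPoint ep, int inlen)
        {
            // The sender's address keys both the forward and the filter tables; compute it once.
            string remoteAddress = remoteEP.Address.ToString();

            // If an IP forward is defined for the source of this message, forward the message to the specified IP's
            ForwardDatagram(remoteAddress, inlen);

            // Get the human readable text of the message to process
            string packet;
            try
            {
                packet = System.Text.Encoding.ASCII.GetString(receiveBuffer, 0, inlen);
            }
            catch (Exception ex)
            {
                EventLogger.LogEvent("Could not parse packet to string because: " + ex.Message,
                        System.Diagnostics.EventLogEntryType.Warning);
                return;
            }

            if (string.IsNullOrEmpty(packet))
            {
                return;
            }

            // Run the regular expression against the message text to extract the groups.
            // Regex.Match never returns null, so Success is the test that actually rejects
            // input the pattern does not recognise (the previous "m != null" was always true).
            Match m = msgRegex.Match(packet);
            if (!m.Success)
            {
                return;
            }

            //parse PRI section into a priority value
            int pri;
            int priority = int.TryParse(m.Groups["PRI"].Value, out pri) ? pri : 0;

            //parse the HEADER section - contains TIMESTAMP and HOSTNAME
            string hostname = null;
            Nullable<DateTime> timestamp = null;

            // Get the timestamp and hostname from the header of the message
            if (!string.IsNullOrEmpty(m.Groups["HDR"].Value))
            {
                if (!string.IsNullOrEmpty(m.Groups["TIMESTAMP"].Value))
                {
                    timestamp = TryParseHeaderTimestamp(m);
                }

                if (!string.IsNullOrEmpty(m.Groups["HOSTNAME"].Value))
                {
                    hostname = m.Groups["HOSTNAME"].Value;
                }
            }

            if (!timestamp.HasValue)
            {
                //add timestamp as per RFC3164
                timestamp = DateTime.Now;
            }

            if (string.IsNullOrEmpty(hostname))
            {
                hostname = ep.ToString();
            }

            // Group.Value is never null (an unmatched group yields ""), so the MSG text is taken as-is.
            string message = m.Groups["MSG"].Value;

            try
            {
                SyslogMessage sm = new SyslogMessage(priority, timestamp.Value, hostname, message);

                // Ensure that a handler is defined for the MessageReceived event
                if (MessageReceived != null)
                {
                    MessageReceived(new MessageReceivedEventArgs(sm));
                }

                //If the message is from an IP not listed in any filter do not process it
                if (!ipFilters.ContainsKey(remoteAddress))
                {
                    return;
                }

                string[] parsedMsg = null;
                if (ipFilters[remoteAddress].ParserClassName != null)
                {
                    try
                    {
                        // Parse the message using the parser defined for IP from where the message came
                        parsedMsg = ipFilters[remoteAddress].GetParser().Parse(sm);
                    }
                    catch (Exception ex)
                    {
                        EventLogger.LogEvent("Could not get parser or parse message for ip " + remoteAddress
                            + " because: " + ex.Message, System.Diagnostics.EventLogEntryType.Warning);
                    }
                }

                // Add the message to the LogBuffer if a storage Class is defined and message was parsed successfully.
                if (parsedMsg != null && buffer != null && ipFilters[remoteAddress].StorerClassName != null)
                {
                    buffer.AddEntry(ipFilters[remoteAddress].AssemblyName, parsedMsg);
                }
            }
            catch (Exception ex)
            {
                EventLogger.LogEvent("Could not create new SyslogMessage because: " + ex.Message,
                System.Diagnostics.EventLogEntryType.Warning);
            }
        }

        /// <summary>
        /// Sends a copy of the received datagram to each forward address configured for the sender.
        /// </summary>
        /// <remarks>
        /// The destination port is fixed at 514, as in the original code. A forward address that does not
        /// parse is logged and skipped instead of aborting the whole callback.
        /// </remarks>
        /// <param name="remoteAddress">The sender's IP address in string form (the forward-table key).</param>
        /// <param name="inlen">Number of valid bytes at the start of <c>receiveBuffer</c>.</param>
        private void ForwardDatagram(string remoteAddress, int inlen)
        {
            if (this.socket == null || !ipForwards.ContainsKey(remoteAddress))
            {
                return;
            }

            foreach (string ipAddress in ipForwards[remoteAddress])
            {
                IPAddress target;
                if (!IPAddress.TryParse(ipAddress, out target))
                {
                    EventLogger.LogEvent("Invalid forward address '" + ipAddress + "' configured for ip " + remoteAddress,
                        System.Diagnostics.EventLogEntryType.Warning);
                    continue;
                }

                // Each send gets its own copy because receiveBuffer is reused by the next receive.
                byte[] sendBuffer = new byte[inlen];
                Array.Copy(this.receiveBuffer, sendBuffer, inlen);

                this.sendSocket.BeginSendTo(sendBuffer, 0, inlen, SocketFlags.None,
                   new IPEndPoint(target, 514), new AsyncCallback(SendCallback), sendSocket);
            }
        }

        /// <summary>
        /// Builds a <see cref="DateTime"/> from the MMM/DD/HH/MM/SS header groups. The current year is
        /// used because RFC 3164 timestamps carry none.
        /// </summary>
        /// <param name="m">The successful header match.</param>
        /// <returns>The timestamp, or <see langword="null"/> when a field is non-numeric, out of range, or does not form a valid date.</returns>
        private Nullable<DateTime> TryParseHeaderTimestamp(Match m)
        {
            try
            {
                return new DateTime(
                  DateTime.Now.Year,
                  MonthNumber(m.Groups["MMM"].Value),
                  int.Parse(m.Groups["DD"].Value, System.Globalization.CultureInfo.InvariantCulture),
                  int.Parse(m.Groups["HH"].Value, System.Globalization.CultureInfo.InvariantCulture),
                  int.Parse(m.Groups["MM"].Value, System.Globalization.CultureInfo.InvariantCulture),
                  int.Parse(m.Groups["SS"].Value, System.Globalization.CultureInfo.InvariantCulture)
                  );
            }
            catch (ArgumentException)
            {
                //Ignore bad timestamp args (e.g. an impossible day for the month).
                return null;
            }
            catch (FormatException)
            {
                // A captured field was not numeric; fall back to the receive time.
                return null;
            }
            catch (OverflowException)
            {
                // A captured field was too large for an int; fall back to the receive time.
                return null;
            }
        }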
 /// <summary>
 /// Creates a new instance of the MessageReceivedEventArgs class wrapping the given message.
 /// </summary>
 /// <param name="sm">The <see cref="SyslogMessage"/> of the event; stored as-is, no null check is performed.</param>
 public MessageReceivedEventArgs(SyslogMessage sm)
 {
     // The parameterless EventArgs constructor runs implicitly; only the message needs storing.
     syslogMessage = sm;
 }
 /// <summary>
 /// Creates a new instance of the MessageReceivedEventArgs class wrapping the given message.
 /// </summary>
 /// <param name="sm">The <see cref="SyslogMessage"/> of the event; stored as-is, no null check is performed.</param>
 public MessageReceivedEventArgs(SyslogMessage sm)
 {
     // The parameterless EventArgs constructor runs implicitly; only the message needs storing.
     syslogMessage = sm;
 }
 /// <summary>
 /// Creates a new instance of the MessageReceivedEventArgs class wrapping the given message.
 /// </summary>
 /// <param name="sm">The <see cref="SyslogMessage"/> of the event; stored as-is, no null check is performed.</param>
 public MessageReceivedEventArgs(SyslogMessage sm)
     : base()
 {
     this._syslogMessage = sm;
 }
 /// <summary>
 /// Creates a new instance of the MessageReceivedEventArgs class wrapping the given message.
 /// </summary>
 /// <param name="sm">The <see cref="SyslogMessage"/> of the event; stored as-is, no null check is performed.</param>
 public MessageReceivedEventArgs(SyslogMessage sm)
     : base()
 {
     this._syslogMessage = sm;
 }
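        /// <summary>
        /// Processes a message received event: completes the pending receive, hands the datagram to
        /// <see cref="HandleReceivedDatagram"/>, and re-arms the socket for the next one.
        /// </summary>
        /// <remarks>
        /// All per-packet work runs inside a catch-all so that a malformed datagram cannot escape this
        /// callback as an unhandled exception, which would leave no receive operation pending (the
        /// previous version could throw, e.g. from <c>int.Parse</c> on a non-numeric timestamp field or
        /// from <c>Regex.Match</c> on a null packet, outside any try block). The only path that does not
        /// re-arm the socket is the one where <c>_socket</c> has already been cleared by a shutdown.
        /// </remarks>
        /// <param name="result">The result of a receive event.</param>
        private void ReceiveCallback(IAsyncResult result)
        {
            Trace.WriteLine("Receive callback");

            // get a reference to the socket on which the message was received
            Socket sock = (Socket)result.AsyncState;

            EndPoint   ep       = null;
            IPEndPoint remoteEp = null;

            // variable to store received data length
            int inlen;

            _remoteEndpoint = new IPEndPoint(IPAddress.Any, 0);

            // Gather information about the message and the sender
            try
            {
                ep       = _remoteEndpoint;
                inlen    = sock.EndReceiveFrom(result, ref ep);
                remoteEp = (IPEndPoint)ep;
            }
            catch (Exception ex)
            {
                // only post messages if class socket reference is not null
                // in all other cases, the socket has been terminated
                if (_socket != null)
                {
                    EventLogger.LogEvent("Receive operation failed with message: " + ex.Message,
                                         System.Diagnostics.EventLogEntryType.Warning);
                }
                inlen = -1;
            }

            // if socket has been closed, ignore received data and return
            if (_socket == null)
            {
                return;
            }

            // check that received data is long enough; an empty or failed receive is simply skipped
            if (inlen > 0)
            {
                try
                {
                    HandleReceivedDatagram(remoteEp, ep, inlen);
                }
                catch (Exception ex)
                {
                    // A bad packet must not take the listener down: log it and keep receiving.
                    EventLogger.LogEvent("Unexpected error while processing a received packet: " + ex.Message,
                                         System.Diagnostics.EventLogEntryType.Warning);
                }
            }

            // Return the socket to the listen state
            RegisterReceiveOperation();
        }

        /// <summary>
        /// Forwards the raw datagram if a forward is configured for the sender, decodes it, parses the
        /// syslog header, raises <c>MessageReceived</c>, and runs the per-sender parser and buffer.
        /// </summary>
        /// <param name="remoteEp">The sender's endpoint, as returned by the receive.</param>
        /// <param name="ep">The same endpoint as an <see cref="EndPoint"/>; its string form is the fallback hostname.</param>
        /// <param name="inlen">Number of valid bytes at the start of <c>_receiveBuffer</c>.</param>
        private void HandleReceivedDatagram(IPEndPoint remoteEp, EndPoint ep, int inlen)
        {
            // The sender's address keys both the forward and the filter tables; compute it once.
            string remoteAddress = remoteEp.Address.ToString();

            // If an IP forward is defined for the source of this message, forward the message to the specified IP's
            ForwardDatagram(remoteAddress, inlen);

            // Get the human readable text of the message to process
            string packet;
            try
            {
                packet = System.Text.Encoding.ASCII.GetString(_receiveBuffer, 0, inlen);
            }
            catch (Exception ex)
            {
                EventLogger.LogEvent("Could not parse packet to string because: " + ex.Message,
                                     System.Diagnostics.EventLogEntryType.Warning);
                return;
            }

            if (string.IsNullOrEmpty(packet))
            {
                return;
            }

            // Run the regular expression against the message text to extract the groups.
            // Regex.Match never returns null, so Success is the test that actually rejects
            // input the pattern does not recognise (the previous "m != null" was always true).
            var m = _msgRegex.Match(packet);
            if (!m.Success)
            {
                Trace.WriteLine("Packet rejected - no regex match");
                return;
            }

            //parse PRI section into a priority value
            int pri;
            var priority = int.TryParse(m.Groups["PRI"].Value, out pri) ? pri : 0;

            //parse the HEADER section - contains TIMESTAMP and HOSTNAME
            string    hostname  = null;
            DateTime? timestamp = null;

            // Get the timestamp and hostname from the header of the message
            if (!string.IsNullOrEmpty(m.Groups["HDR"].Value))
            {
                if (!string.IsNullOrEmpty(m.Groups["TIMESTAMP"].Value))
                {
                    timestamp = TryParseHeaderTimestamp(m);
                }

                if (!string.IsNullOrEmpty(m.Groups["HOSTNAME"].Value))
                {
                    hostname = m.Groups["HOSTNAME"].Value;
                }
            }

            if (!timestamp.HasValue)
            {
                //add timestamp as per RFC3164
                timestamp = DateTime.Now;
            }

            if (string.IsNullOrEmpty(hostname))
            {
                hostname = ep.ToString();
            }

            // Group.Value is never null (an unmatched group yields ""), so the MSG text is taken as-is.
            var message = m.Groups["MSG"].Value;

            try
            {
                var sm = new SyslogMessage(priority, timestamp.Value, hostname, message);

                // Ensure that a handler is defined for the MessageReceived event
                if (MessageReceived != null)
                {
                    Trace.WriteLine("Calling MessageReceived event");
                    MessageReceived(new MessageReceivedEventArgs(sm));
                }

                //If the message is from an IP not listed in any filter do not process it
                if (!_ipFilters.ContainsKey(remoteAddress))
                {
                    Trace.WriteLine("Remote IP not listed in filter");
                    return;
                }

                var filter = _ipFilters[remoteAddress];

                string[] parsedMsg = null;
                if (filter.ParserClassName != null)
                {
                    try
                    {
                        // Parse the message using the parser defined for IP from where the message came
                        parsedMsg = filter.GetParser().Parse(sm);
                    }
                    catch (Exception ex)
                    {
                        EventLogger.LogEvent("Could not get parser or parse message for ip " + remoteAddress
                                             + " because: " + ex.Message, System.Diagnostics.EventLogEntryType.Warning);
                    }
                }

                // Add the message to the LogBuffer if a storage Class is defined and message was parsed successfully.
                if (parsedMsg != null && _buffer != null && filter.StorerClassName != null)
                {
                    Trace.WriteLine("Adding message to buffer");
                    _buffer.AddEntry(filter.AssemblyName, parsedMsg);
                }
            }
            catch (Exception ex)
            {
                EventLogger.LogEvent("Could not create new SyslogMessage because: " + ex.Message,
                                     System.Diagnostics.EventLogEntryType.Warning);
            }
        }

        /// <summary>
        /// Sends a copy of the received datagram to each forward address configured for the sender.
        /// </summary>
        /// <remarks>
        /// The destination port is fixed at 514, as in the original code. A forward address that does not
        /// parse is logged and skipped instead of aborting the whole callback.
        /// </remarks>
        /// <param name="remoteAddress">The sender's IP address in string form (the forward-table key).</param>
        /// <param name="inlen">Number of valid bytes at the start of <c>_receiveBuffer</c>.</param>
        private void ForwardDatagram(string remoteAddress, int inlen)
        {
            if (_socket == null || !_ipForwards.ContainsKey(remoteAddress))
            {
                return;
            }

            foreach (string ipAddress in _ipForwards[remoteAddress])
            {
                IPAddress target;
                if (!IPAddress.TryParse(ipAddress, out target))
                {
                    EventLogger.LogEvent("Invalid forward address '" + ipAddress + "' configured for ip " + remoteAddress,
                                         System.Diagnostics.EventLogEntryType.Warning);
                    continue;
                }

                // Each send gets its own copy because _receiveBuffer is reused by the next receive.
                var sendBuffer = new byte[inlen];
                Array.Copy(_receiveBuffer, sendBuffer, inlen);

                _sendSocket.BeginSendTo(sendBuffer, 0, inlen, SocketFlags.None,
                                        new IPEndPoint(target, 514), new AsyncCallback(SendCallback), _sendSocket);
            }
        }

        /// <summary>
        /// Builds a <see cref="DateTime"/> from the MMM/DD/HH/MM/SS header groups. The current year is
        /// used because RFC 3164 timestamps carry none.
        /// </summary>
        /// <param name="m">The successful header match.</param>
        /// <returns>The timestamp, or <see langword="null"/> when a field is non-numeric, out of range, or does not form a valid date.</returns>
        private DateTime? TryParseHeaderTimestamp(Match m)
        {
            try
            {
                return new DateTime(
                    DateTime.Now.Year,
                    MonthNumber(m.Groups["MMM"].Value),
                    int.Parse(m.Groups["DD"].Value, System.Globalization.CultureInfo.InvariantCulture),
                    int.Parse(m.Groups["HH"].Value, System.Globalization.CultureInfo.InvariantCulture),
                    int.Parse(m.Groups["MM"].Value, System.Globalization.CultureInfo.InvariantCulture),
                    int.Parse(m.Groups["SS"].Value, System.Globalization.CultureInfo.InvariantCulture)
                    );
            }
            catch (ArgumentException)
            {
                //Ignore bad timestamp args (e.g. an impossible day for the month).
                return null;
            }
            catch (FormatException)
            {
                // A captured field was not numeric; fall back to the receive time.
                return null;
            }
            catch (OverflowException)
            {
                // A captured field was too large for an int; fall back to the receive time.
                return null;
            }
        }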
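        /// <summary>
        /// Parses the <see cref="SyslogMessage"/> into its individual data fields.
        /// </summary>
        /// <remarks>
        /// Current behaviour: the message text is split on single spaces and the raw tokens are returned
        /// unchanged — no positional field extraction is performed. The message is also echoed to the
        /// console; that is a debugging aid which writes untrusted syslog content straight to stdout and
        /// should be removed (or routed through the event log) before this parser is used in production.
        /// The unreachable code and unassigned local that followed the return have been removed.
        /// </remarks>
        /// <param name="message">The <see cref="SyslogMessage"/> to process.</param>
        /// <returns>The space-separated tokens of the message text, or <see langword="null"/> if the message or its text is missing.</returns>
        public string[] Parse(SyslogMessage message)
        {
            if (message == null || message.Message == null)
            {
                return null;
            }

            var msgParts = message.Message.Split(' ');

            // TODO(review): debug trace of untrusted input; remove before production use.
            Console.WriteLine(message.Message);

            return msgParts;
        }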