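/// <summary>
/// Parses a <see cref="SyslogMessage"/> into the five fields this parser extracts:
/// the message timestamp in UTC, then capture group 1 of the src, dst, sent and
/// rcvd regexes applied to the message text.
/// </summary>
/// <param name="message">The message to parse; may be <see langword="null"/>.</param>
/// <returns>
/// A five-element array, or <see langword="null"/> when the message is missing or
/// blank, or when it does not match both the type and the subtype regex. A field
/// regex that does not match yields an empty string for that field, not an error.
/// </returns>
public string[] Parse(SyslogMessage message)
{
    Trace.WriteLine("Parsing message");

    // NOTE(review): the lock serialises every call on the shared regex instance;
    // Regex matching itself is thread-safe, so the lock only matters if other code
    // mutates shared state while parsing — confirm before removing it.
    lock (typeRegex)
    {
        if (message == null || string.IsNullOrWhiteSpace(message.Message))
        {
            Trace.WriteLine("Empty message");
            return null;
        }

        // Is this an interesting message? Both the type and the subtype regex must hit.
        if (!typeRegex.IsMatch(message.Message) || !subtypeRegex.IsMatch(message.Message))
        {
            Trace.WriteLine("Message rejected - no regex match");
            return null;
        }

        string text = message.Message;
        string[] result = new string[5];

        // The timestamp is stored as machine-readable data, so it is formatted with
        // the invariant culture; the host's locale or default calendar must not
        // change what gets written.
        result[0] = message.Timestamp.ToUniversalTime().ToString(
            "yyyy-MM-dd HH:mm:ss", System.Globalization.CultureInfo.InvariantCulture);
        result[1] = srcRegex.Match(text).Groups[1].Value;
        result[2] = dstRegex.Match(text).Groups[1].Value;
        result[3] = sentRegex.Match(text).Groups[1].Value;
        result[4] = rcvdRegex.Match(text).Groups[1].Value;

        Trace.WriteLine("Message parsed");
        return result;
    }
}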
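/// <summary>
/// Parses the <see cref="SyslogMessage"/> into its individual data fields.
/// </summary>
/// <remarks>
/// The message text is split on single spaces and fields are picked by position.
/// The SrcDetail field (index 12) may span several tokens: it is collected from
/// token 18 until a token containing ')' is seen, and every later field position is
/// shifted by the number of extra tokens consumed. A message that is too short for
/// any position it needs yields <see langword="null"/> instead of throwing, which is
/// what the documented contract promises.
/// </remarks>
/// <param name="message">The <see cref="SyslogMessage"/> to process.</param>
/// <returns>
/// An 18-element array of parsed fields, or <see langword="null"/> if the message is
/// missing or too short to be parsed.
/// </returns>
string[] IParser.Parse(SyslogMessage message)
{
    if (message == null || message.Message == null)
    {
        return null;
    }

    string[] msgParts = message.Message.Split(' ');

    // Position 26 (+ the SrcDetail overflow) is the highest token read below, so the
    // former ">= 26" check was one short and a 26-token message threw
    // IndexOutOfRangeException. Guard the fixed positions here and re-check once the
    // SrcDetail width is known.
    if (msgParts.Length < 27)
    {
        return null;
    }

    string[] msg = new string[18];
    // NOTE(review): culture-sensitive formatting; downstream storers may depend on
    // the current format, so it is left unchanged here.
    msg[0] = message.Timestamp.ToString(); //MsgDateTime
    msg[1] = msgParts[3];   //SourceIP
    msg[2] = msgParts[4];   //DestIP
    msg[3] = msgParts[5];   //ContentType
    msg[4] = msgParts[7];   //URL
    msg[5] = msgParts[10];  //Action
    msg[6] = msgParts[11];  //Reason
    msg[7] = msgParts[13];  //FormatVersion
    msg[8] = msgParts[14];  //MatchFlag
    msg[9] = msgParts[15];  //TQFlag
    msg[10] = msgParts[16]; //ActionType
    msg[11] = msgParts[17]; //SrcType

    //SrcDetail
    int srcDetailPartsCount;
    if (msgParts[18].Contains("(") && msgParts[18].Contains(")"))
    {
        // Single-token detail such as "(value)": strip the parentheses.
        srcDetailPartsCount = 0;
        msg[12] = msgParts[18].Replace("(", string.Empty).Replace(")", string.Empty);
    }
    else
    {
        // Multi-token detail: join tokens until the one holding the closing ')'.
        srcDetailPartsCount = -1;
        do
        {
            srcDetailPartsCount++;
            if (18 + srcDetailPartsCount >= msgParts.Length)
            {
                // No closing ')' before the end of the message.
                return null;
            }
            msg[12] += msgParts[18 + srcDetailPartsCount] + " ";
        } while (!msgParts[18 + srcDetailPartsCount].Contains(")"));

        msg[12] = msg[12].TrimEnd(' ');
        msg[12] = msg[12].Replace("(", string.Empty).Replace(")", string.Empty);
        // Keep only the text after the first ':' (the whole string when there is none).
        msg[12] = msg[12].Substring(msg[12].IndexOf(':') + 1, msg[12].Length - 1 - msg[12].IndexOf(':'));
    }

    // The remaining positions shift by the number of extra SrcDetail tokens.
    if (26 + srcDetailPartsCount >= msgParts.Length)
    {
        return null;
    }

    msg[13] = msgParts[19 + srcDetailPartsCount]; //DestType
    msg[14] = msgParts[21 + srcDetailPartsCount]; //SpyType
    msg[15] = msgParts[24 + srcDetailPartsCount]; //MatchedPart
    msg[16] = msgParts[25 + srcDetailPartsCount]; //MatchedCategory

    //UserInfo: the text after the first ':' with the final character dropped.
    // NOTE(review): the extra "- 1" drops the token's last character, unlike the
    // SrcDetail extraction above — confirm against a sample message whether that is
    // a trailing delimiter or an off-by-one.
    string userInfo = msgParts[26 + srcDetailPartsCount];
    int colon = userInfo.IndexOf(':');
    int userInfoLength = userInfo.Length - 1 - colon - 1;
    if (userInfoLength < 0)
    {
        // Empty token, or ':' is its last character: nothing to extract.
        return null;
    }
    msg[17] = userInfo.Substring(colon + 1, userInfoLength);

    return msg;
}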
/// <summary>
/// Relays a message received by the base listener to the subscribers of
/// <c>OnServerMessageReceived</c>; does nothing when no handler is attached.
/// </summary>
/// <param name="message">The received syslog message, passed through unchanged.</param>
protected override void OnMessageReceived(SyslogMessage message)
{
    var handler = OnServerMessageReceived;
    if (handler == null)
    {
        return;
    }

    handler(message);
}
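/// <summary>
/// Parses the <see cref="SyslogMessage"/> into its individual data fields.
/// </summary>
/// <remarks>
/// Only records whose header NAME group is "SCAN" are handled; "SEND", "RECV" and
/// any other record type are rejected. A SCORE of "-" is stored as "0".
/// </remarks>
/// <param name="message">The <see cref="SyslogMessage"/> to process.</param>
/// <returns>
/// A 13-element array of parsed fields, or <see langword="null"/> if the message is
/// missing, does not match the header regex, or is not a SCAN record.
/// </returns>
string[] IParser.Parse(SyslogMessage message)
{
    if (message == null || message.Message == null)
    {
        return null;
    }

    // The former test, Groups.Count > 0, is true even for a failed match (group 0
    // always exists); Success is the real "did the header match" test. A failed
    // match used to fall through to the switch default and return null, so the
    // outcome is unchanged but now explicit.
    Match headerMatches = headerRegex.Match(message.Message);
    if (!headerMatches.Success)
    {
        return null;
    }

    if (headerMatches.Groups["NAME"].Value != "SCAN")
    {
        // SEND, RECV and unknown record types are not parsed.
        return null;
    }

    Match scanMatches = scanRegex.Match(headerMatches.Groups["INFO"].Value);
    // NOTE(review): scanMatches.Success is not checked; when the INFO part does not
    // match, every scan field below is an empty string (SCORE included), which is
    // the existing behaviour — decide whether such records should be rejected.

    string[] msgParts = new string[13];
    msgParts[0] = message.Timestamp.ToString(); //MsgDateTime

    //Header info
    msgParts[1] = headerMatches.Groups["IP"].Value;
    msgParts[2] = headerMatches.Groups["ID"].Value;
    msgParts[3] = headerMatches.Groups["START_TIME"].Value;
    msgParts[4] = headerMatches.Groups["END_TIME"].Value;

    //Scan info
    msgParts[5] = scanMatches.Groups["ENCRYPTION"].Value;
    msgParts[6] = scanMatches.Groups["SENDER"].Value;
    msgParts[7] = scanMatches.Groups["RECIPIENT"].Value;
    // "-" means no score was assigned; store it as a numeric zero.
    string score = scanMatches.Groups["SCORE"].Value;
    msgParts[8] = score != "-" ? score : "0";
    msgParts[9] = scanMatches.Groups["ACTION"].Value;
    msgParts[10] = scanMatches.Groups["REASON"].Value;
    msgParts[11] = scanMatches.Groups["REASON_EXTRA"].Value;
    msgParts[12] = scanMatches.Groups["SUBJECT"].Value;

    return msgParts;
}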
/// <summary>
/// Handler for messages coming from the listener: prepends the message to the grid
/// as short date, short time, hostname and message text. A null message is ignored.
/// </summary>
/// <param name="e">The received syslog message, or <see langword="null"/>.</param>
private void ListenerMessageReceived(SyslogMessage e)
{
    if (e == null)
    {
        return;
    }

    // Row 0 so the newest message shows at the top of the grid.
    var when = e.Timestamp;
    dataGridView1.Rows.Insert(0, when.ToShortDateString(), when.ToShortTimeString(), e.Hostname, e.Message);
}
/// <summary>
/// Sink for the listener's message event. Marshals the message onto the form's UI
/// thread with <c>Invoke</c>; if the form is already disposing it disconnects the
/// client instead, and once the form is fully disposed it does nothing at all.
/// </summary>
/// <param name="message">The received syslog message.</param>
void MessageReceivedSink_OnServerMessageReceived(SyslogMessage message)
{
    if (IsDisposed)
    {
        return;
    }

    if (Disposing)
    {
        // The form is going away: stop receiving rather than touch its controls.
        client.Disconnect();
        return;
    }

    // Control updates must happen on the thread that owns the form.
    Invoke(new HandleMessageReceived(Listener_MessageReceived), message);
}
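/// <summary>
/// Processes a message received event.
/// </summary>
/// <remarks>
/// Completion callback for the outstanding <c>BeginReceiveFrom</c>. The datagram in
/// <c>receiveBuffer</c> is (1) forwarded as raw bytes to every address configured in
/// <c>ipForwards</c> for the sender, (2) decoded as ASCII and matched against
/// <c>msgRegex</c> to pull out the PRI, HEADER (TIMESTAMP, HOSTNAME) and MSG
/// sections, (3) raised through <c>MessageReceived</c>, and (4) if the sender is in
/// <c>ipFilters</c>, handed to that entry's parser and stored in <c>buffer</c>.
/// <see cref="RegisterReceiveOperation"/> re-arms the socket on every path except
/// when the listener socket has already been closed.
/// Everything in the packet is untrusted network input; nothing derived from it may
/// throw out of this callback, since an unhandled exception on the completion
/// thread terminates the process.
/// </remarks>
/// <param name="result">The result of a receive event.</param>
private void ReceiveCallback(IAsyncResult result)
{
    // get a reference to the socket on which the message was received
    Socket sock = (Socket)result.AsyncState;
    EndPoint ep = null;
    IPEndPoint remoteEP = null;
    // variable to store received data length
    int inlen;
    remoteEndpoint = new IPEndPoint(IPAddress.Any, 0);

    // Gather information about the message and the sender
    try
    {
        ep = (EndPoint)remoteEndpoint;
        inlen = sock.EndReceiveFrom(result, ref ep);
        remoteEP = (IPEndPoint)ep;
    }
    catch (Exception ex)
    {
        // only post messages if class socket reference is not null
        // in all other cases, the socket has been terminated
        if (this.socket != null)
        {
            EventLogger.LogEvent("Receive operation failed with message: " + ex.Message, System.Diagnostics.EventLogEntryType.Warning);
        }
        inlen = -1;
    }

    // if socket has been closed, ignore received data and return
    if (this.socket == null)
    {
        return;
    }

    // check that received data is long enough
    if (inlen <= 0)
    {
        // request next packet
        RegisterReceiveOperation();
        return;
    }

    // The sender's address is the key into both the forward and the filter tables.
    string senderAddress = remoteEP.Address.ToString();

    // If an IP forward is defined for the source of this message, forward the raw
    // datagram to the specified IP's. Only the inlen bytes actually received are
    // copied; the sends never write to the buffer, so one copy can back all of them.
    if (ipForwards.ContainsKey(senderAddress))
    {
        // Re-checked: the socket may be closed concurrently by a shutdown.
        if (this.socket != null)
        {
            byte[] sendBuffer = new byte[inlen];
            Array.Copy(this.receiveBuffer, 0, sendBuffer, 0, inlen);
            foreach (string ipAddress in ipForwards[senderAddress])
            {
                this.sendSocket.BeginSendTo(sendBuffer, 0, inlen, SocketFlags.None, new IPEndPoint(IPAddress.Parse(ipAddress), 514), new AsyncCallback(SendCallback), sendSocket);
            }
        }
    }

    string packet = null;
    // Get the human readable text of the message to process
    // NOTE(review): ASCII decoding turns any non-ASCII byte into '?'; left as-is so
    // stored output does not change, but RFC 5424 senders may emit UTF-8.
    try
    {
        packet = System.Text.Encoding.ASCII.GetString(receiveBuffer, 0, inlen);
    }
    catch (Exception ex)
    {
        EventLogger.LogEvent("Could not parse packet to string because: " + ex.Message, System.Diagnostics.EventLogEntryType.Warning);
    }

    // Nothing to match against. This check used to come after the regex call, where
    // a null packet would have thrown and left the socket un-armed.
    if (string.IsNullOrEmpty(packet))
    {
        RegisterReceiveOperation();
        return;
    }

    // Run the regular expression against the message text to extract the groups
    // NOTE(review): Regex.Match never returns null, so the former "m != null" test did
    // not reject non-matching packets; m.Success is deliberately not checked here
    // either, to keep the RFC 3164 fallback (no header -> now, sender endpoint as
    // hostname) intact. Confirm whether non-matching packets should be dropped.
    Match m = msgRegex.Match(packet);

    //parse PRI section into a priority value; anything unparsable becomes 0
    int pri;
    int priority = int.TryParse(m.Groups["PRI"].Value, out pri) ? pri : 0;

    //parse the HEADER section - contains TIMESTAMP and HOSTNAME
    string hostname = null;
    DateTime? timestamp = null;

    // Get the timestamp and hostname from the header of the message
    if (!string.IsNullOrEmpty(m.Groups["HDR"].Value))
    {
        if (!string.IsNullOrEmpty(m.Groups["TIMESTAMP"].Value))
        {
            try
            {
                // BSD syslog timestamps carry no year; assume the current one.
                timestamp = new DateTime(
                    DateTime.Now.Year,
                    MonthNumber(m.Groups["MMM"].Value),
                    int.Parse(m.Groups["DD"].Value),
                    int.Parse(m.Groups["HH"].Value),
                    int.Parse(m.Groups["MM"].Value),
                    int.Parse(m.Groups["SS"].Value));
            }
            catch (ArgumentException)
            {
                //Ignore bad timestamp args.
            }
            catch (FormatException)
            {
                // int.Parse on a non-numeric group: use the RFC 3164 fallback below.
                // Previously this escaped the callback and could take the process down.
            }
            catch (OverflowException)
            {
                // int.Parse on an out-of-range group: same fallback.
            }
            // NOTE(review): MonthNumber's failure mode is not visible here; if it can
            // throw anything other than ArgumentException it is still unhandled.
        }

        if (!string.IsNullOrEmpty(m.Groups["HOSTNAME"].Value))
        {
            hostname = m.Groups["HOSTNAME"].Value;
        }
    }

    if (!timestamp.HasValue)
    {
        //add timestamp as per RFC3164
        timestamp = DateTime.Now;
    }

    if (string.IsNullOrEmpty(hostname))
    {
        // No HOSTNAME in the header: fall back to the sender's endpoint.
        hostname = ep.ToString();
    }

    // Group.Value is never null (empty when the group did not take part), so the
    // former null test on MSG was always true; the text is used as-is.
    string message = m.Groups["MSG"].Value;

    try
    {
        SyslogMessage sm = new SyslogMessage(priority, timestamp.Value, hostname, message);

        // Ensure that a handler is defined for the MessageReceived event
        if (MessageReceived != null)
        {
            MessageReceived(new MessageReceivedEventArgs(sm));
        }

        //If the message is from an IP not listed in any filter do not process it
        if (!ipFilters.ContainsKey(senderAddress))
        {
            RegisterReceiveOperation();
            return;
        }

        string[] parsedMsg = null;
        if (ipFilters[senderAddress].ParserClassName != null)
        {
            try
            {
                // Parse the message using the parser defined for IP from where the message came
                parsedMsg = ipFilters[senderAddress].GetParser().Parse(sm);
            }
            catch (Exception ex)
            {
                EventLogger.LogEvent("Could not get parser or parse message for ip " + senderAddress + " because: " + ex.Message, System.Diagnostics.EventLogEntryType.Warning);
            }
        }

        // Add the message to the LogBuffer if a storage Class is defined and message was parsed successfully.
        if (parsedMsg != null && buffer != null && ipFilters[senderAddress].StorerClassName != null)
        {
            buffer.AddEntry(ipFilters[senderAddress].AssemblyName, parsedMsg);
        }
    }
    catch (Exception ex)
    {
        EventLogger.LogEvent("Could not create new SyslogMessage because: " + ex.Message, System.Diagnostics.EventLogEntryType.Warning);
    }

    // Return the socket to the listen state
    RegisterReceiveOperation();
}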
/// <summary>
/// Creates a new instance of the MessageReceivedEventArgs class, wrapping the
/// message that triggered the event.
/// </summary>
/// <param name="sm">The <see cref="SyslogMessage"/> of the event; stored as given, without a null check.</param>
public MessageReceivedEventArgs(SyslogMessage sm)
{
    // The parameterless base constructor runs implicitly; the wrapped message is
    // the only state this type adds.
    syslogMessage = sm;
}
/// <summary>
/// Creates a new instance of the MessageReceivedEventArgs class, wrapping the
/// message that triggered the event.
/// </summary>
/// <param name="sm">The <see cref="SyslogMessage"/> of the event; stored as given, without a null check.</param>
public MessageReceivedEventArgs(SyslogMessage sm)
{
    // The wrapped message is the only state this type adds.
    this._syslogMessage = sm;
}
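/// <summary>
/// Processes a message received event.
/// </summary>
/// <remarks>
/// Completion callback for the outstanding <c>BeginReceiveFrom</c>. The datagram in
/// <c>_receiveBuffer</c> is (1) forwarded as raw bytes to every address configured in
/// <c>_ipForwards</c> for the sender, (2) decoded as ASCII and matched against
/// <c>_msgRegex</c> to pull out the PRI, HEADER (TIMESTAMP, HOSTNAME) and MSG
/// sections, (3) raised through <c>MessageReceived</c>, and (4) if the sender is in
/// <c>_ipFilters</c>, handed to that entry's parser and stored in <c>_buffer</c>.
/// <see cref="RegisterReceiveOperation"/> re-arms the socket on every path except
/// when the listener socket has already been closed.
/// Everything in the packet is untrusted network input; nothing derived from it may
/// throw out of this callback, since an unhandled exception on the completion
/// thread terminates the process.
/// </remarks>
/// <param name="result">The result of a receive event.</param>
private void ReceiveCallback(IAsyncResult result)
{
    Trace.WriteLine("Receive callback");

    // get a reference to the socket on which the message was received
    Socket sock = (Socket)result.AsyncState;
    EndPoint ep = null;
    IPEndPoint remoteEp = null;
    // variable to store received data length
    int inlen;
    _remoteEndpoint = new IPEndPoint(IPAddress.Any, 0);

    // Gather information about the message and the sender
    try
    {
        ep = _remoteEndpoint;
        inlen = sock.EndReceiveFrom(result, ref ep);
        remoteEp = (IPEndPoint)ep;
    }
    catch (Exception ex)
    {
        // only post messages if class socket reference is not null
        // in all other cases, the socket has been terminated
        if (_socket != null)
        {
            EventLogger.LogEvent("Receive operation failed with message: " + ex.Message, System.Diagnostics.EventLogEntryType.Warning);
        }
        inlen = -1;
    }

    // if socket has been closed, ignore received data and return
    if (_socket == null)
    {
        return;
    }

    // check that received data is long enough
    if (inlen <= 0)
    {
        // request next packet
        RegisterReceiveOperation();
        return;
    }

    // The sender's address is the key into both the forward and the filter tables.
    var senderAddress = remoteEp.Address.ToString();

    // If an IP forward is defined for the source of this message, forward the raw
    // datagram to the specified IP's. Only the inlen bytes actually received are
    // copied; the sends never write to the buffer, so one copy can back all of them.
    if (_ipForwards.ContainsKey(senderAddress))
    {
        // Re-checked: the socket may be closed concurrently by a shutdown.
        if (_socket != null)
        {
            var sendBuffer = new byte[inlen];
            Array.Copy(_receiveBuffer, 0, sendBuffer, 0, inlen);
            foreach (string ipAddress in _ipForwards[senderAddress])
            {
                _sendSocket.BeginSendTo(sendBuffer, 0, inlen, SocketFlags.None, new IPEndPoint(IPAddress.Parse(ipAddress), 514), new AsyncCallback(SendCallback), _sendSocket);
            }
        }
    }

    string packet = null;
    // Get the human readable text of the message to process
    // NOTE(review): ASCII decoding turns any non-ASCII byte into '?'; left as-is so
    // stored output does not change, but RFC 5424 senders may emit UTF-8.
    try
    {
        packet = System.Text.Encoding.ASCII.GetString(_receiveBuffer, 0, inlen);
    }
    catch (Exception ex)
    {
        EventLogger.LogEvent("Could not parse packet to string because: " + ex.Message, System.Diagnostics.EventLogEntryType.Warning);
    }

    // Nothing to match against. This check used to come after the regex call, where
    // a null packet would have thrown and left the socket un-armed.
    if (string.IsNullOrEmpty(packet))
    {
        RegisterReceiveOperation();
        return;
    }

    // Run the regular expression against the message text to extract the groups
    // NOTE(review): Regex.Match never returns null, so the former "m != null" test did
    // not reject non-matching packets; m.Success is deliberately not checked here
    // either, to keep the RFC 3164 fallback (no header -> now, sender endpoint as
    // hostname) intact. Confirm whether non-matching packets should be dropped.
    var m = _msgRegex.Match(packet);

    //parse PRI section into a priority value; anything unparsable becomes 0
    int pri;
    var priority = int.TryParse(m.Groups["PRI"].Value, out pri) ? pri : 0;

    //parse the HEADER section - contains TIMESTAMP and HOSTNAME
    string hostname = null;
    DateTime? timestamp = null;

    // Get the timestamp and hostname from the header of the message
    if (!string.IsNullOrEmpty(m.Groups["HDR"].Value))
    {
        if (!string.IsNullOrEmpty(m.Groups["TIMESTAMP"].Value))
        {
            try
            {
                // BSD syslog timestamps carry no year; assume the current one.
                timestamp = new DateTime(
                    DateTime.Now.Year,
                    MonthNumber(m.Groups["MMM"].Value),
                    int.Parse(m.Groups["DD"].Value),
                    int.Parse(m.Groups["HH"].Value),
                    int.Parse(m.Groups["MM"].Value),
                    int.Parse(m.Groups["SS"].Value));
            }
            catch (ArgumentException)
            {
                //Ignore bad timestamp args.
            }
            catch (FormatException)
            {
                // int.Parse on a non-numeric group: use the RFC 3164 fallback below.
                // Previously this escaped the callback and could take the process down.
            }
            catch (OverflowException)
            {
                // int.Parse on an out-of-range group: same fallback.
            }
            // NOTE(review): MonthNumber's failure mode is not visible here; if it can
            // throw anything other than ArgumentException it is still unhandled.
        }

        if (!string.IsNullOrEmpty(m.Groups["HOSTNAME"].Value))
        {
            hostname = m.Groups["HOSTNAME"].Value;
        }
    }

    if (!timestamp.HasValue)
    {
        //add timestamp as per RFC3164
        timestamp = DateTime.Now;
    }

    if (string.IsNullOrEmpty(hostname))
    {
        // No HOSTNAME in the header: fall back to the sender's endpoint.
        hostname = ep.ToString();
    }

    // Group.Value is never null (empty when the group did not take part), so the
    // former null test on MSG was always true; the text is used as-is.
    var message = m.Groups["MSG"].Value;

    try
    {
        var sm = new SyslogMessage(priority, timestamp.Value, hostname, message);

        // Ensure that a handler is defined for the MessageReceived event
        if (MessageReceived != null)
        {
            Trace.WriteLine("Calling MessageReceived event");
            MessageReceived(new MessageReceivedEventArgs(sm));
        }

        //If the message is from an IP not listed in any filter do not process it
        if (!_ipFilters.ContainsKey(senderAddress))
        {
            Trace.WriteLine("Remote IP not listed in filter");
            RegisterReceiveOperation();
            return;
        }

        // One lookup instead of one per property access.
        var filter = _ipFilters[senderAddress];

        string[] parsedMsg = null;
        if (filter.ParserClassName != null)
        {
            try
            {
                // Parse the message using the parser defined for IP from where the message came
                parsedMsg = filter.GetParser().Parse(sm);
            }
            catch (Exception ex)
            {
                EventLogger.LogEvent("Could not get parser or parse message for ip " + senderAddress + " because: " + ex.Message, System.Diagnostics.EventLogEntryType.Warning);
            }
        }

        // Add the message to the LogBuffer if a storage Class is defined and message was parsed successfully.
        if (parsedMsg != null && _buffer != null && filter.StorerClassName != null)
        {
            Trace.WriteLine("Adding message to buffer");
            _buffer.AddEntry(filter.AssemblyName, parsedMsg);
        }
    }
    catch (Exception ex)
    {
        EventLogger.LogEvent("Could not create new SyslogMessage because: " + ex.Message, System.Diagnostics.EventLogEntryType.Warning);
    }

    // Return the socket to the listen state
    RegisterReceiveOperation();
}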
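/// <summary>
/// Parses the <see cref="SyslogMessage"/> into its individual data fields.
/// </summary>
/// <remarks>
/// Work in progress: the positional field mapping (18 fields — MsgDateTime,
/// SourceIP, DestIP, ContentType, URL, Action, Reason, FormatVersion, MatchFlag,
/// TQFlag, ActionType, SrcType, SrcDetail, DestType, SpyType, MatchedPart,
/// MatchedCategory, UserInfo) is not implemented in this class yet. Until it is,
/// the method echoes the raw message to the console and returns the message text
/// split on single spaces, so any storer wired to this parser receives raw tokens
/// rather than the documented fields.
/// </remarks>
/// <param name="message">The <see cref="SyslogMessage"/> to process.</param>
/// <returns>
/// The message text split on ' ', or <see langword="null"/> when the message or its
/// text is missing.
/// </returns>
public string[] Parse(SyslogMessage message)
{
    if (message == null || message.Message == null)
    {
        return null;
    }

    var msgParts = message.Message.Split(' ');

    // Debug echo kept to preserve current behaviour. This is raw, unsanitised text
    // from the network being written to stdout; switch to Trace (as the other
    // parsers do) once the field mapping is in place.
    Console.WriteLine(message.Message);

    // The unreachable "return msg" and its never-assigned local are gone; the raw
    // tokens are the only output until the real mapping is written.
    return msgParts;
}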