/// <summary>
/// Forwards a received <see cref="AuditedEventDTO"/> to the configured Syslog receiver.
/// </summary>
/// <remarks>
/// Null messages are ignored, and nothing is forwarded while the kill switch is set.
/// Exceptions raised by the selected formatter or by the sender are not caught here, so they
/// propagate to the caller and the event is not forwarded.
/// </remarks>
/// <param name="message">The audited event details</param>
public override void OnAuditedEventReceived(AuditedEventDTO message)
{
    if (message == null || _killswitch)
    {
        return;
    }

    // A new sender (and so a new connection) is created for every event to avoid connection
    // management. If TCP connection establishment becomes a performance issue, switch to a
    // long-lived sender instance and re-establish the connection as needed.
    using (var sender = CreateSender())
    {
        // Operations without a registered formatter fall back to the default mapper.
        AuditMapFunc formatter;
        var hasOperationFormatter = _mapper.Formatters.TryGetValue(message.Operation, out formatter);
        if (!hasOperationFormatter)
        {
            formatter = BaseAuditCallsiteMap.DefaultActionResultMapper;
        }

        sender.Send(formatter(message), _serializer);
    }
}
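/// <summary>
/// AuditedEventDTO to SyslogMessage formatter for the Version Promotion operation family.
/// </summary>
/// <remarks>
/// Failed operations are reported at Warning severity with the raw Details text. Other events
/// parse Details as an ApplicationVersionDto and report its name, alias and stage; when that
/// parse yields no object the raw Details text is reported instead. Details that are not valid
/// JSON still make JsonConvert throw, and that exception is not caught here.
/// The detail text is event-supplied, so '\' and '=' are escaped before it is placed in the CEF
/// extension and newlines are stripped from the final message; this keeps a crafted value from
/// adding key=value pairs or extra records to the audit trail.
/// </remarks>
/// <param name="auditedEvent">The AuditedEventDTO instance to format</param>
/// <returns>SyslogMessage representation of the event, or null when the event is null</returns>
private SyslogMessage VersionPromotionFormatter(AuditedEventDTO auditedEvent)
{
    if (auditedEvent == null)
    {
        return null;
    }

    var rawDetails = auditedEvent.Details ?? string.Empty;
    var severity = Severity.Informational;
    string detail;
    if (auditedEvent.EventType == AuditEventType.OperationFailed)
    {
        severity = Severity.Warning;
        detail = rawDetails.StripNewLines() ?? string.Empty;
    }
    else
    {
        // DeserializeObject returns null for empty or literal-null JSON; do not dereference it blindly.
        var av = JsonConvert.DeserializeObject<ApplicationVersionDto>(rawDetails);
        detail = av == null ? rawDetails : $"{av.Name} ({av.Alias}) {av.Stage}";
    }

    // CEF extension escaping: backslash first, then the key/value separator.
    detail = detail.Replace("\\", "\\\\").Replace("=", "\\=");

    var message = $"CEF:0|Apprenda|CloudPlatform|{PlatformVersion}|-|{auditedEvent.Operation}|PROMO1|outcome={auditedEvent.EventTypeDescription()} {detail}";
    return new SyslogMessage(
        auditedEvent.Timestamp,
        Facility.UserLevelMessages,
        severity,
        auditedEvent.SourceIP,
        "ApprendaCloudPlatform",
        message: message.StripNewLines(),
        procId: "-",
        structuredDataElements: new StructuredDataElement[0],
        msgId: "-");
}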
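/// <summary>
/// Formatter to handle Login Failure events, emitted as a CEF message on the
/// security/authorization facility at Notice severity.
/// </summary>
/// <param name="auditedEvent">The audited event</param>
/// <returns>SyslogMessage representing the event, or null when the event is null.</returns>
private SyslogMessage LoginFailureFormatter(AuditedEventDTO auditedEvent)
{
    // Guard before reading Details; the sibling formatters return null for a null event.
    if (auditedEvent == null)
    {
        return null;
    }

    var loginDetails = FormatLoginFailureDto(auditedEvent.Details);

    // NOTE(review): loginDetails is appended to the CEF extension exactly as FormatLoginFailureDto
    // returns it, and that helper is not visible here. Login-failure details presumably carry
    // caller-supplied values, so confirm the helper escapes '\' and '=' in them; ToSyslogMessage
    // only strips newlines.
    var message = $"CEF:0|Apprenda|CloudPlatform|{PlatformVersion}|-|{auditedEvent.Operation}|CIT3|outcome={auditedEvent.EventTypeDescription()} {loginDetails}";
    return auditedEvent.ToSyslogMessage(Facility.SecurityOrAuthorizationMessages1, Severity.Notice, message);
}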
/// <summary>
/// Builds a syslog message for an audited event using the supplied facility, severity and body.
/// </summary>
/// <remarks>
/// The event's SourceIP is used as the syslog host name and its Timestamp as the message time.
/// StripNewLines is applied to the body before it is placed in the message.
/// </remarks>
/// <param name="auditedEvent">The audited event</param>
/// <param name="facility">The Syslog facility identifier</param>
/// <param name="severity">The Syslog severity identifier</param>
/// <param name="message">The message body</param>
/// <returns>Syslog message carrying the body and event details, or null when the event is null</returns>
public static SyslogMessage ToSyslogMessage(this AuditedEventDTO auditedEvent, Facility facility, Severity severity, string message)
{
    if (auditedEvent == null)
    {
        return null;
    }

    // No structured data is attached to forwarded audit events.
    var noStructuredData = new StructuredDataElement[0];

    return new SyslogMessage(
        dateTimeOffset: auditedEvent.Timestamp,
        facility: facility,
        severity: severity,
        hostName: auditedEvent.SourceIP,
        appName: "ApprendaCloudPlatform",
        message: message.StripNewLines(),
        procId: "-",
        structuredDataElements: noStructuredData,
        msgId: "-");
}
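/// <summary>
/// Formats a value-change event as "Operation Change from old to new".
/// </summary>
/// <remarks>
/// Details is parsed as a DetailsObject. A missing object or missing values are rendered as
/// empty text instead of throwing, so the event is still forwarded. Newlines are stripped from
/// both values before they are placed in the message. Details that are not valid JSON still make
/// JsonConvert throw; that exception is not caught here.
/// </remarks>
/// <param name="auditedEvent">The audited event</param>
/// <returns>SyslogMessage representing the event, or null when the event is null</returns>
private SyslogMessage ValueUpdateFormatter(AuditedEventDTO auditedEvent)
{
    if (auditedEvent == null)
    {
        return null;
    }

    // DeserializeObject returns null for empty or literal-null JSON.
    var details = JsonConvert.DeserializeObject<DetailsObject>(auditedEvent.Details ?? string.Empty);
    var originalValue = (details?.OriginalValue ?? string.Empty).StripNewLines();
    var newValue = (details?.NewValue ?? string.Empty).StripNewLines();

    var message = $"{auditedEvent.Operation} Change from {originalValue} to {newValue}";
    return FromEventDTO(auditedEvent, message);
}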
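/// <summary>
/// Formats a registry set-value event as a CEF message carrying the previous value in cs1 and
/// the new value in cs2.
/// </summary>
/// <remarks>
/// Both values are event-supplied. Newlines are stripped and '\' and '=' are escaped before the
/// values are placed in the CEF extension; without that, a value containing text such as
/// " cs2=..." would be parsed as an additional or replacement field in the audit record.
/// A missing DetailsObject or missing values are rendered as empty text instead of throwing.
/// Details that are not valid JSON still make JsonConvert throw; that exception is not caught here.
/// </remarks>
/// <param name="auditedEvent">The audited event</param>
/// <returns>SyslogMessage representing the event, or null when the event is null</returns>
private SyslogMessage RegistrySetValueDetailFormatter(AuditedEventDTO auditedEvent)
{
    if (auditedEvent == null)
    {
        return null;
    }

    // DeserializeObject returns null for empty or literal-null JSON.
    var details = JsonConvert.DeserializeObject<DetailsObject>(auditedEvent.Details ?? string.Empty);

    // CEF extension escaping: backslash first, then the key/value separator.
    var originalValue = ((details?.OriginalValue ?? string.Empty).StripNewLines() ?? string.Empty)
        .Replace("\\", "\\\\")
        .Replace("=", "\\=");
    var newValue = ((details?.NewValue ?? string.Empty).StripNewLines() ?? string.Empty)
        .Replace("\\", "\\\\")
        .Replace("=", "\\=");

    var detail = $"cs1={originalValue} cs2={newValue}";
    var message = $"CEF:0|Apprenda|CloudPlatform|{PlatformVersion}|-|{auditedEvent.Operation}|PR1|outcome={auditedEvent.EventTypeDescription()} {detail}";
    return auditedEvent.ToSyslogMessage(message);
}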
/// <summary>
/// Returns an English word describing the EventType of the provided AuditedEventDTO.
/// </summary>
/// <param name="source">An AuditedEventDTO</param>
/// <returns>
/// "Completed", "Failed" or "Starting" for the matching event types; "Unknown event state" for a
/// null event or any other event type.
/// </returns>
public static string EventTypeDescription(this AuditedEventDTO source)
{
    const string unknownState = "Unknown event state";

    if (source == null)
    {
        return unknownState;
    }

    var eventType = source.EventType;
    if (eventType == AuditEventType.OperationCompleted)
    {
        return "Completed";
    }

    if (eventType == AuditEventType.OperationFailed)
    {
        return "Failed";
    }

    if (eventType == AuditEventType.OperationStarting)
    {
        return "Starting";
    }

    return unknownState;
}
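/// <summary>
/// Formats an AuditedEventDTO that contains a ReportCard in the Details field as a CEF message.
/// </summary>
/// <remarks>
/// Details is parsed as a DetailsObject whose Details member is in turn parsed as a ReportCard.
/// When the ReportCard parse fails, the raw inner text is reported instead. The error handler
/// marks the error as handled: Json.NET rethrows a deserialization error unless
/// ErrorContext.Handled is set, so a handler that only records the fallback text never takes
/// effect and the event is lost to the exception.
/// The detail text is event-supplied, so '\' and '=' are escaped before it is placed in the CEF
/// extension; ToSyslogMessage strips newlines from the final message.
/// </remarks>
/// <param name="auditedEvent">The audited event to format</param>
/// <returns>SyslogMessage representing the provided event, or null when the event is null</returns>
protected SyslogMessage DefaultReportCardCefFormatter(AuditedEventDTO auditedEvent)
{
    if (auditedEvent == null)
    {
        return null;
    }

    // DeserializeObject returns null for empty or literal-null JSON.
    var details = JsonConvert.DeserializeObject<DetailsObject>(auditedEvent.Details ?? string.Empty);
    var rawReport = details?.Details ?? string.Empty;
    var messageDetail = string.Empty;

    if (rawReport.Length > 0)
    {
        var parseFailed = false;
        var reportCard = JsonConvert.DeserializeObject<ReportCard>(rawReport, new JsonSerializerSettings
        {
            Error = (unused, args) =>
            {
                parseFailed = true;
                args.ErrorContext.Handled = true;
            },
        });

        if (parseFailed)
        {
            // A handled error can leave a partially populated object; report the raw text instead.
            messageDetail = rawReport;
        }
        else if (reportCard != null && reportCard.ErrorMessages != null)
        {
            messageDetail = $" {string.Join(";", reportCard.ErrorMessages.ToArray())}";
        }
    }

    // CEF extension escaping: backslash first, then the key/value separator.
    messageDetail = messageDetail.Replace("\\", "\\\\").Replace("=", "\\=");

    return auditedEvent.ToSyslogMessage($"CEF:0|Apprenda|CloudPlatform|{PlatformVersion}|-|{auditedEvent.Operation}|Unknown|outcome={auditedEvent.EventTypeDescription()} {messageDetail}");
}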
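/// <summary>
/// Formats an AuditedEventDTO that contains a ReportCard in the Details field.
/// </summary>
/// <remarks>
/// Details is parsed as a DetailsObject whose Details member is in turn parsed as a ReportCard.
/// When the ReportCard parse fails, the raw inner text is reported instead. The error handler
/// marks the error as handled: Json.NET rethrows a deserialization error unless
/// ErrorContext.Handled is set, so a handler that only records the fallback text never takes
/// effect and the event is lost to the exception.
/// </remarks>
/// <param name="auditedEvent">The audited event to format</param>
/// <returns>SyslogMessage representing the provided event, or null when the event is null</returns>
public static SyslogMessage DefaultReportCardFormatter(AuditedEventDTO auditedEvent)
{
    if (auditedEvent == null)
    {
        return null;
    }

    // DeserializeObject returns null for empty or literal-null JSON.
    var details = JsonConvert.DeserializeObject<DetailsObject>(auditedEvent.Details ?? string.Empty);
    var rawReport = details?.Details ?? string.Empty;
    var messageDetail = string.Empty;

    if (rawReport.Length > 0)
    {
        var parseFailed = false;
        var reportCard = JsonConvert.DeserializeObject<ReportCard>(rawReport, new JsonSerializerSettings
        {
            Error = (unused, args) =>
            {
                parseFailed = true;
                args.ErrorContext.Handled = true;
            },
        });

        if (parseFailed)
        {
            // A handled error can leave a partially populated object; report the raw text instead.
            // The leading space keeps it separated from the event type description.
            messageDetail = $" {rawReport}";
        }
        else if (reportCard != null && reportCard.ErrorMessages != null)
        {
            messageDetail = $" {string.Join(";", reportCard.ErrorMessages.ToArray())}";
        }
    }

    // NOTE(review): messageDetail is event-supplied and is not newline-stripped in this method;
    // confirm FromEventDTO strips newlines so one event cannot span several syslog records.
    return FromEventDTO(auditedEvent, $"{auditedEvent.Operation} {auditedEvent.EventTypeDescription()}{messageDetail}");
}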
/// <summary>
/// Builds a syslog message for an audited event with the supplied body, using the LogAudit
/// facility and Informational severity.
/// </summary>
/// <param name="auditedEvent">The audited event</param>
/// <param name="message">The message body</param>
/// <returns>Syslog message carrying the body and event details, or null when the event is null</returns>
public static SyslogMessage ToSyslogMessage(this AuditedEventDTO auditedEvent, string message)
{
    if (auditedEvent == null)
    {
        return null;
    }

    // Delegate to the overload that takes an explicit facility and severity.
    return ToSyslogMessage(auditedEvent, Facility.LogAudit, Severity.Informational, message);
}
/// <summary>
/// Default formatter for an AuditedEventDTO whose EventType is not encoded in the message and
/// which has a non-empty Details body to include.
/// </summary>
/// <remarks>
/// The message is "Operation EventTypeDescription Details", with StripNewLines applied to the
/// Details text. It is sent on the LogAudit facility at Informational severity.
/// </remarks>
/// <param name="auditedEvent">The audited event</param>
/// <returns>Syslog message representing the event, or null when the event is null</returns>
public SyslogMessage DefaultOpResultFormatter(AuditedEventDTO auditedEvent)
{
    if (auditedEvent == null)
    {
        return null;
    }

    var body = $"{auditedEvent.Operation} {auditedEvent.EventTypeDescription()} {auditedEvent.Details.StripNewLines()}";
    return FromEventDTO(auditedEvent, Facility.LogAudit, Severity.Informational, body);
}
/// <summary>
/// Default formatter for an AuditedEventDTO whose EventType is not encoded in the message.
/// The operation name alone is used as the message body.
/// </summary>
/// <param name="auditedEvent">The audited event</param>
/// <returns>Syslog message representing the event, or null when the event is null</returns>
public static SyslogMessage DefaultActionResultMapper(AuditedEventDTO auditedEvent)
{
    if (auditedEvent == null)
    {
        return null;
    }

    var body = auditedEvent.Operation;
    return FromEventDTO(auditedEvent, body);
}
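/// <summary>
/// Formatter to handle Login Failure events, emitted on the security/authorization facility at
/// Notice severity.
/// </summary>
/// <param name="auditedEvent">The audited event</param>
/// <returns>SyslogMessage representing the event, or null when the event is null.</returns>
private static SyslogMessage LoginFailureFormatter(AuditedEventDTO auditedEvent)
{
    // Guard before reading Details; the sibling formatters return null for a null event.
    if (auditedEvent == null)
    {
        return null;
    }

    var loginDetails = FormatLoginFailureDto(auditedEvent.Details);

    // NOTE(review): loginDetails is placed in the message exactly as FormatLoginFailureDto returns
    // it, and neither that helper nor FromEventDTO is visible here. Login-failure details
    // presumably carry caller-supplied values, so confirm one of them strips newlines.
    return FromEventDTO(
        auditedEvent,
        Facility.SecurityOrAuthorizationMessages1,
        Severity.Notice,
        $"{auditedEvent.Operation} {loginDetails}");
}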