/// <summary>
        /// Forwards each received AuditedEventDTO to the configured Syslog receiver.
        /// </summary>
        /// <param name="message">The audited event details</param>
        public override void OnAuditedEventReceived(AuditedEventDTO message)
        {
            // Nothing is forwarded for a null event, or while the kill switch is set.
            if (message == null || _killswitch)
            {
                return;
            }

            // A sender is created per event and disposed when the block exits, so no long-lived connection
            // has to be managed. If TCP connection establishment becomes a performance problem, switch to
            // a single sender instance and re-establish the connection as needed.
            // NOTE(review): whether CreateSender() yields a TLS-protected transport is not visible here;
            // audit records cross the network in whatever form that sender uses - confirm.
            using (var syslogSender = CreateSender())
            {
                // Use the formatter registered for this operation, or the generic mapper when none is.
                AuditMapFunc formatter;
                if (!_mapper.Formatters.TryGetValue(message.Operation, out formatter))
                {
                    formatter = BaseAuditCallsiteMap.DefaultActionResultMapper;
                }

                // NOTE(review): nothing here catches an exception thrown by the formatter or by Send,
                // so such a failure propagates to the caller and this event is not forwarded.
                syslogSender.Send(formatter(message), _serializer);
            }
        }
        /// <summary>
        /// AuditedEventDTO to SyslogMessage formatter for the Version Promotion operation family.
        /// </summary>
        /// <param name="auditedEvent">The AuditedEventDTO instance to format</param>
        /// <returns>SyslogMessage representation of the event</returns>
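        private SyslogMessage VersionPromotionFormatter(AuditedEventDTO auditedEvent)
        {
            // A null event maps to a null message, as in the sibling formatters, instead of a NullReferenceException.
            if (auditedEvent == null)
            {
                return null;
            }

            var    severity = Severity.Informational;
            string detail   = null;

            if (auditedEvent.EventType == AuditEventType.OperationFailed)
            {
                // Failed promotions are raised to Warning and carry the raw details text.
                severity = Severity.Warning;
            }
            else if (!string.IsNullOrWhiteSpace(auditedEvent.Details))
            {
                try
                {
                    var av = JsonConvert.DeserializeObject<ApplicationVersionDto>(auditedEvent.Details);

                    // DeserializeObject returns null for input such as the JSON literal "null".
                    if (av != null)
                    {
                        detail = $"{av.Name} ({av.Alias}) {av.Stage}";
                    }
                }
                catch (JsonException)
                {
                    // Details was not the expected JSON. Dropping an audit record is worse than
                    // forwarding it unparsed, so fall through to the raw-text form below.
                }
            }

            if (detail == null)
            {
                // Raw fallback: the failed-operation case, or details that could not be parsed.
                detail = auditedEvent.Details == null ? string.Empty : auditedEvent.Details.StripNewLines();
            }

            // NOTE(review): detail and Operation are placed into the CEF string without CEF escaping
            // (pipe in header fields, backslash and equals sign in extension values). A name or alias
            // containing "key=value" text could be read by a CEF parser as an additional field.
            // The layout is left unchanged here because downstream parsers may depend on it.
            var message = $"CEF:0|Apprenda|CloudPlatform|{PlatformVersion}|-|{auditedEvent.Operation}|PROMO1|outcome={auditedEvent.EventTypeDescription()} {detail}";

            return new SyslogMessage(
                       auditedEvent.Timestamp,
                       Facility.UserLevelMessages,
                       severity,
                       auditedEvent.SourceIP,
                       "ApprendaCloudPlatform",
                       message: message.StripNewLines(),
                       procId: "-",
                       structuredDataElements: new StructuredDataElement[0],
                       msgId: "-");
        }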
        /// <summary>
        /// Formatter to handle Login Failure events.
        /// </summary>
        /// <param name="auditedEvent">The audited event</param>
        /// <returns>SyslogMessage representing the event.</returns>
        private SyslogMessage LoginFailureFormatter(AuditedEventDTO auditedEvent)
        {
            // The Details payload is rendered by FormatLoginFailureDto before the CEF line is assembled.
            // NOTE(review): what FormatLoginFailureDto emits is not visible here; confirm that it cannot
            // place submitted credentials or unescaped "key=value" text into the audit stream.
            var failureText = FormatLoginFailureDto(auditedEvent.Details);
            var cefLine     = $"CEF:0|Apprenda|CloudPlatform|{PlatformVersion}|-|{auditedEvent.Operation}|CIT3|outcome={auditedEvent.EventTypeDescription()} {failureText}";

            // Login failures are reported on the security/authorization facility at Notice severity.
            return auditedEvent.ToSyslogMessage(Facility.SecurityOrAuthorizationMessages1, Severity.Notice, cefLine);
        }
 /// <summary>
 /// Format an AuditedEventDTO into a syslog message containing a specific message body.
 /// </summary>
 /// <param name="auditedEvent">The audited event</param>
 /// <param name="facility">The Syslog facility identifier</param>
 /// <param name="severity">The Syslog severity identifier</param>
 /// <param name="message">The message body</param>
 /// <returns>Syslog Message containing the requested message and audited event details</returns>
 public static SyslogMessage ToSyslogMessage(this AuditedEventDTO auditedEvent, Facility facility, Severity severity, string message)
 {
     // A null event produces a null message rather than an exception.
     if (auditedEvent == null)
     {
         return null;
     }

     // StripNewLines presumably removes CR/LF so that one audit record cannot be split into
     // several syslog lines by a value containing line breaks - confirm against its definition.
     var singleLineBody = message.StripNewLines();

     // NOTE(review): the syslog host name is taken from the event's SourceIP; whether that value
     // is validated upstream is not visible here.
     return new SyslogMessage(
         dateTimeOffset: auditedEvent.Timestamp,
         facility: facility,
         severity: severity,
         hostName: auditedEvent.SourceIP,
         appName: "ApprendaCloudPlatform",
         message: singleLineBody,
         procId: "-",
         structuredDataElements: new StructuredDataElement[0],
         msgId: "-");
 }
        /// <summary>
        /// Formats an event whose Details JSON carries an original and a new value as "Operation Change from X to Y".
        /// </summary>
        /// <param name="auditedEvent">The audited event; may be null</param>
        /// <returns>The syslog message, or null when <paramref name="auditedEvent"/> is null</returns>
        private SyslogMessage ValueUpdateFormatter(AuditedEventDTO auditedEvent)
        {
            if (auditedEvent == null)
            {
                return null;
            }

            var change = JsonConvert.DeserializeObject<DetailsObject>(auditedEvent.Details);

            // NOTE(review): both the previous and the new value are forwarded verbatim (line breaks aside).
            // If the settings being audited can hold secrets, confirm they are redacted before this point.
            return FromEventDTO(
                auditedEvent,
                $"{auditedEvent.Operation} Change from {change.OriginalValue.StripNewLines()} to {change.NewValue.StripNewLines()}");
        }
        /// <summary>
        /// Formats an event whose Details JSON carries an original and a new value as a CEF line,
        /// with the original value in cs1 and the new value in cs2.
        /// </summary>
        /// <param name="auditedEvent">The audited event; may be null</param>
        /// <returns>The syslog message, or null when <paramref name="auditedEvent"/> is null</returns>
        private SyslogMessage RegistrySetValueDetailFormatter(AuditedEventDTO auditedEvent)
        {
            if (auditedEvent == null)
            {
                return null;
            }

            var change = JsonConvert.DeserializeObject<DetailsObject>(auditedEvent.Details);

            // NOTE(review): the values only have line breaks removed. CEF extension values also need
            // backslash and equals sign escaped; without that, a value containing " cs2=..." text could be
            // parsed as a separate field. Confirm how the receiving parser handles this.
            // NOTE(review): if these settings can hold secrets, both old and new values reach the log as-is.
            var extension = $"cs1={change.OriginalValue.StripNewLines()} cs2={change.NewValue.StripNewLines()}";
            var cefLine   = $"CEF:0|Apprenda|CloudPlatform|{PlatformVersion}|-|{auditedEvent.Operation}|PR1|outcome={auditedEvent.EventTypeDescription()} {extension}";

            return auditedEvent.ToSyslogMessage(cefLine);
        }
        /// <summary>
        /// Retrieve an English descriptive word for the EventType property of the provided AuditedEventDTO instance.
        /// </summary>
        /// <param name="source">An AuditedEventDto</param>
        /// <returns>en-US Descriptive term for the AuditedEventDTO EventType property</returns>
        public static string EventTypeDescription(this AuditedEventDTO source)
        {
            // Shared text for a null event and for any event type not listed below.
            const string unknownState = "Unknown event state";

            if (source == null)
            {
                return unknownState;
            }

            var eventType = source.EventType;

            if (eventType == AuditEventType.OperationCompleted)
            {
                return "Completed";
            }

            if (eventType == AuditEventType.OperationFailed)
            {
                return "Failed";
            }

            if (eventType == AuditEventType.OperationStarting)
            {
                return "Starting";
            }

            return unknownState;
        }
        /// <summary>
        /// Formats an AuditedEventDTO that contains a ReportCard in the Details field.
        /// </summary>
        /// <param name="auditedEvent">The audited event to format</param>
        /// <returns>SyslogMessage representing the provided event</returns>
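        protected SyslogMessage DefaultReportCardCefFormatter(AuditedEventDTO auditedEvent)
        {
            if (auditedEvent == null)
            {
                return null;
            }

            var details       = JsonConvert.DeserializeObject<DetailsObject>(auditedEvent.Details);
            var rawDetail     = details?.Details;
            var messageDetail = string.Empty;

            // Skip the second parse when there is no inner payload; passing null to DeserializeObject throws.
            if (!string.IsNullOrEmpty(rawDetail))
            {
                var reportCard = JsonConvert.DeserializeObject<ReportCard>(rawDetail, new JsonSerializerSettings
                {
                    Error = (unused, errorArgs) =>
                    {
                        // The inner payload is not a ReportCard: keep its raw text as the detail.
                        messageDetail = rawDetail;

                        // Without Handled = true Json.NET rethrows after this callback returns, so the
                        // fallback text was never used and the audit event was lost to the exception.
                        errorArgs.ErrorContext.Handled = true;
                    },
                });

                // ErrorMessages may be absent on a partially populated card; keep the current detail then.
                if (reportCard?.ErrorMessages != null)
                {
                    messageDetail = $" {string.Join(";", reportCard.ErrorMessages.ToArray())}";
                }
            }

            // NOTE(review): messageDetail is placed after outcome= without CEF escaping of backslash and
            // equals sign; text containing "key=value" could be parsed as an extra extension field.
            return auditedEvent.ToSyslogMessage($"CEF:0|Apprenda|CloudPlatform|{PlatformVersion}|-|{auditedEvent.Operation}|Unknown|outcome={auditedEvent.EventTypeDescription()} {messageDetail}");
        }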
        /// <summary>
        /// Formats an AuditedEventDTO that contains a ReportCard in the Details field.
        /// </summary>
        /// <param name="auditedEvent">The audited event to format</param>
        /// <returns>SyslogMessage representing the provided event</returns>
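        public static SyslogMessage DefaultReportCardFormatter(AuditedEventDTO auditedEvent)
        {
            if (auditedEvent == null)
            {
                return null;
            }

            var details       = JsonConvert.DeserializeObject<DetailsObject>(auditedEvent.Details);
            var rawDetail     = details?.Details;
            var messageDetail = string.Empty;

            // Skip the second parse when there is no inner payload; passing null to DeserializeObject throws.
            if (!string.IsNullOrEmpty(rawDetail))
            {
                var reportCard = JsonConvert.DeserializeObject<ReportCard>(rawDetail, new JsonSerializerSettings
                {
                    Error = (unused, errorArgs) =>
                    {
                        // The inner payload is not a ReportCard: keep its raw text as the detail.
                        messageDetail = rawDetail;

                        // Without Handled = true Json.NET rethrows after this callback returns, so the
                        // fallback text was never used and the audit event was lost to the exception.
                        errorArgs.ErrorContext.Handled = true;
                    },
                });

                // ErrorMessages may be absent on a partially populated card; keep the current detail then.
                if (reportCard?.ErrorMessages != null)
                {
                    messageDetail = $" {string.Join(";", reportCard.ErrorMessages.ToArray())}";
                }
            }

            // NOTE(review): the raw fallback text is passed on as-is; whether FromEventDTO removes line
            // breaks from the message body is not visible here - confirm.
            return FromEventDTO(auditedEvent, $"{auditedEvent.Operation} {auditedEvent.EventTypeDescription()}{messageDetail}");
        }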
 /// <summary>
 /// Format an AuditedEventDTO into a syslog message containing a specific message body.
 /// </summary>
 /// <param name="auditedEvent">The audited event</param>
 /// <param name="message">The message body</param>
 /// <returns>Syslog Message containing the requested message and audited event details</returns>
 public static SyslogMessage ToSyslogMessage(this AuditedEventDTO auditedEvent, string message)
 {
     // A null event produces a null message.
     if (auditedEvent == null)
     {
         return null;
     }

     // Defaults for callers that do not choose a facility or severity: audit facility, Informational.
     return ToSyslogMessage(auditedEvent, Facility.LogAudit, Severity.Informational, message);
 }
 /// <summary>
 /// Default formatter for AuditedEventDTO whose EventType is not encoded in the message and which has a non-empty Results body to include.
 /// </summary>
 /// <param name="auditedEvent">The audited event</param>
 /// <returns>Syslog Message representing the event</returns>
 public SyslogMessage DefaultOpResultFormatter(AuditedEventDTO auditedEvent)
 {
     // A null event produces a null message.
     if (auditedEvent == null)
     {
         return null;
     }

     // Body layout: operation, event-state word, then the details text with line breaks removed.
     // NOTE(review): Details is forwarded otherwise unmodified; confirm it cannot carry secrets.
     return FromEventDTO(
         auditedEvent,
         Facility.LogAudit,
         Severity.Informational,
         $"{auditedEvent.Operation} {auditedEvent.EventTypeDescription()} {auditedEvent.Details.StripNewLines()}");
 }
 /// <summary>
 /// Default formatter for AuditedEventDTO whose EventType is not encoded in the message.
 /// </summary>
 /// <param name="auditedEvent">The audited event</param>
 /// <returns>Syslog Message representing the event</returns>
 public static SyslogMessage DefaultActionResultMapper(AuditedEventDTO auditedEvent)
 {
     // A null event produces a null message.
     if (auditedEvent == null)
     {
         return null;
     }

     // Only the operation name is used as the message body; Details is not included.
     return FromEventDTO(auditedEvent, auditedEvent.Operation);
 }
        /// <summary>
        /// Formatter to handle Login Failure events.
        /// </summary>
        /// <param name="auditedEvent">The audited event</param>
        /// <returns>SyslogMessage representing the event.</returns>
        private static SyslogMessage LoginFailureFormatter(AuditedEventDTO auditedEvent)
        {
            // NOTE(review): what FormatLoginFailureDto emits is not visible here; confirm that it cannot
            // place submitted credentials into the audit stream.
            var failureText = FormatLoginFailureDto(auditedEvent.Details);
            var body        = $"{auditedEvent.Operation} {failureText}";

            // Login failures are reported on the security/authorization facility at Notice severity.
            return FromEventDTO(auditedEvent, Facility.SecurityOrAuthorizationMessages1, Severity.Notice, body);
        }