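/// <summary>
/// Handles one received syslog event: fills a <c>CustomBase.Rec</c> from the event and
/// passes it to the sender service selected by <c>usingRegistry</c>.
/// </summary>
/// <param name="args">Event data; Message, Source and EventLogEntType are read.</param>
void slog_SyslogEvent(LogMgrEventArgs args)
        {
            CustomBase.Rec rec = new CustomBase.Rec();

            try
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
                try
                {
                    rec.LogName = "SysLog Recorder";
                    // This is the receive time on the collector (local clock), not a timestamp
                    // taken from the message itself.
                    rec.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");
                    rec.EventType = args.EventLogEntType.ToString();

                    // Fix: the original truncated Description and then immediately overwrote it
                    // with the full-length message, so the length cap never took effect.
                    // The quote substitution is now applied to the truncated text.
                    string description = args.Message;
                    if (description.Length > 895)
                    {
                        description = description.Substring(0, 890);
                    }

                    // NOTE(review): swapping ' for | looks like a guard for a string-built SQL
                    // statement further down the pipeline. If so, a parameterised insert is the
                    // reliable control; this substitution should not be the only one. Confirm
                    // against the sender service.
                    rec.Description = description.Replace("'", "|");

                    L.Log(LogType.FILE, LogLevel.DEBUG, " Source Is : " + args.Source.ToString());
                    rec.SourceName = args.Source;
                    // NOTE(review): the message is written to the file log unmodified. If the log
                    // sink does not escape CR/LF, a crafted message could forge log lines. Verify.
                    L.Log(LogType.FILE, LogLevel.INFORM, " Log : " + args.Message);
                }
                catch (Exception e)
                {
                    // Preparation errors are only reported at DEBUG level, and the partially
                    // filled record is still sent below.
                    L.Log(LogType.FILE, LogLevel.DEBUG, "ERROR------------");
                    L.Log(LogType.FILE, LogLevel.DEBUG, e.Message);
                    L.Log(LogType.FILE, LogLevel.DEBUG, e.StackTrace);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
                if (usingRegistry)
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
                    s.SetData(rec);
                }
                else
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
                    s.SetData(Dal, virtualhost, rec);
                    s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
            }
            catch (Exception er)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
                L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
            }
        }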
예제 #2
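        /// <summary>
        /// Builds a record from one comma-separated firewall log line. The header fields
        /// (source, event type, description) come from <paramref name="args"/>; the positional
        /// fields are read from <paramref name="line"/> unless <paramref name="dontSend"/> is set.
        /// </summary>
        /// <param name="line">Raw log line; may be null or empty.</param>
        /// <param name="dontSend">When true, the positional fields of the line are not parsed.</param>
        /// <param name="args">Syslog event data; Source, Message and EventLogEntType are read.</param>
        /// <returns>The record, possibly only partially filled when parsing failed.</returns>
        public Rec ParseSpecific(String line, bool dontSend, LogMgrEventArgs args)
        {
            // NOTE(review): line and args.Message are written to the file log unmodified here and
            // below. If the log sink does not escape CR/LF, a crafted message could forge log
            // lines. Verify against the logger.
            L.Log(LogType.FILE, LogLevel.DEBUG, " ParseSpecific() | Parsing Specific line. Line : " + line);
            if (string.IsNullOrEmpty(line))
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, " ParseSpecific() | Line is Null Or Empty. ");
            }

            CustomBase.Rec rec = new CustomBase.Rec();

            L.Log(LogType.FILE, LogLevel.DEBUG, " Source Is : " + args.Source.ToString());
            rec.SourceName = args.Source;
            L.Log(LogType.FILE, LogLevel.INFORM, " Log : " + args.Message);

            rec.LogName = "PaloAltoTrafficV_1_0_0Syslog Recorder";
            rec.EventType = args.EventLogEntType.ToString();

            if (!string.IsNullOrEmpty(remote_host))
            {
                rec.ComputerName = remote_host;
            }

            // Description is stored at full length; the length cap and quote substitution that
            // this code once had are not applied here.
            rec.Description = args.Message;

            L.Log(LogType.FILE, LogLevel.DEBUG, " ParseSpecific() | ComputerName: " + rec.ComputerName);
            L.Log(LogType.FILE, LogLevel.DEBUG, " ParseSpecific() | Description: " + rec.Description);
            L.Log(LogType.FILE, LogLevel.DEBUG, " ParseSpecific() | LogName: " + rec.LogName);
            L.Log(LogType.FILE, LogLevel.DEBUG, " ParseSpecific() | SourceName: " + rec.SourceName);

            if (!dontSend)
            {
                // Field layouts as documented by the original author:
                //threat      Domain*,Receive Time*,Serial #*,Type*,Threat/Content Type*,Config Version*,Generate Time*,Source address*,Destination address*,NAT Source IP*,NAT Destination IP*,Rule*,Source User*,Destination User*,Application*,Virtual System*,Source Zone*,Destination Zone*,Inbound Interface*,Outbound Interface*,Log Action*,Time Logged*,Session ID*,Repeat Count*,Source Port*,Destination Port*,NAT Source Port*,NAT Destination Port*,Flags*,IP Protocol*,Action,URL,Threat/Content Name,Category,Severity,Direction
                //traffic     Domain*,Receive Time*,Serial #*,Type*,Threat/Content Type*,Config Version*,Generate Time*,Source address*,Destination address*,NAT Source IP*,NAT Destination IP*,Rule*,Source User*,Destination User*,Application*,Virtual System*,Source Zone*,Destination Zone*,Inbound Interface*,Outbound Interface*,Log Action*,Time Logged*,Session ID*,Repeat Count*,Source Port*,Destination Port*,NAT Source Port*,NAT Destination Port*,Flags*,IP Protocol*,Action,Bytes,Bytes Sent,Bytes Received,Packets,Start Time,Elapsed Time (sec),Category,Padding(39)
                //1,2011/01/25 05:45:17,0004C100832,THREAT,vulnerability,2,2011/01/25 05:45:12,193.189.142.32,168.216.29.89,192.168.0.12,168.216.29.89,Dis_Web_Server_erisim,,,web-browsing,vsys1,DMZ,Internet,ethernet1/1,ethernet1/4,,2011/01/25 05:45:17,56500,1,80,4149,80,4149,0x40,tcp,alert,,HTTP Non RFC-Compliant Response Found(32880),any,informational,server-to-client
                //172.16.55.55:34062 : local7.info Dec 14 11:15:31 1,2012/12/14 11:15:31,002201000312,THREAT,url,1,2012/12/14 11:15:31,10.104.3.241,2.21.90.227,194.27.49.141,2.21.90.227,TR-2-UNT,,,web-browsing,vsys1,trust,untrust,ethernet1/14,ethernet1/15,au_log_profile,2012/12/14 11:15:30,1013217,1,3868,80,34277,80,0x408000,tcp,alert,"px.owneriq.net/ep?sid[]=302333068&sid[]=302334368&rid[]=1612783&rid[]=1612784",(9999),business-and-economy,informational,client-to-server,1652635554,0x0,10.0.0.0-10.255.255.255,European Union,0,text/html

                // NOTE(review): a plain Split(',') does not honour quoted fields. The URL field
                // in the sample above is quoted and carries client-controlled text, so a comma
                // inside it shifts every later index and the wrong values land in the record.
                // A quote-aware CSV split would close that gap.

                // Fix: a null line used to throw NullReferenceException here, outside every try
                // block; it is now treated as an empty line and fails field by field below.
                string[] parts = (line ?? string.Empty).Split(',');

                try
                {
                    try
                    {
                        // Index 6 is the device's "Generate Time". Conversion uses the current
                        // culture, as before.
                        rec.Datetime = Convert.ToDateTime(parts[6]).ToString("yyyy-MM-dd HH:mm:ss");
                    }
                    catch (Exception)
                    {
                        // Fix: report the field that actually failed (index 6, not 4), and do not
                        // index past the end of a short line from inside the handler. Doing so
                        // used to abort the rest of the parse.
                        string rawDate = parts.Length > 6 ? parts[6] : "<missing>";
                        L.Log(LogType.FILE, LogLevel.ERROR, " ParseSpecific() | There is a problem converting to date.  date : " + rawDate);
                    }

                    for (int i = 0; i < parts.Length; i++)
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, " ParseSpecific() Parts[" + i + "]: " + parts[i]);
                    }

                    try
                    {
                        // A line shorter than the highest index used here throws part-way
                        // through; fields assigned before that point are kept.
                        rec.CustomStr1 = parts[18];
                        rec.CustomStr2 = parts[19];
                        rec.CustomStr3 = parts[7];
                        rec.CustomStr4 = parts[8];
                        rec.CustomStr5 = parts[9];
                        rec.CustomStr6 = parts[10];
                        rec.CustomStr7 = parts[29];
                        rec.CustomStr8 = parts[4];
                        rec.CustomStr9 = parts[3];
                        rec.CustomStr10 = parts[14];

                        rec.UserName = parts[12];
                        rec.EventType = parts[30];
                        rec.EventCategory = parts[37];

                        rec.CustomInt1 = Convert_to_Int32(parts[0]);
                        rec.CustomInt2 = Convert_to_Int32(parts[23]);
                        rec.CustomInt3 = Convert_to_Int32(parts[24]);
                        rec.CustomInt4 = Convert_to_Int32(parts[25]);
                        rec.CustomInt5 = Convert_to_Int32(parts[26]);
                        rec.CustomInt6 = Convert_to_Int32(parts[27]);
                        rec.CustomInt7 = Convert_to_Int32(parts[22]);
                        rec.CustomInt8 = Convert_to_Int32(parts[32]);
                        rec.CustomInt9 = Convert_to_Int32(parts[33]);
                        rec.CustomInt10 = Convert_to_Int32(parts[36]);
                    }
                    catch (Exception ex)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR,
                              " ParseSpecific() | There is a problem parsing log.: " + ex.Message);
                    }
                }
                catch (Exception ex)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, " ParseSpecific() | " + ex.Message);
                    L.Log(LogType.FILE, LogLevel.ERROR, " ParseSpecific() | " + ex.StackTrace);
                    L.Log(LogType.FILE, LogLevel.ERROR, " ParseSpecific() | Line : " + line);
                }
            }
            return rec;
        }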
예제 #3
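        /// <summary>
        /// Handles one received syslog event in key/value form: splits the message into tokens,
        /// maps the recognised keys onto a <c>CustomBase.Rec</c> and passes it to
        /// <c>SendData</c>.
        /// </summary>
        /// <param name="args">Event data; Message and EventLogEntType are read.</param>
        void slog_SyslogEvent(LogMgrEventArgs args)
        {
            CustomBase.Rec rec = new CustomBase.Rec();
            string[] lineArr = SpaceSplit(args.Message, true);
            try
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
                try
                {
                    rec.LogName = "CyberoamSyslogV_1_0_0Recorder";

                    // Cap the stored description at 899 characters.
                    rec.Description = args.Message.Length > 899
                        ? args.Message.Substring(0, 899)
                        : args.Message;
                    // NOTE(review): the message is written to the file log unmodified. If the log
                    // sink does not escape CR/LF, a crafted message could forge log lines. Verify.
                    L.Log(LogType.FILE, LogLevel.INFORM, "Description: " + args.Message);

                    // Keys are matched by prefix with ordinal comparison (the original used the
                    // culture-sensitive overload). A token whose key merely begins with one of
                    // these names is accepted too; an exact key match would be stricter.
                    // Confirm against the device's field list.
                    string dateString = "";
                    string timeString = "";
                    foreach (string token in lineArr)
                    {
                        if (token.StartsWith("date", StringComparison.Ordinal))
                        {
                            dateString = SubLineSplitter(token);
                        }

                        if (token.StartsWith("time", StringComparison.Ordinal)
                            && !token.StartsWith("timezone", StringComparison.Ordinal))
                        {
                            timeString = SubLineSplitter(token);
                        }
                    }
                    L.Log(LogType.FILE, LogLevel.DEBUG, "dateString: " + dateString + " " + timeString);
                    // Throws when either part is missing or unparsable; the catch below then
                    // drops the whole event without sending it.
                    DateTime dt = Convert.ToDateTime(dateString + " " + timeString);
                    rec.Datetime = dt.ToString(dateFormat);

                    L.Log(LogType.FILE, LogLevel.DEBUG, "DateTime: " + rec.Datetime);

                    foreach (string token in lineArr)
                    {
                        if (token.StartsWith("device_name", StringComparison.Ordinal))
                        {
                            rec.SourceName = SubLineSplitter(token);
                        }

                        if (token.StartsWith("log_component", StringComparison.Ordinal))
                        {
                            rec.EventCategory = SubLineSplitter(token);
                        }

                        if (token.StartsWith("log_type", StringComparison.Ordinal))
                        {
                            rec.EventType = SubLineSplitter(token);
                        }

                        // NOTE(review): device_id goes to UserName and user_name goes to
                        // ComputerName. That looks swapped and would affect user attribution in
                        // anything built on these records. Confirm against the downstream schema.
                        if (token.StartsWith("device_id", StringComparison.Ordinal))
                        {
                            rec.UserName = SubLineSplitter(token);
                        }

                        if (token.StartsWith("user_name", StringComparison.Ordinal))
                        {
                            rec.ComputerName = SubLineSplitter(token);
                        }

                        if (token.StartsWith("protocol", StringComparison.Ordinal))
                        {
                            rec.CustomStr1 = SubLineSplitter(token);
                        }

                        if (token.StartsWith("user_gp", StringComparison.Ordinal))
                        {
                            rec.CustomStr2 = SubLineSplitter(token);
                        }

                        if (token.StartsWith("src_ip", StringComparison.Ordinal))
                        {
                            rec.CustomStr3 = SubLineSplitter(token);
                        }

                        if (token.StartsWith("dst_ip", StringComparison.Ordinal))
                        {
                            rec.CustomStr4 = SubLineSplitter(token);
                        }

                        if (token.StartsWith("category", StringComparison.Ordinal))
                        {
                            rec.CustomStr5 = SubLineSplitter(token);
                        }

                        if (token.StartsWith("contenttype", StringComparison.Ordinal))
                        {
                            rec.CustomStr6 = SubLineSplitter(token);
                        }

                        if (token.StartsWith("domain", StringComparison.Ordinal))
                        {
                            rec.CustomStr7 = SubLineSplitter(token);
                        }

                        if (token.StartsWith("status", StringComparison.Ordinal))
                        {
                            rec.CustomStr8 = SubLineSplitter(token);
                        }

                        if (token.StartsWith("url", StringComparison.Ordinal))
                        {
                            rec.CustomStr9 = SubLineSplitter(token);
                        }

                        if (token.StartsWith("log_subtype", StringComparison.Ordinal))
                        {
                            rec.CustomStr10 = SubLineSplitter(token);
                        }

                        if (token.StartsWith("fw_rule_id", StringComparison.Ordinal))
                        {
                            rec.CustomInt1 = Convert_To_Int32(SubLineSplitter(token));
                        }

                        if (token.StartsWith("iap", StringComparison.Ordinal))
                        {
                            rec.CustomInt2 = Convert_To_Int32(SubLineSplitter(token));
                        }

                        // CustomInt3, CustomInt4 and CustomInt10 are not populated.

                        if (token.StartsWith("src_port", StringComparison.Ordinal))
                        {
                            rec.CustomInt5 = Convert_To_Int32(SubLineSplitter(token));
                        }

                        if (token.StartsWith("dst_port", StringComparison.Ordinal))
                        {
                            rec.CustomInt6 = Convert_To_Int32(SubLineSplitter(token));
                        }

                        if (token.StartsWith("httpresponsecode", StringComparison.Ordinal))
                        {
                            rec.CustomInt7 = Convert_To_Int32(SubLineSplitter(token));
                        }

                        if (token.StartsWith("sent_bytes", StringComparison.Ordinal))
                        {
                            rec.CustomInt8 = Convert_To_Int32(SubLineSplitter(token));
                        }

                        if (token.StartsWith("recv_bytes", StringComparison.Ordinal))
                        {
                            rec.CustomInt9 = Convert_To_Int32(SubLineSplitter(token));
                        }
                    }

                    L.Log(LogType.FILE, LogLevel.DEBUG, "SourceName: " + rec.SourceName);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "EventCategory: " + rec.EventCategory);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "EventType: " + rec.EventType);
                    // Fix: these two statements were fused into one malformed line; restored to
                    // match the neighbouring log calls.
                    L.Log(LogType.FILE, LogLevel.DEBUG, "UserName: " + rec.UserName);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "ComputerName: " + rec.ComputerName);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr1: " + rec.CustomStr1);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2: " + rec.CustomStr2);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4: " + rec.CustomStr4);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr5: " + rec.CustomStr5);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr6: " + rec.CustomStr6);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr7: " + rec.CustomStr7);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr8: " + rec.CustomStr8);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr9: " + rec.CustomStr9);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr10: " + rec.CustomStr10);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt1: " + rec.CustomInt1.ToString(CultureInfo.InvariantCulture));
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt2: " + rec.CustomInt2.ToString(CultureInfo.InvariantCulture));
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt5: " + rec.CustomInt5.ToString(CultureInfo.InvariantCulture));
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt6: " + rec.CustomInt6.ToString(CultureInfo.InvariantCulture));
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt7: " + rec.CustomInt7.ToString(CultureInfo.InvariantCulture));
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt8: " + rec.CustomInt8.ToString(CultureInfo.InvariantCulture));
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt9: " + rec.CustomInt9.ToString(CultureInfo.InvariantCulture));

                    if (SendData(rec))
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
                    }
                }
                catch (Exception e)
                {
                    // NOTE(review): a parse failure drops the event and is reported only at
                    // DEBUG level, so lost security events are invisible at normal log levels.
                    // Consider ERROR here.
                    L.Log(LogType.FILE, LogLevel.DEBUG, "ERROR------------");
                    L.Log(LogType.FILE, LogLevel.DEBUG, e.Message);
                    L.Log(LogType.FILE, LogLevel.DEBUG, e.StackTrace);
                }
            }
            catch (Exception er)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
                L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
            }
        }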
        void slog_SyslogEvent(LogMgrEventArgs args)
        {
            CustomBase.Rec rec = new CustomBase.Rec();
            try
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");

                rec.LogName = "SymantecSmsSyslog Recorder";

                rec.EventCategory = "sms";
                rec.UserName = "******";

                rec.EventType = args.EventLogEntType.ToString();

                if (args.Message == "")
                {
                    L.Log(LogType.FILE, LogLevel.INFORM, "Message is null.");
                    return;
                }

                String[] Desc = args.Message.Split(':');

                if (Desc.Length < 5)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Length of message too small: " + args.Message);
                    return;
                }

                for (Int32 i = 0; i < Desc.Length; ++i)
                {
                    Desc[i] = Desc[i].Trim();
                }

                rec.ComputerName = Desc[0] + ":" + Desc[1];
                rec.SourceName = args.Source;

                String[] dateArr = SpaceSplit(Desc[2].TrimStart(rec.SourceName.ToCharArray()));

                if (dateArr.Length < 3)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for datetime (text too small): " + args.Message);
                    return;
                }

                try
                {
                    StringBuilder dateString = new StringBuilder();
                    //Date
                    dateString.Append(dateArr[0]).Append(" ").Append(dateArr[1]).Append(" ").Append(DateTime.Now.Year.ToString()).Append(" ");
                    //Time
                    dateString.Append(dateArr[2]).Append(":").Append(Desc[3]).Append(":").Append(Desc[4].Substring(0, 2));
                    DateTime dt = DateTime.Parse(dateString.ToString());
                    rec.Datetime = dt.AddMinutes(zone).ToString("yyyy/MM/dd HH:mm:ss");
                }
                catch (Exception)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing datetime text: " + args.Message);
                    return;
                }

                try
                {
                    string codeText = Desc[4].Substring(2).Trim().TrimStart(rec.EventCategory.ToCharArray()).Trim();
                    if (codeText.Contains("[") && codeText.Contains("]"))
                    {
                        rec.CustomStr1 = codeText.Split('[')[0].Trim();
                        rec.CustomInt1 = int.Parse(codeText.Split('[')[1].Trim().Split(']')[0].Trim());
                    }
                    else
                    {
                        rec.CustomStr1 = Desc[4].Substring(2).Trim(); //.TrimStart(rec.EventCategory.ToCharArray()).Trim(); //codeText;
                        rec.CustomInt1 = 0;
                    }
                }
                catch (Exception)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing code text: " + args.Message);
                    return;
                }

                int lastIndexForDesc = 5;
                if (Desc.Length > 5)
                {
                    if (Desc[5].Contains("ML-HOST_DISCONNECTED"))
                    {
                        try
                        {
                            rec.UserName = "******";
                            rec.CustomInt2 = int.Parse(Desc[5].Split(']')[0].TrimStart('[').Trim());
                            rec.EventCategory = "ML-HOST_DISCONNECTED";
                            if (Desc[7].ToLower().Contains("disconnected"))
                            {
                                rec.CustomStr10 = Desc[6] + ":" + Desc[7].Split(' ')[0]; //disconnected from
                            }
                            lastIndexForDesc = 6;
                        }
                        catch (Exception ex)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for ML-HOST_DISCONNECTED: " + args.Message + " \nEx: " + ex.Message);
                            return;
                        }
                    }
                    else if (Desc[5].Contains("ML-HOST_CONNECTED"))
                    {
                        try
                        {
                            rec.UserName = "******";
                            rec.CustomInt2 = int.Parse(Desc[5].Split(']')[0].TrimStart('[').Trim());
                            rec.EventCategory = "ML-HOST_CONNECTED";
                            if (Desc[7].ToLower().Contains("connected"))
                            {
                                rec.CustomStr10 = Desc[6] + ":" + Desc[7].Split(' ')[0]; //connected to
                            }
                            lastIndexForDesc = 6;
                        }
                        catch (Exception ex)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for ML-HOST_CONNECTED: " + args.Message + " \nEx: " + ex.Message);
                            return;
                        }
                    }
                    else if (Desc[5].Contains("ML-RECEIVED"))
                    {
                        //195.142.175.69:62754 : mail.info Jul 29 15:19:23 mail ecelerity: [18796] ML-RECEIVED_RECIPIENT: Message ID: E0/0C-18796-B45A23E4, Audit ID: c0a8010e-b7bc5ae00000496c-57-4e32a54bb662, recipient: [email protected]
                        try
                        {
                            rec.UserName = "******";
                            rec.CustomInt2 = int.Parse(Desc[5].Split(']')[0].TrimStart('[').Trim());
                            rec.EventCategory = "ML-RECEIVED";

                            if (Desc[6].Contains("Message ID") && Desc[7].Contains("Audit ID"))
                            {
                                try
                                {
                                    rec.CustomStr2 = Desc[8] + ":" + Desc[9].TrimEnd(", from host".ToCharArray()); //Received on
                                    if (Desc.Length > 10)
                                    {
                                        rec.CustomStr10 = Desc[10] + ":" + Desc[11].TrimEnd(", sender".ToCharArray()); //from host
                                        rec.CustomStr4 = Desc[12].Split(',')[0]; //sender

                                        rec.CustomInt3 = int.Parse(Desc[13].TrimEnd(", Note".ToCharArray())); //size
                                    }
                                }
                                catch (Exception ex)
                                {
                                    rec.CustomStr2 = Desc[8].TrimEnd(", from host".ToCharArray()); //Received on
                                    rec.CustomStr10 = Desc[9].TrimEnd(", sender".ToCharArray()); //from host
                                    rec.CustomStr4 = Desc[10].Split(',')[0]; //sender

                                    rec.CustomInt3 = int.Parse(Desc[11].TrimEnd(", Note".ToCharArray())); //size
                                }
                                finally
                                {
                                    rec.CustomStr5 = Desc[7].Split(',')[0]; //Message ID
                                    rec.CustomStr6 = Desc[7].Split(',')[1].TrimStart("Audit ID".ToCharArray()).Trim(); //Audit ID
                                }
                            }
                            lastIndexForDesc = 6;
                        }
                        catch (Exception ex)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for ML-RECEIVED: " + args.Message + " \nEx: " + ex.Message);
                            return;
                        }
                    }
                    else if (Desc[5].Contains("ML-REJECT"))
                    {
                        try
                        {
                            rec.UserName = "******";
                            rec.CustomInt2 = int.Parse(Desc[5].Split(']')[0].TrimStart('[').Trim());
                            rec.EventCategory = "ML-REJECT";

                            if (Desc[6].Contains("Rejection") && Desc[10].Contains("Audit ID"))
                            {
                                rec.CustomStr2 = Desc[7] + ":" + Desc[8].TrimEnd(", sent to host".ToCharArray()); //Rejection on
                                rec.CustomStr10 = Desc[9] + ":" + Desc[10].Split(',')[0] + (Desc[10].Split(',')[1].Contains("Audit ID") ? "" : Desc[10].Split(',')[1]); //sent to host
                                rec.CustomStr6 = Desc[10].Split(',')[1].Contains("Audit ID") ? Desc[10].Split(',')[1].TrimStart("Audit ID".ToCharArray()).Trim() : Desc[10].Split(',')[2].TrimStart("Audit ID".ToCharArray()).Trim(); //Audit ID
                            }
                            lastIndexForDesc = 6;
                        }
                        catch (Exception ex)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for ML-REJECT: " + args.Message + " \nEx: " + ex.Message);
                            return;
                        }
                    }
                    else if (Desc[5].Contains("ML-DELIVERY_ATTEMPT"))
                    {
                        try
                        {
                            rec.UserName = "******";
                            rec.CustomInt2 = int.Parse(Desc[5].Split(']')[0].TrimStart('[').Trim());
                            rec.EventCategory = "ML-DELIVERY_ATTEMPT";

                            if (Desc[6].Contains("Message ID") && Desc[7].Contains("Audit ID"))
                            {
                                rec.CustomStr4 = Desc[8]; //sender

                                rec.CustomStr5 = Desc[7].Split(',')[0]; //Message ID
                                rec.CustomStr6 = Desc[7].Split(',')[1].TrimStart("Audit ID".ToCharArray()).Trim(); //Audit ID
                            }
                            lastIndexForDesc = 6;
                        }
                        catch (Exception ex)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for ML-DELIVERY_ATTEMPT: " + args.Message + " \nEx: " + ex.Message);
                            return;
                        }
                    }
                    else if (Desc[5].Contains("ML-DELIVERY"))
                    {
                        try
                        {
                            rec.UserName = "******";
                            rec.CustomInt2 = int.Parse(Desc[5].Split(']')[0].TrimStart('[').Trim());
                            rec.EventCategory = "ML-DELIVERY";

                            if (Desc[6].Contains("Message ID") && Desc[7].Contains("Audit ID"))
                            {
                                rec.CustomStr10 = Desc[8].TrimEnd(", sender".ToCharArray()); //Delivery succeeded to host
                                rec.CustomStr4 = Desc[9].TrimEnd(", Note".ToCharArray()); //sender

                                rec.CustomStr5 = Desc[7].Split(',')[0]; //Message ID
                                rec.CustomStr6 = Desc[7].Split(',')[1].TrimStart("Audit ID".ToCharArray()).Trim(); //Audit ID
                            }
                            lastIndexForDesc = 6;
                        }
                        catch (Exception ex)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for ML-DELIVERY: " + args.Message + " \nEx: " + ex.Message);
                            return;
                        }
                    }
                    else
                    {
                        if (Desc[5].Contains("|SOURCE|"))
                        {
                            try
                            {
                                rec.UserName = "******";
                                string[] descText = Desc[5].Split('|');
                                rec.EventCategory = "MESSAGE SOURCE";
                                rec.CustomStr5 = descText[0]; //Message ID
                                rec.CustomStr6 = descText[1]; //Audit ID
                                rec.CustomStr2 = descText[3]; //Mail Source (internal / external)
                            }
                            catch (Exception ex)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for message SOURCE: " + args.Message + " \nEx: " + ex.Message);
                                return;
                            }
                        }
                        else if (Desc[5].Contains("|ACCEPT|"))
                        {
                            try
                            {
                                rec.UserName = "******";
                                string[] descText = Desc[5].Split('|');
                                rec.EventCategory = "MESSAGE ACCEPT";
                                rec.CustomStr5 = descText[0]; //Message ID
                                rec.CustomStr6 = descText[1]; //Audit ID
                                rec.CustomStr2 = descText[3] + ":" + Desc[6]; // Mail Server IP Address
                            }
                            catch (Exception ex)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for message ACCEPT: " + args.Message + " \nEx: " + ex.Message);
                                return;
                            }
                        }
                        else if (Desc[5].Contains("|SUBJECT|"))
                        {
                            try
                            {
                                rec.UserName = "******";
                                string[] descText = Desc[5].Split('|');
                                rec.EventCategory = "MESSAGE SUBJECT";
                                rec.CustomStr5 = descText[0]; //Message ID
                                rec.CustomStr6 = descText[1]; //Audit ID
                                rec.CustomStr8 = descText[3]; // Subject Text
                                for (int i = 6; i < Desc.Length; i++)
                                {
                                    rec.CustomStr8 += ":" + Desc[i];
                                }
                                if (rec.CustomStr8.Length > 900)
                                {
                                    rec.CustomStr8 = rec.CustomStr8.Substring(0, 895) + "...";
                                    L.Log(LogType.FILE, LogLevel.INFORM, "Subject length too long. Only 895 characters taken..");
                                }
                            }
                            catch (Exception ex)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for message SUBJECT: " + args.Message + " \nEx: " + ex.Message);
                                return;
                            }
                        }
                        else if (Desc[5].Contains("|VERDICT|"))
                        {
                            try
                            {
                                rec.UserName = "******";
                                string[] descText = Desc[5].Split('|');
                                rec.EventCategory = "MESSAGE VERDICT";
                                rec.CustomStr5 = descText[0]; //Message ID
                                rec.CustomStr6 = descText[1]; //Audit ID
                                rec.CustomStr2 = descText[3]; // Mail address

                                for (int i = 4; i < descText.Length; i++)
                                {
                                    if (descText[i].Contains("@"))
                                    {
                                        continue;
                                    }
                                    rec.CustomStr3 += descText[i] + "/";
                                }
                                rec.CustomStr3 = rec.CustomStr3.TrimEnd("/".ToCharArray()); // Verdict Text
                                if (rec.CustomStr3.Length > 900)
                                {
                                    rec.CustomStr3 = rec.CustomStr3.Substring(0, 895) + "...";
                                    L.Log(LogType.FILE, LogLevel.INFORM, "Verdict length too long. Only 895 characters taken..");
                                }
                            }
                            catch (Exception ex)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for message VERDICT: " + args.Message + " \nEx: " + ex.Message);
                                return;
                            }
                        }
                        else if (Desc[5].Contains("|IRCPTACTION|"))
                        {
                            try
                            {
                                rec.UserName = "******";
                                string[] descText = Desc[5].Split('|');
                                rec.EventCategory = "MESSAGE IRCPTACTION";
                                rec.CustomStr5 = descText[0]; //Message ID
                                rec.CustomStr6 = descText[1]; //Audit ID
                                for (int i = 3; i < descText.Length - 1; i++)
                                {
                                    rec.CustomStr2 += descText[i] + ",";
                                }
                                rec.CustomStr2 = rec.CustomStr2.TrimEnd(",".ToCharArray()); // Recipient Addresses
                                rec.CustomStr3 = descText[descText.Length - 1]; // Action
                                if (rec.CustomStr3.Length > 900)
                                {
                                    rec.CustomStr3 = rec.CustomStr3.Substring(0, 895) + "...";
                                    L.Log(LogType.FILE, LogLevel.INFORM, "Action length too long. Only 895 characters taken..");
                                }
                            }
                            catch (Exception ex)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for message IRCPTACTION: " + args.Message + " \nEx: " + ex.Message);
                                return;
                            }
                        }
                        else if (Desc[5].Contains("|DELIVER|"))
                        {
                            try
                            {

                                rec.UserName = "******";
                                string[] descText = args.Message.Split('|');
                                rec.EventCategory = "MESSAGE DELIVER";
                                rec.CustomStr5 = descText[descText.Length - 5].Split(':')[descText[descText.Length - 5].Split(':').Length - 1]; //Message ID
                                rec.CustomStr6 = descText[descText.Length - 4]; //Audit ID
                                rec.CustomStr2 = descText[descText.Length - 2]; // Mail Server IP Address
                                rec.CustomStr3 = descText[descText.Length - 1]; // Recipient Address

                                //dali
                                //rec.UserName = "******";
                                //string[] descText = Desc[5].Split('|');
                                //rec.EventCategory = "MESSAGE DELIVER";
                                //rec.CustomStr5 = descText[0]; //Message ID
                                //rec.CustomStr6 = descText[1]; //Audit ID
                                //rec.CustomStr2 = descText[3]; // Mail Server IP Address
                                //rec.CustomStr3 = descText[4]; // Recipient Address

                            }
                            catch (Exception ex)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for message DELIVER: " + args.Message + " \nEx: " + ex.Message);
                                return;
                            }

                        }
                        else if (Desc[5].Contains("|SENDER|"))
                        {
                            try
                            {
                                rec.UserName = "******";
                                string[] descText = Desc[5].Split('|');
                                rec.EventCategory = "MESSAGE SENDER";
                                rec.CustomStr5 = descText[0]; //Message ID
                                rec.CustomStr6 = descText[1]; //Audit ID
                                if (descText[3] == "\\")
                                {
                                    if (descText.Length > 4)
                                    {
                                        rec.CustomStr4 = descText[4]; // Sender Address
                                    }
                                    else
                                    {
                                        rec.CustomStr4 = "\\"; // Sender Address
                                    }
                                }
                                else
                                {
                                    rec.CustomStr4 = descText[3]; // Sender Address
                                }
                            }
                            catch (Exception ex)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for message SENDER: " + args.Message + " \nEx: " + ex.Message);
                                return;
                            }
                        }
                        else if (Desc[5].Contains("|ORCPTS|"))
                        {
                            try
                            {
                                rec.UserName = "******";
                                string[] descText = Desc[5].Split('|');
                                rec.EventCategory = "MESSAGE ORCPTS";
                                rec.CustomStr5 = descText[0]; //Message ID
                                rec.CustomStr6 = descText[1]; //Audit ID
                                for (int i = 3; i < descText.Length; i++)
                                {
                                    rec.CustomStr3 += descText[i] + ",";
                                }
                                rec.CustomStr3 = rec.CustomStr3.TrimEnd(",".ToCharArray()); // Recipient Addresses

                                if (rec.CustomStr3.Length >= 6300)
                                {
                                    rec.CustomStr4 = rec.CustomStr3.Substring(900, 900);
                                    rec.CustomStr7 = rec.CustomStr3.Substring(1800, 900);
                                    rec.CustomStr8 = rec.CustomStr3.Substring(2700, 900);
                                    rec.CustomStr9 = rec.CustomStr3.Substring(3600, 900);
                                    rec.CustomStr10 = rec.CustomStr3.Substring(4500, 900);
                                    rec.CustomStr2 = rec.CustomStr3.Substring(5400, 900);
                                    rec.CustomStr3 = rec.CustomStr3.Substring(0, 900);
                                    L.Log(LogType.FILE, LogLevel.INFORM, "Recipient length longer than 6300. Only 6300 characters taken and data has been shared among other table fields..");
                                }
                                else if (rec.CustomStr3.Length >= 5400)
                                {
                                    rec.CustomStr4 = rec.CustomStr3.Substring(900, 900);
                                    rec.CustomStr7 = rec.CustomStr3.Substring(1800, 900);
                                    rec.CustomStr8 = rec.CustomStr3.Substring(2700, 900);
                                    rec.CustomStr9 = rec.CustomStr3.Substring(3600, 900);
                                    rec.CustomStr10 = rec.CustomStr3.Substring(4500, 900);
                                    rec.CustomStr2 = rec.CustomStr3.Substring(5400, rec.CustomStr3.Length - 5400);
                                    rec.CustomStr3 = rec.CustomStr3.Substring(0, 900);
                                    L.Log(LogType.FILE, LogLevel.INFORM, "Recipient length longer than 5400. Data has been shared among other table fields..");
                                }
                                else if (rec.CustomStr3.Length >= 4500)
                                {
                                    rec.CustomStr4 = rec.CustomStr3.Substring(900, 900);
                                    rec.CustomStr7 = rec.CustomStr3.Substring(1800, 900);
                                    rec.CustomStr8 = rec.CustomStr3.Substring(2700, 900);
                                    rec.CustomStr9 = rec.CustomStr3.Substring(3600, 900);
                                    rec.CustomStr10 = rec.CustomStr3.Substring(4500, rec.CustomStr3.Length - 4500);
                                    rec.CustomStr3 = rec.CustomStr3.Substring(0, 900);
                                    L.Log(LogType.FILE, LogLevel.INFORM, "Recipient length longer than 4500. Data has been shared among other table fields.");
                                }
                                else if (rec.CustomStr3.Length >= 3600)
                                {
                                    rec.CustomStr4 = rec.CustomStr3.Substring(900, 900);
                                    rec.CustomStr7 = rec.CustomStr3.Substring(1800, 900);
                                    rec.CustomStr8 = rec.CustomStr3.Substring(2700, 900);
                                    rec.CustomStr9 = rec.CustomStr3.Substring(3600, rec.CustomStr3.Length - 3600);
                                    rec.CustomStr3 = rec.CustomStr3.Substring(0, 900);
                                    L.Log(LogType.FILE, LogLevel.INFORM, "Recipient length longer than 3600. Data has been shared among other table fields.");
                                }
                                else if (rec.CustomStr3.Length >= 2700)
                                {
                                    rec.CustomStr4 = rec.CustomStr3.Substring(900, 900);
                                    rec.CustomStr7 = rec.CustomStr3.Substring(1800, 900);
                                    rec.CustomStr8 = rec.CustomStr3.Substring(2700, rec.CustomStr3.Length - 2700);
                                    rec.CustomStr3 = rec.CustomStr3.Substring(0, 900);
                                    L.Log(LogType.FILE, LogLevel.INFORM, "Recipient length longer than 2700. Data has been shared among other table fields.");
                                }
                                else if (rec.CustomStr3.Length >= 1800)
                                {
                                    rec.CustomStr4 = rec.CustomStr3.Substring(900, 900);
                                    rec.CustomStr7 = rec.CustomStr3.Substring(1800, rec.CustomStr3.Length - 1800);
                                    rec.CustomStr3 = rec.CustomStr3.Substring(0, 900);
                                    L.Log(LogType.FILE, LogLevel.INFORM, "Recipient length longer than 1800. Data has been shared among other table fields.");
                                }
                                else if (rec.CustomStr3.Length > 900)
                                {
                                    rec.CustomStr4 = rec.CustomStr3.Substring(900, rec.CustomStr3.Length - 900);
                                    rec.CustomStr3 = rec.CustomStr3.Substring(0, 900);
                                    L.Log(LogType.FILE, LogLevel.INFORM, "Recipient length longer than 900. Data has been shared among other table fields.");
                                }
                            }
                            catch (Exception ex)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for message ORCPTS: " + args.Message + " \nEx: " + ex.Message);
                                return;
                            }
                        }
                        else if (Desc[5].Contains("|ATTACH|"))
                        {
                            try
                            {
                                rec.UserName = "******";
                                string[] descText = Desc[5].Split('|');
                                rec.EventCategory = "MESSAGE ATTACH";
                                rec.CustomStr5 = descText[0]; //Message ID
                                rec.CustomStr6 = descText[1]; //Audit ID
                                for (int i = 3; i < descText.Length; i++)
                                {
                                    rec.CustomStr3 += descText[i] + ",";
                                }
                                rec.CustomStr3 = rec.CustomStr3.TrimEnd(",".ToCharArray()); // Attached Documents
                                if (rec.CustomStr3.Length > 900)
                                {
                                    rec.CustomStr3 = rec.CustomStr3.Substring(0, 895) + "...";
                                    L.Log(LogType.FILE, LogLevel.INFORM, "Attachment length too long. Only 895 characters taken..");
                                }
                            }
                            catch (Exception ex)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for message ATTACH: " + args.Message + " \nEx: " + ex.Message);
                                return;
                            }
                        }
                        else
                        {
                            rec.UserName = "******";
                            L.Log(LogType.FILE, LogLevel.DEBUG, "Just put in description column. Ignored format: " + args.Message);
                        }
                        lastIndexForDesc = 5;
                    }
                }
                else
                {
                    L.Log(LogType.FILE, LogLevel.DEBUG, "Just put in description column. Very short message: " + args.Message);
                    lastIndexForDesc = 5;
                }

                for (int i = lastIndexForDesc; i < Desc.Length; i++)
                {
                    rec.Description += Desc[i] + ":";
                }
                rec.Description = rec.Description.TrimEnd(":".ToCharArray());
                if (rec.Description.Length > 900)
                {
                    rec.Description = rec.Description.Substring(0, 900);
                }

                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");

                L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
                if (usingRegistry)
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
                    s.SetData(rec);
                }
                else
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
                    s.SetData(Dal, virtualhost, rec);
                    s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");

            }
            catch (Exception er)
            {
                L.LogTimed(LogType.FILE, LogLevel.ERROR, er.ToString());
            }
        }
        /// <summary>
        /// Handles one received syslog event: builds a <c>CustomBase.Rec</c> from it,
        /// lets <c>CoderParse</c> work on the record, and hands the record to the
        /// "Security Manager Remote Recorder" service.
        /// </summary>
        /// <param name="args">Event data; its <c>Message</c> and <c>Source</c> are read.</param>
        /// <remarks>
        /// Every exception is caught and written to the file log at ERROR level, so an
        /// event that fails anywhere before <c>SetData</c> is not forwarded.
        /// NOTE(review): the message is presumably sender-controlled syslog text and is
        /// written verbatim to the file log. Confirm the logger neutralises CR/LF so
        /// that an embedded line break cannot produce a forged log entry.
        /// </remarks>
        void SlogSyslogEvent(LogMgrEventArgs args)
        {
            try
            {
                _log.Log(LogType.FILE, LogLevel.DEBUG, " SlogSyslogEvent() --> is STARTED");

                string rawMessage = args.Message;
                _log.Log(LogType.FILE, LogLevel.DEBUG, " SlogSyslogEvent() --> will parse data : " + rawMessage);

                CustomBase.Rec record = new CustomBase.Rec();
                record.LogName = "MCAffeeUTMSyslogRecorder";
                // Stamped with the local receive time, not a time taken from the message.
                // NOTE(review): whether CoderParse later replaces it is not visible here.
                record.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");
                record.SourceName = args.Source;

                // A message longer than 895 characters keeps only its first 894; the
                // untruncated text is still what gets passed to CoderParse below.
                record.Description = rawMessage.Length > 895
                    ? rawMessage.Substring(0, 894)
                    : rawMessage;

                CoderParse(rawMessage, ref record);

                CustomServiceBase recorder = base.GetInstanceService("Security Manager Remote Recorder");
                recorder.SetData(_dal, _virtualHost, record);
                // The record timestamp is passed as both the second and the last argument.
                recorder.SetReg(_id, record.Datetime, "", "", "", record.Datetime);

                _log.Log(LogType.FILE, LogLevel.DEBUG, " SlogSyslogEvent() --> is succesfully FINISHED.");
            }
            catch (Exception failure)
            {
                // Best effort: the failure is recorded and the event is dropped.
                _log.Log(LogType.FILE, LogLevel.ERROR, " SlogSyslogEvent() --> An error occurred : " + failure.ToString());
            }
        }
        void slog_SyslogEvent(LogMgrEventArgs args)
        {
            L.Log(LogType.FILE, LogLevel.INFORM, "Log Parsing is starte. Line is: " + args.Message);

            string line = args.Message;
            Rec rec = new Rec();

            try
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
                try
                {
                    rec.LogName = "TrendMicroInterScanWebGatewayV_1_0_0Recorder";
                    rec.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");

                    string[] lineArr = line.Split(',');
                    string[] lineArrAlternate = SpaceSplit(line, false);

                    for (int i = 0; i < lineArr.Length; i++)
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "lineArr: " + lineArr[i]);
                    }

                    for (int i = 0; i < lineArrAlternate.Length; i++)
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "lineArrAlternate: " + lineArr[i]);
                    }

                    rec.EventCategory = lineArrAlternate[2];
                    rec.EventType = Between(lineArr[2], "]", "tk_username", 0);
                    try
                    {
                        DateTime dt = Convert.ToDateTime(lineArr[1]);
                        rec.Datetime = dt.ToString(dateFormat);
                        L.Log(LogType.FILE, LogLevel.DEBUG, "Datetime: " + rec.Datetime);

                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "Datetime Convert error: " + exception.Message);
                    }

                    for (int i = 0; i < lineArr.Length; i++)
                    {
                        if (lineArr[i].StartsWith("tk_username="******"tk_username="******"tk_username="******"UserName: "******"tk_protocol="))
                        {
                            rec.CustomStr5 = GetValue(lineArr[i], "tk_protocol=");
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr5: " + rec.CustomStr5);
                        }

                        if (lineArr[i].StartsWith("tk_uid="))
                        {
                            rec.CustomStr9 = GetValue(lineArr[i], "tk_uid=");
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr9: " + rec.CustomStr9);
                        }

                        if (lineArrAlternate[2] == "local0.info")
                        {
                            if (lineArr[i].StartsWith("tk_server="))
                            {
                                rec.ComputerName = GetValue(lineArr[i], "tk_server=");
                                L.Log(LogType.FILE, LogLevel.DEBUG, "ComputerName: " + rec.ComputerName);
                            }

                            //10.20.1.122:34970 : local0.info iwsva1.dpt.gov.tr: <Tue, 08 Oct 2013 14:32:16,EEST> [EVT_URL_ACCESS_TRACKING|LOG_INFO] Access tracking log tk_username=10.10.11.39,tk_url=http://haber10.com/images/news/100x75/421378.jpg,tk_size=0,tk_date_field=2013-10-08 14:32:16+0300,tk_protocol=http,tk_mime_content=unknown/unknown,tk_server=iwsva1.dpt.gov.tr,tk_client_ip=10.10.11.39,tk_server_ip=176.53.59.192,tk_domain=haber10.com,tk_path=images/news/100x75/421378.jpg,tk_file_name=421378.jpg,tk_operation=GET,tk_uid=1159564668-d32bfc31cafb9b079c18,tk_category=46,tk_category_type=0

                            if (lineArr[i].StartsWith("tk_operation="))
                            {
                                rec.CustomStr1 = GetValue(lineArr[i], "tk_operation=");
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr1: " + rec.CustomStr1);
                            }

                            if (lineArr[i].StartsWith("tk_client_ip="))
                            {
                                rec.CustomStr3 = GetValue(lineArr[i], "tk_client_ip=");
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
                            }

                            if (lineArr[i].StartsWith("tk_server_ip="))
                            {
                                rec.CustomStr4 = GetValue(lineArr[i], "tk_server_ip=");
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4: " + rec.CustomStr4);
                            }

                            if (lineArr[i].StartsWith("tk_mime_content="))
                            {
                                rec.CustomStr6 = GetValue(lineArr[i], "tk_mime_content=");
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr6: " + rec.CustomStr6);
                            }

                            if (lineArr[i].StartsWith("tk_domain="))
                            {
                                rec.CustomStr7 = GetValue(lineArr[i], "tk_domain=");
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr7: " + rec.CustomStr7);
                            }

                            if (lineArr[i].StartsWith("tk_path="))
                            {
                                rec.CustomStr8 = GetValue(lineArr[i], "tk_path=");
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr8: " + rec.CustomStr8);
                            }

                            if (lineArr[i].StartsWith("tk_url="))
                            {
                                rec.CustomStr10 = GetValue(lineArr[i], "tk_url=");
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr10: " + rec.CustomStr10);
                            }

                            try
                            {
                                if (lineArr[i].StartsWith("tk_size="))
                                {
                                    rec.CustomInt1 = Convert.ToInt32(GetValue(lineArr[i], "tk_size="));
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt1: " + rec.CustomInt1);
                                }

                            }
                            catch (Exception exception)
                            {
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt1 Type Casting Error: " + exception.Message);
                            }

                            try
                            {
                                if (lineArr[i].StartsWith("tk_category="))
                                {
                                    rec.CustomInt2 = Convert.ToInt32(GetValue(lineArr[i], "tk_category="));
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt2: " + rec.CustomInt2);
                                }
                            }
                            catch (Exception exception)
                            {
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt2 Type Casting Error: " + exception.Message);
                            }

                            try
                            {
                                if (lineArr[i].StartsWith("tk_category_type="))
                                {
                                    rec.CustomInt3 = Convert.ToInt32(GetValue(lineArr[i], "tk_category_type="));
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt3: " + rec.CustomInt3);
                                }
                            }
                            catch (Exception exception)
                            {
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt3 Type Casting Error: " + exception.Message);
                            }
                        }

                        if (lineArrAlternate[2] == "local0.critical")
                        {
                            if (lineArr[i].StartsWith("tk_url="))
                            {
                                rec.CustomStr2 = GetValue(lineArr[i], "tk_url=");
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2: " + rec.CustomStr2);
                            }

                            if (lineArr[i].StartsWith("tk_scan_type="))
                            {
                                rec.CustomStr6 = GetValue(lineArr[i], "tk_scan_type=");
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr6: " + rec.CustomStr6);
                            }

                            if (lineArr[i].StartsWith("tk_blocked_by="))
                            {
                                rec.CustomStr7 = GetValue(lineArr[i], "tk_blocked_by=");
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr7: " + rec.CustomStr7);
                            }

                            if (lineArr[i].StartsWith("tk_rule_name"))
                            {
                                rec.CustomStr8 = GetValue(lineArr[i], "tk_rule_name=");
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr8: " + rec.CustomStr8);
                            }

                            if (lineArr[i].StartsWith("tk_url="))
                            {
                                string sdf = GetValue(lineArr[i], "tk_url=");
                                string sdfg = Between(sdf, "http://", "/", 0);
                                rec.CustomStr1 = Before(sdfg, "/", 0);
                            }

                            if (lineArr[i].StartsWith("tk_category="))
                            {
                                rec.CustomStr10 = GetValue(lineArr[i], "tk_category=");
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr10: " + rec.CustomStr10);
                            }

                            try
                            {
                                if (lineArr[i].StartsWith("tk_opp_id="))
                                {
                                    rec.CustomInt5 = Convert.ToInt32(GetValue(lineArr[i], "tk_opp_id="));
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt5: " + rec.CustomInt5);
                                }

                            }
                            catch (Exception exception)
                            {
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt5 Type Casting Error: " + exception.Message);
                            }

                            try
                            {
                                if (lineArr[i].StartsWith("tk_filter_action="))
                                {
                                    rec.CustomInt6 = Convert.ToInt32(GetValue(lineArr[i], "tk_filter_action="));
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt6: " + rec.CustomInt6);
                                }
                            }
                            catch (Exception exception)
                            {
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt6 Type Casting Error: " + exception.Message);
                            }
                        }
                    }

                    if (line.Length > 899)
                        rec.Description = line.Substring(0, 899);

                    else
                        rec.Description = line;
                    //
                    rec.Description = rec.Description.Replace("'", "|");

                    L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
                    L.Log(LogType.FILE, LogLevel.INFORM, "Start sending Data: " + rec.UserName);
                    L.Log(LogType.FILE, LogLevel.INFORM, "Start sending Data: " + rec.UserName);

                    CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
                    s.SetData(Dal, virtualhost, rec);
                    s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);

                    L.Log(LogType.FILE, LogLevel.INFORM, "Finish Sending Data");

                }
                catch (Exception e)
                {
                    L.Log(LogType.FILE, LogLevel.DEBUG, "ERROR------------");
                    L.Log(LogType.FILE, LogLevel.DEBUG, e.Message);
                    L.Log(LogType.FILE, LogLevel.DEBUG, e.StackTrace);
                }

            }
            catch (Exception er)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
                L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
            }
        }
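        /// <summary>
        /// Converts one syslog event into a <c>Rec</c> and passes it to the
        /// "Security Manager Remote Recorder" service.
        /// </summary>
        /// <remarks>
        /// The message is decoded with <c>DecodeLine</c> and stored in Description (capped at 900
        /// characters). When the decoded line matches <c>RegInputLine</c>, group 6 is scanned with
        /// <c>RegField</c> and the keys to, from, size, status, relay, nrcpt, delay, proto and helo
        /// are copied into the CustomStr columns; which column size/status/relay/proto/helo land in
        /// depends on whether EventCategory is "cleanup". A line that does not match is sent with
        /// only LogName, Datetime and Description set. Parsing is best effort: an exception raised
        /// while parsing is logged and the partially filled record is still sent.
        /// </remarks>
        /// <param name="args">Event whose <c>Message</c> holds the syslog text to parse.</param>
        void slog_SyslogEvent(LogMgrEventArgs args)
        {
            var rec = new Rec();
            L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
            // NOTE(review): args.Message is presumably sender-controlled syslog text and is written
            // to the file log unmodified; confirm L.Log neutralises CR/LF so a crafted message
            // cannot forge additional log entries.
            L.Log(LogType.FILE, LogLevel.DEBUG, " Log : " + args.Message);

            try
            {
                try
                {
                    rec.LogName = "ZimbraMailSyslogV_1_0_0Recorder";
                    // Receive time (local clock), not a timestamp taken from the message.
                    // NOTE(review): no format provider is passed, so '/' and ':' are rendered with
                    // the current culture's separators; confirm the consumer of rec.Datetime expects that.
                    rec.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");
                    var lineSb = new StringBuilder();
                    L.Log(LogType.FILE, LogLevel.DEBUG, " Decoding Line");
                    DecodeLine(lineSb, args.Message);
                    L.Log(LogType.FILE, LogLevel.DEBUG, " Decode Complete. Processing Line..");

                    var line = lineSb.ToString();
                    // Clears the builder; it is not used again in this method.
                    lineSb.Remove(0, lineSb.Length);

                    // Only Description is capped; the regular expressions below run on the full line.
                    // NOTE(review): the patterns are defined elsewhere; confirm they cannot backtrack
                    // excessively on long or crafted input.
                    rec.Description = line.Length > 900 ? line.Substring(0, 900) : line;

                    L.Log(LogType.FILE, LogLevel.DEBUG, " Check Line match");
                    var m = RegInputLine.Match(line);
                    if (m.Success)
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "Line match Ok, split accordingly");
                        line = m.Groups[6].Value;

                        // Ordinal search: this is machine-generated text, so a culture-sensitive
                        // search (which can skip ignorable characters) is not wanted here.
                        var i = line.IndexOf(": ", StringComparison.Ordinal);
                        rec.CustomStr1 = i > 0 ? line.Substring(0, i).Trim() : string.Empty;
                        rec.CustomStr2 = m.Groups[4].Value.Trim();

                        var msub = RegCategory.Match(m.Groups[5].Value);
                        rec.EventCategory = msub.Success ? msub.Groups[3].Value : m.Groups[5].Value;

                        // EventCategory is not reassigned below, so the test is done once.
                        var isCleanup = rec.EventCategory == "cleanup";

                        msub = RegField.Match(line);
                        while (msub.Success)
                        {
                            L.Log(LogType.FILE, LogLevel.DEBUG, "Getting sub part value");
                            var value = GetMatchValue(msub, 3, 6, string.Empty).Trim();
                            L.Log(LogType.FILE, LogLevel.DEBUG, "Sub Part: " + value);
                            switch (msub.Groups[1].Value)
                            {
                                case "to":
                                    rec.CustomStr4 = value;
                                    break;
                                case "from":
                                    rec.CustomStr5 = value;
                                    break;
                                case "size":
                                    if (!isCleanup)
                                        rec.CustomStr6 = value;
                                    break;
                                case "status":
                                    if (!isCleanup)
                                        rec.CustomStr7 = value;
                                    break;
                                case "relay":
                                    if (!isCleanup)
                                        rec.CustomStr8 = value;
                                    break;
                                case "nrcpt":
                                    rec.CustomStr9 = value;
                                    break;
                                case "delay":
                                    rec.CustomStr10 = value;
                                    break;
                                // For "cleanup" records CustomStr6/7 hold proto/helo instead of size/status.
                                case "proto":
                                    if (isCleanup)
                                        rec.CustomStr6 = value;
                                    break;
                                case "helo":
                                    if (isCleanup)
                                        rec.CustomStr7 = value;
                                    break;
                            }
                            msub = msub.NextMatch();
                        }
                        if (isCleanup)
                        {
                            msub = RegSubject.Match(line);
                            if (msub.Success)
                            {
                                rec.CustomStr3 = GetMatchValue(msub, 1, 1, string.Empty).Trim();
                                rec.CustomStr8 = GetMatchValue(msub, 3, 3, string.Empty).Trim();
                            }
                        }
                    }
                    else
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, " No match. Insert in raw");
                    }
                }
                catch (Exception e)
                {
                    // Best effort: the failure is logged and the record is sent as far as it was filled.
                    L.Log(LogType.FILE, LogLevel.ERROR, "ERROR------------");
                    L.Log(LogType.FILE, LogLevel.ERROR, e.Message);
                    L.Log(LogType.FILE, LogLevel.ERROR, e.StackTrace);
                }

                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");

                // NOTE(review): the field values come from the message text and are passed on
                // unescaped; if SetData writes to a database, confirm it binds them as parameters
                // rather than concatenating them into a statement.
                var customServiceBase = GetInstanceService("Security Manager Remote Recorder");
                customServiceBase.SetData(Dal, virtualhost, rec);
                customServiceBase.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);

                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
            }
            catch (Exception er)
            {
                // Send failures end up here; the raw message is logged so the event can be traced.
                L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
                L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
            }
        }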
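        /// <summary>
        /// Parses one syslog line into a <c>CustomBase.Rec</c> and passes it to the
        /// "Security Manager Remote Recorder" service.
        /// </summary>
        /// <remarks>
        /// The message is split with <c>SpaceSplit</c>. The timestamp is built from fields 3, 4 and 5
        /// plus the current year. Field 6 selects the layout: a value starting with "squid" or "pf"
        /// fills the corresponding record columns; any other line is sent with only LogName, the
        /// timestamp and Description (capped at 899 characters). Every field is extracted inside its
        /// own try/catch, so one malformed field is logged and the remaining fields are still filled.
        /// </remarks>
        /// <param name="args">Event whose <c>Message</c> holds the syslog line to parse.</param>
        public void SlogSquidSyslogRecorder(LogMgrEventArgs args)
        {
            L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
            // NOTE(review): args.Message is presumably sender-controlled syslog text and is written
            // to the file log unmodified (here and below); confirm L.Log neutralises CR/LF so a
            // crafted message cannot forge additional log entries.
            L.Log(LogType.FILE, LogLevel.DEBUG, "Line Onur  : " + args.Message);
            try
            {
                CustomBase.Rec rec = new CustomBase.Rec();
                try
                {
                    rec.LogName = "SquidSyslogV_1_0_1Recorder";
                    string[] lineArr = SpaceSplit(args.Message, false);

                    try
                    {
                        // The line carries no year, so the current year is assumed.
                        // NOTE(review): Convert.ToDateTime parses with the current culture; confirm the
                        // month text in the feed parses under the service's culture. If this block
                        // throws, rec.Datetime is never assigned here and is still passed to SetReg below.
                        string myDateTimeString = lineArr[4] + lineArr[3] + "," + DateTime.Now.Year + "," + lineArr[5];
                        DateTime dt = Convert.ToDateTime(myDateTimeString);
                        rec.Datetime = dt.ToString(dateFormat);
                        L.Log(LogType.FILE, LogLevel.DEBUG, "Datetime: " + rec.Datetime);
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "Datetime Error. " + exception.ToString());
                    }

                    // Ordinal prefix tests below: the tags are machine-generated text, so a
                    // culture-sensitive comparison (which can skip ignorable characters) is not wanted.
                    #region squid
                    if (lineArr.Length > 6 && lineArr[6].StartsWith("squid", StringComparison.Ordinal))
                    {
                        try
                        {
                            // Field 10 is split on '/': first part -> EventCategory, second -> CustomInt1.
                            if (lineArr.Length > 10 && lineArr[10].Contains("/"))
                            {
                                string[] resultParts = lineArr[10].Split('/');
                                rec.EventCategory = resultParts[0];
                                rec.CustomInt1 = Convert.ToInt32(resultParts[1]);
                                L.Log(LogType.FILE, LogLevel.DEBUG, "EventCategory: " + rec.EventCategory);
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt1: " + rec.CustomInt1);
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "EventCategory or CustomInt1 Error. " + exception.ToString());
                        }

                        try
                        {
                            if (lineArr.Length > 12)
                            {
                                rec.EventType = lineArr[12];
                                L.Log(LogType.FILE, LogLevel.DEBUG, "EventType: " + rec.EventType);
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "EventType Error. " + exception.ToString());
                        }

                        try
                        {
                            if (lineArr.Length > 0)
                            {
                                rec.ComputerName = lineArr[0];
                                L.Log(LogType.FILE, LogLevel.DEBUG, "ComputerName: " + rec.ComputerName);
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "ComputerName Error. " + exception.ToString());
                        }

                        try
                        {
                            // The last field of the line goes to CustomStr2.
                            rec.CustomStr2 = lineArr[lineArr.Length - 1];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2: " + rec.CustomStr2);
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr2 Error. " + exception.ToString());
                        }

                        try
                        {
                            if (lineArr.Length > 9)
                            {
                                rec.CustomStr3 = lineArr[9];
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr3 Error. " + exception.ToString());
                        }

                        try
                        {
                            if (lineArr.Length > 15)
                            {
                                // "a/b" -> CustomStr4 = a, CustomStr7 = b; otherwise the whole field -> CustomStr4.
                                if (lineArr[15].Contains("/"))
                                {
                                    string[] peerParts = lineArr[15].Split('/');
                                    rec.CustomStr4 = peerParts[0];
                                    rec.CustomStr7 = peerParts[1];
                                }
                                else
                                {
                                    rec.CustomStr4 = lineArr[15];
                                }
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4: " + rec.CustomStr4);
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr4 or CustomStr7 Error. " + exception.ToString());
                        }

                        try
                        {
                            // NOTE(review): the enclosing condition already requires the "http" prefix,
                            // so the host:port else-branch below can never run. If field 13 holds
                            // "host:port" for some requests (TODO confirm against the feed), those
                            // lines get no CustomStr8 / CustomInt2. Behaviour is left unchanged here.
                            if (lineArr.Length > 13 && lineArr[13].StartsWith("http", StringComparison.Ordinal))
                            {
                                string url = lineArr[13];
                                if (url.StartsWith("http", StringComparison.Ordinal))
                                {
                                    // Text between "://" and the next "/" -> CustomStr8; the remainder -> CustomStr9.
                                    string s1 = After(url, "://");
                                    string s2 = Before(s1, "/");
                                    rec.CustomStr8 = s2;
                                    rec.CustomStr9 = After(url, s2);
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr8: " + rec.CustomStr8);
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr9: " + rec.CustomStr9);
                                }
                                else
                                {
                                    if (url.Contains(":"))
                                    {
                                        string[] hostPort = url.Split(':');
                                        rec.CustomStr8 = hostPort[0];
                                        rec.CustomInt2 = Convert.ToInt32(hostPort[1]);
                                    }
                                }
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr8 or CustomStr9 Error. " + exception.ToString());
                        }
                    }
                    #endregion
                    #region pf
                    else if (lineArr.Length > 6 && lineArr[6].StartsWith("pf", StringComparison.Ordinal))
                    {
                        try
                        {
                            if (lineArr.Length > 13)
                            {
                                rec.SourceName = lineArr[13];
                                L.Log(LogType.FILE, LogLevel.DEBUG, "SourceName: " + rec.SourceName);
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "SourceName Error. " + exception.ToString());
                        }

                        try
                        {
                            if (lineArr.Length > 25)
                            {
                                rec.EventCategory = lineArr[25];
                                L.Log(LogType.FILE, LogLevel.DEBUG, "EventCategory: " + rec.EventCategory);
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "EventCategory Error. " + exception.ToString());
                        }

                        try
                        {
                            if (lineArr.Length > 10)
                            {
                                rec.EventType = lineArr[10];
                                L.Log(LogType.FILE, LogLevel.DEBUG, "EventType: " + rec.EventType);
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "EventType Error. " + exception.ToString());
                        }

                        try
                        {
                            if (lineArr.Length > 0)
                            {
                                rec.ComputerName = lineArr[0];
                                L.Log(LogType.FILE, LogLevel.DEBUG, "ComputerName : " + rec.ComputerName);
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "ComputerName Error. " + exception.ToString());
                        }

                        try
                        {
                            if (lineArr.Length > 29)
                            {
                                rec.CustomStr3 = Before(lineArr[29], ".", 1);
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3 : " + rec.CustomStr3);
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr3 Error. " + exception.ToString());
                        }

                        try
                        {
                            if (lineArr.Length > 31)
                            {
                                // CustomStr7 is stored before the numeric part is converted, so it is
                                // kept even when the conversion below throws.
                                rec.CustomStr7 = Before(lineArr[31], ".", 1);
                                string int2 = After(lineArr[31], ".", 0).Replace(":", " ").Trim();
                                rec.CustomInt2 = Convert.ToInt32(int2);
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr7: " + rec.CustomStr7);
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr7 or CustomInt2 Error. " + exception.ToString());
                        }
                    }
                    #endregion

                    // Description holds the raw message, capped at 899 characters.
                    if (args.Message.Length > 899)
                    {
                        rec.Description = args.Message.Substring(0, 899);
                        // This debug line reports CustomStr9 although the branch only truncates
                        // Description; kept as in the original.
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr9: " + rec.CustomStr9);
                    }
                    else
                    {
                        rec.Description = args.Message;
                    }
                    L.Log(LogType.FILE, LogLevel.INFORM, "Log : " + args.Message);
                }
                catch (Exception e)
                {
                    // Best effort: the failure is logged and the record is sent as far as it was filled.
                    L.Log(LogType.FILE, LogLevel.ERROR, "ERROR------------");
                    L.Log(LogType.FILE, LogLevel.ERROR, e.Message);
                    L.Log(LogType.FILE, LogLevel.ERROR, e.StackTrace);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");

                // NOTE(review): the field values come from the message text and are passed on
                // unescaped; if SetData writes to a database, confirm it binds them as parameters
                // rather than concatenating them into a statement.
                CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
                s.SetData(Dal, virtualhost, rec);
                s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);

                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
            }
            catch (Exception er)
            {
                // Send failures end up here; the raw message is logged so the event can be traced.
                L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
                L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
            }
        }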
        void slog_SyslogEvent(LogMgrEventArgs args)
        {
            CustomBase.Rec rec = new CustomBase.Rec();
            try
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
                rec.LogName = "CiscoPixSyslog Recorder";
                rec.Datetime = DateTime.Now.AddMinutes(zone).ToString("yyyy/MM/dd HH:mm:ss");
                rec.EventType = args.EventLogEntType.ToString();
                //rec.Description = args.Message;

                String[] Desc = args.Message.Split(':');

                if (args.Message == "")
                {
                    L.Log(LogType.FILE, LogLevel.INFORM, "Message is null " + args.Message);
                    return;
                }

                if (Desc.Length < 6)
                {
                    L.Log(LogType.FILE,LogLevel.ERROR,"Error parsing message for 6: "+args.Message);
                    return;
                }

                for (Int32 i = 0; i < Desc.Length; ++i)
                {
                    Desc[i] = Desc[i].Trim();
                }

                //Parsing PIX
                //Remove %
                Desc[5] = Desc[5].TrimStart('%');
                String[] pixArr = Desc[5].Split('-');

                if(pixArr.Length < 2)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 2:" + args.Message);
                    return;
                }
                //rec.CustomStr4 = pixArr[0] + "-" + pixArr[1];

                //Common fields for all pix records
                //Parsing Date Field

                String [] dateArr = SpaceSplit(Desc[2]);
                if(dateArr.Length < 4)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 4: " + args.Message);
                    return;
                }

                StringBuilder dateString = new StringBuilder();
                //Date
                dateString.Append(dateArr[1]).Append(" ").Append(dateArr[2]).Append(" ").Append(dateArr[3]).Append(" ");
                //Time
                dateString.Append(dateArr[4]).Append(":").Append(Desc[3]).Append(":").Append(Desc[4]);
                DateTime dt = DateTime.Parse(dateString.ToString());
                rec.Datetime = dt.ToString("yyyy/MM/dd HH:mm:ss");

                //Uncommon fields for all pix records
                //Now Parse with id
                rec.EventId = Convert.ToInt64(pixArr[2]);
                switch (pixArr[2])
                {
                    case "106001"://Untested
                        {
                            String[] arrInbound = Desc[6].Split(' ');

                            Int32 firstIp = 0;
                            Int32 secondIp = 0;
                            bool first = true;

                            for (Int32 i = 0; i < arrInbound.Length; i++)
                            {
                                if (arrInbound[i].Contains("/"))
                                {
                                    if (first)
                                    {
                                        firstIp = i;
                                        first = false;
                                    }
                                    else
                                    {
                                        secondIp = i;
                                        break;
                                    }
                                }

                            }

                            StringBuilder customStr2 = new StringBuilder();
                            for (Int32 i = 0; i < firstIp; i++)
                            {
                                customStr2.Append(arrInbound[i]).Append(" ");
                            }

                            rec.CustomStr2 = customStr2.ToString().Trim();

                            StringBuilder customStr4 = new StringBuilder();
                            for (Int32 i = firstIp + 1; i < secondIp; i++)
                            {
                                customStr4.Append(arrInbound[i]).Append(" ");
                            }

                            rec.CustomStr7 = customStr4.ToString().Trim();

                            String[] arrInboundIp = arrInbound[firstIp].Split('/');

                            rec.CustomStr3 = arrInboundIp[0];
                            rec.CustomInt1 = Convert.ToInt32(arrInboundIp[1]);

                            StringBuilder customStr6 = new StringBuilder();
                            for (Int32 i = secondIp + 1; i < arrInbound.Length; i++)
                            {
                                customStr6.Append(arrInbound[i]).Append(" ");
                            }

                            rec.Description = customStr6.ToString().Trim();

                            String[] arrInboundDescIp = arrInbound[secondIp].Split('/');
                            rec.CustomStr6 = arrInboundDescIp[0];
                            rec.CustomInt3 = Convert.ToInt32(arrInboundDescIp[1]);

                        } break;

                    case "106015":
                    case "302020":
                    case "302021":
                        {
                            String[] arrInbound = Desc[6].Split(' ');

                            Int32 firstIp = 0;
                            Int32 secondIp = 0;
                            bool first = true;

                            for (Int32 i = 0; i < arrInbound.Length; i++)
                            {
                                if (arrInbound[i].Contains("/"))
                                {
                                    if (first)
                                    {
                                        firstIp = i;
                                        first = false;
                                    }
                                    else
                                    {
                                        secondIp = i;
                                        break;
                                    }
                                }

                            }

                            StringBuilder customStr2 = new StringBuilder();
                            for (Int32 i = 0; i < firstIp; i++)
                            {
                                customStr2.Append(arrInbound[i]).Append(" ");
                            }

                            rec.CustomStr2 = customStr2.ToString().Trim();

                            StringBuilder customStr4 = new StringBuilder();
                            for (Int32 i = firstIp + 1; i < secondIp; i++)
                            {
                                customStr4.Append(arrInbound[i]).Append(" ");
                            }

                            rec.CustomStr4 = customStr4.ToString().Trim();

                            String[] arrInboundIp = arrInbound[firstIp].Split('/');

                            rec.CustomStr3 = arrInboundIp[0];
                            rec.CustomInt1 = Convert.ToInt32(arrInboundIp[1]);

                            StringBuilder customStr6 = new StringBuilder();
                            for (Int32 i = secondIp + 1; i < arrInbound.Length; i++)
                            {
                                customStr6.Append(arrInbound[i]).Append(" ");
                            }

                            rec.Description = customStr6.ToString().Trim();

                            String[] arrInboundDescIp = arrInbound[secondIp].Split('/');
                            rec.CustomStr5 = arrInboundDescIp[0];
                            rec.CustomInt3 = Convert.ToInt32(arrInboundDescIp[1]);

                        } break;
            /*                        {
                            String[] arrDenyInbound = Desc[6].Split(' ');

                            Int32 firstIpDenyInbound = 0;
                            Int32 secondIpDenyInbound = 0;
                            bool firstDenyInbound = true;

                            for (Int32 i = 0; i < arrDenyInbound.Length; i++)
                            {
                                if (arrDenyInbound[i].Contains("/"))
                                {
                                    if (firstDenyInbound)
                                    {
                                        firstIpDenyInbound = i;
                                        firstDenyInbound = false;
                                    }
                                    else
                                    {
                                        secondIpDenyInbound = i;
                                        break;
                                    }
                                }

                            }

                            StringBuilder customStr2DenyInbound = new StringBuilder();
                            for (Int32 i = 0; i < firstIpDenyInbound; i++)
                            {
                                customStr2DenyInbound.Append(arrDenyInbound[i]).Append(" ");
                            }

                            rec.CustomStr2 = customStr2DenyInbound.ToString().Trim();

                            StringBuilder customStr4 = new StringBuilder();
                            for (Int32 i = firstIpDenyInbound + 1; i < secondIpDenyInbound; i++)
                            {
                                customStr4.Append(arrDenyInbound[i]).Append(" ");
                            }

                            rec.CustomStr4 = customStr4.ToString().Trim();

                            String[] arrDenyInboundIp = arrDenyInbound[firstIpDenyInbound].Split('/');

                            rec.CustomStr3 = arrDenyInboundIp[0];
                            rec.CustomInt1 = Convert.ToInt32(arrDenyInboundIp[1]);

                            StringBuilder customStr6 = new StringBuilder();
                            for (Int32 i = secondIpDenyInbound + 1; i < arrDenyInbound.Length; i++)
                            {
                                customStr6.Append(arrDenyInbound[i]).Append(" ");
                            }

                            rec.Description = customStr6.ToString().Trim();

                            String[] arrDenyInboundDescIp = arrDenyInbound[secondIpDenyInbound].Split('/');
                            rec.CustomStr6 = arrDenyInboundDescIp[0];
                            rec.CustomInt3 = Convert.ToInt32(arrDenyInboundDescIp[1]);

                        }
                        break;
             */
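                    case "106021":
                        {
                            // Desc[6] is split on single spaces. Tokens 6 and 8 go to CustomStr3 and
                            // CustomStr6; every other token from index 1 on is re-joined with spaces
                            // into CustomStr2.
                            try
                            {
                                String[] tokens = Desc[6].Split(' ');
                                rec.CustomStr3 = tokens[6];
                                rec.CustomStr6 = tokens[8];

                                StringBuilder remainder = new StringBuilder();
                                for (Int32 i = 1; i < tokens.Length; i++)
                                {
                                    if (i != 6 && i != 8)
                                    {
                                        remainder.Append(tokens[i]);
                                        remainder.Append(" ");
                                    }
                                }

                                rec.CustomStr2 = remainder.ToString().Trim();
                            }
                            catch (Exception e)
                            {
                                // The fixed indexes above are not bounds-checked, so a short or
                                // unexpected message throws. Log it the way the other message-ID
                                // cases do, so an unparsed event leaves a trace instead of an
                                // unhandled exception leaving this case.
                                L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 106021:" + args.Message);
                                L.Log(LogType.FILE, LogLevel.ERROR, e.ToString());
                            }
                        }
                        break;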
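                    case "106006":
                        {
                            // Desc[6] is split on single spaces. Token 4 ("<addr>[/<number>]") fills
                            // CustomStr3 / CustomInt1, token 6 fills CustomStr6 / CustomInt2, and the
                            // remaining tokens from index 1 on are re-joined into CustomStr2.
                            try
                            {
                                String[] tokens = Desc[6].Split(' ');
                                String[] firstEndpoint = tokens[4].Split('/');

                                rec.CustomStr3 = firstEndpoint[0];
                                if (firstEndpoint.Length > 1)
                                {
                                    rec.CustomInt1 = Convert.ToInt32(firstEndpoint[1]);
                                }

                                String[] secondEndpoint = tokens[6].Split('/');

                                StringBuilder remainder = new StringBuilder();
                                for (Int32 i = 1; i < tokens.Length; i++)
                                {
                                    if (i != 4 && i != 6)
                                    {
                                        remainder.Append(tokens[i]);
                                        remainder.Append(" ");
                                    }
                                }

                                rec.CustomStr2 = remainder.ToString().Trim();

                                rec.CustomStr6 = secondEndpoint[0];
                                if (secondEndpoint.Length > 1)
                                {
                                    rec.CustomInt2 = Convert.ToInt32(secondEndpoint[1]);
                                }
                            }
                            catch (Exception e)
                            {
                                // Token indexes and the integer conversions are driven by the
                                // received message text. A malformed message is logged here, as in
                                // the other message-ID cases; fields set before the failure are kept.
                                L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 106006:" + args.Message);
                                L.Log(LogType.FILE, LogLevel.ERROR, e.ToString());
                            }
                        }
                        break;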
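                    case "106007":
                        {
                            // Desc[6] is split on single spaces. All tokens from index 1 on except
                            // 4 and 6 are re-joined into CustomStr2; token 4 fills CustomStr3 /
                            // CustomInt1 and token 6 fills CustomStr6 / CustomInt2.
                            try
                            {
                                String[] tokens = Desc[6].Split(' ');

                                StringBuilder remainder = new StringBuilder();
                                for (Int32 i = 1; i < tokens.Length; i++)
                                {
                                    if (i != 4 && i != 6)
                                    {
                                        remainder.Append(tokens[i]).Append(" ");
                                    }
                                }
                                rec.CustomStr2 = remainder.ToString().Trim();

                                String[] secondEndpoint = tokens[6].Split('/');
                                String[] firstEndpoint = tokens[4].Split('/');
                                rec.CustomStr6 = secondEndpoint[0];
                                rec.CustomStr3 = firstEndpoint[0];
                                if (secondEndpoint.Length > 1)
                                {
                                    rec.CustomInt2 = Convert.ToInt32(secondEndpoint[1]);
                                }
                                if (firstEndpoint.Length > 1)
                                {
                                    rec.CustomInt1 = Convert.ToInt32(firstEndpoint[1]);
                                }
                            }
                            catch (Exception e)
                            {
                                // tokens[4] / tokens[6] and the integer conversions depend on the
                                // received text. Log a malformed message, as the other message-ID
                                // cases do, rather than letting the exception leave this case.
                                L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 106007:" + args.Message);
                                L.Log(LogType.FILE, LogLevel.ERROR, e.ToString());
                            }
                        }
                        break;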

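                      case "106017":
                          {
                            // Desc[6] is split on single spaces: tokens 1..5 are appended to
                            // CustomStr2, token 7 goes to CustomStr3 and token 9 to CustomStr5.
                            try
                            {
                                String[] tokens = Desc[6].Split(' ');
                                // NOTE(review): tokens are appended to whatever CustomStr2 already
                                // holds and without separators - confirm this is intended.
                                for (Int32 i = 1; i < 6; i++)
                                {
                                    rec.CustomStr2 = rec.CustomStr2 + tokens[i];
                                }
                                rec.CustomStr3 = tokens[7];
                                rec.CustomStr5 = tokens[9];
                            }
                            catch (Exception e)
                            {
                                // The message previously named 106023 here, which pointed anyone
                                // triaging the log at the wrong parser branch.
                                L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 106017:" + args.Message);
                                L.Log(LogType.FILE, LogLevel.ERROR, e.ToString());
                                break;
                            }
                            break;
                        }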
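                    case "710003":
                        {
                            //Desc[6] = TCP access denied by ACL from 131.162.130.192/43789 to outside
                            //Desc[7] = 193.140.76.0/80
                            // CustomStr3 / CustomInt1 <- address/number at token 6 of Desc[6]
                            // CustomStr6 / CustomInt2 <- address/number in Desc[7]
                            // CustomStr7 <- tokens 7 and 8, CustomStr2 <- tokens 0..4 (both concatenated without spaces)
                            try
                            {
                                String[] words = Desc[6].Split(' ');
                                String[] destination = Desc[7].Trim().Split('/');
                                String[] source = words[6].Split('/');

                                rec.CustomStr3 = source[0];
                                rec.CustomInt1 = Convert.ToInt32(source[1]);
                                rec.CustomStr6 = destination[0];
                                rec.CustomInt2 = Convert.ToInt32(destination[1]);
                                rec.CustomStr7 = words[7] + words[8];

                                StringBuilder prefix = new StringBuilder();
                                for (int i = 0; i < 5; i++)
                                {
                                    prefix.Append(words[i]);
                                }
                                rec.CustomStr2 = prefix.ToString();
                            }
                            catch (Exception e)
                            {
                                // Desc may be the reason we are here (too few elements), so do not
                                // index it unguarded inside the handler: that would throw again and
                                // lose the original error. Fall back to the raw message instead.
                                L.Log(LogType.FILE, LogLevel.ERROR, Desc.Length > 6 ? Desc[5] + Desc[6] : args.Message);
                                L.Log(LogType.FILE, LogLevel.ERROR, e.ToString());
                            }
                        }
                        break;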
              case "106016":
              case "106014":
                    case "106023":
                        {
                            // Shared branch for the three IDs above:
                            //   Desc[6]            -> start of CustomStr2
                            //   Desc[7] first word -> CustomStr3 and, after a '/', CustomInt1
                            //   Desc[8] first word -> CustomStr6 and, after a '/', CustomInt2
                            // The remaining words of Desc[7] and then Desc[8] are appended to
                            // CustomStr2, separated by single spaces.
                            try
                            {
                                rec.CustomStr2 = Desc[6];

                                String[] firstWords = Desc[7].Split(' ');
                                String[] firstEndpoint = firstWords[0].Split('/');
                                rec.CustomStr3 = firstEndpoint[0];
                                if (firstEndpoint.Length > 1)
                                {
                                    rec.CustomInt1 = Convert.ToInt32(firstEndpoint[1]);
                                }

                                String[] secondWords = Desc[8].Split(' ');
                                String[] secondEndpoint = secondWords[0].Split('/');

                                // Desc[6] plus the words after the first endpoint; outer whitespace trimmed.
                                StringBuilder withFirstTail = new StringBuilder();
                                withFirstTail.Append(rec.CustomStr2).Append(" ");
                                withFirstTail.Append(String.Join(" ", firstWords, 1, firstWords.Length - 1));
                                rec.CustomStr2 = withFirstTail.ToString().Trim();

                                rec.CustomStr6 = secondEndpoint[0];
                                if (secondEndpoint.Length > 1)
                                {
                                    rec.CustomInt2 = Convert.ToInt32(secondEndpoint[1]);
                                }

                                // Then the words after the second endpoint, each preceded by one space.
                                StringBuilder withSecondTail = new StringBuilder();
                                withSecondTail.Append(rec.CustomStr2);
                                for (Int32 i = 1; i < secondWords.Length; ++i)
                                {
                                    withSecondTail.Append(" ").Append(secondWords[i]);
                                }
                                rec.CustomStr2 = withSecondTail.ToString();
                            }
                            catch (Exception e)
                            {
                                // The logged ID is 106023 for all three case labels.
                                L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 106023:" + args.Message);
                                L.Log(LogType.FILE, LogLevel.ERROR, e.ToString());
                                break;
                            }
                            break;
                        }
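                    case "715001":
                        {
                            try
                            {
                                // Split inside the try so a record with fewer than eight Desc
                                // elements is logged below instead of throwing out of this case.
                                String[] x1 = Desc[6].Split(' ');
                                String[] x2 = Desc[7].Split('/');

                                //CustomStr7 is -->  to outside || to inside
                                //CustomStr3 --> SourceIP
                                //CustomInt1 is --> SourcePort
                                // NOTE(review): the guard admits x1.Length == 6 but x1[6] is read
                                // below; such a message sets CustomStr3/CustomInt1/CustomStr2 and
                                // then fails. Confirm the intended token count.
                                if (x1.Length > 5)
                                {
                                    StringBuilder desc = new StringBuilder();
                                    desc.Append(x1[0]);
                                    desc.Append(' ');
                                    desc.Append(x1[1]);
                                    desc.Append(' ');
                                    desc.Append(x1[2]);
                                    desc.Append(' ');
                                    desc.Append(x1[3]);
                                    String[] part1 = x1[4].Split('/');
                                    rec.CustomStr3 = part1[0];
                                    rec.CustomInt1 = Convert.ToInt32(part1[1]);
                                    rec.CustomStr2 = desc.ToString();
                                    rec.CustomStr7 = x1[5] + x1[6];
                                }

                                // NOTE(review): x2 is already split on '/', so x2[0] contains no
                                // '/' and part2.Length > 1 cannot be true; CustomInt6 is never set
                                // here. Possibly Desc[7] was meant to be split on ' ' - verify.
                                if (x2.Length > 2)
                                {
                                    //CustomStr6 --> DestIP
                                    //CustomInt6 is --> DestPort
                                    String[] part2 = x2[0].Split('/');
                                    rec.CustomStr6 = part2[0];
                                    if (part2.Length > 1)
                                    {
                                        rec.CustomInt6 = Convert.ToInt32(part2[1].Trim());
                                    }
                                }
                            }
                            catch (Exception e)
                            {
                                // This handler used to be empty, so malformed or unexpected
                                // messages produced half-filled records with no trace. Log them
                                // like the other message-ID cases so parsing gaps can be found.
                                L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 715001:" + args.Message);
                                L.Log(LogType.FILE, LogLevel.ERROR, e.ToString());
                            }

                        }
                        break;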
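                    case "305009":
                        {
                            try
                            {
                                // Split inside the try so a record with too few Desc elements is
                                // logged below instead of throwing out of this case.
                                String[] x1 = Desc[6].Split(' ');
                                String[] x2 = Desc[7].Split(' ');

                                // First four words of Desc[6] -> CustomStr2, fifth word -> CustomStr7.
                                if (x1.Length > 4)
                                {
                                    StringBuilder desc = new StringBuilder();
                                    desc.Append(x1[0]);
                                    desc.Append(' ');
                                    desc.Append(x1[1]);
                                    desc.Append(' ');
                                    desc.Append(x1[2]);
                                    desc.Append(' ');
                                    desc.Append(x1[3]);
                                    rec.CustomStr2 = desc.ToString();
                                    rec.CustomStr7 = x1[4];
                                }

                                if (x2.Length > 2)
                                {
                                    String[] part2 = x2[0].Split('/');
                                    // Words after the first one, trimmed and concatenated without
                                    // separators, are appended to CustomStr7.
                                    StringBuilder dest = new StringBuilder();
                                    for (int k = 1; k < x2.Length; k++)
                                    {
                                        dest.Append(x2[k].Trim());
                                    }
                                    //CustomStr7 is -->  to outside || to inside
                                    //CustomStr3 --> SourceIP
                                    //CustomInt1 is --> SourcePort
                                    rec.CustomStr7 += dest.ToString();
                                    rec.CustomStr3 = part2[0].Trim();
                                    if (part2.Length > 1)
                                    {
                                        rec.CustomInt1 = Convert.ToInt32(part2[1].Trim());
                                    }
                                }

                                //CustomStr6 --> DestIP
                                //CustomInt6 is --> DestPort
                                rec.CustomStr6 = Desc[8].ToString();
                            }
                            catch (Exception e)
                            {
                                // This handler used to be empty, so malformed or unexpected
                                // messages produced half-filled records with no trace. Log them
                                // like the other message-ID cases so parsing gaps can be found.
                                L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 305009:" + args.Message);
                                L.Log(LogType.FILE, LogLevel.ERROR, e.ToString());
                            }

                        }
                        break;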
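                    case "302015"://Tested
                        {
                            // Three space-separated word groups are needed. They come from Desc[6]
                            // when it holds at least three ':'-separated parts, otherwise (when it
                            // holds no ':' at all) from Desc[6], Desc[7] and Desc[8].
                            //CustomStr2 --> Description Ex:Built Outbound TCP Connection
                            //CustomStr1 --> fifth word of the first group
                            //CustomStr7 --> to outside || to inside
                            try
                            {
                                String[] arrInbound = Desc[6].Split(':');
                                String[] x1 = null;
                                String[] x2 = null;
                                String[] x3 = null;
                                if (arrInbound.Length > 2)
                                {
                                    x1 = arrInbound[0].Trim().Split(' ');
                                    x2 = arrInbound[1].Trim().Split(' ');
                                    x3 = arrInbound[2].Trim().Split(' ');
                                }
                                else if (arrInbound.Length == 1 && Desc.Length > 8)
                                {
                                    // Desc[8] is read, so Desc needs at least nine elements
                                    // (the earlier "> 7" check allowed an out-of-range read).
                                    x1 = Desc[6].Split(' ');
                                    x2 = Desc[7].Split(' ');
                                    x3 = Desc[8].Split(' ');
                                }
                                else
                                {
                                    L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 302015:" + args.Message);
                                    // Nothing was split: stop here instead of dereferencing the
                                    // null arrays below and logging a second, misleading error.
                                    break;
                                }

                                if (x1.Length > 6)
                                {
                                    StringBuilder desc = new StringBuilder();
                                    desc.Append(x1[0]);
                                    desc.Append(' ');
                                    desc.Append(x1[1]);
                                    desc.Append(' ');
                                    desc.Append(x1[2]);
                                    desc.Append(' ');
                                    desc.Append(x1[3]);
                                    rec.CustomStr2 = desc.ToString();
                                    rec.CustomStr1 = x1[4].Trim();
                                    rec.CustomStr7 = x1[6];
                                }

                                if (x2.Length > 2)
                                {
                                    String[] part2 = x2[0].Split('/');
                                    String[] part2dest = x2[1].Trim('(', ')').Split('/');
                                    StringBuilder dest = new StringBuilder();
                                    for (int k = 2; k < x2.Length; k++)
                                    {
                                        dest.Append(x2[k].Trim());
                                    }
                                    //CustomStr7 is -->  to outside || to inside
                                    //CustomStr3 --> SourceIP
                                    //CustomStr4 --> XSourceIP
                                    //CustomInt1 and CustomInt4 is --> SourcePort and XsourcePort
                                    rec.CustomStr7 += dest.ToString();
                                    rec.CustomStr3 = part2[0].Trim();
                                    if (part2.Length > 1)
                                    {
                                        rec.CustomInt1 = Convert.ToInt32(part2[1].Trim());
                                    }
                                    rec.CustomStr4 = part2dest[0].Trim();
                                    // part2dest[1] is not length-checked; a value without '/'
                                    // ends up in the catch below.
                                    rec.CustomInt4 = Convert.ToInt32(part2dest[1].Trim());
                                }

                                if (x3.Length > 1)
                                {
                                    //CustomStr6 --> DestIP
                                    //CustomStr5 --> XDestIP
                                    //CustomInt6 and CustomInt5 is --> DestPort and XDestePort
                                    String[] part3 = x3[0].Split('/');
                                    String[] part3dest = x3[1].Trim('(', ')').Split('/');
                                    rec.CustomStr6 = part3[0].Trim();
                                    if (part3.Length > 1)
                                    {
                                        rec.CustomInt6 = Convert.ToInt32(part3[1].Trim());
                                    }
                                    rec.CustomStr5 = part3dest[0].Trim();
                                    rec.CustomInt5 = Convert.ToInt32(part3dest[1].Trim());
                                }
                            }
                            catch (Exception e)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 302015:" + args.Message);
                                L.Log(LogType.FILE, LogLevel.ERROR, e.ToString());
                            }

                        }
                        break;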
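                    case "302013":
                        {
                            // Three space-separated word groups are needed. They come from Desc[6]
                            // when it holds at least three ':'-separated parts, otherwise (when it
                            // holds no ':' at all) from Desc[6], Desc[7] and Desc[8].
                            //CustomStr2 --> Description Ex:Built Outbound TCP Connection
                            //CustomStr1 --> fifth word of the first group
                            //CustomStr7 --> to outside || to inside
                            try
                            {
                                String[] arrInbound = Desc[6].Split(':');
                                String[] x1 = null;
                                String[] x2 = null;
                                String[] x3 = null;
                                if (arrInbound.Length > 2)
                                {
                                    x1 = arrInbound[0].Trim().Split(' ');
                                    x2 = arrInbound[1].Trim().Split(' ');
                                    x3 = arrInbound[2].Trim().Split(' ');
                                }
                                else if (arrInbound.Length == 1 && Desc.Length > 8)
                                {
                                    // Desc[8] is read, so Desc needs at least nine elements
                                    // (the earlier "> 7" check allowed an out-of-range read).
                                    x1 = Desc[6].Split(' ');
                                    x2 = Desc[7].Split(' ');
                                    x3 = Desc[8].Split(' ');
                                }
                                else
                                {
                                    L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 302013:" + args.Message);
                                    // Nothing was split: stop here instead of dereferencing the
                                    // null arrays below and logging a second, misleading error.
                                    break;
                                }

                                if (x1.Length > 6)
                                {
                                    StringBuilder desc = new StringBuilder();
                                    desc.Append(x1[0]);
                                    desc.Append(' ');
                                    desc.Append(x1[1]);
                                    desc.Append(' ');
                                    desc.Append(x1[2]);
                                    desc.Append(' ');
                                    desc.Append(x1[3]);
                                    rec.CustomStr2 = desc.ToString();
                                    rec.CustomStr1 = x1[4].Trim();
                                    rec.CustomStr7 = x1[6];
                                }

                                if (x2.Length > 2)
                                {
                                    String[] part2 = x2[0].Split('/');
                                    String[] part2dest = x2[1].Trim('(', ')').Split('/');
                                    StringBuilder dest = new StringBuilder();
                                    for (int k = 2; k < x2.Length; k++)
                                    {
                                        dest.Append(x2[k].Trim());
                                    }
                                    //CustomStr7 is -->  to outside || to inside
                                    //CustomStr6 --> DestIP
                                    //CustomStr5 --> XDestIP
                                    //CustomInt6 and CustomInt5 is --> DestPort and XDestePort
                                    rec.CustomStr7 += dest.ToString();
                                    rec.CustomStr6 = part2[0].Trim();
                                    if (part2.Length > 1)
                                    {
                                        rec.CustomInt6 = Convert.ToInt32(part2[1].Trim());
                                    }
                                    rec.CustomStr5 = part2dest[0].Trim();
                                    // part2dest[1] is not length-checked; a value without '/'
                                    // ends up in the catch below.
                                    rec.CustomInt5 = Convert.ToInt32(part2dest[1].Trim());
                                }

                                if (x3.Length > 1)
                                {
                                    //CustomStr3 --> SourceIP
                                    //CustomStr4 --> XSourceIP
                                    //CustomInt1 and CustomInt4 is --> SourcePort and XsourcePort
                                    String[] part3 = x3[0].Split('/');
                                    String[] part3dest = x3[1].Trim('(', ')').Split('/');
                                    rec.CustomStr3 = part3[0].Trim();
                                    if (part3.Length > 1)
                                    {
                                        rec.CustomInt1 = Convert.ToInt32(part3[1].Trim());
                                    }
                                    rec.CustomStr4 = part3dest[0].Trim();
                                    rec.CustomInt4 = Convert.ToInt32(part3dest[1].Trim());
                                }
                            }
                            catch (Exception e)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 302013:" + args.Message);
                                L.Log(LogType.FILE, LogLevel.ERROR, e.ToString());
                            }

                        }
                        break;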
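                    case "305010":
                    case "302016":
                    case "302014":
                        {
                            // Four space-separated word groups (x1, x2, x3, x5) are needed. They come
                            // from parts 0, 1, 2 and 4 of Desc[6] when it holds at least five
                            // ':'-separated parts, otherwise (when it holds no ':' at all) from
                            // Desc[6], Desc[7], Desc[8] and Desc[10].
                            try
                            {
                                String[] arrInbound = Desc[6].Split(':');
                                String[] x1 = null;
                                String[] x2 = null;
                                String[] x3 = null;
                                String[] x5 = null;
                                if (arrInbound.Length > 4)
                                {
                                    x1 = arrInbound[0].Trim().Split(' ');
                                    x2 = arrInbound[1].Trim().Split(' ');
                                    x3 = arrInbound[2].Trim().Split(' ');
                                    x5 = arrInbound[4].Trim().Split(' ');
                                }
                                else if (arrInbound.Length == 1 && Desc.Length > 10)
                                {
                                    x1 = Desc[6].Split(' ');
                                    x2 = Desc[7].Split(' ');
                                    x3 = Desc[8].Split(' ');
                                    x5 = Desc[10].Split(' ');
                                }
                                else
                                {
                                    L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 302014:" + args.Message);
                                    // Nothing was split: stop here instead of dereferencing the
                                    // null arrays below and logging a second, misleading error.
                                    break;
                                }
                                //CustomStr2 --> Description Ex:Built Outbound TCP Connection
                                //CustomStr1 --> fourth word of the first group (only when it has more than five words)
                                //CustomStr7 --> to outside || to inside

                                if (x1.Length > 4)
                                {
                                    StringBuilder desc = new StringBuilder();
                                    desc.Append(x1[0]);
                                    desc.Append(' ');
                                    desc.Append(x1[1]);
                                    desc.Append(' ');
                                    desc.Append(x1[2]);
                                    desc.Append(' ');
                                    // Words 3 and 4 of the last group close the description when present;
                                    // otherwise CustomStr2 keeps the trailing space appended above.
                                    if (x5.Length > 4)
                                    {
                                        desc.Append(x5[3]);
                                        desc.Append(' ');
                                        desc.Append(x5[4]);
                                    }
                                    rec.CustomStr2 = desc.ToString();

                                    if (x1.Length > 5)
                                    {
                                        rec.CustomStr7 = x1[5];
                                        rec.CustomStr1 = x1[3].Trim();
                                    }
                                    else
                                    {
                                        rec.CustomStr7 = x1[4];
                                    }
                                }

                                if (x2.Length > 2)
                                {
                                    String[] part2 = x2[0].Split('/');
                                    StringBuilder dest = new StringBuilder();
                                    for (int k = 1; k < x2.Length; k++)
                                    {
                                        dest.Append(x2[k].Trim());
                                    }
                                    //CustomStr7 is -->  to outside || to inside
                                    //CustomStr3 --> SourceIP
                                    //CustomInt1 --> SourcePort
                                    rec.CustomStr7 += dest.ToString();
                                    rec.CustomStr3 = part2[0];
                                    if (part2.Length > 1)
                                    {
                                        rec.CustomInt1 = Convert.ToInt32(part2[1].Trim());
                                    }
                                }

                                if (x3.Length > 2 && x5.Length > 2)
                                {
                                    //CustomStr6 --> DestIP
                                    //CustomStr8 --> Duration
                                    //CustomInt6 --> DestPort
                                    //CustomInt7 --> Bytes
                                    String[] part3 = x3[0].Split('/');
                                    rec.CustomStr6 = part3[0];
                                    // part3[1] is not length-checked; a value without '/' ends up
                                    // in the catch below.
                                    rec.CustomInt6 = Convert.ToInt32(part3[1].Trim());
                                    // NOTE(review): the middle duration field is always read from
                                    // Desc[9], including when the groups came from Desc[6] alone -
                                    // confirm Desc[9] is the right source in that layout.
                                    StringBuilder duration = new StringBuilder();
                                    duration.Append(x3[2]);
                                    duration.Append(':');
                                    duration.Append(Desc[9]);
                                    duration.Append(':');
                                    duration.Append(x5[0]);
                                    rec.CustomStr8 = duration.ToString();
                                    if (x5.Length > 4)
                                    {
                                        rec.CustomInt7 = Convert.ToInt32(x5[2]);
                                    }
                                }
                            }
                            catch (Exception e)
                            {
                                // The logged ID is 302014 for all three case labels.
                                L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 302014:" + args.Message);
                                L.Log(LogType.FILE, LogLevel.ERROR, e.ToString());
                            }

                        }
                        break;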
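                    case "609001":
                        {

                            try
                            {
                                //Parsing description
                                //CustomStr3 --> localhost
                                //CUstomStr6 --> Dest
                                // CustomStr3 is the second word of the text before the first ':';
                                // CustomStr6 is the text after it (or Desc[7] when Desc[6] has no ':').
                                String[] arrAccess = Desc[6].Split(':');
                                if (arrAccess.Length > 1)
                                {
                                    rec.CustomStr3 = arrAccess[0].Split(' ')[1];
                                    rec.CustomStr6 = arrAccess[1];
                                }
                                else if (Desc.Length > 7)
                                {
                                    rec.CustomStr3 = Desc[6].Split(' ')[1];
                                    rec.CustomStr6 = Desc[7];
                                }
                                else
                                {
                                    rec.Description = args.Message;
                                    L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 609001 -insert into description-:" + args.Message);
                                    // Stop here, as the 609002 case does; falling through
                                    // overwrote the fallback description with Desc[6].
                                    break;
                                }
                                rec.Description = Desc[6];
                                if (Desc.Length > 7)
                                {
                                    rec.CustomStr2 = Desc[6] + ' ' + Desc[7];
                                }
                            }
                            catch (Exception e)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 609001:" + args.Message);
                                L.Log(LogType.FILE, LogLevel.ERROR, e.ToString());
                            }

                        } break;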
                    case "609002":
                        {

                            try
                            {
                                //Parsing description
                                //CustomStr3 --> localhost
                                //CUstomStr6 --> Dest
                                //CustomStr8 --> Duration
                                String[] fields = Desc[6].Split(':');
                                String rebuilt = "";

                                // Fewer than four ':'-separated fields in Desc[6]: rebuild the text
                                // from Desc[6]..Desc[9] and split again, or give up and keep the raw
                                // message as the description.
                                if (fields.Length < 4)
                                {
                                    if (Desc.Length <= 9)
                                    {
                                        rec.Description = args.Message;
                                        L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 609002 -insert into description-:" + args.Message);
                                        break;
                                    }

                                    rebuilt = String.Join(":", Desc, 6, 4);
                                    fields = rebuilt.Split(':');
                                }

                                rec.CustomStr3 = fields[0].Split(' ')[1];

                                // fields[1] holds "<CustomStr6> <word> <first duration part>".
                                String[] middle = fields[1].Split(' ');
                                rec.CustomStr6 = middle[0];
                                rec.CustomStr8 = middle[2] + ":" + fields[2] + ":" + fields[3];

                                rec.Description = Desc[6];
                                // NOTE(review): this stays empty when Desc[6] already had four
                                // fields, because nothing was rebuilt - confirm that is intended.
                                rec.CustomStr2 = rebuilt;
                            }
                            catch (Exception e)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 609002:" + args.Message);
                                L.Log(LogType.FILE, LogLevel.ERROR, e.ToString());
                            }

                        } break;

                    case "305011"://Tested
                    case "305012"://Tested
                        {
                            rec.CustomStr2 = Desc[6].Trim();
                            Desc[7] += ":";
                            for (Int32 i = 8; i < Desc.Length; i++)
                                Desc[7] += Desc[i] + ":";
                            Desc[7] = Desc[7].TrimEnd(':');

                            String[] arrInbound = Desc[7].Split(' ');

                            Int32 firstIp = 0;
                            Int32 secondIp = 0;
                            bool first = true;

                            for (Int32 i = 0; i < arrInbound.Length; i++)
                            {
                                if (arrInbound[i].Contains("/") && !arrInbound[i].Contains("("))
                                {
                                    if (first)
                                    {
                                        firstIp = i;
                                        first = false;
                                    }
                                    else
                                    {
                                        secondIp = i;
                                        break;
                                    }
                                }
                            }

                            StringBuilder customStr4 = new StringBuilder();
                            for (Int32 i = firstIp + 1; i < secondIp; i++)
                            {
                                customStr4.Append(arrInbound[i]).Append(" ");
                            }

                            rec.CustomStr4 = customStr4.ToString().Trim();

                            String[] arrInboundIp = arrInbound[firstIp].Split('/');
                            if (arrInboundIp[0].Contains(":"))
                            {
                                String[] DescIpSplit = arrInboundIp[0].Split(':');
                                rec.CustomStr2 += " " + DescIpSplit[0];
                                rec.CustomStr3 = DescIpSplit[1];
                            }
                            else
                            {
                                rec.CustomStr3 = arrInboundIp[0];
                            }
                            rec.CustomInt1 = Convert.ToInt32(arrInboundIp[1]);

                            StringBuilder customStr6 = new StringBuilder();
                            for (Int32 i = secondIp + 1; i < arrInbound.Length; i++)
                            {
                                customStr6.Append(arrInbound[i]).Append(" ");
                            }

                            rec.Description = customStr6.ToString().Trim();

                            String[] arrInboundDescIp = arrInbound[secondIp].Split('/');
                            if (arrInboundDescIp[0].Contains(":"))
                            {
                                String[] DescIpSplit = arrInboundDescIp[0].Split(':');
                                rec.CustomStr4 += " " + DescIpSplit[0];
                                rec.CustomStr6 = DescIpSplit[1];
                            }
                            else
                            {
                                rec.CustomStr6 = arrInboundDescIp[0];
                            }
                            rec.CustomInt3 = Convert.ToInt32(arrInboundDescIp[1]);

                        } break;
                    case "304001":
                        {
                            StringBuilder sbTemp = new StringBuilder();
                            //Parsing description
                            String[] arrAccess = Desc[6].Split(' ');
                            for (Int32 i = 1; i < arrAccess.Length; ++i)
                            {
                                sbTemp.Append(arrAccess[i]).Append(' ');
                            }
                            sbTemp.Remove(sbTemp.Length - 1, 1);
                            sbTemp.Append(':').Append(Desc[7]);

                            rec.CustomStr5 = arrAccess[0];
                            rec.Description = sbTemp.ToString();

                        } break;
                    case "419001":
                        rec.CustomStr2 = Desc[6];
                        String[] arrDrop = Desc[7].Split(' ');
                        String[] arrDropIp = arrDrop[0].Split('/');

                        rec.CustomStr3 = arrDropIp[0];
                        rec.CustomInt1 = Convert.ToInt32(arrDropIp[1]);

                        String[] arrDropDesc = Desc[8].Split(',');
                        String[] arrDropDescIp = arrDropDesc[0].Split('/');
                        StringBuilder sbTempDrop = new StringBuilder();
                        sbTempDrop.Append(arrDropDescIp[0]);
                        rec.CustomStr7 = sbTempDrop.ToString();
                        rec.CustomInt3 = Convert.ToInt32(arrDropDescIp[1]);

                        StringBuilder sbTempDescDrop = new StringBuilder();
                        for (Int32 i = 1; i < arrDropDesc.Length; ++i)
                        {
                            sbTempDescDrop.Append(arrDropDesc[i]).Append(" ");
                        }
                        if (sbTempDescDrop.Length > 0)
                            sbTempDescDrop.Remove(sbTempDescDrop.Length - 1, 1);
                        rec.Description = sbTempDescDrop.ToString();

                        break;
                    default:
                        L.Log(LogType.FILE, LogLevel.DEBUG, "No match for the mesage: "+args.Message);
                        rec.Description = args.Message;
                        break;
                }
                rec.SourceName = args.Source;
                // Fields are changed like other firewall for standartization

                string backup = null;
                backup = rec.CustomStr4;
                rec.CustomStr4 = rec.CustomStr6;
                rec.CustomStr6 = rec.CustomStr5;
                rec.CustomStr5 = backup;

                int bakcup = 0;
                rec.CustomInt2 = rec.CustomInt1;
                rec.CustomInt1 = rec.CustomInt3;
                rec.CustomInt3 = bakcup;

                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");

                L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
                if (usingRegistry)
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
                    s.SetData(rec);
                }
                else
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
                    s.SetData(Dal,virtualhost, rec);
                    s.SetReg(Id, rec.Datetime, "","", "",rec.Datetime);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");

            }
            catch (Exception er)
            {
                L.LogTimed(LogType.FILE, LogLevel.ERROR, er.ToString());
                L.LogTimed(LogType.FILE, LogLevel.ERROR,args.Message);
            }
        }
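        /// <summary>
        /// Handles one syslog event for the "CiscoPixSyslog Recorder": splits the raw message
        /// on ':', copies the pieces into a <c>CustomBase.Rec</c> and passes the record to the
        /// configured sender service.
        /// </summary>
        /// <remarks>
        /// The message text is produced outside this process and is parsed purely by position,
        /// so every index is checked before it is read. A message whose id is known but whose
        /// layout does not match is forwarded with the raw text in <c>Description</c> (the same
        /// treatment as an unknown id) instead of being lost to the outer catch, so a malformed
        /// line does not make an event disappear from the collected logs.
        /// Blocks of commented-out code (an older id switch and a date parser) were dropped from
        /// this method; they remain available in version control.
        /// </remarks>
        /// <param name="args">Event data; <c>Message</c>, <c>Source</c> and <c>EventLogEntType</c> are read.</param>
        void slog_SyslogEvent(LogMgrEventArgs args)
        {
            CustomBase.Rec rec = new CustomBase.Rec();
            try
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
                // NOTE(review): the raw message is concatenated into the file log as-is; whether
                // L.Log neutralises embedded line breaks is not visible here - confirm.
                L.Log(LogType.FILE, LogLevel.DEBUG, "Log is :" + args.Message);
                rec.LogName = "CiscoPixSyslog Recorder";
                // Local time shifted by 'zone' minutes.
                // NOTE(review): '/' in a custom format string is the current culture's date
                // separator, so the stored timestamp text depends on the host culture.
                rec.Datetime = DateTime.Now.AddMinutes(zone).ToString("yyyy/MM/dd HH:mm:ss");
                rec.EventType = args.EventLogEntType.ToString();

                String[] Desc = args.Message.Split(':');

                if (Desc.Length < 5)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message: " + args.Message);
                    return;
                }

                for (Int32 i = 0; i < Desc.Length; ++i)
                {
                    Desc[i] = Desc[i].Trim();
                }

                String[] pixArr = Desc[3].Split('-');

                // pixArr[2] is read below, so three pieces are required. The earlier guard
                // (< 2) let a two-piece value through and the read then threw.
                if (pixArr.Length < 3)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message: " + args.Message);
                    return;
                }

                // Fields filled for every record.
                rec.CustomStr10 = Desc[0].Trim();
                rec.CustomStr9 = Desc[1].Trim();

                // Third '-' separated piece of Desc[3]; used as the message id and replaces
                // the EventType set above.
                rec.EventType = pixArr[2];

                // Emitted here and again after the switch, as before.
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");

                // Set only when an id-specific layout matched completely; nothing is written
                // to rec by a case until all of its indexes and numbers have been validated.
                bool parsed = false;
                switch (pixArr[2])
                {
                    case "304001"://Untested
                        {
                            // Needs Desc[5] and four space-separated tokens in Desc[4].
                            if (Desc.Length > 5)
                            {
                                String[] arrAccess = Desc[4].Split(' ');
                                if (arrAccess.Length > 3)
                                {
                                    rec.CustomStr3 = arrAccess[0];
                                    rec.CustomStr6 = arrAccess[3];
                                    // Tokens 1 and 2 are joined without a separator, as before.
                                    rec.CustomStr2 = arrAccess[1] + arrAccess[2];
                                    rec.Description = Desc[5];
                                    parsed = true;
                                }
                            }
                        } break;
                    case "106023"://Untested
                        {
                            // Needs Desc[6], three tokens in Desc[5] and an "x/number" pair
                            // at the start of both Desc[5] and Desc[6].
                            if (Desc.Length > 6)
                            {
                                String[] arrAccess = Desc[5].Split(' ');
                                String[] arrDest = Desc[6].Split(' ');
                                String[] srcPair = arrAccess[0].Split('/');
                                String[] dstPair = arrDest[0].Split('/');
                                Int32 srcNumber = 0;
                                Int32 dstNumber = 0;

                                // TryParse applies the same integer style and culture as
                                // Convert.ToInt32(string) but reports failure instead of throwing.
                                if (arrAccess.Length > 2
                                    && srcPair.Length > 1
                                    && dstPair.Length > 1
                                    && Int32.TryParse(srcPair[1], out srcNumber)
                                    && Int32.TryParse(dstPair[1], out dstNumber))
                                {
                                    rec.CustomStr3 = srcPair[0];
                                    rec.CustomInt3 = srcNumber;
                                    rec.CustomStr6 = dstPair[0];
                                    rec.CustomInt1 = dstNumber;

                                    StringBuilder sbTemp = new StringBuilder();
                                    rec.CustomStr2 = sbTemp.Append(Desc[4].Trim()).Append(' ').Append(arrAccess[1]).Append(arrAccess[2]).ToString();

                                    // NOTE(review): the remaining tokens are concatenated with
                                    // no separator, exactly as before - confirm this is intended.
                                    StringBuilder sbDesc = new StringBuilder();
                                    for (int i = 1; i < arrDest.Length; i++)
                                    {
                                        sbDesc.Append(arrDest[i]);
                                    }
                                    rec.Description = sbDesc.ToString();
                                    parsed = true;
                                }
                            }
                        } break;
                    default:
                        break;
                }

                if (!parsed)
                {
                    // Unknown id, or a known id with an unexpected layout: keep the raw text
                    // so the event is still forwarded.
                    rec.Description = args.Message;
                    L.Log(LogType.FILE, LogLevel.WARN, "Could not parse this log: " + args.Message);
                }

                rec.SourceName = args.Source;
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");

                L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
                if (usingRegistry)
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
                    s.SetData(rec);
                }
                else
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
                    s.SetData(Dal, virtualhost, rec);
                    s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");

            }
            catch (Exception er)
            {
                // Any failure above ends here and the record is not sent.
                L.LogTimed(LogType.FILE, LogLevel.ERROR, er.ToString());
                // NOTE(review): the offending message is written at DEBUG only, so at a higher
                // log level the exception is recorded without the input that caused it.
                L.Log(LogType.FILE, LogLevel.DEBUG, "Exception:" + args.Message);
            }
        }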
        void slog_SyslogEvent(LogMgrEventArgs args)
        {
            CustomBase.Rec rec = new CustomBase.Rec();
            try
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
                rec.LogName = "CiscoAsaV6_4_1Recorder Recorder";
                rec.Datetime = DateTime.Now.AddMinutes(zone).ToString("yyyy/MM/dd HH:mm:ss");
                rec.EventType = args.EventLogEntType.ToString();
                rec.Description = args.Message;

                //10.10.0.254:514 : local4.info %ASA-6-305011: Built dynamic TCP translation from Inside:192.168.111.10/56298 to Outside(Inside_nat_outbound):212.156.67.62/12694

                String[] parts = args.Message.Split('%')[1].Split(new char[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
                if (args.Message == "")
                {
                    L.Log(LogType.FILE, LogLevel.INFORM, " Message is null " + args.Message);
                    return;
                }

                if (parts.Length < 2)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, " Message is not in proper format. Log : " + args.Message);
                    return;
                }

                string type = parts[0].Split('-')[2].TrimEnd(':');

                //Uncommon fields for all pix records. Now Parse with id
                rec.EventId = Convert.ToInt64(type);
                switch (type)
                {
                    case "106001"://Untested
                        {

                        } break;

                    //10.10.0.254:514 : local4.info %ASA-6-106015: Deny TCP (no connection) from 172.16.100.142/53916 to 83.66.140.10/80 flags RST  on interface Fabrikalar
                    case "106015":
                        {
                            try
                            {
                                rec.CustomStr2 = "";
                                rec.CustomStr7 = "";

                                for (int i = 1; i < parts.Length; i++)
                                {
                                    if (!parts[i].Contains("("))
                                    {
                                        rec.CustomStr2 += parts[i] + " ";
                                    }
                                    else
                                    {
                                        break;
                                    }
                                }

                                rec.CustomStr2 = rec.CustomStr2.Trim();
                                rec.EventCategory = rec.CustomStr2;

                                bool getRest = false;
                                for (int i = 1; i < parts.Length; i++)
                                {
                                    if (parts[i].ToLower().Equals("from"))
                                    {
                                        rec.CustomStr3 = parts[i + 1].Split(new char[] { '/' })[0];
                                        rec.CustomInt2 = Convert_To_Int32(parts[i + 1].Split(new char[] { ':', '/' })[1]);
                                    }
                                    else if (parts[i].ToLower().Equals("to"))
                                    {
                                        rec.CustomStr4 = parts[i + 1].Split(new char[] { '/' })[0];
                                        rec.CustomInt3 = Convert_To_Int32(parts[i + 1].Split(new char[] { '/' })[1]);
                                        i++;
                                        getRest = true;
                                    }
                                    else if (getRest)
                                    {
                                        rec.CustomStr7 += parts[i] + " ";
                                    }
                                    rec.CustomStr7 = rec.CustomStr7.Trim();
                                }
                            }
                            catch (Exception ex)
                            {
                                L.Log(LogType.FILE, LogLevel.DEBUG, "Error On : 106015. Log : " + args.Message);
                            }
                        } break;

                    //10.10.0.254:514 : local4.info %ASA-6-302020: Built outbound ICMP connection for faddr 74.55.143.146/0 gaddr 212.156.67.62/5157 laddr 172.16.140.77/512
                    //10.10.0.254:514 : local4.info %ASA-6-302021: Teardown ICMP connection for faddr 172.16.204.66/0 gaddr 10.10.0.2/0 laddr 10.10.0.2/0
                    case "302020":
                    case "302021":
                        {
                            try
                            {
                                rec.CustomStr2 = "";
                                rec.CustomStr7 = "";

                                for (int i = 1; i < parts.Length; i++)
                                {
                                    if (!parts[i].Contains("for"))
                                    {
                                        rec.CustomStr2 += parts[i] + " ";
                                    }
                                    else
                                    {
                                        break;
                                    }
                                }

                                rec.CustomStr2 = rec.CustomStr2.Trim();
                                rec.EventCategory = rec.CustomStr2;

                                for (int i = 1; i < parts.Length; i++)
                                {

                                    if (parts[i].ToLower().Equals("faddr"))
                                    {
                                        rec.CustomStr3 = parts[i + 1].Split(new char[] { '/' })[0];
                                        rec.CustomInt2 = Convert_To_Int32(parts[i + 1].Split(new char[] { ':', '/' })[1]);
                                    }
                                    else if (parts[i].ToLower().Equals("gaddr"))
                                    {
                                        rec.CustomStr4 = parts[i + 1].Split(new char[] { '/' })[0];
                                        rec.CustomInt3 = Convert_To_Int32(parts[i + 1].Split(new char[] { '/' })[1]);
                                    }
                                    else if (parts[i].ToLower().Equals("laddr"))
                                    {
                                        rec.CustomStr5 = parts[i + 1].Split(new char[] { '/' })[0];
                                        rec.CustomInt4 = Convert_To_Int32(parts[i + 1].Split(new char[] { '/' })[1]);
                                    }
                                }
                            }
                            catch (Exception ex)
                            {
                                L.Log(LogType.FILE, LogLevel.DEBUG, "Error On : 302020, 302021. Log : " + args.Message);
                            }

                        } break;

                    //10.10.0.254:514 : local4.alert %ASA-1-106021: Deny TCP reverse path check from 192.168.34.73 to 212.156.67.62 on interface Outside
                    case "106021":
                        {
                            rec.CustomStr2 = "";

                            for (int i = 1; i < parts.Length; i++)
                            {
                                if (!parts[i].Contains("from"))
                                    rec.CustomStr2 += parts[i] + " ";
                                else
                                    break;
                            }

                            bool continueStr2 = false;

                            rec.CustomStr8 = "";

                            for (int i = 1; i < parts.Length; i++)
                            {
                                if (parts[i].Equals("from"))
                                {
                                    rec.CustomStr3 = parts[i + 1];
                                }
                                else if (parts[i].ToLower().Equals("to"))
                                {
                                    rec.CustomStr4 = parts[i + 1];
                                }

                                if (parts[i].Contains("on"))
                                {
                                    continueStr2 = true;
                                }

                                if (continueStr2)
                                {
                                    rec.CustomStr2 += " " + parts[i];
                                }
                            }

                            rec.CustomStr2 = rec.CustomStr2.Trim();
                            rec.EventCategory = parts[1] + " " + parts[2];

                        }

                        break;
                    case "106006":
                        {
                            L.Log(LogType.FILE, LogLevel.INFORM, "Boş içi. Hazırlanması lazım : 106006. Log : " + args.Message);
                        }
                        break;
                    case "106007":
                        {
                            L.Log(LogType.FILE, LogLevel.INFORM, "Boş içi. Hazırlanması lazım : 106007. Log : " + args.Message);
                        }
                        break;

                    case "106017":
                        {
                            L.Log(LogType.FILE, LogLevel.INFORM, "Boş içi. Hazırlanması lazım : 106017. Log : " + args.Message);
                        }
                        break;

                    //10.10.0.254:514 : local4.error %ASA-3-710003: TCP access denied by ACL from 88.249.67.204/2305 to Outside:212.156.67.62/23

                    case "710003":
                        {
                            L.Log(LogType.FILE, LogLevel.INFORM, "Boş içi. Hazırlanması lazım : 710003. Log : " + args.Message);
                        }
                        break;

                    //10.10.0.254:514 : local4.warning %ASA-4-106023: Deny udp src Outside:24.101.147.41/19971 dst Fabrikalar:212.156.67.62/39772 by access-group "Outside_access_in" [0x0, 0x0]
                    case "106016":
                    case "106014":
                    case "106023":
                        {
                            try
                            {
                                rec.CustomStr2 = "";
                                rec.CustomStr7 = "";

                                for (int i = 1; i < parts.Length; i++)
                                {
                                    if (!parts[i].Contains(":"))
                                    {
                                        rec.CustomStr2 += parts[i] + " ";
                                    }
                                    else
                                    {
                                        break;
                                    }
                                }
                                rec.CustomStr2 = rec.CustomStr2.Trim();
                                rec.EventCategory = rec.CustomStr2;

                                for (int i = 1; i < parts.Length; i++)
                                {
                                    if (parts[i].Contains(":"))
                                    {
                                        if (parts[i].ToLower().Contains("inside"))
                                        {
                                            rec.CustomStr7 += parts[i].Split(new char[] { ':', '/' })[0] + " ";
                                            rec.CustomStr3 = parts[i].Split(new char[] { ':', '/' })[1];
                                            rec.CustomInt2 = Convert_To_Int32(parts[i].Split(new char[] { ':', '/' })[2]);
                                        }
                                        else if (parts[i].ToLower().Contains("outside"))
                                        {
                                            rec.CustomStr7 += parts[i].Split(new char[] { ':', '/' })[0] + " ";
                                            rec.CustomStr4 = parts[i].Split(new char[] { ':', '/' })[1];
                                            rec.CustomInt3 = Convert_To_Int32(parts[i].Split(new char[] { ':', '/' })[2]);
                                        }
                                        else
                                        {
                                            rec.CustomStr7 += parts[i].Split(new char[] { ':', '/' })[0] + " ";
                                            rec.CustomStr3 = parts[i].Split(new char[] { ':', '/' })[1];
                                            rec.CustomInt2 = Convert_To_Int32(parts[i].Split(new char[] { ':', '/' })[2]);
                                        }
                                    }
                                    else
                                    {
                                        rec.CustomStr8 += parts[i] + " ";
                                    }
                                }
                            }
                            catch (Exception ex)
                            {
                                L.Log(LogType.FILE, LogLevel.DEBUG, "Error On : 106016, 106014, 106023. Log : " + args.Message);
                            }

                        }
                        break;
                    case "715001":
                        {
                            L.Log(LogType.FILE, LogLevel.INFORM, "Boş içi. Hazırlanması lazım : 715001. Log : " + args.Message);
                        }
                        break;
                    case "305009":
                        {
                            L.Log(LogType.FILE, LogLevel.INFORM, "Boş içi. Hazırlanması lazım : 305009. Log : " + args.Message);
                        }
                        break;

                    //10.10.0.254:514 : local4.info %ASA-6-302015: Built inbound UDP connection 53527882 for Fabrikalar:172.16.100.73/1025 (172.16.100.73/1025) to Inside:10.30.0.7/53 (10.30.0.7/53)
                    //10.10.0.254:514 : local4.info %ASA-6-302013: Built outbound TCP connection 53527880 for Outside:212.174.187.34/80 (212.174.187.34/80) to Inside:192.168.115.13/50417 (212.156.67.62/47279)
                    case "302015":
                    case "302013":
                        {
                            try
                            {
                                rec.CustomStr2 = "";
                                rec.CustomStr7 = "";

                                long sayi;
                                for (int i = 1; i < parts.Length; i++)
                                {
                                    if (!Int64.TryParse(parts[i], out sayi))
                                    {
                                        rec.CustomStr2 += parts[i] + " ";
                                    }
                                    else
                                    {
                                        rec.CustomStr1 = parts[i];
                                        break;
                                    }
                                }

                                rec.CustomStr2 = rec.CustomStr2.Trim();
                                rec.EventCategory = rec.CustomStr2;

                                bool ilkIpAlindi = false;
                                bool ilkParantezIpAlindi = false;

                                for (int i = 1; i < parts.Length; i++)
                                {
                                    if (parts[i].Contains(":") && parts[i].Contains("/"))
                                    {
                                        if (!ilkIpAlindi)
                                        {
                                            ilkIpAlindi = true;
                                            rec.CustomStr7 += parts[i].Split(new char[] { ':', '/' })[0] + " ";
                                            rec.CustomStr3 = parts[i].Split(new char[] { ':', '/' })[1];
                                            rec.CustomInt2 = Convert_To_Int32(parts[i].Split(new char[] { ':', '/' })[2]);
                                        }
                                        else if (ilkIpAlindi)
                                        {
                                            rec.CustomStr7 += parts[i].Split(new char[] { ':', '/' })[0] + " ";
                                            rec.CustomStr4 = parts[i].Split(new char[] { ':', '/' })[1];
                                            rec.CustomInt3 = Convert_To_Int32(parts[i].Split(new char[] { ':', '/' })[2]);
                                        }
                                    }
                                    else if (parts[i].Contains("(") && parts[i].Contains("/"))
                                    {
                                        if (!ilkParantezIpAlindi)
                                        {
                                            ilkParantezIpAlindi = true;
                                            rec.CustomStr5 = parts[i].Split(new char[] { '/' })[0].TrimStart('(');
                                            rec.CustomInt4 = Convert_To_Int32(parts[i].Split(new char[] { '/' })[1].TrimEnd(')'));
                                        }
                                        else if (ilkParantezIpAlindi)
                                        {
                                            rec.CustomStr6 = parts[i].Split(new char[] { '/' })[0].TrimStart('(');
                                            rec.CustomInt5 = Convert_To_Int32(parts[i].Split(new char[] { '/' })[1].TrimEnd(')'));
                                        }
                                    }
                                }
                            }
                            catch (Exception ex)
                            {
                                L.Log(LogType.FILE, LogLevel.DEBUG, "Error On : 305010, 302016, 302014. Log : " + args.Message);
                            }

                        }
                        break;

                    //10.10.0.254:514 : local4.info %ASA-6-302016: Teardown UDP connection 53527868 for Outside:216.239.36.10/53 to Inside:10.30.0.7/52945 duration 0:00:00 bytes 193
                    //10.10.0.254:514 : local4.info %ASA-6-302014: Teardown TCP connection 53527230 for Outside:92.45.106.106/80 to Fabrikalar:172.16.194.52/3473 duration 0:00:05 bytes 3920 TCP FINs
                    case "305010":
                    case "302016":
                    case "302014":
                        {
                            try
                            {
                                rec.CustomStr2 = "";
                                rec.CustomStr7 = "";
                                long sayi;
                                for (int i = 1; i < parts.Length; i++)
                                {
                                    if (!Int64.TryParse(parts[i], out sayi))
                                    {
                                        rec.CustomStr2 += parts[i] + " ";
                                    }
                                    else
                                    {
                                        rec.CustomStr1 = parts[i];
                                        break;
                                    }
                                }
                                rec.CustomStr2 = rec.CustomStr2.Trim();
                                rec.EventCategory = rec.CustomStr2;

                                for (int i = 1; i < parts.Length; i++)
                                {
                                    if (parts[i].Contains(":"))
                                    {
                                        if (parts[i].ToLower().Contains("inside"))
                                        {
                                            rec.CustomStr7 += parts[i].Split(new char[] { ':', '/' })[0] + " ";
                                            rec.CustomStr3 = parts[i].Split(new char[] { ':', '/' })[1];
                                            rec.CustomInt2 = Convert_To_Int32(parts[i].Split(new char[] { ':', '/' })[2]);
                                        }
                                        else if (parts[i].ToLower().Contains("outside"))
                                        {
                                            rec.CustomStr7 += parts[i].Split(new char[] { ':', '/' })[0] + " ";
                                            rec.CustomStr4 = parts[i].Split(new char[] { ':', '/' })[1];
                                            rec.CustomInt3 = Convert_To_Int32(parts[i].Split(new char[] { ':', '/' })[2]);
                                        }
                                    }
                                    else if (parts[i].Contains("duration"))
                                    {
                                        rec.CustomStr8 = parts[i + 1];
                                    }
                                    else if (parts[i].Contains("bytes"))
                                    {
                                        rec.CustomInt7 = Convert_To_Int32(parts[i + 1]);
                                    }
                                    else if (parts[i].Contains("TCP"))
                                    {
                                        rec.CustomStr7 = parts[i] + " " + parts[i + 1];
                                    }
                                }
                            }
                            catch (Exception ex)
                            {
                                L.Log(LogType.FILE, LogLevel.DEBUG, "Error On : 305010, 302016, 302014. Log : " + args.Message);
                            }
                        }
                        break;

                    case "609001":
                        {
                            L.Log(LogType.FILE, LogLevel.INFORM, "Boş içi. Hazırlanması lazım : 609001. Log : " + args.Message);

                        } break;

                    case "609002":
                        {
                            L.Log(LogType.FILE, LogLevel.INFORM, "Boş içi. Hazırlanması lazım : 609002. Log : " + args.Message);

                        } break;

                    //10.10.0.254:514 : local4.info %ASA-6-305011: Built dynamic TCP translation from Inside:192.168.111.10/56298 to Outside(Inside_nat_outbound):212.156.67.62/12694
                    //10.10.0.254:514 : local4.info %ASA-6-305012: Teardown dynamic TCP translation from Fabrikalar:172.16.211.108/2599 to Outside(Fabrikalar_nat_outbound):212.156.67.62/13200 duration 0:00:30
                    case "305011"://Tested
                    case "305012"://Tested
                        {
                            try
                            {
                                rec.CustomStr2 = "";
                                rec.CustomStr7 = "";

                                for (int i = 1; i < parts.Length; i++)
                                {
                                    if (!parts[i].Contains(":"))
                                    {
                                        rec.CustomStr2 += parts[i] + " ";
                                    }
                                    else
                                    {
                                        break;
                                    }
                                }
                                rec.CustomStr2 = rec.CustomStr2.Trim();
                                rec.EventCategory = rec.CustomStr2;

                                for (int i = 1; i < parts.Length; i++)
                                {
                                    if (parts[i].Contains(":"))
                                    {
                                        if (parts[i].ToLower().Contains("inside"))
                                        {
                                            rec.CustomStr7 += parts[i].Split(new char[] { ':', '/' })[0] + " ";
                                            rec.CustomStr3 = parts[i].Split(new char[] { ':', '/' })[1];
                                            rec.CustomInt2 = Convert_To_Int32(parts[i].Split(new char[] { ':', '/' })[2]);
                                        }
                                        else if (parts[i].ToLower().Contains("outside"))
                                        {
                                            rec.CustomStr7 += parts[i].Split(new char[] { ':', '/' })[0] + " ";
                                            rec.CustomStr4 = parts[i].Split(new char[] { ':', '/' })[1];
                                            rec.CustomInt3 = Convert_To_Int32(parts[i].Split(new char[] { ':', '/' })[2]);
                                        }
                                    }
                                    else if (parts[i].Contains("duration"))
                                    {
                                        rec.CustomStr8 = parts[i + 1];
                                    }
                                }
                            }
                            catch (Exception ex)
                            {
                                L.Log(LogType.FILE, LogLevel.DEBUG, "Error On : 305011, 305012. Log : " + args.Message);
                            }

                        } break;

                    //10.10.0.254:514 : local4.notice %ASA-5-304001: 172.16.120.166 Accessed URL 209.85.149.106:/news/tbn/UpaJuRRf32EJ
                    case "304001":
                        {
                            rec.CustomStr3 = parts[1];

                            for (int i = 0; i < parts.Length; i++)
                            {
                                L.Log(LogType.FILE, LogLevel.INFORM, "Parts " + parts[i]);
                            }

                            rec.CustomStr2 = "";

                            for (int i = 2; i < parts.Length; i++)
                            {
                                if (!parts[i].Contains(":"))
                                {
                                    rec.CustomStr2 += parts[i] + " ";
                                }
                                else
                                {
                                    rec.CustomStr4 = parts[i].Split('/')[0].TrimEnd(':');

                                    string urlWithIp = parts[i];
                                    string urlWithoutIp = After(urlWithIp, "://");
                                    string realUrl = urlWithoutIp.Split('/')[0];
                                    rec.CustomStr9 = realUrl;
                                    rec.CustomStr10 = After(parts[i], "://");

                                    //for (int j = 1; j < realUrl.Split('/').Length; j++)
                                    //{
                                    //    rec.CustomStr10 += "/" + realUrl.Split('/')[j];
                                    //}

                                    if (rec.CustomStr4.ToLower().Contains(":http"))
                                    {
                                        rec.CustomStr4 = rec.CustomStr4.Replace(":http", " ").Trim();
                                    }
                                }
                            }
                            L.Log(LogType.FILE, LogLevel.INFORM, "CustomStr4 " + rec.CustomStr4);
                            rec.CustomStr2 = rec.CustomStr2.Trim();
                            rec.EventCategory = rec.CustomStr2;

                        } break;

                    case "419001":
                        {
                            L.Log(LogType.FILE, LogLevel.INFORM, "Boş içi. Hazırlanması lazım : 419001. Log : " + args.Message);
                        }
                        break;

                    //10.10.0.254:514 : local4.warning %ASA-4-419002: Duplicate TCP SYN from Inside:172.16.231.99/2268 to Inside:192.168.101.7/9100 with different initial sequence number
                    case "419002":
                        {

                            try
                            {
                                rec.CustomStr2 = "";
                                rec.CustomStr7 = "";

                                for (int i = 1; i < parts.Length; i++)
                                {
                                    if (!parts[i].Contains("from"))
                                    {
                                        rec.CustomStr2 += parts[i] + " ";
                                    }
                                    else
                                    {
                                        break;
                                    }
                                }
                                rec.CustomStr2 = rec.CustomStr2.Trim();
                                rec.EventCategory = rec.CustomStr2;

                                bool getRest = false;
                                for (int i = 1; i < parts.Length; i++)
                                {
                                    if (parts[i].Equals("from"))
                                    {

                                        rec.CustomStr3 = parts[i + 1].Split(new char[] { ':', '/' })[1];
                                        rec.CustomInt2 = Convert_To_Int32(parts[i + 1].Split(new char[] { ':', '/' })[2]);
                                    }
                                    else if (parts[i].ToLower().Equals("to"))
                                    {
                                        rec.CustomStr4 = parts[i + 1].Split(new char[] { ':', '/' })[1];
                                        rec.CustomInt3 = Convert_To_Int32(parts[i + 1].Split(new char[] { ':', '/' })[2]);
                                        getRest = true;
                                        i++;
                                    }
                                    else if (getRest)
                                    {
                                        rec.CustomStr7 += parts[i] + " ";
                                    }
                                    rec.CustomStr7 = rec.CustomStr7.Trim();
                                }
                            }
                            catch (Exception ex)
                            {
                                L.Log(LogType.FILE, LogLevel.DEBUG, "Error On : 419002. Log : " + args.Message);
                            }
                        }
                        break;
                    //10.10.0.254:514 : local4.warning %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 49 per second, max configured rate is 10; Current average rate is 63 per second, max configured rate is 5; Cumulative total count is 38337
                    case "733100":
                        {
                            rec.CustomStr2 = parts[2].TrimEnd(']');

                            rec.CustomStr8 = "";
                            for (int i = 3; i < parts.Length; i++)
                            {
                                rec.CustomStr8 += parts[i] + " ";
                            }

                            rec.CustomStr8 = rec.CustomStr8.Trim();
                            rec.CustomStr2 = rec.CustomStr2.Trim();
                            rec.EventCategory = rec.CustomStr2;

                        } break;

                    //10.10.0.254:514 : local4.error %ASA-3-313001: Denied ICMP type=3, code=1 from 195.140.196.2 on interface Outside
                    case "313001":
                        {
                            rec.CustomStr2 = "";
                            for (int i = 1; i < parts.Length; i++)
                            {
                                if (!parts[i].Contains("="))
                                    rec.CustomStr2 += parts[i] + " ";
                                else
                                    break;
                            }

                            rec.CustomStr2 = rec.CustomStr2.Trim();
                            rec.EventCategory = rec.CustomStr2;

                            bool continueStr2 = false;
                            for (int i = 1; i < parts.Length; i++)
                            {
                                if (parts[i].Contains("from"))
                                {
                                    rec.CustomStr3 = parts[i + 1];

                                }
                                if (parts[i].Contains("on"))
                                {
                                    continueStr2 = true;
                                }
                                if (continueStr2)
                                {
                                    rec.CustomStr2 += " " + parts[i];
                                }
                            }

                            rec.CustomStr2 = rec.CustomStr2.Trim();

                        } break;

                    //10.10.0.254:514 : local4.warning %ASA-4-313005: No matching connection for ICMP error message: icmp src Fabrikalar:172.16.210.109 dst Fabrikalar:11.11.11.33 (type 3, code 3) on Fabrikalar interface.  Original IP payload: udp src 11.11.11.33/58505 dst 224.0.0.252/5355.
                    //parts=ASA-4-313005: No matching connection for ICMP error message: icmp src Fabrikalar:172.16.210.109 dst Fabrikalar:11.11.11.33 (type 3, code 3) on Fabrikalar interface.  Original IP payload: udp src 11.11.11.33/58505 dst 224.0.0.252/5355.
                    case "313005":
                        {
                            rec.EventId = 313005;
                            rec.EventType = parts[5] + " " + parts[6];
                            rec.EventCategory = parts[1] + " " + parts[2] + " " + parts[3];
                            rec.SourceName = args.Message.Split(new char[] { ' ' }, StringSplitOptions.RemoveEmptyEntries)[2];
                            rec.CustomStr3 = parts[10].Split(new char[] { ':' })[1];
                            rec.CustomStr4 = parts[12].Split(new char[] { ':' })[1];
                            rec.CustomStr7 = parts[18] + " " + parts[19];
                            rec.CustomStr8 = parts[20] + " " + parts[21] + " " + parts[22];
                            rec.CustomStr5 = parts[25].Split(new char[] { '/' })[0];
                            rec.CustomStr6 = parts[27].Split(new char[] { '/' })[0];
                            rec.CustomInt2 = Convert_To_Int32(parts[25].Split(new char[] { '/' })[1]);
                            rec.CustomInt3 = Convert_To_Int32(parts[27].Split(new char[] { '/' })[1]);
                        } break;

                    //10.10.0.254:514 : local4.error %ASA-3-305006: portmap translation creation failed for icmp src Inside:192.168.125.15 dst Inside:192.168.2.200 (type 8, code 0)
                    //parts=ASA-3-305006: portmap translation creation failed for icmp src Inside:192.168.125.15 dst Inside:192.168.2.200 (type 8, code 0)
                    case "305006":
                        {
                            rec.EventId = 3005006;
                            rec.EventType = "";
                            rec.EventCategory = parts[1] + " " + parts[2] + " " + parts[3] + " " + parts[4];
                            rec.SourceName = args.Message.Split(new char[] { ' ' })[2];
                            rec.CustomStr3 = parts[8].Split(new char[] { ':' })[1];
                            rec.CustomStr4 = parts[10].Split(new char[] { ':' })[1];

                        } break;
                    //10.10.0.254:514 : local4.warning %ASA-4-410001: Dropped UDP DNS request from Fabrikalar:172.16.204.234/4521 to Outside:193.2.122.51/53; label length 154 bytes exceeds protocol limit of 63 bytes
                    case "410001":
                        {
                            rec.CustomStr2 = "";

                            for (int i = 1; i < parts.Length; i++)
                            {
                                if (!parts[i].Contains("from"))
                                    rec.CustomStr2 += parts[i] + " ";
                                else
                                    break;
                            }

                            bool getRest = false;
                            bool firstByteGot = false;

                            rec.CustomStr8 = "";

                            for (int i = 1; i < parts.Length; i++)
                            {
                                if (parts[i].Equals("from"))
                                {
                                    rec.CustomStr5 = parts[i + 1].Split(new char[] { ':', '/' })[0];
                                    rec.CustomStr3 = parts[i + 1].Split(new char[] { ':', '/' })[1];
                                    rec.CustomInt2 = Convert_To_Int32(parts[i + 1].Split(new char[] { ':', '/' })[2]);
                                }
                                else if (parts[i].ToLower().Equals("to"))
                                {
                                    rec.CustomStr6 = parts[i + 1].Split(new char[] { ':', '/' })[1];
                                    rec.CustomStr4 = parts[i + 1].Split(new char[] { ':', '/' })[1].TrimEnd(':');
                                    rec.CustomInt3 = Convert_To_Int32(parts[i + 1].Split(new char[] { ':', '/' })[2]);
                                    getRest = true;
                                    i++;
                                    continue;
                                }

                                if (getRest)
                                {
                                    rec.CustomStr8 += parts[i] + " ";
                                }

                                if (parts[i].Equals("bytes"))
                                {
                                    if (firstByteGot)
                                    {
                                        rec.CustomInt6 = Convert_To_Int32(parts[i - 1]);
                                    }
                                    else
                                    {
                                        rec.CustomInt5 = Convert_To_Int32(parts[i - 1]);
                                        firstByteGot = true;
                                    }
                                }
                            }

                            rec.CustomStr8 = rec.CustomStr8.Trim();
                            rec.CustomStr2 = rec.CustomStr2.Trim();
                            rec.EventCategory = rec.CustomStr2;

                        } break;

                    default:
                        {
                            L.Log(LogType.FILE, LogLevel.INFORM, "Event tanımlanmamış. Event ID : " + type + " , Log : " + args.Message);
                        }
                        break;
                }

                rec.SourceName = args.Source;

                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");

                if (args.Message.Length>4000)
                {
                    rec.Description = args.Message.Substring(0, 3999);
                }
                else
                {
                    rec.Description = args.Message;
                }

                L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
                if (usingRegistry)
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
                    s.SetData(rec);
                }
                else
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
                    s.SetData(Dal, virtualhost, rec);
                    s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");

            }
            catch (Exception er)
            {
                L.LogTimed(LogType.FILE, LogLevel.ERROR, er.ToString());
                L.LogTimed(LogType.FILE, LogLevel.ERROR, args.Message);
            }
        }
        public Rec ParseSpecific(String line, bool dontSend, LogMgrEventArgs args)
        {
            L.Log(LogType.FILE, LogLevel.DEBUG, " ParseSpecific() | Parsing Specific line. Line : " + line);
            if (string.IsNullOrEmpty(line))
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, " ParseSpecific() | Line is Null Or Empty. ");

            }
            CustomBase.Rec rec = new CustomBase.Rec();

            rec.LogName = "PaloAltoTrafficV_1_0_1SyslogRecorder";
            //rec.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");
            rec.EventType = args.EventLogEntType.ToString();

            if (!string.IsNullOrEmpty(remote_host))
                rec.ComputerName = remote_host;

            rec.Description = args.Message;

            if (rec.Description.Length > 899)
            {
                rec.Description = rec.Description.Substring(0, 899);
            }
            else
            {
                rec.Description = rec.Description;
            }

            //rec.Description = args.Message.Replace("'", "|");

            L.Log(LogType.FILE, LogLevel.DEBUG, " Source Is : " + args.Source.ToString());
            rec.SourceName = args.Source;
            L.Log(LogType.FILE, LogLevel.INFORM, " Log : " + args.Message);

            if (!dontSend)
            {
                string[] parts = line.Split(',');
                try
                {
                    for (int i = 0; i < parts.Length; i++)
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, " ParseSpecific() Parts[" + i + "]: " + parts[i]);
                    }
                    string type01 = parts[3];
                    if (type01 == "TRAFFIC")
                    {
                        #region TRAFFIC
                        try
                        {
                            rec.Datetime = Convert.ToDateTime(parts[6]).ToString("yyyy-MM-dd HH:mm:ss");//Date time conversion requeired.
                        }
                        catch (Exception ex)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, " ParseSpecific() | There is a problem converting to date.  date : " + parts[4]);
                        }

                        rec.CustomStr1 = StringParsingOperation(parts[18], 18, "CustomStr1", parts.Length);
                        rec.CustomStr2 = StringParsingOperation(parts[19], 19, "CustomStr2", parts.Length);
                        rec.CustomStr3 = StringParsingOperation(parts[7], 7, "CustomStr3", parts.Length);
                        rec.CustomStr4 = StringParsingOperation(parts[8], 8, "CustomStr4", parts.Length);
                        rec.CustomStr5 = StringParsingOperation(parts[9], 9, "CustomStr5", parts.Length);
                        rec.CustomStr6 = StringParsingOperation(parts[10], 10, "CustomStr6", parts.Length);
                        rec.CustomStr7 = StringParsingOperation(parts[29], 29, "CustomStr7", parts.Length);
                        rec.CustomStr8 = StringParsingOperation(parts[4], 4, "CustomStr8", parts.Length);
                        rec.CustomStr9 = StringParsingOperation(parts[3], 3, "CustomStr9", parts.Length);
                        rec.CustomStr10 = StringParsingOperation(parts[14], 14, "CustomStr10", parts.Length);

                        rec.UserName = StringParsingOperation(parts[12], 12, "UserName", parts.Length);
                        rec.EventType = StringParsingOperation(parts[30], 30, "EventType", parts.Length);
                        rec.EventCategory = StringParsingOperation(parts[37], 37, "EventCategory", parts.Length);

                        rec.CustomInt1 = IntegerParsingOperation(parts[0], 0, "rec.CustomInt1", parts.Length);
                        rec.CustomInt2 = IntegerParsingOperation(parts[23], 23, "rec.CustomInt2", parts.Length);
                        rec.CustomInt3 = IntegerParsingOperation(parts[24], 24, "rec.CustomInt3", parts.Length);
                        rec.CustomInt4 = IntegerParsingOperation(parts[25], 25, "rec.CustomInt4", parts.Length);
                        rec.CustomInt5 = IntegerParsingOperation(parts[26], 26, "rec.CustomInt5", parts.Length);
                        rec.CustomInt6 = IntegerParsingOperation(parts[27], 27, "rec.CustomInt6", parts.Length);
                        rec.CustomInt7 = IntegerParsingOperation(parts[22], 22, "rec.CustomInt7", parts.Length);
                        rec.CustomInt8 = IntegerParsingOperation(parts[32], 32, "rec.CustomInt8", parts.Length);
                        rec.CustomInt9 = IntegerParsingOperation(parts[33], 33, "rec.CustomInt9", parts.Length);
                        rec.CustomInt10 = IntegerParsingOperation(parts[36], 36, "rec.CustomInt10", parts.Length);
                        #endregion TRAFFIC
                    }

                    else if (type01 == "THREAT")
                    {
                        #region THREAT
                        try
                        {
                            rec.Datetime = Convert.ToDateTime(parts[1]).ToString("yyyy-MM-dd HH:mm:ss");//Date time conversion requeired.
                            L.Log(LogType.FILE, LogLevel.DEBUG, " ParseSpecific() -- Datetime : " + rec.Datetime);
                        }
                        catch (Exception ex)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, " ParseSpecific() | There is a problem converting to date.  date : " + parts[4]);
                        }

                        string eventType = parts[30];
                        if (eventType.ToLower() == "alert")
                        {
                            rec.EventCategory = StringParsingOperation(parts[4], 4, "EventCategory", parts.Length);
                            rec.EventType = StringParsingOperation(parts[30], 30, "EventType", parts.Length);
                            rec.ComputerName = StringParsingOperation(parts[0].Split(':')[0], 0, "ComputerName", parts.Length);

                            rec.CustomStr1 = StringParsingOperation(parts[31].Split('/')[0], 31, "CustomStr1", parts.Length);
                            rec.CustomStr2 = StringParsingOperation(parts[31].Split('/')[1], 31, "CustomStr2", parts.Length);
                            rec.CustomStr3 = StringParsingOperation(parts[7], 7, "CustomStr3", parts.Length);
                            rec.CustomStr4 = StringParsingOperation(parts[8], 8, "CustomStr4", parts.Length);
                            rec.CustomStr5 = StringParsingOperation(parts[9], 9, "CustomStr5", parts.Length);
                            rec.CustomStr6 = StringParsingOperation(parts[10], 10, "CustomStr6", parts.Length);
                            rec.CustomStr7 = StringParsingOperation(parts[29], 29, "CustomStr7", parts.Length);
                            rec.CustomStr8 = StringParsingOperation(parts[4], 4, "CustomStr8", parts.Length);
                            rec.CustomStr9 = StringParsingOperation(parts[3], 3, "CustomStr9", parts.Length);
                            rec.CustomStr10 = StringParsingOperation(parts[14], 14, "CustomStr10", parts.Length);

                            rec.CustomInt1 = IntegerParsingOperation(parts[40], 40, "rec.CustomInt1", parts.Length);
                            rec.CustomInt2 = IntegerParsingOperation(parts[5], 5, "rec.CustomInt2", parts.Length);
                            rec.CustomInt3 = IntegerParsingOperation(parts[24], 24, "rec.CustomInt3", parts.Length);
                            rec.CustomInt4 = IntegerParsingOperation(parts[25], 25, "rec.CustomInt4", parts.Length);
                            rec.CustomInt5 = IntegerParsingOperation(parts[22], 22, "rec.CustomInt5", parts.Length);
                            rec.CustomInt6 = IntegerParsingOperation(parts[27], 27, "rec.CustomInt6", parts.Length);
                            rec.CustomInt7 = IntegerParsingOperation(parts[26], 26, "rec.CustomInt7", parts.Length);
                            rec.CustomInt10 = IntegerParsingOperation(parts[36], 36, "rec.CustomInt10", parts.Length);
                        }
                        else if (eventType.ToLower() == "block-url")
                        {
                            rec.ComputerName = StringParsingOperation(parts[0].Split(':')[0] + ":" + parts[0].Split(':')[1], 0, "ComputerName", parts.Length);
                            rec.EventCategory = StringParsingOperation(parts[37], 37, "EventCategory", parts.Length);
                            rec.EventType = StringParsingOperation(parts[30], 30, "EventType", parts.Length);
                            rec.CustomStr1 = StringParsingOperation(parts[31].Split('/')[0], 31, "CustomStr1", parts.Length);
                            rec.CustomStr2 = StringParsingOperation(parts[31], 31, "CustomStr2", parts.Length);
                            rec.CustomStr3 = StringParsingOperation(parts[7], 7, "CustomStr3", parts.Length);
                            rec.CustomStr4 = StringParsingOperation(parts[8], 8, "CustomStr4", parts.Length);
                            rec.CustomStr5 = StringParsingOperation(parts[9], 9, "CustomStr5", parts.Length);
                            rec.CustomStr6 = StringParsingOperation(parts[10], 10, "CustomStr6", parts.Length);
                            rec.CustomStr7 = StringParsingOperation(parts[29], 29, "CustomStr7", parts.Length);
                            rec.CustomStr8 = StringParsingOperation(parts[4], 4, "CustomStr8", parts.Length);
                            rec.CustomStr9 = StringParsingOperation(parts[3], 3, "CustomStr9", parts.Length);
                            rec.CustomStr10 = StringParsingOperation(parts[14], 14, "CustomStr10", parts.Length);

                            rec.CustomInt1 = IntegerParsingOperation(parts[40], 40, "CustomInt1", parts.Length);
                            rec.CustomInt2 = IntegerParsingOperation(parts[5], 5, "CustomInt2", parts.Length);
                            rec.CustomInt3 = IntegerParsingOperation(parts[24], 24, "CustomInt3", parts.Length);
                            rec.CustomInt4 = IntegerParsingOperation(parts[25], 25, "CustomInt4", parts.Length);
                            rec.CustomInt5 = IntegerParsingOperation(parts[26], 26, "CustomInt5", parts.Length);
                            rec.CustomInt6 = IntegerParsingOperation(parts[27], 27, "CustomInt6", parts.Length);
                            rec.CustomInt10 = IntegerParsingOperation(parts[36], 36, "CustomInt10", parts.Length);
                        }
                        else if (eventType.ToLower() == "drop-all-packets")
                        {
                            rec.ComputerName = StringParsingOperation(parts[0].Split(':')[0] + ":" + parts[0].Split(':')[1], 0, "ComputerName", parts.Length);
                            rec.EventCategory = StringParsingOperation(parts[33], 33, "EventCategory", parts.Length);
                            rec.EventType = StringParsingOperation(parts[37], 37, "EventType", parts.Length);
                            rec.CustomStr1 = StringParsingOperation(parts[18], 18, "CustomStr1", parts.Length);
                            rec.CustomStr2 = StringParsingOperation(parts[19], 19, "CustomStr2", parts.Length);
                            rec.CustomStr3 = StringParsingOperation(parts[7], 7, "CustomStr3", parts.Length);
                            rec.CustomStr4 = StringParsingOperation(parts[8], 8, "CustomStr4", parts.Length);
                            rec.CustomStr5 = StringParsingOperation(parts[9], 9, "CustomStr5", parts.Length);
                            rec.CustomStr6 = StringParsingOperation(parts[10], 10, "CustomStr6", parts.Length);
                            rec.CustomStr7 = StringParsingOperation(parts[29], 29, "CustomStr7", parts.Length);
                            rec.CustomStr8 = StringParsingOperation(parts[33], 33, "CustomStr8", parts.Length);
                            rec.CustomStr9 = StringParsingOperation(parts[3], 3, "CustomStr9", parts.Length);
                            rec.CustomStr10 = StringParsingOperation(parts[14], 14, "CustomStr10", parts.Length);

                            rec.CustomInt1 = IntegerParsingOperation(parts[40], 40, "CustomInt1", parts.Length);
                            rec.CustomInt2 = IntegerParsingOperation(parts[5], 5, "CustomInt2", parts.Length);
                            rec.CustomInt3 = IntegerParsingOperation(parts[22], 22, "CustomInt3", parts.Length);
                            rec.CustomInt4 = IntegerParsingOperation(parts[23], 23, "CustomInt4", parts.Length);
                            rec.CustomInt5 = IntegerParsingOperation(parts[24], 24, "CustomInt5", parts.Length);
                            rec.CustomInt6 = IntegerParsingOperation(parts[25], 25, "CustomInt6", parts.Length);
                            rec.CustomInt7 = IntegerParsingOperation(parts[26], 26, "CustomInt7", parts.Length);
                            rec.CustomInt8 = IntegerParsingOperation(parts[27], 27, "CustomInt8", parts.Length);
                            rec.CustomInt10 = IntegerParsingOperation(parts[36], 36, "CustomInt10", parts.Length);
                        }
                        #endregion THREAT
                    }
                }
                catch (Exception ex)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, " ParseSpecific() | " + ex.Message);
                    L.Log(LogType.FILE, LogLevel.ERROR, " ParseSpecific() | " + ex.StackTrace);
                    L.Log(LogType.FILE, LogLevel.ERROR, " ParseSpecific() | Line : " + line);
                }
            }
            return rec;
        }
        /// <summary>
        /// Handles one syslog event for the SurMail recorder: fills a <c>CustomBase.Rec</c> from
        /// <c>args.Message</c> and hands it to the "Security Manager Sender" service (when
        /// <c>usingRegistry</c> is set) or to the "Security Manager Remote Recorder" service.
        /// </summary>
        /// <remarks>
        /// Parsing is best-effort: every failure is logged and swallowed, and the record is sent
        /// with whatever fields were populated before the failure.
        /// NOTE(review): the message text is syslog input, presumably supplied by a remote host.
        /// Only Description has its single quotes replaced; UserName, SourceName, EventType and
        /// CustomStr3/4 are copied from the message unchanged. If the SetData sink builds SQL by
        /// string concatenation (not visible here), those fields need parameterised queries
        /// rather than character substitution. Confirm against the sink.
        /// </remarks>
        /// <param name="args">Event whose <c>Message</c> holds the raw syslog line.</param>
        void slog_SyslogEvent(LogMgrEventArgs args)
        {
            CustomBase.Rec rec = new CustomBase.Rec();

            try
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
                try
                {
                    rec.LogName = "SurMailSyslogV_1_0_0Recorder";
                    string line = args.Message;
                    string[] lineArr = SpaceSplit(line, false);

                    // Every token of the raw message is written to the recorder log at DEBUG level.
                    // NOTE(review): if L.Log does not neutralise CR/LF, message content can forge
                    // lines in this log file. Confirm.
                    for (int i = 0; i < lineArr.Length; i++)
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "lineArr: " + lineArr[i]);
                    }

                    try
                    {
                        // The timestamp is assembled from tokens 3, 4 and 5 plus the CURRENT year.
                        // NOTE(review): an entry from late December that is processed after New Year
                        // is stamped with the new year; Convert.ToDateTime(string) also parses with
                        // the current culture. A message with fewer than six tokens throws here and
                        // leaves rec.Datetime unset.
                        int year = DateTime.Now.Year;
                        string myDateString = lineArr[3] + " " + lineArr[4] + " " + year + " " + lineArr[5];
                        DateTime dt = Convert.ToDateTime(myDateString);
                        string s = dt.ToString("yyyy-MM-dd HH:mm:ss");
                        rec.Datetime = s;
                        L.Log(LogType.FILE, LogLevel.DEBUG, "Datetime: " + rec.Datetime);
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "DateTime Error: " + exception.Message);
                    }

                    rec.UserName = Between(line, "[", "]");
                    // NOTE(review): the next line is damaged in this listing. The text between the
                    // "UserName: " log call and the ":" test that opens the following block is
                    // missing; restore it from the original source before building.
                    L.Log(LogType.FILE, LogLevel.DEBUG, "UserName: "******":"))
                    {
                        rec.SourceName = lineArr[0].Split(':')[0];

                        L.Log(LogType.FILE, LogLevel.DEBUG, "SourceName: " + rec.SourceName);
                        // The part of token 0 after the first ':' is stored as an integer in CustomInt1.
                        try
                        {
                            rec.CustomInt1 = Convert.ToInt32(lineArr[0].Split(':')[1]);
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt1: " + rec.CustomInt1);
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt1 type casting error: " + exception.Message);
                        }
                    }

                    if (line.Contains("sender:") || line.Contains("recipient:"))
                    {
                        // The token that follows "sender:" / "recipient:" is taken as the address.
                        // NOTE(review): lineArr[i + 1] is read without a bounds check. When the keyword
                        // is the last token, the IndexOutOfRangeException lands in the catch below,
                        // which skips the rest of parsing (EventType, Description) while the record
                        // is still sent.
                        for (int i = 0; i < lineArr.Length; i++)
                        {
                            if (lineArr[i].Trim() == "sender:")
                            {
                                rec.CustomStr3 = lineArr[i + 1];
                            }

                            if (lineArr[i].Trim() == "recipient:")
                            {
                                rec.CustomStr4 = lineArr[i + 1];
                            }
                        }

                        // When both keywords are present, the recipient-based value wins because it is assigned last.
                        if (line.Contains("sender:"))
                        {
                            rec.EventType = Between(line, "surmail-queue :", "for sender:");
                        }

                        if (line.Contains("recipient:"))
                        {
                            rec.EventType = Between(line, "surmail-queue :", "for recipient:");
                        }
                    }

                    // NOTE(review): the 899-character truncation below has no effect. The assignment
                    // after the if/else overwrites Description with the full, untruncated message.
                    if (args.Message.Length > 899)
                        rec.Description = args.Message.Substring(0, 899);
                    else
                        rec.Description = args.Message;

                    // Single quotes become '|'. This looks like quote-neutralising for a downstream
                    // SQL sink (to be confirmed) and it is applied to Description only.
                    rec.Description = args.Message.Replace("'", "|");

                }
                catch (Exception e)
                {
                    // Parsing failures are logged at DEBUG, not ERROR, so a logger filtered above
                    // DEBUG will not show them.
                    L.Log(LogType.FILE, LogLevel.DEBUG, "ERROR------------");
                    L.Log(LogType.FILE, LogLevel.DEBUG, e.Message);
                    L.Log(LogType.FILE, LogLevel.DEBUG, e.StackTrace);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
                // The record is sent even when parsing failed part-way through.
                if (usingRegistry)
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
                    s.SetData(rec);
                }
                else
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
                    s.SetData(Dal, virtualhost, rec);
                    // rec.Datetime is passed as both the second and the last argument; the meaning
                    // of the SetReg parameters is not visible here.
                    s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
            }
            catch (Exception er)
            {
                // Last-resort handler: logs the exception and the raw message that triggered it.
                L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
                L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
            }
        }
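        /// <summary>
        /// Handles one syslog event for the IlbankF5User recorder: extracts the event category and
        /// the per-category fields from <c>args.Message</c>, then forwards the record to the
        /// "Security Manager Remote Recorder" service.
        /// </summary>
        /// <remarks>
        /// Empty messages are ignored. Field extraction is best-effort: each field has its own
        /// try/catch so one malformed token does not stop the remaining fields from being read.
        /// The record is forwarded only when both EventCategory and Description are non-empty.
        /// NOTE(review): the message is syslog input, presumably supplied by a remote host. Only
        /// Description has its single quotes replaced; the CustomStr* fields and EventCategory are
        /// copied from the message unchanged. If the SetData sink builds SQL by string
        /// concatenation (not visible here), it needs parameterised queries rather than character
        /// substitution. Confirm against the sink.
        /// </remarks>
        /// <param name="args">Event whose <c>Message</c> holds the raw syslog line.</param>
        void SlogSyslogEvent(LogMgrEventArgs args)
        {
            Rec rec = new Rec();

            try
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
                // NOTE(review): the raw message is written to the recorder log as-is; if L.Log does
                // not neutralise CR/LF, message content can forge lines in this log file. Confirm.
                L.Log(LogType.FILE, LogLevel.DEBUG, "Log: " + args.Message);

                string line = args.Message;

                if (string.IsNullOrEmpty(line))
                {
                    return;
                }

                char[] separator = new char[] { ' ' };
                string[] lineArr = line.Split(separator, StringSplitOptions.None);
                try
                {
                    rec.LogName = "IlbankF5UserV_1_0_0Recorder";
                    // The record is stamped with the local receive time, not a time taken from the message.
                    rec.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");

                    // The category is the text after "F5-1" and before the next ':'.
                    string tmpEventCategory1 = After(line, "F5-1");
                    string tmpEventCategory2 = Before(tmpEventCategory1, ":");
                    rec.EventCategory = tmpEventCategory2;

                    if (rec.EventCategory.Contains("tmm"))
                    {
                        string subLine = After(line, tmpEventCategory2);

                        try
                        {
                            rec.CustomStr1 = After(subLine, "Server:").Split(' ')[0];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr1: " + rec.CustomStr1);
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr1 parsing error: " + exception.Message);
                        }

                        try
                        {
                            // The meaning of the fourth Between argument is not visible here.
                            rec.CustomStr3 = Between(subLine, "ClientIP:", "***", 1);
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr3 parsing error: " + exception.Message);
                        }

                        try
                        {
                            rec.CustomStr4 = After(subLine, "Server:").Split(' ')[1];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4: " + rec.CustomStr4);
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr4 parsing error: " + exception.Message);
                        }

                        try
                        {
                            // Last space-separated token of the sub-line; split once instead of twice.
                            string[] subLineParts = subLine.Split(' ');
                            rec.CustomStr5 = subLineParts[subLineParts.Length - 1];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr5: " + rec.CustomStr5);
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr5 parsing error: " + exception.Message);
                        }

                        try
                        {
                            rec.CustomInt3 = Convert.ToInt32(Between(subLine, "ClientPort:", "***", 0));
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt3: " + rec.CustomInt3);
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt3 type casting error: " + exception.Message);
                            // A port that is not a valid integer is recorded as 0.
                            rec.CustomInt3 = 0;
                        }
                    }

                    if (tmpEventCategory2.Trim() == "info logger")
                    {
                        // Fields are read by fixed token position; each read is guarded by a length
                        // check so a short line leaves the field unset.
                        if (Between(line, "[", "]", 1) == "ssl_acc")
                        {
                            try
                            {
                                if (lineArr.Length > 15)
                                {
                                    rec.CustomStr1 = lineArr[15].Replace('"', ' ').Trim();
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr1: " + rec.CustomStr1);
                                }
                            }
                            catch (Exception exception)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr1 parsing error: " + exception.Message);
                            }

                            try
                            {
                                if (lineArr.Length > 10)
                                {
                                    rec.CustomStr3 = lineArr[10];
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
                                }
                            }
                            catch (Exception exception)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr3 parsing error: " + exception.Message);
                            }

                            try
                            {
                                if (lineArr.Length > 11)
                                {
                                    rec.CustomStr4 = lineArr[11];
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4: " + rec.CustomStr4);
                                }
                            }
                            catch (Exception exception)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr4 parsing error: " + exception.Message);
                            }

                            try
                            {
                                if (lineArr.Length > 12)
                                {
                                    rec.CustomStr5 = lineArr[12];
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr5: " + rec.CustomStr5);
                                }
                            }
                            catch (Exception exception)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr5 parsing error: " + exception.Message);
                            }

                            try
                            {
                                if (lineArr.Length > 16)
                                {
                                    rec.CustomStr6 = lineArr[16];
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr6: " + rec.CustomStr6);
                                }
                            }
                            catch (Exception exception)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr6 parsing error: " + exception.Message);
                            }

                            try
                            {
                                if (lineArr.Length > 17)
                                {
                                    rec.CustomStr7 = lineArr[17];
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr7: " + rec.CustomStr7);
                                }
                            }
                            catch (Exception exception)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr7 parsing error: " + exception.Message);
                            }
                        }

                        if (Between(line, "[", "]", 1) == "ssl_req")
                        {
                            try
                            {
                                if (lineArr.Length > 14)
                                {
                                    rec.CustomStr1 = lineArr[14].Replace('"', ' ').Trim();
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr1: " + rec.CustomStr1);
                                }
                            }
                            catch (Exception exception)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr1 parsing error: " + exception.Message);
                            }

                            try
                            {
                                if (lineArr.Length > 13)
                                {
                                    rec.CustomStr2 = lineArr[12] + " " + lineArr[13];
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2: " + rec.CustomStr2);
                                }
                            }
                            catch (Exception exception)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr2 parsing error: " + exception.Message);
                            }

                            try
                            {
                                if (lineArr.Length > 11)
                                {
                                    rec.CustomStr3 = lineArr[11];
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
                                }
                            }
                            catch (Exception exception)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr3 parsing error: " + exception.Message);
                            }

                            try
                            {
                                if (lineArr.Length > 15)
                                {
                                    rec.CustomStr6 = lineArr[15];
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr6: " + rec.CustomStr6);
                                }
                            }
                            catch (Exception exception)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr6 parsing error: " + exception.Message);
                            }

                            try
                            {
                                if (lineArr.Length > 17)
                                {
                                    rec.CustomStr7 = lineArr[17];
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr7: " + rec.CustomStr7);
                                }
                            }
                            catch (Exception exception)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr7 parsing error: " + exception.Message);
                            }
                        }
                    }
                }
                catch (Exception e)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Log Parsing Error. " + e.Message);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish record parsing.");
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");

                try
                {
                    // Fix: the quote replacement used to be applied to args.Message again, which
                    // discarded the truncation on the previous line. It now runs on the truncated
                    // text, so the length limit actually holds (a 1:1 character swap keeps the length).
                    string description = args.Message.Length > 899 ? args.Message.Substring(0, 890) : args.Message;
                    // Single quotes become '|'. This looks like quote-neutralising for a downstream
                    // SQL sink (to be confirmed) and it is applied to Description only.
                    rec.Description = description.Replace("'", "|");

                    if (!string.IsNullOrEmpty(rec.EventCategory) && !string.IsNullOrEmpty(rec.Description))
                    {
                        CustomServiceBase s = GetInstanceService("Security Manager Remote Recorder");
                        s.SetData(Dal, virtualhost, rec);
                        // rec.Datetime is passed as both the second and the last argument; the
                        // meaning of the SetReg parameters is not visible here.
                        s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
                    }
                }
                catch (Exception exception)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Record sending error. " + exception.Message);
                }

                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
            }
            catch (Exception er)
            {
                // Last-resort handler: logs the exception and the raw message that triggered it.
                L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
                L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
            }
        }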
        /// <summary>
        /// Handles one syslog event for the WebSense Mail Security recorder: fills a
        /// <c>CustomBase.Rec</c> from <c>args.Message</c> (fixed token positions plus key=value
        /// lookups) and hands it to the "Security Manager Sender" service (when
        /// <c>usingRegistry</c> is set) or to the "Security Manager Remote Recorder" service.
        /// </summary>
        /// <remarks>
        /// Parsing is best-effort: failures are logged and swallowed, and the record is sent with
        /// whatever fields were populated before the failure.
        /// NOTE(review): the message is syslog input, presumably supplied by a remote host. Only
        /// Description has its single quotes replaced; the other fields are copied from the
        /// message unchanged. If the SetData sink builds SQL by string concatenation (not visible
        /// here), it needs parameterised queries rather than character substitution. Confirm.
        /// </remarks>
        /// <param name="args">Event whose <c>Message</c> holds the raw syslog line.</param>
        void slog_SyslogEvent(LogMgrEventArgs args)
        {
            L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
            // The full raw message is logged at INFORM level.
            // NOTE(review): if L.Log does not neutralise CR/LF, message content can forge lines
            // in this log file. Confirm.
            L.Log(LogType.FILE, LogLevel.INFORM, " Log : " + args.Message);
            CustomBase.Rec rec = new CustomBase.Rec();
            try
            {
                try
                {
                    rec.LogName = "WebSenseMailSecuritySyslogV_1_0_0Recorder";
                    // The record is stamped with the local receive time, not a time taken from the message.
                    rec.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");
                    // Provisional value; overwritten further down by the "act=" lookup.
                    rec.EventType = args.EventLogEntType.ToString();
                    #region Description
                    // NOTE(review): the 899-character truncation below has no effect. The assignment
                    // after the if/else overwrites Description with the full, untruncated message.
                    if (args.Message.Length > 899)
                    {
                        rec.Description = args.Message.Substring(0, 899);
                    }
                    else
                    {
                        rec.Description = args.Message;
                    }
                    // Single quotes become '|'. This looks like quote-neutralising for a downstream
                    // SQL sink (to be confirmed) and it is applied to Description only.
                    rec.Description = args.Message.Replace("'", "|");
                    #endregion

                    string line = args.Message;
                    string[] lineArr = SpaceSplit(line, true);
                    try
                    {
                        // Token 7 is taken as the source name when the line is long enough.
                        if (lineArr.Length > 7)
                        {
                            rec.SourceName = lineArr[7];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "SourceName: " + rec.SourceName);
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "SourceName Error: " + exception.Message);
                    }

                    try
                    {
                        // Token 8 is used verbatim when it contains '|'; otherwise the "src=" value is looked up.
                        if (lineArr.Length > 8 && lineArr[8].Contains("|"))
                        {
                            rec.CustomStr5 = lineArr[8];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr5: " + rec.CustomStr5);
                        }
                        else
                        {
                            rec.CustomStr5 = GetStringValue(lineArr, "CustomStr5", "src=");
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr5 Error: " + exception.Message);
                    }

                    rec.ComputerName = GetStringValue(lineArr, "ComputerName", "dvc=");
                    // NOTE(review): this lookup key contains non-ASCII letters. Confirm it is the
                    // intended key and not an encoding artefact of this listing.
                    rec.CustomStr1 = GetStringValue(lineArr, "CustomStr1", "üşer=");

                    if (string.IsNullOrEmpty(rec.CustomStr1))
                    {
                        // NOTE(review): the next line is damaged in this listing. The text between the
                        // "duser=" lookup and the '|' test that guards the EventCategory assignment
                        // is missing; restore it from the original source before building.
                        rec.CustomStr1 = GetStringValue(lineArr, "CustomStr1", "duser="******"|"))
                        {
                            rec.EventCategory = lineArr[i].Split('|')[4];
                        }
                    }

                    // Replaces the provisional EventType set at the top of this block.
                    rec.EventType = GetStringValue(lineArr, "EventType", "act=");
                    rec.CustomStr2 = Between(line, "msg=", "in=");
                    // NOTE(review): the next line is damaged in this listing. The end of the "suser="
                    // lookup and the start of the CustomStr4 "dst=" lookup are missing; restore them
                    // from the original source before building.
                    rec.CustomStr3 = GetStringValue(lineArr, "CustomStr3", "suser="******"CustomStr4", "dst=");

                    rec.CustomStr6 = GetStringValue(lineArr, "CustomStr6", "deviceDirection=");
                    rec.CustomStr7 = GetStringValue(lineArr, "CustomStr7", "deviceFacility=");

                    rec.CustomInt6 = GetIntValue(lineArr, "CustomInt6", "externalId=");
                    rec.CustomInt7 = GetIntValue(lineArr, "CustomInt7", "messageId=");
                    rec.CustomInt8 = GetIntValue(lineArr, "CustomInt8", "rt=");
                }
                catch (Exception e)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "ERROR------------");
                    L.Log(LogType.FILE, LogLevel.ERROR, e.Message);
                    L.Log(LogType.FILE, LogLevel.ERROR, e.StackTrace);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
                // The record is sent even when parsing failed part-way through.
                if (usingRegistry)
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
                    s.SetData(rec);
                }
                else
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
                    s.SetData(Dal, virtualhost, rec);
                    // rec.Datetime is passed as both the second and the last argument; the meaning
                    // of the SetReg parameters is not visible here.
                    s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
            }
            catch (Exception er)
            {
                // Last-resort handler: logs the exception and the raw message that triggered it.
                L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
                L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
            }
        }
        void slog_SyslogEvent(LogMgrEventArgs args)
        {
            CustomBase.Rec rec = new CustomBase.Rec();
            try
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
                L.Log(LogType.FILE, LogLevel.DEBUG, "Line Is : "+ args.Message);

                rec.LogName = "CiscoPixFW Recorder";

                rec.EventType = args.EventLogEntType.ToString();
                //rec.Description = args.Message;

                String[] Desc = args.Message.Split(':');

                if (args.Message == "")
                {
                    return;
                }

                if (Desc.Length < 6)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 6: " + args.Message);
                    return;
                }

                for (Int32 i = 0; i < Desc.Length; ++i)
                {
                    Desc[i] = Desc[i].Trim();
                }

                if (logType == 0)
                {
                    Desc[5] = Desc[5].TrimStart('%');
                    String[] pixArr = Desc[5].Split('-');

                    if (pixArr.Length < 3)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "Error for log format --> Event id not like this format %FWSM-6-302014");
                        return;
                    }

                    String[] dateArr = SpaceSplit(Desc[2]);
                    if (dateArr.Length < 4)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 4: " + args.Message);
                        return;
                    }

                    try
                    {
                        string[] tempdate;
                        tempdate = Desc[2].Split(' ');
                        string date = "";
                        date = tempdate[2] + "/" + tempdate[1] + "/" + tempdate[3] + " " + tempdate[4] + ":" + Desc[3] + ":" + Desc[4].Split(' ')[0];
                        DateTime dt = DateTime.Parse(date.ToString());
                        rec.Datetime = dt.ToString("yyyy/MM/dd HH:mm:ss");
                    }
                    catch (Exception ex)
                    {
                       L.Log(LogType.FILE, LogLevel.ERROR, ex.Message);
                       L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace);
                    }

                    rec.EventId = Convert.ToInt64(pixArr[2]);

                    bool errorControl = false;

                    switch (pixArr[2])
                    {
                        #region 111008
                        case "111008":
                            {
                                try
                                {
                                    rec.UserName = SpaceSplit(Desc[6])[1].Trim('\'');
                                    rec.EventType = "Command Execution";
                                    for (int i = 4; i < SpaceSplit(Desc[6]).Length - 1; i++)
                                        rec.CustomStr1 += " " + SpaceSplit(Desc[6])[i];
                                    rec.CustomStr1.Trim(' ').Trim('\'');
                                }
                                catch (Exception ex)
                                {
                                    L.Log(LogType.FILE, LogLevel.ERROR, "Error for 111008  ");
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.Message);
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace);
                                    errorControl = true;
                                }
                            }
                            break;
                        #endregion
                        #region 106023
                        case "106023":
                            {
                                try
                                {
                                    rec.CustomStr2 = Desc[6];
                                    String[] arrDeny = Desc[7].Split(' ');
                                    String[] arrDenyIp = arrDeny[0].Split('/');

                                    rec.CustomStr3 = arrDenyIp[0];
                                    if (arrDenyIp.Length > 1)
                                        rec.CustomInt1 = Convert.ToInt32(arrDenyIp[1]);

                                    String[] arrDenyDesc = Desc[8].Split(' ');
                                    String[] arrDenyDescIp = arrDenyDesc[0].Split('/');

                                    StringBuilder sbTempDeny = new StringBuilder();
                                    sbTempDeny.Append(rec.CustomStr2).Append(" ");
                                    for (Int32 i = 1; i < arrDeny.Length; i++)
                                        sbTempDeny.Append(arrDeny[i]).Append(" ");
                                    rec.CustomStr2 = sbTempDeny.ToString().Trim();
                                    rec.CustomStr4 = arrDenyDescIp[0];
                                    if (arrDenyDescIp.Length > 1)
                                        rec.CustomInt2 = Convert.ToInt32(arrDenyDescIp[1]);

                                    StringBuilder sbTempDescDeny = new StringBuilder();
                                    sbTempDescDeny.Append(rec.CustomStr2).Append(" ");
                                    for (Int32 i = 1; i < arrDenyDesc.Length; ++i)
                                    {
                                        sbTempDescDeny.Append(arrDenyDesc[i]).Append(" ");
                                    }
                                    sbTempDescDeny.Remove(sbTempDescDeny.Length - 1, 1);
                                    rec.CustomStr2 = sbTempDescDeny.ToString();
                                }
                                catch (Exception ex)
                                {
                                    L.Log(LogType.FILE, LogLevel.ERROR, "Error for 106023  ");
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.Message);
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace);
                                    errorControl = true;
                                }
                                break;
                            }
                        #endregion
                        #region 302014 & 302016
                        case "302014":
                        case "302016":
                            {
                                try
                                {
                                    String[] arrInbound = Desc[6].Split(':');
                                    String[] x1 = null;
                                    String[] x2 = null;
                                    String[] x3 = null;
                                    String[] x5 = null;

                                    if (arrInbound.Length > 4)
                                    {
                                        x1 = arrInbound[0].Trim().Split(' ');
                                        x2 = arrInbound[1].Trim().Split(' ');
                                        x3 = arrInbound[2].Trim().Split(' ');
                                        x5 = arrInbound[4].Trim().Split(' ');
                                    }
                                    else if (arrInbound.Length == 1 && Desc.Length > 10)
                                    {
                                        x1 = Desc[6].Split(' ');
                                        x2 = Desc[7].Split(' ');
                                        x3 = Desc[8].Split(' ');
                                        x5 = Desc[10].Split(' ');
                                    }
                                    else
                                    {

                                    }

                                    if (x1.Length > 4)
                                    {
                                        StringBuilder desc = new StringBuilder();
                                        desc.Append(x1[0]);
                                        desc.Append(' ');
                                        desc.Append(x1[1]);
                                        desc.Append(' ');
                                        desc.Append(x1[2]);
                                        desc.Append(' ');
                                        if (x5.Length > 4)
                                        {
                                            desc.Append(x5[3]);
                                            desc.Append(' ');
                                            desc.Append(x5[4]);
                                        }
                                        rec.CustomStr2 = desc.ToString();

                                        if (x1.Length > 5)
                                        {
                                            rec.CustomStr7 = x1[5].Trim();
                                            rec.CustomStr10 = (x1[3].Trim());
                                        }
                                        else
                                            rec.CustomStr7 = x1[4].Trim();
                                    }

                                    if (x2.Length > 2)
                                    {
                                        String[] part2 = x2[0].Split('/');
                                        StringBuilder dest = new StringBuilder();
                                        for (int k = 1; k < x2.Length; k++)
                                        {
                                            dest.Append(x2[k].Trim()).Append(' ');
                                        }

                                        rec.CustomStr7 += ' ' + dest.ToString();
                                        rec.CustomStr3 = part2[0];
                                        if (part2.Length > 1)
                                            rec.CustomInt1 = Convert.ToInt32(part2[1].Trim());
                                    }
                                    if (x3.Length > 2 && x5.Length > 2)
                                    {
                                        String[] part3 = x3[0].Split('/');
                                        rec.CustomStr4 = part3[0];
                                        rec.CustomInt2 = Convert.ToInt32(part3[1].Trim());
                                        StringBuilder duration = new StringBuilder();
                                        duration.Append(x3[2]);
                                        duration.Append(':');
                                        duration.Append(Desc[9]);
                                        duration.Append(':');
                                        duration.Append(x5[0]);
                                        rec.CustomStr8 = duration.ToString();

                                        for (int k = 0; k < x5.Length; k++)
                                        {
                                            if (x5[k].ToString() == "bytes")
                                            {
                                                rec.CustomInt7 = Convert.ToInt32(x5[k + 1]);
                                            }
                                        }
                                    }
                                }
                                catch (Exception ex)
                                {
                                    L.Log(LogType.FILE, LogLevel.ERROR, "Error  for " + pixArr[2].ToString());
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.Message);
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace);
                                    errorControl = true;
                                }
                            }
                            break;
                        #endregion
                        #region 305011 & 305012
                        case "305011":
                        case "305012":
                            {
                                try
                                {
                                    String[] arrInbound = Desc[6].Split(':');
                                    String[] x1 = null;
                                    String[] x2 = null;
                                    String[] x3 = null;

                                    x1 = Desc[6].Split(' ');
                                    x2 = Desc[7].Split(' ');
                                    x3 = Desc[8].Split(' ');

                                    if (x1.Length > 4)
                                    {
                                        StringBuilder desc = new StringBuilder();
                                        desc.Append(x1[0]);
                                        desc.Append(' ');
                                        desc.Append(x1[1]);
                                        desc.Append(' ');
                                        desc.Append(x1[2]);
                                        desc.Append(' ');
                                        desc.Append(x1[3]);

                                        rec.CustomStr2 = desc.ToString();

                                        if (x1.Length >= 5)
                                        {
                                            rec.CustomStr7 = x1[5].Trim();
                                        }
                                    }

                                    if (x2.Length > 2)
                                    {
                                        String[] part2 = x2[0].Split('/');
                                        StringBuilder dest = new StringBuilder();
                                        for (int k = 1; k < x2.Length; k++)
                                        {
                                            dest.Append(x2[k].Trim()).Append(' ');
                                        }

                                        rec.CustomStr7 += ' ' + dest.ToString();
                                        rec.CustomStr7 = rec.CustomStr7.Trim();
                                        rec.CustomStr3 = part2[0];
                                        if (part2.Length > 1)
                                            rec.CustomInt1 = Convert.ToInt32(part2[1].Trim());
                                    }
                                    if (x3.Length >= 1)
                                    {
                                        //NAT ADRESS
                                        String[] part3 = x3[0].Split('/');
                                        rec.CustomStr5 = part3[0];
                                        rec.CustomInt3 = Convert.ToInt32(part3[1].Trim());

                                        if (x3.Length > 1)
                                        {
                                            StringBuilder duration = new StringBuilder();
                                            duration.Append(x3[2]);
                                            duration.Append(':');
                                            duration.Append(Desc[9]);
                                            duration.Append(':');
                                            duration.Append(Desc[10]);
                                            rec.CustomStr8 = duration.ToString();
                                        }
                                    }
                                }
                                catch (Exception ex)
                                {
                                    L.Log(LogType.FILE, LogLevel.ERROR, "Error for " + pixArr[2].ToString());
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.Message);
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace);
                                    errorControl = true;
                                }
                            } break;
                        #endregion
                        #region 302015 & 302013
                        case "302015"://Tested
                        case "302013":
                            {
                                String[] arrInbound = Desc[6].Split(':');
                                String[] x1 = null;
                                String[] x2 = null;
                                String[] x3 = null;
                                if (arrInbound.Length > 2)
                                {
                                    x1 = arrInbound[0].Trim().Split(' ');
                                    x2 = arrInbound[1].Trim().Split(' ');
                                    x3 = arrInbound[2].Trim().Split(' ');
                                }
                                else if (arrInbound.Length == 1 && Desc.Length > 7)
                                {
                                    x1 = Desc[6].Split(' ');
                                    x2 = Desc[7].Split(' ');
                                    x3 = Desc[8].Split(' ');
                                }
                                else
                                {
                                    //L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 302013:" + args.Message);
                                }

                                try
                                {
                                    if (x1.Length > 6)
                                    {
                                        StringBuilder desc = new StringBuilder();
                                        desc.Append(x1[0]);
                                        desc.Append(' ');
                                        desc.Append(x1[1]);
                                        desc.Append(' ');
                                        desc.Append(x1[2]);
                                        desc.Append(' ');
                                        desc.Append(x1[3]);
                                        rec.CustomStr2 = desc.ToString();
                                        rec.CustomStr10 = (x1[4].Trim());
                                        rec.CustomStr7 = x1[6];
                                    }

                                    if (x2.Length > 2)
                                    {
                                        StringBuilder dest = new StringBuilder();
                                        for (int k = 2; k < x2.Length; k++)
                                        {
                                            dest.Append(x2[k].Trim()).Append(' ');
                                        }
                                        rec.CustomStr7 += ' ' + dest.ToString();
                                        rec.CustomStr7 = rec.CustomStr7.Trim();

                                        String[] part3 = x2[0].Split('/');
                                        String[] part3dest = x2[1].Trim('(', ')').Split('/');
                                        rec.CustomStr3 = part3[0].Trim();
                                        if (part3.Length > 1)
                                            rec.CustomInt1 = Convert.ToInt32(part3[1].Trim());
                                        rec.CustomStr5 = part3dest[0].Trim();
                                        rec.CustomInt3 = Convert.ToInt32(part3dest[1].Trim());
                                    }

                                    if (x3.Length > 1)
                                    {
                                        String[] part2 = x3[0].Split('/');
                                        String[] part2dest = x3[1].Trim('(', ')').Split('/');

                                        rec.CustomStr4 = part2[0].Trim();
                                        if (part2.Length > 1)
                                            rec.CustomInt2 = Convert.ToInt32(part2[1].Trim());
                                        rec.CustomStr6 = part2dest[0].Trim();
                                        rec.CustomInt4 = Convert.ToInt32(part2dest[1].Trim());
                                    }
                                }
                                catch (Exception ex)
                                {
                                    L.Log(LogType.FILE, LogLevel.ERROR, "Error for " + pixArr[2].ToString());
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.Message);
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace);
                                    errorControl = true;
                                }
                            }
                            break;
                        #endregion
                        #region 109001
                        case "109001":
                            {
                                try
                                {
                                    String[] arrInbound = Desc[6].Split(':');
                                    String[] x1 = null;
                                    x1 = Desc[6].Split(' ');

                                    if (x1.Length > 4)
                                    {
                                        StringBuilder desc = new StringBuilder();
                                        desc.Append(x1[0]);
                                        desc.Append(' ');
                                        desc.Append(x1[1]);
                                        desc.Append(' ');
                                        desc.Append(x1[2]);
                                        desc.Append(' ');
                                        desc.Append(x1[3]);

                                        rec.CustomStr2 = desc.ToString();

                                        rec.UserName = x1[4].Trim();

                                        int indexSource = 0;

                                        for (int i = 0; i < x1.Length; i++)
                                        {
                                            if (x1[i].Trim() == "from")
                                            {
                                                indexSource = i;
                                                break;
                                            }
                                        }

                                        String[] partsource = x1[indexSource + 1].Split('/');
                                        rec.CustomStr3 = partsource[0];
                                        rec.CustomInt1 = Convert.ToInt32(partsource[1].Trim());

                                        int indexDestination = 0;

                                        for (int j = 0; j < x1.Length; j++)
                                        {
                                            if (x1[j].Trim() == "to")
                                            {
                                                indexDestination = j;
                                                break;
                                            }
                                        }

                                        String[] partdestination = x1[indexDestination + 1].Split('/');
                                        rec.CustomStr4 = partdestination[0];
                                        rec.CustomInt2 = Convert.ToInt32(partdestination[1].Trim());
                                    }
                                }
                                catch (Exception ex)
                                {
                                    L.Log(LogType.FILE, LogLevel.ERROR, "Error for " + pixArr[2].ToString());
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.Message);
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace);
                                    errorControl = true;
                                }
                            } break;
                        #endregion
                        #region 106021
                        case "106021":
                            {
                                try
                                {
                                    String[] arrDeny = Desc[6].Split(' ');
                                    rec.CustomStr3 = arrDeny[6];
                                    rec.CustomStr4 = arrDeny[8];
                                    rec.CustomStr2 = arrDeny[0] + " " + arrDeny[1] + " " + arrDeny[2] + " " + arrDeny[3];
                                    rec.CustomStr7 = arrDeny[11].Trim();
                                }
                                catch (Exception ex)
                                {
                                    L.Log(LogType.FILE, LogLevel.ERROR, "Error for " + pixArr[2].ToString());
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.Message);
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace);
                                    errorControl = true;
                                }
                            }
                            break;
                        #endregion
                        #region 111001 & 111002 & 111003 & 111004 & 111005 & 111006 & 111007
                        case "111001":
                        case "111002":
                        case "111003":
                        case "111004":
                        case "111005":
                        case "111006":
                        case "111007":
                            {
                                try
                                {
                                    rec.EventType = "Admin Action";

                                    string message = "";
                                    for (int i = 6; i < Desc.Length; i++)
                                    {
                                        message += " " + Desc[i];
                                    }
                                    rec.CustomStr7 = message.Trim();
                                }
                                catch (Exception ex)
                                {
                                    L.Log(LogType.FILE, LogLevel.ERROR, "Error for " + pixArr[2].ToString());
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.Message);
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace);
                                    errorControl = true;
                                }
                            }
                            break;
                        #endregion
                        #region 106015 & 106028 & 302020 & 302021
                        case "106015":
                        case "106028": //yeni eklendi
                        case "302020":
                        case "302021":
                            {
                                try
                                {
                                    String[] arrInbound = Desc[6].Split(' ');

                                    Int32 firstIp = 0;
                                    Int32 secondIp = 0;
                                    bool first = true;

                                    for (Int32 i = 0; i < arrInbound.Length; i++)
                                    {
                                        if (arrInbound[i].Contains("/"))
                                        {
                                            if (first)
                                            {
                                                firstIp = i;
                                                first = false;
                                            }
                                            else
                                            {
                                                secondIp = i;
                                                break;
                                            }
                                        }
                                    }

                                    StringBuilder customStr7 = new StringBuilder();

                                    rec.CustomStr2 = arrInbound[0] + " " + arrInbound[1];

                                    for (Int32 i = 2; i < firstIp - 1; i++)
                                    {
                                        customStr7.Append(arrInbound[i]).Append(" ");
                                    }

                                    rec.CustomStr7 = customStr7.ToString().Trim();

                                    String[] arrInboundIp = arrInbound[firstIp].Split('/');

                                    if (arrInboundIp[0].Contains("-"))
                                    {
                                        rec.CustomStr3 = arrInboundIp[0].Split('-')[1].Trim();
                                    }
                                    else
                                    {
                                        rec.CustomStr3 = arrInboundIp[0];
                                    }

                                    rec.CustomInt1 = Convert.ToInt32(arrInboundIp[1]);

                                    StringBuilder customStr6 = new StringBuilder();
                                    for (Int32 i = secondIp + 1; i < arrInbound.Length; i++)
                                    {
                                        customStr6.Append(arrInbound[i]).Append(" ");
                                    }

                                    rec.CustomStr7 += " " + customStr6.ToString().Trim();

                                    String[] arrInboundDescIp = arrInbound[secondIp].Split('/');
                                    rec.CustomStr4 = arrInboundDescIp[0];
                                    rec.CustomInt2 = Convert.ToInt32(arrInboundDescIp[1]);
                                }
                                catch (Exception ex)
                                {
                                    L.Log(LogType.FILE, LogLevel.ERROR, "Error for " + pixArr[2].ToString());
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.Message);
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace);
                                    errorControl = true;
                                }
                            } break;
                        #endregion
                        #region 313004
                        case "313004":
                            {
                                try
                                {
                                    String[] arrInbound = Desc[6].Split(' ');
                                    String[] x1 = null;
                                    x1 = Desc[6].Split(' ');

                                    if (x1.Length > 4)
                                    {
                                        rec.CustomStr2 = x1[0] + " " + x1[1];

                                        rec.CustomStr6 = x1[2].Trim().Split('=')[1].Trim(',');

                                        int indexfrom = 0;

                                        for (int i = 3; i < x1.Length; i++)
                                        {
                                            if (x1[i].Trim() == "from")
                                            {
                                                indexfrom = i;
                                                break;
                                            }
                                        }

                                        int indexto = 0;

                                        for (int j = 0; j < x1.Length; j++)
                                        {
                                            if (x1[j].Trim() == "to")
                                            {
                                                indexto = j;
                                                break;
                                            }
                                        }

                                        int indexon = 0;

                                        for (int k = 0; k < x1.Length; k++)
                                        {
                                            if (x1[k].Trim().Contains("on"))
                                            {
                                                if (x1[k].Trim() == "on" && x1[k + 1] == "interface")
                                                {
                                                    indexon = k;
                                                }
                                                if (x1[k].Trim() == "oninterface")
                                                {
                                                    indexon = k;
                                                }
                                            }
                                        }

                                        string sourceip = "";
                                        for (int g = indexfrom + 1; g < indexon; g++)
                                        {
                                            sourceip += " " + x1[g];
                                        }

                                        sourceip = sourceip.Trim();

                                        if (sourceip.Contains(" "))
                                        {
                                            string[] tempsourceip = sourceip.Split(' ');
                                            if (tempsourceip.Length > 1)
                                            {
                                                sourceip = tempsourceip[tempsourceip.Length - 1];
                                            }
                                        }

                                        rec.CustomStr3 = sourceip;

                                        string interfacename = "";

                                        for (int y = indexon + 1; y < indexto; y++)
                                        {
                                            if (x1[y].Trim() == "interface")
                                            {
                                                continue;
                                            }
                                            interfacename += " " + x1[y];
                                        }

                                        interfacename = interfacename.Trim();
                                        rec.CustomStr7 = interfacename;

                                        string destinationip = x1[indexto + 1].Trim();
                                        rec.CustomStr4 = destinationip;

                                        rec.CustomStr5 = Desc[7];
                                    }
                                }
                                catch (Exception ex)
                                {
                                    L.Log(LogType.FILE, LogLevel.ERROR, "Error for " + pixArr[2].ToString());
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.Message);
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace);
                                    errorControl = true;
                                }
                            } break;
                        #endregion
                        #region 710003
                        case "710003":
                            {
                                try
                                {
                                    String[] x1 = null;
                                    x1 = Desc[6].Split(' ');

                                    rec.CustomStr2 = x1[0] + " " + x1[1] + " " + x1[2];

                                    int indexfrom = 0;

                                    for (int i = 3; i < x1.Length; i++)
                                    {
                                        if (x1[i].Trim() == "from")
                                        {
                                            indexfrom = i;
                                            break;
                                        }
                                    }

                                    string sourceip = x1[indexfrom + 1];
                                    string sourceport = "0";

                                    if (sourceip.Contains("/"))
                                    {
                                        string[] source = sourceip.Split('/');
                                        sourceip = source[0];
                                        sourceport = source[1];
                                    }

                                    rec.CustomStr3 = sourceip.Trim();
                                    rec.CustomInt1 = Convert.ToInt32(sourceport);

                                    String[] arrDeny = Desc[7].Split(' ');
                                    String[] arrDenyIp = arrDeny[0].Split('/');

                                    rec.CustomStr4 = arrDenyIp[0];
                                    if (arrDenyIp.Length > 1)
                                        rec.CustomInt2 = Convert.ToInt32(arrDenyIp[1]);
                                }
                                catch (Exception ex)
                                {
                                    L.Log(LogType.FILE, LogLevel.ERROR, "Error for " + pixArr[2].ToString());
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.Message);
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace);
                                    errorControl = true;
                                }
                            } break;
                        #endregion
                        #region 405001
                        case "405001":
                            {
                                try
                                {
                                    String[] arrInbound = Desc[6].Split(' ');
                                    String[] x1 = null;
                                    x1 = Desc[6].Split(' ');

                                    if (x1.Length > 4)
                                    {
                                        int indexfrom = 0;

                                        for (int i = 0; i < x1.Length; i++)
                                        {
                                            if (x1[i].Trim() == "from")
                                            {
                                                indexfrom = i;
                                                break;
                                            }
                                        }

                                        string customstr2 = "";
                                        for (int g = 0; g < indexfrom; g++)
                                        {
                                            customstr2 += ' ' + x1[g];
                                        }
                                        customstr2 = customstr2.Trim();
                                        rec.CustomStr2 = customstr2;

                                        string sourceipandmacaddress = "";
                                        string sourceip = "";
                                        string sourcemac = "";

                                        sourceipandmacaddress = x1[indexfrom + 1];

                                        if (sourceipandmacaddress.Contains("/"))
                                        {
                                            sourceip = sourceipandmacaddress.Split('/')[0].Trim();
                                            sourcemac = sourceipandmacaddress.Split('/')[1].Trim();
                                        }

                                        rec.CustomStr3 = sourceip;
                                        rec.CustomStr8 = sourcemac;

                                        int indexon = 0;

                                        for (int k = 0; k < x1.Length; k++)
                                        {
                                            if (x1[k].Trim().Contains("on"))
                                            {
                                                if (x1[k].Trim() == "on" && x1[k + 1] == "interface")
                                                {
                                                    indexon = k + 1;
                                                    break;
                                                }
                                                if (x1[k].Trim() == "oninterface")
                                                {
                                                    indexon = k;
                                                    break;
                                                }
                                            }
                                        }

                                        string interfacename = "";

                                        interfacename = x1[indexon + 1].Trim();
                                        rec.CustomStr7 = interfacename;
                                    }
                                }
                                catch (Exception ex)
                                {
                                    L.Log(LogType.FILE, LogLevel.ERROR, "Error for " + pixArr[2].ToString());
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.Message);
                                    L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace);
                                    errorControl = true;
                                }
                            } break;
                        #endregion
                        default:
                            L.Log(LogType.FILE, LogLevel.DEBUG, "No match for the mesage: " + args.Message);
                            rec.Description = args.Message;
                            break;
                    }

                    if (errorControl)
                    {
                        rec.Description = args.Message.ToString();
                    }
                }
                else if (logType == 0)
                {

                }

                rec.SourceName = Desc[0];

                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
                if (usingRegistry)
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
                    s.SetData(rec);
                }
                else
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
                    s.SetData(Dal, virtualhost, rec);
                    s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
            }
            catch (Exception er)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
                L.Log(LogType.FILE, LogLevel.ERROR, args.Message);
            }
        }
예제 #17
        void slog_SyslogEvent(LogMgrEventArgs args)
        {
            CustomBase.Rec rec = new CustomBase.Rec();
            string line = args.Message;

            try
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
                try
                {
                    rec.LogName = "CheckPointSyslogV_1_0_0Recorder";
                    rec.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");

                    if (line.Length > 899)
                    {
                        rec.Description = line.Substring(0, 899);
                        rec.CustomStr10 = line.Substring(899, line.Length - 899);
                    }
                    else
                    {
                        rec.Description = args.Message;
                    }

                    rec.Description = args.Message.Replace("'", "|");

                    string[] lineArr = line.Split((char[])null, StringSplitOptions.RemoveEmptyEntries);
                    string[] subLineArr = line.Split(':');

                    if (lineArr.Length > 6)
                        rec.EventCategory = lineArr[6];

                    #region encrypt OK
                    if (lineArr[6] == "encrypt")
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "encrypt record started.");
                        if (lineArr.Length > 7)
                        {
                            rec.SourceName = lineArr[7];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "SourceName:" + rec.SourceName);
                        }

                        rec.CustomStr3 = Between(line, "src:", "dst:").Replace(':', ' ').Trim();
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3:" + rec.CustomStr3);
                        rec.CustomStr4 = Between(line, "dst:", "proto:").Replace(':', ' ').Trim();
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4:" + rec.CustomStr4);
                    }
                    #endregion

                    #region allow
                    if (lineArr[6] == "allow")
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "allow record started.");

                        if (lineArr.Length > 7)
                        {
                            rec.SourceName = lineArr[7];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "SourceName:" + rec.SourceName);
                        } //ok

                        rec.CustomStr10 = Between(line, "resource:", "product:"); //ok
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr10:" + rec.CustomStr10);

                        string[] resourceArr = Between(line, "resource:", "product:").Split(new char[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
                        rec.CustomStr2 = resourceArr[0] + @"//" + resourceArr[1]; //ok
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2:" + rec.CustomStr2);

                        for (int i = 0; i < subLineArr.Length; i++)
                        {
                            if (subLineArr[i].Trim() == "src_user_name")
                            {
                                string[] userNameArr = (subLineArr[i + 1]).Split(new char[] { '(', ')' },
                                                                              StringSplitOptions.RemoveEmptyEntries);
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2:" + subLineArr[i + 1]);
                                rec.UserName = userNameArr[1];
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2:" + rec.CustomStr2);

                                rec.CustomStr1 = userNameArr[0];
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2:" + rec.CustomStr2);

                            }
                            if (subLineArr[i].Trim() == "src")
                            {
                                rec.CustomStr3 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "dst")
                            {
                                rec.CustomStr4 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "app_desc")
                            {
                                rec.CustomStr5 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "app_category")
                            {
                                rec.CustomStr6 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "matched_category")
                            {
                                rec.CustomStr7 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "app_risk")
                            {
                                rec.CustomStr8 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "app_rule_name")
                            {
                                rec.CustomStr9 = subLineArr[i + 1];
                            }
                        }
                    }
                    #endregion

                    #region monitor OK
                    if (lineArr[6] == "monitor")
                    {
                        if (lineArr.Length > 7)
                        {
                            rec.SourceName = lineArr[7];
                        }
                        rec.EventType = Between(line, "proto:", "product:").Replace(':', ' ').Trim();
                        rec.CustomStr3 = Between(line, "src:", "dst:").Replace(':', ' ').Trim();
                        rec.CustomStr4 = Between(line, "dst:", "proto:").Replace(':', ' ').Trim();
                        rec.CustomStr5 = Between(line, "product:", "service:").Replace(':', ' ').Trim();
                        rec.CustomStr6 = Between(line, "service:", "s_port:").Replace(':', ' ').Trim();
                    }
                    #endregion

                    #region accept
                    if (lineArr[6] == "accept")
                    {
                        if (lineArr.Length > 7)
                        {
                            rec.SourceName = lineArr[7];
                        }
                        //rec.EventType = Between(line, "proto:", "xlate:");
                        //rec.CustomStr3 = Between(line, "src:", "dst:").Replace(':', ' ').Trim();
                        //rec.CustomStr4 = Between(line, "dst:", "proto:").Replace(':', ' ').Trim();
                        //rec.CustomStr5 = Between(line, "product:", "service:").Replace(':', ' ').Trim();
                        //rec.CustomStr6 = Between(line, "service:", "s_port:").Replace(':', ' ').Trim();

                        subLineArr = line.Split(':');
                        for (int i = 0; i < subLineArr.Length; i++)
                        {
                            if (subLineArr[i].Trim() == "proto")
                            {
                                rec.EventType = subLineArr[i + 1];
                                L.Log(LogType.FILE, LogLevel.DEBUG, "EventType: " + rec.EventType);
                            }

                            if (subLineArr[i].Trim() == "src_user_name")
                            {
                                string[] userNameArr = (subLineArr[i + 1]).Split(new char[] { '(', ')' },
                                                                              StringSplitOptions.RemoveEmptyEntries);
                                rec.UserName = userNameArr[1];
                                rec.CustomStr1 = userNameArr[0];
                            }
                            if (subLineArr[i].Trim() == "src")
                            {
                                rec.CustomStr3 = subLineArr[i + 1];
                                L.Log(LogType.FILE, LogLevel.DEBUG, "lineArr: " + lineArr[i] + lineArr);

                            }
                            if (subLineArr[i].Trim() == "dst")
                            {
                                rec.CustomStr4 = subLineArr[i + 1];
                            }
                        }
                    }
                    #endregion

                    #region https
                    if (lineArr[6] == "HTTPS")
                    {
                        if (lineArr.Length > 8)
                        {
                            rec.EventCategory = lineArr[6] + " " + lineArr[7];
                        }
                        rec.SourceName = lineArr[8];
                        for (int i = 0; i < subLineArr.Length; i++)
                        {
                            if (subLineArr[i].Trim() == "proto")
                            {
                                rec.EventType = subLineArr[i + 1];
                                L.Log(LogType.FILE, LogLevel.DEBUG, "EventType: " + rec.EventType);
                            }

                            //if (subLineArr[i].Trim() == "src" || subLineArr[i].Split(' ')[subLineArr[i].Split(' ').Length - 1] == "src")
                            if (subLineArr[i].Trim() == "src")
                            {
                                rec.CustomStr3 = subLineArr[i + 1];

                            }
                            if (subLineArr[i].Trim() == "dst")
                            {
                                rec.CustomStr4 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "app_category")
                            {
                                rec.CustomStr6 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "matched_category")
                            {
                                rec.CustomStr7 = subLineArr[i + 1];
                            }
                        }
                    }
                    #endregion

                    #region logout
                    if (lineArr[6] == "logout")
                    {
                        if (lineArr.Length > 8)
                        {
                            rec.EventCategory = lineArr[6];
                        }
                        rec.SourceName = lineArr[7];

                        for (int i = 0; i < subLineArr.Length; i++)
                        {
                            if (subLineArr[i].Trim() == "src" || subLineArr[i].Split(' ')[subLineArr[i].Split(' ').Length - 1] == "src")
                            {
                                rec.CustomStr3 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "src_user_name")
                            {
                                string[] userNameArr = (subLineArr[i + 1]).Split(new char[] { '(', ')' },
                                                                             StringSplitOptions.RemoveEmptyEntries);
                                rec.UserName = userNameArr[1];
                                rec.CustomStr1 = userNameArr[0];
                            }

                            if (subLineArr[i].Trim() == "duration")
                            {
                                rec.CustomStr4 = subLineArr[i + 1];
                            }
                        }
                    }
                    #endregion

                    #region authcrypt
                    if (lineArr[6] == "authcrypt")
                    {
                        if (lineArr.Length > 7)
                        {
                            rec.EventCategory = lineArr[6];
                        }
                        rec.SourceName = lineArr[7];

                        subLineArr = line.Split(':');
                        for (int i = 0; i < subLineArr.Length; i++)
                        {
                            if (subLineArr[i].Trim() == "src")
                            {
                                rec.CustomStr3 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "src_user_name")
                            {
                                string[] userNameArr = (subLineArr[i + 1]).Split(new char[] { '(', ')' },
                                                                             StringSplitOptions.RemoveEmptyEntries);
                                rec.UserName = userNameArr[1];
                                rec.CustomStr1 = userNameArr[0];
                            }

                            if (subLineArr[i].Trim() == "roles")
                            {
                                rec.CustomStr4 = subLineArr[i + 1];
                            }
                            if (subLineArr[i].Trim() == "auth_status")
                            {
                                rec.CustomStr2 = subLineArr[i + 1];
                            }
                        }
                    }
                    #endregion

                    #region block
                    if (lineArr[6] == "block")
                    {
                        if (lineArr.Length > 7)
                        {
                            rec.EventCategory = lineArr[6];
                        }
                        rec.SourceName = lineArr[7];

                        for (int i = 0; i < subLineArr.Length; i++)
                        {
                            if (subLineArr[i].Trim() == "src_user_name")
                            {
                                string[] userNameArr = (subLineArr[i + 1]).Split(new char[] { '(', ')' },
                                                                             StringSplitOptions.RemoveEmptyEntries);
                                rec.UserName = userNameArr[1];
                                rec.CustomStr1 = userNameArr[0];
                            }
                            if (subLineArr[i].Trim() == "src" || subLineArr[i].Split(' ')[subLineArr[i].Split(' ').Length - 1] == "src")
                            {
                                rec.CustomStr3 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "dst" || subLineArr[i].Split(' ')[subLineArr[i].Split(' ').Length - 1] == "dst")
                            {
                                rec.CustomStr4 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "app_desc")
                            {
                                rec.CustomStr5 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "app_category")
                            {
                                rec.CustomStr6 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "matched_category")
                            {
                                rec.CustomStr7 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "app_risk")
                            {
                                rec.CustomStr8 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "app_rule_name")
                            {
                                rec.CustomStr9 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "proto")
                            {
                                rec.EventType = subLineArr[i + 1];
                            }
                        }
                    }
                    #endregion

                    #region drop
                    if (lineArr[6] == "drop")
                    {
                        if (lineArr.Length > 7)
                        {
                            rec.EventCategory = lineArr[6];
                        }
                        rec.SourceName = lineArr[7];

                        for (int i = 0; i < subLineArr.Length; i++)
                        {
                            if (subLineArr[i].Trim() == "src" || subLineArr[i].Split(' ')[subLineArr[i].Split(' ').Length - 1] == "src")
                            {
                                rec.CustomStr3 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "dst" || subLineArr[i].Split(' ')[subLineArr[i].Split(' ').Length - 1] == "dst")
                            {
                                rec.CustomStr4 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "proto")
                            {
                                rec.EventType = subLineArr[i + 1];
                            }
                        }
                    }

                    #endregion

                    #region drop
                    if (lineArr[6] == "drop")
                    {
                        if (lineArr.Length > 7)
                        {
                            rec.EventCategory = lineArr[6];
                        }
                        rec.SourceName = lineArr[7];

                        for (int i = 0; i < subLineArr.Length; i++)
                        {
                            if (subLineArr[i].Trim() == "src" || subLineArr[i].Split(' ')[subLineArr[i].Split(' ').Length - 1] == "src")
                            {
                                rec.CustomStr3 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "dst" || subLineArr[i].Split(' ')[subLineArr[i].Split(' ').Length - 1] == "dst")
                            {
                                rec.CustomStr4 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "proto")
                            {
                                rec.EventType = subLineArr[i + 1];
                            }
                        }
                    }
                    #endregion

                    #region ctl
                    if (lineArr[6] == "ctl")
                    {
                        if (lineArr.Length > 7)
                        {
                            rec.EventCategory = lineArr[6];
                        }
                        rec.SourceName = lineArr[7];
                        rec.CustomStr10 = Between(line, "resource:", "product:");
                        string[] resourceArr = Between(line, "resource:", "product:").Split(new char[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
                        rec.CustomStr2 = resourceArr[0] + @"//" + resourceArr[1];

                        for (int i = 0; i < subLineArr.Length; i++)
                        {
                            if (subLineArr[i].Trim() == "src_user_name")
                            {
                                string[] userNameArr = (subLineArr[i + 1]).Split(new char[] { '(', ')' },
                                                                             StringSplitOptions.RemoveEmptyEntries);
                                rec.UserName = userNameArr[1];
                                rec.CustomStr1 = userNameArr[0];
                            }

                            if (subLineArr[i].Trim() == "src" || subLineArr[i].Split(' ')[subLineArr[i].Split(' ').Length - 1] == "src")
                            {
                                rec.CustomStr3 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "dst" || subLineArr[i].Split(' ')[subLineArr[i].Split(' ').Length - 1] == "dst")
                            {
                                rec.CustomStr4 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "app_desc")
                            {
                                rec.CustomStr5 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "app_category")
                            {
                                rec.CustomStr6 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "matched_category")
                            {
                                rec.CustomStr7 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "app_risk")
                            {
                                rec.CustomStr8 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "app_rule_name")
                            {
                                rec.CustomStr9 = subLineArr[i + 1];
                            }

                            if (subLineArr[i].Trim() == "proto")
                            {
                                rec.EventType = subLineArr[i + 1];
                            }
                        }
                    }
                    #endregion

                }
                catch (Exception e)
                {
                    L.Log(LogType.FILE, LogLevel.DEBUG, "ERROR------------" + line);
                    L.Log(LogType.FILE, LogLevel.DEBUG, e.Message);
                    L.Log(LogType.FILE, LogLevel.DEBUG, e.StackTrace);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
                if (usingRegistry)
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
                    s.SetData(rec);
                }
                else
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
                    s.SetData(Dal, virtualhost, rec);
                    s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
            }
            catch (Exception er)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
                L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
            }
        }
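        /// <summary>
        /// Handles one syslog message for the "CiscoV6500_1_0SyslogRecorder" log: fills a
        /// <c>CustomBase.Rec</c> from the tokens returned by <c>SpaceSplit</c> and hands the record
        /// to the configured sender service.
        /// </summary>
        /// <remarks>
        /// The message text is produced outside this process, so every positional token is
        /// bounds-checked and every numeric field is parsed with <c>int.TryParse</c>; a short or
        /// malformed line leaves the affected fields unset instead of aborting the rest of the
        /// extraction. Any other parsing error is logged and the partially filled record is still
        /// forwarded.
        /// </remarks>
        /// <param name="args">Event data; <c>Message</c>, <c>Source</c> and <c>EventLogEntType</c> are read.</param>
        void slog_SyslogEvent(LogMgrEventArgs args)
        {
            CustomBase.Rec rec = new CustomBase.Rec();

            try
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
                try
                {
                    rec.LogName = "CiscoV6500_1_0SyslogRecorder";
                    rec.Datetime = DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss");
                    rec.EventType = args.EventLogEntType.ToString();

                    // Description is capped at 899 characters; longer messages are cut, not rejected.
                    rec.Description = args.Message.Length > 899
                        ? args.Message.Substring(0, 899)
                        : args.Message;

                    L.Log(LogType.FILE, LogLevel.DEBUG, " Source Is : " + args.Source.ToString());
                    rec.SourceName = args.Source;
                    // NOTE(review): the message is written to the file log verbatim; confirm that
                    // L.Log neutralises embedded line breaks so message content cannot forge log lines.
                    L.Log(LogType.FILE, LogLevel.INFORM, " Log : " + args.Message);

                    string[] lineArr = SpaceSplit(args.Message, false);

                    rec.ComputerName = lineArr[0];
                    L.Log(LogType.FILE, LogLevel.DEBUG, " ComputerName : " + rec.ComputerName);

                    // The segment after the first '.' of token 2 selects the layout
                    // ("notice", "debug", "warning" or "error"); anything else is left as-is.
                    string severity = null;
                    if (lineArr.Length > 2 && lineArr[2].Contains("."))
                    {
                        severity = lineArr[2].Split('.')[1];
                    }

                    // Scratch target for int.TryParse on the numeric fields below.
                    int number;

                    switch (severity)
                    {
                        case "notice":
                            L.Log(LogType.FILE, LogLevel.DEBUG, " !! Notice Mode !!");
                            rec.SourceName = severity;
                            L.Log(LogType.FILE, LogLevel.DEBUG, " SourceName : " + rec.SourceName);

                            if (lineArr.Length > 10)
                            {
                                rec.EventType = lineArr[9] + lineArr[10];
                                L.Log(LogType.FILE, LogLevel.DEBUG, " EventType : " + rec.EventType);
                            }

                            if (lineArr.Length > 8)
                            {
                                rec.CustomStr3 = lineArr[8];
                                L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr3 : " + rec.CustomStr3);
                            }

                            if (lineArr.Length > 11)
                            {
                                rec.CustomStr4 = Before(lineArr[11], ":/");
                                L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr4 : " + rec.CustomStr4);

                                // Everything after ":/" goes to CustomStr5; the part beyond
                                // 900 characters spills into CustomStr6.
                                string tail = After(lineArr[11], ":/");
                                if (tail.Length > 900)
                                {
                                    rec.CustomStr5 = tail.Substring(0, 900);
                                    L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr5 : " + rec.CustomStr5);

                                    rec.CustomStr6 = tail.Substring(900);
                                    L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr6 : " + rec.CustomStr6);
                                }
                                else
                                {
                                    rec.CustomStr5 = tail;
                                    L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr5 : " + rec.CustomStr5);
                                }
                            }
                            break;

                        case "debug":
                            L.Log(LogType.FILE, LogLevel.DEBUG, " !! Debug Mode !!");

                            rec.SourceName = severity;
                            L.Log(LogType.FILE, LogLevel.DEBUG, " SourceName : " + rec.SourceName);

                            if (lineArr.Length > 8)
                            {
                                rec.EventCategory = lineArr[8];
                                L.Log(LogType.FILE, LogLevel.DEBUG, " EventCategory : " + rec.EventCategory);
                            }

                            if (lineArr.Length > 11)
                            {
                                rec.EventType = lineArr[11];
                                L.Log(LogType.FILE, LogLevel.DEBUG, " EventType : " + rec.EventType);
                            }

                            if (lineArr.Length > 9)
                            {
                                rec.CustomStr1 = lineArr[9];
                                L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr1 : " + rec.CustomStr1);
                            }

                            if (lineArr.Length > 12)
                            {
                                rec.CustomStr3 = Between(lineArr[12], "/", "(");
                                L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr3 : " + rec.CustomStr3);

                                if (int.TryParse(Between(lineArr[12], "(", ")"), out number))
                                {
                                    rec.CustomInt3 = number;
                                    L.Log(LogType.FILE, LogLevel.DEBUG, " CustomInt3 : " + rec.CustomInt3);
                                }
                                else
                                {
                                    L.Log(LogType.FILE, LogLevel.DEBUG, " CustomInt3 : not numeric, left unset");
                                }
                            }

                            if (lineArr.Length > 14)
                            {
                                rec.CustomStr4 = Between(lineArr[14], "/", "(");
                                L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr4 : " + rec.CustomStr4);

                                rec.CustomStr5 = Before(lineArr[14], "/");
                                L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr5 : " + rec.CustomStr5);

                                if (int.TryParse(Between(lineArr[14], "(", ")"), out number))
                                {
                                    rec.CustomInt4 = number;
                                    L.Log(LogType.FILE, LogLevel.DEBUG, " CustomInt4 : " + rec.CustomInt4);
                                }
                                else
                                {
                                    L.Log(LogType.FILE, LogLevel.DEBUG, " CustomInt4 : not numeric, left unset");
                                }
                            }
                            break;

                        case "warning":
                            L.Log(LogType.FILE, LogLevel.DEBUG, " !! Warning Mode !!");

                            rec.SourceName = severity;
                            L.Log(LogType.FILE, LogLevel.DEBUG, " SourceName : " + rec.SourceName);

                            if (lineArr.Length > 8)
                            {
                                rec.EventCategory = lineArr[8];
                                L.Log(LogType.FILE, LogLevel.DEBUG, " EventCategory : " + rec.EventCategory);
                            }

                            if (lineArr.Length > 9)
                            {
                                rec.EventType = lineArr[9];
                                L.Log(LogType.FILE, LogLevel.DEBUG, " EventType : " + rec.EventType);
                            }

                            if (lineArr.Length > 16)
                            {
                                rec.CustomStr1 = lineArr[16].Replace('"', ' ').Trim();
                                L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr1 : " + rec.CustomStr1);
                            }

                            if (lineArr.Length > 11)
                            {
                                rec.CustomStr2 = Before(lineArr[11], ":");
                                L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr2 : " + rec.CustomStr2);

                                rec.CustomStr3 = Between(lineArr[11], ":", "/");
                                L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr3 : " + rec.CustomStr3);

                                if (int.TryParse(After(lineArr[11], "/"), out number))
                                {
                                    rec.CustomInt3 = number;
                                    L.Log(LogType.FILE, LogLevel.DEBUG, " CustomInt3 : " + rec.CustomInt3);
                                }
                                else
                                {
                                    L.Log(LogType.FILE, LogLevel.DEBUG, " CustomInt3 : not numeric, left unset");
                                }
                            }

                            if (lineArr.Length > 13)
                            {
                                rec.CustomStr4 = Between(lineArr[13], ":", "/");
                                L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr4 : " + rec.CustomStr4);

                                rec.CustomStr5 = Before(lineArr[13], ":");
                                L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr5 : " + rec.CustomStr5);

                                if (int.TryParse(After(lineArr[13], "/"), out number))
                                {
                                    rec.CustomInt4 = number;
                                    L.Log(LogType.FILE, LogLevel.DEBUG, " CustomInt4 : " + rec.CustomInt4);
                                }
                                else
                                {
                                    L.Log(LogType.FILE, LogLevel.DEBUG, " CustomInt4 : not numeric, left unset");
                                }
                            }
                            break;

                        case "error":
                            L.Log(LogType.FILE, LogLevel.DEBUG, " !! Error Mode !!");

                            if (args.Message.Contains("Denied ICMP"))
                            {
                                L.Log(LogType.FILE, LogLevel.DEBUG, " !! Error Mode 1 !!");

                                rec.SourceName = severity;
                                L.Log(LogType.FILE, LogLevel.DEBUG, " SourceName : " + rec.SourceName);

                                if (lineArr.Length > 8)
                                {
                                    rec.EventCategory = lineArr[8];
                                    L.Log(LogType.FILE, LogLevel.DEBUG, " EventCategory : " + rec.EventCategory);
                                }

                                if (lineArr.Length > 9)
                                {
                                    rec.EventType = lineArr[9];
                                    L.Log(LogType.FILE, LogLevel.DEBUG, " EventType : " + rec.EventType);
                                }

                                if (lineArr.Length > 16)
                                {
                                    rec.CustomStr2 = lineArr[16];
                                    L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr2 : " + rec.CustomStr2);
                                }

                                if (lineArr.Length > 13)
                                {
                                    rec.CustomStr3 = lineArr[13];
                                    L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr3: " + rec.CustomStr3);
                                }
                            }
                            else
                            {
                                L.Log(LogType.FILE, LogLevel.DEBUG, " !! Error Mode 2 !!");

                                rec.SourceName = severity;
                                L.Log(LogType.FILE, LogLevel.DEBUG, " SourceName : " + rec.SourceName);

                                // Same length guards as the other layouts: a short line leaves
                                // the field unset rather than throwing part-way through.
                                if (lineArr.Length > 10)
                                {
                                    rec.EventCategory = lineArr[10];
                                    L.Log(LogType.FILE, LogLevel.DEBUG, " EventCategory : " + rec.EventCategory);
                                }

                                if (lineArr.Length > 8)
                                {
                                    rec.EventType = lineArr[8];
                                    L.Log(LogType.FILE, LogLevel.DEBUG, " EventType : " + rec.EventType);
                                }

                                if (lineArr.Length > 14)
                                {
                                    rec.CustomStr3 = Before(lineArr[14], "/");
                                    L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr3 : " + rec.CustomStr3);

                                    if (int.TryParse(After(lineArr[14], "/"), out number))
                                    {
                                        rec.CustomInt3 = number;
                                        L.Log(LogType.FILE, LogLevel.DEBUG, " CustomInt3 : " + rec.CustomInt3);
                                    }
                                    else
                                    {
                                        L.Log(LogType.FILE, LogLevel.DEBUG, " CustomInt3 : not numeric, left unset");
                                    }
                                }

                                if (lineArr.Length > 16)
                                {
                                    rec.CustomStr4 = Between(lineArr[16], ":", "/");
                                    L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr4 : " + rec.CustomStr4);

                                    rec.CustomStr5 = Before(lineArr[16], ":");
                                    L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr5 : " + rec.CustomStr5);

                                    if (int.TryParse(After(lineArr[16], "/"), out number))
                                    {
                                        rec.CustomInt4 = number;
                                        L.Log(LogType.FILE, LogLevel.DEBUG, " CustomInt4 : " + rec.CustomInt4);
                                    }
                                    else
                                    {
                                        L.Log(LogType.FILE, LogLevel.DEBUG, " CustomInt4 : not numeric, left unset");
                                    }
                                }
                            }
                            break;
                    }
                }
                catch (Exception e)
                {
                    // Parsing is best-effort: the failure is logged and the record built so far
                    // is still forwarded below.
                    L.Log(LogType.FILE, LogLevel.DEBUG, "ERROR------------");
                    L.Log(LogType.FILE, LogLevel.DEBUG, e.Message);
                    L.Log(LogType.FILE, LogLevel.DEBUG, e.StackTrace);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");

                if (usingRegistry)
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
                    s.SetData(rec);
                }
                else
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
                    s.SetData(Dal, virtualhost, rec);
                    s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
                }

                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
            }
            catch (Exception er)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
                L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
            }
        }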
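        /// <summary>
        /// Handles one syslog message for the "SymantecBrightmailRecorder" log: splits the message
        /// on spaces, maps the pipe-delimited payload (or an xinetd "START" line) onto a
        /// <c>CustomBase.Rec</c>, and hands the record to the configured sender service.
        /// </summary>
        /// <remarks>
        /// A null or empty message is logged and dropped. A parsing error is logged at ERROR level
        /// and the partially filled record is still forwarded; the full message is always kept in
        /// <c>Description</c>.
        /// </remarks>
        /// <param name="args">Event data; <c>Message</c>, <c>Source</c> and <c>EventLogEntType</c> are read.</param>
        void slog_SyslogEvent(LogMgrEventArgs args)
        {
            CustomBase.Rec rec = new CustomBase.Rec();
            try
            {
                // Covers null as well as "", matching what the log text says.
                if (string.IsNullOrEmpty(args.Message))
                {
                    L.Log(LogType.FILE, LogLevel.INFORM, "Message is null.");
                    return;
                }

                L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");

                // Sample lines this parser was written against:
                //2011-01-03 13:27:05	Local1.Info	192.168.2.80	Jan  3 13:28:08 brightmail ecelerity: 1294054057|c0a80250-b7b7aae000007fcf-ca-4d21b2a946ae|ACCEPT|209.85.216.191:42532
                //192.168.2.80:45924 : local1.info Feb 17 14:28:25 brightmail ecelerity: 1297945705|c0a80250-b7b6bae000000e0e-f8-4d5d1460c093|DELIVERY_FAILURE|550 5.4.4 [internal] null mx domain does not accept mail|[email protected]
                //192.168.2.80:45924 : local1.info Feb 17 14:24:12 brightmail ecelerity: 1297945452|c0a80250-b7b6bae000000e0e-a0-4d5d136b012b|ORCPTS|[email protected]

                //*192.168.2.80:48626 : local1.info Mar  1 16:51:34 brightmail ecelerity: 1298991094|c0a80250-b7b8aae000000cca-18-4d65f5d052d6|DELIVERY_FAILURE|554 5.4.7 [internal] exceeded max time without delivery|[email protected]
                //*192.168.2.80:48626 : local1.info Mar  1 16:53:35 brightmail bmserver: 1298991215|c0a80250-b7ce9ae000000cc1-bf-4d6d086e8648|MSGID| <*****@*****.**>
                //*192.168.2.80:48626 : local1.info Mar  1 16:48:42 brightmail bmserver: 1298990922|c0a80250-b7ce9ae000000cc1-5e-4d6d072bac0f|ATTACH|image001.jpg|kalite y??netimi ve saha i??nceleme raporu no.12.pdf
                //*192.168.2.80:55252 : local1.info Feb 23 14:03:48 brightmail bmserver: 1298462628|c0a80250-b7b8aae000000cca-87-4d64f73e0192|ATTACHFILTER|_bbg.exe

                //192.168.2.80:46689 : security2.info Feb 18 10:57:05 brightmail xinetd[2225]: START: https pid=6620 from=192.168.111.66
                //192.168.2.80:54229 : security2.info Feb 18 11:58:50 brightmail xinetd[2225]: START: https pid=13836 from=192.168.111.66

                //192.168.2.80:47547 : local1.info May  5 12:05:33 brightmail ecelerity: 1304586333|c0a80250-b7cb8ae000003006-fb-4dc2681d68ec|DELIVERY_FAILURE|554 5.4.4 [internal] domain lookup failed|[email protected]
                string[] parts = args.Message.Split(new char[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
                rec.LogName = "SymantecBrightmailRecorder";
                rec.SourceName = args.Source;
                rec.EventType = args.EventLogEntType.ToString();
                rec.Description = args.Message;
                rec.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");

                try
                {
                    if (parts.Length > 8)
                    {
                        // Token 0 is "<address>:<port>"; a token without ':' throws here and is
                        // reported by the catch below.
                        string[] endpoint = parts[0].Split(':');
                        rec.CustomStr6 = endpoint[1];
                        rec.CustomStr7 = endpoint[0];
                        rec.CustomStr8 = parts[3] + " " + parts[4] + " " + parts[5];
                        rec.CustomStr9 = parts[7].TrimEnd(':');

                        if (parts[8].Contains("|"))
                        {
                            // NOTE(review): only token 8 is examined, so a payload field that
                            // contains a space (see the DELIVERY_FAILURE, MSGID and ATTACH samples
                            // above) is cut at that space and later fields are missing. Confirm
                            // whether the payload should be rebuilt from parts[8..] instead.
                            string[] pipes = parts[8].Split('|');

                            rec.CustomInt1 = Convert_To_Int32(pipes[0]);
                            // Contains("|") guarantees at least two fields; the third is optional.
                            rec.CustomStr10 = pipes[1];
                            rec.EventCategory = pipes.Length > 2 ? pipes[2] : "";

                            switch (rec.EventCategory)
                            {
                                case "ACCEPT":
                                    string[] peer = pipes[3].Split(':');
                                    rec.CustomStr1 = peer[0];
                                    rec.CustomInt2 = Convert_To_Int32(peer[1]);
                                    break;

                                case "SENDER":
                                    rec.CustomStr3 = pipes[3];
                                    break;

                                case "ORCPTS":
                                case "SOURCE":
                                case "SUBJECT":
                                    rec.CustomStr4 = pipes[3];
                                    break;

                                case "MSGID":
                                    // Mail address: strip the surrounding angle brackets.
                                    rec.CustomStr4 = pipes[3].Trim().TrimStart('<').TrimEnd('>');
                                    break;

                                case "ATTACH":
                                case "ATTACHFILTER":
                                    // All remaining fields, re-joined with '|'.
                                    rec.CustomStr4 = "";
                                    for (int i = 3; i < pipes.Length; i++)
                                    {
                                        rec.CustomStr4 += pipes[i] + "|";
                                    }
                                    rec.CustomStr4 = rec.CustomStr4.TrimEnd('|');
                                    break;

                                case "UNTESTED":
                                case "VERDICT":
                                case "TRACKERID":
                                    rec.CustomStr4 = pipes[3];
                                    rec.CustomStr5 = " ";
                                    for (int i = 4; i < pipes.Length; i++)
                                    {
                                        rec.CustomStr5 += pipes[i] + "|";
                                    }
                                    // NOTE(review): Trim() removes only whitespace, so the value keeps
                                    // its trailing '|' here, unlike IRCPTACTION below - confirm intent.
                                    rec.CustomStr5 = rec.CustomStr5.Trim();
                                    break;

                                case "IRCPTACTION":
                                    rec.CustomStr4 = pipes[3];
                                    rec.CustomStr5 = " ";
                                    for (int i = 4; i < pipes.Length; i++)
                                    {
                                        rec.CustomStr5 += pipes[i] + "|";
                                    }
                                    rec.CustomStr5 = rec.CustomStr5.TrimEnd('|');
                                    break;

                                case "DELIVER":
                                case "DELIVERY_FAILURE":
                                    rec.CustomStr5 = pipes[3];
                                    rec.CustomStr4 = pipes[4];
                                    break;
                            }
                        }
                        else if (parts[8].Contains("START"))
                        {
                            //192.168.2.80:46689 : security2.info Feb 18 10:57:05 brightmail xinetd[2225]: START: https pid=6620 from=192.168.111.66
                            rec.EventCategory = parts[8].TrimEnd(':');
                            rec.CustomStr1 = parts[9];
                            rec.CustomInt3 = Convert_To_Int32(parts[10].Split('=')[1]);
                            rec.CustomStr6 = parts[11].Split('=')[1];
                        }
                    }
                    else
                    {
                        L.LogTimed(LogType.FILE, LogLevel.ERROR, " Line format is not like we want. Line : " + args.Message);
                    }
                }
                catch (Exception ex)
                {
                    // Parsing is best-effort: the record keeps whatever was extracted before the
                    // failure and is still forwarded below.
                    L.Log(LogType.FILE, LogLevel.ERROR, ex.ToString());
                    L.Log(LogType.FILE, LogLevel.ERROR, " Error line written in description. Line : " + args.Message);
                }

                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
                if (usingRegistry)
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
                    s.SetData(rec);
                }
                else
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
                    s.SetData(Dal, virtualhost, rec);
                    s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
            }
            catch (Exception er)
            {
                L.LogTimed(LogType.FILE, LogLevel.ERROR, er.ToString());
                L.LogTimed(LogType.FILE, LogLevel.ERROR, " Hataya düşen line : " + args.Message);
            }
        }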
        void Sep_SyslogEvent(LogMgrEventArgs args)
        {
            var r = new Rec();
            L.Log(LogType.FILE, LogLevel.DEBUG, " Sep_SyslogEvent() Started.");
            L.Log(LogType.FILE, LogLevel.DEBUG, " Sep_SyslogEvent() Line : " + args.Message);

            r.Description = args.Message.Length > 899 ? args.Message.Substring(0, 899) : args.Message;

            r.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");

            //CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
            int control = 0;
            try
            {
                String line = "";
                // e L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
                r.LogName = "SymantecSepSyslog Recorder";
                //rec.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");
                //r.EventType = args.EventLogEntType.ToString();
                //r.EventCategory = args.Source;
                L.Log(LogType.FILE, LogLevel.DEBUG, "Log is:" + args.Message);

                //main main main
                line = args.Message;
                var array = new String[100];
                //emr for virus found and array[0] controll
                var array2 = new String[100];
                array2 = SpaceSplit(line, true);
                array = line.Split(',');
                var temp3 = new String[100];
                temp3 = array2[7].Split(':');
                r.ComputerName = temp3[0];
                if (array.Length != 0)
                {
                    if (line.Contains("Virus found"))
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "Virus found");
                        r.EventCategory = "Virus found";
                        r.SourceName = array2[0];
                        virusFound(ref r, line);
                    }
                    else if (line.Contains("Forced TruScan proactive threat detected"))
                    {
                        r.EventCategory = "Forced TruScan proactive threat detected";
                        r.SourceName = array2[1];
                        forcedTruScanProactive(ref r, line);
                    }
                    else if (line.Contains("Scan ID"))
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "Scan");
                        r.EventCategory = "scan";
                        r.SourceName = array2[0];
                        scanComplete(ref r, line);
                    }
                    else if (line.Contains("Could not scan"))
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "Could not scan");
                        r.EventCategory = "Could not scan";
                        r.SourceName = array2[0];
                        couldnotScan(ref r, line);
                    }
                    else if (line.Contains("client has downloaded the content package"))
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "client has downloaded the content package");
                        r.EventCategory = "client has downloaded the content package";
                        r.SourceName = array2[0];
                        contentPackage(ref r, line);
                        if (string.IsNullOrEmpty(r.Datetime))
                        {
                            L.Log(LogType.FILE, LogLevel.DEBUG, "Colud not set DateTime, log is ignored..");
                            L.Log(LogType.FILE, LogLevel.DEBUG, "Log:" + line);
                        }
                    }
                    else if (line.Contains("LiveUpdate"))
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "LiveUpdate");
                        r.EventCategory = "LiveUpdate";
                        r.SourceName = array2[0];
                        LiveUpdate(ref r, line);

                    }
                    else if (line.Contains("Network Threat Protection is unable to download the newest policy"))
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "Network Threat Protection is unable to download the newest policy");
                        r.EventCategory = "Network Threat Protection is unable to download the newest policy";
                        r.SourceName = array2[0];
                        unableToDownload(ref r, line);

                    }
                    else if (line.Contains("New virus definition file loaded"))
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "New virus definition file loaded");
                        r.EventCategory = "New virus definition file loaded";
                        r.SourceName = array2[0];
                        definitionFileLoaded(ref r, line);

                    }
                    else if (line.Contains("services shutdown"))
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "services shutdown");
                        r.EventCategory = "services shutdown";
                        r.SourceName = array2[0];
                        definitionFileLoaded(ref r, line);

                    }
                    else if (line.Contains("services startup "))
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "services startup ");
                        r.EventCategory = "services startup";
                        r.SourceName = array2[0];
                        definitionFileLoaded(ref r, line);

                    }
                    else if (line.Contains("Auto-Protect failed "))
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "Auto-Protect failed");
                        r.EventCategory = "Auto-Protect failed";
                        r.SourceName = array2[0];
                        autoProtectedFailed(ref r, line);

                    }
                    else if (line.Contains("disable"))
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "disable");
                        r.EventCategory = "disable";
                        r.SourceName = array2[0];
                        disable(ref r, line);

                    }
                    else if (line.Contains("Failed to contact server"))
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "Failed to contact server");
                        r.EventCategory = "Failed to contact server";
                        r.SourceName = array2[0];
                        failedToContact(ref r, line);

                    }//bundan sonrakiler obey edilcek satýlar  , ,,
                    else if (line.Contains("Block IPv6") || line.Contains("Traffic from IP address") || line.Contains("Not in GZIP format") || line.Contains("received the client log") || line.Contains("Block all other traffic"))
                    {
                        //L.Log(LogType.FILE, LogLevel.DEBUG, "Category: Block IPv6,Traffic from IP address,Not in GZIP format,received the client log,Block all other traffic");
                        control = 1;
                    }
                    else if (line.Contains("Block and log IP traffic") || line.Contains("Host Integrity") || line.Contains("Location has been changed to Default.") || line.Contains("has been activated."))
                    {
                        //L.Log(LogType.FILE, LogLevel.DEBUG, "Category: Block IPv6,Traffic from IP address,Not in GZIP format,received the client log,Block all other traffic");
                        control = 1;
                    }
                    else
                    {
                        control = 1;
                        //L.Log(LogType.FILE, LogLevel.DEBUG, "Unknown or not wanted log format. All data written to description field." + args.Message);
                        r.Description = args.Message;
                    }
                }
            }
            catch (Exception er)
            {
                L.LogTimed(LogType.FILE, LogLevel.ERROR, er.ToString());
            }

            try
            {
                if (control != 1)
                {
                    r.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");
                    r.Description = args.Message.Length > 899 ? args.Message.Substring(0, 899) : args.Message;
                    //e L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
                    //e L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
                    CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
                    s.SetData(Dal, virtualhost, r);
                    s.SetReg(Id, r.Datetime, "", "", "", r.Datetime);
                    //e L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
                }
            }
            catch (Exception exception)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, "Record sending Error.");
            }
        }
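        /// <summary>
        /// Handles one syslog event for the WSense recorder: splits the message into tokens,
        /// copies the recognised <c>key=value</c> style tokens into a <c>CustomBase.Rec</c>,
        /// and hands the record to the configured Security Manager service.
        /// </summary>
        /// <remarks>
        /// Each field is looked up at a fixed token position first; when that token does not
        /// carry the expected key, every token is scanned and the last match wins. A field whose
        /// expected position lies beyond the end of the line is skipped (except <c>url</c>, which
        /// falls back to the last token). Every field has its own try/catch, so a malformed token
        /// produces a partially filled record rather than a dropped event.
        /// NOTE(review): <c>args.Message</c> is presumably attacker-influenced network input. It is
        /// written verbatim to the file log here; confirm that <c>L.Log</c> neutralises CR/LF and
        /// other control characters so a sender cannot forge log lines.
        /// </remarks>
        /// <param name="args">Event data; <c>Message</c> is the raw syslog line and
        /// <c>EventLogEntType</c> the event type.</param>
        void slog_SyslogEvent(LogMgrEventArgs args)
        {
            CustomBase.Rec rec = new CustomBase.Rec();
            L.Log(LogType.FILE, LogLevel.DEBUG, "slog_SyslogEvent Line: " + args.Message);
            try
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
                try
                {
                    rec.LogName = "WSenseSyslogV_1_0_0Recorder";
                    rec.EventType = args.EventLogEntType.ToString();
                    L.Log(LogType.FILE, LogLevel.DEBUG, "EventType: " + rec.EventType);

                    // Description is capped at 899 characters; longer messages are truncated.
                    if (args.Message.Length > 899)
                    {
                        rec.Description = args.Message.Substring(0, 899);
                    }
                    else
                    {
                        rec.Description = args.Message;
                    }

                    string line = args.Message;
                    string[] lineArr = SpaceSplit(line, false);

                    try
                    {
                        // The timestamp is rebuilt from tokens 3, 4 and 5 plus the receiver's current
                        // year, because the year is not taken from the message.
                        // NOTE(review): Convert.ToDateTime(string) parses with the current thread
                        // culture; confirm the service always runs under a culture that accepts this
                        // layout. Events stamped just before a year change would presumably get the
                        // wrong year.
                        DateTime dt;
                        string dateNow = DateTime.Now.Year.ToString(CultureInfo.InvariantCulture);
                        string myDateTimeString = lineArr[4] + lineArr[3] + "," + dateNow + "  ," + lineArr[5];
                        dt = Convert.ToDateTime(myDateTimeString);
                        rec.Datetime = dt.ToString(dateFormat);
                        L.Log(LogType.FILE, LogLevel.DEBUG, "Datetime: " + rec.Datetime);
                    }
                    catch (Exception exception)
                    {
                        // rec.Datetime stays unset here and is still passed to SetData/SetReg below.
                        L.Log(LogType.FILE, LogLevel.ERROR, "Date Error: " + exception.Message);
                    }

                    if (lineArr.Length > 6)
                    {
                        rec.CustomStr1 = lineArr[6];
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr1: " + rec.CustomStr1);
                    }

                    // category -> EventCategory (expected at token 12)
                    try
                    {
                        if (lineArr.Length > 12)
                        {
                            if (lineArr[12].Trim().StartsWith("category"))
                            {
                                rec.EventCategory = SplitedLine(lineArr[12]);
                                L.Log(LogType.FILE, LogLevel.DEBUG, "EventCategory: " + rec.EventCategory);
                            }
                            else
                            {
                                for (int i = 0; i < lineArr.Length; i++)
                                {
                                    if (lineArr[i].StartsWith("category"))
                                    {
                                        rec.EventCategory = SplitedLine(lineArr[i]);
                                        L.Log(LogType.FILE, LogLevel.DEBUG, "EventCategory: " + rec.EventCategory);
                                    }
                                }
                            }
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "EventCategory: " + exception.Message);
                    }

                    // user -> ComputerName, UserName, SourceName (expected at tokens 13 to 15)
                    try
                    {
                        if (lineArr.Length > 13)
                        {
                            if (lineArr[13].Trim().StartsWith("user"))
                            {
                                if (lineArr[13].Contains("://"))
                                {
                                    rec.ComputerName = After(SplitedLine(lineArr[13]), "://");
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "ComputerName: " + rec.ComputerName);

                                    // Tokens 14 and 15 are both read below, so at least 16 tokens are required.
                                    if (lineArr.Length > 15)
                                    {
                                        string[] pathParts = lineArr[14].Split('/');
                                        string d = pathParts[pathParts.Length - 1];
                                        rec.UserName = d + " " + lineArr[15];
                                        // NOTE(review): the statements that logged UserName and declared 'df'
                                        // were masked in this listing (only the literal "DC=local" survives),
                                        // so 'df' is undefined as shown. Restore them from the original
                                        // source before building.
                                        try
                                        {
                                            if (df.EndsWith(","))
                                            {
                                                rec.SourceName = df.Substring(0, df.Length - 1);
                                                L.Log(LogType.FILE, LogLevel.DEBUG, "SourceName: " + rec.SourceName);
                                            }
                                        }
                                        catch (Exception exception)
                                        {
                                            L.Log(LogType.FILE, LogLevel.ERROR, "SourceName: " + exception.Message);
                                        }
                                    }

                                }
                                else
                                {
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "ComputerName = null");
                                }
                            }
                            else
                            {
                                for (int i = 0; i < lineArr.Length; i++)
                                {
                                    if (lineArr[i].StartsWith("user"))
                                    {
                                        rec.ComputerName = SplitedLine(lineArr[i]);
                                        L.Log(LogType.FILE, LogLevel.DEBUG, "ComputerName: " + rec.ComputerName);
                                    }
                                }
                            }
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "ComputerName: " + exception.Message);
                    }

                    // action -> CustomStr2 (expected at token 10)
                    try
                    {
                        if (lineArr.Length > 10)
                        {
                            if (lineArr[10].Trim().StartsWith("action"))
                            {
                                rec.CustomStr2 = SplitedLine(lineArr[10]);
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2: " + rec.CustomStr2);
                            }
                            else
                            {
                                for (int i = 0; i < lineArr.Length; i++)
                                {
                                    if (lineArr[i].StartsWith("action"))
                                    {
                                        rec.CustomStr2 = SplitedLine(lineArr[i]);
                                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2: " + rec.CustomStr2);
                                    }
                                }

                            }
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr2: " + exception.Message);
                    }

                    // src_host -> CustomStr3 (expected at token 16)
                    try
                    {
                        if (lineArr.Length > 16)
                        {
                            // The key is tested on the same token the value is read from.
                            if (lineArr[16].Trim().StartsWith("src_host"))
                            {
                                rec.CustomStr3 = SplitedLine(lineArr[16]);
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
                            }
                            else
                            {
                                for (int i = 0; i < lineArr.Length; i++)
                                {
                                    if (lineArr[i].StartsWith("src_host"))
                                    {
                                        rec.CustomStr3 = SplitedLine(lineArr[i]);
                                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
                                    }
                                }

                            }
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr3: " + exception.Message);
                    }

                    // dst_ip -> CustomStr4 (expected at token 19)
                    try
                    {
                        if (lineArr.Length > 19)
                        {
                            if (lineArr[19].Trim().StartsWith("dst_ip"))
                            {
                                rec.CustomStr4 = SplitedLine(lineArr[19]);
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4: " + rec.CustomStr4);
                            }
                            else
                            {
                                for (int i = 0; i < lineArr.Length; i++)
                                {
                                    if (lineArr[i].StartsWith("dst_ip"))
                                    {
                                        rec.CustomStr4 = SplitedLine(lineArr[i]);
                                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4: " + rec.CustomStr4);
                                    }
                                }
                            }
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr4: " + exception.Message);
                    }

                    // dst_host -> CustomStr5 (expected at token 18)
                    try
                    {
                        if (lineArr.Length > 18)
                        {
                            if (lineArr[18].Trim().StartsWith("dst_host"))
                            {
                                rec.CustomStr5 = SplitedLine(lineArr[18]);
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr5: " + rec.CustomStr5);
                            }
                            else
                            {
                                for (int i = 0; i < lineArr.Length; i++)
                                {
                                    if (lineArr[i].StartsWith("dst_host"))
                                    {
                                        rec.CustomStr5 = SplitedLine(lineArr[i]);
                                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr5: " + rec.CustomStr5);
                                    }
                                }
                            }
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr5: " + exception.Message);
                    }

                    // url -> CustomStr6 (expected at token 33; short lines use the last token instead)
                    try
                    {
                        if (lineArr.Length > 33)
                        {
                            if (lineArr[33].StartsWith("url"))
                            {
                                rec.CustomStr6 = SplitedLine(lineArr[33]);
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr6: " + rec.CustomStr6);
                            }
                            else
                            {
                                for (int i = 0; i < lineArr.Length; i++)
                                {
                                    if (lineArr[i].StartsWith("url"))
                                    {
                                        rec.CustomStr6 = SplitedLine(lineArr[i]);
                                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr6: " + rec.CustomStr6);
                                    }
                                }
                            }

                        }
                        else
                        {
                            // The last token is taken without checking that it carries the url key.
                            rec.CustomStr6 = SplitedLine(lineArr[lineArr.Length - 1]);
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr6: " + rec.CustomStr6);
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr6: " + exception.Message);
                    }

                    // Numeric fields: Convert.ToInt32 throws on non-numeric text and on values outside
                    // the Int32 range; each catch then stores 0, which a consumer of the record cannot
                    // tell apart from a genuine 0.

                    // disposition -> CustomInt1 (expected at token 29)
                    try
                    {
                        if (lineArr.Length > 29)
                        {
                            if (lineArr[29].StartsWith("disposition"))
                            {
                                rec.CustomInt1 = Convert.ToInt32(SplitedLine(lineArr[29]));
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt1: " + rec.CustomInt1);
                            }
                            else
                            {
                                for (int i = 0; i < lineArr.Length; i++)
                                {
                                    if (lineArr[i].StartsWith("disposition"))
                                    {
                                        rec.CustomInt1 = Convert.ToInt32(SplitedLine(lineArr[i]));
                                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt1: " + rec.CustomInt1);
                                    }
                                }
                            }
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt1 Casting error, CustomInt1 setted 0 " + exception.Message);
                        rec.CustomInt1 = 0;
                    }

                    // http_response -> CustomInt3 (expected at token 23)
                    try
                    {
                        if (lineArr.Length > 23)
                        {
                            if (lineArr[23].StartsWith("http_response"))
                            {
                                rec.CustomInt3 = Convert.ToInt32(SplitedLine(lineArr[23]));
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt3: " + rec.CustomInt3);
                            }
                            else
                            {
                                for (int i = 0; i < lineArr.Length; i++)
                                {
                                    if (lineArr[i].StartsWith("http_response"))
                                    {
                                        rec.CustomInt3 = Convert.ToInt32(SplitedLine(lineArr[i]));
                                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt3: " + rec.CustomInt3);
                                    }
                                }
                            }
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt3 Casting error, CustomInt3 setted 0 " + exception.Message);
                        rec.CustomInt3 = 0;
                    }

                    // severity -> CustomInt5 (expected at token 11)
                    try
                    {
                        if (lineArr.Length > 11)
                        {
                            if (lineArr[11].StartsWith("severity"))
                            {
                                rec.CustomInt5 = Convert.ToInt32(SplitedLine(lineArr[11]));
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt5: " + rec.CustomInt5);
                            }
                            else
                            {
                                for (int i = 0; i < lineArr.Length; i++)
                                {
                                    if (lineArr[i].StartsWith("severity"))
                                    {
                                        rec.CustomInt5 = Convert.ToInt32(SplitedLine(lineArr[i]));
                                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt5: " + rec.CustomInt5);
                                    }
                                }
                            }
                        }

                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt5 Casting error, CustomInt5 setted 0 " + exception.Message);
                        rec.CustomInt5 = 0;
                    }

                    // bytes_out -> CustomInt7 (expected at token 21)
                    try
                    {
                        if (lineArr.Length > 21)
                        {
                            if (lineArr[21].StartsWith("bytes_out"))
                            {
                                rec.CustomInt7 = Convert.ToInt32(SplitedLine(lineArr[21]));
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt7: " + rec.CustomInt7);
                            }
                            else
                            {
                                for (int i = 0; i < lineArr.Length; i++)
                                {
                                    if (lineArr[i].StartsWith("bytes_out"))
                                    {
                                        rec.CustomInt7 = Convert.ToInt32(SplitedLine(lineArr[i]));
                                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt7: " + rec.CustomInt7);
                                    }
                                }
                            }
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt7 Casting error, CustomInt7 setted 0 " + exception.Message);
                        rec.CustomInt7 = 0;
                    }

                    // bytes_in -> CustomInt8 (expected at token 22)
                    try
                    {
                        if (lineArr.Length > 22)
                        {
                            if (lineArr[22].StartsWith("bytes_in"))
                            {
                                rec.CustomInt8 = Convert.ToInt32(SplitedLine(lineArr[22]));
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt8: " + rec.CustomInt8);
                            }
                            else
                            {
                                for (int i = 0; i < lineArr.Length; i++)
                                {
                                    if (lineArr[i].StartsWith("bytes_in"))
                                    {
                                        rec.CustomInt8 = Convert.ToInt32(SplitedLine(lineArr[i]));
                                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt8: " + rec.CustomInt8);
                                    }
                                }
                            }
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt8 Casting error, CustomInt8 setted 0 " + exception.Message);
                        rec.CustomInt8 = 0;
                    }

                    // src_port -> CustomInt9 (expected at token 17)
                    try
                    {
                        if (lineArr.Length > 17)
                        {
                            if (lineArr[17].StartsWith("src_port"))
                            {
                                rec.CustomInt9 = Convert.ToInt32(SplitedLine(lineArr[17]));
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt9: " + rec.CustomInt9);
                            }
                            else
                            {
                                for (int i = 0; i < lineArr.Length; i++)
                                {
                                    if (lineArr[i].StartsWith("src_port"))
                                    {
                                        rec.CustomInt9 = Convert.ToInt32(SplitedLine(lineArr[i]));
                                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt9: " + rec.CustomInt9);
                                    }
                                }
                            }
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt9 Casting error, CustomInt9 setted 0 " + exception.Message);
                        rec.CustomInt9 = 0;
                    }

                    // dst_port -> CustomInt10 (expected at token 20)
                    try
                    {
                        if (lineArr.Length > 20)
                        {
                            if (lineArr[20].StartsWith("dst_port"))
                            {
                                rec.CustomInt10 = Convert.ToInt32(SplitedLine(lineArr[20]));
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt10: " + rec.CustomInt10);
                            }
                            else
                            {
                                for (int i = 0; i < lineArr.Length; i++)
                                {
                                    if (lineArr[i].StartsWith("dst_port"))
                                    {
                                        rec.CustomInt10 = Convert.ToInt32(SplitedLine(lineArr[i]));
                                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt10: " + rec.CustomInt10);
                                    }
                                }
                            }
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt10 Casting error, CustomInt10 setted 0 " + exception.Message);
                        rec.CustomInt10 = 0;
                    }

                    L.Log(LogType.FILE, LogLevel.INFORM, " Log : " + args.Message);

                }
                catch (Exception e)
                {
                    // Any failure outside the per-field handlers is logged at DEBUG only, and the
                    // record built so far is still sent below.
                    L.Log(LogType.FILE, LogLevel.DEBUG, "ERROR------------");
                    L.Log(LogType.FILE, LogLevel.DEBUG, e.Message);
                    L.Log(LogType.FILE, LogLevel.DEBUG, e.StackTrace);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");

                if (usingRegistry)
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
                    s.SetData(rec);
                }
                else
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
                    s.SetData(Dal, virtualhost, rec);
                    s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
            }
            catch (Exception er)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
                L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
            }
        }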
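        /// <summary>
        /// Handles one syslog event for the Cisco recorder: lets a fresh
        /// <c>CiscoDEVRecorderProcess</c> parse the event, takes the record it builds and hands
        /// that record to the configured Security Manager service.
        /// </summary>
        /// <remarks>
        /// Events whose message is null or empty are dropped without a record or a log entry.
        /// Any exception is logged at ERROR together with the event type and the raw message.
        /// NOTE(review): the raw message is presumably attacker-influenced network input; confirm
        /// that the logger neutralises CR/LF and other control characters before writing it.
        /// </remarks>
        /// <param name="args">Event data; <c>Message</c> is the raw syslog line and
        /// <c>EventLogEntType</c> the event type.</param>
        void slog_SyslogEvent(LogMgrEventArgs args)
        {
            try
            {
                if (string.IsNullOrEmpty(args.Message))
                {
                    return;
                }

                CiscoDEVRecorderProcess devrecorder = new CiscoDEVRecorderProcess();
                devrecorder.parsingProcess(args, zone);

                // createRec() supplies the record, so no placeholder instance is allocated first.
                CustomBase.Rec rec = devrecorder.createRec();

                InitializeLogger.L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");

                if (usingRegistry)
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
                    s.SetData(rec);
                }
                else
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
                    s.SetData(Dal, virtualhost, rec);
                    s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
                }
                InitializeLogger.L.Log(LogType.FILE, LogLevel.INFORM, "Finish Sending Data");
            }
            catch (Exception er)
            {
                InitializeLogger.L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
                InitializeLogger.L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
            }
        }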
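        /// <summary>
        /// Handles one SonicWall syslog event: tokenises the message into key=value fields, stores
        /// them through <c>assignpropertyvalue</c> / <c>assignundefinedvalue</c>, builds a "web" or
        /// "fw" record and forwards it to the configured Security Manager service.
        /// </summary>
        /// <param name="args">
        /// Event data. <c>Message</c> is the raw syslog text received from a device and should be
        /// treated as untrusted input.
        /// </param>
        void slog_SyslogEvent(LogMgrEventArgs args)
        {
            // Fallback record: this is what gets sent if parsing below fails.
            CustomBase.Rec rec = new CustomBase.Rec();

            try
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
                try
                {
                    // Known keys; the position of a key in this array is the index handed to
                    // assignpropertyvalue.
                    string[] logproperties = {"id","sn","time","fw","pri","c","m","msg","n","dst","proto","src",
                                                "sent","rcvd","vpnpolicy","op","result","dstname","code","Category","arg"};

                    this.log_Name = "SonicWallSyslog Recorder";
                    this.event_Type = args.EventLogEntType.ToString();
                    // NOTE(review): the raw message is logged as received; confirm the logger
                    // neutralises CR/LF so a crafted message cannot forge log lines.
                    L.Log(LogType.FILE, LogLevel.INFORM, "args.Message" + args.Message);
                    string[] tempfields = args.Message.Split(' ');
                    // A message with fewer than three tokens throws here and is handled by the
                    // inner catch below.
                    info = tempfields[2];
                    description = args.Message;

                    // From token 3 on, a token without '=' is a continuation of the previous token
                    // (a value containing spaces): append it there and blank it out.
                    for (int k = 3; k < tempfields.Length; k++)
                    {
                        if (!tempfields[k].Contains("="))
                        {
                            for (int j = k; j < tempfields.Length; j++)
                            {
                                if (tempfields[j].Contains("="))
                                {
                                    // Next key=value token reached; resume the outer scan after it.
                                    k = j;
                                    break;
                                }
                                tempfields[k - 1] += " " + tempfields[j];
                                tempfields[j] = "";
                            }
                            tempfields[k - 1] = tempfields[k - 1].Trim();
                        }
                    }

                    // Count the blanked (and originally empty) tokens so they can be dropped.
                    int controlindex = 0;

                    for (int h = 0; h < tempfields.Length; h++)
                    {
                        if (tempfields[h] == "")
                        {
                            controlindex++;
                        }
                    }

                    // Compact the non-empty tokens into fields, preserving their order.
                    string[] fields = new string[tempfields.Length - controlindex];
                    int xyz = 0;

                    for (int i = 0; i < tempfields.Length; i++)
                    {
                        if (tempfields[i] != "")
                        {
                            fields[xyz] = tempfields[i];
                            xyz++;
                        }
                    }

                    for (int i = 3; i < fields.Length; i++)
                    {
                        // Split on the first '=' only, so a value that itself contains '='
                        // (for example a URL query string) is kept whole instead of being cut
                        // at its second '='.
                        string[] pair = fields[i].Split(new char[] { '=' }, 2);
                        string property = pair[0];
                        string value = pair.Length > 1 ? pair[1] : "";
                        int index = Array.IndexOf(logproperties, property);

                        if (index != -1)
                        {
                            assignpropertyvalue(index, value);
                        }
                        else
                        {
                            assignundefinedvalue(property, value);
                        }
                    }

                    // Record type: fields are checked in order, "dstname" selects "web" and "msg"
                    // selects "fw"; the last match wins. The match is a substring test on the
                    // whole field, so it also hits inside values.
                    string controltype = "";
                    for (int i = 0; i < fields.Length; i++)
                    {
                        if (fields[i].Contains("dstname"))
                        {
                            controltype = "web";
                        }
                        if (fields[i].Contains("msg"))
                        {
                            controltype = "fw";
                        }
                    }

                    if (controltype == "web")
                    {
                        rec = createRec("web");
                    }
                    else
                    {
                        rec = createRec("fw");
                    }
                }
                catch (Exception e)
                {
                    // NOTE(review): a parse failure is logged at DEBUG only and execution continues,
                    // so the fallback record is still forwarded below. Confirm that is intended;
                    // otherwise malformed input yields records with no parsed fields.
                    clearProperties();
                    L.Log(LogType.FILE, LogLevel.DEBUG, "ERROR------------");
                    L.Log(LogType.FILE, LogLevel.DEBUG, e.Message);
                    L.Log(LogType.FILE, LogLevel.DEBUG, e.StackTrace);
                }

                L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
                if (usingRegistry)
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
                    s.SetData(rec);
                }
                else
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
                    // NOTE(review): Dal and virtualhost are written to the debug log; confirm
                    // neither carries connection credentials.
                    L.Log(LogType.FILE, LogLevel.DEBUG, Dal + " " + virtualhost + " " + rec.Description);
                    s.SetData(Dal, virtualhost, rec);
                    // The record's timestamp is passed as both the 2nd and the last argument.
                    s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
                // Reset the per-event state held on the instance.
                clearProperties();
            }
            catch (Exception er)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
                L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
            }
        }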
예제 #24
        void slog_SyslogEvent(LogMgrEventArgs args)
        {
            CustomBase.Rec rec = new CustomBase.Rec();
            try
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
                L.Log(LogType.FILE, LogLevel.INFORM, " Log : " + args.Message);
                try
                {

                    rec.Datetime = DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss");
                    rec.EventType = args.EventLogEntType.ToString();
                    rec.LogName = "SonicWallV_TZ120_0_0UTMRecorder";

                    if (args.Message.Length > 899)
                    {
                        rec.Description = args.Message.Substring(0, 899);
                    }
                    else
                    {
                        rec.Description = args.Message;
                    }

                    string[] lineArr = SpaceSplit(args.Message, false);

                    rec.SourceName = lineArr[2];
                    L.Log(LogType.FILE, LogLevel.DEBUG, "SourceName: " + rec.SourceName);
                    rec.EventType = lineArr[2].Split('.')[1];
                    L.Log(LogType.FILE, LogLevel.DEBUG, "EventType: " + rec.EventType);
                    rec.ComputerName = lineArr[0];
                    L.Log(LogType.FILE, LogLevel.DEBUG, "ComputerName: " + rec.ComputerName);

                    //if (lineArr[2] == "local0.info")
                    {
                        try
                        {
                            if (lineArr.Length > 16)
                            {
                                if (lineArr[16].Trim().StartsWith("op="))
                                {
                                    rec.EventCategory = SplitedLine(lineArr[16]);
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "EventCategory: " + rec.EventCategory);
                                }
                                else
                                {
                                    for (int i = 0; i < lineArr.Length; i++)
                                    {
                                        if (lineArr[i].StartsWith("op="))
                                        {
                                            rec.EventCategory = SplitedLine(lineArr[i]);
                                            L.Log(LogType.FILE, LogLevel.DEBUG, "EventCategory: " + rec.EventCategory);
                                        }
                                    }
                                }
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "EventCategory: " + exception.Message);
                        }
                        //192.168.3.1:514 : local0.error id=firewall sn=0017C56122AA time="2013-01-28 13:14:13 UTC" fw=none pri=3 c=4 m=14 msg="Web site access denied" n=223847 src=192.168.3.142:49562:X0:MEHMETSsTCs-PC dst=31.13.64.7:80:X1:star-01-01-ams2.facebook.com dstname=www.facebook.com arg=/plugins/like.php?href=http%3A%2F%2Fwww.facebook.com%2Fpages%2Fgazetea24com%2F168179866539250&send=false&layout code=58 Category="Social Networking"
                        try
                        {
                            string userName = "";
                            if (lineArr.Length > 13)
                            {
                                if (lineArr[13].Trim().StartsWith("src="))
                                {
                                    if (SplitedLine(lineArr[13]).Split(':').Length > 2)
                                    {
                                        userName = After(SplitedLine(lineArr[13]), "X0:");
                                        L.Log(LogType.FILE, LogLevel.DEBUG, "UserName: "******"src="))
                                        {
                                            if (SplitedLine(lineArr[i]).Split(':').Length > 2)
                                            {
                                                userName = After(SplitedLine(lineArr[i]), "X0:");
                                                L.Log(LogType.FILE, LogLevel.DEBUG, "UserName: "******":"))
                                {
                                    rec.UserName = userName.Split(':')[0];
                                }
                                else
                                {
                                    rec.UserName = userName;
                                }
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "UserName: "******"Category="))
                                {
                                    rec.CustomStr1 = Between(args.Message, "Category=", " ");
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr1: " + rec.CustomStr1);
                                }
                                else
                                {
                                    for (int i = 0; i < lineArr.Length; i++)
                                    {
                                        if (lineArr[i].StartsWith("Category="))
                                        {
                                            rec.CustomStr1 = Between(args.Message, "Category=", " ");
                                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr1: " + rec.CustomStr1);
                                        }
                                    }
                                }
                            }
                            rec.CustomStr1 = rec.CustomStr1.Replace('"', ' ').Trim();
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr1: " + exception.Message);
                        }

                        try
                        {
                            if (lineArr.Length > 15)
                            {
                                if (lineArr[15].Trim().StartsWith("proto="))
                                {
                                    rec.CustomStr2 = SplitedLine(lineArr[15]);
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2: " + rec.CustomStr2);
                                }
                                else
                                {
                                    for (int i = 0; i < lineArr.Length; i++)
                                    {
                                        if (lineArr[i].StartsWith("proto="))
                                        {
                                            rec.CustomStr2 = SplitedLine(lineArr[i]);
                                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2: " + rec.CustomStr2);
                                        }
                                    }
                                }
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr2: " + exception.Message);
                        }

                        try
                        {
                            if (lineArr.Length > 13)
                            {
                                if (lineArr[13].Trim().StartsWith("src"))
                                {
                                    rec.CustomStr3 =
                                        SplitedLine(lineArr[13]).Split(':')[0];
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
                                }
                                else
                                {
                                    for (int i = 0; i < lineArr.Length; i++)
                                    {
                                        if (lineArr[i].StartsWith("src"))
                                        {
                                            rec.CustomStr3 = SplitedLine(lineArr[i]).Split(':')[SplitedLine(lineArr[i]).Split(':').Length - 1];
                                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
                                        }
                                    }
                                }
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr3: " + exception.Message);
                        }

                        try
                        {
                            if (lineArr.Length > 14)
                            {
                                if (lineArr[14].Trim().StartsWith("dst"))
                                {
                                    rec.CustomStr4 =
                                        SplitedLine(lineArr[14]).Split(':')[0];
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4: " + rec.CustomStr4);
                                }
                                else
                                {
                                    for (int i = 0; i < lineArr.Length; i++)
                                    {
                                        if (lineArr[i].StartsWith("dst"))
                                        {
                                            rec.CustomStr4 = SplitedLine(lineArr[i]).Split(':')[SplitedLine(lineArr[i]).Split(':').Length - 1];
                                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4: " + rec.CustomStr4);
                                        }
                                    }
                                }
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr4: " + exception.Message);
                        }

                        rec.CustomStr5 = Between(args.Message, "msg=", "n=");
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr5: " + rec.CustomStr5);

                        try
                        {
                            if (lineArr.Length > 20)
                            {
                                if (lineArr[20].Trim().StartsWith("arg"))
                                {
                                    rec.CustomStr7 =
                                        SplitedLine(lineArr[20]);
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr7: " + rec.CustomStr7);
                                }
                                else
                                {
                                    for (int i = 0; i < lineArr.Length; i++)
                                    {
                                        if (lineArr[i].StartsWith("arg"))
                                        {
                                            rec.CustomStr7 = SplitedLine(lineArr[i]);
                                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr7: " + rec.CustomStr3);
                                        }
                                    }
                                }
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr7: " + exception.Message);
                        }

                        try
                        {
                            if (lineArr.Length > 19)
                            {
                                if (lineArr[19].Trim().StartsWith("dstname"))
                                {
                                    rec.CustomStr8 =
                                        SplitedLine(lineArr[19]);
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr8: " + rec.CustomStr7);
                                }
                                else
                                {
                                    for (int i = 0; i < lineArr.Length; i++)
                                    {
                                        if (lineArr[i].StartsWith("dstname"))
                                        {
                                            rec.CustomStr8 = SplitedLine(lineArr[i]);
                                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr8: " + rec.CustomStr8);
                                        }
                                    }
                                }
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr8: " + exception.Message);
                        }

                        try
                        {
                            if (lineArr.Length > 14)
                            {
                                if (lineArr[14].Trim().StartsWith("dst"))
                                {
                                    rec.CustomStr10 =
                                        SplitedLine(lineArr[14]).Split(':')[SplitedLine(lineArr[14]).Split(':').Length - 1];
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr10: " + rec.CustomStr10);
                                }
                                else
                                {
                                    for (int i = 0; i < lineArr.Length; i++)
                                    {
                                        if (lineArr[i].StartsWith("dst"))
                                        {
                                            rec.CustomStr10 = SplitedLine(lineArr[i]).Split(':')[SplitedLine(lineArr[i]).Split(':').Length - 1];
                                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr10: " + rec.CustomStr10);
                                        }
                                    }
                                }
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr10: " + exception.Message);
                        }

                        try
                        {
                            if (lineArr.Length > 18)
                            {
                                if (lineArr[18].Trim().StartsWith("result"))
                                {
                                    rec.CustomInt1 = Convert.ToInt32(SplitedLine(lineArr[18]));
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt1: " + rec.CustomStr10);
                                }
                                else
                                {
                                    for (int i = 0; i < lineArr.Length; i++)
                                    {
                                        if (lineArr[i].StartsWith("result"))
                                        {
                                            rec.CustomInt1 = Convert.ToInt32(SplitedLine(lineArr[18]));
                                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt1: " + rec.CustomInt1);
                                        }
                                    }
                                }
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt1: " + exception.Message);
                            rec.CustomInt1 = 0;
                        }

                        try
                        {
                            if (lineArr.Length > 17)
                            {
                                if (lineArr[17].Trim().StartsWith("rcvd"))
                                {
                                    rec.CustomInt2 = Convert.ToInt32(SplitedLine(lineArr[17]));
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt2: " + rec.CustomInt2);
                                }
                                else
                                {
                                    for (int i = 0; i < lineArr.Length; i++)
                                    {
                                        if (lineArr[i].StartsWith("rcvd"))
                                        {
                                            rec.CustomInt2 = Convert.ToInt32(SplitedLine(lineArr[17]));
                                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt2: " + rec.CustomInt2);
                                        }
                                    }
                                }
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt2: " + exception.Message);
                            rec.CustomInt2 = 0;
                        }

                        try
                        {
                            if (lineArr.Length > 13)
                            {
                                if (lineArr[13].Trim().StartsWith("src"))
                                {
                                    rec.CustomInt3 = Convert.ToInt32(SplitedLine(lineArr[13].Split(':')[1]));
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt3: " + rec.CustomInt3);
                                }
                                else
                                {
                                    for (int i = 0; i < lineArr.Length; i++)
                                    {
                                        if (lineArr[i].StartsWith("src"))
                                        {
                                            rec.CustomInt3 = Convert.ToInt32(SplitedLine(lineArr[i].Split(':')[1]));
                                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt3: " + rec.CustomInt3);
                                        }
                                    }
                                }
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt3: " + exception.Message);
                            rec.CustomInt3 = 0;
                        }

                        try
                        {
                            if (lineArr.Length > 14)
                            {
                                if (lineArr[14].Trim().StartsWith("dst"))
                                {
                                    rec.CustomInt4 = Convert.ToInt32(SplitedLine(lineArr[14].Split(':')[1]));
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt4: " + rec.CustomInt4);
                                }
                                else
                                {
                                    for (int i = 0; i < lineArr.Length; i++)
                                    {
                                        if (lineArr[i].StartsWith("src"))
                                        {
                                            rec.CustomInt4 = Convert.ToInt32(SplitedLine(lineArr[i].Split(':')[1]));
                                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt4: " + rec.CustomInt4);
                                        }
                                    }
                                }
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt4: " + exception.Message);
                            rec.CustomInt4 = 0;
                        }

                        try
                        {
                            if (lineArr.Length > 9)
                            {
                                if (lineArr[9].Trim().StartsWith("pri"))
                                {
                                    rec.CustomInt5 = Convert.ToInt32(SplitedLine(lineArr[9]));
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt5: " + rec.CustomInt5);
                                }
                                else
                                {
                                    for (int i = 0; i < lineArr.Length; i++)
                                    {
                                        if (lineArr[i].StartsWith("pri"))
                                        {
                                            rec.CustomInt5 = Convert.ToInt32(SplitedLine(lineArr[i]));
                                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt5: " + rec.CustomInt5);
                                        }
                                    }
                                }
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt5: " + exception.Message);
                            rec.CustomInt5 = 0;
                        }

                        try
                        {
                            if (lineArr.Length > 10)
                            {
                                if (lineArr[10].Trim().StartsWith("c="))
                                {
                                    rec.CustomInt6 = Convert.ToInt32(SplitedLine(lineArr[10]));
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt6: " + rec.CustomInt6);
                                }
                                else
                                {
                                    for (int i = 0; i < lineArr.Length; i++)
                                    {
                                        if (lineArr[i].StartsWith("c="))
                                        {
                                            rec.CustomInt6 = Convert.ToInt32(SplitedLine(lineArr[i]));
                                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt6: " + rec.CustomInt6);
                                        }
                                    }
                                }
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt6: " + exception.Message);
                            rec.CustomInt6 = 0;
                        }

                        try
                        {
                            if (lineArr.Length > 11)
                            {
                                if (lineArr[11].Trim().StartsWith("m="))
                                {
                                    rec.CustomInt7 = Convert.ToInt32(SplitedLine(lineArr[11]));
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt7: " + rec.CustomInt7);
                                }
                                else
                                {
                                    for (int i = 0; i < lineArr.Length; i++)
                                    {
                                        if (lineArr[i].StartsWith("m="))
                                        {
                                            rec.CustomInt7 = Convert.ToInt32(SplitedLine(lineArr[i]));
                                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt7: " + rec.CustomInt7);
                                        }
                                    }
                                }
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt7: " + exception.Message);
                            rec.CustomInt7 = 0;
                        }

                        try
                        {
                            if (lineArr.Length > 12)
                            {
                                if (lineArr[12].Trim().StartsWith("n="))
                                {
                                    rec.CustomInt8 = Convert.ToInt32(SplitedLine(lineArr[12]));
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt8: " + rec.CustomInt8);
                                }
                                else
                                {
                                    for (int i = 0; i < lineArr.Length; i++)
                                    {
                                        if (lineArr[i].StartsWith("n="))
                                        {
                                            rec.CustomInt8 = Convert.ToInt32(SplitedLine(lineArr[i]));
                                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt8: " + rec.CustomInt8);
                                        }
                                    }
                                }
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt8: " + exception.Message);
                            rec.CustomInt8 = 0;
                        }

                        try
                        {
                            if (lineArr.Length > 21)
                            {
                                if (lineArr[21].Trim().StartsWith("code"))
                                {
                                    rec.CustomInt9 = Convert.ToInt32(SplitedLine(lineArr[21]));
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt9: " + rec.CustomInt9);
                                }
                                else
                                {
                                    for (int i = 0; i < lineArr.Length; i++)
                                    {
                                        if (lineArr[i].StartsWith("n="))
                                        {
                                            rec.CustomInt9 = Convert.ToInt32(SplitedLine(lineArr[i]));
                                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt9: " + rec.CustomInt9);
                                        }
                                    }
                                }
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt9: " + exception.Message);
                            rec.CustomInt9 = 0;
                        }

                        try
                        {
                            if (lineArr.Length > 21)
                            {
                                if (lineArr[21].Trim().StartsWith("code"))
                                {
                                    rec.CustomInt9 = Convert.ToInt32(SplitedLine(lineArr[21]));
                                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt9: " + rec.CustomInt9);
                                }
                                else
                                {
                                    for (int i = 0; i < lineArr.Length; i++)
                                    {
                                        if (lineArr[i].StartsWith("n="))
                                        {
                                            rec.CustomInt9 = Convert.ToInt32(SplitedLine(lineArr[i]));
                                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt9: " + rec.CustomInt9);
                                        }
                                    }
                                }
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt9: " + exception.Message);
                            rec.CustomInt9 = 0;
                        }
                    }

                }
                catch (Exception e)
                {
                    L.Log(LogType.FILE, LogLevel.DEBUG, "ERROR------------");
                    L.Log(LogType.FILE, LogLevel.DEBUG, e.Message);
                    L.Log(LogType.FILE, LogLevel.DEBUG, e.StackTrace);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");

                if (usingRegistry)
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
                    s.SetData(rec);
                }
                else
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
                    s.SetData(Dal, virtualhost, rec);
                    s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
            }
            catch (Exception er)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
                L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
            }
        }
예제 #25
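        /// <summary>
        /// Builds a <c>Rec</c> from one WatchGuard web-proxy syslog line and hands it to the
        /// configured Security Manager service.
        /// </summary>
        /// <remarks>
        /// The message text arrives from the network and should be treated as untrusted input.
        /// Parsing failures are logged and the record is still sent with whatever fields were
        /// filled in before the failure.
        /// </remarks>
        /// <param name="args">Syslog event; <c>Message</c> holds the raw line.</param>
        void SlogSyslogEvent(LogMgrEventArgs args)
        {
            var rec = new Rec();

            try
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
                L.Log(LogType.FILE, LogLevel.DEBUG, " Log : " + args.Message);

                try
                {
                    rec.LogName = "WatchGuardWebSyslogV_1_0_0Recorder";
                    rec.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");

                    string line = args.Message;

                    // Cap the length first and substitute quotes on the capped text. Assigning
                    // args.Message.Replace(...) afterwards would overwrite the capped value and
                    // let an arbitrarily long message through.
                    // NOTE(review): the quote substitution suggests a consumer that builds SQL text
                    // from this field; if so, parameterized statements in that consumer are the
                    // robust fix. The consumer is not visible here, so this is an assumption.
                    string capped = line.Length > 899 ? line.Substring(0, 899) : line;
                    rec.Description = capped.Replace("'", "|");

                    // lineArr keeps empty entries (positions shift with repeated spaces);
                    // subLineArr drops them.
                    string[] lineArr = line.Split();
                    string[] subLineArr = line.Split((char[])null, StringSplitOptions.RemoveEmptyEntries);

                    for (int i = 0; i < lineArr.Length; i++)
                    {
                        string token = lineArr[i];

                        if (token.StartsWith("op"))
                        {
                            rec.EventType = SplitFunction(token);
                            L.Log(LogType.FILE, LogLevel.DEBUG, "EventType: " + rec.EventType);
                        }

                        if (token.StartsWith("proxy_act"))
                        {
                            rec.CustomStr2 = SplitFunction(token);
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2: " + rec.CustomStr2);
                        }

                        if (token.StartsWith("dstname"))
                        {
                            rec.CustomStr6 = SplitFunction(token);
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr6: " + rec.CustomStr6);
                        }

                        if (token.StartsWith("arg"))
                        {
                            rec.CustomStr7 = SplitFunction(token);
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr7: " + rec.CustomStr7);
                        }

                        // Numeric fields: a non-numeric or overflowing value is logged and the
                        // field keeps its previous value.
                        try
                        {
                            if (token.StartsWith("sent_bytes"))
                            {
                                rec.CustomInt5 = Convert.ToInt32(SplitFunction(token));
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt5: " + rec.CustomInt5);
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt5 Type Casting Error: " + exception.Message);
                        }

                        try
                        {
                            if (token.StartsWith("rcvd_bytes"))
                            {
                                rec.CustomInt6 = Convert.ToInt32(SplitFunction(token));
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt6: " + rec.CustomInt6);
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt6 Type Casting Error: " + exception.Message);
                        }

                        try
                        {
                            if (token.StartsWith("elapsed_time"))
                            {
                                rec.CustomStr8 = SplitFunction(token);
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr8: " + rec.CustomStr8);
                            }
                        }
                        catch (Exception exception)
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr8 Type Casting Error: " + exception.Message);
                        }

                        // After the protocol keyword the addresses sit at fixed offsets. An offset
                        // past the end of the array, or a token that is not an IP address, lands in
                        // the catch and leaves the field unset.
                        if (string.Equals(token, "tcp", StringComparison.OrdinalIgnoreCase))
                        {
                            try
                            {
                                IPAddress sourceIp = IPAddress.Parse(lineArr[i + 1]);
                                rec.CustomStr3 = sourceIp.ToString();
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
                            }
                            catch (Exception exception)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr3 Error: " + exception.Message);
                            }

                            try
                            {
                                IPAddress destIp = IPAddress.Parse(lineArr[i + 2]);
                                rec.CustomStr4 = destIp.ToString();
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4: " + rec.CustomStr4);
                            }
                            catch (Exception exception)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr4 Error: " + exception.Message);
                            }
                        }

                        if (string.Equals(token, "udp", StringComparison.OrdinalIgnoreCase))
                        {
                            try
                            {
                                IPAddress sourceIp = IPAddress.Parse(lineArr[i + 3]);
                                rec.CustomStr3 = sourceIp.ToString();
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
                            }
                            catch (Exception exception)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr3 Error: " + exception.Message);
                            }

                            try
                            {
                                IPAddress destIp = IPAddress.Parse(lineArr[i + 4]);
                                rec.CustomStr4 = destIp.ToString();
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4: " + rec.CustomStr4);
                            }
                            catch (Exception exception)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr4 Error: " + exception.Message);
                            }
                        }
                    }

                    // Bounds-check before indexing: a short message would otherwise throw here and
                    // the outer catch would skip every field parsed below.
                    if (subLineArr.Length > 10)
                    {
                        rec.EventCategory = subLineArr[10];
                        L.Log(LogType.FILE, LogLevel.DEBUG, "EventCategory: " + rec.EventCategory);
                    }
                    else
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "EventCategory Error: fewer than 11 fields in message");
                    }

                    try
                    {
                        string msg1 = After(line, "msg=");
                        string msg2 = Before(msg1, "\" ");
                        rec.CustomStr1 = msg2.Replace('"', ' ').Trim();
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr1: " + rec.CustomStr1);
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr1 Error: " + exception.Message);
                    }

                    if (lineArr.Length > 8)
                    {
                        // NOTE(review): the test inspects lineArr[8] but the value is taken from
                        // lineArr[5]; one of the two indexes looks unintended. Left unchanged
                        // because the message layout is not visible here. Confirm against a sample.
                        if (lineArr[8].Contains("-"))
                        {
                            rec.CustomStr5 = lineArr[5].Split('-')[0];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr5: " + rec.CustomStr5);
                        }
                    }

                    // NOTE(review): the two blocks below check subLineArr.Length but read lineArr.
                    // The index cannot go out of range (lineArr is never shorter than subLineArr),
                    // but the two arrays number their fields differently when the line contains
                    // repeated whitespace. Confirm which array was intended.
                    try
                    {
                        if (subLineArr.Length > 16)
                        {
                            rec.CustomInt3 = Convert.ToInt32(lineArr[16]);
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt3: " + rec.CustomInt3);
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt3 Type Casting Error: " + exception.Message);
                    }

                    try
                    {
                        if (subLineArr.Length > 17)
                        {
                            rec.CustomInt4 = Convert.ToInt32(lineArr[17]);
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt4: " + rec.CustomInt4);
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt4 Type Casting Error: " + exception.Message);
                    }
                }
                catch (Exception e)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "ERROR------------");
                    L.Log(LogType.FILE, LogLevel.ERROR, e.Message);
                    L.Log(LogType.FILE, LogLevel.ERROR, e.StackTrace);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
                if (usingRegistry)
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
                    s.SetData(rec);
                }
                else
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
                    s.SetData(Dal, virtualhost, rec);
                    s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
            }
            catch (Exception er)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
                L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
            }
        }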
예제 #26
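        /// <summary>
        /// Builds a <c>Rec</c> from one Squid syslog line by position and sends it to the
        /// "Security Manager Remote Recorder" service.
        /// </summary>
        /// <remarks>
        /// The line is split on whitespace with empty entries removed; fields are taken by index,
        /// each behind a length check. The message is network-supplied, so a short or malformed
        /// line must not prevent the raw text from being recorded.
        /// </remarks>
        /// <param name="args">Syslog event; <c>Message</c> holds the raw line.</param>
        public void SlogSquidSyslogRecorder(LogMgrEventArgs args)
        {
            var rec = new Rec();
            try
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
                L.Log(LogType.FILE, LogLevel.DEBUG, "Line Onur  : " + args.Message);
                string line = args.Message;
                try
                {
                    rec.LogName = "SquidSyslogV_1_0_0Recorder";

                    // Store the (capped) raw text before any positional parsing so it is kept
                    // even when a later field throws and the outer catch abandons the rest.
                    rec.Description = args.Message.Length > 899 ? args.Message.Substring(0, 899) : args.Message;

                    string[] arr = line.Split((char[])null, StringSplitOptions.RemoveEmptyEntries);

                    if (arr.Length > 13)
                    {
                        rec.EventType = arr[13];
                        L.Log(LogType.FILE, LogLevel.DEBUG, "EventType: " + rec.EventType);
                    }

                    if (arr.Length > 11)
                    {
                        rec.EventCategory = arr[11];
                        L.Log(LogType.FILE, LogLevel.DEBUG, "EventCategory: " + rec.EventCategory);
                    }

                    if (arr.Length > 14)
                    {
                        rec.CustomStr1 = arr[14];
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr1: " + rec.CustomStr1);
                    }

                    // Last token of the line; guarded because an all-whitespace message
                    // yields an empty array.
                    if (arr.Length > 0)
                    {
                        rec.CustomStr2 = arr[arr.Length - 1];
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2: " + rec.CustomStr2);
                    }

                    if (arr.Length > 10)
                    {
                        rec.CustomStr3 = arr[10];
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
                    }

                    if (arr.Length > 16)
                    {
                        // Keep the part after the first '/' when there is one.
                        rec.CustomStr4 = arr[16].Contains("/") ? arr[16].Split('/')[1] : arr[16];
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4: " + rec.CustomStr4);
                    }

                    if (arr.Length > 2)
                    {
                        rec.CustomStr5 = arr[2];
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr5: " + rec.CustomStr5);
                    }

                    if (arr.Length > 8)
                    {
                        rec.CustomStr6 = arr[8];
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr6: " + rec.CustomStr6);
                    }

                    if (arr.Length > 7)
                    {
                        rec.CustomStr7 = arr[7];
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr7: " + rec.CustomStr7);
                    }

                    if (arr.Length > 0)
                    {
                        rec.CustomStr10 = arr[0];
                        // Log the field that was just set (the label and value previously
                        // repeated CustomStr7).
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr10: " + rec.CustomStr10);
                    }

                    try
                    {
                        if (arr.Length > 9)
                        {
                            rec.CustomInt2 = Convert.ToInt32(arr[9]);
                        }
                        L.Log(LogType.FILE, LogLevel.DEBUG, "rec.CustomInt2." + rec.CustomInt2);
                    }
                    catch (Exception exception)
                    {
                        // Only reachable when arr[9] exists, so reading it here is safe.
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt2 Cast Error." + exception.Message);
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt2 expected value: " + arr[9]);
                    }

                    try
                    {
                        // Length check added: without it a short line throws, and the handler's
                        // own array read could throw again from inside the catch, which skipped
                        // the timestamp parsing below.
                        if (arr.Length > 12)
                        {
                            rec.CustomInt3 = Convert.ToInt32(arr[12]);
                            L.Log(LogType.FILE, LogLevel.DEBUG, "rec.CustomInt3." + rec.CustomInt3);
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt3 Cast Error." + exception.Message);
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt3 expected value: " + arr[12]);
                    }

                    try
                    {
                        // The header carries no year, so the current year is assumed.
                        // NOTE(review): Convert.ToDateTime uses the current culture; on failure
                        // rec.Datetime stays unset and is passed on as-is below.
                        string myDateTimeString = arr[4] + arr[3] + "," + DateTime.Now.Year + "," + arr[5];
                        DateTime dt = Convert.ToDateTime(myDateTimeString);
                        rec.Datetime = dt.ToString(dateFormat);
                        L.Log(LogType.FILE, LogLevel.DEBUG, "Datetime: " + rec.Datetime);
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "Datetime Error " + exception.Message);
                    }
                }
                catch (Exception e)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "ERROR------------");
                    L.Log(LogType.FILE, LogLevel.ERROR, e.Message);
                    L.Log(LogType.FILE, LogLevel.ERROR, e.StackTrace);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");

                CustomServiceBase serviceBase = GetInstanceService("Security Manager Remote Recorder");
                serviceBase.SetData(Dal, virtualhost, rec);
                serviceBase.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);

                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
            }
            catch (Exception er)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
                L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
            }
        }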
예제 #27
        /// <summary>
        /// Parses the syslog message with <c>ParseSpecific</c> and forwards the resulting record
        /// to the Sender service (registry mode) or to the Remote Recorder service.
        /// </summary>
        /// <remarks>
        /// <c>ParseSpecific</c> is called before the try block, so an exception it throws is not
        /// caught here and reaches the caller. Both "Start" messages are logged after parsing
        /// has already finished.
        /// </remarks>
        /// <param name="args">Syslog event; <c>Message</c> holds the raw line.</param>
        void slog_SyslogEvent(LogMgrEventArgs args)
        {
            CustomBase.Rec parsed = ParseSpecific(args.Message, false, args);
            L.Log(LogType.FILE, LogLevel.INFORM, "Start preparing record");
            L.Log(LogType.FILE, LogLevel.INFORM, "Start sending Data");
            try
            {
                if (!usingRegistry)
                {
                    // Remote path: a failure is logged here and does not reach the outer handler.
                    try
                    {
                        CustomServiceBase remoteRecorder = base.GetInstanceService("Security Manager Remote Recorder");
                        remoteRecorder.SetData(Dal, virtualhost, parsed);
                        remoteRecorder.SetReg(Id, parsed.Datetime, parsed.Description, "", "", parsed.Datetime);
                    }
                    catch (Exception sendFailure)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "Data sending error." + sendFailure.Message);
                    }
                }
                else
                {
                    CustomServiceBase sender = base.GetInstanceService("Security Manager Sender");
                    sender.SetData(parsed);
                }
                L.Log(LogType.FILE, LogLevel.INFORM, "Finish Sending Data");
            }
            catch (Exception failure)
            {
                // Registry-path failures end up here; the raw event is logged with the error.
                L.Log(LogType.FILE, LogLevel.ERROR, failure.ToString());
                L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
            }
        }
        /// <summary>
        /// Turns one Checkpoint DHCP syslog line into a record and sends it through the service
        /// selected by <c>usingRegistry</c>.
        /// </summary>
        /// <remarks>
        /// Fields are read by fixed position without length checks; any failure lands in the
        /// catch block, which sends the partially filled record with the raw message as its
        /// description. If the failure happened after the first send, the record is sent a second
        /// time from the catch block. The service is disposed in every case.
        /// </remarks>
        /// <param name="args">Syslog event; <c>Message</c> holds the raw line.</param>
        void checkpoint_DHCP(LogMgrEventArgs args)
        {
            CustomBase.Rec record = new CustomBase.Rec();
            CustomServiceBase service;
            if (usingRegistry)
            {
                L.Log(LogType.FILE, LogLevel.INFORM, "Security Manager Sender");
                service = base.GetInstanceService("Security Manager Sender");
            }
            else
            {
                L.Log(LogType.FILE, LogLevel.INFORM, "Security Manager Remote Recorder");
                service = base.GetInstanceService("Security Manager Remote Recorder");
            }

            try
            {
                // NUL bytes become spaces, then trailing spaces are dropped.
                String line = args.Message.Replace('\0', ' ').TrimEnd(' ');

                record.LogName = "Checkpoint DHCP Recorder";

                String[] tokens = SpaceSplit(args.Message.Replace('\0', ' '), true);
                String[] angleParts = line.Split('>');
                // Result is not used afterwards; kept so a missing third token still fails here.
                String[] categoryParts = tokens[2].Split('.');

                // Date text is assembled from four tokens; ay(...) converts the month token.
                string dateText = tokens[3] + "/" + ay(tokens[4]).ToString() + "/" + tokens[5] + " " + tokens[6];
                L.Log(LogType.FILE, LogLevel.DEBUG, "set datetime");
                record.Datetime = Convert.ToDateTime(dateText).AddMinutes(zone).ToString("yyyy/MM/dd HH:mm:ss");

                switch (tokens[8])
                {
                    // An IP conflict was detected
                    case "<10020>":
                        {
                            L.Log(LogType.FILE, LogLevel.DEBUG, "set event category");
                            record.EventCategory = tokens[7];
                            String[] colonParts = angleParts[1].Split(':');
                            L.Log(LogType.FILE, LogLevel.DEBUG, "set username");
                            record.UserName = tokens[16];           // IP address
                            L.Log(LogType.FILE, LogLevel.DEBUG, "set description");
                            // e.g. "The IP 10.33.0.1 is in use by a device with MAC address 00:09:f3:07:26:ab"
                            record.Description = angleParts[1];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "set eventtype");
                            record.EventType = tokens[10] + " " + tokens[11];   // "IP conflict"
                            L.Log(LogType.FILE, LogLevel.DEBUG, "set event customstr1");
                            record.CustomStr1 = colonParts[0];      // "An IP conflict was detected"
                            break;
                        }

                    // Address spotted
                    case "<10016>":
                        {
                            L.Log(LogType.FILE, LogLevel.DEBUG, "set event category");
                            record.EventCategory = tokens[7];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "set username");
                            record.UserName = tokens[tokens.Length - 1];    // IP address (last token)
                            L.Log(LogType.FILE, LogLevel.DEBUG, "set description");
                            // e.g. "Spotted 00:16:17:4d:37:9d (TMO) using IP address 10.25.0.109"
                            record.Description = angleParts[1];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "set event type");
                            record.EventType = "ADDRESS DETECTION";         // fixed value
                            L.Log(LogType.FILE, LogLevel.DEBUG, "set customstr1");
                            record.CustomStr1 = tokens[9];
                            break;
                        }

                    // Address assigned
                    case "<10015>":
                        {
                            L.Log(LogType.FILE, LogLevel.DEBUG, "set event category");
                            record.EventCategory = tokens[7];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "set username");
                            record.UserName = tokens[10];           // IP address
                            L.Log(LogType.FILE, LogLevel.DEBUG, "set description");
                            record.Description = angleParts[1];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "set eventtype");
                            record.EventType = "DHCP";              // fixed value
                            L.Log(LogType.FILE, LogLevel.DEBUG, "set customstr1");
                            record.CustomStr1 = tokens[9];          // "assigned"
                            break;
                        }

                    // Unrecognised message id: keep the whole line.
                    default:
                        {
                            L.Log(LogType.FILE, LogLevel.DEBUG, "set descriiption ");
                            record.Description = line;
                            break;
                        }
                }

                record.SourceName = args.Source;
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");

                if (usingRegistry)
                {
                    service.SetData(record);
                }
                else
                {
                    service.SetData(Dal, virtualHost, record);
                    // NOTE(review): five arguments here, six in the catch block below; confirm
                    // that the five-argument overload is the intended one.
                    service.SetReg(identity, record.Datetime, "", "", record.Datetime);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
            }
            catch (Exception parseFailure)
            {
                // Fallback: record the raw message so the event is not lost.
                // record.Datetime is only set if the failure happened after the date was parsed.
                L.Log(LogType.FILE, LogLevel.ERROR, "Wrong data: " + args.Message.Replace('\0', ' '));
                record.SourceName = args.Source;
                record.LogName = "CheckpointDHCPRecorder";
                record.Description = args.Message.Replace('\0', ' ');
                L.Log(LogType.FILE, LogLevel.DEBUG, "(err) Finish preparing record");
                L.Log(LogType.FILE, LogLevel.DEBUG, "(err) Start sending Data");

                if (usingRegistry)
                {
                    service.SetData(record);
                }
                else
                {
                    service.SetData(Dal, virtualHost, record);
                    service.SetReg(identity, record.Datetime, "", "", "", record.Datetime);
                }

                L.Log(LogType.FILE, LogLevel.DEBUG, "(err)Finish Sending Data");
                L.LogTimed(LogType.FILE, LogLevel.ERROR, "Error at parsing" + parseFailure.ToString());
            }
            finally
            {
                service.Dispose();
            }
        }
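        /// <summary>
        /// Parses one Cisco ACS syslog message into this object's fields: the header
        /// (source, log type, timestamp, message id) followed by comma-separated
        /// <c>name=value</c> attributes.
        /// </summary>
        /// <remarks>
        /// The message is network-supplied. Header tokens are read by fixed position without
        /// length checks, so a header with fewer tokens than expected throws to the caller.
        /// An attribute without '=' is logged and skipped instead of aborting the whole message.
        /// </remarks>
        /// <param name="args">Syslog event; <c>Message</c> holds the raw text.</param>
        /// <param name="zone">Offset in minutes added to the parsed timestamp.</param>
        public void parsingProcess(LogMgrEventArgs args, int zone)
        {
            // Known attribute names; the position in this array is what assignpropertyvalue receives.
            // "Message-Type" appears twice; Array.IndexOf always returns the first position.
            string[] logproperties = {"User-Name", "NAS-IP-Address", "NAS-Port", "Group-Name", "Framed-IP-Address", "Calling-Station-Id", "Acct-Status-Type",
                                       "Acct-Session-Id", "NAS-Portname", "Caller-Id", "Acct-Flags", "service", "task_id", "AAA Server",
                                       "Message-Type", "Filter Information", "Access Device", "Message-Type", "Authen-Failure-Code",
                                       "status-class", "text-message", "system-memory-usage", "system-free-disk-space", "System-CPU-usage",
                                       "action-type","cmd","priv-lvl","Caller-ID"};

            this.log_Name = "Cisco ACS Recorder";
            InitializeLogger.L.Log(LogType.FILE, LogLevel.DEBUG, "Message" + args.Message);
            this.event_Type = args.EventLogEntType.ToString();
            this.description = args.Message.Replace('\0', ' ');
            string[] syslogMessageArr = args.Message.Split(',');

            // Header = everything before the first comma, split on spaces with empty
            // entries dropped so that repeated spaces do not shift the positions.
            string[] syslogmessageArrIndex0 =
                syslogMessageArr[0].Split(new char[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);

            try
            {
                String[] sourceArr = syslogmessageArrIndex0[0].Split(':');
                this.sourceName = sourceArr[0]; // Source Name
                this.sourceportNumber = Convert.ToInt32(sourceArr[1]); // Source Port
            }
            catch (Exception e)
            {
                InitializeLogger.L.Log(LogType.FILE, LogLevel.ERROR, "Couldnt find source port number :" + e.Message);
            }

            this.logType = syslogmessageArrIndex0[7];

            // The header carries no year, so the current year is assumed.
            // NOTE(review): messages written just before a year change and processed after it
            // get the wrong year; Convert.ToDateTime also depends on the current culture.
            string[] date =
            {
                Convert.ToString(DateTime.Now.Year),
                syslogmessageArrIndex0[3],
                syslogmessageArrIndex0[4],
                syslogmessageArrIndex0[5]
            };
            string logDate = string.Join(" ", date);

            DateTime _logDate = Convert.ToDateTime(logDate.TrimEnd());
            this.dateTime = _logDate.AddMinutes(zone).ToString("yyyy/MM/dd HH:mm:ss"); // Date Time

            this.message_Id = syslogmessageArrIndex0[8];
            int index;
            string property = "";

            // First attribute sits in the header: either "name=value" in token 11, or the
            // two-word name "AAA Server" split across tokens 11 and 12.
            try
            {
                bool hasInlineValue = true;
                if (syslogmessageArrIndex0[11].Contains("="))
                {
                    property = syslogmessageArrIndex0[11].Split('=')[0];
                }
                else
                {
                    if (syslogmessageArrIndex0[11] == "AAA")
                    {
                        property = "AAA Server";
                    }
                    hasInlineValue = false;
                }

                // NOTE(review): index is -1 when the name is unknown and is passed on unchecked.
                index = Array.IndexOf(logproperties, property);

                if (hasInlineValue)
                {
                    assignpropertyvalue(index, syslogmessageArrIndex0[11].Split('=')[1]);
                }
                else
                {
                    assignpropertyvalue(index, syslogmessageArrIndex0[12].Split('=')[1]);
                }
            }
            catch (Exception e)
            {
                InitializeLogger.L.Log(LogType.FILE, LogLevel.ERROR, "error on parsing the AAA Server :" + e.Message);
            }

            // Remaining attributes. The loop stops before the last comma-separated element,
            // as in the original; presumably the tail is not an attribute (confirm).
            for (int i = 1; i < syslogMessageArr.Length - 1; i++)
            {
                // Only the text between the first and second '=' is used as the value.
                string[] pair = syslogMessageArr[i].Split('=');
                if (pair.Length < 2)
                {
                    // No '=' in this element: indexing pair[1] would throw and abort the
                    // whole message, so log the position and move on to the next attribute.
                    InitializeLogger.L.Log(LogType.FILE, LogLevel.ERROR, "Skipping attribute without '=' at position " + i);
                    continue;
                }

                index = Array.IndexOf(logproperties, pair[0]);
                if (index != -1)
                {
                    assignpropertyvalue(index, pair[1]);
                }
                else
                {
                    assignundefinedvalue(pair[0], pair[1]);
                }
            }
        }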
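        /// <summary>
        /// Handles one Genuagate syslog event: splits <c>args.Message</c> into
        /// space-separated tokens, fills a <c>CustomBase.Rec</c> from them and hands the
        /// record to the sender service selected by <c>usingRegistry</c>.
        /// </summary>
        /// <remarks>
        /// The message text is network input and is treated as untrusted: malformed,
        /// truncated or duplicated fields must not make the event disappear, and the text
        /// is neutralised before it is copied into the recorder's own log file.
        /// Any exception is caught and logged; nothing is rethrown to the caller.
        /// </remarks>
        /// <param name="args">Event arguments; only <c>args.Message</c> is read here.</param>
        void Genuagate_SyslogEvent(LogMgrEventArgs args)
        {
            CustomBase.Rec rec = new CustomBase.Rec();

            // CR/LF are replaced before the text is written to the file log so that a
            // single syslog message cannot show up there as several log lines.
            String logMessage = (args.Message ?? "").Replace('\r', ' ').Replace('\n', ' ');

            try
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
                rec.LogName = "GenuagateSyslog Recorder";
                L.Log(LogType.FILE, LogLevel.DEBUG, "args.message->" + logMessage);
                String[] arr = SpaceSplit(args.Message, true);

                // Tokens 0, 3, 4, 5 and 10 are read unconditionally below; report a short
                // message explicitly instead of relying on an IndexOutOfRangeException.
                if (arr == null || arr.Length < 11)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Genuagate message has too few fields, record skipped. args.message->" + logMessage);
                    return;
                }

                rec.ComputerName = arr[0];

                // NOTE(review): DateTime.Parse uses the current culture, and the year is the
                // collector's current year, so an entry written just before New Year and
                // processed after it gets the wrong year. The stored format (d/M/yyyy plus
                // the raw time token) also differs from the "yyyy/MM/dd HH:mm:ss" written by
                // slog_SyslogEvent in this file - confirm the consumer accepts both.
                DateTime dt = DateTime.Parse(arr[4] + " " + arr[3] + " " + DateTime.Now.Year + " " + arr[5]);
                rec.Datetime = dt.Day + "/" + dt.Month + "/" + dt.Year + " " + arr[5];

                rec.EventCategory = arr[10];

                switch (rec.EventCategory)
                {
                    case "request":
                    case "accept":
                    case "connect":
                    case "disconnect":
                        {
                            Dictionary<String, String> fields = new Dictionary<String, String>();
                            for (Int32 i = 11; i < arr.Length; i++)
                            {
                                // NOTE(review): a value that itself contains '=' (a URL with a
                                // query string, for example) is cut at its first '='; kept as
                                // in the original because the storage limit of the target
                                // field is not visible here.
                                String[] pair = arr[i].Split('=');

                                // The first occurrence of a key is kept. Dictionary.Add throws
                                // on a repeated key, which previously aborted the whole record
                                // whenever a message carried the same key twice.
                                if (pair.Length > 1 && !fields.ContainsKey(pair[0]))
                                {
                                    fields.Add(pair[0], pair[1]);
                                }
                            }

                            // Missing or non-numeric fields fall back to "" / -1 without
                            // raising an exception per field.
                            rec.CustomStr6 = GenuagateField(fields, "laddr");
                            rec.CustomInt1 = GenuagatePort(fields, "lport");
                            rec.CustomStr2 = GenuagateField(fields, "baddr");
                            rec.CustomInt2 = GenuagatePort(fields, "bport");
                            rec.CustomStr3 = GenuagateField(fields, "caddr");
                            rec.CustomInt3 = GenuagatePort(fields, "cport");
                            rec.CustomStr4 = GenuagateField(fields, "saddr");
                            rec.CustomInt4 = GenuagatePort(fields, "sport");
                            rec.Description = GenuagateField(fields, "url");
                            rec.CustomStr5 = GenuagateField(fields, "duration");
                            rec.CustomStr1 = GenuagateField(fields, "rnum");
                            rec.CustomStr7 = GenuagateField(fields, "status");
                            rec.CustomStr8 = GenuagateField(fields, "type");
                        } break;
                    case "ACCESS":
                        {
                            if (arr.Length > 11)
                            {
                                rec.EventCategory += " " + arr[11];
                            }

                            // Collect the free text that runs up to the first token starting
                            // with a digit. The length test keeps an empty token from making
                            // Char.IsDigit(token, 0) throw.
                            String text = "";
                            Int32 i = 12;
                            for (; i < arr.Length; i++)
                            {
                                if (arr[i].Length > 0 && Char.IsDigit(arr[i], 0))
                                {
                                    break;
                                }
                                text += arr[i] + " ";
                            }
                            rec.CustomStr10 = text.Trim();

                            // Skip ahead to the token containing "from"; the endpoint is
                            // the token right after it.
                            for (; i < arr.Length; i++)
                            {
                                if (arr[i].Contains("from"))
                                {
                                    break;
                                }
                            }
                            i++;

                            Int32 port;
                            Boolean endpointsComplete = false;

                            if (i < arr.Length)
                            {
                                String[] endpoint = arr[i].Split(':');
                                rec.CustomStr3 = endpoint[0];
                                // The port stays at its default when absent or not numeric.
                                if (endpoint.Length > 1 && Int32.TryParse(endpoint[1], out port))
                                {
                                    rec.CustomInt3 = port;
                                }

                                // The second endpoint sits two tokens further on.
                                i += 2;
                                if (i < arr.Length)
                                {
                                    endpoint = arr[i].Split(':');
                                    rec.CustomStr2 = endpoint[0];
                                    if (endpoint.Length > 1 && Int32.TryParse(endpoint[1], out port))
                                    {
                                        rec.CustomInt2 = port;
                                    }
                                    endpointsComplete = true;
                                }
                            }

                            // A truncated ACCESS message is still forwarded with the fields
                            // that could be read, so the event is not lost; the gap is logged.
                            if (!endpointsComplete)
                            {
                                L.Log(LogType.FILE, LogLevel.ERROR, "ACCESS message without complete endpoint fields. args.message->" + logMessage);
                            }
                        } break;
                }

                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");

                L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
                if (usingRegistry)
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
                    s.SetData(rec);
                }
                else
                {
                    CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
                    s.SetData(Dal, virtualhost, rec);
                    s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
            }
            catch (Exception er)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, "args.message->" + logMessage);
                L.LogTimed(LogType.FILE, LogLevel.ERROR, er.ToString());
            }
        }

        /// <summary>Returns the value stored under <paramref name="key"/>, or "" when the key is absent.</summary>
        private static String GenuagateField(Dictionary<String, String> fields, String key)
        {
            String value;
            if (fields.TryGetValue(key, out value))
            {
                return value;
            }
            return "";
        }

        /// <summary>Returns the value stored under <paramref name="key"/> as an integer, or -1 when it is absent or not a valid Int32.</summary>
        private static Int32 GenuagatePort(Dictionary<String, String> fields, String key)
        {
            String text;
            Int32 number;
            if (fields.TryGetValue(key, out text) && Int32.TryParse(text, out number))
            {
                return number;
            }
            return -1;
        }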