예제 #1
        /// <summary>
        /// Send event to syslog server
        /// </summary>
        /// <param name="message">Message to send</param>
        /// <param name="eventLogName">EventLog name</param>
        /// <param name="eventLogEntry">Event to transfer to syslog server</param>
        /// <param name="filter">Filter with Syslog facility and level</param>
        /// <returns>True if the event was sent; false if an error occurred</returns>
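        private Boolean SendEventByUDP(String message, String eventLogName, EventLogEntry eventLogEntry, Filter filter)
        {
            // Syslog PRI value = facility * 8 + severity.
            // The lookup keys are lower-cased with the invariant culture: a culture-sensitive
            // ToLower() (e.g. under tr-TR, where "I" lower-cases to a dotless i) would turn a
            // valid name such as "Informational" into a key that is not in the table.
            // NOTE(review): Facility and Level are declared outside this block; a name that is
            // missing from them is presumably not handled by any catch below - confirm that the
            // configuration loader only lets exact names through.
            Int32 pri = (int)Facility[filter.SyslogFacility.ToLowerInvariant()] * 8 + (int)Level[filter.SyslogLevel.ToLowerInvariant()];
            String body = "<" + pri + ">" + eventLogEntry.MachineName + " " + message;

            // Convert final message in bytes.
            // NOTE(review): Encoding.Default depends on the host configuration, so characters it
            // cannot represent are replaced before they reach the collector.
            byte[] rawMsg = Encoding.Default.GetBytes(body);

            try
            {
                IPAddress[] serversAddress = Dns.GetHostAddresses(this._ServerAddress);

                // Nothing resolved means nothing would be sent: report it instead of returning success.
                if (serversAddress.Length == 0)
                {
                    this._Debug.Write("Syslog Server", "No address resolved for syslog server: " + this._ServerAddress, DateTime.Now, 1);
                    return false;
                }

                for (int i = 0; i < serversAddress.Length; i++)
                {
                    String target = serversAddress[i].ToString();

                    // using releases the socket even when Send throws.
                    using (UdpClient udp = new UdpClient(target, this._ServerPort))
                    {
                        // UDP is fire-and-forget: a successful Send does not prove that the
                        // collector received the datagram, and the payload travels in clear text.
                        udp.Send(rawMsg, rawMsg.Length);
                    }

                    this._Debug.Write("Syslog Server", "Event send to: " + target + " with message: " + message, DateTime.Now, 2);
                }
            }
            catch (SocketException e)
            {
                this._Debug.Write("Syslog Server", "SocketException caught because: " + e.Message, DateTime.Now, 1);
                return false;
            }
            catch (ArgumentNullException e)
            {
                this._Debug.Write("Syslog Server", "ArgumentNullException caught because: " + e.Message, DateTime.Now, 1);
                return false;
            }
            catch (ArgumentOutOfRangeException e)
            {
                this._Debug.Write("Syslog Server", "ArgumentOutOfRangeException caught because: " + e.Message, DateTime.Now, 1);
                return false;
            }
            catch (ObjectDisposedException e)
            {
                this._Debug.Write("Syslog Server", "ObjectDisposedException caught because: " + e.Message, DateTime.Now, 1);
                return false;
            }
            catch (InvalidOperationException e)
            {
                this._Debug.Write("Syslog Server", "InvalidOperationException caught because: " + e.Message, DateTime.Now, 1);
                return false;
            }

            return true;
        }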
예제 #2
        /// <summary>
        /// Send event to syslog server using TCP protocol
        /// </summary>
        /// <param name="message">Message to send</param>
        /// <param name="eventLogName">EventLog name</param>
        /// <param name="eventLogEntry">Event to transfer to syslog server</param>
        /// <param name="filter">Filter with Syslog facility and level</param>
        /// <returns>True unless an error was logged; a message that could not be delivered may have been buffered instead</returns>
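        private Boolean SendEventByTCP(String message, String eventLogName, EventLogEntry eventLogEntry, Filter filter)
        {
            // Syslog PRI value = facility * 8 + severity.
            // Invariant lower-casing keeps the table lookup independent of the host culture
            // (under tr-TR a culture-sensitive ToLower() maps "I" to a dotless i).
            Int32 pri = (int)Facility[filter.SyslogFacility.ToLowerInvariant()] * 8 + (int)Level[filter.SyslogLevel.ToLowerInvariant()];

            // Timestamp in the "MMM dd HH:mm:ss" layout, with a single-digit day padded by a
            // space rather than a zero.
            string month = eventLogEntry.TimeWritten.ToString("MMM", DateTimeFormatInfo.InvariantInfo);
            string day = eventLogEntry.TimeWritten.ToString("%d", DateTimeFormatInfo.InvariantInfo).PadLeft(2);
            string date = month + " " + day + " " + eventLogEntry.TimeWritten.ToString("HH:mm:ss", DateTimeFormatInfo.InvariantInfo);

            // The record is terminated by "\n", which is also how the receiver finds its end.
            // NOTE(review): message is embedded verbatim; if PrepareSyslogEvent (not shown here)
            // leaves CR/LF in the event text, one event is read as several records by the
            // collector - confirm that line breaks are neutralised before this point.
            String body = "<" + pri + ">" + date + " " + eventLogEntry.MachineName + " " + message + "\n";

            // Convert final message in bytes.
            // NOTE(review): Encoding.Default depends on the host configuration.
            byte[] rawMsg = Encoding.Default.GetBytes(body);

            try
            {
                IPAddress[] serversAddress = Dns.GetHostAddresses(this._ServerAddress);

                for (int i = 0; i < serversAddress.Length; i++)
                {
                    String target = serversAddress[i].ToString();

                    // Try to send the message by TCP; anything that prevents delivery puts the
                    // record in the buffer instead of dropping it.
                    try
                    {
                        // using closes the connection on every path, including the
                        // "not connected" / "not writable" ones that previously leaked it.
                        // NOTE(review): the stream is plain TCP, so records are neither
                        // encrypted nor authenticated on the wire.
                        using (TcpClient tcp = new TcpClient(target, this._ServerPort))
                        {
                            if (!tcp.Connected)
                            {
                                SetMessageInBuffer(body);
                                continue;
                            }

                            using (NetworkStream flux = tcp.GetStream())
                            {
                                if (!flux.CanWrite)
                                {
                                    SetMessageInBuffer(body);
                                    continue;
                                }

                                flux.Write(rawMsg, 0, rawMsg.Length);
                            }
                        }

                        this._Debug.Write("Syslog Server", "Event send to: " + target + " with message: " + message, DateTime.Now, 2);
                    }
                    catch (SocketException)
                    {
                        SetMessageInBuffer(body);
                    }
                    catch (ArgumentNullException e)
                    {
                        this._Debug.Write("Syslog Server", "ArgumentNullException caught because: " + e.Message, DateTime.Now, 1);
                        return false;
                    }
                    catch (ArgumentOutOfRangeException e)
                    {
                        this._Debug.Write("Syslog Server", "ArgumentOutOfRangeException caught because: " + e.Message, DateTime.Now, 1);
                        return false;
                    }
                    catch (ObjectDisposedException e)
                    {
                        this._Debug.Write("Syslog Server", "ObjectDisposedException caught because: " + e.Message, DateTime.Now, 1);
                        return false;
                    }
                    catch (System.IO.IOException)
                    {
                        SetMessageInBuffer(body);
                    }
                }
            }
            catch (SocketException e)
            {
                // Reached when name resolution itself fails.
                this._Debug.Write("Syslog Server", "SocketException caught because: " + e.Message, DateTime.Now, 1);
                return false;
            }
            catch (ArgumentNullException e)
            {
                this._Debug.Write("Syslog Server", "ArgumentNullException caught because: " + e.Message, DateTime.Now, 1);
                return false;
            }
            catch (ArgumentOutOfRangeException e)
            {
                this._Debug.Write("Syslog Server", "ArgumentOutOfRangeException caught because: " + e.Message, DateTime.Now, 1);
                return false;
            }
            catch (ObjectDisposedException e)
            {
                this._Debug.Write("Syslog Server", "ObjectDisposedException caught because: " + e.Message, DateTime.Now, 1);
                return false;
            }
            catch (InvalidOperationException e)
            {
                this._Debug.Write("Syslog Server", "InvalidOperationException caught because: " + e.Message, DateTime.Now, 1);
                return false;
            }

            return true;
        }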
예제 #3
        /// <summary>
        /// Load filters to find in event log
        /// </summary>
        /// <param name="node">specific XML including filter parameters</param>
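        static void LoadFilters(XmlNode node)
        {
            // Both patterns are anchored (\A ... \z) so that only an exact level / facility name
            // is accepted. Unanchored, IsMatch() also accepts any text that merely contains one
            // of the names, and such a value would be stored in the filter as if it were valid.
            // CultureInvariant keeps the case-insensitive match independent of the host culture.
            String patternSyslogLevel = "Emergency|Alert|Critical|Error|Warning|Notice|Informational|Debug";
            Regex rSyslogLevel = new Regex(@"\A(?:" + patternSyslogLevel + @")\z", RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

            String patternSyslogFacility = "Kern|User|Mail|Daemon|Auth|Syslog|LPR|News|UUCP|Cron|AuthPriv|FTP|NTP|Audit|Audit2|CRON2|Local0|Local1|Local2|Local3|Local4|Local5|Local6|Local7";
            Regex rSyslogFacility = new Regex(@"\A(?:" + patternSyslogFacility + @")\z", RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

            foreach (XmlNode childnode in node.ChildNodes)
            {
                // One include filter and one exclude filter are built per child node.
                String[] eventLogName = null;
                Filter iFilter = new Filter();
                Filter eFilter = new Filter();

                foreach (XmlNode cnode in childnode.ChildNodes)
                {
                    if (NodeNameIs(cnode, "event"))
                    {
                        foreach (XmlNode paramNode in cnode.ChildNodes)
                        {
                            String[] included;
                            String[] excluded;

                            if (NodeNameIs(paramNode, "eventlogname"))
                            {
                                // Every child except XML comments names an event log.
                                ArrayList names = new ArrayList();
                                foreach (XmlNode element in paramNode.ChildNodes)
                                {
                                    if (element.Name.IndexOf("#comment") < 0)
                                    {
                                        names.Add(element.InnerText);
                                    }
                                }
                                eventLogName = (String[])names.ToArray(typeof(String));
                            }
                            else if (NodeNameIs(paramNode, "sources"))
                            {
                                ReadIncludeExclude(paramNode, out included, out excluded);
                                if (included != null) { iFilter.EventLogSources = included; }
                                if (excluded != null) { eFilter.EventLogSources = excluded; }
                            }
                            else if (NodeNameIs(paramNode, "id"))
                            {
                                ReadIncludeExclude(paramNode, out included, out excluded);
                                if (included != null) { iFilter.EventLogID = included; }
                                if (excluded != null) { eFilter.EventLogID = excluded; }
                            }
                            else if (NodeNameIs(paramNode, "users"))
                            {
                                ReadIncludeExclude(paramNode, out included, out excluded);
                                if (included != null) { iFilter.User = included; }
                                if (excluded != null) { eFilter.User = excluded; }
                            }
                            else if (NodeNameIs(paramNode, "computers"))
                            {
                                ReadIncludeExclude(paramNode, out included, out excluded);
                                if (included != null) { iFilter.Computer = included; }
                                if (excluded != null) { eFilter.Computer = excluded; }
                            }
                            else if (NodeNameIs(paramNode, "type"))
                            {
                                ReadIncludeExclude(paramNode, out included, out excluded);
                                if (included != null) { iFilter.EventLogType = included; }
                                if (excluded != null) { eFilter.EventLogType = excluded; }
                            }
                            else if (NodeNameIs(paramNode, "descriptions"))
                            {
                                ReadIncludeExclude(paramNode, out included, out excluded);
                                if (included != null) { iFilter.EventLogDescriptions = included; }
                                if (excluded != null) { eFilter.EventLogDescriptions = excluded; }
                            }
                        }
                    }
                    else if (NodeNameIs(cnode, "syslog"))
                    {
                        foreach (XmlNode paramNode in cnode.ChildNodes)
                        {
                            if (NodeNameIs(paramNode, "level"))
                            {
                                // Surrounding whitespace from the XML is dropped before validation
                                // so that the stored value is exactly one of the known names.
                                String level = paramNode.InnerText.Trim();
                                if (rSyslogLevel.IsMatch(level))
                                {
                                    iFilter.SyslogLevel = level;
                                    eFilter.SyslogLevel = level;
                                }
                                else
                                {
                                    deb.Write("Load filters configuration", "301 - Uncorrect syslog level : \"" + paramNode.InnerText + "\"", DateTime.Now, 1);
                                }
                            }
                            else if (NodeNameIs(paramNode, "facility"))
                            {
                                String facility = paramNode.InnerText.Trim();
                                if (rSyslogFacility.IsMatch(facility))
                                {
                                    iFilter.SyslogFacility = facility;
                                    eFilter.SyslogFacility = facility;
                                }
                                else
                                {
                                    deb.Write("Load filters configuration", "301 - Uncorrect syslog facility : \"" + paramNode.InnerText + "\"", DateTime.Now, 1);
                                }
                            }
                        }
                    }
                }

                if (eventLogName != null)
                {
                    // Register the two filters under every event log named by this child node.
                    foreach (String element in eventLogName)
                    {
                        if (!iFilter.IsEmpty())
                        {
                            ArrayList itemp = (ArrayList)iFilters[element];
                            if (itemp == null)
                            {
                                itemp = new ArrayList();
                            }
                            itemp.Add(iFilter);
                            deb.Write("Load filters configuration", "Add to filter list for event log " + element + " evement " + iFilter.ToString(), DateTime.Now, 2);
                            iFilters[element] = itemp;
                        }

                        if (!eFilter.IsEmpty())
                        {
                            ArrayList etemp = (ArrayList)eFilters[element];
                            if (etemp == null)
                            {
                                etemp = new ArrayList();
                            }
                            etemp.Add(eFilter);
                            // Log the exclude filter itself; this line used to print the include filter.
                            deb.Write("Load filters configuration", "Add to exclude filter list for event log " + element + " evement " + eFilter.ToString(), DateTime.Now, 2);
                            eFilters[element] = etemp;
                        }
                    }
                }
            }
        }

        // True when the node name equals the expected lower-case name, ignoring case. The ordinal
        // comparison does not depend on the host culture: with a culture-sensitive ToLower() a
        // tag written "ID" does not lower-case to "id" under tr-TR and its section is skipped.
        private static Boolean NodeNameIs(XmlNode candidate, String expected)
        {
            return String.Equals(candidate.Name, expected, StringComparison.OrdinalIgnoreCase);
        }

        // Collects the text of the include / exclude children of a filter parameter node.
        // Each out array is null when the node has no child of that kind.
        private static void ReadIncludeExclude(XmlNode paramNode, out String[] included, out String[] excluded)
        {
            ArrayList includeItems = new ArrayList();
            ArrayList excludeItems = new ArrayList();

            foreach (XmlNode element in paramNode.ChildNodes)
            {
                if (element.Name.IndexOf("include") >= 0)
                {
                    includeItems.Add(element.InnerText);
                }
                else if (element.Name.IndexOf("exclude") >= 0)
                {
                    excludeItems.Add(element.InnerText);
                }
            }

            included = includeItems.Count > 0 ? (String[])includeItems.ToArray(typeof(String)) : null;
            excluded = excludeItems.Count > 0 ? (String[])excludeItems.ToArray(typeof(String)) : null;
        }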
예제 #4
 /// <summary>
 /// Send event to syslog server using the configured protocol (UDP or TCP)
 /// </summary>
 /// <param name="eventLogName">EventLog name</param>
 /// <param name="eventLogEntry">Event to transfer to syslog server</param>
 /// <param name="filter">Filter with Syslog facility and level</param>
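 public void SendEvent(String eventLogName, EventLogEntry eventLogEntry, Filter filter)
 {
     // Build the syslog text once, then hand it to the sender for the configured protocol.
     String message = PrepareSyslogEvent(eventLogName, eventLogEntry);

     // switch on a string compares ordinally and tolerates a null _Protocol, whereas
     // _Protocol.CompareTo(...) is culture-sensitive and throws when the field is null.
     switch (_Protocol)
     {
         case "udp":
             SendEventByUDP(message, eventLogName, eventLogEntry, filter);
             break;

         case "tcp":
             SendEventByTCP(message, eventLogName, eventLogEntry, filter);
             break;

         default:
             // NOTE(review): any other value (including "UDP" / "TCP" in upper case) forwards
             // nothing and reports nothing, so a configuration typo stops log forwarding
             // without a trace. The Boolean results of the senders are ignored here as well.
             break;
     }
 }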
예제 #5
        /// <summary>
        /// Control if event corresponds to a filter
        /// </summary>
        /// <param name="actualEventLog">Event from eventLog</param>
        /// <param name="filters">List of filters</param>
        /// <returns>True if a correspondence is found</returns>
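        private Boolean TestEvent(EventLogEntry actualEventLog, ArrayList filters)
        {
            // iFilter receives the filter that matched, or stays null when none does.
            iFilter = null;

            foreach (Filter filter in filters)
            {
                // Every criterion is evaluated afresh for each filter. Keeping the per-criterion
                // results in variables declared outside the loop let a criterion satisfied by an
                // earlier filter count for a later one, so an event could match a filter whose
                // own criteria it does not meet.
                // A null criterion means "not restricted"; the event property is only read when
                // the criterion is set.
                if (filter.Computer != null && !EqualsAny(filter.Computer, actualEventLog.MachineName, StringComparison.Ordinal))
                {
                    continue;
                }

                if (filter.EventLogID != null && !EqualsAny(filter.EventLogID, actualEventLog.EventID.ToString(), StringComparison.Ordinal))
                {
                    continue;
                }

                if (filter.EventLogSources != null && !EqualsAny(filter.EventLogSources, actualEventLog.Source, StringComparison.Ordinal))
                {
                    continue;
                }

                // Entry type is compared without regard to case, and without regard to culture:
                // lower-casing both sides with the current culture does not compare
                // "Information" and "information" as equal under tr-TR.
                if (filter.EventLogType != null && !EqualsAny(filter.EventLogType, actualEventLog.EntryType.ToString(), StringComparison.OrdinalIgnoreCase))
                {
                    continue;
                }

                if (filter.User != null && !EqualsAny(filter.User, actualEventLog.UserName, StringComparison.Ordinal))
                {
                    continue;
                }

                if (filter.EventLogDescriptions != null && !ContainsAny(filter.EventLogDescriptions, actualEventLog.Message))
                {
                    continue;
                }

                iFilter = filter;
                return true;
            }

            return false;
        }

        // True when one of the patterns is "*" or equals the value under the given comparison.
        // An empty pattern list matches nothing.
        private static Boolean EqualsAny(String[] patterns, String value, StringComparison comparison)
        {
            foreach (String pattern in patterns)
            {
                if (String.Equals(pattern, "*", StringComparison.Ordinal) || String.Equals(pattern, value, comparison))
                {
                    return true;
                }
            }

            return false;
        }

        // True when one of the patterns is "*" or occurs inside the text. The search runs in the
        // direction "event text contains pattern"; searching for the whole event text inside the
        // pattern only matches when the pattern is at least as long as the message. Empty
        // patterns are skipped, otherwise they would be found in every text.
        private static Boolean ContainsAny(String[] patterns, String text)
        {
            foreach (String pattern in patterns)
            {
                if (String.Equals(pattern, "*", StringComparison.Ordinal))
                {
                    return true;
                }

                if (text != null && !String.IsNullOrEmpty(pattern) && text.IndexOf(pattern, StringComparison.Ordinal) >= 0)
                {
                    return true;
                }
            }

            return false;
        }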