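/// <summary>
/// Send one event to the syslog server over UDP (one datagram per resolved server address).
/// </summary>
/// <param name="message">Message to send (already formatted by PrepareSyslogEvent).</param>
/// <param name="eventLogName">EventLog name; not used here, kept so the signature matches SendEventByTCP.</param>
/// <param name="eventLogEntry">Event to transfer; only MachineName is used for the syslog header.</param>
/// <param name="filter">Filter providing the syslog facility and level.</param>
/// <returns>True when the datagram was sent to every resolved address; false when an error was caught and logged.</returns>
private Boolean SendEventByUDP(String message, String eventLogName, EventLogEntry eventLogEntry, Filter filter)
{
    // PRI = facility * 8 + severity (RFC 3164 / RFC 5424 priority encoding).
    Int32 pri = (int)Facility[filter.SyslogFacility.ToLower()] * 8 + (int)Level[filter.SyslogLevel.ToLower()];
    String body = "<" + pri + ">" + eventLogEntry.MachineName + " " + message;

    // NOTE(review): Encoding.Default is the local ANSI code page, so non-ASCII text is encoded in a
    // code page the receiver cannot know; left unchanged to stay compatible with existing receivers.
    byte[] rawMsg = Encoding.Default.GetBytes(body);

    try
    {
        IPAddress[] serverAddresses = Dns.GetHostAddresses(this._ServerAddress);
        foreach (IPAddress address in serverAddresses)
        {
            String target = address.ToString();
            // 'using' closes the socket even when Send throws; it used to leak on that path.
            using (UdpClient udp = new UdpClient(target, this._ServerPort))
            {
                udp.Send(rawMsg, rawMsg.Length);
                this._Debug.Write("Syslog Server", "Event send to: " + target + " with message: " + message, DateTime.Now, 2);
            }
        }
    }
    catch (SocketException e)
    {
        this._Debug.Write("Syslog Server", "SocketException caught because: " + e.Message, DateTime.Now, 1);
        return false;
    }
    catch (ArgumentNullException e)
    {
        this._Debug.Write("Syslog Server", "ArgumentNullException caught because: " + e.Message, DateTime.Now, 1);
        return false;
    }
    catch (ArgumentOutOfRangeException e)
    {
        this._Debug.Write("Syslog Server", "ArgumentOutOfRangeException caught because: " + e.Message, DateTime.Now, 1);
        return false;
    }
    catch (ObjectDisposedException e)
    {
        this._Debug.Write("Syslog Server", "ObjectDisposedException caught because: " + e.Message, DateTime.Now, 1);
        return false;
    }
    catch (InvalidOperationException e)
    {
        this._Debug.Write("Syslog Server", "InvalidOperationException caught because: " + e.Message, DateTime.Now, 1);
        return false;
    }
    return true;
}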
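/// <summary>
/// Send one event to the syslog server over TCP, one LF-terminated record per connection
/// (RFC 6587 non-transparent framing). When a connection cannot be opened or written to, the
/// record is handed to SetMessageInBuffer so it can be retried later.
/// </summary>
/// <param name="message">Message to send (already formatted by PrepareSyslogEvent).</param>
/// <param name="eventLogName">EventLog name; not used here, kept so the signature matches SendEventByUDP.</param>
/// <param name="eventLogEntry">Event to transfer; MachineName and TimeWritten are used for the syslog header.</param>
/// <param name="filter">Filter providing the syslog facility and level.</param>
/// <returns>True when every resolved address was written to or buffered; false when an error was caught and logged.</returns>
private Boolean SendEventByTCP(String message, String eventLogName, EventLogEntry eventLogEntry, Filter filter)
{
    // PRI = facility * 8 + severity (RFC 3164 / RFC 5424 priority encoding).
    Int32 pri = (int)Facility[filter.SyslogFacility.ToLower()] * 8 + (int)Level[filter.SyslogLevel.ToLower()];

    // RFC 3164 timestamp "Mmm dd HH:mm:ss": the day is space-padded ("Jan  5"), not zero-padded.
    DateTime written = eventLogEntry.TimeWritten;
    String date = written.ToString("MMM", DateTimeFormatInfo.InvariantInfo)
        + " " + written.Day.ToString(CultureInfo.InvariantCulture).PadLeft(2, ' ')
        + " " + written.ToString("HH:mm:ss", DateTimeFormatInfo.InvariantInfo);

    // The receiver splits the stream on LF, so a CR/LF inside the event text would be parsed as
    // extra, unrelated syslog records. Flatten line breaks before framing the record.
    String flatMessage = (message == null) ? "" : message.Replace("\r\n", " ").Replace('\r', ' ').Replace('\n', ' ');
    String body = "<" + pri + ">" + date + " " + eventLogEntry.MachineName + " " + flatMessage + "\n";

    // NOTE(review): Encoding.Default is the local ANSI code page; left unchanged for compatibility.
    byte[] rawMsg = Encoding.Default.GetBytes(body);

    try
    {
        IPAddress[] serverAddresses = Dns.GetHostAddresses(this._ServerAddress);
        foreach (IPAddress address in serverAddresses)
        {
            String target = address.ToString();
            TcpClient tcp = null;
            try
            {
                tcp = new TcpClient(target, this._ServerPort);
                if (!tcp.Connected)
                {
                    SetMessageInBuffer(body);
                    continue;
                }
                NetworkStream flux = tcp.GetStream();
                if (!flux.CanWrite)
                {
                    SetMessageInBuffer(body);
                    continue;
                }
                flux.Write(rawMsg, 0, rawMsg.Length);
                this._Debug.Write("Syslog Server", "Event send to: " + target + " with message: " + message, DateTime.Now, 2);
            }
            catch (SocketException e)
            {
                // Connection-level failure: keep the record for retry and say why.
                this._Debug.Write("Syslog Server", "SocketException caught because: " + e.Message + " - event buffered", DateTime.Now, 1);
                SetMessageInBuffer(body);
            }
            catch (ArgumentNullException e)
            {
                this._Debug.Write("Syslog Server", "ArgumentNullException caught because: " + e.Message, DateTime.Now, 1);
                return false;
            }
            catch (ArgumentOutOfRangeException e)
            {
                this._Debug.Write("Syslog Server", "ArgumentOutOfRangeException caught because: " + e.Message, DateTime.Now, 1);
                return false;
            }
            catch (ObjectDisposedException e)
            {
                this._Debug.Write("Syslog Server", "ObjectDisposedException caught because: " + e.Message, DateTime.Now, 1);
                return false;
            }
            catch (System.IO.IOException e)
            {
                // Write failed mid-stream: keep the record for retry and say why.
                this._Debug.Write("Syslog Server", "IOException caught because: " + e.Message + " - event buffered", DateTime.Now, 1);
                SetMessageInBuffer(body);
            }
            finally
            {
                // Close the connection on every path (the stream is disposed with the client);
                // it used to stay open when Connected/CanWrite was false or an exception was thrown.
                if (tcp != null)
                {
                    tcp.Close();
                }
            }
        }
    }
    catch (SocketException e)
    {
        this._Debug.Write("Syslog Server", "SocketException caught because: " + e.Message, DateTime.Now, 1);
        return false;
    }
    catch (ArgumentNullException e)
    {
        this._Debug.Write("Syslog Server", "ArgumentNullException caught because: " + e.Message, DateTime.Now, 1);
        return false;
    }
    catch (ArgumentOutOfRangeException e)
    {
        this._Debug.Write("Syslog Server", "ArgumentOutOfRangeException caught because: " + e.Message, DateTime.Now, 1);
        return false;
    }
    catch (ObjectDisposedException e)
    {
        this._Debug.Write("Syslog Server", "ObjectDisposedException caught because: " + e.Message, DateTime.Now, 1);
        return false;
    }
    catch (InvalidOperationException e)
    {
        this._Debug.Write("Syslog Server", "InvalidOperationException caught because: " + e.Message, DateTime.Now, 1);
        return false;
    }
    return true;
}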
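/// <summary>
/// Load the include/exclude filters described by the configuration XML into the
/// iFilters and eFilters tables, keyed by event log name.
/// </summary>
/// <param name="node">XML node whose children each describe one filter: an "event" block
/// (eventlogname, sources, id, users, computers, type, descriptions) and a "syslog" block
/// (level, facility).</param>
static void LoadFilters(XmlNode node)
{
    // Anchored so that only a whole, valid keyword passes: the unanchored patterns accepted
    // values such as "Errors" or "Local10", which later fail the Level/Facility lookup at send time.
    Regex rSyslogLevel = new Regex("^(?:Emergency|Alert|Critical|Error|Warning|Notice|Informational|Debug)$", RegexOptions.IgnoreCase);
    Regex rSyslogFacility = new Regex("^(?:Kern|User|Mail|Daemon|Auth|Syslog|LPR|News|UUCP|Cron|AuthPriv|FTP|NTP|Audit|Audit2|CRON2|Local0|Local1|Local2|Local3|Local4|Local5|Local6|Local7)$", RegexOptions.IgnoreCase);

    foreach (XmlNode childnode in node.ChildNodes)
    {
        String[] eventLogName = null;
        Filter iFilter = new Filter(); // include filter
        Filter eFilter = new Filter(); // exclude filter; shares the syslog level/facility

        foreach (XmlNode cnode in childnode.ChildNodes)
        {
            String section = cnode.Name.ToLowerInvariant();
            if (section == "event")
            {
                foreach (XmlNode paramNode in cnode.ChildNodes)
                {
                    String[] include;
                    String[] exclude;
                    switch (paramNode.Name.ToLowerInvariant())
                    {
                        case "eventlogname":
                            eventLogName = ReadEventLogNames(paramNode);
                            break;
                        case "sources":
                            ReadIncludeExclude(paramNode, out include, out exclude);
                            if (include != null) { iFilter.EventLogSources = include; }
                            if (exclude != null) { eFilter.EventLogSources = exclude; }
                            break;
                        case "id":
                            ReadIncludeExclude(paramNode, out include, out exclude);
                            if (include != null) { iFilter.EventLogID = include; }
                            if (exclude != null) { eFilter.EventLogID = exclude; }
                            break;
                        case "users":
                            ReadIncludeExclude(paramNode, out include, out exclude);
                            if (include != null) { iFilter.User = include; }
                            if (exclude != null) { eFilter.User = exclude; }
                            break;
                        case "computers":
                            ReadIncludeExclude(paramNode, out include, out exclude);
                            if (include != null) { iFilter.Computer = include; }
                            if (exclude != null) { eFilter.Computer = exclude; }
                            break;
                        case "type":
                            ReadIncludeExclude(paramNode, out include, out exclude);
                            if (include != null) { iFilter.EventLogType = include; }
                            if (exclude != null) { eFilter.EventLogType = exclude; }
                            break;
                        case "descriptions":
                            ReadIncludeExclude(paramNode, out include, out exclude);
                            if (include != null) { iFilter.EventLogDescriptions = include; }
                            if (exclude != null) { eFilter.EventLogDescriptions = exclude; }
                            break;
                    }
                }
            }
            else if (section == "syslog")
            {
                foreach (XmlNode paramNode in cnode.ChildNodes)
                {
                    String name = paramNode.Name.ToLowerInvariant();
                    // Trimmed so surrounding whitespace in the XML cannot break the later lookup.
                    String value = paramNode.InnerText.Trim();
                    if (name == "level")
                    {
                        if (rSyslogLevel.IsMatch(value))
                        {
                            iFilter.SyslogLevel = value;
                            eFilter.SyslogLevel = value;
                        }
                        else
                        {
                            deb.Write("Load filters configuration", "301 - Uncorrect syslog level : \"" + paramNode.InnerText + "\"", DateTime.Now, 1);
                        }
                    }
                    else if (name == "facility")
                    {
                        if (rSyslogFacility.IsMatch(value))
                        {
                            iFilter.SyslogFacility = value;
                            eFilter.SyslogFacility = value;
                        }
                        else
                        {
                            deb.Write("Load filters configuration", "301 - Uncorrect syslog facility : \"" + paramNode.InnerText + "\"", DateTime.Now, 1);
                        }
                    }
                }
            }
        }

        if (eventLogName == null)
        {
            continue;
        }

        // The same Filter instance is registered under every listed event log name.
        foreach (String element in eventLogName)
        {
            if (!iFilter.IsEmpty())
            {
                ArrayList includeList = (ArrayList)iFilters[element];
                if (includeList == null)
                {
                    includeList = new ArrayList();
                }
                includeList.Add(iFilter);
                deb.Write("Load filters configuration", "Add to filter list for event log " + element + " evement " + iFilter.ToString(), DateTime.Now, 2);
                iFilters[element] = includeList;
            }
            if (!eFilter.IsEmpty())
            {
                ArrayList excludeList = (ArrayList)eFilters[element];
                if (excludeList == null)
                {
                    excludeList = new ArrayList();
                }
                excludeList.Add(eFilter);
                // Log the exclude filter itself; this message used to print the include filter.
                deb.Write("Load filters configuration", "Add to exclude filter list for event log " + element + " evement " + eFilter.ToString(), DateTime.Now, 2);
                eFilters[element] = excludeList;
            }
        }
    }
}

/// <summary>
/// Collect the text of every non-comment child of an eventlogname node.
/// </summary>
/// <param name="paramNode">The eventlogname node.</param>
/// <returns>The event log names in document order (possibly empty, never null).</returns>
private static String[] ReadEventLogNames(XmlNode paramNode)
{
    ArrayList names = new ArrayList();
    foreach (XmlNode element in paramNode.ChildNodes)
    {
        if (element.Name.IndexOf("#comment") < 0)
        {
            names.Add(element.InnerText);
        }
    }
    return (String[])names.ToArray(typeof(String));
}

/// <summary>
/// Split the children of a criterion node into include and exclude values, by element name.
/// </summary>
/// <param name="paramNode">The criterion node (sources, id, users, computers, type, descriptions).</param>
/// <param name="include">Values of the "include" children, or null when there are none so the caller leaves the filter untouched.</param>
/// <param name="exclude">Values of the "exclude" children, or null when there are none.</param>
private static void ReadIncludeExclude(XmlNode paramNode, out String[] include, out String[] exclude)
{
    ArrayList included = new ArrayList();
    ArrayList excluded = new ArrayList();
    foreach (XmlNode element in paramNode.ChildNodes)
    {
        if (element.Name.IndexOf("include") >= 0)
        {
            included.Add(element.InnerText);
        }
        else if (element.Name.IndexOf("exclude") >= 0)
        {
            excluded.Add(element.InnerText);
        }
    }
    include = (included.Count > 0) ? (String[])included.ToArray(typeof(String)) : null;
    exclude = (excluded.Count > 0) ? (String[])excluded.ToArray(typeof(String)) : null;
}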
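/// <summary>
/// Format one event log entry as a syslog message and forward it with the configured
/// protocol (_Protocol: "udp" or "tcp", compared case-insensitively).
/// </summary>
/// <param name="eventLogName">EventLog name, passed to PrepareSyslogEvent.</param>
/// <param name="eventLogEntry">Event to transfer to the syslog server.</param>
/// <param name="filter">Filter providing the syslog facility and level.</param>
public void SendEvent(String eventLogName, EventLogEntry eventLogEntry, Filter filter)
{
    String message = PrepareSyslogEvent(eventLogName, eventLogEntry);
    // Ordinal, case-insensitive comparison: the protocol comes from configuration, and a null
    // value no longer throws from CompareTo.
    if (String.Equals(_Protocol, "udp", StringComparison.OrdinalIgnoreCase))
    {
        SendEventByUDP(message, eventLogName, eventLogEntry, filter);
    }
    else if (String.Equals(_Protocol, "tcp", StringComparison.OrdinalIgnoreCase))
    {
        SendEventByTCP(message, eventLogName, eventLogEntry, filter);
    }
    else
    {
        // An unrecognised protocol used to drop the event silently; record it so the gap is visible.
        _Debug.Write("Syslog Server", "Unknown protocol \"" + _Protocol + "\": event not sent", DateTime.Now, 1);
    }
}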
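/// <summary>
/// Check whether an event matches at least one of the given filters. Within one filter every
/// configured criterion must match (AND); within one criterion any listed value, or "*", is
/// enough (OR); a null criterion is not configured and always matches. On success the matching
/// filter is stored in the iFilter field.
/// </summary>
/// <param name="actualEventLog">Event from the event log.</param>
/// <param name="filters">List of Filter objects.</param>
/// <returns>True if a filter matches the event.</returns>
private Boolean TestEvent(EventLogEntry actualEventLog, ArrayList filters)
{
    iFilter = null;
    String eventId = actualEventLog.EventID.ToString();
    String entryType = actualEventLog.EntryType.ToString();

    foreach (Filter filter in filters)
    {
        // Each criterion is evaluated afresh for this filter. The match flags used to be declared
        // once outside the loop and never reset, so a criterion satisfied by an earlier filter
        // stayed "true" for every later filter and could report a match that never happened.
        Boolean matches =
            MatchesAny(filter.Computer, actualEventLog.MachineName, StringComparison.Ordinal)
            && MatchesDescription(filter.EventLogDescriptions, actualEventLog.Message)
            && MatchesAny(filter.EventLogID, eventId, StringComparison.Ordinal)
            && MatchesAny(filter.EventLogSources, actualEventLog.Source, StringComparison.Ordinal)
            && MatchesAny(filter.EventLogType, entryType, StringComparison.OrdinalIgnoreCase)
            && MatchesAny(filter.User, actualEventLog.UserName, StringComparison.Ordinal);

        if (matches)
        {
            iFilter = filter;
            return true;
        }
    }
    return false;
}

/// <summary>
/// True when the criterion is not configured (null), contains "*", or contains the actual value.
/// </summary>
/// <param name="accepted">Configured values of one criterion, or null.</param>
/// <param name="actual">Value taken from the event.</param>
/// <param name="comparison">How the configured values are compared with the event value.</param>
private static Boolean MatchesAny(String[] accepted, String actual, StringComparison comparison)
{
    if (accepted == null)
    {
        return true;
    }
    foreach (String candidate in accepted)
    {
        if (candidate == "*" || String.Equals(candidate, actual, comparison))
        {
            return true;
        }
    }
    return false;
}

/// <summary>
/// True when the description criterion is not configured, contains "*", or one configured
/// text contains the whole event message.
/// </summary>
/// <param name="accepted">Configured description texts, or null.</param>
/// <param name="message">Event message.</param>
private static Boolean MatchesDescription(String[] accepted, String message)
{
    if (accepted == null)
    {
        return true;
    }
    foreach (String candidate in accepted)
    {
        // NOTE(review): kept as originally written — the configured text must contain the event
        // message, not the other way round. If the intent is "message contains the configured
        // text", the operands should be swapped; confirm against the configuration format.
        if (candidate == "*" || (message != null && candidate.IndexOf(message, StringComparison.Ordinal) >= 0))
        {
            return true;
        }
    }
    return false;
}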