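 /// <summary>
 /// Invalid message has been received - appends a flagged ('*' prefixed) line for it to the message log file.
 /// </summary>
 /// <param name="sender">The listener raising the event; when it is a <c>SyslogListenerThread</c> its configured log file location is used, otherwise <c>messages.txt</c>.</param>
 /// <param name="e">The received-message event. A null event or a null message is traced as a warning and dropped.</param>
 /// <remarks>
 /// The write is serialised on <c>m_syncObject</c> (presumably because several listeners share the file) and any
 /// failure is traced as an error and swallowed so the transport is never faulted by a logging problem.
 /// The raw message text (<c>e.Message.Original</c>) is written verbatim, so a line break inside it produces
 /// more than one line in the log file.
 /// </remarks>
 public void HandleInvalidMessage(object sender, Syslog.TransportProtocol.SyslogMessageReceivedEventArgs e)
 {
     lock (m_syncObject)
     {
         try
         {
             if (e == null || e.Message == null)
             {
                 this.m_traceSource.TraceWarning("Received null SyslogEvent from transport");
                 return;
             }

             // Null-safe resolution of the log file (the sender is not necessarily a SyslogListenerThread),
             // matching the way HandleMessageReceived resolves it
             String fileName = (sender as SyslogListenerThread)?.Configuration?.LogFileLocation ?? "messages.txt";
             using (var writer = File.AppendText(fileName))
                 writer.WriteLine("*{0}\t{1:yyyy-MM-dd HH:mm:ss}\t{2}\t{3}\t{4}", sender?.GetType().Name, DateTime.Now, e.Message.Facility, e.SolicitorEndpoint.Host, e.Message.Original);
         }
         catch (Exception ex)
         {
             this.m_traceSource.TraceError("Error handling invalid message: {0}", ex.ToString());
         }
     }
 }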
 /// <summary>
 /// Message has been received - appends one tab separated line describing it to the configured log file.
 /// </summary>
 /// <param name="sender">The listener raising the event; when it is a <c>SyslogListenerThread</c> its configured log file location is used, otherwise <c>messages.txt</c>.</param>
 /// <param name="e">The received-message event carrying the parsed message and both endpoints.</param>
 /// <remarks>
 /// The write is serialised on <c>m_syncObject</c>. Failures are traced as errors and swallowed so the
 /// transport is never faulted by a logging problem. The raw message (<c>e.Message.Original</c>) is written
 /// as received, so a line break inside it produces more than one line in the log file.
 /// </remarks>
 public void HandleMessageReceived(object sender, Syslog.TransportProtocol.SyslogMessageReceivedEventArgs e)
 {
     lock (m_syncObject)
     {
         try
         {
             var listener = sender as SyslogListenerThread;
             var logFile = listener?.Configuration?.LogFileLocation ?? "messages.txt";
             this.m_traceSource.TraceVerbose("Logging audit from {0} on endpoint {1} to file {2}", e.SolicitorEndpoint, e.ReceiveEndpoint, logFile);

             var message = e.Message;
             using (var logWriter = File.AppendText(logFile))
             {
                 logWriter.WriteLine(" {0}\t{1:yyyy-MM-dd HH:mm:ss}\t<{2}>\t{3}\t{4}\t{5}\t{6}",
                     sender.GetType().Name,
                     DateTime.Now,
                     message.Facility,
                     e.SolicitorEndpoint.Host,
                     message.ProcessId,
                     message.ProcessName,
                     message.Original);
             }
         }
         catch (Exception ex)
         {
             this.m_traceSource.TraceError("Error on handling message received: {0}", ex.ToString());
         }
     }
 }
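        /// <summary>
        /// Process a message received by the syslog message handler.
        /// </summary>
        /// <param name="e">The received-message event. A null event or a null message is traced as a warning and dropped.</param>
        /// <remarks>
        /// The message is parsed on the calling thread and the persistence work is queued on the thread pool,
        /// so this method returns before the audit has been stored. Exceptions raised before the work item is
        /// queued are traced and rethrown; exceptions inside the work item are traced only, as there is no
        /// caller left to report them to.
        /// </remarks>
        private void ProcessMessage(Syslog.TransportProtocol.SyslogMessageReceivedEventArgs e)
        {
            try
            {
                if (e == null || e.Message == null)
                {
                    this.m_traceSource.TraceWarning("Received null SyslogEvent from transport");
                    return;
                }

                // NOTE(review): whether the transport authenticated the sender (AuthenticatedSyslogMessageReceivedEventArgs)
                // is not consulted here - authenticated and unauthenticated messages are persisted the same way.
                ApplicationServiceContext.Current.GetService<IThreadPoolService>().QueueUserWorkItem((p) =>
                {
                    using (AuthenticationContext.EnterSystemContext())
                    {
                        try
                        {
                            this.PersistAudit((ParseAuditResult)p, e);
                        }
                        catch (Exception ex)
                        {
                            // Best effort - a failure here cannot be reported back to the transport
                            this.m_traceSource.TraceError("Error persisting audit: {0}", ex);
                        }
                    }
                }, MessageUtil.ParseAudit(e.Message));
            }
            catch (Exception ex)
            {
                this.m_traceSource.TraceError(ex.ToString());
                throw;
            }
        }

        /// <summary>
        /// Persist a parsed audit: through the <c>AuditBundle</c> repository when one is registered,
        /// otherwise through the "classic" <c>AuditUtil.SendAudit</c> path.
        /// </summary>
        /// <param name="processResult">The parse result for the message (audit, source message and detected issues).</param>
        /// <param name="e">The transport event the message arrived on (endpoints, host name, timestamp).</param>
        private void PersistAudit(ParseAuditResult processResult, Syslog.TransportProtocol.SyslogMessageReceivedEventArgs e)
        {
            var bundleRepository = ApplicationServiceContext.Current.GetService<IRepositoryService<AuditBundle>>();
            if (bundleRepository == null)
            {
                this.SendClassicAudit(processResult, e);
                return;
            }

            AuditBundle insertBundle = new AuditBundle();
            Audit audit = processResult.Message.ToAudit();

            if (audit != null)
            {
                // An unknown sender or receiver node is created on the fly, but the audit is then flagged as an alert
                bool senderCreated, receiverCreated;
                var senderNode = this.ResolveAuditNode(insertBundle, e.Message.HostName, out senderCreated);
                if (senderCreated)
                {
                    processResult.Details.Add(new DetectedIssue(DetectedIssuePriorityType.Warning, "sender.unknown", $"The sender {e.Message.HostName} is unknown", DetectedIssueKeys.SecurityIssue));
                }

                var receiverNode = this.ResolveAuditNode(insertBundle, Environment.MachineName, out receiverCreated);
                if (receiverCreated)
                {
                    processResult.Details.Add(new DetectedIssue(DetectedIssuePriorityType.Warning, "receiver.unknown", $"The receiver {Environment.MachineName} is not registered to receive messages", DetectedIssueKeys.SecurityIssue));
                }

                Uri solicitorEp = new Uri(String.Format("atna://{0}", e.SolicitorEndpoint.Host)),
                    receiveEp   = new Uri(String.Format("atna://{0}", e.ReceiveEndpoint.Host));

                // Create the session the first time its id is seen
                if (ApplicationServiceContext.Current.GetService<IRepositoryService<AuditSession>>().Get(processResult.SourceMessage.SessionId) == null)
                {
                    insertBundle.Add(new AuditSession()
                    {
                        Key               = processResult.SourceMessage.SessionId,
                        Receiver          = receiverNode,
                        Sender            = senderNode,
                        ReceivingEndpoint = receiveEp.ToString(),
                        SenderEndpoint    = solicitorEp.ToString()
                    });
                }

                // Get the bundle ready ...
                audit.CorrelationToken = processResult.SourceMessage.CorrelationId;
                audit.IsAlert          = senderCreated || receiverCreated;
                audit.ProcessId        = e.Message.ProcessId;
                audit.ProcessName      = e.Message.ProcessName;
                audit.CreationTime     = e.Timestamp;
                audit.SessionKey       = processResult.SourceMessage.SessionId;
                audit.Status           = AuditStatusType.New;
                audit.Details          = processResult.Details?.Select(i => new AuditDetailData()
                {
                    Key       = Guid.NewGuid(),
                    Message   = i.Text,
                    // Same enum type on both sides - no string round trip through Enum.Parse needed
                    IssueType = (DetectedIssuePriorityType)i.Priority
                }).ToList();
                insertBundle.Add(audit);
            }
            else if (processResult.Details != null)
            {
                // No audit could be built from the message: keep only the non-informational issues, linked to
                // the source message's correlation id (audit is null on this branch, so it cannot supply the key)
                foreach (var issue in processResult.Details.Where(o => o.Priority != DetectedIssuePriorityType.Information))
                {
                    insertBundle.Add(new AuditDetailData()
                    {
                        Key             = Guid.NewGuid(),
                        SourceEntityKey = processResult.SourceMessage.CorrelationId,
                        Message         = issue.Text,
                        IssueType       = issue.Priority == DetectedIssuePriorityType.Error ? DetectedIssuePriorityType.Error : DetectedIssuePriorityType.Warning
                    });
                }
            }

            // Batch persistence service
            bundleRepository.Insert(insertBundle);
        }

        /// <summary>
        /// Find the audit node registered for <paramref name="hostName"/>, first among the nodes already added to
        /// <paramref name="insertBundle"/> and then in the <c>AuditNode</c> repository. When none exists a new node
        /// with status <c>New</c> is added to the bundle and <paramref name="created"/> is set.
        /// </summary>
        /// <param name="insertBundle">The bundle being assembled; receives the node when it has to be created.</param>
        /// <param name="hostName">The host name as reported (used as the display name; matched lower-cased).</param>
        /// <param name="created">True when the host was unknown and a node had to be created.</param>
        /// <returns>The existing or newly created node.</returns>
        private AuditNode ResolveAuditNode(AuditBundle insertBundle, string hostName, out bool created)
        {
            // Node host names are stored lower-cased; hoisted so the repository expressions capture a plain value
            var normalizedHostName = hostName.ToLower();
            int totalResults = 0;

            var node = insertBundle.Item.OfType<AuditNode>().FirstOrDefault(o => o.HostName == normalizedHostName) ??
                       ApplicationServiceContext.Current.GetService<IRepositoryService<AuditNode>>().Find(o => o.HostName == normalizedHostName, 0, 1, out totalResults).FirstOrDefault();

            created = node == null;
            if (created)
            {
                node = new AuditNode()
                {
                    Key               = Guid.NewGuid(),
                    HostName          = normalizedHostName,
                    Name              = hostName,
                    Status            = AuditStatusType.New,
                    // Link to the registered security device of the same name, when there is one
                    SecurityDeviceKey = ApplicationServiceContext.Current.GetService<IRepositoryService<SecurityDevice>>().Find(o => o.Name == hostName, 0, 1, out totalResults).FirstOrDefault()?.Key.Value
                };
                insertBundle.Add(node);
            }

            return node;
        }

        /// <summary>
        /// "Classic" mode, used when no <c>AuditBundle</c> repository is registered: convert the message to
        /// <c>AuditData</c>, attach the transport metadata and hand it to <c>AuditUtil.SendAudit</c>.
        /// </summary>
        /// <param name="processResult">The parse result whose message is converted.</param>
        /// <param name="e">The transport event supplying endpoints, session id and timestamp metadata.</param>
        private void SendClassicAudit(ParseAuditResult processResult, Syslog.TransportProtocol.SyslogMessageReceivedEventArgs e)
        {
            AuditData audit = processResult.Message.ToAuditData();

            audit.AddMetadata(AuditMetadataKey.LocalEndpoint, e.ReceiveEndpoint.ToString());
            audit.AddMetadata(AuditMetadataKey.ProcessName, e.Message.ProcessName);
            audit.AddMetadata(AuditMetadataKey.RemoteHost, e.SolicitorEndpoint.ToString());
            audit.AddMetadata(AuditMetadataKey.SessionId, e.Message.SessionId.ToString());
            audit.AddMetadata(AuditMetadataKey.SubmissionTime, e.Message.Timestamp.ToString("o"));

            AuditUtil.SendAudit(audit);
        }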
 /// <summary>
 /// Handles an invalid message being persisted by delegating to <c>ProcessMessage</c>; the sender is not used.
 /// </summary>
 /// <param name="sender">The transport raising the event (ignored).</param>
 /// <param name="e">The received-message event handed on to <c>ProcessMessage</c>.</param>
 public void HandleInvalidMessage(object sender, Syslog.TransportProtocol.SyslogMessageReceivedEventArgs e) => this.ProcessMessage(e);