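/// <summary>
/// Syslog event handler for the generic "SysLog Recorder": copies the incoming message into a
/// <c>CustomBase.Rec</c> and hands the record to the configured sender service.
/// </summary>
/// <param name="args">Event data from the log manager; <c>Message</c>, <c>Source</c> and
/// <c>EventLogEntType</c> are read.</param>
/// <remarks>
/// Fix against the original: the description was truncated and then immediately overwritten
/// with the untruncated, quote-replaced message, so the length limit was never applied. The
/// quote replacement is now done first and the limit applied to the value that is stored.
/// Preparation errors are also logged at ERROR instead of DEBUG so they are not lost.
/// </remarks>
void slog_SyslogEvent(LogMgrEventArgs args)
{
    CustomBase.Rec rec = new CustomBase.Rec();
    try
    {
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
        try
        {
            rec.LogName = "SysLog Recorder";
            rec.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");
            rec.EventType = args.EventLogEntType.ToString();

            // A null message is treated as empty rather than failing record preparation.
            string message = args.Message ?? string.Empty;

            // Single quotes are mapped to '|' before storing. NOTE(review): this looks like a
            // guard against quote characters in the untrusted syslog text reaching the
            // recorder's storage layer; if SetData builds SQL from the record, the real
            // protection belongs there (parameterised statements), not in this character
            // swap — confirm against the sender implementation.
            string description = message.Replace("'", "|");

            // 895/890 presumably reflect the width of the Description column; apply the cut
            // to the value that is actually stored.
            rec.Description = description.Length > 895 ? description.Substring(0, 890) : description;

            L.Log(LogType.FILE, LogLevel.DEBUG, " Source Is : " + args.Source.ToString());
            rec.SourceName = args.Source;
            L.Log(LogType.FILE, LogLevel.INFORM, " Log : " + args.Message);
        }
        catch (Exception e)
        {
            // The partially filled record is still sent after a preparation failure, as in
            // the original; the failure itself must be visible, hence ERROR.
            L.Log(LogType.FILE, LogLevel.ERROR, "ERROR------------");
            L.Log(LogType.FILE, LogLevel.ERROR, e.Message);
            L.Log(LogType.FILE, LogLevel.ERROR, e.StackTrace);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");

        // usingRegistry, Dal, virtualhost and Id are class fields set elsewhere; they select
        // between the local sender and the remote recorder.
        if (usingRegistry)
        {
            CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
            s.SetData(rec);
        }
        else
        {
            CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
            s.SetData(Dal, virtualhost, rec);
            s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
    }
    catch (Exception er)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
        L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
    }
}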
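/// <summary>
/// Builds a <c>CustomBase.Rec</c> from one Palo Alto TRAFFIC syslog line (comma separated
/// fields, see the column list below).
/// </summary>
/// <param name="line">The raw log line. When null or empty, only the common fields are filled.</param>
/// <param name="dontSend">When true the line is not parsed; only the common fields
/// (LogName, SourceName, EventType, ComputerName, Description) are filled.</param>
/// <param name="args">Event data from the log manager; <c>Source</c>, <c>Message</c> and
/// <c>EventLogEntType</c> are read.</param>
/// <returns>The populated record; never null.</returns>
/// <remarks>
/// Fixes against the original: a null <paramref name="line"/> no longer throws from
/// <c>Split</c>; the date-conversion error message reports the field that was actually
/// converted (index 6, not 4); and a line with fewer than 7 fields no longer throws from
/// inside that error handler.
/// </remarks>
public Rec ParseSpecific(String line, bool dontSend, LogMgrEventArgs args)
{
    L.Log(LogType.FILE, LogLevel.DEBUG, " ParseSpecific() | Parsing Specific line. Line : " + line);
    if (string.IsNullOrEmpty(line))
    {
        L.Log(LogType.FILE, LogLevel.DEBUG, " ParseSpecific() | Line is Null Or Empty. ");
    }

    CustomBase.Rec rec = new CustomBase.Rec();
    L.Log(LogType.FILE, LogLevel.DEBUG, " Source Is : " + args.Source.ToString());
    rec.SourceName = args.Source;
    L.Log(LogType.FILE, LogLevel.INFORM, " Log : " + args.Message);
    rec.LogName = "PaloAltoTrafficV_1_0_0Syslog Recorder";
    rec.EventType = args.EventLogEntType.ToString();

    // remote_host is a class field set elsewhere; ComputerName is only set when it is known.
    if (!string.IsNullOrEmpty(remote_host))
    {
        rec.ComputerName = remote_host;
    }

    // Stored untruncated (the ~900-char cut used by sibling recorders was removed here).
    // NOTE(review): confirm the Description column accepts the full message length.
    rec.Description = args.Message;

    L.Log(LogType.FILE, LogLevel.DEBUG, " ParseSpecific() | ComputerName: " + rec.ComputerName);
    L.Log(LogType.FILE, LogLevel.DEBUG, " ParseSpecific() | Description: " + rec.Description);
    L.Log(LogType.FILE, LogLevel.DEBUG, " ParseSpecific() | LogName: " + rec.LogName);
    L.Log(LogType.FILE, LogLevel.DEBUG, " ParseSpecific() | SourceName: " + rec.SourceName);

    // Nothing to parse: return the record with the common fields only.
    if (dontSend || string.IsNullOrEmpty(line))
    {
        return rec;
    }

    // Column layout (0-based index = position in this list):
    //threath Domain*,Receive Time*,Serial #*,Type*,Threat/Content Type*,Config Version*,Generate Time*,Source address*,Destination address*,NAT Source IP*,NAT Destination IP*,Rule*,Source User*,Destination User*,Application*,Virtual System*,Source Zone*,Destination Zone*,Inbound Interface*, Outbound Interface*, Log Action*,Time Logged*,Session ID*,Repeat Count*,Source Port*,Destination Port*,NAT Source Port*,NAT Destination Port*,Flags*,IP Protocol*,Action,URL,Threat/Content Name,Category,Severity,Direction
    //traffic Domain*,Receive Time*,Serial #*,Type*,Threat/Content Type*,Config Version*,Generate Time*,Source address*,Destination address*,NAT Source IP*, NAT Destination IP*,Rule*,Source User*,Destination User*,Application*,Virtual System*,Source Zone*,Destination Zone*,Inbound Interface*,Outbound Interface*, Log Action*,Time Logged*,Session ID*,Repeat Count*,Source Port*,Destination Port*,NAT Source Port*,NAT Destination Port*,Flags*,IP Protocol*, Action,Bytes,Bytes Sent,Bytes Received,Packets,Start Time,Elapsed Time (sec),Category,Padding(39)
    //1,2011/01/25 05:45:17,0004C100832,THREAT,vulnerability,2,2011/01/25 05:45:12,193.189.142.32,168.216.29.89,192.168.0.12,168.216.29.89,Dis_Web_Server_erisim,,,web-browsing,vsys1,DMZ,Internet,ethernet1/1,ethernet1/4,,2011/01/25 05:45:17,56500,1,80,4149,80,4149,0x40,tcp,alert,,HTTP Non RFC-Compliant Response Found(32880),any,informational,server-to-client
    string[] parts = line.Split(',');
    try
    {
        // Field 6 is "Generate Time". On failure Datetime is left unset, as before —
        // NOTE(review): whether the sender tolerates a null Datetime is not visible here.
        if (parts.Length > 6)
        {
            try
            {
                rec.Datetime = Convert.ToDateTime(parts[6]).ToString("yyyy-MM-dd HH:mm:ss");
            }
            catch (Exception ex)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, " ParseSpecific() | There is a problem converting to date. date : " + parts[6] + " | " + ex.Message);
            }
        }
        else
        {
            L.Log(LogType.FILE, LogLevel.ERROR, " ParseSpecific() | Too few fields to read the date. Field count : " + parts.Length);
        }

        for (int i = 0; i < parts.Length; i++)
        {
            L.Log(LogType.FILE, LogLevel.DEBUG, " ParseSpecific() Parts[" + i + "]: " + parts[i]);
        }

        try
        {
            // Indices follow the traffic column list above. A short line throws
            // IndexOutOfRangeException, which is caught and logged below.
            rec.CustomStr1 = parts[18];   // Inbound Interface
            rec.CustomStr2 = parts[19];   // Outbound Interface
            rec.CustomStr3 = parts[7];    // Source address
            rec.CustomStr4 = parts[8];    // Destination address
            rec.CustomStr5 = parts[9];    // NAT Source IP
            rec.CustomStr6 = parts[10];   // NAT Destination IP
            rec.CustomStr7 = parts[29];   // IP Protocol
            rec.CustomStr8 = parts[4];    // Threat/Content Type
            rec.CustomStr9 = parts[3];    // Type
            rec.CustomStr10 = parts[14];  // Application
            rec.UserName = parts[12];     // Source User
            rec.EventType = parts[30];    // Action (overrides the EventLogEntType set above)
            rec.EventCategory = parts[37]; // Category
            // Convert_to_Int32 is a class helper defined elsewhere.
            rec.CustomInt1 = Convert_to_Int32(parts[0]);   // Domain
            rec.CustomInt2 = Convert_to_Int32(parts[23]);  // Repeat Count
            rec.CustomInt3 = Convert_to_Int32(parts[24]);  // Source Port
            rec.CustomInt4 = Convert_to_Int32(parts[25]);  // Destination Port
            rec.CustomInt5 = Convert_to_Int32(parts[26]);  // NAT Source Port
            rec.CustomInt6 = Convert_to_Int32(parts[27]);  // NAT Destination Port
            rec.CustomInt7 = Convert_to_Int32(parts[22]);  // Session ID
            rec.CustomInt8 = Convert_to_Int32(parts[32]);  // Bytes Sent
            rec.CustomInt9 = Convert_to_Int32(parts[33]);  // Bytes Received
            rec.CustomInt10 = Convert_to_Int32(parts[36]); // Elapsed Time (sec)
        }
        catch (Exception ex)
        {
            L.Log(LogType.FILE, LogLevel.ERROR, " ParseSpecific() | There is a problem parsing log.: " + ex.Message);
        }
        //172.16.55.55:34062 : local7.info Dec 14 11:15:31 1,2012/12/14 11:15:31,002201000312,THREAT,url,1,2012/12/14 11:15:31,10.104.3.241,2.21.90.227,194.27.49.141,2.21.90.227,TR-2-UNT,,,web-browsing,vsys1,trust,untrust,ethernet1/14,ethernet1/15,au_log_profile,2012/12/14 11:15:30,1013217,1,3868,80,34277,80,0x408000,tcp,alert,"px.owneriq.net/ep?sid[]=302333068&sid[]=302334368&rid[]=1612783&rid[]=1612784",(9999),business-and-economy,informational,client-to-server,1652635554,0x0,10.0.0.0-10.255.255.255,European Union,0,text/html
    }
    catch (Exception ex)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, " ParseSpecific() | " + ex.Message);
        L.Log(LogType.FILE, LogLevel.ERROR, " ParseSpecific() | " + ex.StackTrace);
        L.Log(LogType.FILE, LogLevel.ERROR, " ParseSpecific() | Line : " + line);
    }
    return rec;
}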
/// <summary>
/// Syslog event handler for the Cyberoam recorder: splits the message into key=value tokens
/// (SpaceSplit / SubLineSplitter are class helpers defined elsewhere), maps the known keys
/// onto a <c>CustomBase.Rec</c> and passes the record to <c>SendData</c>.
/// </summary>
/// <param name="args">Event data from the log manager; <c>Message</c> and
/// <c>EventLogEntType</c> are read.</param>
void slog_SyslogEvent(LogMgrEventArgs args)
{
    CustomBase.Rec rec = new CustomBase.Rec();
    // Tokenised before the try: a failure here (e.g. a null Message) propagates to the caller unlogged.
    string[] lineArr = SpaceSplit(args.Message, true);
    try
    {
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
        try
        {
            rec.LogName = "CyberoamSyslogV_1_0_0Recorder";
            //rec.EventType = args.EventLogEntType.ToString();
            #region Description
            // 899 presumably matches the width of the Description column; the full message is
            // still written to the log file below.
            if (args.Message.Length > 899)
                rec.Description = args.Message.Substring(0, 899);
            else
            {
                rec.Description = args.Message;
            }
            L.Log(LogType.FILE, LogLevel.INFORM, "Description: " + args.Message);
            #endregion
            string dateString = "";
            string timeString = "";
            // First pass: collect the date and time tokens. StartsWith is a prefix match
            // (culture-sensitive, no StringComparison), so "time" is explicitly kept from
            // matching "timezone"; any other key sharing one of these prefixes would match too.
            for (int i = 0; i < lineArr.Length; i++)
            {
                #region DateTime
                if (lineArr[i].StartsWith("date"))
                {
                    dateString = SubLineSplitter(lineArr[i]);
                }
                if (lineArr[i].StartsWith("time") && !lineArr[i].StartsWith("timezone"))
                {
                    timeString = SubLineSplitter(lineArr[i]);
                }
                #endregion
            }
            L.Log(LogType.FILE, LogLevel.DEBUG, "dateString: " + dateString + " " + timeString);
            // Culture-dependent parse. A missing or malformed date/time throws here, the record
            // is dropped, and the failure is only logged at DEBUG by the inner catch below.
            DateTime dt = Convert.ToDateTime(dateString + " " + timeString);
            // dateFormat is a class field defined elsewhere.
            rec.Datetime = dt.ToString(dateFormat);
            L.Log(LogType.FILE, LogLevel.DEBUG, "DateTime: " + rec.Datetime);
            // Second pass: map keys onto record fields. The mapping below stores device_id in
            // UserName and user_name in ComputerName — NOTE(review): confirm this is intended.
            // Same prefix-match caveat as above (e.g. "url" also matches any key starting with "url").
            for (int i = 0; i < lineArr.Length; i++)
            {
                #region SOURCENAME
                if (lineArr[i].StartsWith("device_name"))
                {
                    rec.SourceName = SubLineSplitter(lineArr[i]);
                }
                #endregion
                #region EVENTCATEGORY
                if (lineArr[i].StartsWith("log_component"))
                {
                    rec.EventCategory = SubLineSplitter(lineArr[i]);
                }
                #endregion
                #region EVENTTYPE
                if (lineArr[i].StartsWith("log_type"))
                {
                    rec.EventType = SubLineSplitter(lineArr[i]);
                }
                #endregion
                #region USERSID
                if (lineArr[i].StartsWith("device_id"))
                {
                    rec.UserName = SubLineSplitter(lineArr[i]);
                }
                #endregion
                #region COMPUTERNAME
                if (lineArr[i].StartsWith("user_name"))
                {
                    rec.ComputerName = SubLineSplitter(lineArr[i]);
                }
                #endregion
                #region CUSTOMSTR1
                if (lineArr[i].StartsWith("protocol"))
                {
                    rec.CustomStr1 = SubLineSplitter(lineArr[i]);
                }
                #endregion
                #region CUSTOMSTR2
                if (lineArr[i].StartsWith("user_gp"))
                {
                    rec.CustomStr2 = SubLineSplitter(lineArr[i]);
                }
                #endregion
                #region CUSTOMSTR3
                if (lineArr[i].StartsWith("src_ip"))
                {
                    rec.CustomStr3 = SubLineSplitter(lineArr[i]);
                }
                #endregion
                #region CUSTOMSTR4
                if (lineArr[i].StartsWith("dst_ip"))
                {
                    rec.CustomStr4 = SubLineSplitter(lineArr[i]);
                }
                #endregion
                #region CUSTOMSTR5
                if (lineArr[i].StartsWith("category"))
                {
                    rec.CustomStr5 = SubLineSplitter(lineArr[i]);
                }
                #endregion
                #region CUSTOMSTR6
                if (lineArr[i].StartsWith("contenttype"))
                {
                    rec.CustomStr6 = SubLineSplitter(lineArr[i]);
                }
                #endregion
                #region CUSTOMSTR7
                if (lineArr[i].StartsWith("domain"))
                {
                    rec.CustomStr7 = SubLineSplitter(lineArr[i]);
                }
                #endregion
                #region CUSTOMSTR8
                if (lineArr[i].StartsWith("status"))
                {
                    rec.CustomStr8 = SubLineSplitter(lineArr[i]);
                }
                #endregion
                #region CUSTOMSTR9
                if (lineArr[i].StartsWith("url"))
                {
                    rec.CustomStr9 = SubLineSplitter(lineArr[i]);
                }
                #endregion
                #region CUSTOMSTR10
                if (lineArr[i].StartsWith("log_subtype"))
                {
                    rec.CustomStr10 = SubLineSplitter(lineArr[i]);
                }
                /* if (lineArr[i].StartsWith("log_component")) { rec.EventCategory = SubLineSplitter(lineArr[i]); } L.Log(LogType.FILE, LogLevel.DEBUG, "EventCategory: " + rec.EventCategory);*/
                #endregion
                // Convert_To_Int32 is a class helper defined elsewhere; its behaviour on
                // non-numeric input is not visible here.
                #region CUSTOMINT1
                if (lineArr[i].StartsWith("fw_rule_id"))
                {
                    rec.CustomInt1 = Convert_To_Int32(SubLineSplitter(lineArr[i]));
                }
                #endregion
                #region CUSTOMINT2
                if (lineArr[i].StartsWith("iap"))
                {
                    rec.CustomInt2 = Convert_To_Int32(SubLineSplitter(lineArr[i]));
                }
                #endregion
                #region CUSTOMINT3
                #endregion
                #region CUSTOMINT4
                #endregion
                #region CUSTOMINT5
                if (lineArr[i].StartsWith("src_port"))
                {
                    rec.CustomInt5 = Convert_To_Int32(SubLineSplitter(lineArr[i]));
                }
                #endregion
                #region CUSTOMINT6
                if (lineArr[i].StartsWith("dst_port"))
                {
                    rec.CustomInt6 = Convert_To_Int32(SubLineSplitter(lineArr[i]));
                }
                #endregion
                #region CUSTOMINT7
                if (lineArr[i].StartsWith("httpresponsecode"))
                {
                    rec.CustomInt7 = Convert_To_Int32(SubLineSplitter(lineArr[i]));
                }
                #endregion
                #region CUSTOMINT8
                if (lineArr[i].StartsWith("sent_bytes"))
                {
                    rec.CustomInt8 = Convert_To_Int32(SubLineSplitter(lineArr[i]));
                }
                #endregion
                #region CUSTOMINT9
                if (lineArr[i].StartsWith("recv_bytes"))
                {
                    rec.CustomInt9 = Convert_To_Int32(SubLineSplitter(lineArr[i]));
                }
                #endregion
                #region CUSTOMINT10
                #endregion
            }
            L.Log(LogType.FILE, LogLevel.DEBUG, "SourceName: " + rec.SourceName);
            L.Log(LogType.FILE, LogLevel.DEBUG, "EventCategory: " + rec.EventCategory);
            L.Log(LogType.FILE, LogLevel.DEBUG, "EventType: " + rec.EventType);
            // NOTE(review): the "******" run on the next line appears to be a redaction artifact
            // of this listing, not source code; the original presumably logged UserName and
            // ComputerName as two separate L.Log calls — restore from the original file.
            L.Log(LogType.FILE, LogLevel.DEBUG, "UserName: "******"ComputerName: " + rec.ComputerName);
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr1: " + rec.CustomStr1);
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2: " + rec.CustomStr2);
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4: " + rec.CustomStr4);
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr5: " + rec.CustomStr5);
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr6: " + rec.CustomStr6);
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr7: " + rec.CustomStr7);
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr8: " + rec.CustomStr8);
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr9: " + rec.CustomStr9);
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr10: " + rec.CustomStr10);
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt1: " + rec.CustomInt1.ToString(CultureInfo.InvariantCulture));
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt2: " + rec.CustomInt2.ToString(CultureInfo.InvariantCulture));
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt5: " + rec.CustomInt5.ToString(CultureInfo.InvariantCulture));
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt6: " + rec.CustomInt6.ToString(CultureInfo.InvariantCulture));
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt7: " + rec.CustomInt7.ToString(CultureInfo.InvariantCulture));
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt8: " + rec.CustomInt8.ToString(CultureInfo.InvariantCulture));
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt9: " + rec.CustomInt9.ToString(CultureInfo.InvariantCulture));
            //rec.SourceName = args.Source;
            // SendData is a class helper defined elsewhere; a false return is not logged.
            if (SendData(rec))
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
            }
        }
        catch (Exception e)
        {
            // NOTE(review): parse/send failures are logged at DEBUG only, so a dropped record is
            // invisible at the usual production log level.
            L.Log(LogType.FILE, LogLevel.DEBUG, "ERROR------------");
            L.Log(LogType.FILE, LogLevel.DEBUG, e.Message);
            L.Log(LogType.FILE, LogLevel.DEBUG, e.StackTrace);
        }
    }
    catch (Exception er)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
        L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
    }
}
/// <summary>
/// Syslog event handler for the Symantec SMS mail-gateway recorder. The message is split on
/// ':' and every piece trimmed; pieces 0-1 give the host, 2-4 the date/time and the process
/// code, piece 5 selects the event family (an "ML-*" ecelerity event or a "|KEYWORD|" framed
/// message event), and the remaining pieces are joined back into Description. Any format
/// problem is logged at ERROR and the record is dropped (early return) without being sent.
/// </summary>
/// <param name="args">Event data from the log manager; <c>Message</c>, <c>Source</c> and
/// <c>EventLogEntType</c> are read.</param>
/// <remarks>
/// Two .NET pitfalls recur throughout this method and are worth knowing when reading it:
/// <c>TrimStart(char[])</c> / <c>TrimEnd(char[])</c> remove every leading/trailing character
/// that is *in the set*, not a literal prefix/suffix, so e.g. <c>TrimEnd(", sender".ToCharArray())</c>
/// also strips a host name's own trailing 's', 'e', 'n', 'd' or 'r' characters, and
/// <c>TrimStart("Audit ID".ToCharArray())</c> strips a leading 'a', 'd' or 'i' from the ID —
/// NOTE(review): confirm against real samples whether this has been losing characters.
/// <c>int.Parse</c> is culture-dependent and throws on non-numeric input (caught per branch).
/// The literal "******" assigned to UserName appears to be a redaction artifact of this
/// listing — confirm the intended value in the original file.
/// </remarks>
void slog_SyslogEvent(LogMgrEventArgs args)
{
    CustomBase.Rec rec = new CustomBase.Rec();
    try
    {
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
        rec.LogName = "SymantecSmsSyslog Recorder";
        rec.EventCategory = "sms";
        rec.UserName = "******";
        rec.EventType = args.EventLogEntType.ToString();
        // Only the empty string is rejected here; a null Message throws on Split below and is
        // caught by the outer catch.
        if (args.Message == "")
        {
            L.Log(LogType.FILE, LogLevel.INFORM, "Message is null.");
            return;
        }
        String[] Desc = args.Message.Split(':');
        if (Desc.Length < 5)
        {
            L.Log(LogType.FILE, LogLevel.ERROR, "Length of message too small: " + args.Message);
            return;
        }
        for (Int32 i = 0; i < Desc.Length; ++i)
        {
            Desc[i] = Desc[i].Trim();
        }
        // Pieces 0 and 1 are the "ip:port" of the sender (see the sample line further down).
        rec.ComputerName = Desc[0] + ":" + Desc[1];
        rec.SourceName = args.Source;
        // Strips the source characters (as a char set, see remarks) before the "Mon dd HH" text;
        // SpaceSplit is a class helper defined elsewhere.
        String[] dateArr = SpaceSplit(Desc[2].TrimStart(rec.SourceName.ToCharArray()));
        if (dateArr.Length < 3)
        {
            L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for datetime (text too small): " + args.Message);
            return;
        }
        try
        {
            // The syslog timestamp carries no year, so the current year is assumed; hours come
            // from dateArr[2], minutes from Desc[3], seconds from the first two chars of Desc[4].
            StringBuilder dateString = new StringBuilder();
            //Date
            dateString.Append(dateArr[0]).Append(" ").Append(dateArr[1]).Append(" ").Append(DateTime.Now.Year.ToString()).Append(" ");
            //Time
            dateString.Append(dateArr[2]).Append(":").Append(Desc[3]).Append(":").Append(Desc[4].Substring(0, 2));
            // Culture-dependent parse; zone is a class field (presumably a minute offset) defined elsewhere.
            DateTime dt = DateTime.Parse(dateString.ToString());
            rec.Datetime = dt.AddMinutes(zone).ToString("yyyy/MM/dd HH:mm:ss");
        }
        catch (Exception)
        {
            L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing datetime text: " + args.Message);
            return;
        }
        try
        {
            // Rest of Desc[4] after the seconds: "<process> [<pid>]" → CustomStr1 / CustomInt1.
            string codeText = Desc[4].Substring(2).Trim().TrimStart(rec.EventCategory.ToCharArray()).Trim();
            if (codeText.Contains("[") && codeText.Contains("]"))
            {
                rec.CustomStr1 = codeText.Split('[')[0].Trim();
                rec.CustomInt1 = int.Parse(codeText.Split('[')[1].Trim().Split(']')[0].Trim());
            }
            else
            {
                rec.CustomStr1 = Desc[4].Substring(2).Trim(); //.TrimStart(rec.EventCategory.ToCharArray()).Trim(); //codeText;
                rec.CustomInt1 = 0;
            }
        }
        catch (Exception)
        {
            L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing code text: " + args.Message);
            return;
        }
        // Index of the first Desc piece that goes into Description; branches that consume
        // Desc[5] set it to 6.
        int lastIndexForDesc = 5;
        if (Desc.Length > 5)
        {
            // The ML-* checks are substring matches, so their order matters: ML-DELIVERY_ATTEMPT
            // must be tested before ML-DELIVERY, and ML-RECEIVED also covers ML-RECEIVED_RECIPIENT.
            if (Desc[5].Contains("ML-HOST_DISCONNECTED"))
            {
                try
                {
                    rec.UserName = "******";
                    // CustomInt2 = the bracketed pid at the start of Desc[5]; same in every ML-* branch.
                    rec.CustomInt2 = int.Parse(Desc[5].Split(']')[0].TrimStart('[').Trim());
                    rec.EventCategory = "ML-HOST_DISCONNECTED";
                    // Desc[7] is read without a length check; an IndexOutOfRangeException lands in the catch below.
                    if (Desc[7].ToLower().Contains("disconnected"))
                    {
                        rec.CustomStr10 = Desc[6] + ":" + Desc[7].Split(' ')[0]; //disconnected from
                    }
                    lastIndexForDesc = 6;
                }
                catch (Exception ex)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for ML-HOST_DISCONNECTED: " + args.Message + " \nEx: " + ex.Message);
                    return;
                }
            }
            else if (Desc[5].Contains("ML-HOST_CONNECTED"))
            {
                try
                {
                    rec.UserName = "******";
                    rec.CustomInt2 = int.Parse(Desc[5].Split(']')[0].TrimStart('[').Trim());
                    rec.EventCategory = "ML-HOST_CONNECTED";
                    if (Desc[7].ToLower().Contains("connected"))
                    {
                        rec.CustomStr10 = Desc[6] + ":" + Desc[7].Split(' ')[0]; //connected to
                    }
                    lastIndexForDesc = 6;
                }
                catch (Exception ex)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for ML-HOST_CONNECTED: " + args.Message + " \nEx: " + ex.Message);
                    return;
                }
            }
            else if (Desc[5].Contains("ML-RECEIVED"))
            {
                //195.142.175.69:62754 : mail.info Jul 29 15:19:23 mail ecelerity: [18796] ML-RECEIVED_RECIPIENT: Message ID: E0/0C-18796-B45A23E4, Audit ID: c0a8010e-b7bc5ae00000496c-57-4e32a54bb662, recipient: [email protected]
                try
                {
                    rec.UserName = "******";
                    rec.CustomInt2 = int.Parse(Desc[5].Split(']')[0].TrimStart('[').Trim());
                    rec.EventCategory = "ML-RECEIVED";
                    if (Desc[6].Contains("Message ID") && Desc[7].Contains("Audit ID"))
                    {
                        // Two layouts are handled: the first assumes a "host:port" pair per field; if that
                        // fails (typically IndexOutOfRange), the catch re-reads with single-field offsets.
                        // The finally block fills Message ID / Audit ID in both cases.
                        try
                        {
                            rec.CustomStr2 = Desc[8] + ":" + Desc[9].TrimEnd(", from host".ToCharArray()); //Received on
                            if (Desc.Length > 10)
                            {
                                rec.CustomStr10 = Desc[10] + ":" + Desc[11].TrimEnd(", sender".ToCharArray()); //from host
                                rec.CustomStr4 = Desc[12].Split(',')[0]; //sender
                                rec.CustomInt3 = int.Parse(Desc[13].TrimEnd(", Note".ToCharArray())); //size
                            }
                        }
                        catch (Exception ex)
                        {
                            // NOTE(review): an exception thrown from this fallback is not caught here; it
                            // goes to the ML-RECEIVED catch below.
                            rec.CustomStr2 = Desc[8].TrimEnd(", from host".ToCharArray()); //Received on
                            rec.CustomStr10 = Desc[9].TrimEnd(", sender".ToCharArray()); //from host
                            rec.CustomStr4 = Desc[10].Split(',')[0]; //sender
                            rec.CustomInt3 = int.Parse(Desc[11].TrimEnd(", Note".ToCharArray())); //size
                        }
                        finally
                        {
                            rec.CustomStr5 = Desc[7].Split(',')[0]; //Message ID
                            rec.CustomStr6 = Desc[7].Split(',')[1].TrimStart("Audit ID".ToCharArray()).Trim(); //Audit ID
                        }
                    }
                    lastIndexForDesc = 6;
                }
                catch (Exception ex)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for ML-RECEIVED: " + args.Message + " \nEx: " + ex.Message);
                    return;
                }
            }
            else if (Desc[5].Contains("ML-REJECT"))
            {
                try
                {
                    rec.UserName = "******";
                    rec.CustomInt2 = int.Parse(Desc[5].Split(']')[0].TrimStart('[').Trim());
                    rec.EventCategory = "ML-REJECT";
                    if (Desc[6].Contains("Rejection") && Desc[10].Contains("Audit ID"))
                    {
                        rec.CustomStr2 = Desc[7] + ":" + Desc[8].TrimEnd(", sent to host".ToCharArray()); //Rejection on
                        // Desc[10] is split on ',' repeatedly; the Audit ID is in element 1 or 2 depending
                        // on whether the host field itself contained a comma.
                        rec.CustomStr10 = Desc[9] + ":" + Desc[10].Split(',')[0] + (Desc[10].Split(',')[1].Contains("Audit ID") ? "" : Desc[10].Split(',')[1]); //sent to host
                        rec.CustomStr6 = Desc[10].Split(',')[1].Contains("Audit ID") ? Desc[10].Split(',')[1].TrimStart("Audit ID".ToCharArray()).Trim() : Desc[10].Split(',')[2].TrimStart("Audit ID".ToCharArray()).Trim(); //Audit ID
                    }
                    lastIndexForDesc = 6;
                }
                catch (Exception ex)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for ML-REJECT: " + args.Message + " \nEx: " + ex.Message);
                    return;
                }
            }
            else if (Desc[5].Contains("ML-DELIVERY_ATTEMPT"))
            {
                try
                {
                    rec.UserName = "******";
                    rec.CustomInt2 = int.Parse(Desc[5].Split(']')[0].TrimStart('[').Trim());
                    rec.EventCategory = "ML-DELIVERY_ATTEMPT";
                    if (Desc[6].Contains("Message ID") && Desc[7].Contains("Audit ID"))
                    {
                        rec.CustomStr4 = Desc[8]; //sender
                        rec.CustomStr5 = Desc[7].Split(',')[0]; //Message ID
                        rec.CustomStr6 = Desc[7].Split(',')[1].TrimStart("Audit ID".ToCharArray()).Trim(); //Audit ID
                    }
                    lastIndexForDesc = 6;
                }
                catch (Exception ex)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for ML-DELIVERY_ATTEMPT: " + args.Message + " \nEx: " + ex.Message);
                    return;
                }
            }
            else if (Desc[5].Contains("ML-DELIVERY"))
            {
                try
                {
                    rec.UserName = "******";
                    rec.CustomInt2 = int.Parse(Desc[5].Split(']')[0].TrimStart('[').Trim());
                    rec.EventCategory = "ML-DELIVERY";
                    if (Desc[6].Contains("Message ID") && Desc[7].Contains("Audit ID"))
                    {
                        rec.CustomStr10 = Desc[8].TrimEnd(", sender".ToCharArray()); //Delivery succeeded to host
                        rec.CustomStr4 = Desc[9].TrimEnd(", Note".ToCharArray()); //sender
                        rec.CustomStr5 = Desc[7].Split(',')[0]; //Message ID
                        rec.CustomStr6 = Desc[7].Split(',')[1].TrimStart("Audit ID".ToCharArray()).Trim(); //Audit ID
                    }
                    lastIndexForDesc = 6;
                }
                catch (Exception ex)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for ML-DELIVERY: " + args.Message + " \nEx: " + ex.Message);
                    return;
                }
            }
            else
            {
                // "|KEYWORD|" framed message events: Desc[5] is split on '|' into
                // [MessageID, AuditID, KEYWORD, payload...]. Every branch below leaves
                // lastIndexForDesc at 5, so Desc[5] itself is also kept in Description.
                if (Desc[5].Contains("|SOURCE|"))
                {
                    try
                    {
                        rec.UserName = "******";
                        string[] descText = Desc[5].Split('|');
                        rec.EventCategory = "MESSAGE SOURCE";
                        rec.CustomStr5 = descText[0]; //Message ID
                        rec.CustomStr6 = descText[1]; //Audit ID
                        rec.CustomStr2 = descText[3]; //Mail Source (internal / external)
                    }
                    catch (Exception ex)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for message SOURCE: " + args.Message + " \nEx: " + ex.Message);
                        return;
                    }
                }
                else if (Desc[5].Contains("|ACCEPT|"))
                {
                    try
                    {
                        rec.UserName = "******";
                        string[] descText = Desc[5].Split('|');
                        rec.EventCategory = "MESSAGE ACCEPT";
                        rec.CustomStr5 = descText[0]; //Message ID
                        rec.CustomStr6 = descText[1]; //Audit ID
                        rec.CustomStr2 = descText[3] + ":" + Desc[6]; // Mail Server IP Address
                    }
                    catch (Exception ex)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for message ACCEPT: " + args.Message + " \nEx: " + ex.Message);
                        return;
                    }
                }
                else if (Desc[5].Contains("|SUBJECT|"))
                {
                    try
                    {
                        rec.UserName = "******";
                        string[] descText = Desc[5].Split('|');
                        rec.EventCategory = "MESSAGE SUBJECT";
                        rec.CustomStr5 = descText[0]; //Message ID
                        rec.CustomStr6 = descText[1]; //Audit ID
                        rec.CustomStr8 = descText[3]; // Subject Text
                        // The subject was split on ':' with the rest of the message; re-join it.
                        for (int i = 6; i < Desc.Length; i++)
                        {
                            rec.CustomStr8 += ":" + Desc[i];
                        }
                        // 900 presumably is the column width; the cut keeps 895 chars plus "...".
                        if (rec.CustomStr8.Length > 900)
                        {
                            rec.CustomStr8 = rec.CustomStr8.Substring(0, 895) + "...";
                            L.Log(LogType.FILE, LogLevel.INFORM, "Subject length too long. Only 895 characters taken..");
                        }
                    }
                    catch (Exception ex)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for message SUBJECT: " + args.Message + " \nEx: " + ex.Message);
                        return;
                    }
                }
                else if (Desc[5].Contains("|VERDICT|"))
                {
                    try
                    {
                        rec.UserName = "******";
                        string[] descText = Desc[5].Split('|');
                        rec.EventCategory = "MESSAGE VERDICT";
                        rec.CustomStr5 = descText[0]; //Message ID
                        rec.CustomStr6 = descText[1]; //Audit ID
                        rec.CustomStr2 = descText[3]; // Mail address
                        // Remaining segments are joined with '/' as the verdict text; segments that
                        // look like mail addresses (contain '@') are skipped. CustomStr3 starts null;
                        // null + string yields the string in C#.
                        for (int i = 4; i < descText.Length; i++)
                        {
                            if (descText[i].Contains("@"))
                            {
                                continue;
                            }
                            rec.CustomStr3 += descText[i] + "/";
                        }
                        rec.CustomStr3 = rec.CustomStr3.TrimEnd("/".ToCharArray()); // Verdict Text
                        if (rec.CustomStr3.Length > 900)
                        {
                            rec.CustomStr3 = rec.CustomStr3.Substring(0, 895) + "...";
                            L.Log(LogType.FILE, LogLevel.INFORM, "Verdict length too long. Only 895 characters taken..");
                        }
                    }
                    catch (Exception ex)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for message VERDICT: " + args.Message + " \nEx: " + ex.Message);
                        return;
                    }
                }
                else if (Desc[5].Contains("|IRCPTACTION|"))
                {
                    try
                    {
                        rec.UserName = "******";
                        string[] descText = Desc[5].Split('|');
                        rec.EventCategory = "MESSAGE IRCPTACTION";
                        rec.CustomStr5 = descText[0]; //Message ID
                        rec.CustomStr6 = descText[1]; //Audit ID
                        // All segments but the last are recipients; the last is the action.
                        for (int i = 3; i < descText.Length - 1; i++)
                        {
                            rec.CustomStr2 += descText[i] + ",";
                        }
                        rec.CustomStr2 = rec.CustomStr2.TrimEnd(",".ToCharArray()); // Recipient Addresses
                        rec.CustomStr3 = descText[descText.Length - 1]; // Action
                        if (rec.CustomStr3.Length > 900)
                        {
                            rec.CustomStr3 = rec.CustomStr3.Substring(0, 895) + "...";
                            L.Log(LogType.FILE, LogLevel.INFORM, "Action length too long. Only 895 characters taken..");
                        }
                    }
                    catch (Exception ex)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for message IRCPTACTION: " + args.Message + " \nEx: " + ex.Message);
                        return;
                    }
                }
                else if (Desc[5].Contains("|DELIVER|"))
                {
                    try
                    {
                        rec.UserName = "******";
                        // Unlike the other branches this splits the whole message on '|' and indexes
                        // from the end, so fields before the framed part may themselves contain ':'.
                        string[] descText = args.Message.Split('|');
                        rec.EventCategory = "MESSAGE DELIVER";
                        rec.CustomStr5 = descText[descText.Length - 5].Split(':')[descText[descText.Length - 5].Split(':').Length - 1]; //Message ID
                        rec.CustomStr6 = descText[descText.Length - 4]; //Audit ID
                        rec.CustomStr2 = descText[descText.Length - 2]; // Mail Server IP Address
                        rec.CustomStr3 = descText[descText.Length - 1]; // Recipient Address
                        //dali
                        //rec.UserName = "******";
                        //string[] descText = Desc[5].Split('|');
                        //rec.EventCategory = "MESSAGE DELIVER";
                        //rec.CustomStr5 = descText[0]; //Message ID
                        //rec.CustomStr6 = descText[1]; //Audit ID
                        //rec.CustomStr2 = descText[3]; // Mail Server IP Address
                        //rec.CustomStr3 = descText[4]; // Recipient Address
                    }
                    catch (Exception ex)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for message DELIVER: " + args.Message + " \nEx: " + ex.Message);
                        return;
                    }
                }
                else if (Desc[5].Contains("|SENDER|"))
                {
                    try
                    {
                        rec.UserName = "******";
                        string[] descText = Desc[5].Split('|');
                        rec.EventCategory = "MESSAGE SENDER";
                        rec.CustomStr5 = descText[0]; //Message ID
                        rec.CustomStr6 = descText[1]; //Audit ID
                        // A lone backslash segment means the address is in the next segment (if any).
                        if (descText[3] == "\\")
                        {
                            if (descText.Length > 4)
                            {
                                rec.CustomStr4 = descText[4]; // Sender Address
                            }
                            else
                            {
                                rec.CustomStr4 = "\\"; // Sender Address
                            }
                        }
                        else
                        {
                            rec.CustomStr4 = descText[3]; // Sender Address
                        }
                    }
                    catch (Exception ex)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for message SENDER: " + args.Message + " \nEx: " + ex.Message);
                        return;
                    }
                }
                else if (Desc[5].Contains("|ORCPTS|"))
                {
                    try
                    {
                        rec.UserName = "******";
                        string[] descText = Desc[5].Split('|');
                        rec.EventCategory = "MESSAGE ORCPTS";
                        rec.CustomStr5 = descText[0]; //Message ID
                        rec.CustomStr6 = descText[1]; //Audit ID
                        for (int i = 3; i < descText.Length; i++)
                        {
                            rec.CustomStr3 += descText[i] + ",";
                        }
                        rec.CustomStr3 = rec.CustomStr3.TrimEnd(",".ToCharArray()); // Recipient Addresses
                        // A long recipient list is spread over several 900-char fields in the fixed
                        // order CustomStr3, 4, 7, 8, 9, 10, 2; anything beyond 6300 chars is dropped.
                        if (rec.CustomStr3.Length >= 6300)
                        {
                            rec.CustomStr4 = rec.CustomStr3.Substring(900, 900);
                            rec.CustomStr7 = rec.CustomStr3.Substring(1800, 900);
                            rec.CustomStr8 = rec.CustomStr3.Substring(2700, 900);
                            rec.CustomStr9 = rec.CustomStr3.Substring(3600, 900);
                            rec.CustomStr10 = rec.CustomStr3.Substring(4500, 900);
                            rec.CustomStr2 = rec.CustomStr3.Substring(5400, 900);
                            rec.CustomStr3 = rec.CustomStr3.Substring(0, 900);
                            L.Log(LogType.FILE, LogLevel.INFORM, "Recipient length longer than 6300. Only 6300 characters taken and data has been shared among other table fields..");
                        }
                        else if (rec.CustomStr3.Length >= 5400)
                        {
                            rec.CustomStr4 = rec.CustomStr3.Substring(900, 900);
                            rec.CustomStr7 = rec.CustomStr3.Substring(1800, 900);
                            rec.CustomStr8 = rec.CustomStr3.Substring(2700, 900);
                            rec.CustomStr9 = rec.CustomStr3.Substring(3600, 900);
                            rec.CustomStr10 = rec.CustomStr3.Substring(4500, 900);
                            rec.CustomStr2 = rec.CustomStr3.Substring(5400, rec.CustomStr3.Length - 5400);
                            rec.CustomStr3 = rec.CustomStr3.Substring(0, 900);
                            L.Log(LogType.FILE, LogLevel.INFORM, "Recipient length longer than 5400. Data has been shared among other table fields..");
                        }
                        else if (rec.CustomStr3.Length >= 4500)
                        {
                            rec.CustomStr4 = rec.CustomStr3.Substring(900, 900);
                            rec.CustomStr7 = rec.CustomStr3.Substring(1800, 900);
                            rec.CustomStr8 = rec.CustomStr3.Substring(2700, 900);
                            rec.CustomStr9 = rec.CustomStr3.Substring(3600, 900);
                            rec.CustomStr10 = rec.CustomStr3.Substring(4500, rec.CustomStr3.Length - 4500);
                            rec.CustomStr3 = rec.CustomStr3.Substring(0, 900);
                            L.Log(LogType.FILE, LogLevel.INFORM, "Recipient length longer than 4500. Data has been shared among other table fields.");
                        }
                        else if (rec.CustomStr3.Length >= 3600)
                        {
                            rec.CustomStr4 = rec.CustomStr3.Substring(900, 900);
                            rec.CustomStr7 = rec.CustomStr3.Substring(1800, 900);
                            rec.CustomStr8 = rec.CustomStr3.Substring(2700, 900);
                            rec.CustomStr9 = rec.CustomStr3.Substring(3600, rec.CustomStr3.Length - 3600);
                            rec.CustomStr3 = rec.CustomStr3.Substring(0, 900);
                            L.Log(LogType.FILE, LogLevel.INFORM, "Recipient length longer than 3600. Data has been shared among other table fields.");
                        }
                        else if (rec.CustomStr3.Length >= 2700)
                        {
                            rec.CustomStr4 = rec.CustomStr3.Substring(900, 900);
                            rec.CustomStr7 = rec.CustomStr3.Substring(1800, 900);
                            rec.CustomStr8 = rec.CustomStr3.Substring(2700, rec.CustomStr3.Length - 2700);
                            rec.CustomStr3 = rec.CustomStr3.Substring(0, 900);
                            L.Log(LogType.FILE, LogLevel.INFORM, "Recipient length longer than 2700. Data has been shared among other table fields.");
                        }
                        else if (rec.CustomStr3.Length >= 1800)
                        {
                            rec.CustomStr4 = rec.CustomStr3.Substring(900, 900);
                            rec.CustomStr7 = rec.CustomStr3.Substring(1800, rec.CustomStr3.Length - 1800);
                            rec.CustomStr3 = rec.CustomStr3.Substring(0, 900);
                            L.Log(LogType.FILE, LogLevel.INFORM, "Recipient length longer than 1800. Data has been shared among other table fields.");
                        }
                        else if (rec.CustomStr3.Length > 900)
                        {
                            rec.CustomStr4 = rec.CustomStr3.Substring(900, rec.CustomStr3.Length - 900);
                            rec.CustomStr3 = rec.CustomStr3.Substring(0, 900);
                            L.Log(LogType.FILE, LogLevel.INFORM, "Recipient length longer than 900. Data has been shared among other table fields.");
                        }
                    }
                    catch (Exception ex)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for message ORCPTS: " + args.Message + " \nEx: " + ex.Message);
                        return;
                    }
                }
                else if (Desc[5].Contains("|ATTACH|"))
                {
                    try
                    {
                        rec.UserName = "******";
                        string[] descText = Desc[5].Split('|');
                        rec.EventCategory = "MESSAGE ATTACH";
                        rec.CustomStr5 = descText[0]; //Message ID
                        rec.CustomStr6 = descText[1]; //Audit ID
                        for (int i = 3; i < descText.Length; i++)
                        {
                            rec.CustomStr3 += descText[i] + ",";
                        }
                        rec.CustomStr3 = rec.CustomStr3.TrimEnd(",".ToCharArray()); // Attached Documents
                        if (rec.CustomStr3.Length > 900)
                        {
                            rec.CustomStr3 = rec.CustomStr3.Substring(0, 895) + "...";
                            L.Log(LogType.FILE, LogLevel.INFORM, "Attachment length too long. Only 895 characters taken..");
                        }
                    }
                    catch (Exception ex)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "Unknown format for message ATTACH: " + args.Message + " \nEx: " + ex.Message);
                        return;
                    }
                }
                else
                {
                    // Unrecognised keyword: the whole tail is kept in Description only.
                    rec.UserName = "******";
                    L.Log(LogType.FILE, LogLevel.DEBUG, "Just put in description column. Ignored format: " + args.Message);
                }
                lastIndexForDesc = 5;
            }
        }
        else
        {
            L.Log(LogType.FILE, LogLevel.DEBUG, "Just put in description column. Very short message: " + args.Message);
            lastIndexForDesc = 5;
        }
        // Re-join the unconsumed pieces with ':' (Description starts null; null + string yields
        // the string) and cut to 900 chars. NOTE(review): no quote substitution is applied here,
        // unlike the generic recorder; whether that matters depends on how SetData stores it.
        for (int i = lastIndexForDesc; i < Desc.Length; i++)
        {
            rec.Description += Desc[i] + ":";
        }
        rec.Description = rec.Description.TrimEnd(":".ToCharArray());
        if (rec.Description.Length > 900)
        {
            rec.Description = rec.Description.Substring(0, 900);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
        // usingRegistry, Dal, virtualhost and Id are class fields defined elsewhere.
        if (usingRegistry)
        {
            CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
            s.SetData(rec);
        }
        else
        {
            CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
            s.SetData(Dal, virtualhost, rec);
            s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
    }
    catch (Exception er)
    {
        L.LogTimed(LogType.FILE, LogLevel.ERROR, er.ToString());
    }
}
/// <summary>
/// Syslog event handler for the McAfee UTM recorder: fills the common record fields, lets
/// <c>CoderParse</c> (a class helper defined elsewhere) extract the device-specific ones, and
/// forwards the record to the remote recorder service.
/// </summary>
/// <param name="args">Event data from the log manager; <c>Message</c> and <c>Source</c> are read.</param>
void SlogSyslogEvent(LogMgrEventArgs args)
{
    try
    {
        _log.Log(LogType.FILE, LogLevel.DEBUG, " SlogSyslogEvent() --> is STARTED");
        _log.Log(LogType.FILE, LogLevel.DEBUG, " SlogSyslogEvent() --> will parse data : " + args.Message);

        string message = args.Message;
        // Description keeps at most 894 chars when the message exceeds 895 (limit as written;
        // presumably the column width). A null Message throws here and is logged by the catch.
        string description = message.Length > 895 ? message.Substring(0, 894) : message;

        var rec = new CustomBase.Rec
        {
            LogName = "MCAffeeUTMSyslogRecorder",
            Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss"),
            SourceName = args.Source,
            Description = description,
        };

        // Device-specific fields are filled in place.
        CoderParse(message, ref rec);

        // _dal, _virtualHost and _id are class fields defined elsewhere.
        var recorder = base.GetInstanceService("Security Manager Remote Recorder");
        recorder.SetData(_dal, _virtualHost, rec);
        recorder.SetReg(_id, rec.Datetime, "", "", "", rec.Datetime);

        _log.Log(LogType.FILE, LogLevel.DEBUG, " SlogSyslogEvent() --> is succesfully FINISHED.");
    }
    catch (Exception ex)
    {
        _log.Log(LogType.FILE, LogLevel.ERROR, " SlogSyslogEvent() --> An error occurred : " + ex.ToString());
    }
}
/// <summary>
/// Syslog handler for the Trend Micro InterScan Web Gateway recorder. Splits the raw line on commas
/// into <c>tk_*</c> key/value tokens (and on whitespace for the syslog header), maps a fixed set of
/// keys onto the record's columns depending on the facility/severity token, and forwards the record
/// to the "Security Manager Remote Recorder" service. Parse failures inside the inner try are logged
/// at DEBUG level only, and in that case the record is not sent.
/// </summary>
/// <param name="args">Event carrying the raw syslog message.</param>
void slog_SyslogEvent(LogMgrEventArgs args)
{
    L.Log(LogType.FILE, LogLevel.INFORM, "Log Parsing is starte. Line is: " + args.Message);
    string line = args.Message;
    Rec rec = new Rec();
    try
    {
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
        try
        {
            rec.LogName = "TrendMicroInterScanWebGatewayV_1_0_0Recorder";
            // Receive time as a fallback; replaced below if the device timestamp in lineArr[1] parses.
            rec.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");
            // Comma-separated tk_* tokens, plus a whitespace split of the same line for the syslog header.
            string[] lineArr = line.Split(',');
            string[] lineArrAlternate = SpaceSplit(line, false);
            for (int i = 0; i < lineArr.Length; i++)
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, "lineArr: " + lineArr[i]);
            }
            for (int i = 0; i < lineArrAlternate.Length; i++)
            {
                // NOTE(review): iterates lineArrAlternate's bounds but logs lineArr[i] — almost certainly meant
                // lineArrAlternate[i]. When the whitespace split is longer than the comma split this throws
                // IndexOutOfRangeException and the record is dropped (caught below, logged only at DEBUG).
                L.Log(LogType.FILE, LogLevel.DEBUG, "lineArrAlternate: " + lineArr[i]);
            }
            // Facility.severity token (e.g. "local0.info") selects which tk_* mapping applies below.
            // No length check: fewer than three whitespace tokens throws here and drops the record.
            rec.EventCategory = lineArrAlternate[2];
            // Event name sits between the closing ']' of the bracketed tag and the first "tk_username" token.
            rec.EventType = Between(lineArr[2], "]", "tk_username", 0);
            try
            {
                // Convert.ToDateTime is culture-dependent; presumably relies on the service culture matching
                // the device timestamp format — confirm.
                DateTime dt = Convert.ToDateTime(lineArr[1]);
                rec.Datetime = dt.ToString(dateFormat);
                L.Log(LogType.FILE, LogLevel.DEBUG, "Datetime: " + rec.Datetime);
            }
            catch (Exception exception)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, "Datetime Convert error: " + exception.Message);
            }
            // One pass over the comma tokens; each known tk_* key maps to a fixed column. Unknown keys are
            // ignored and survive only inside Description.
            for (int i = 0; i < lineArr.Length; i++)
            {
                // NOTE(review): this condition is damaged in the listing ("******" redaction). Given the later
                // use of rec.UserName it presumably extracted tk_username into rec.UserName ahead of the
                // tk_protocol check — confirm against the source file.
                if (lineArr[i].StartsWith("tk_username="******"tk_username="******"tk_username="******"UserName: "******"tk_protocol="))
                {
                    rec.CustomStr5 = GetValue(lineArr[i], "tk_protocol=");
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr5: " + rec.CustomStr5);
                }
                if (lineArr[i].StartsWith("tk_uid="))
                {
                    rec.CustomStr9 = GetValue(lineArr[i], "tk_uid=");
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr9: " + rec.CustomStr9);
                }
                // Access-tracking events (local0.info): server, operation, addresses, MIME type, URL parts, size, category.
                if (lineArrAlternate[2] == "local0.info")
                {
                    if (lineArr[i].StartsWith("tk_server="))
                    {
                        rec.ComputerName = GetValue(lineArr[i], "tk_server=");
                        L.Log(LogType.FILE, LogLevel.DEBUG, "ComputerName: " + rec.ComputerName);
                    }
                    // Author's sample line for this branch:
                    //10.20.1.122:34970 : local0.info iwsva1.dpt.gov.tr: <Tue, 08 Oct 2013 14:32:16,EEST> [EVT_URL_ACCESS_TRACKING|LOG_INFO] Access tracking log tk_username=10.10.11.39,tk_url=http://haber10.com/images/news/100x75/421378.jpg,tk_size=0,tk_date_field=2013-10-08 14:32:16+0300,tk_protocol=http,tk_mime_content=unknown/unknown,tk_server=iwsva1.dpt.gov.tr,tk_client_ip=10.10.11.39,tk_server_ip=176.53.59.192,tk_domain=haber10.com,tk_path=images/news/100x75/421378.jpg,tk_file_name=421378.jpg,tk_operation=GET,tk_uid=1159564668-d32bfc31cafb9b079c18,tk_category=46,tk_category_type=0
                    if (lineArr[i].StartsWith("tk_operation="))
                    {
                        rec.CustomStr1 = GetValue(lineArr[i], "tk_operation=");
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr1: " + rec.CustomStr1);
                    }
                    if (lineArr[i].StartsWith("tk_client_ip="))
                    {
                        rec.CustomStr3 = GetValue(lineArr[i], "tk_client_ip=");
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
                    }
                    if (lineArr[i].StartsWith("tk_server_ip="))
                    {
                        rec.CustomStr4 = GetValue(lineArr[i], "tk_server_ip=");
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4: " + rec.CustomStr4);
                    }
                    if (lineArr[i].StartsWith("tk_mime_content="))
                    {
                        rec.CustomStr6 = GetValue(lineArr[i], "tk_mime_content=");
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr6: " + rec.CustomStr6);
                    }
                    if (lineArr[i].StartsWith("tk_domain="))
                    {
                        rec.CustomStr7 = GetValue(lineArr[i], "tk_domain=");
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr7: " + rec.CustomStr7);
                    }
                    if (lineArr[i].StartsWith("tk_path="))
                    {
                        rec.CustomStr8 = GetValue(lineArr[i], "tk_path=");
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr8: " + rec.CustomStr8);
                    }
                    if (lineArr[i].StartsWith("tk_url="))
                    {
                        rec.CustomStr10 = GetValue(lineArr[i], "tk_url=");
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr10: " + rec.CustomStr10);
                    }
                    // Numeric columns: a non-integer value is logged at DEBUG and the column is left unset.
                    try
                    {
                        if (lineArr[i].StartsWith("tk_size="))
                        {
                            rec.CustomInt1 = Convert.ToInt32(GetValue(lineArr[i], "tk_size="));
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt1: " + rec.CustomInt1);
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt1 Type Casting Error: " + exception.Message);
                    }
                    try
                    {
                        if (lineArr[i].StartsWith("tk_category="))
                        {
                            rec.CustomInt2 = Convert.ToInt32(GetValue(lineArr[i], "tk_category="));
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt2: " + rec.CustomInt2);
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt2 Type Casting Error: " + exception.Message);
                    }
                    try
                    {
                        if (lineArr[i].StartsWith("tk_category_type="))
                        {
                            rec.CustomInt3 = Convert.ToInt32(GetValue(lineArr[i], "tk_category_type="));
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt3: " + rec.CustomInt3);
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt3 Type Casting Error: " + exception.Message);
                    }
                }
                // Blocking/critical events (local0.critical): URL, scan type, blocking component, rule, category.
                // Note the column layout differs from the local0.info branch (e.g. tk_url -> CustomStr2 here).
                if (lineArrAlternate[2] == "local0.critical")
                {
                    if (lineArr[i].StartsWith("tk_url="))
                    {
                        rec.CustomStr2 = GetValue(lineArr[i], "tk_url=");
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2: " + rec.CustomStr2);
                    }
                    if (lineArr[i].StartsWith("tk_scan_type="))
                    {
                        rec.CustomStr6 = GetValue(lineArr[i], "tk_scan_type=");
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr6: " + rec.CustomStr6);
                    }
                    if (lineArr[i].StartsWith("tk_blocked_by="))
                    {
                        rec.CustomStr7 = GetValue(lineArr[i], "tk_blocked_by=");
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr7: " + rec.CustomStr7);
                    }
                    // Matches the bare key (no '='), unlike the other checks; GetValue still strips "tk_rule_name=".
                    if (lineArr[i].StartsWith("tk_rule_name"))
                    {
                        rec.CustomStr8 = GetValue(lineArr[i], "tk_rule_name=");
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr8: " + rec.CustomStr8);
                    }
                    // Second look at tk_url: presumably isolates the host part (after "http://", before the next '/')
                    // into CustomStr1 — depends on the Between/Before helpers' semantics.
                    if (lineArr[i].StartsWith("tk_url="))
                    {
                        string sdf = GetValue(lineArr[i], "tk_url=");
                        string sdfg = Between(sdf, "http://", "/", 0);
                        rec.CustomStr1 = Before(sdfg, "/", 0);
                    }
                    // Category is kept as text here (it is an int column in the local0.info branch).
                    if (lineArr[i].StartsWith("tk_category="))
                    {
                        rec.CustomStr10 = GetValue(lineArr[i], "tk_category=");
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr10: " + rec.CustomStr10);
                    }
                    try
                    {
                        if (lineArr[i].StartsWith("tk_opp_id="))
                        {
                            rec.CustomInt5 = Convert.ToInt32(GetValue(lineArr[i], "tk_opp_id="));
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt5: " + rec.CustomInt5);
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt5 Type Casting Error: " + exception.Message);
                    }
                    try
                    {
                        if (lineArr[i].StartsWith("tk_filter_action="))
                        {
                            rec.CustomInt6 = Convert.ToInt32(GetValue(lineArr[i], "tk_filter_action="));
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt6: " + rec.CustomInt6);
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt6 Type Casting Error: " + exception.Message);
                    }
                }
            }
            // Description column is capped at 899 characters.
            if (line.Length > 899)
                rec.Description = line.Substring(0, 899);
            else
                rec.Description = line;
            // rec.Description = rec.Description.Replace("'", "|");
            L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
            // NOTE(review): duplicated log line below.
            L.Log(LogType.FILE, LogLevel.INFORM, "Start sending Data: " + rec.UserName);
            L.Log(LogType.FILE, LogLevel.INFORM, "Start sending Data: " + rec.UserName);
            CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
            s.SetData(Dal, virtualhost, rec);
            s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
            L.Log(LogType.FILE, LogLevel.INFORM, "Finish Sending Data");
        }
        catch (Exception e)
        {
            // NOTE(review): a failure anywhere above means the record is never sent, yet this is logged at DEBUG only.
            L.Log(LogType.FILE, LogLevel.DEBUG, "ERROR------------");
            L.Log(LogType.FILE, LogLevel.DEBUG, e.Message);
            L.Log(LogType.FILE, LogLevel.DEBUG, e.StackTrace);
        }
    }
    catch (Exception er)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
        L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
    }
}
/// <summary>
/// Syslog handler for the Zimbra mail recorder. Decodes the raw line, matches it against
/// <c>RegInputLine</c> and, when it matches, copies the key=value pairs found by <c>RegField</c>
/// into the record's custom columns; columns 6-8 hold proto/helo (plus the RegSubject captures) for
/// "cleanup" events and size/status/relay for everything else. The record is forwarded to the
/// "Security Manager Remote Recorder" service whether or not the line matched; a parse failure is
/// logged and the raw (truncated) line stays in Description.
/// </summary>
/// <param name="args">Event carrying the raw syslog message.</param>
void slog_SyslogEvent(LogMgrEventArgs args)
{
    var rec = new Rec();
    L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
    L.Log(LogType.FILE, LogLevel.DEBUG, " Log : " + args.Message);
    try
    {
        try
        {
            rec.LogName = "ZimbraMailSyslogV_1_0_0Recorder";
            rec.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");

            L.Log(LogType.FILE, LogLevel.DEBUG, " Decoding Line");
            var decoded = new StringBuilder();
            DecodeLine(decoded, args.Message);
            L.Log(LogType.FILE, LogLevel.DEBUG, " Decode Complete. Processing Line..");
            var line = decoded.ToString();

            // Description column is capped at 900 characters.
            rec.Description = line.Length > 900 ? line.Substring(0, 900) : line;

            L.Log(LogType.FILE, LogLevel.DEBUG, " Check Line match");
            var header = RegInputLine.Match(line);
            if (!header.Success)
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, " No match. Insert in raw");
            }
            else
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, "Line match Ok, split accordingly");

                // Group 6 is the message body; the text before its first ": " becomes CustomStr1
                // (empty when there is no separator, or when it sits at position 0).
                var body = header.Groups[6].Value;
                var idEnd = body.IndexOf(": ");
                rec.CustomStr1 = idEnd > 0 ? body.Substring(0, idEnd).Trim() : string.Empty;
                rec.CustomStr2 = header.Groups[4].Value.Trim();

                // Group 5 is the category; RegCategory narrows it to its group 3 when it matches.
                var categoryMatch = RegCategory.Match(header.Groups[5].Value);
                rec.EventCategory = categoryMatch.Success ? categoryMatch.Groups[3].Value : header.Groups[5].Value;
                // EventCategory is fixed from here on, so the cleanup test can be decided once.
                var isCleanup = rec.EventCategory == "cleanup";

                for (var field = RegField.Match(body); field.Success; field = field.NextMatch())
                {
                    L.Log(LogType.FILE, LogLevel.DEBUG, "Getting sub part value");
                    var value = GetMatchValue(field, 3, 6, string.Empty).Trim();
                    L.Log(LogType.FILE, LogLevel.DEBUG, "Sub Part: " + value);

                    var key = field.Groups[1].Value;
                    if (key == "to")
                    {
                        rec.CustomStr4 = value;
                    }
                    else if (key == "from")
                    {
                        rec.CustomStr5 = value;
                    }
                    else if (key == "nrcpt")
                    {
                        rec.CustomStr9 = value;
                    }
                    else if (key == "delay")
                    {
                        rec.CustomStr10 = value;
                    }
                    else if (isCleanup)
                    {
                        // cleanup events: columns 6/7 carry proto/helo.
                        if (key == "proto")
                        {
                            rec.CustomStr6 = value;
                        }
                        else if (key == "helo")
                        {
                            rec.CustomStr7 = value;
                        }
                    }
                    else
                    {
                        // every other event: columns 6/7/8 carry size/status/relay.
                        if (key == "size")
                        {
                            rec.CustomStr6 = value;
                        }
                        else if (key == "status")
                        {
                            rec.CustomStr7 = value;
                        }
                        else if (key == "relay")
                        {
                            rec.CustomStr8 = value;
                        }
                    }
                }

                if (isCleanup)
                {
                    // RegSubject supplies CustomStr3/CustomStr8 for cleanup events (see that pattern for what the groups hold).
                    var subjectMatch = RegSubject.Match(body);
                    if (subjectMatch.Success)
                    {
                        rec.CustomStr3 = GetMatchValue(subjectMatch, 1, 1, string.Empty).Trim();
                        rec.CustomStr8 = GetMatchValue(subjectMatch, 3, 3, string.Empty).Trim();
                    }
                }
            }
        }
        catch (Exception e)
        {
            L.Log(LogType.FILE, LogLevel.ERROR, "ERROR------------");
            L.Log(LogType.FILE, LogLevel.ERROR, e.Message);
            L.Log(LogType.FILE, LogLevel.ERROR, e.StackTrace);
        }

        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
        var recorder = GetInstanceService("Security Manager Remote Recorder");
        recorder.SetData(Dal, virtualhost, rec);
        recorder.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
    }
    catch (Exception er)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
        L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
    }
}
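/// <summary>
/// Syslog handler for the Squid recorder. Whitespace-splits the raw line, derives the timestamp
/// from the syslog header, then maps the fields of either a <c>squid</c> access entry or a
/// <c>pf</c> firewall entry (chosen by token 6) onto the record's columns and forwards the record
/// to the "Security Manager Remote Recorder" service. Every column is parsed in its own try block,
/// so one bad token costs only that column and is logged, never the whole record.
/// </summary>
/// <param name="args">Event carrying the raw syslog message.</param>
public void SlogSquidSyslogRecorder(LogMgrEventArgs args)
{
    L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
    L.Log(LogType.FILE, LogLevel.DEBUG, "Line Onur : " + args.Message);
    try
    {
        CustomBase.Rec rec = new CustomBase.Rec();
        try
        {
            rec.LogName = "SquidSyslogV_1_0_1Recorder";
            string[] lineArr = SpaceSplit(args.Message, false);

            ParseSyslogTimestamp(lineArr, ref rec);

            if (lineArr.Length > 6 && lineArr[6].StartsWith("squid"))
            {
                ParseSquidFields(lineArr, ref rec);
            }
            else if (lineArr.Length > 6 && lineArr[6].StartsWith("pf"))
            {
                ParsePfFields(lineArr, ref rec);
            }

            // Description column is capped at 899 characters; the full line is still logged below.
            if (args.Message.Length > 899)
            {
                rec.Description = args.Message.Substring(0, 899);
                L.Log(LogType.FILE, LogLevel.DEBUG, "Description truncated to 899 characters");
            }
            else
            {
                rec.Description = args.Message;
            }
            L.Log(LogType.FILE, LogLevel.INFORM, "Log : " + args.Message);
        }
        catch (Exception e)
        {
            L.Log(LogType.FILE, LogLevel.ERROR, "ERROR------------");
            L.Log(LogType.FILE, LogLevel.ERROR, e.Message);
            L.Log(LogType.FILE, LogLevel.ERROR, e.StackTrace);
        }

        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
        // NOTE: if the timestamp did not parse, rec.Datetime is still unset here and is handed to SetReg as-is.
        CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
        s.SetData(Dal, virtualhost, rec);
        s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
    }
    catch (Exception er)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
        L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
    }
}

/// <summary>
/// Sets <c>rec.Datetime</c> from syslog header tokens 3..5. The line carries no year, so the
/// current year is assumed (events from late December read shortly after New Year get the wrong year).
/// A parse failure is logged and leaves <c>rec.Datetime</c> untouched.
/// </summary>
/// <param name="lineArr">Whitespace-split syslog line.</param>
/// <param name="rec">Record to fill; by ref so assignments stick even if Rec is a value type.</param>
private void ParseSyslogTimestamp(string[] lineArr, ref CustomBase.Rec rec)
{
    try
    {
        // Token order and separators are kept exactly as the recorder has always built them.
        // Convert.ToDateTime is culture-dependent — presumably relies on the service culture; confirm.
        string myDateTimeString = lineArr[4] + lineArr[3] + "," + DateTime.Now.Year + "," + lineArr[5];
        DateTime dt = Convert.ToDateTime(myDateTimeString);
        rec.Datetime = dt.ToString(dateFormat);
        L.Log(LogType.FILE, LogLevel.DEBUG, "Datetime: " + rec.Datetime);
    }
    catch (Exception exception)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, "Datetime Error. " + exception.ToString());
    }
}

/// <summary>
/// Maps a squid access entry (token 6 starts with "squid") onto <paramref name="rec"/>.
/// Each column is parsed independently; a failure logs an error and leaves that column unset.
/// </summary>
/// <param name="lineArr">Whitespace-split syslog line; callers guarantee at least 7 tokens.</param>
/// <param name="rec">Record to fill; by ref so assignments stick even if Rec is a value type.</param>
private void ParseSquidFields(string[] lineArr, ref CustomBase.Rec rec)
{
    try
    {
        // Token 10 is a "name/number" pair (presumably squid's result code and HTTP status).
        if (lineArr.Length > 10 && lineArr[10].Contains("/"))
        {
            string[] resultStatus = lineArr[10].Split('/');
            rec.EventCategory = resultStatus[0];
            rec.CustomInt1 = Convert.ToInt32(resultStatus[1]);
            L.Log(LogType.FILE, LogLevel.DEBUG, "EventCategory: " + rec.EventCategory);
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt1: " + rec.CustomInt1);
        }
    }
    catch (Exception exception)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, "EventCategory or CustomInt1 Error. " + exception.ToString());
    }

    try
    {
        if (lineArr.Length > 12)
        {
            rec.EventType = lineArr[12];
            L.Log(LogType.FILE, LogLevel.DEBUG, "EventType: " + rec.EventType);
        }
    }
    catch (Exception exception)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, "EventType Error. " + exception.ToString());
    }

    try
    {
        if (lineArr.Length > 0)
        {
            rec.ComputerName = lineArr[0];
            L.Log(LogType.FILE, LogLevel.DEBUG, "ComputerName: " + rec.ComputerName);
        }
    }
    catch (Exception exception)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, "ComputerName Error. " + exception.ToString());
    }

    try
    {
        // Last token of the line.
        rec.CustomStr2 = lineArr[lineArr.Length - 1];
        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2: " + rec.CustomStr2);
    }
    catch (Exception exception)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr2 Error. " + exception.ToString());
    }

    try
    {
        if (lineArr.Length > 9)
        {
            rec.CustomStr3 = lineArr[9];
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
        }
    }
    catch (Exception exception)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr3 Error. " + exception.ToString());
    }

    try
    {
        // Token 15: "a/b" is split across CustomStr4/CustomStr7, a bare value goes to CustomStr4 only.
        if (lineArr.Length > 15)
        {
            if (lineArr[15].Contains("/"))
            {
                string[] pair = lineArr[15].Split('/');
                rec.CustomStr4 = pair[0];
                rec.CustomStr7 = pair[1];
            }
            else
            {
                rec.CustomStr4 = lineArr[15];
            }
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4: " + rec.CustomStr4);
        }
    }
    catch (Exception exception)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr4 or CustomStr7 Error. " + exception.ToString());
    }

    try
    {
        // Token 13 is the request target. Absolute URLs: host -> CustomStr8, remainder -> CustomStr9.
        // Anything else of the form host:port: host -> CustomStr8, port -> CustomInt2.
        // The outer check is only a bounds check so that the host:port branch is reachable.
        if (lineArr.Length > 13)
        {
            string target = lineArr[13];
            if (target.StartsWith("http"))
            {
                string afterScheme = After(target, "://");
                string host = Before(afterScheme, "/");
                rec.CustomStr8 = host;
                rec.CustomStr9 = After(target, host);
                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr8: " + rec.CustomStr8);
                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr9: " + rec.CustomStr9);
            }
            else if (target.Contains(":"))
            {
                string[] hostPort = target.Split(':');
                rec.CustomStr8 = hostPort[0];
                rec.CustomInt2 = Convert.ToInt32(hostPort[1]);
            }
        }
    }
    catch (Exception exception)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr8 or CustomStr9 Error. " + exception.ToString());
    }
}

/// <summary>
/// Maps a pf firewall entry (token 6 starts with "pf") onto <paramref name="rec"/>.
/// Each column is parsed independently; a failure logs an error and leaves that column unset.
/// </summary>
/// <param name="lineArr">Whitespace-split syslog line; callers guarantee at least 7 tokens.</param>
/// <param name="rec">Record to fill; by ref so assignments stick even if Rec is a value type.</param>
private void ParsePfFields(string[] lineArr, ref CustomBase.Rec rec)
{
    try
    {
        if (lineArr.Length > 13)
        {
            rec.SourceName = lineArr[13];
            L.Log(LogType.FILE, LogLevel.DEBUG, "SourceName: " + rec.SourceName);
        }
    }
    catch (Exception exception)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, "SourceName Error. " + exception.ToString());
    }

    try
    {
        if (lineArr.Length > 25)
        {
            rec.EventCategory = lineArr[25];
            L.Log(LogType.FILE, LogLevel.DEBUG, "EventCategory: " + rec.EventCategory);
        }
    }
    catch (Exception exception)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, "EventCategory Error. " + exception.ToString());
    }

    try
    {
        if (lineArr.Length > 10)
        {
            rec.EventType = lineArr[10];
            L.Log(LogType.FILE, LogLevel.DEBUG, "EventType: " + rec.EventType);
        }
    }
    catch (Exception exception)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, "EventType Error. " + exception.ToString());
    }

    try
    {
        if (lineArr.Length > 0)
        {
            rec.ComputerName = lineArr[0];
            L.Log(LogType.FILE, LogLevel.DEBUG, "ComputerName : " + rec.ComputerName);
        }
    }
    catch (Exception exception)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, "ComputerName Error. " + exception.ToString());
    }

    try
    {
        // Token 29 up to its first '.' (Before/After helpers with an occurrence index; semantics are theirs).
        if (lineArr.Length > 29)
        {
            rec.CustomStr3 = Before(lineArr[29], ".", 1);
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3 : " + rec.CustomStr3);
        }
    }
    catch (Exception exception)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr3 Error. " + exception.ToString());
    }

    try
    {
        // Token 31: part before the '.' -> CustomStr7; the rest, with ':' blanked out, is parsed as CustomInt2.
        if (lineArr.Length > 31)
        {
            rec.CustomStr7 = Before(lineArr[31], ".", 1);
            string int2 = After(lineArr[31], ".", 0).Replace(":", " ").Trim();
            rec.CustomInt2 = Convert.ToInt32(int2);
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr7: " + rec.CustomStr7);
        }
    }
    catch (Exception exception)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr7 or CustomInt2 Error. " + exception.ToString());
    }
}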
void slog_SyslogEvent(LogMgrEventArgs args) { CustomBase.Rec rec = new CustomBase.Rec(); try { L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record"); rec.LogName = "CiscoPixSyslog Recorder"; rec.Datetime = DateTime.Now.AddMinutes(zone).ToString("yyyy/MM/dd HH:mm:ss"); rec.EventType = args.EventLogEntType.ToString(); //rec.Description = args.Message; String[] Desc = args.Message.Split(':'); if (args.Message == "") { L.Log(LogType.FILE, LogLevel.INFORM, "Message is null " + args.Message); return; } if (Desc.Length < 6) { L.Log(LogType.FILE,LogLevel.ERROR,"Error parsing message for 6: "+args.Message); return; } for (Int32 i = 0; i < Desc.Length; ++i) { Desc[i] = Desc[i].Trim(); } //Parsing PIX //Remove % Desc[5] = Desc[5].TrimStart('%'); String[] pixArr = Desc[5].Split('-'); if(pixArr.Length < 2) { L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 2:" + args.Message); return; } //rec.CustomStr4 = pixArr[0] + "-" + pixArr[1]; //Common fields for all pix records //Parsing Date Field String [] dateArr = SpaceSplit(Desc[2]); if(dateArr.Length < 4) { L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 4: " + args.Message); return; } StringBuilder dateString = new StringBuilder(); //Date dateString.Append(dateArr[1]).Append(" ").Append(dateArr[2]).Append(" ").Append(dateArr[3]).Append(" "); //Time dateString.Append(dateArr[4]).Append(":").Append(Desc[3]).Append(":").Append(Desc[4]); DateTime dt = DateTime.Parse(dateString.ToString()); rec.Datetime = dt.ToString("yyyy/MM/dd HH:mm:ss"); //Uncommon fields for all pix records //Now Parse with id rec.EventId = Convert.ToInt64(pixArr[2]); switch (pixArr[2]) { case "106001"://Untested { String[] arrInbound = Desc[6].Split(' '); Int32 firstIp = 0; Int32 secondIp = 0; bool first = true; for (Int32 i = 0; i < arrInbound.Length; i++) { if (arrInbound[i].Contains("/")) { if (first) { firstIp = i; first = false; } else { secondIp = i; break; } } } StringBuilder customStr2 = new StringBuilder(); for (Int32 
i = 0; i < firstIp; i++) { customStr2.Append(arrInbound[i]).Append(" "); } rec.CustomStr2 = customStr2.ToString().Trim(); StringBuilder customStr4 = new StringBuilder(); for (Int32 i = firstIp + 1; i < secondIp; i++) { customStr4.Append(arrInbound[i]).Append(" "); } rec.CustomStr7 = customStr4.ToString().Trim(); String[] arrInboundIp = arrInbound[firstIp].Split('/'); rec.CustomStr3 = arrInboundIp[0]; rec.CustomInt1 = Convert.ToInt32(arrInboundIp[1]); StringBuilder customStr6 = new StringBuilder(); for (Int32 i = secondIp + 1; i < arrInbound.Length; i++) { customStr6.Append(arrInbound[i]).Append(" "); } rec.Description = customStr6.ToString().Trim(); String[] arrInboundDescIp = arrInbound[secondIp].Split('/'); rec.CustomStr6 = arrInboundDescIp[0]; rec.CustomInt3 = Convert.ToInt32(arrInboundDescIp[1]); } break; case "106015": case "302020": case "302021": { String[] arrInbound = Desc[6].Split(' '); Int32 firstIp = 0; Int32 secondIp = 0; bool first = true; for (Int32 i = 0; i < arrInbound.Length; i++) { if (arrInbound[i].Contains("/")) { if (first) { firstIp = i; first = false; } else { secondIp = i; break; } } } StringBuilder customStr2 = new StringBuilder(); for (Int32 i = 0; i < firstIp; i++) { customStr2.Append(arrInbound[i]).Append(" "); } rec.CustomStr2 = customStr2.ToString().Trim(); StringBuilder customStr4 = new StringBuilder(); for (Int32 i = firstIp + 1; i < secondIp; i++) { customStr4.Append(arrInbound[i]).Append(" "); } rec.CustomStr4 = customStr4.ToString().Trim(); String[] arrInboundIp = arrInbound[firstIp].Split('/'); rec.CustomStr3 = arrInboundIp[0]; rec.CustomInt1 = Convert.ToInt32(arrInboundIp[1]); StringBuilder customStr6 = new StringBuilder(); for (Int32 i = secondIp + 1; i < arrInbound.Length; i++) { customStr6.Append(arrInbound[i]).Append(" "); } rec.Description = customStr6.ToString().Trim(); String[] arrInboundDescIp = arrInbound[secondIp].Split('/'); rec.CustomStr5 = arrInboundDescIp[0]; rec.CustomInt3 = Convert.ToInt32(arrInboundDescIp[1]); 
} break; /* { String[] arrDenyInbound = Desc[6].Split(' '); Int32 firstIpDenyInbound = 0; Int32 secondIpDenyInbound = 0; bool firstDenyInbound = true; for (Int32 i = 0; i < arrDenyInbound.Length; i++) { if (arrDenyInbound[i].Contains("/")) { if (firstDenyInbound) { firstIpDenyInbound = i; firstDenyInbound = false; } else { secondIpDenyInbound = i; break; } } } StringBuilder customStr2DenyInbound = new StringBuilder(); for (Int32 i = 0; i < firstIpDenyInbound; i++) { customStr2DenyInbound.Append(arrDenyInbound[i]).Append(" "); } rec.CustomStr2 = customStr2DenyInbound.ToString().Trim(); StringBuilder customStr4 = new StringBuilder(); for (Int32 i = firstIpDenyInbound + 1; i < secondIpDenyInbound; i++) { customStr4.Append(arrDenyInbound[i]).Append(" "); } rec.CustomStr4 = customStr4.ToString().Trim(); String[] arrDenyInboundIp = arrDenyInbound[firstIpDenyInbound].Split('/'); rec.CustomStr3 = arrDenyInboundIp[0]; rec.CustomInt1 = Convert.ToInt32(arrDenyInboundIp[1]); StringBuilder customStr6 = new StringBuilder(); for (Int32 i = secondIpDenyInbound + 1; i < arrDenyInbound.Length; i++) { customStr6.Append(arrDenyInbound[i]).Append(" "); } rec.Description = customStr6.ToString().Trim(); String[] arrDenyInboundDescIp = arrDenyInbound[secondIpDenyInbound].Split('/'); rec.CustomStr6 = arrDenyInboundDescIp[0]; rec.CustomInt3 = Convert.ToInt32(arrDenyInboundDescIp[1]); } break; */ case "106021": { String[] arrDeny = Desc[6].Split(' '); rec.CustomStr3 = arrDeny[6]; rec.CustomStr6 = arrDeny[8]; StringBuilder sbTempDeny = new StringBuilder(); for (Int32 i = 1; i < arrDeny.Length; i++) { if (i != 6 && i != 8) { sbTempDeny.Append(arrDeny[i].ToString()); sbTempDeny.Append(" "); } } rec.CustomStr2 = sbTempDeny.ToString().Trim(); } break; case "106006": { String[] arrDeny = Desc[6].Split(' '); String[] arrDenyIp = arrDeny[4].Split('/'); rec.CustomStr3 = arrDenyIp[0]; if (arrDenyIp.Length > 1) rec.CustomInt1 = Convert.ToInt32(arrDenyIp[1]); String[] arrDenyDescIp = 
arrDeny[6].Split('/'); StringBuilder sbTempDeny = new StringBuilder(); for (Int32 i = 1; i < arrDeny.Length; i++) { if (i != 4 && i != 6) { sbTempDeny.Append(arrDeny[i].ToString()); sbTempDeny.Append(" "); } } rec.CustomStr2 = sbTempDeny.ToString().Trim(); rec.CustomStr6 = arrDenyDescIp[0]; if (arrDenyDescIp.Length > 1) rec.CustomInt2 = Convert.ToInt32(arrDenyDescIp[1]); } break; case "106007": { String[] arrDeny = Desc[6].Split(' '); StringBuilder sbTempDeny = new StringBuilder(); for (Int32 i = 1; i < arrDeny.Length; i++) if(i!=4 && i!=6) sbTempDeny.Append(arrDeny[i]).Append(" "); rec.CustomStr2 = sbTempDeny.ToString().Trim(); String[] arrDeny2 = arrDeny[6].Split('/'); String[] arrDeny3 = arrDeny[4].Split('/'); rec.CustomStr6 = arrDeny2[0]; rec.CustomStr3 = arrDeny3[0]; if (arrDeny2.Length > 1) rec.CustomInt2 = Convert.ToInt32(arrDeny2[1]); if (arrDeny3.Length > 1) rec.CustomInt1 = Convert.ToInt32(arrDeny3[1]); } break; case "106017": { try { String[] arrDeny = Desc[6].Split(' '); for (Int32 i = 1; i < 6; i++) rec.CustomStr2 = rec.CustomStr2 + arrDeny[i]; rec.CustomStr3 = arrDeny[7]; rec.CustomStr5 = arrDeny[9]; } catch (Exception e) { L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 106023:" + args.Message); L.Log(LogType.FILE, LogLevel.ERROR, e.ToString()); break; } break; } case "710003": { //Desc[6] = TCP access denied by ACL from 131.162.130.192/43789 to outside //Desc[7] = 193.140.76.0/80 try { String[] spSplit = Desc[6].Split(' '); String[] destIp = Desc[7].Trim().Split('/'); String[] srcIp = spSplit[6].Split('/'); StringBuilder sb = new StringBuilder(); rec.CustomStr3 = srcIp[0]; rec.CustomInt1 = Convert.ToInt32(srcIp[1]); rec.CustomStr6 = destIp[0]; rec.CustomInt2 = Convert.ToInt32(destIp[1]); rec.CustomStr7 = spSplit[7] + spSplit[8]; for (int i = 0; i < 5; i++) { sb.Append(spSplit[i]); } rec.CustomStr2 = sb.ToString(); } catch (Exception e) { L.Log(LogType.FILE, LogLevel.ERROR, Desc[5] + Desc[6]); L.Log(LogType.FILE, LogLevel.ERROR, 
e.ToString()); } } break; case "106016": case "106014": case "106023": { try { rec.CustomStr2 = Desc[6]; String[] arrDeny = Desc[7].Split(' '); String[] arrDenyIp = arrDeny[0].Split('/'); rec.CustomStr3 = arrDenyIp[0]; if(arrDenyIp.Length > 1) rec.CustomInt1 = Convert.ToInt32(arrDenyIp[1]); String[] arrDenyDesc = Desc[8].Split(' '); String[] arrDenyDescIp = arrDenyDesc[0].Split('/'); StringBuilder sbTempDeny = new StringBuilder(); sbTempDeny.Append(rec.CustomStr2).Append(" "); for (Int32 i = 1; i < arrDeny.Length; i++) sbTempDeny.Append(arrDeny[i]).Append(" "); rec.CustomStr2 = sbTempDeny.ToString().Trim(); rec.CustomStr6 = arrDenyDescIp[0]; if(arrDenyDescIp.Length > 1) rec.CustomInt2 = Convert.ToInt32(arrDenyDescIp[1]); StringBuilder sbTempDescDeny = new StringBuilder(); sbTempDescDeny.Append(rec.CustomStr2).Append(" "); for (Int32 i = 1; i < arrDenyDesc.Length; ++i) { sbTempDescDeny.Append(arrDenyDesc[i]).Append(" "); } sbTempDescDeny.Remove(sbTempDescDeny.Length - 1, 1); rec.CustomStr2 = sbTempDescDeny.ToString(); } catch (Exception e) { L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 106023:" + args.Message); L.Log(LogType.FILE, LogLevel.ERROR, e.ToString()); break; } break; } case "715001": { String[] x1 = Desc[6].Split(' '); String[] x2 = Desc[7].Split('/'); try { //CustomStr7 is --> to outside || to inside //CustomStr3 --> SourceIP //CustomInt1 is --> SourcePort if (x1.Length > 5) { StringBuilder desc = new StringBuilder(); desc.Append(x1[0]); desc.Append(' '); desc.Append(x1[1]); desc.Append(' '); desc.Append(x1[2]); desc.Append(' '); desc.Append(x1[3]); String[] part1 = x1[4].Split('/'); rec.CustomStr3 = part1[0]; rec.CustomInt1 = Convert.ToInt32(part1[1]); rec.CustomStr2 = desc.ToString(); rec.CustomStr7 = x1[5] + x1[6]; } if (x2.Length > 2) { //CustomStr6 --> DestIP //CustomInt6 is --> DestPort String[] part2 = x2[0].Split('/'); rec.CustomStr6 = part2[0]; if (part2.Length > 1) rec.CustomInt6 = Convert.ToInt32(part2[1].Trim()); } } catch { 
} } break; case "305009": { String[] x1 = Desc[6].Split(' '); String[] x2 = Desc[7].Split(' '); try { if (x1.Length > 4) { StringBuilder desc = new StringBuilder(); desc.Append(x1[0]); desc.Append(' '); desc.Append(x1[1]); desc.Append(' '); desc.Append(x1[2]); desc.Append(' '); desc.Append(x1[3]); rec.CustomStr2 = desc.ToString(); rec.CustomStr7 = x1[4]; } if (x2.Length > 2) { String[] part2 = x2[0].Split('/'); StringBuilder dest = new StringBuilder(); for (int k = 1; k < x2.Length; k++) { dest.Append(x2[k].Trim()); } //CustomStr7 is --> to outside || to inside //CustomStr3 --> SourceIP //CustomInt1 is --> SourcePort rec.CustomStr7 += dest.ToString(); rec.CustomStr3 = part2[0].Trim(); if (part2.Length > 1) rec.CustomInt1 = Convert.ToInt32(part2[1].Trim()); } //CustomStr6 --> DestIP //CustomInt6 is --> DestPort rec.CustomStr6 = Desc[8].ToString(); } catch { } } break; case "302015"://Tested { String[] arrInbound = Desc[6].Split(':'); String[] x1 = null; String[] x2 = null; String[] x3 = null; if (arrInbound.Length > 2) { x1 = arrInbound[0].Trim().Split(' '); x2 = arrInbound[1].Trim().Split(' '); x3 = arrInbound[2].Trim().Split(' '); } else if (arrInbound.Length == 1 && Desc.Length > 7) { x1 = Desc[6].Split(' '); x2 = Desc[7].Split(' '); x3 = Desc[8].Split(' '); } else { L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 302015:" + args.Message); } //CustomStr --> Description Ex:Built Outbound TCP Connection //CustomInt2 --> SessionID //CustomStr7 --> to outside || to inside try { if (x1.Length > 6) { StringBuilder desc = new StringBuilder(); desc.Append(x1[0]); desc.Append(' '); desc.Append(x1[1]); desc.Append(' '); desc.Append(x1[2]); desc.Append(' '); desc.Append(x1[3]); rec.CustomStr2 = desc.ToString(); rec.CustomStr1 = x1[4].Trim(); rec.CustomStr7 = x1[6]; } if (x2.Length > 2) { String[] part2 = x2[0].Split('/'); String[] part2dest = x2[1].Trim('(', ')').Split('/'); StringBuilder dest = new StringBuilder(); for (int k = 2; k < x2.Length; k++) { 
dest.Append(x2[k].Trim()); } //CustomStr7 is --> to outside || to inside //CustomStr3 --> SourceIP //CustomStr4 --> XSourceIP //CustomInt1 and CustomInt4 is --> SourcePort and XsourcePort rec.CustomStr7 += dest.ToString(); rec.CustomStr3 = part2[0].Trim(); if (part2.Length > 1) rec.CustomInt1 = Convert.ToInt32(part2[1].Trim()); rec.CustomStr4 = part2dest[0].Trim(); rec.CustomInt4 = Convert.ToInt32(part2dest[1].Trim()); } if (x3.Length > 1) { //CustomStr6 --> DestIP //CustomStr5 --> XDestIP //CustomInt6 and CustomInt5 is --> DestPort and XDestePort String[] part3 = x3[0].Split('/'); String[] part3dest = x3[1].Trim('(', ')').Split('/'); rec.CustomStr6 = part3[0].Trim(); if (part3.Length > 1) rec.CustomInt6 = Convert.ToInt32(part3[1].Trim()); rec.CustomStr5 = part3dest[0].Trim(); rec.CustomInt5 = Convert.ToInt32(part3dest[1].Trim()); } } catch (Exception e) { L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 302015:" + args.Message); L.Log(LogType.FILE, LogLevel.ERROR, e.ToString()); } } break; case "302013": { String[] arrInbound = Desc[6].Split(':'); String[] x1 = null; String[] x2 = null; String[] x3 = null; if (arrInbound.Length > 2) { x1 = arrInbound[0].Trim().Split(' '); x2 = arrInbound[1].Trim().Split(' '); x3 = arrInbound[2].Trim().Split(' '); } else if (arrInbound.Length == 1 && Desc.Length > 7) { x1 = Desc[6].Split(' '); x2 = Desc[7].Split(' '); x3 = Desc[8].Split(' '); } else { L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 302013:" + args.Message); } //CustomStr --> Description Ex:Built Outbound TCP Connection //CustomInt2 --> SessionID //CustomStr7 --> to outside || to inside try { if (x1.Length > 6) { StringBuilder desc = new StringBuilder(); desc.Append(x1[0]); desc.Append(' '); desc.Append(x1[1]); desc.Append(' '); desc.Append(x1[2]); desc.Append(' '); desc.Append(x1[3]); rec.CustomStr2 = desc.ToString(); rec.CustomStr1 = x1[4].Trim(); rec.CustomStr7 = x1[6]; } if (x2.Length > 2) { String[] part2 = x2[0].Split('/'); 
String[] part2dest = x2[1].Trim('(', ')').Split('/'); StringBuilder dest = new StringBuilder(); for (int k = 2; k < x2.Length; k++) { dest.Append(x2[k].Trim()); } //CustomStr7 is --> to outside || to inside //CustomStr6 --> DestIP //CustomStr5 --> XDestIP //CustomInt6 and CustomInt5 is --> DestPort and XDestePort rec.CustomStr7 += dest.ToString(); //rec.CustomStr3 = part2[0].Trim(); rec.CustomStr6 = part2[0].Trim(); if (part2.Length > 1) rec.CustomInt6 = Convert.ToInt32(part2[1].Trim()); //rec.CustomStr4 = part2dest[0].Trim(); rec.CustomStr5 = part2dest[0].Trim(); rec.CustomInt5 = Convert.ToInt32(part2dest[1].Trim()); } if (x3.Length > 1) { //CustomStr3 --> SourceIP //CustomStr4 --> XSourceIP //CustomInt1 and CustomInt4 is --> SourcePort and XsourcePort String[] part3 = x3[0].Split('/'); String[] part3dest = x3[1].Trim('(', ')').Split('/'); rec.CustomStr3 = part3[0].Trim(); if (part3.Length > 1) rec.CustomInt1 = Convert.ToInt32(part3[1].Trim()); rec.CustomStr4 = part3dest[0].Trim(); rec.CustomInt4 = Convert.ToInt32(part3dest[1].Trim()); } } catch (Exception e) { L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 302013:" + args.Message); L.Log(LogType.FILE, LogLevel.ERROR, e.ToString()); } } break; case "305010": case "302016": case "302014": { try { String[] arrInbound = Desc[6].Split(':'); String[] x1 = null; String[] x2 = null; String[] x3 = null; String[] x5 = null; if (arrInbound.Length > 4) { x1 = arrInbound[0].Trim().Split(' '); x2 = arrInbound[1].Trim().Split(' '); x3 = arrInbound[2].Trim().Split(' '); x5 = arrInbound[4].Trim().Split(' '); } else if (arrInbound.Length == 1 && Desc.Length > 10) { x1 = Desc[6].Split(' '); x2 = Desc[7].Split(' '); x3 = Desc[8].Split(' '); x5 = Desc[10].Split(' '); } else { L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 302014:" + args.Message); } //CustomStr2 --> Description Ex:Built Outbound TCP Connection //CustomInt2 --> SessionID //CustomStr7 --> to outside || to inside if (x1.Length > 4) { 
StringBuilder desc = new StringBuilder(); desc.Append(x1[0]); desc.Append(' '); desc.Append(x1[1]); desc.Append(' '); desc.Append(x1[2]); desc.Append(' '); //desc.Append(x1[3]); if (x5.Length > 4) { desc.Append(x5[3]); desc.Append(' '); desc.Append(x5[4]); } rec.CustomStr2 = desc.ToString(); if (x1.Length > 5) { rec.CustomStr7 = x1[5]; rec.CustomStr1 = x1[3].Trim(); } else rec.CustomStr7 = x1[4]; } if (x2.Length > 2) { String[] part2 = x2[0].Split('/'); StringBuilder dest = new StringBuilder(); for (int k = 1; k < x2.Length; k++) { dest.Append(x2[k].Trim()); } //CustomStr7 is --> to outside || to inside //CustomStr3 --> SourceIP //CustomInt1 and CustomInt4 is --> SourcePort and XsourcePort rec.CustomStr7 += dest.ToString(); rec.CustomStr3 = part2[0]; if (part2.Length > 1) rec.CustomInt1 = Convert.ToInt32(part2[1].Trim()); } if (x3.Length > 2 && x5.Length > 2) { //CustomStr6 --> DestIP //CustomStr8 --> Duration //CustomInt6 --> DestPort //CustomInt7 --> Bytes //CustomStr4 is Reset-O String[] part3 = x3[0].Split('/'); rec.CustomStr6 = part3[0]; rec.CustomInt6 = Convert.ToInt32(part3[1].Trim()); StringBuilder duration = new StringBuilder(); duration.Append(x3[2]); duration.Append(':'); duration.Append(Desc[9]); duration.Append(':'); duration.Append(x5[0]); rec.CustomStr8 = duration.ToString(); if(x5.Length > 4) rec.CustomInt7 = Convert.ToInt32(x5[2]); } } catch (Exception e) { L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 302014:" + args.Message); L.Log(LogType.FILE, LogLevel.ERROR, e.ToString()); } } break; case "609001": { try { //Parsing description //CustomStr3 --> localhost //CUstomStr6 --> Dest String[] arrAccess = Desc[6].Split(':'); if (arrAccess.Length > 1) { rec.CustomStr3 = arrAccess[0].Split(' ')[1]; rec.CustomStr6 = arrAccess[1]; } else if (Desc.Length > 7) { rec.CustomStr3 = Desc[6].Split(' ')[1]; rec.CustomStr6 = Desc[7]; } else { rec.Description = args.Message; L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 609001 
-insert into description-:" + args.Message); } rec.Description = Desc[6]; if (Desc.Length > 7) rec.CustomStr2 = Desc[6] +' '+ Desc[7]; } catch (Exception e) { L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 609001:" + args.Message); L.Log(LogType.FILE, LogLevel.ERROR, e.ToString()); } } break; case "609002": { try { //Parsing description //CustomStr3 --> localhost //CUstomStr6 --> Dest //CustomStr8 --> Duration String[] arrAccess = Desc[6].Split(':'); StringBuilder input = new StringBuilder(); if (arrAccess.Length < 4) { if (Desc.Length > 9) { input.Append(Desc[6]); input.Append(':'); input.Append(Desc[7]); input.Append(':'); input.Append(Desc[8]); input.Append(':'); input.Append(Desc[9]); arrAccess = input.ToString().Split(':'); } else { rec.Description = args.Message; L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 609002 -insert into description-:" + args.Message); break; } } StringBuilder duration = new StringBuilder(); rec.CustomStr3 = arrAccess[0].Split(' ')[1]; rec.CustomStr6 = arrAccess[1].Split(' ')[0]; duration.Append(arrAccess[1].Split(' ')[2]); duration.Append(':'); duration.Append(arrAccess[2]); duration.Append(':'); duration.Append(arrAccess[3]); rec.CustomStr8 = duration.ToString(); rec.Description = Desc[6]; rec.CustomStr2 = input.ToString(); } catch (Exception e) { L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 609002:" + args.Message); L.Log(LogType.FILE, LogLevel.ERROR, e.ToString()); } } break; case "305011"://Tested case "305012"://Tested { rec.CustomStr2 = Desc[6].Trim(); Desc[7] += ":"; for (Int32 i = 8; i < Desc.Length; i++) Desc[7] += Desc[i] + ":"; Desc[7] = Desc[7].TrimEnd(':'); String[] arrInbound = Desc[7].Split(' '); Int32 firstIp = 0; Int32 secondIp = 0; bool first = true; for (Int32 i = 0; i < arrInbound.Length; i++) { if (arrInbound[i].Contains("/") && !arrInbound[i].Contains("(")) { if (first) { firstIp = i; first = false; } else { secondIp = i; break; } } } StringBuilder customStr4 = 
new StringBuilder(); for (Int32 i = firstIp + 1; i < secondIp; i++) { customStr4.Append(arrInbound[i]).Append(" "); } rec.CustomStr4 = customStr4.ToString().Trim(); String[] arrInboundIp = arrInbound[firstIp].Split('/'); if (arrInboundIp[0].Contains(":")) { String[] DescIpSplit = arrInboundIp[0].Split(':'); rec.CustomStr2 += " " + DescIpSplit[0]; rec.CustomStr3 = DescIpSplit[1]; } else { rec.CustomStr3 = arrInboundIp[0]; } rec.CustomInt1 = Convert.ToInt32(arrInboundIp[1]); StringBuilder customStr6 = new StringBuilder(); for (Int32 i = secondIp + 1; i < arrInbound.Length; i++) { customStr6.Append(arrInbound[i]).Append(" "); } rec.Description = customStr6.ToString().Trim(); String[] arrInboundDescIp = arrInbound[secondIp].Split('/'); if (arrInboundDescIp[0].Contains(":")) { String[] DescIpSplit = arrInboundDescIp[0].Split(':'); rec.CustomStr4 += " " + DescIpSplit[0]; rec.CustomStr6 = DescIpSplit[1]; } else { rec.CustomStr6 = arrInboundDescIp[0]; } rec.CustomInt3 = Convert.ToInt32(arrInboundDescIp[1]); } break; case "304001": { StringBuilder sbTemp = new StringBuilder(); //Parsing description String[] arrAccess = Desc[6].Split(' '); for (Int32 i = 1; i < arrAccess.Length; ++i) { sbTemp.Append(arrAccess[i]).Append(' '); } sbTemp.Remove(sbTemp.Length - 1, 1); sbTemp.Append(':').Append(Desc[7]); rec.CustomStr5 = arrAccess[0]; rec.Description = sbTemp.ToString(); } break; case "419001": rec.CustomStr2 = Desc[6]; String[] arrDrop = Desc[7].Split(' '); String[] arrDropIp = arrDrop[0].Split('/'); rec.CustomStr3 = arrDropIp[0]; rec.CustomInt1 = Convert.ToInt32(arrDropIp[1]); String[] arrDropDesc = Desc[8].Split(','); String[] arrDropDescIp = arrDropDesc[0].Split('/'); StringBuilder sbTempDrop = new StringBuilder(); sbTempDrop.Append(arrDropDescIp[0]); rec.CustomStr7 = sbTempDrop.ToString(); rec.CustomInt3 = Convert.ToInt32(arrDropDescIp[1]); StringBuilder sbTempDescDrop = new StringBuilder(); for (Int32 i = 1; i < arrDropDesc.Length; ++i) { 
sbTempDescDrop.Append(arrDropDesc[i]).Append(" "); } if (sbTempDescDrop.Length > 0) sbTempDescDrop.Remove(sbTempDescDrop.Length - 1, 1); rec.Description = sbTempDescDrop.ToString(); break; default: L.Log(LogType.FILE, LogLevel.DEBUG, "No match for the mesage: "+args.Message); rec.Description = args.Message; break; } rec.SourceName = args.Source; // Fields are changed like other firewall for standartization string backup = null; backup = rec.CustomStr4; rec.CustomStr4 = rec.CustomStr6; rec.CustomStr6 = rec.CustomStr5; rec.CustomStr5 = backup; int bakcup = 0; rec.CustomInt2 = rec.CustomInt1; rec.CustomInt1 = rec.CustomInt3; rec.CustomInt3 = bakcup; L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record"); L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data"); if (usingRegistry) { CustomServiceBase s = base.GetInstanceService("Security Manager Sender"); s.SetData(rec); } else { CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder"); s.SetData(Dal,virtualhost, rec); s.SetReg(Id, rec.Datetime, "","", "",rec.Datetime); } L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data"); } catch (Exception er) { L.LogTimed(LogType.FILE, LogLevel.ERROR, er.ToString()); L.LogTimed(LogType.FILE, LogLevel.ERROR,args.Message); } }
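/// <summary>
/// Handles one syslog event from a Cisco PIX device: splits the message on ':',
/// takes the PIX message id from the third '-' separated field of Desc[3]
/// (the "%PIX-&lt;severity&gt;-&lt;id&gt;" token), fills a <c>CustomBase.Rec</c> for the
/// ids this recorder understands (304001, 106023) and hands the record to the
/// configured sender service.
/// </summary>
/// <param name="args">Raw syslog event; only <c>Message</c>, <c>Source</c> and
/// <c>EventLogEntType</c> are read.</param>
/// <remarks>
/// Never throws: a malformed message is logged at ERROR and dropped (no record is sent);
/// an unknown id is forwarded with the raw message as its description.
/// </remarks>
void slog_SyslogEvent(LogMgrEventArgs args)
{
    CustomBase.Rec rec = new CustomBase.Rec();
    try
    {
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
        L.Log(LogType.FILE, LogLevel.DEBUG, "Log is :" + args.Message);
        rec.LogName = "CiscoPixSyslog Recorder";
        // Record time is the local receive time shifted by the configured zone offset
        // (minutes), not the timestamp carried inside the message.
        rec.Datetime = DateTime.Now.AddMinutes(zone).ToString("yyyy/MM/dd HH:mm:ss");
        rec.EventType = args.EventLogEntType.ToString();

        String[] Desc = args.Message.Split(':');
        if (Desc.Length < 5)
        {
            L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message: " + args.Message);
            return;
        }
        for (Int32 i = 0; i < Desc.Length; ++i)
        {
            Desc[i] = Desc[i].Trim();
        }

        // Desc[3] is expected to be the "%PIX-<severity>-<message id>" token. The id is
        // pixArr[2], so the guard must require three fields; the previous "< 2" check
        // let a two-field token throw IndexOutOfRangeException instead of being rejected.
        String[] pixArr = Desc[3].Split('-');
        if (pixArr.Length < 3)
        {
            L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message: " + args.Message);
            return;
        }
        rec.CustomStr10 = Desc[0].Trim();
        rec.CustomStr9 = Desc[1].Trim();
        // The PIX message id replaces the generic entry type set above.
        rec.EventType = pixArr[2];

        // Only the two ids below are parsed. The old commented-out cases for other ids
        // (106001, 106006, 106023, 304001, 419001) were dead code and have been removed.
        switch (pixArr[2])
        {
            case "304001"://Untested
            {
                // Presumed layout: Desc[4] = "<src> <w1> <w2> <dst>", Desc[5] = URL remainder
                // -- TODO confirm against a captured PIX 304001 message.
                if (Desc.Length < 6)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 304001: " + args.Message);
                    return;
                }
                String[] arrAccess = Desc[4].Split(' ');
                if (arrAccess.Length < 4)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 304001: " + args.Message);
                    return;
                }
                StringBuilder sbTemp = new StringBuilder();
                rec.CustomStr3 = arrAccess[0];
                rec.CustomStr6 = arrAccess[3];
                rec.CustomStr2 = sbTemp.Append(arrAccess[1]).Append(arrAccess[2]).ToString();
                rec.Description = Desc[5];
            }
            break;
            case "106023"://Untested
            {
                // Presumed layout: Desc[5] = "<srcIp>/<srcPort> <w1> <w2>",
                // Desc[6] = "<dstIp>/<dstPort> <rest ...>" -- TODO confirm against a captured message.
                if (Desc.Length < 7)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 106023: " + args.Message);
                    return;
                }
                String[] arrAccess = Desc[5].Split(' ');
                String[] arrDest = Desc[6].Split(' ');
                if (arrAccess.Length < 3)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 106023: " + args.Message);
                    return;
                }
                String[] srcParts = arrAccess[0].Split('/');
                String[] dstParts = arrDest[0].Split('/');
                if (srcParts.Length < 2 || dstParts.Length < 2)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 106023: " + args.Message);
                    return;
                }
                StringBuilder sbTemp = new StringBuilder();
                StringBuilder sbDesc = new StringBuilder();
                rec.CustomStr3 = srcParts[0];
                rec.CustomInt3 = Convert.ToInt32(srcParts[1]);
                rec.CustomStr6 = dstParts[0];
                rec.CustomInt1 = Convert.ToInt32(dstParts[1]);
                rec.CustomStr2 = sbTemp.Append(Desc[4].Trim()).Append(' ').Append(arrAccess[1]).Append(arrAccess[2]).ToString();
                // The remaining tokens form the description. They used to be appended with
                // no separator (words ran together); join them with single spaces instead.
                for (int i = 1; i < arrDest.Length; i++)
                {
                    if (sbDesc.Length > 0)
                    {
                        sbDesc.Append(' ');
                    }
                    sbDesc.Append(arrDest[i]);
                }
                rec.Description = sbDesc.ToString();
            }
            break;
            default:
                rec.Description = args.Message;
                L.Log(LogType.FILE, LogLevel.WARN, "Could not parse this log: " + args.Message);
                break;
        }

        rec.SourceName = args.Source;
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
        if (usingRegistry)
        {
            CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
            s.SetData(rec);
        }
        else
        {
            CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
            s.SetData(Dal, virtualhost, rec);
            s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
    }
    catch (Exception er)
    {
        L.LogTimed(LogType.FILE, LogLevel.ERROR, er.ToString());
        // The dropped message is logged at ERROR (was DEBUG) so lost events are visible
        // in the operational log, matching the other recorders' handlers.
        L.LogTimed(LogType.FILE, LogLevel.ERROR, "Exception:" + args.Message);
    }
}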
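/// <summary>
/// Handles one syslog event from a Cisco ASA 6.4.1 device: takes the text after the
/// first '%', splits it on spaces, reads the ASA message id from the
/// "ASA-&lt;severity&gt;-&lt;id&gt;:" token and fills a <c>CustomBase.Rec</c> according to
/// the per-id layouts documented by the sample lines above each <c>case</c>.
/// The record is then handed to the configured sender service.
/// </summary>
/// <param name="args">Raw syslog event; only <c>Message</c>, <c>Source</c> and
/// <c>EventLogEntType</c> are read.</param>
/// <remarks>
/// Never throws: per-id parse failures are logged at ERROR and the record is still sent
/// with whatever fields were filled; a message with no '%' or no "ASA-x-y" token is
/// logged and dropped. All case-insensitive token checks use the invariant culture:
/// with a Turkish thread culture <c>"Inside".ToLower()</c> yields "ınside" (dotless i)
/// and the "inside" branches would never match.
/// </remarks>
void slog_SyslogEvent(LogMgrEventArgs args)
{
    CustomBase.Rec rec = new CustomBase.Rec();
    try
    {
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
        rec.LogName = "CiscoAsaV6_4_1Recorder Recorder";
        // Record time is the local receive time shifted by the configured zone offset (minutes).
        rec.Datetime = DateTime.Now.AddMinutes(zone).ToString("yyyy/MM/dd HH:mm:ss");
        rec.EventType = args.EventLogEntType.ToString();
        rec.Description = args.Message;

        // The empty-message check must run before the '%' split: the old order threw
        // IndexOutOfRangeException on an empty message (or one without '%') and the
        // INFORM message below was unreachable.
        if (string.IsNullOrEmpty(args.Message))
        {
            L.Log(LogType.FILE, LogLevel.INFORM, " Message is null " + args.Message);
            return;
        }
        //10.10.0.254:514 : local4.info %ASA-6-305011: Built dynamic TCP translation from Inside:192.168.111.10/56298 to Outside(Inside_nat_outbound):212.156.67.62/12694
        // Only the segment between the first and second '%' is parsed; a second '%' in the
        // payload (e.g. a percent-encoded URL in 304001) truncates the token list.
        String[] msgSegments = args.Message.Split('%');
        if (msgSegments.Length < 2)
        {
            L.Log(LogType.FILE, LogLevel.ERROR, " Message is not in proper format. Log : " + args.Message);
            return;
        }
        String[] parts = msgSegments[1].Split(new char[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
        if (parts.Length < 2)
        {
            L.Log(LogType.FILE, LogLevel.ERROR, " Message is not in proper format. Log : " + args.Message);
            return;
        }
        // parts[0] is "ASA-<severity>-<id>:"; the id is the third '-' separated field.
        String[] header = parts[0].Split('-');
        if (header.Length < 3)
        {
            L.Log(LogType.FILE, LogLevel.ERROR, " Message is not in proper format. Log : " + args.Message);
            return;
        }
        string type = header[2].TrimEnd(':');
        //Uncommon fields for all pix records. Now Parse with id
        rec.EventId = Convert.ToInt64(type);

        switch (type)
        {
            case "106001"://Untested
            {
            }
            break;
            //10.10.0.254:514 : local4.info %ASA-6-106015: Deny TCP (no connection) from 172.16.100.142/53916 to 83.66.140.10/80 flags RST on interface Fabrikalar
            case "106015":
            {
                try
                {
                    rec.CustomStr2 = "";
                    rec.CustomStr7 = "";
                    // Words before the first '(' token form the category.
                    for (int i = 1; i < parts.Length; i++)
                    {
                        if (!parts[i].Contains("("))
                        {
                            rec.CustomStr2 += parts[i] + " ";
                        }
                        else
                        {
                            break;
                        }
                    }
                    rec.CustomStr2 = rec.CustomStr2.Trim();
                    rec.EventCategory = rec.CustomStr2;
                    bool getRest = false;
                    for (int i = 1; i < parts.Length; i++)
                    {
                        if (parts[i].ToLowerInvariant().Equals("from"))
                        {
                            rec.CustomStr3 = parts[i + 1].Split(new char[] { '/' })[0];
                            rec.CustomInt2 = Convert_To_Int32(parts[i + 1].Split(new char[] { ':', '/' })[1]);
                        }
                        else if (parts[i].ToLowerInvariant().Equals("to"))
                        {
                            rec.CustomStr4 = parts[i + 1].Split(new char[] { '/' })[0];
                            rec.CustomInt3 = Convert_To_Int32(parts[i + 1].Split(new char[] { '/' })[1]);
                            i++;
                            getRest = true;
                        }
                        else if (getRest)
                        {
                            rec.CustomStr7 += parts[i] + " ";
                        }
                    }
                    // Trim once after the loop: trimming inside the loop removed the separator
                    // after every word, so the trailing text came out as one run ("flagsRST...").
                    rec.CustomStr7 = rec.CustomStr7.Trim();
                }
                catch (Exception ex)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Error On : 106015. Log : " + args.Message);
                    L.Log(LogType.FILE, LogLevel.ERROR, ex.ToString());
                }
            }
            break;
            //10.10.0.254:514 : local4.info %ASA-6-302020: Built outbound ICMP connection for faddr 74.55.143.146/0 gaddr 212.156.67.62/5157 laddr 172.16.140.77/512
            //10.10.0.254:514 : local4.info %ASA-6-302021: Teardown ICMP connection for faddr 172.16.204.66/0 gaddr 10.10.0.2/0 laddr 10.10.0.2/0
            case "302020":
            case "302021":
            {
                try
                {
                    rec.CustomStr2 = "";
                    rec.CustomStr7 = "";
                    // Words before the first token containing "for" form the category.
                    for (int i = 1; i < parts.Length; i++)
                    {
                        if (!parts[i].Contains("for"))
                        {
                            rec.CustomStr2 += parts[i] + " ";
                        }
                        else
                        {
                            break;
                        }
                    }
                    rec.CustomStr2 = rec.CustomStr2.Trim();
                    rec.EventCategory = rec.CustomStr2;
                    // faddr -> CustomStr3/Int2, gaddr -> CustomStr4/Int3, laddr -> CustomStr5/Int4.
                    for (int i = 1; i < parts.Length; i++)
                    {
                        if (parts[i].ToLowerInvariant().Equals("faddr"))
                        {
                            rec.CustomStr3 = parts[i + 1].Split(new char[] { '/' })[0];
                            rec.CustomInt2 = Convert_To_Int32(parts[i + 1].Split(new char[] { ':', '/' })[1]);
                        }
                        else if (parts[i].ToLowerInvariant().Equals("gaddr"))
                        {
                            rec.CustomStr4 = parts[i + 1].Split(new char[] { '/' })[0];
                            rec.CustomInt3 = Convert_To_Int32(parts[i + 1].Split(new char[] { '/' })[1]);
                        }
                        else if (parts[i].ToLowerInvariant().Equals("laddr"))
                        {
                            rec.CustomStr5 = parts[i + 1].Split(new char[] { '/' })[0];
                            rec.CustomInt4 = Convert_To_Int32(parts[i + 1].Split(new char[] { '/' })[1]);
                        }
                    }
                }
                catch (Exception ex)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Error On : 302020, 302021. Log : " + args.Message);
                    L.Log(LogType.FILE, LogLevel.ERROR, ex.ToString());
                }
            }
            break;
            //10.10.0.254:514 : local4.alert %ASA-1-106021: Deny TCP reverse path check from 192.168.34.73 to 212.156.67.62 on interface Outside
            case "106021":
            {
                rec.CustomStr2 = "";
                for (int i = 1; i < parts.Length; i++)
                {
                    if (!parts[i].Contains("from"))
                    {
                        rec.CustomStr2 += parts[i] + " ";
                    }
                    else
                    {
                        break;
                    }
                }
                bool continueStr2 = false;
                rec.CustomStr8 = "";
                for (int i = 1; i < parts.Length; i++)
                {
                    if (parts[i].Equals("from"))
                    {
                        rec.CustomStr3 = parts[i + 1];
                    }
                    else if (parts[i].ToLowerInvariant().Equals("to"))
                    {
                        rec.CustomStr4 = parts[i + 1];
                    }
                    // Substring match: any token containing "on" (not only the word "on")
                    // switches the rest of the line into CustomStr2.
                    if (parts[i].Contains("on"))
                    {
                        continueStr2 = true;
                    }
                    if (continueStr2)
                    {
                        rec.CustomStr2 += " " + parts[i];
                    }
                }
                rec.CustomStr2 = rec.CustomStr2.Trim();
                rec.EventCategory = parts[1] + " " + parts[2];
            }
            break;
            case "106006":
            {
                L.Log(LogType.FILE, LogLevel.INFORM, "Boş içi. Hazırlanması lazım : 106006. Log : " + args.Message);
            }
            break;
            case "106007":
            {
                L.Log(LogType.FILE, LogLevel.INFORM, "Boş içi. Hazırlanması lazım : 106007. Log : " + args.Message);
            }
            break;
            case "106017":
            {
                L.Log(LogType.FILE, LogLevel.INFORM, "Boş içi. Hazırlanması lazım : 106017. Log : " + args.Message);
            }
            break;
            //10.10.0.254:514 : local4.error %ASA-3-710003: TCP access denied by ACL from 88.249.67.204/2305 to Outside:212.156.67.62/23
            case "710003":
            {
                L.Log(LogType.FILE, LogLevel.INFORM, "Boş içi. Hazırlanması lazım : 710003. Log : " + args.Message);
            }
            break;
            //10.10.0.254:514 : local4.warning %ASA-4-106023: Deny udp src Outside:24.101.147.41/19971 dst Fabrikalar:212.156.67.62/39772 by access-group "Outside_access_in" [0x0, 0x0]
            case "106016":
            case "106014":
            case "106023":
            {
                try
                {
                    rec.CustomStr2 = "";
                    rec.CustomStr7 = "";
                    // Words before the first "<zone>:<ip>/<port>" token form the category.
                    for (int i = 1; i < parts.Length; i++)
                    {
                        if (!parts[i].Contains(":"))
                        {
                            rec.CustomStr2 += parts[i] + " ";
                        }
                        else
                        {
                            break;
                        }
                    }
                    rec.CustomStr2 = rec.CustomStr2.Trim();
                    rec.EventCategory = rec.CustomStr2;
                    // "<zone>:<ip>/<port>" tokens: zone names accumulate in CustomStr7; an
                    // "inside" zone (or any zone that is neither) fills CustomStr3/Int2, an
                    // "outside" zone fills CustomStr4/Int3. Everything else goes to CustomStr8.
                    for (int i = 1; i < parts.Length; i++)
                    {
                        if (parts[i].Contains(":"))
                        {
                            if (parts[i].ToLowerInvariant().Contains("inside"))
                            {
                                rec.CustomStr7 += parts[i].Split(new char[] { ':', '/' })[0] + " ";
                                rec.CustomStr3 = parts[i].Split(new char[] { ':', '/' })[1];
                                rec.CustomInt2 = Convert_To_Int32(parts[i].Split(new char[] { ':', '/' })[2]);
                            }
                            else if (parts[i].ToLowerInvariant().Contains("outside"))
                            {
                                rec.CustomStr7 += parts[i].Split(new char[] { ':', '/' })[0] + " ";
                                rec.CustomStr4 = parts[i].Split(new char[] { ':', '/' })[1];
                                rec.CustomInt3 = Convert_To_Int32(parts[i].Split(new char[] { ':', '/' })[2]);
                            }
                            else
                            {
                                rec.CustomStr7 += parts[i].Split(new char[] { ':', '/' })[0] + " ";
                                rec.CustomStr3 = parts[i].Split(new char[] { ':', '/' })[1];
                                rec.CustomInt2 = Convert_To_Int32(parts[i].Split(new char[] { ':', '/' })[2]);
                            }
                        }
                        else
                        {
                            rec.CustomStr8 += parts[i] + " ";
                        }
                    }
                }
                catch (Exception ex)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Error On : 106016, 106014, 106023. Log : " + args.Message);
                    L.Log(LogType.FILE, LogLevel.ERROR, ex.ToString());
                }
            }
            break;
            case "715001":
            {
                L.Log(LogType.FILE, LogLevel.INFORM, "Boş içi. Hazırlanması lazım : 715001. Log : " + args.Message);
            }
            break;
            case "305009":
            {
                L.Log(LogType.FILE, LogLevel.INFORM, "Boş içi. Hazırlanması lazım : 305009. Log : " + args.Message);
            }
            break;
            //10.10.0.254:514 : local4.info %ASA-6-302015: Built inbound UDP connection 53527882 for Fabrikalar:172.16.100.73/1025 (172.16.100.73/1025) to Inside:10.30.0.7/53 (10.30.0.7/53)
            //10.10.0.254:514 : local4.info %ASA-6-302013: Built outbound TCP connection 53527880 for Outside:212.174.187.34/80 (212.174.187.34/80) to Inside:192.168.115.13/50417 (212.156.67.62/47279)
            case "302015":
            case "302013":
            {
                try
                {
                    rec.CustomStr2 = "";
                    rec.CustomStr7 = "";
                    long sayi;
                    // Words up to the first numeric token form the category; the numeric
                    // token itself (the connection id) goes to CustomStr1.
                    for (int i = 1; i < parts.Length; i++)
                    {
                        if (!Int64.TryParse(parts[i], out sayi))
                        {
                            rec.CustomStr2 += parts[i] + " ";
                        }
                        else
                        {
                            rec.CustomStr1 = parts[i];
                            break;
                        }
                    }
                    rec.CustomStr2 = rec.CustomStr2.Trim();
                    rec.EventCategory = rec.CustomStr2;
                    // First "<zone>:<ip>/<port>" -> CustomStr3/Int2, second -> CustomStr4/Int3;
                    // first "(<ip>/<port>)" -> CustomStr5/Int4, second -> CustomStr6/Int5.
                    bool ilkIpAlindi = false;
                    bool ilkParantezIpAlindi = false;
                    for (int i = 1; i < parts.Length; i++)
                    {
                        if (parts[i].Contains(":") && parts[i].Contains("/"))
                        {
                            if (!ilkIpAlindi)
                            {
                                ilkIpAlindi = true;
                                rec.CustomStr7 += parts[i].Split(new char[] { ':', '/' })[0] + " ";
                                rec.CustomStr3 = parts[i].Split(new char[] { ':', '/' })[1];
                                rec.CustomInt2 = Convert_To_Int32(parts[i].Split(new char[] { ':', '/' })[2]);
                            }
                            else
                            {
                                rec.CustomStr7 += parts[i].Split(new char[] { ':', '/' })[0] + " ";
                                rec.CustomStr4 = parts[i].Split(new char[] { ':', '/' })[1];
                                rec.CustomInt3 = Convert_To_Int32(parts[i].Split(new char[] { ':', '/' })[2]);
                            }
                        }
                        else if (parts[i].Contains("(") && parts[i].Contains("/"))
                        {
                            if (!ilkParantezIpAlindi)
                            {
                                ilkParantezIpAlindi = true;
                                rec.CustomStr5 = parts[i].Split(new char[] { '/' })[0].TrimStart('(');
                                rec.CustomInt4 = Convert_To_Int32(parts[i].Split(new char[] { '/' })[1].TrimEnd(')'));
                            }
                            else
                            {
                                rec.CustomStr6 = parts[i].Split(new char[] { '/' })[0].TrimStart('(');
                                rec.CustomInt5 = Convert_To_Int32(parts[i].Split(new char[] { '/' })[1].TrimEnd(')'));
                            }
                        }
                    }
                }
                catch (Exception ex)
                {
                    // The old text named the 305010/302016/302014 case; this is 302015/302013.
                    L.Log(LogType.FILE, LogLevel.ERROR, "Error On : 302015, 302013. Log : " + args.Message);
                    L.Log(LogType.FILE, LogLevel.ERROR, ex.ToString());
                }
            }
            break;
            //10.10.0.254:514 : local4.info %ASA-6-302016: Teardown UDP connection 53527868 for Outside:216.239.36.10/53 to Inside:10.30.0.7/52945 duration 0:00:00 bytes 193
            //10.10.0.254:514 : local4.info %ASA-6-302014: Teardown TCP connection 53527230 for Outside:92.45.106.106/80 to Fabrikalar:172.16.194.52/3473 duration 0:00:05 bytes 3920 TCP FINs
            case "305010":
            case "302016":
            case "302014":
            {
                try
                {
                    rec.CustomStr2 = "";
                    rec.CustomStr7 = "";
                    long sayi;
                    for (int i = 1; i < parts.Length; i++)
                    {
                        if (!Int64.TryParse(parts[i], out sayi))
                        {
                            rec.CustomStr2 += parts[i] + " ";
                        }
                        else
                        {
                            rec.CustomStr1 = parts[i];
                            break;
                        }
                    }
                    rec.CustomStr2 = rec.CustomStr2.Trim();
                    rec.EventCategory = rec.CustomStr2;
                    // Only "inside"/"outside" zones are captured here; a token with another
                    // zone name (e.g. "Fabrikalar:" in the sample above) is skipped.
                    for (int i = 1; i < parts.Length; i++)
                    {
                        if (parts[i].Contains(":"))
                        {
                            if (parts[i].ToLowerInvariant().Contains("inside"))
                            {
                                rec.CustomStr7 += parts[i].Split(new char[] { ':', '/' })[0] + " ";
                                rec.CustomStr3 = parts[i].Split(new char[] { ':', '/' })[1];
                                rec.CustomInt2 = Convert_To_Int32(parts[i].Split(new char[] { ':', '/' })[2]);
                            }
                            else if (parts[i].ToLowerInvariant().Contains("outside"))
                            {
                                rec.CustomStr7 += parts[i].Split(new char[] { ':', '/' })[0] + " ";
                                rec.CustomStr4 = parts[i].Split(new char[] { ':', '/' })[1];
                                rec.CustomInt3 = Convert_To_Int32(parts[i].Split(new char[] { ':', '/' })[2]);
                            }
                        }
                        else if (parts[i].Contains("duration"))
                        {
                            rec.CustomStr8 = parts[i + 1];
                        }
                        else if (parts[i].Contains("bytes"))
                        {
                            rec.CustomInt7 = Convert_To_Int32(parts[i + 1]);
                        }
                        else if (parts[i].Contains("TCP"))
                        {
                            // Teardown reason (e.g. "TCP FINs") replaces the accumulated zone names.
                            rec.CustomStr7 = parts[i] + " " + parts[i + 1];
                        }
                    }
                }
                catch (Exception ex)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Error On : 305010, 302016, 302014. Log : " + args.Message);
                    L.Log(LogType.FILE, LogLevel.ERROR, ex.ToString());
                }
            }
            break;
            case "609001":
            {
                L.Log(LogType.FILE, LogLevel.INFORM, "Boş içi. Hazırlanması lazım : 609001. Log : " + args.Message);
            }
            break;
            case "609002":
            {
                L.Log(LogType.FILE, LogLevel.INFORM, "Boş içi. Hazırlanması lazım : 609002. Log : " + args.Message);
            }
            break;
            //10.10.0.254:514 : local4.info %ASA-6-305011: Built dynamic TCP translation from Inside:192.168.111.10/56298 to Outside(Inside_nat_outbound):212.156.67.62/12694
            //10.10.0.254:514 : local4.info %ASA-6-305012: Teardown dynamic TCP translation from Fabrikalar:172.16.211.108/2599 to Outside(Fabrikalar_nat_outbound):212.156.67.62/13200 duration 0:00:30
            case "305011"://Tested
            case "305012"://Tested
            {
                try
                {
                    rec.CustomStr2 = "";
                    rec.CustomStr7 = "";
                    for (int i = 1; i < parts.Length; i++)
                    {
                        if (!parts[i].Contains(":"))
                        {
                            rec.CustomStr2 += parts[i] + " ";
                        }
                        else
                        {
                            break;
                        }
                    }
                    rec.CustomStr2 = rec.CustomStr2.Trim();
                    rec.EventCategory = rec.CustomStr2;
                    for (int i = 1; i < parts.Length; i++)
                    {
                        if (parts[i].Contains(":"))
                        {
                            if (parts[i].ToLowerInvariant().Contains("inside"))
                            {
                                rec.CustomStr7 += parts[i].Split(new char[] { ':', '/' })[0] + " ";
                                rec.CustomStr3 = parts[i].Split(new char[] { ':', '/' })[1];
                                rec.CustomInt2 = Convert_To_Int32(parts[i].Split(new char[] { ':', '/' })[2]);
                            }
                            else if (parts[i].ToLowerInvariant().Contains("outside"))
                            {
                                rec.CustomStr7 += parts[i].Split(new char[] { ':', '/' })[0] + " ";
                                rec.CustomStr4 = parts[i].Split(new char[] { ':', '/' })[1];
                                rec.CustomInt3 = Convert_To_Int32(parts[i].Split(new char[] { ':', '/' })[2]);
                            }
                        }
                        else if (parts[i].Contains("duration"))
                        {
                            rec.CustomStr8 = parts[i + 1];
                        }
                    }
                }
                catch (Exception ex)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Error On : 305011, 305012. Log : " + args.Message);
                    L.Log(LogType.FILE, LogLevel.ERROR, ex.ToString());
                }
            }
            break;
            //10.10.0.254:514 : local4.notice %ASA-5-304001: 172.16.120.166 Accessed URL 209.85.149.106:/news/tbn/UpaJuRRf32EJ
            case "304001":
            {
                rec.CustomStr3 = parts[1];
                // Per-token dump is diagnostic only; DEBUG (was INFORM) keeps it out of the
                // operational log, which otherwise gets one line per token per URL event.
                for (int i = 0; i < parts.Length; i++)
                {
                    L.Log(LogType.FILE, LogLevel.DEBUG, "Parts " + parts[i]);
                }
                rec.CustomStr2 = "";
                for (int i = 2; i < parts.Length; i++)
                {
                    if (!parts[i].Contains(":"))
                    {
                        rec.CustomStr2 += parts[i] + " ";
                    }
                    else
                    {
                        // "<host>:<path>" token: host -> CustomStr4, host part after "://" ->
                        // CustomStr9, everything after "://" -> CustomStr10.
                        rec.CustomStr4 = parts[i].Split('/')[0].TrimEnd(':');
                        string urlWithIp = parts[i];
                        string urlWithoutIp = After(urlWithIp, "://");
                        string realUrl = urlWithoutIp.Split('/')[0];
                        rec.CustomStr9 = realUrl;
                        rec.CustomStr10 = After(parts[i], "://");
                        if (rec.CustomStr4.ToLowerInvariant().Contains(":http"))
                        {
                            rec.CustomStr4 = rec.CustomStr4.Replace(":http", " ").Trim();
                        }
                    }
                }
                L.Log(LogType.FILE, LogLevel.INFORM, "CustomStr4 " + rec.CustomStr4);
                rec.CustomStr2 = rec.CustomStr2.Trim();
                rec.EventCategory = rec.CustomStr2;
            }
            break;
            case "419001":
            {
                L.Log(LogType.FILE, LogLevel.INFORM, "Boş içi. Hazırlanması lazım : 419001. Log : " + args.Message);
            }
            break;
            //10.10.0.254:514 : local4.warning %ASA-4-419002: Duplicate TCP SYN from Inside:172.16.231.99/2268 to Inside:192.168.101.7/9100 with different initial sequence number
            case "419002":
            {
                try
                {
                    rec.CustomStr2 = "";
                    rec.CustomStr7 = "";
                    for (int i = 1; i < parts.Length; i++)
                    {
                        if (!parts[i].Contains("from"))
                        {
                            rec.CustomStr2 += parts[i] + " ";
                        }
                        else
                        {
                            break;
                        }
                    }
                    rec.CustomStr2 = rec.CustomStr2.Trim();
                    rec.EventCategory = rec.CustomStr2;
                    bool getRest = false;
                    for (int i = 1; i < parts.Length; i++)
                    {
                        if (parts[i].Equals("from"))
                        {
                            rec.CustomStr3 = parts[i + 1].Split(new char[] { ':', '/' })[1];
                            rec.CustomInt2 = Convert_To_Int32(parts[i + 1].Split(new char[] { ':', '/' })[2]);
                        }
                        else if (parts[i].ToLowerInvariant().Equals("to"))
                        {
                            rec.CustomStr4 = parts[i + 1].Split(new char[] { ':', '/' })[1];
                            rec.CustomInt3 = Convert_To_Int32(parts[i + 1].Split(new char[] { ':', '/' })[2]);
                            getRest = true;
                            i++;
                        }
                        else if (getRest)
                        {
                            rec.CustomStr7 += parts[i] + " ";
                        }
                    }
                    // Trim once after the loop (see 106015): trimming per iteration ran the
                    // trailing words together.
                    rec.CustomStr7 = rec.CustomStr7.Trim();
                }
                catch (Exception ex)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "Error On : 419002. Log : " + args.Message);
                    L.Log(LogType.FILE, LogLevel.ERROR, ex.ToString());
                }
            }
            break;
            //10.10.0.254:514 : local4.warning %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 49 per second, max configured rate is 10; Current average rate is 63 per second, max configured rate is 5; Cumulative total count is 38337
            case "733100":
            {
                // parts[1] is "[", parts[2] is "Scanning]" in the sample above.
                rec.CustomStr2 = parts[2].TrimEnd(']');
                rec.CustomStr8 = "";
                for (int i = 3; i < parts.Length; i++)
                {
                    rec.CustomStr8 += parts[i] + " ";
                }
                rec.CustomStr8 = rec.CustomStr8.Trim();
                rec.CustomStr2 = rec.CustomStr2.Trim();
                rec.EventCategory = rec.CustomStr2;
            }
            break;
            //10.10.0.254:514 : local4.error %ASA-3-313001: Denied ICMP type=3, code=1 from 195.140.196.2 on interface Outside
            case "313001":
            {
                rec.CustomStr2 = "";
                for (int i = 1; i < parts.Length; i++)
                {
                    if (!parts[i].Contains("="))
                    {
                        rec.CustomStr2 += parts[i] + " ";
                    }
                    else
                    {
                        break;
                    }
                }
                rec.CustomStr2 = rec.CustomStr2.Trim();
                rec.EventCategory = rec.CustomStr2;
                bool continueStr2 = false;
                for (int i = 1; i < parts.Length; i++)
                {
                    if (parts[i].Contains("from"))
                    {
                        rec.CustomStr3 = parts[i + 1];
                    }
                    // Substring match, as in 106021: any token containing "on" starts the tail.
                    if (parts[i].Contains("on"))
                    {
                        continueStr2 = true;
                    }
                    if (continueStr2)
                    {
                        rec.CustomStr2 += " " + parts[i];
                    }
                }
                rec.CustomStr2 = rec.CustomStr2.Trim();
            }
            break;
            //10.10.0.254:514 : local4.warning %ASA-4-313005: No matching connection for ICMP error message: icmp src Fabrikalar:172.16.210.109 dst Fabrikalar:11.11.11.33 (type 3, code 3) on Fabrikalar interface. Original IP payload: udp src 11.11.11.33/58505 dst 224.0.0.252/5355.
            //parts=ASA-4-313005: No matching connection for ICMP error message: icmp src Fabrikalar:172.16.210.109 dst Fabrikalar:11.11.11.33 (type 3, code 3) on Fabrikalar interface. Original IP payload: udp src 11.11.11.33/58505 dst 224.0.0.252/5355.
            case "313005":
            {
                // Purely positional parse keyed to the sample above; any variation in the
                // message wording shifts the indices and the outer catch drops the event.
                rec.EventId = 313005;
                rec.EventType = parts[5] + " " + parts[6];
                rec.EventCategory = parts[1] + " " + parts[2] + " " + parts[3];
                // Overwritten by "rec.SourceName = args.Source" after the switch.
                rec.SourceName = args.Message.Split(new char[] { ' ' }, StringSplitOptions.RemoveEmptyEntries)[2];
                rec.CustomStr3 = parts[10].Split(new char[] { ':' })[1];
                rec.CustomStr4 = parts[12].Split(new char[] { ':' })[1];
                rec.CustomStr7 = parts[18] + " " + parts[19];
                rec.CustomStr8 = parts[20] + " " + parts[21] + " " + parts[22];
                rec.CustomStr5 = parts[25].Split(new char[] { '/' })[0];
                rec.CustomStr6 = parts[27].Split(new char[] { '/' })[0];
                rec.CustomInt2 = Convert_To_Int32(parts[25].Split(new char[] { '/' })[1]);
                rec.CustomInt3 = Convert_To_Int32(parts[27].Split(new char[] { '/' })[1]);
            }
            break;
            //10.10.0.254:514 : local4.error %ASA-3-305006: portmap translation creation failed for icmp src Inside:192.168.125.15 dst Inside:192.168.2.200 (type 8, code 0)
            //parts=ASA-3-305006: portmap translation creation failed for icmp src Inside:192.168.125.15 dst Inside:192.168.2.200 (type 8, code 0)
            case "305006":
            {
                // Was 3005006 (extra zero), which overrode the correct id already set from "type".
                rec.EventId = 305006;
                rec.EventType = "";
                rec.EventCategory = parts[1] + " " + parts[2] + " " + parts[3] + " " + parts[4];
                // Overwritten by "rec.SourceName = args.Source" after the switch.
                rec.SourceName = args.Message.Split(new char[] { ' ' })[2];
                rec.CustomStr3 = parts[8].Split(new char[] { ':' })[1];
                rec.CustomStr4 = parts[10].Split(new char[] { ':' })[1];
            }
            break;
            //10.10.0.254:514 : local4.warning %ASA-4-410001: Dropped UDP DNS request from Fabrikalar:172.16.204.234/4521 to Outside:193.2.122.51/53; label length 154 bytes exceeds protocol limit of 63 bytes
            case "410001":
            {
                rec.CustomStr2 = "";
                for (int i = 1; i < parts.Length; i++)
                {
                    if (!parts[i].Contains("from"))
                    {
                        rec.CustomStr2 += parts[i] + " ";
                    }
                    else
                    {
                        break;
                    }
                }
                bool getRest = false;
                bool firstByteGot = false;
                rec.CustomStr8 = "";
                for (int i = 1; i < parts.Length; i++)
                {
                    if (parts[i].Equals("from"))
                    {
                        // "<zone>:<ip>/<port>": zone -> CustomStr5, ip -> CustomStr3, port -> CustomInt2.
                        rec.CustomStr5 = parts[i + 1].Split(new char[] { ':', '/' })[0];
                        rec.CustomStr3 = parts[i + 1].Split(new char[] { ':', '/' })[1];
                        rec.CustomInt2 = Convert_To_Int32(parts[i + 1].Split(new char[] { ':', '/' })[2]);
                    }
                    else if (parts[i].ToLowerInvariant().Equals("to"))
                    {
                        // Mirrors the "from" branch: zone -> CustomStr6, ip -> CustomStr4, port -> CustomInt3.
                        // CustomStr6 previously took field [1] (the ip) instead of [0] (the zone).
                        rec.CustomStr6 = parts[i + 1].Split(new char[] { ':', '/' })[0];
                        rec.CustomStr4 = parts[i + 1].Split(new char[] { ':', '/' })[1];
                        rec.CustomInt3 = Convert_To_Int32(parts[i + 1].Split(new char[] { ':', '/' })[2]);
                        getRest = true;
                        i++;
                        continue;
                    }
                    if (getRest)
                    {
                        rec.CustomStr8 += parts[i] + " ";
                    }
                    // The number preceding the first "bytes" -> CustomInt5, the second -> CustomInt6.
                    if (parts[i].Equals("bytes"))
                    {
                        if (firstByteGot)
                        {
                            rec.CustomInt6 = Convert_To_Int32(parts[i - 1]);
                        }
                        else
                        {
                            rec.CustomInt5 = Convert_To_Int32(parts[i - 1]);
                            firstByteGot = true;
                        }
                    }
                }
                rec.CustomStr8 = rec.CustomStr8.Trim();
                rec.CustomStr2 = rec.CustomStr2.Trim();
                rec.EventCategory = rec.CustomStr2;
            }
            break;
            default:
            {
                L.Log(LogType.FILE, LogLevel.INFORM, "Event tanımlanmamış. Event ID : " + type + " , Log : " + args.Message);
            }
            break;
        }

        rec.SourceName = args.Source;
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
        // Description is capped; the exact limit presumably matches the storage column -- TODO confirm.
        if (args.Message.Length > 4000)
        {
            rec.Description = args.Message.Substring(0, 3999);
        }
        else
        {
            rec.Description = args.Message;
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
        if (usingRegistry)
        {
            CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
            s.SetData(rec);
        }
        else
        {
            CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
            s.SetData(Dal, virtualhost, rec);
            s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
    }
    catch (Exception er)
    {
        L.LogTimed(LogType.FILE, LogLevel.ERROR, er.ToString());
        L.LogTimed(LogType.FILE, LogLevel.ERROR, args.Message);
    }
}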
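/// <summary>
/// Builds a <see cref="CustomBase.Rec"/> from one Palo Alto syslog line (comma-separated
/// TRAFFIC or THREAT record, the type sits in column 3). The header fields (LogName,
/// EventType, ComputerName, Description, SourceName) are always filled from
/// <paramref name="args"/>; the positional columns are only parsed when
/// <paramref name="dontSend"/> is false.
/// </summary>
/// <param name="line">The raw comma-separated log line; may be null or empty.</param>
/// <param name="dontSend">When true only the header fields are set and the line is not split.</param>
/// <param name="args">Syslog event carrying Message, Source and EventLogEntType.</param>
/// <returns>
/// The populated record. Parsing problems are logged, never thrown: the record comes back
/// with whatever fields were filled before the failure.
/// </returns>
public Rec ParseSpecific(String line, bool dontSend, LogMgrEventArgs args)
{
    L.Log(LogType.FILE, LogLevel.DEBUG, " ParseSpecific() | Parsing Specific line. Line : " + line);
    if (string.IsNullOrEmpty(line))
    {
        L.Log(LogType.FILE, LogLevel.DEBUG, " ParseSpecific() | Line is Null Or Empty. ");
    }

    CustomBase.Rec rec = new CustomBase.Rec();
    rec.LogName = "PaloAltoTrafficV_1_0_1SyslogRecorder";
    rec.EventType = args.EventLogEntType.ToString();
    if (!string.IsNullOrEmpty(remote_host))
    {
        rec.ComputerName = remote_host;
    }

    // Description is capped at 899 characters; the full message is still written to the log below.
    rec.Description = args.Message;
    if (rec.Description.Length > 899)
    {
        rec.Description = rec.Description.Substring(0, 899);
    }

    L.Log(LogType.FILE, LogLevel.DEBUG, " Source Is : " + args.Source.ToString());
    rec.SourceName = args.Source;
    L.Log(LogType.FILE, LogLevel.INFORM, " Log : " + args.Message);

    if (!dontSend)
    {
        try
        {
            // Split inside the try so a null line is logged like any other parse failure
            // instead of escaping the method as a NullReferenceException.
            string[] parts = line.Split(',');
            for (int i = 0; i < parts.Length; i++)
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, " ParseSpecific() Parts[" + i + "]: " + parts[i]);
            }

            string type01 = parts[3];
            if (type01 == "TRAFFIC")
            {
                #region TRAFFIC
                try
                {
                    // NOTE(review): Convert.ToDateTime uses the current culture — confirm the
                    // service runs under a culture that accepts the device's date format.
                    rec.Datetime = Convert.ToDateTime(parts[6]).ToString("yyyy-MM-dd HH:mm:ss");
                }
                catch (Exception ex)
                {
                    // Report the column that was actually parsed (6), not an unrelated one.
                    L.Log(LogType.FILE, LogLevel.ERROR, " ParseSpecific() | There is a problem converting to date. date : " + parts[6] + " , " + ex.Message);
                }

                rec.CustomStr1 = StringParsingOperation(parts[18], 18, "CustomStr1", parts.Length);
                rec.CustomStr2 = StringParsingOperation(parts[19], 19, "CustomStr2", parts.Length);
                rec.CustomStr3 = StringParsingOperation(parts[7], 7, "CustomStr3", parts.Length);
                rec.CustomStr4 = StringParsingOperation(parts[8], 8, "CustomStr4", parts.Length);
                rec.CustomStr5 = StringParsingOperation(parts[9], 9, "CustomStr5", parts.Length);
                rec.CustomStr6 = StringParsingOperation(parts[10], 10, "CustomStr6", parts.Length);
                rec.CustomStr7 = StringParsingOperation(parts[29], 29, "CustomStr7", parts.Length);
                rec.CustomStr8 = StringParsingOperation(parts[4], 4, "CustomStr8", parts.Length);
                rec.CustomStr9 = StringParsingOperation(parts[3], 3, "CustomStr9", parts.Length);
                rec.CustomStr10 = StringParsingOperation(parts[14], 14, "CustomStr10", parts.Length);
                rec.UserName = StringParsingOperation(parts[12], 12, "UserName", parts.Length);
                rec.EventType = StringParsingOperation(parts[30], 30, "EventType", parts.Length);
                rec.EventCategory = StringParsingOperation(parts[37], 37, "EventCategory", parts.Length);
                rec.CustomInt1 = IntegerParsingOperation(parts[0], 0, "rec.CustomInt1", parts.Length);
                rec.CustomInt2 = IntegerParsingOperation(parts[23], 23, "rec.CustomInt2", parts.Length);
                rec.CustomInt3 = IntegerParsingOperation(parts[24], 24, "rec.CustomInt3", parts.Length);
                rec.CustomInt4 = IntegerParsingOperation(parts[25], 25, "rec.CustomInt4", parts.Length);
                rec.CustomInt5 = IntegerParsingOperation(parts[26], 26, "rec.CustomInt5", parts.Length);
                rec.CustomInt6 = IntegerParsingOperation(parts[27], 27, "rec.CustomInt6", parts.Length);
                rec.CustomInt7 = IntegerParsingOperation(parts[22], 22, "rec.CustomInt7", parts.Length);
                rec.CustomInt8 = IntegerParsingOperation(parts[32], 32, "rec.CustomInt8", parts.Length);
                rec.CustomInt9 = IntegerParsingOperation(parts[33], 33, "rec.CustomInt9", parts.Length);
                rec.CustomInt10 = IntegerParsingOperation(parts[36], 36, "rec.CustomInt10", parts.Length);
                #endregion TRAFFIC
            }
            else if (type01 == "THREAT")
            {
                #region THREAT
                try
                {
                    // THREAT lines carry the timestamp in column 1, not 6.
                    rec.Datetime = Convert.ToDateTime(parts[1]).ToString("yyyy-MM-dd HH:mm:ss");
                    L.Log(LogType.FILE, LogLevel.DEBUG, " ParseSpecific() -- Datetime : " + rec.Datetime);
                }
                catch (Exception ex)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, " ParseSpecific() | There is a problem converting to date. date : " + parts[1] + " , " + ex.Message);
                }

                // Column 30 selects the sub-layout; compared ordinally so the current culture
                // (e.g. Turkish casing rules) cannot influence the match.
                string eventType = parts[30];
                if (string.Equals(eventType, "alert", StringComparison.OrdinalIgnoreCase))
                {
                    rec.EventCategory = StringParsingOperation(parts[4], 4, "EventCategory", parts.Length);
                    rec.EventType = StringParsingOperation(parts[30], 30, "EventType", parts.Length);
                    rec.ComputerName = StringParsingOperation(parts[0].Split(':')[0], 0, "ComputerName", parts.Length);
                    rec.CustomStr1 = StringParsingOperation(parts[31].Split('/')[0], 31, "CustomStr1", parts.Length);
                    rec.CustomStr2 = StringParsingOperation(parts[31].Split('/')[1], 31, "CustomStr2", parts.Length);
                    rec.CustomStr3 = StringParsingOperation(parts[7], 7, "CustomStr3", parts.Length);
                    rec.CustomStr4 = StringParsingOperation(parts[8], 8, "CustomStr4", parts.Length);
                    rec.CustomStr5 = StringParsingOperation(parts[9], 9, "CustomStr5", parts.Length);
                    rec.CustomStr6 = StringParsingOperation(parts[10], 10, "CustomStr6", parts.Length);
                    rec.CustomStr7 = StringParsingOperation(parts[29], 29, "CustomStr7", parts.Length);
                    rec.CustomStr8 = StringParsingOperation(parts[4], 4, "CustomStr8", parts.Length);
                    rec.CustomStr9 = StringParsingOperation(parts[3], 3, "CustomStr9", parts.Length);
                    rec.CustomStr10 = StringParsingOperation(parts[14], 14, "CustomStr10", parts.Length);
                    rec.CustomInt1 = IntegerParsingOperation(parts[40], 40, "rec.CustomInt1", parts.Length);
                    rec.CustomInt2 = IntegerParsingOperation(parts[5], 5, "rec.CustomInt2", parts.Length);
                    rec.CustomInt3 = IntegerParsingOperation(parts[24], 24, "rec.CustomInt3", parts.Length);
                    rec.CustomInt4 = IntegerParsingOperation(parts[25], 25, "rec.CustomInt4", parts.Length);
                    rec.CustomInt5 = IntegerParsingOperation(parts[22], 22, "rec.CustomInt5", parts.Length);
                    rec.CustomInt6 = IntegerParsingOperation(parts[27], 27, "rec.CustomInt6", parts.Length);
                    rec.CustomInt7 = IntegerParsingOperation(parts[26], 26, "rec.CustomInt7", parts.Length);
                    rec.CustomInt10 = IntegerParsingOperation(parts[36], 36, "rec.CustomInt10", parts.Length);
                }
                else if (string.Equals(eventType, "block-url", StringComparison.OrdinalIgnoreCase))
                {
                    // Column 0 is "host:port"; both halves are kept here (only the host for "alert").
                    rec.ComputerName = StringParsingOperation(parts[0].Split(':')[0] + ":" + parts[0].Split(':')[1], 0, "ComputerName", parts.Length);
                    rec.EventCategory = StringParsingOperation(parts[37], 37, "EventCategory", parts.Length);
                    rec.EventType = StringParsingOperation(parts[30], 30, "EventType", parts.Length);
                    rec.CustomStr1 = StringParsingOperation(parts[31].Split('/')[0], 31, "CustomStr1", parts.Length);
                    rec.CustomStr2 = StringParsingOperation(parts[31], 31, "CustomStr2", parts.Length);
                    rec.CustomStr3 = StringParsingOperation(parts[7], 7, "CustomStr3", parts.Length);
                    rec.CustomStr4 = StringParsingOperation(parts[8], 8, "CustomStr4", parts.Length);
                    rec.CustomStr5 = StringParsingOperation(parts[9], 9, "CustomStr5", parts.Length);
                    rec.CustomStr6 = StringParsingOperation(parts[10], 10, "CustomStr6", parts.Length);
                    rec.CustomStr7 = StringParsingOperation(parts[29], 29, "CustomStr7", parts.Length);
                    rec.CustomStr8 = StringParsingOperation(parts[4], 4, "CustomStr8", parts.Length);
                    rec.CustomStr9 = StringParsingOperation(parts[3], 3, "CustomStr9", parts.Length);
                    rec.CustomStr10 = StringParsingOperation(parts[14], 14, "CustomStr10", parts.Length);
                    rec.CustomInt1 = IntegerParsingOperation(parts[40], 40, "CustomInt1", parts.Length);
                    rec.CustomInt2 = IntegerParsingOperation(parts[5], 5, "CustomInt2", parts.Length);
                    rec.CustomInt3 = IntegerParsingOperation(parts[24], 24, "CustomInt3", parts.Length);
                    rec.CustomInt4 = IntegerParsingOperation(parts[25], 25, "CustomInt4", parts.Length);
                    rec.CustomInt5 = IntegerParsingOperation(parts[26], 26, "CustomInt5", parts.Length);
                    rec.CustomInt6 = IntegerParsingOperation(parts[27], 27, "CustomInt6", parts.Length);
                    rec.CustomInt10 = IntegerParsingOperation(parts[36], 36, "CustomInt10", parts.Length);
                }
                else if (string.Equals(eventType, "drop-all-packets", StringComparison.OrdinalIgnoreCase))
                {
                    rec.ComputerName = StringParsingOperation(parts[0].Split(':')[0] + ":" + parts[0].Split(':')[1], 0, "ComputerName", parts.Length);
                    rec.EventCategory = StringParsingOperation(parts[33], 33, "EventCategory", parts.Length);
                    rec.EventType = StringParsingOperation(parts[37], 37, "EventType", parts.Length);
                    rec.CustomStr1 = StringParsingOperation(parts[18], 18, "CustomStr1", parts.Length);
                    rec.CustomStr2 = StringParsingOperation(parts[19], 19, "CustomStr2", parts.Length);
                    rec.CustomStr3 = StringParsingOperation(parts[7], 7, "CustomStr3", parts.Length);
                    rec.CustomStr4 = StringParsingOperation(parts[8], 8, "CustomStr4", parts.Length);
                    rec.CustomStr5 = StringParsingOperation(parts[9], 9, "CustomStr5", parts.Length);
                    rec.CustomStr6 = StringParsingOperation(parts[10], 10, "CustomStr6", parts.Length);
                    rec.CustomStr7 = StringParsingOperation(parts[29], 29, "CustomStr7", parts.Length);
                    rec.CustomStr8 = StringParsingOperation(parts[33], 33, "CustomStr8", parts.Length);
                    rec.CustomStr9 = StringParsingOperation(parts[3], 3, "CustomStr9", parts.Length);
                    rec.CustomStr10 = StringParsingOperation(parts[14], 14, "CustomStr10", parts.Length);
                    rec.CustomInt1 = IntegerParsingOperation(parts[40], 40, "CustomInt1", parts.Length);
                    rec.CustomInt2 = IntegerParsingOperation(parts[5], 5, "CustomInt2", parts.Length);
                    rec.CustomInt3 = IntegerParsingOperation(parts[22], 22, "CustomInt3", parts.Length);
                    rec.CustomInt4 = IntegerParsingOperation(parts[23], 23, "CustomInt4", parts.Length);
                    rec.CustomInt5 = IntegerParsingOperation(parts[24], 24, "CustomInt5", parts.Length);
                    rec.CustomInt6 = IntegerParsingOperation(parts[25], 25, "CustomInt6", parts.Length);
                    rec.CustomInt7 = IntegerParsingOperation(parts[26], 26, "CustomInt7", parts.Length);
                    rec.CustomInt8 = IntegerParsingOperation(parts[27], 27, "CustomInt8", parts.Length);
                    rec.CustomInt10 = IntegerParsingOperation(parts[36], 36, "CustomInt10", parts.Length);
                }
                #endregion THREAT
            }
        }
        catch (Exception ex)
        {
            // Any missing column (IndexOutOfRange) or a null line lands here; the partial record is still returned.
            L.Log(LogType.FILE, LogLevel.ERROR, " ParseSpecific() | " + ex.Message);
            L.Log(LogType.FILE, LogLevel.ERROR, " ParseSpecific() | " + ex.StackTrace);
            L.Log(LogType.FILE, LogLevel.ERROR, " ParseSpecific() | Line : " + line);
        }
    }

    return rec;
}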
/// <summary>
/// Syslog event handler for the SurMail recorder: parses one mail-queue line from
/// <paramref name="args"/>.Message into a <see cref="CustomBase.Rec"/> and hands it to the
/// "Security Manager Sender" (registry mode) or the "Security Manager Remote Recorder".
/// Every failure is logged; nothing is thrown to the caller.
/// </summary>
/// <param name="args">Syslog event carrying Message and EventLogEntType.</param>
void slog_SyslogEvent(LogMgrEventArgs args)
{
    CustomBase.Rec rec = new CustomBase.Rec();
    try
    {
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
        try
        {
            rec.LogName = "SurMailSyslogV_1_0_0Recorder";
            string line = args.Message;
            string[] lineArr = SpaceSplit(line, false);
            for (int i = 0; i < lineArr.Length; i++)
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, "lineArr: " + lineArr[i]);
            }
            try
            {
                // Tokens 3..5 are joined with the current year, presumably because the
                // syslog timestamp carries no year; Convert.ToDateTime is culture-dependent.
                int year = DateTime.Now.Year;
                string myDateString = lineArr[3] + " " + lineArr[4] + " " + year + " " + lineArr[5];
                DateTime dt = Convert.ToDateTime(myDateString);
                string s = dt.ToString("yyyy-MM-dd HH:mm:ss");
                rec.Datetime = s;
                L.Log(LogType.FILE, LogLevel.DEBUG, "Datetime: " + rec.Datetime);
            }
            catch (Exception exception)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, "DateTime Error: " + exception.Message);
            }
            rec.UserName = Between(line, "[", "]");
            // NOTE(review): the text between this log call and the "{" below was redacted in
            // the source ("******"); the original statement(s) are not recoverable from here.
            L.Log(LogType.FILE, LogLevel.DEBUG, "UserName: "******":")) {
                // Token 0 is "host:port"; the port half is parsed separately below.
                rec.SourceName = lineArr[0].Split(':')[0];
                L.Log(LogType.FILE, LogLevel.DEBUG, "SourceName: " + rec.SourceName);
                try
                {
                    rec.CustomInt1 = Convert.ToInt32(lineArr[0].Split(':')[1]);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt1: " + rec.CustomInt1);
                }
                catch (Exception exception)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt1 type casting error: " + exception.Message);
                }
            }
            if (line.Contains("sender:") || line.Contains("recipient:"))
            {
                // The token after "sender:" / "recipient:" is the address. If the keyword is
                // the last token, lineArr[i + 1] throws and the enclosing catch logs it.
                for (int i = 0; i < lineArr.Length; i++)
                {
                    if (lineArr[i].Trim() == "sender:")
                    {
                        rec.CustomStr3 = lineArr[i + 1];
                    }
                    if (lineArr[i].Trim() == "recipient:")
                    {
                        rec.CustomStr4 = lineArr[i + 1];
                    }
                }
                // When both keywords are present the "recipient:" span wins.
                if (line.Contains("sender:"))
                {
                    rec.EventType = Between(line, "surmail-queue :", "for sender:");
                }
                if (line.Contains("recipient:"))
                {
                    rec.EventType = Between(line, "surmail-queue :", "for recipient:");
                }
            }
            if (args.Message.Length > 899) rec.Description = args.Message.Substring(0, 899);
            else rec.Description = args.Message;
            // NOTE(review): this re-reads args.Message, so the 899-character cap just applied
            // is discarded and the full message is stored — likely unintended.
            rec.Description = args.Message.Replace("'", "|");
        }
        catch (Exception e)
        {
            // Parsing failures are logged at DEBUG only; the partially filled record is still sent.
            L.Log(LogType.FILE, LogLevel.DEBUG, "ERROR------------");
            L.Log(LogType.FILE, LogLevel.DEBUG, e.Message);
            L.Log(LogType.FILE, LogLevel.DEBUG, e.StackTrace);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
        if (usingRegistry)
        {
            CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
            s.SetData(rec);
        }
        else
        {
            CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
            s.SetData(Dal, virtualhost, rec);
            s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
    }
    catch (Exception er)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
        L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
    }
}
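/// <summary>
/// Syslog event handler for the Ilbank F5 user recorder. Takes the event category from the
/// text between "F5-1" and the next ":", then fills the record either from the tmm
/// "Server:/ClientIP:/ClientPort:" fields or, for "info logger" lines, from the positional
/// ssl_acc / ssl_req tokens, and forwards it to the "Security Manager Remote Recorder".
/// Each field is parsed in its own try/catch so one bad field does not lose the others.
/// </summary>
/// <param name="args">Syslog event carrying Message and EventLogEntType; an empty Message is ignored.</param>
void SlogSyslogEvent(LogMgrEventArgs args)
{
    Rec rec = new Rec();
    try
    {
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
        L.Log(LogType.FILE, LogLevel.DEBUG, "Log: " + args.Message);
        string line = args.Message;
        if (string.IsNullOrEmpty(args.Message))
        {
            return;
        }

        char[] separator = new char[] { ' ' };
        // StringSplitOptions.None keeps empty tokens, so the positional indices below treat
        // consecutive spaces as separate fields.
        string[] lineArr = line.Split(separator, StringSplitOptions.None);
        try
        {
            rec.LogName = "IlbankF5UserV_1_0_0Recorder";
            rec.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");
            string tmpEventCategory1 = After(line, "F5-1");
            string tmpEventCategory2 = Before(tmpEventCategory1, ":");
            rec.EventCategory = tmpEventCategory2;

            if (rec.EventCategory.Contains("tmm"))
            {
                string subLine = After(line, tmpEventCategory2);
                try
                {
                    rec.CustomStr1 = After(subLine, "Server:").Split(' ')[0];
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr1: " + rec.CustomStr1);
                }
                catch (Exception exception)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr1 parsing error: " + exception.Message);
                }
                try
                {
                    rec.CustomStr3 = Between(subLine, "ClientIP:", "***", 1);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
                }
                catch (Exception exception)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr3 parsing error: " + exception.Message);
                }
                try
                {
                    rec.CustomStr4 = After(subLine, "Server:").Split(' ')[1];
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4: " + rec.CustomStr4);
                }
                catch (Exception exception)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr4 parsing error: " + exception.Message);
                }
                try
                {
                    // Last space-separated token of the sub-line; split once instead of twice.
                    string[] subTokens = subLine.Split(' ');
                    rec.CustomStr5 = subTokens[subTokens.Length - 1];
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr5: " + rec.CustomStr5);
                }
                catch (Exception exception)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr5 parsing error: " + exception.Message);
                }
                try
                {
                    rec.CustomInt3 = Convert.ToInt32(Between(subLine, "ClientPort:", "***", 0));
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt3: " + rec.CustomInt3);
                }
                catch (Exception exception)
                {
                    // A non-numeric port is recorded as 0 rather than left unset.
                    L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt3 type casting error: " + exception.Message);
                    rec.CustomInt3 = 0;
                }
            }

            if (tmpEventCategory2.Trim() == "info logger")
            {
                // The bracketed tag (Between(..., 1) — presumably the second "[...]" group)
                // selects the positional layout; it is the same for both checks below.
                string bracketTag = Between(line, "[", "]", 1);
                if (bracketTag == "ssl_acc")
                {
                    try
                    {
                        if (lineArr.Length > 15)
                        {
                            rec.CustomStr1 = lineArr[15].Replace('"', ' ').Trim();
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr1: " + rec.CustomStr1);
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr1 parsing error: " + exception.Message);
                    }
                    try
                    {
                        if (lineArr.Length > 10)
                        {
                            rec.CustomStr3 = lineArr[10];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr3 parsing error: " + exception.Message);
                    }
                    try
                    {
                        if (lineArr.Length > 11)
                        {
                            rec.CustomStr4 = lineArr[11];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4: " + rec.CustomStr4);
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr4 parsing error: " + exception.Message);
                    }
                    try
                    {
                        if (lineArr.Length > 12)
                        {
                            rec.CustomStr5 = lineArr[12];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr5: " + rec.CustomStr5);
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr5 parsing error: " + exception.Message);
                    }
                    try
                    {
                        if (lineArr.Length > 16)
                        {
                            rec.CustomStr6 = lineArr[16];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr6: " + rec.CustomStr6);
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr6 parsing error: " + exception.Message);
                    }
                    try
                    {
                        if (lineArr.Length > 17)
                        {
                            rec.CustomStr7 = lineArr[17];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr7: " + rec.CustomStr7);
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr7 parsing error: " + exception.Message);
                    }
                }
                if (bracketTag == "ssl_req")
                {
                    try
                    {
                        if (lineArr.Length > 14)
                        {
                            rec.CustomStr1 = lineArr[14].Replace('"', ' ').Trim();
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr1: " + rec.CustomStr1);
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr1 parsing error: " + exception.Message);
                    }
                    try
                    {
                        if (lineArr.Length > 13)
                        {
                            rec.CustomStr2 = lineArr[12] + " " + lineArr[13];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2: " + rec.CustomStr2);
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr2 parsing error: " + exception.Message);
                    }
                    try
                    {
                        if (lineArr.Length > 11)
                        {
                            rec.CustomStr3 = lineArr[11];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr3 parsing error: " + exception.Message);
                    }
                    try
                    {
                        if (lineArr.Length > 15)
                        {
                            rec.CustomStr6 = lineArr[15];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr6: " + rec.CustomStr6);
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr6 parsing error: " + exception.Message);
                    }
                    try
                    {
                        if (lineArr.Length > 17)
                        {
                            rec.CustomStr7 = lineArr[17];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr7: " + rec.CustomStr7);
                        }
                    }
                    catch (Exception exception)
                    {
                        L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr7 parsing error: " + exception.Message);
                    }
                }
            }
        }
        catch (Exception e)
        {
            L.Log(LogType.FILE, LogLevel.ERROR, "Log Parsing Error. " + e.Message);
        }

        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish record parsing.");
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
        try
        {
            // Cap the description first, then escape single quotes. Previously the escaped
            // full message was assigned afterwards, which silently discarded the cap.
            string description = args.Message.Length > 899 ? args.Message.Substring(0, 890) : args.Message;
            rec.Description = description.Replace("'", "|");
            // Records without a category are dropped rather than sent half-filled.
            if (!string.IsNullOrEmpty(rec.EventCategory) && !string.IsNullOrEmpty(rec.Description))
            {
                CustomServiceBase s = GetInstanceService("Security Manager Remote Recorder");
                s.SetData(Dal, virtualhost, rec);
                s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
            }
        }
        catch (Exception exception)
        {
            L.Log(LogType.FILE, LogLevel.ERROR, "Record sending error. " + exception.Message);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
    }
    catch (Exception er)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
        L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
    }
}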
/// <summary>
/// Syslog event handler for the WebSense Mail Security recorder: reads the "key=value"
/// tokens of <paramref name="args"/>.Message (dvc=, act=, src=, dst=, msg=, ...) into a
/// <see cref="CustomBase.Rec"/> and hands it to the "Security Manager Sender" (registry
/// mode) or the "Security Manager Remote Recorder". Failures are logged, never thrown.
/// </summary>
/// <param name="args">Syslog event carrying Message and EventLogEntType.</param>
void slog_SyslogEvent(LogMgrEventArgs args)
{
    L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
    L.Log(LogType.FILE, LogLevel.INFORM, " Log : " + args.Message);
    CustomBase.Rec rec = new CustomBase.Rec();
    try
    {
        try
        {
            rec.LogName = "WebSenseMailSecuritySyslogV_1_0_0Recorder";
            rec.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");
            rec.EventType = args.EventLogEntType.ToString();
            #region Description
            if (args.Message.Length > 899)
            {
                rec.Description = args.Message.Substring(0, 899);
            }
            else
            {
                rec.Description = args.Message;
            }
            // NOTE(review): this re-reads args.Message, so the 899-character cap just applied
            // is discarded and the full message is stored — likely unintended.
            rec.Description = args.Message.Replace("'", "|");
            #endregion
            string line = args.Message;
            string[] lineArr = SpaceSplit(line, true);
            try
            {
                if (lineArr.Length > 7)
                {
                    rec.SourceName = lineArr[7];
                    L.Log(LogType.FILE, LogLevel.DEBUG, "SourceName: " + rec.SourceName);
                }
            }
            catch (Exception exception)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, "SourceName Error: " + exception.Message);
            }
            try
            {
                // Token 8 is taken verbatim when it is a "|"-delimited header; otherwise the
                // value comes from the "src=" key.
                if (lineArr.Length > 8 && lineArr[8].Contains("|"))
                {
                    rec.CustomStr5 = lineArr[8];
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr5: " + rec.CustomStr5);
                }
                else
                {
                    rec.CustomStr5 = GetStringValue(lineArr, "CustomStr5", "src=");
                }
            }
            catch (Exception exception)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr5 Error: " + exception.Message);
            }
            rec.ComputerName = GetStringValue(lineArr, "ComputerName", "dvc=");
            // NOTE(review): the key below ("üşer=") looks mis-encoded; it is left untouched
            // because it is a runtime lookup key — confirm against a real log sample.
            rec.CustomStr1 = GetStringValue(lineArr, "CustomStr1", "üşer=");
            // NOTE(review): the text after "duser=" was redacted in the source ("******");
            // the original statement(s) are not recoverable from here.
            if (string.IsNullOrEmpty(rec.CustomStr1)) { rec.CustomStr1 = GetStringValue(lineArr, "CustomStr1", "duser="******"|")) { rec.EventCategory = lineArr[i].Split('|')[4]; } }
            rec.EventType = GetStringValue(lineArr, "EventType", "act=");
            rec.CustomStr2 = Between(line, "msg=", "in=");
            // NOTE(review): the text after "suser=" was redacted in the source ("******");
            // the original statement(s) are not recoverable from here.
            rec.CustomStr3 = GetStringValue(lineArr, "CustomStr3", "suser="******"CustomStr4", "dst=");
            rec.CustomStr6 = GetStringValue(lineArr, "CustomStr6", "deviceDirection=");
            rec.CustomStr7 = GetStringValue(lineArr, "CustomStr7", "deviceFacility=");
            rec.CustomInt6 = GetIntValue(lineArr, "CustomInt6", "externalId=");
            rec.CustomInt7 = GetIntValue(lineArr, "CustomInt7", "messageId=");
            rec.CustomInt8 = GetIntValue(lineArr, "CustomInt8", "rt=");
        }
        catch (Exception e)
        {
            // Parsing failures are logged; the partially filled record is still sent.
            L.Log(LogType.FILE, LogLevel.ERROR, "ERROR------------");
            L.Log(LogType.FILE, LogLevel.ERROR, e.Message);
            L.Log(LogType.FILE, LogLevel.ERROR, e.StackTrace);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
        if (usingRegistry)
        {
            CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
            s.SetData(rec);
        }
        else
        {
            CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
            s.SetData(Dal, virtualhost, rec);
            s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
    }
    catch (Exception er)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
        L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
    }
}
void slog_SyslogEvent(LogMgrEventArgs args) { CustomBase.Rec rec = new CustomBase.Rec(); try { L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record"); L.Log(LogType.FILE, LogLevel.DEBUG, "Line Is : "+ args.Message); rec.LogName = "CiscoPixFW Recorder"; rec.EventType = args.EventLogEntType.ToString(); //rec.Description = args.Message; String[] Desc = args.Message.Split(':'); if (args.Message == "") { return; } if (Desc.Length < 6) { L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 6: " + args.Message); return; } for (Int32 i = 0; i < Desc.Length; ++i) { Desc[i] = Desc[i].Trim(); } if (logType == 0) { Desc[5] = Desc[5].TrimStart('%'); String[] pixArr = Desc[5].Split('-'); if (pixArr.Length < 3) { L.Log(LogType.FILE, LogLevel.ERROR, "Error for log format --> Event id not like this format %FWSM-6-302014"); return; } String[] dateArr = SpaceSplit(Desc[2]); if (dateArr.Length < 4) { L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 4: " + args.Message); return; } try { string[] tempdate; tempdate = Desc[2].Split(' '); string date = ""; date = tempdate[2] + "/" + tempdate[1] + "/" + tempdate[3] + " " + tempdate[4] + ":" + Desc[3] + ":" + Desc[4].Split(' ')[0]; DateTime dt = DateTime.Parse(date.ToString()); rec.Datetime = dt.ToString("yyyy/MM/dd HH:mm:ss"); } catch (Exception ex) { L.Log(LogType.FILE, LogLevel.ERROR, ex.Message); L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace); } rec.EventId = Convert.ToInt64(pixArr[2]); bool errorControl = false; switch (pixArr[2]) { #region 111008 case "111008": { try { rec.UserName = SpaceSplit(Desc[6])[1].Trim('\''); rec.EventType = "Command Execution"; for (int i = 4; i < SpaceSplit(Desc[6]).Length - 1; i++) rec.CustomStr1 += " " + SpaceSplit(Desc[6])[i]; rec.CustomStr1.Trim(' ').Trim('\''); } catch (Exception ex) { L.Log(LogType.FILE, LogLevel.ERROR, "Error for 111008 "); L.Log(LogType.FILE, LogLevel.ERROR, ex.Message); L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace); errorControl = true; } } 
break; #endregion #region 106023 case "106023": { try { rec.CustomStr2 = Desc[6]; String[] arrDeny = Desc[7].Split(' '); String[] arrDenyIp = arrDeny[0].Split('/'); rec.CustomStr3 = arrDenyIp[0]; if (arrDenyIp.Length > 1) rec.CustomInt1 = Convert.ToInt32(arrDenyIp[1]); String[] arrDenyDesc = Desc[8].Split(' '); String[] arrDenyDescIp = arrDenyDesc[0].Split('/'); StringBuilder sbTempDeny = new StringBuilder(); sbTempDeny.Append(rec.CustomStr2).Append(" "); for (Int32 i = 1; i < arrDeny.Length; i++) sbTempDeny.Append(arrDeny[i]).Append(" "); rec.CustomStr2 = sbTempDeny.ToString().Trim(); rec.CustomStr4 = arrDenyDescIp[0]; if (arrDenyDescIp.Length > 1) rec.CustomInt2 = Convert.ToInt32(arrDenyDescIp[1]); StringBuilder sbTempDescDeny = new StringBuilder(); sbTempDescDeny.Append(rec.CustomStr2).Append(" "); for (Int32 i = 1; i < arrDenyDesc.Length; ++i) { sbTempDescDeny.Append(arrDenyDesc[i]).Append(" "); } sbTempDescDeny.Remove(sbTempDescDeny.Length - 1, 1); rec.CustomStr2 = sbTempDescDeny.ToString(); } catch (Exception ex) { L.Log(LogType.FILE, LogLevel.ERROR, "Error for 106023 "); L.Log(LogType.FILE, LogLevel.ERROR, ex.Message); L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace); errorControl = true; } break; } #endregion #region 302014 & 302016 case "302014": case "302016": { try { String[] arrInbound = Desc[6].Split(':'); String[] x1 = null; String[] x2 = null; String[] x3 = null; String[] x5 = null; if (arrInbound.Length > 4) { x1 = arrInbound[0].Trim().Split(' '); x2 = arrInbound[1].Trim().Split(' '); x3 = arrInbound[2].Trim().Split(' '); x5 = arrInbound[4].Trim().Split(' '); } else if (arrInbound.Length == 1 && Desc.Length > 10) { x1 = Desc[6].Split(' '); x2 = Desc[7].Split(' '); x3 = Desc[8].Split(' '); x5 = Desc[10].Split(' '); } else { } if (x1.Length > 4) { StringBuilder desc = new StringBuilder(); desc.Append(x1[0]); desc.Append(' '); desc.Append(x1[1]); desc.Append(' '); desc.Append(x1[2]); desc.Append(' '); if (x5.Length > 4) { desc.Append(x5[3]); 
desc.Append(' '); desc.Append(x5[4]); } rec.CustomStr2 = desc.ToString(); if (x1.Length > 5) { rec.CustomStr7 = x1[5].Trim(); rec.CustomStr10 = (x1[3].Trim()); } else rec.CustomStr7 = x1[4].Trim(); } if (x2.Length > 2) { String[] part2 = x2[0].Split('/'); StringBuilder dest = new StringBuilder(); for (int k = 1; k < x2.Length; k++) { dest.Append(x2[k].Trim()).Append(' '); } rec.CustomStr7 += ' ' + dest.ToString(); rec.CustomStr3 = part2[0]; if (part2.Length > 1) rec.CustomInt1 = Convert.ToInt32(part2[1].Trim()); } if (x3.Length > 2 && x5.Length > 2) { String[] part3 = x3[0].Split('/'); rec.CustomStr4 = part3[0]; rec.CustomInt2 = Convert.ToInt32(part3[1].Trim()); StringBuilder duration = new StringBuilder(); duration.Append(x3[2]); duration.Append(':'); duration.Append(Desc[9]); duration.Append(':'); duration.Append(x5[0]); rec.CustomStr8 = duration.ToString(); for (int k = 0; k < x5.Length; k++) { if (x5[k].ToString() == "bytes") { rec.CustomInt7 = Convert.ToInt32(x5[k + 1]); } } } } catch (Exception ex) { L.Log(LogType.FILE, LogLevel.ERROR, "Error for " + pixArr[2].ToString()); L.Log(LogType.FILE, LogLevel.ERROR, ex.Message); L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace); errorControl = true; } } break; #endregion #region 305011 & 305012 case "305011": case "305012": { try { String[] arrInbound = Desc[6].Split(':'); String[] x1 = null; String[] x2 = null; String[] x3 = null; x1 = Desc[6].Split(' '); x2 = Desc[7].Split(' '); x3 = Desc[8].Split(' '); if (x1.Length > 4) { StringBuilder desc = new StringBuilder(); desc.Append(x1[0]); desc.Append(' '); desc.Append(x1[1]); desc.Append(' '); desc.Append(x1[2]); desc.Append(' '); desc.Append(x1[3]); rec.CustomStr2 = desc.ToString(); if (x1.Length >= 5) { rec.CustomStr7 = x1[5].Trim(); } } if (x2.Length > 2) { String[] part2 = x2[0].Split('/'); StringBuilder dest = new StringBuilder(); for (int k = 1; k < x2.Length; k++) { dest.Append(x2[k].Trim()).Append(' '); } rec.CustomStr7 += ' ' + dest.ToString(); rec.CustomStr7 
= rec.CustomStr7.Trim(); rec.CustomStr3 = part2[0]; if (part2.Length > 1) rec.CustomInt1 = Convert.ToInt32(part2[1].Trim()); } if (x3.Length >= 1) { //NAT ADRESS String[] part3 = x3[0].Split('/'); rec.CustomStr5 = part3[0]; rec.CustomInt3 = Convert.ToInt32(part3[1].Trim()); if (x3.Length > 1) { StringBuilder duration = new StringBuilder(); duration.Append(x3[2]); duration.Append(':'); duration.Append(Desc[9]); duration.Append(':'); duration.Append(Desc[10]); rec.CustomStr8 = duration.ToString(); } } } catch (Exception ex) { L.Log(LogType.FILE, LogLevel.ERROR, "Error for " + pixArr[2].ToString()); L.Log(LogType.FILE, LogLevel.ERROR, ex.Message); L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace); errorControl = true; } } break; #endregion #region 302015 & 302013 case "302015"://Tested case "302013": { String[] arrInbound = Desc[6].Split(':'); String[] x1 = null; String[] x2 = null; String[] x3 = null; if (arrInbound.Length > 2) { x1 = arrInbound[0].Trim().Split(' '); x2 = arrInbound[1].Trim().Split(' '); x3 = arrInbound[2].Trim().Split(' '); } else if (arrInbound.Length == 1 && Desc.Length > 7) { x1 = Desc[6].Split(' '); x2 = Desc[7].Split(' '); x3 = Desc[8].Split(' '); } else { //L.Log(LogType.FILE, LogLevel.ERROR, "Error parsing message for 302013:" + args.Message); } try { if (x1.Length > 6) { StringBuilder desc = new StringBuilder(); desc.Append(x1[0]); desc.Append(' '); desc.Append(x1[1]); desc.Append(' '); desc.Append(x1[2]); desc.Append(' '); desc.Append(x1[3]); rec.CustomStr2 = desc.ToString(); rec.CustomStr10 = (x1[4].Trim()); rec.CustomStr7 = x1[6]; } if (x2.Length > 2) { StringBuilder dest = new StringBuilder(); for (int k = 2; k < x2.Length; k++) { dest.Append(x2[k].Trim()).Append(' '); } rec.CustomStr7 += ' ' + dest.ToString(); rec.CustomStr7 = rec.CustomStr7.Trim(); String[] part3 = x2[0].Split('/'); String[] part3dest = x2[1].Trim('(', ')').Split('/'); rec.CustomStr3 = part3[0].Trim(); if (part3.Length > 1) rec.CustomInt1 = 
Convert.ToInt32(part3[1].Trim()); rec.CustomStr5 = part3dest[0].Trim(); rec.CustomInt3 = Convert.ToInt32(part3dest[1].Trim()); } if (x3.Length > 1) { String[] part2 = x3[0].Split('/'); String[] part2dest = x3[1].Trim('(', ')').Split('/'); rec.CustomStr4 = part2[0].Trim(); if (part2.Length > 1) rec.CustomInt2 = Convert.ToInt32(part2[1].Trim()); rec.CustomStr6 = part2dest[0].Trim(); rec.CustomInt4 = Convert.ToInt32(part2dest[1].Trim()); } } catch (Exception ex) { L.Log(LogType.FILE, LogLevel.ERROR, "Error for " + pixArr[2].ToString()); L.Log(LogType.FILE, LogLevel.ERROR, ex.Message); L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace); errorControl = true; } } break; #endregion #region 109001 case "109001": { try { String[] arrInbound = Desc[6].Split(':'); String[] x1 = null; x1 = Desc[6].Split(' '); if (x1.Length > 4) { StringBuilder desc = new StringBuilder(); desc.Append(x1[0]); desc.Append(' '); desc.Append(x1[1]); desc.Append(' '); desc.Append(x1[2]); desc.Append(' '); desc.Append(x1[3]); rec.CustomStr2 = desc.ToString(); rec.UserName = x1[4].Trim(); int indexSource = 0; for (int i = 0; i < x1.Length; i++) { if (x1[i].Trim() == "from") { indexSource = i; break; } } String[] partsource = x1[indexSource + 1].Split('/'); rec.CustomStr3 = partsource[0]; rec.CustomInt1 = Convert.ToInt32(partsource[1].Trim()); int indexDestination = 0; for (int j = 0; j < x1.Length; j++) { if (x1[j].Trim() == "to") { indexDestination = j; break; } } String[] partdestination = x1[indexDestination + 1].Split('/'); rec.CustomStr4 = partdestination[0]; rec.CustomInt2 = Convert.ToInt32(partdestination[1].Trim()); } } catch (Exception ex) { L.Log(LogType.FILE, LogLevel.ERROR, "Error for " + pixArr[2].ToString()); L.Log(LogType.FILE, LogLevel.ERROR, ex.Message); L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace); errorControl = true; } } break; #endregion #region 106021 case "106021": { try { String[] arrDeny = Desc[6].Split(' '); rec.CustomStr3 = arrDeny[6]; rec.CustomStr4 = arrDeny[8]; 
rec.CustomStr2 = arrDeny[0] + " " + arrDeny[1] + " " + arrDeny[2] + " " + arrDeny[3]; rec.CustomStr7 = arrDeny[11].Trim(); } catch (Exception ex) { L.Log(LogType.FILE, LogLevel.ERROR, "Error for " + pixArr[2].ToString()); L.Log(LogType.FILE, LogLevel.ERROR, ex.Message); L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace); errorControl = true; } } break; #endregion #region 111001 & 111002 & 111003 & 111004 & 111005 & 111006 & 111007 case "111001": case "111002": case "111003": case "111004": case "111005": case "111006": case "111007": { try { rec.EventType = "Admin Action"; string message = ""; for (int i = 6; i < Desc.Length; i++) { message += " " + Desc[i]; } rec.CustomStr7 = message.Trim(); } catch (Exception ex) { L.Log(LogType.FILE, LogLevel.ERROR, "Error for " + pixArr[2].ToString()); L.Log(LogType.FILE, LogLevel.ERROR, ex.Message); L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace); errorControl = true; } } break; #endregion #region 106015 & 106028 & 302020 & 302021 case "106015": case "106028": //yeni eklendi case "302020": case "302021": { try { String[] arrInbound = Desc[6].Split(' '); Int32 firstIp = 0; Int32 secondIp = 0; bool first = true; for (Int32 i = 0; i < arrInbound.Length; i++) { if (arrInbound[i].Contains("/")) { if (first) { firstIp = i; first = false; } else { secondIp = i; break; } } } StringBuilder customStr7 = new StringBuilder(); rec.CustomStr2 = arrInbound[0] + " " + arrInbound[1]; for (Int32 i = 2; i < firstIp - 1; i++) { customStr7.Append(arrInbound[i]).Append(" "); } rec.CustomStr7 = customStr7.ToString().Trim(); String[] arrInboundIp = arrInbound[firstIp].Split('/'); if (arrInboundIp[0].Contains("-")) { rec.CustomStr3 = arrInboundIp[0].Split('-')[1].Trim(); } else { rec.CustomStr3 = arrInboundIp[0]; } rec.CustomInt1 = Convert.ToInt32(arrInboundIp[1]); StringBuilder customStr6 = new StringBuilder(); for (Int32 i = secondIp + 1; i < arrInbound.Length; i++) { customStr6.Append(arrInbound[i]).Append(" "); } rec.CustomStr7 += " " + 
customStr6.ToString().Trim(); String[] arrInboundDescIp = arrInbound[secondIp].Split('/'); rec.CustomStr4 = arrInboundDescIp[0]; rec.CustomInt2 = Convert.ToInt32(arrInboundDescIp[1]); } catch (Exception ex) { L.Log(LogType.FILE, LogLevel.ERROR, "Error for " + pixArr[2].ToString()); L.Log(LogType.FILE, LogLevel.ERROR, ex.Message); L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace); errorControl = true; } } break; #endregion #region 313004 case "313004": { try { String[] arrInbound = Desc[6].Split(' '); String[] x1 = null; x1 = Desc[6].Split(' '); if (x1.Length > 4) { rec.CustomStr2 = x1[0] + " " + x1[1]; rec.CustomStr6 = x1[2].Trim().Split('=')[1].Trim(','); int indexfrom = 0; for (int i = 3; i < x1.Length; i++) { if (x1[i].Trim() == "from") { indexfrom = i; break; } } int indexto = 0; for (int j = 0; j < x1.Length; j++) { if (x1[j].Trim() == "to") { indexto = j; break; } } int indexon = 0; for (int k = 0; k < x1.Length; k++) { if (x1[k].Trim().Contains("on")) { if (x1[k].Trim() == "on" && x1[k + 1] == "interface") { indexon = k; } if (x1[k].Trim() == "oninterface") { indexon = k; } } } string sourceip = ""; for (int g = indexfrom + 1; g < indexon; g++) { sourceip += " " + x1[g]; } sourceip = sourceip.Trim(); if (sourceip.Contains(" ")) { string[] tempsourceip = sourceip.Split(' '); if (tempsourceip.Length > 1) { sourceip = tempsourceip[tempsourceip.Length - 1]; } } rec.CustomStr3 = sourceip; string interfacename = ""; for (int y = indexon + 1; y < indexto; y++) { if (x1[y].Trim() == "interface") { continue; } interfacename += " " + x1[y]; } interfacename = interfacename.Trim(); rec.CustomStr7 = interfacename; string destinationip = x1[indexto + 1].Trim(); rec.CustomStr4 = destinationip; rec.CustomStr5 = Desc[7]; } } catch (Exception ex) { L.Log(LogType.FILE, LogLevel.ERROR, "Error for " + pixArr[2].ToString()); L.Log(LogType.FILE, LogLevel.ERROR, ex.Message); L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace); errorControl = true; } } break; #endregion #region 
710003 case "710003": { try { String[] x1 = null; x1 = Desc[6].Split(' '); rec.CustomStr2 = x1[0] + " " + x1[1] + " " + x1[2]; int indexfrom = 0; for (int i = 3; i < x1.Length; i++) { if (x1[i].Trim() == "from") { indexfrom = i; break; } } string sourceip = x1[indexfrom + 1]; string sourceport = "0"; if (sourceip.Contains("/")) { string[] source = sourceip.Split('/'); sourceip = source[0]; sourceport = source[1]; } rec.CustomStr3 = sourceip.Trim(); rec.CustomInt1 = Convert.ToInt32(sourceport); String[] arrDeny = Desc[7].Split(' '); String[] arrDenyIp = arrDeny[0].Split('/'); rec.CustomStr4 = arrDenyIp[0]; if (arrDenyIp.Length > 1) rec.CustomInt2 = Convert.ToInt32(arrDenyIp[1]); } catch (Exception ex) { L.Log(LogType.FILE, LogLevel.ERROR, "Error for " + pixArr[2].ToString()); L.Log(LogType.FILE, LogLevel.ERROR, ex.Message); L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace); errorControl = true; } } break; #endregion #region 405001 case "405001": { try { String[] arrInbound = Desc[6].Split(' '); String[] x1 = null; x1 = Desc[6].Split(' '); if (x1.Length > 4) { int indexfrom = 0; for (int i = 0; i < x1.Length; i++) { if (x1[i].Trim() == "from") { indexfrom = i; break; } } string customstr2 = ""; for (int g = 0; g < indexfrom; g++) { customstr2 += ' ' + x1[g]; } customstr2 = customstr2.Trim(); rec.CustomStr2 = customstr2; string sourceipandmacaddress = ""; string sourceip = ""; string sourcemac = ""; sourceipandmacaddress = x1[indexfrom + 1]; if (sourceipandmacaddress.Contains("/")) { sourceip = sourceipandmacaddress.Split('/')[0].Trim(); sourcemac = sourceipandmacaddress.Split('/')[1].Trim(); } rec.CustomStr3 = sourceip; rec.CustomStr8 = sourcemac; int indexon = 0; for (int k = 0; k < x1.Length; k++) { if (x1[k].Trim().Contains("on")) { if (x1[k].Trim() == "on" && x1[k + 1] == "interface") { indexon = k + 1; break; } if (x1[k].Trim() == "oninterface") { indexon = k; break; } } } string interfacename = ""; interfacename = x1[indexon + 1].Trim(); rec.CustomStr7 = 
interfacename; } } catch (Exception ex) { L.Log(LogType.FILE, LogLevel.ERROR, "Error for " + pixArr[2].ToString()); L.Log(LogType.FILE, LogLevel.ERROR, ex.Message); L.Log(LogType.FILE, LogLevel.ERROR, ex.StackTrace); errorControl = true; } } break; #endregion default: L.Log(LogType.FILE, LogLevel.DEBUG, "No match for the mesage: " + args.Message); rec.Description = args.Message; break; } if (errorControl) { rec.Description = args.Message.ToString(); } } else if (logType == 0) { } rec.SourceName = Desc[0]; L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record"); L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data"); if (usingRegistry) { CustomServiceBase s = base.GetInstanceService("Security Manager Sender"); s.SetData(rec); } else { CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder"); s.SetData(Dal, virtualhost, rec); s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime); } L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data"); } catch (Exception er) { L.Log(LogType.FILE, LogLevel.ERROR, er.ToString()); L.Log(LogType.FILE, LogLevel.ERROR, args.Message); } }
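/// <summary>
/// Handles one CheckPoint syslog line. The action keyword at whitespace token 6
/// (encrypt, allow, monitor, accept, HTTPS, logout, authcrypt, block, drop, ctl)
/// selects which "key: value" pairs are mapped onto the record; the record is then
/// handed to the configured sender. A parse failure is logged and the record is
/// still sent with whatever was extracted (at minimum LogName, Datetime and the
/// raw line in Description).
/// </summary>
/// <param name="args">Syslog event. Message is the raw line; EventLogEntType is only logged on failure.</param>
void slog_SyslogEvent(LogMgrEventArgs args)
{
    CustomBase.Rec rec = new CustomBase.Rec();
    // A null Message used to throw inside the inner try; treat it as an empty line.
    string line = args.Message ?? string.Empty;
    try
    {
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
        try
        {
            rec.LogName = "CheckPointSyslogV_1_0_0Recorder";
            // Receive time, not the firewall's own timestamp.
            rec.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");

            // Description holds at most 899 characters; the overflow goes to
            // CustomStr10 (which the allow/ctl actions later replace with "resource").
            string description = line;
            if (line.Length > 899)
            {
                description = line.Substring(0, 899);
                rec.CustomStr10 = line.Substring(899);
            }
            // The quote replacement runs on the truncated text. Previously Description
            // was reassigned from the full message here, which undid the 899-char cap.
            // NOTE(review): swapping "'" for "|" is not a substitute for parameterized
            // statements in the sender; every other field below (src/dst, user names,
            // resource) carries raw log text unmodified — confirm SetData parameterizes.
            rec.Description = description.Replace("'", "|");

            // lineArr: whitespace tokens (token 6 = action, 7 = reporting host).
            // subLineArr: ':'-delimited tokens, read as "key" followed by "value".
            string[] lineArr = line.Split((char[])null, StringSplitOptions.RemoveEmptyEntries);
            string[] subLineArr = line.Split(':');

            if (lineArr.Length > 6)
            {
                string action = lineArr[6];
                rec.EventCategory = action;
                CpParseAction(rec, action, line, lineArr, subLineArr);
            }
            else
            {
                // Too short to carry an action; only the header fields are recorded.
                L.Log(LogType.FILE, LogLevel.DEBUG, "No action token in line: " + line);
            }
        }
        catch (Exception e)
        {
            // NOTE(review): a failed parse means src/dst/user are missing from the
            // stored record; DEBUG level hides that in production — consider ERROR.
            L.Log(LogType.FILE, LogLevel.DEBUG, "ERROR------------" + line);
            L.Log(LogType.FILE, LogLevel.DEBUG, e.Message);
            L.Log(LogType.FILE, LogLevel.DEBUG, e.StackTrace);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
        if (usingRegistry)
        {
            CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
            s.SetData(rec);
        }
        else
        {
            CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
            s.SetData(Dal, virtualhost, rec);
            s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
    }
    catch (Exception er)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
        L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
    }
}

/// <summary>
/// Fills the action-specific fields of <paramref name="rec"/>. Column mapping is the
/// recorder's existing convention: src → CustomStr3, dst → CustomStr4, proto → EventType,
/// src_user_name → CustomStr1/UserName, app_* → CustomStr5..9, resource → CustomStr2/10.
/// Each action keeps exactly the key set and matching rule it had before; the loops
/// stop one short of the end because a key in the last token can have no value
/// (that used to throw IndexOutOfRange and abort the rest of the parse).
/// </summary>
private void CpParseAction(CustomBase.Rec rec, string action, string line, string[] lineArr, string[] subLineArr)
{
    switch (action)
    {
        case "encrypt":
            L.Log(LogType.FILE, LogLevel.DEBUG, "encrypt record started.");
            CpSetSource(rec, lineArr, 7);
            rec.CustomStr3 = Between(line, "src:", "dst:").Replace(':', ' ').Trim();
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3:" + rec.CustomStr3);
            rec.CustomStr4 = Between(line, "dst:", "proto:").Replace(':', ' ').Trim();
            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4:" + rec.CustomStr4);
            break;

        case "monitor":
            CpSetSource(rec, lineArr, 7);
            rec.EventType = Between(line, "proto:", "product:").Replace(':', ' ').Trim();
            rec.CustomStr3 = Between(line, "src:", "dst:").Replace(':', ' ').Trim();
            rec.CustomStr4 = Between(line, "dst:", "proto:").Replace(':', ' ').Trim();
            rec.CustomStr5 = Between(line, "product:", "service:").Replace(':', ' ').Trim();
            rec.CustomStr6 = Between(line, "service:", "s_port:").Replace(':', ' ').Trim();
            break;

        case "allow":
            L.Log(LogType.FILE, LogLevel.DEBUG, "allow record started.");
            CpSetSource(rec, lineArr, 7);
            CpSetResource(rec, line);
            for (int i = 0; i + 1 < subLineArr.Length; i++)
            {
                string key = subLineArr[i].Trim();
                string value = subLineArr[i + 1];
                if (key == "src_user_name") CpSetUser(rec, value);
                else if (key == "src") rec.CustomStr3 = value;
                else if (key == "dst") rec.CustomStr4 = value;
                else CpSetAppField(rec, key, value);
            }
            break;

        case "accept":
            CpSetSource(rec, lineArr, 7);
            for (int i = 0; i + 1 < subLineArr.Length; i++)
            {
                string key = subLineArr[i].Trim();
                string value = subLineArr[i + 1];
                if (key == "proto")
                {
                    rec.EventType = value;
                    L.Log(LogType.FILE, LogLevel.DEBUG, "EventType: " + rec.EventType);
                }
                else if (key == "src_user_name")
                {
                    CpSetUser(rec, value);
                }
                else if (key == "src")
                {
                    rec.CustomStr3 = value;
                    // The old debug line here indexed lineArr with the subLineArr
                    // counter and could throw, aborting the remaining fields.
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
                }
                else if (key == "dst")
                {
                    rec.CustomStr4 = value;
                }
            }
            break;

        case "HTTPS":
            // Two-word category ("HTTPS <verb>"), so the reporting host is token 8.
            if (lineArr.Length > 8)
            {
                rec.EventCategory = lineArr[6] + " " + lineArr[7];
                rec.SourceName = lineArr[8];
            }
            for (int i = 0; i + 1 < subLineArr.Length; i++)
            {
                string key = subLineArr[i].Trim();
                string value = subLineArr[i + 1];
                if (key == "proto")
                {
                    rec.EventType = value;
                    L.Log(LogType.FILE, LogLevel.DEBUG, "EventType: " + rec.EventType);
                }
                else if (key == "src") rec.CustomStr3 = value;
                else if (key == "dst") rec.CustomStr4 = value;
                else if (key == "app_category") rec.CustomStr6 = value;
                else if (key == "matched_category") rec.CustomStr7 = value;
            }
            break;

        case "logout":
            CpSetSource(rec, lineArr, 7);
            for (int i = 0; i + 1 < subLineArr.Length; i++)
            {
                string key = subLineArr[i].Trim();
                string value = subLineArr[i + 1];
                if (CpEndsWithKey(subLineArr[i], "src")) rec.CustomStr3 = value;
                else if (key == "src_user_name") CpSetUser(rec, value);
                else if (key == "duration") rec.CustomStr4 = value; // session length, not a dst
            }
            break;

        case "authcrypt":
            CpSetSource(rec, lineArr, 7);
            for (int i = 0; i + 1 < subLineArr.Length; i++)
            {
                string key = subLineArr[i].Trim();
                string value = subLineArr[i + 1];
                if (key == "src") rec.CustomStr3 = value;
                else if (key == "src_user_name") CpSetUser(rec, value);
                else if (key == "roles") rec.CustomStr4 = value;
                else if (key == "auth_status") rec.CustomStr2 = value;
            }
            break;

        case "drop":
            // The original had this region twice, byte-identical; once is enough.
            CpSetSource(rec, lineArr, 7);
            for (int i = 0; i + 1 < subLineArr.Length; i++)
            {
                string key = subLineArr[i].Trim();
                string value = subLineArr[i + 1];
                if (CpEndsWithKey(subLineArr[i], "src")) rec.CustomStr3 = value;
                else if (CpEndsWithKey(subLineArr[i], "dst")) rec.CustomStr4 = value;
                else if (key == "proto") rec.EventType = value;
            }
            break;

        case "block":
        case "ctl":
            CpSetSource(rec, lineArr, 7);
            if (action == "ctl")
            {
                CpSetResource(rec, line);
            }
            for (int i = 0; i + 1 < subLineArr.Length; i++)
            {
                string key = subLineArr[i].Trim();
                string value = subLineArr[i + 1];
                if (key == "src_user_name") CpSetUser(rec, value);
                else if (CpEndsWithKey(subLineArr[i], "src")) rec.CustomStr3 = value;
                else if (CpEndsWithKey(subLineArr[i], "dst")) rec.CustomStr4 = value;
                else if (key == "proto") rec.EventType = value;
                else CpSetAppField(rec, key, value);
            }
            break;

        default:
            L.Log(LogType.FILE, LogLevel.DEBUG, "No field mapping for action: " + action);
            break;
    }
}

/// <summary>
/// True when the ':'-delimited token names <paramref name="key"/> — either the whole
/// token (trimmed) or its last space-separated word, which is how the key appears
/// when the preceding value contains spaces ("... 10.0.0.1 dst").
/// </summary>
private static bool CpEndsWithKey(string token, string key)
{
    if (token.Trim() == key)
    {
        return true;
    }
    string[] words = token.Split(' ');
    return words[words.Length - 1] == key;
}

/// <summary>Sets SourceName from the reporting-host token when the line has one.</summary>
private void CpSetSource(CustomBase.Rec rec, string[] lineArr, int index)
{
    if (lineArr.Length > index)
    {
        rec.SourceName = lineArr[index];
        L.Log(LogType.FILE, LogLevel.DEBUG, "SourceName:" + rec.SourceName);
    }
}

/// <summary>
/// Application-control keys shared by allow/block/ctl. Returns true when
/// <paramref name="key"/> was one of them.
/// </summary>
private static bool CpSetAppField(CustomBase.Rec rec, string key, string value)
{
    switch (key)
    {
        case "app_desc": rec.CustomStr5 = value; return true;
        case "app_category": rec.CustomStr6 = value; return true;
        case "matched_category": rec.CustomStr7 = value; return true;
        case "app_risk": rec.CustomStr8 = value; return true;
        case "app_rule_name": rec.CustomStr9 = value; return true;
    }
    return false;
}

/// <summary>
/// "src_user_name" value, presumably "Display Name (account)" given the split on
/// parentheses — TODO confirm against a real line. CustomStr1 gets the part before
/// the parenthesis, UserName the part inside. Values without both parts are logged
/// and left alone instead of throwing.
/// </summary>
private void CpSetUser(CustomBase.Rec rec, string value)
{
    string[] parts = value.Split(new char[] { '(', ')' }, StringSplitOptions.RemoveEmptyEntries);
    if (parts.Length > 1)
    {
        rec.CustomStr1 = parts[0];
        rec.UserName = parts[1];
    }
    else
    {
        L.Log(LogType.FILE, LogLevel.DEBUG, "src_user_name without (account) part: " + value);
    }
}

/// <summary>
/// "resource:" value → CustomStr10 raw (this replaces the Description overflow
/// stored there earlier) and CustomStr2 = "&lt;scheme:&gt;//&lt;host&gt;" rebuilt from
/// the first two '/'-separated parts. Lines without a host part are logged.
/// </summary>
private void CpSetResource(CustomBase.Rec rec, string line)
{
    string resource = Between(line, "resource:", "product:") ?? string.Empty;
    rec.CustomStr10 = resource;
    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr10:" + rec.CustomStr10);
    string[] resourceArr = resource.Split(new char[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
    if (resourceArr.Length > 1)
    {
        rec.CustomStr2 = resourceArr[0] + @"//" + resourceArr[1];
        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2:" + rec.CustomStr2);
    }
    else
    {
        L.Log(LogType.FILE, LogLevel.DEBUG, "resource has no host part: " + resource);
    }
}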
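/// <summary>
/// Handles one Cisco 6500 syslog line. The "facility.severity" token at index 2
/// selects the field layout (notice/debug/warning/error, see the per-severity
/// helpers); each layout maps fixed token positions onto the record. Short or
/// unrecognised lines are recorded with the header fields only, and the record is
/// always sent.
/// </summary>
/// <param name="args">Syslog event; Message, Source and EventLogEntType are read.</param>
void slog_SyslogEvent(LogMgrEventArgs args)
{
    CustomBase.Rec rec = new CustomBase.Rec();
    try
    {
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
        try
        {
            string message = args.Message ?? string.Empty;
            rec.LogName = "CiscoV6500_1_0SyslogRecorder";
            // Receive time. Note the dash format differs from the sibling recorders' "yyyy/MM/dd".
            rec.Datetime = DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss");
            rec.EventType = args.EventLogEntType.ToString();
            // Description column takes at most 899 characters.
            rec.Description = message.Length > 899 ? message.Substring(0, 899) : message;
            L.Log(LogType.FILE, LogLevel.DEBUG, " Source Is : " + args.Source);
            rec.SourceName = args.Source;
            L.Log(LogType.FILE, LogLevel.INFORM, " Log : " + message);

            string[] lineArr = SpaceSplit(message, false);
            if (lineArr.Length > 0)
            {
                rec.ComputerName = lineArr[0];
                L.Log(LogType.FILE, LogLevel.DEBUG, " ComputerName : " + rec.ComputerName);
            }

            // Token 2 is "facility.severity". The severity picks the layout and also
            // replaces SourceName (existing behaviour, kept). Previously lineArr[2]
            // was read without a length check.
            if (lineArr.Length > 2 && lineArr[2].Contains("."))
            {
                string severity = lineArr[2].Split('.')[1];
                switch (severity)
                {
                    case "notice":
                        L.Log(LogType.FILE, LogLevel.DEBUG, " !! Notice Mode !!");
                        Cisco6500Notice(rec, lineArr, severity);
                        break;
                    case "debug":
                        L.Log(LogType.FILE, LogLevel.DEBUG, " !! Debug Mode !!");
                        Cisco6500Debug(rec, lineArr, severity);
                        break;
                    case "warning":
                        L.Log(LogType.FILE, LogLevel.DEBUG, " !! Warning Mode !!");
                        Cisco6500Warning(rec, lineArr, severity);
                        break;
                    case "error":
                        L.Log(LogType.FILE, LogLevel.DEBUG, " !! Error Mode !!");
                        Cisco6500Error(rec, lineArr, message, severity);
                        break;
                    default:
                        L.Log(LogType.FILE, LogLevel.DEBUG, " No field mapping for severity: " + severity);
                        break;
                }
            }
            else
            {
                L.Log(LogType.FILE, LogLevel.DEBUG, " No facility.severity token, header fields only.");
            }
        }
        catch (Exception e)
        {
            // NOTE(review): a failed parse leaves src/dst empty in the stored record;
            // DEBUG level hides that in production — consider ERROR.
            L.Log(LogType.FILE, LogLevel.DEBUG, "ERROR------------");
            L.Log(LogType.FILE, LogLevel.DEBUG, e.Message);
            L.Log(LogType.FILE, LogLevel.DEBUG, e.StackTrace);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
        if (usingRegistry)
        {
            CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
            s.SetData(rec);
        }
        else
        {
            CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
            s.SetData(Dal, virtualhost, rec);
            s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
    }
    catch (Exception er)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
        L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
    }
}

/// <summary>
/// Parses a port/counter field. Returns 0 and logs when the text is not an integer;
/// the previous Convert.ToInt32 threw on a malformed field and aborted every field
/// after it.
/// </summary>
private int Cisco6500Int(string text, string field)
{
    int value;
    if (int.TryParse((text ?? string.Empty).Trim(), out value))
    {
        return value;
    }
    L.Log(LogType.FILE, LogLevel.DEBUG, " " + field + " is not numeric: " + text);
    return 0;
}

/// <summary>
/// notice layout: [8] → CustomStr3, [9]+[10] → EventType, [11] = "&lt;CustomStr4&gt;:/&lt;rest&gt;"
/// where rest is stored in CustomStr5 (first 900 chars) and CustomStr6 (remainder).
/// </summary>
private void Cisco6500Notice(CustomBase.Rec rec, string[] lineArr, string severity)
{
    rec.SourceName = severity;
    L.Log(LogType.FILE, LogLevel.DEBUG, " SourceName : " + rec.SourceName);
    if (lineArr.Length > 10)
    {
        rec.EventType = lineArr[9] + lineArr[10];
        L.Log(LogType.FILE, LogLevel.DEBUG, " EventType : " + rec.EventType);
    }
    if (lineArr.Length > 8)
    {
        rec.CustomStr3 = lineArr[8];
        L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr3 : " + rec.CustomStr3);
    }
    if (lineArr.Length > 11)
    {
        rec.CustomStr4 = Before(lineArr[11], ":/");
        L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr4 : " + rec.CustomStr4);
        string rest = After(lineArr[11], ":/") ?? string.Empty;
        if (rest.Length > 900)
        {
            rec.CustomStr5 = rest.Substring(0, 900);
            rec.CustomStr6 = rest.Substring(900);
            L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr6 : " + rec.CustomStr6);
        }
        else
        {
            rec.CustomStr5 = rest;
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr5 : " + rec.CustomStr5);
    }
}

/// <summary>
/// debug layout: [8] → EventCategory, [11] → EventType, [9] → CustomStr1,
/// [12] = "…/&lt;CustomStr3&gt;(&lt;CustomInt3&gt;)", [14] = "&lt;CustomStr5&gt;/&lt;CustomStr4&gt;(&lt;CustomInt4&gt;)".
/// </summary>
private void Cisco6500Debug(CustomBase.Rec rec, string[] lineArr, string severity)
{
    rec.SourceName = severity;
    L.Log(LogType.FILE, LogLevel.DEBUG, " SourceName : " + rec.SourceName);
    if (lineArr.Length > 8)
    {
        rec.EventCategory = lineArr[8];
        L.Log(LogType.FILE, LogLevel.DEBUG, " EventCategory : " + rec.EventCategory);
    }
    if (lineArr.Length > 11)
    {
        rec.EventType = lineArr[11];
        L.Log(LogType.FILE, LogLevel.DEBUG, " EventType : " + rec.EventType);
    }
    if (lineArr.Length > 9)
    {
        rec.CustomStr1 = lineArr[9];
        L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr1 : " + rec.CustomStr1);
    }
    if (lineArr.Length > 12)
    {
        rec.CustomStr3 = Between(lineArr[12], "/", "(");
        rec.CustomInt3 = Cisco6500Int(Between(lineArr[12], "(", ")"), "CustomInt3");
        L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr3 : " + rec.CustomStr3 + " CustomInt3 : " + rec.CustomInt3);
    }
    if (lineArr.Length > 14)
    {
        rec.CustomStr4 = Between(lineArr[14], "/", "(");
        rec.CustomStr5 = Before(lineArr[14], "/");
        rec.CustomInt4 = Cisco6500Int(Between(lineArr[14], "(", ")"), "CustomInt4");
        L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr4 : " + rec.CustomStr4 + " CustomStr5 : " + rec.CustomStr5 + " CustomInt4 : " + rec.CustomInt4);
    }
}

/// <summary>
/// warning layout: [8] → EventCategory, [9] → EventType, [16] (quotes stripped) → CustomStr1,
/// [11] = "&lt;CustomStr2&gt;:&lt;CustomStr3&gt;/&lt;CustomInt3&gt;", [13] = "&lt;CustomStr5&gt;:&lt;CustomStr4&gt;/&lt;CustomInt4&gt;".
/// </summary>
private void Cisco6500Warning(CustomBase.Rec rec, string[] lineArr, string severity)
{
    rec.SourceName = severity;
    L.Log(LogType.FILE, LogLevel.DEBUG, " SourceName : " + rec.SourceName);
    if (lineArr.Length > 8)
    {
        rec.EventCategory = lineArr[8];
        L.Log(LogType.FILE, LogLevel.DEBUG, " EventCategory : " + rec.EventCategory);
    }
    if (lineArr.Length > 9)
    {
        rec.EventType = lineArr[9];
        L.Log(LogType.FILE, LogLevel.DEBUG, " EventType : " + rec.EventType);
    }
    if (lineArr.Length > 16)
    {
        rec.CustomStr1 = lineArr[16].Replace('"', ' ').Trim();
        L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr1 : " + rec.CustomStr1);
    }
    if (lineArr.Length > 11)
    {
        rec.CustomStr2 = Before(lineArr[11], ":");
        rec.CustomStr3 = Between(lineArr[11], ":", "/");
        rec.CustomInt3 = Cisco6500Int(After(lineArr[11], "/"), "CustomInt3");
        L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr2 : " + rec.CustomStr2 + " CustomStr3 : " + rec.CustomStr3 + " CustomInt3 : " + rec.CustomInt3);
    }
    if (lineArr.Length > 13)
    {
        rec.CustomStr4 = Between(lineArr[13], ":", "/");
        rec.CustomStr5 = Before(lineArr[13], ":");
        rec.CustomInt4 = Cisco6500Int(After(lineArr[13], "/"), "CustomInt4");
        L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr4 : " + rec.CustomStr4 + " CustomStr5 : " + rec.CustomStr5 + " CustomInt4 : " + rec.CustomInt4);
    }
}

/// <summary>
/// error layout, two variants. "Denied ICMP" lines: [8] → EventCategory, [9] → EventType,
/// [16] → CustomStr2, [13] → CustomStr3. Any other error line: [10] → EventCategory,
/// [8] → EventType, [14] = "&lt;CustomStr3&gt;/&lt;CustomInt3&gt;", [16] = "&lt;CustomStr5&gt;:&lt;CustomStr4&gt;/&lt;CustomInt4&gt;".
/// The second variant previously indexed tokens 8/10/14/16 with no length check.
/// </summary>
private void Cisco6500Error(CustomBase.Rec rec, string[] lineArr, string message, string severity)
{
    rec.SourceName = severity;
    L.Log(LogType.FILE, LogLevel.DEBUG, " SourceName : " + rec.SourceName);
    if (message.Contains("Denied ICMP"))
    {
        L.Log(LogType.FILE, LogLevel.DEBUG, " !! Error Mode 1 !!");
        if (lineArr.Length > 8)
        {
            rec.EventCategory = lineArr[8];
            L.Log(LogType.FILE, LogLevel.DEBUG, " EventCategory : " + rec.EventCategory);
        }
        if (lineArr.Length > 9)
        {
            rec.EventType = lineArr[9];
            L.Log(LogType.FILE, LogLevel.DEBUG, " EventType : " + rec.EventType);
        }
        if (lineArr.Length > 16)
        {
            rec.CustomStr2 = lineArr[16];
            L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr2 : " + rec.CustomStr2);
        }
        if (lineArr.Length > 13)
        {
            rec.CustomStr3 = lineArr[13];
            L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr3: " + rec.CustomStr3);
        }
    }
    else
    {
        L.Log(LogType.FILE, LogLevel.DEBUG, " !! Error Mode 2 !!");
        if (lineArr.Length > 10)
        {
            rec.EventCategory = lineArr[10];
            L.Log(LogType.FILE, LogLevel.DEBUG, " EventCategory : " + rec.EventCategory);
        }
        if (lineArr.Length > 8)
        {
            rec.EventType = lineArr[8];
            L.Log(LogType.FILE, LogLevel.DEBUG, " EventType : " + rec.EventType);
        }
        if (lineArr.Length > 14)
        {
            rec.CustomStr3 = Before(lineArr[14], "/");
            rec.CustomInt3 = Cisco6500Int(After(lineArr[14], "/"), "CustomInt3");
            L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr3 : " + rec.CustomStr3 + " CustomInt3 : " + rec.CustomInt3);
        }
        if (lineArr.Length > 16)
        {
            rec.CustomStr4 = Between(lineArr[16], ":", "/");
            rec.CustomStr5 = Before(lineArr[16], ":");
            rec.CustomInt4 = Cisco6500Int(After(lineArr[16], "/"), "CustomInt4");
            L.Log(LogType.FILE, LogLevel.DEBUG, " CustomStr4 : " + rec.CustomStr4 + " CustomStr5 : " + rec.CustomStr5 + " CustomInt4 : " + rec.CustomInt4);
        }
    }
}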
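/// <summary>
/// Handles one Symantec Brightmail syslog line. ecelerity/bmserver lines carry a
/// '|'-delimited payload after the process token ("&lt;epoch&gt;|&lt;msg id&gt;|&lt;CATEGORY&gt;|fields…");
/// xinetd lines carry "START: &lt;service&gt; pid=&lt;n&gt; from=&lt;ip&gt;". Token positions follow
/// the sample lines below. The record is sent even when the payload cannot be parsed;
/// the raw line is always in Description.
/// </summary>
/// <param name="args">Syslog event; Message, Source and EventLogEntType are read.</param>
void slog_SyslogEvent(LogMgrEventArgs args)
{
    CustomBase.Rec rec = new CustomBase.Rec();
    try
    {
        // A null Message used to fall through and throw on Split; it is skipped like "".
        if (string.IsNullOrEmpty(args.Message))
        {
            L.Log(LogType.FILE, LogLevel.INFORM, "Message is null.");
            return;
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
        // Sample lines. The first is a different export format (no "ip:port" token) and
        // yields no payload; the others are what the parser below expects.
        //2011-01-03 13:27:05 Local1.Info 192.168.2.80 Jan 3 13:28:08 brightmail ecelerity: 1294054057|c0a80250-b7b7aae000007fcf-ca-4d21b2a946ae|ACCEPT|209.85.216.191:42532
        //192.168.2.80:45924 : local1.info Feb 17 14:28:25 brightmail ecelerity: 1297945705|c0a80250-b7b6bae000000e0e-f8-4d5d1460c093|DELIVERY_FAILURE|550 5.4.4 [internal] null mx domain does not accept mail|[email protected]
        //192.168.2.80:45924 : local1.info Feb 17 14:24:12 brightmail ecelerity: 1297945452|c0a80250-b7b6bae000000e0e-a0-4d5d136b012b|ORCPTS|[email protected]
        //*192.168.2.80:48626 : local1.info Mar 1 16:51:34 brightmail ecelerity: 1298991094|c0a80250-b7b8aae000000cca-18-4d65f5d052d6|DELIVERY_FAILURE|554 5.4.7 [internal] exceeded max time without delivery|[email protected]
        //*192.168.2.80:48626 : local1.info Mar 1 16:53:35 brightmail bmserver: 1298991215|c0a80250-b7ce9ae000000cc1-bf-4d6d086e8648|MSGID| <*****@*****.**>
        //*192.168.2.80:48626 : local1.info Mar 1 16:48:42 brightmail bmserver: 1298990922|c0a80250-b7ce9ae000000cc1-5e-4d6d072bac0f|ATTACH|image001.jpg|kalite y??netimi ve saha i??nceleme raporu no.12.pdf
        //*192.168.2.80:55252 : local1.info Feb 23 14:03:48 brightmail bmserver: 1298462628|c0a80250-b7b8aae000000cca-87-4d64f73e0192|ATTACHFILTER|_bbg.exe
        //192.168.2.80:46689 : security2.info Feb 18 10:57:05 brightmail xinetd[2225]: START: https pid=6620 from=192.168.111.66
        //192.168.2.80:54229 : security2.info Feb 18 11:58:50 brightmail xinetd[2225]: START: https pid=13836 from=192.168.111.66
        //192.168.2.80:47547 : local1.info May 5 12:05:33 brightmail ecelerity: 1304586333|c0a80250-b7cb8ae000003006-fb-4dc2681d68ec|DELIVERY_FAILURE|554 5.4.4 [internal] domain lookup failed|[email protected]
        string[] parts = args.Message.Split(new char[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
        rec.LogName = "SymantecBrightmailRecorder";
        rec.SourceName = args.Source;
        rec.EventType = args.EventLogEntType.ToString();
        // NOTE(review): not capped at 899 chars like the sibling recorders — confirm the column size.
        rec.Description = args.Message;
        // Receive time, not the epoch carried in the payload.
        rec.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");
        try
        {
            if (parts.Length > 8)
            {
                // [0] = "<relay ip>:<port>", [3..5] = syslog date, [7] = "<process>:".
                string[] relay = parts[0].Split(':');
                rec.CustomStr7 = relay[0];
                if (relay.Length > 1)
                {
                    rec.CustomStr6 = relay[1];
                }
                rec.CustomStr8 = parts[3] + " " + parts[4] + " " + parts[5];
                rec.CustomStr9 = parts[7].TrimEnd(':');

                if (parts[8].Contains("|"))
                {
                    // The payload itself contains spaces (failure reasons, subjects,
                    // attachment names, the MSGID sample above), so everything after the
                    // process token is rejoined. Using parts[8] alone cut the payload at
                    // its first space, which made pipes[4] unreachable for
                    // DELIVERY_FAILURE and emptied MSGID.
                    string payload = string.Join(" ", parts, 8, parts.Length - 8);
                    BmParsePayload(rec, payload.Split('|'));
                }
                else if (parts[8].Contains("START"))
                {
                    //192.168.2.80:46689 : security2.info Feb 18 10:57:05 brightmail xinetd[2225]: START: https pid=6620 from=192.168.111.66
                    rec.EventCategory = parts[8].TrimEnd(':');
                    if (parts.Length > 9)
                    {
                        rec.CustomStr1 = parts[9];
                    }
                    if (parts.Length > 11)
                    {
                        string[] pid = parts[10].Split('=');
                        if (pid.Length > 1)
                        {
                            rec.CustomInt3 = Convert_To_Int32(pid[1]);
                        }
                        string[] from = parts[11].Split('=');
                        if (from.Length > 1)
                        {
                            rec.CustomStr6 = from[1];
                        }
                    }
                }
            }
            else
            {
                L.LogTimed(LogType.FILE, LogLevel.ERROR, " Line format is not like we want. Line : " + args.Message);
            }
        }
        catch (Exception ex)
        {
            L.Log(LogType.FILE, LogLevel.ERROR, ex.ToString());
            L.Log(LogType.FILE, LogLevel.ERROR, " Error line written in description. Line : " + args.Message);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
        if (usingRegistry)
        {
            CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
            s.SetData(rec);
        }
        else
        {
            CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
            s.SetData(Dal, virtualhost, rec);
            s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
    }
    catch (Exception er)
    {
        L.LogTimed(LogType.FILE, LogLevel.ERROR, er.ToString());
        L.LogTimed(LogType.FILE, LogLevel.ERROR, " Hataya düşen line : " + args.Message);
    }
}

/// <summary>
/// Maps a '|'-split ecelerity/bmserver payload onto the record: [0] epoch → CustomInt1,
/// [1] message id → CustomStr10, [2] category → EventCategory, then per category
/// (see the cases). Missing fields are logged instead of thrown, so later fields
/// are not lost; the empty catch that used to guard [1]/[2] is replaced by checks.
/// </summary>
private void BmParsePayload(CustomBase.Rec rec, string[] pipes)
{
    rec.CustomInt1 = Convert_To_Int32(pipes[0]);
    rec.EventCategory = "";
    if (pipes.Length > 1)
    {
        rec.CustomStr10 = pipes[1];
    }
    if (pipes.Length > 2)
    {
        rec.EventCategory = pipes[2];
    }
    if (pipes.Length < 4)
    {
        L.Log(LogType.FILE, LogLevel.DEBUG, " Payload has no field after the category: " + string.Join("|", pipes));
        return;
    }
    string field = pipes[3];
    switch (rec.EventCategory)
    {
        case "ACCEPT":
        {
            // "<ip>:<port>" of the connecting host.
            string[] endpoint = field.Split(':');
            rec.CustomStr1 = endpoint[0];
            if (endpoint.Length > 1)
            {
                rec.CustomInt2 = Convert_To_Int32(endpoint[1]);
            }
            break;
        }
        case "SENDER":
            rec.CustomStr3 = field;
            break;
        case "ORCPTS":
        case "SOURCE":
        case "SUBJECT":
            rec.CustomStr4 = field;
            break;
        case "MSGID":
            // Strip the angle brackets around "<id@host>". The original trimmed '<'
            // from the end and '>' from the start, which never removed anything.
            rec.CustomStr4 = field.Trim().TrimStart('<').TrimEnd('>');
            break;
        case "ATTACH":
        case "ATTACHFILTER":
            rec.CustomStr4 = BmJoinFrom(pipes, 3);
            break;
        case "UNTESTED":
        case "VERDICT":
        case "TRACKERID":
        case "IRCPTACTION":
            rec.CustomStr4 = field;
            // Remaining fields joined with '|'. Previously UNTESTED/VERDICT/TRACKERID
            // kept a trailing '|' and IRCPTACTION a leading space; now uniform.
            rec.CustomStr5 = BmJoinFrom(pipes, 4);
            break;
        case "DELIVER":
        case "DELIVERY_FAILURE":
            rec.CustomStr5 = field; // delivery status text
            if (pipes.Length > 4)
            {
                rec.CustomStr4 = pipes[4]; // recipient
            }
            break;
        default:
            L.Log(LogType.FILE, LogLevel.DEBUG, " No field mapping for category: " + rec.EventCategory);
            break;
    }
}

/// <summary>Joins pipes[start..] back with '|' (trailing '|' dropped, as before); "" when start is past the end.</summary>
private static string BmJoinFrom(string[] pipes, int start)
{
    if (pipes.Length <= start)
    {
        return "";
    }
    return string.Join("|", pipes, start, pipes.Length - start).TrimEnd('|');
}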
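/// <summary>
/// Handles one Symantec Endpoint Protection syslog line. The line is classified by
/// substring match (first match wins, so order matters) and handed to the matching
/// per-category parser (virusFound, scanComplete, ...). Lines on the explicit ignore
/// list, and lines that match no category, are not sent.
/// </summary>
/// <param name="args">Syslog event; only Message is read.</param>
void Sep_SyslogEvent(LogMgrEventArgs args)
{
    var r = new Rec();
    L.Log(LogType.FILE, LogLevel.DEBUG, " Sep_SyslogEvent() Started.");
    L.Log(LogType.FILE, LogLevel.DEBUG, " Sep_SyslogEvent() Line : " + args.Message);
    string line = args.Message ?? string.Empty;
    // Description column takes at most 899 characters.
    r.Description = line.Length > 899 ? line.Substring(0, 899) : line;
    r.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");
    // 0 = send the record, 1 = drop it.
    int control = 0;
    try
    {
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
        r.LogName = "SymantecSepSyslog Recorder";
        L.Log(LogType.FILE, LogLevel.DEBUG, "Log is:" + line);

        // The three "new String[100]" buffers and the comma split of the original
        // were dead: only the space-split tokens are used.
        string[] tokens = SpaceSplit(line, true);
        // Token 7 is "<host>:...", presumably the syslog header host — TODO confirm.
        // It was indexed without a length check, so a short line threw and skipped
        // classification entirely.
        if (tokens.Length > 7)
        {
            r.ComputerName = tokens[7].Split(':')[0];
        }
        else
        {
            L.Log(LogType.FILE, LogLevel.DEBUG, "Fewer than 8 tokens, ComputerName not set. Log:" + line);
        }
        string firstToken = tokens.Length > 0 ? tokens[0] : string.Empty;

        if (line.Contains("Virus found"))
        {
            L.Log(LogType.FILE, LogLevel.DEBUG, "Virus found");
            r.EventCategory = "Virus found";
            r.SourceName = firstToken;
            virusFound(ref r, line);
        }
        else if (line.Contains("Forced TruScan proactive threat detected"))
        {
            r.EventCategory = "Forced TruScan proactive threat detected";
            // Only this category takes token 1 as SourceName; kept as found.
            r.SourceName = tokens.Length > 1 ? tokens[1] : string.Empty;
            forcedTruScanProactive(ref r, line);
        }
        else if (line.Contains("Scan ID"))
        {
            L.Log(LogType.FILE, LogLevel.DEBUG, "Scan");
            r.EventCategory = "scan";
            r.SourceName = firstToken;
            scanComplete(ref r, line);
        }
        else if (line.Contains("Could not scan"))
        {
            L.Log(LogType.FILE, LogLevel.DEBUG, "Could not scan");
            r.EventCategory = "Could not scan";
            r.SourceName = firstToken;
            couldnotScan(ref r, line);
        }
        else if (line.Contains("client has downloaded the content package"))
        {
            L.Log(LogType.FILE, LogLevel.DEBUG, "client has downloaded the content package");
            r.EventCategory = "client has downloaded the content package";
            r.SourceName = firstToken;
            contentPackage(ref r, line);
            if (string.IsNullOrEmpty(r.Datetime))
            {
                // The old message claimed the log is ignored; it is not — Datetime is
                // reset to the receive time before sending (see below).
                L.Log(LogType.FILE, LogLevel.DEBUG, "Could not set DateTime from the line, receive time is used.");
                L.Log(LogType.FILE, LogLevel.DEBUG, "Log:" + line);
            }
        }
        else if (line.Contains("LiveUpdate"))
        {
            L.Log(LogType.FILE, LogLevel.DEBUG, "LiveUpdate");
            r.EventCategory = "LiveUpdate";
            r.SourceName = firstToken;
            LiveUpdate(ref r, line);
        }
        else if (line.Contains("Network Threat Protection is unable to download the newest policy"))
        {
            L.Log(LogType.FILE, LogLevel.DEBUG, "Network Threat Protection is unable to download the newest policy");
            r.EventCategory = "Network Threat Protection is unable to download the newest policy";
            r.SourceName = firstToken;
            unableToDownload(ref r, line);
        }
        else if (line.Contains("New virus definition file loaded"))
        {
            L.Log(LogType.FILE, LogLevel.DEBUG, "New virus definition file loaded");
            r.EventCategory = "New virus definition file loaded";
            r.SourceName = firstToken;
            definitionFileLoaded(ref r, line);
        }
        else if (line.Contains("services shutdown"))
        {
            // shutdown/startup reuse definitionFileLoaded — presumably the same
            // layout; confirm against a real line.
            L.Log(LogType.FILE, LogLevel.DEBUG, "services shutdown");
            r.EventCategory = "services shutdown";
            r.SourceName = firstToken;
            definitionFileLoaded(ref r, line);
        }
        else if (line.Contains("services startup "))
        {
            L.Log(LogType.FILE, LogLevel.DEBUG, "services startup ");
            r.EventCategory = "services startup";
            r.SourceName = firstToken;
            definitionFileLoaded(ref r, line);
        }
        else if (line.Contains("Auto-Protect failed "))
        {
            L.Log(LogType.FILE, LogLevel.DEBUG, "Auto-Protect failed");
            r.EventCategory = "Auto-Protect failed";
            r.SourceName = firstToken;
            autoProtectedFailed(ref r, line);
        }
        else if (line.Contains("disable"))
        {
            // NOTE(review): bare substring — also matches "disabled" inside unrelated
            // messages that reach this point in the chain.
            L.Log(LogType.FILE, LogLevel.DEBUG, "disable");
            r.EventCategory = "disable";
            r.SourceName = firstToken;
            disable(ref r, line);
        }
        else if (line.Contains("Failed to contact server"))
        {
            L.Log(LogType.FILE, LogLevel.DEBUG, "Failed to contact server");
            r.EventCategory = "Failed to contact server";
            r.SourceName = firstToken;
            failedToContact(ref r, line);
        }
        // Lines from here on are intentionally not recorded (original comment, in Turkish).
        else if (line.Contains("Block IPv6") || line.Contains("Traffic from IP address") || line.Contains("Not in GZIP format") || line.Contains("received the client log") || line.Contains("Block all other traffic"))
        {
            control = 1;
        }
        else if (line.Contains("Block and log IP traffic") || line.Contains("Host Integrity") || line.Contains("Location has been changed to Default.") || line.Contains("has been activated."))
        {
            control = 1;
        }
        else
        {
            // NOTE(review): unrecognised lines are dropped even though Description is
            // filled in; if the intent was to store them as raw text, control must stay
            // 0 here. Silently discarding unknown endpoint events is a visibility gap,
            // so they are at least logged now.
            control = 1;
            r.Description = line;
            L.Log(LogType.FILE, LogLevel.DEBUG, "Unknown or not wanted log format, line not recorded: " + line);
        }
    }
    catch (Exception er)
    {
        L.LogTimed(LogType.FILE, LogLevel.ERROR, er.ToString());
    }
    try
    {
        if (control != 1)
        {
            // NOTE(review): this discards any Datetime a category parser took from the
            // line in favour of the receive time, so the empty-Datetime check after
            // contentPackage() above can never affect what is stored.
            r.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");
            r.Description = line.Length > 899 ? line.Substring(0, 899) : line;
            // Always the remote recorder; the sibling handlers branch on usingRegistry
            // first — confirm this recorder never runs in that mode.
            CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
            s.SetData(Dal, virtualhost, r);
            s.SetReg(Id, r.Datetime, "", "", "", r.Datetime);
        }
    }
    catch (Exception exception)
    {
        // The exception was dropped before; without it a send failure is undiagnosable.
        L.Log(LogType.FILE, LogLevel.ERROR, "Record sending Error. " + exception);
    }
}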
/// <summary>
/// Syslog handler for the WSense (Websense) recorder: tokenises the raw syslog line with
/// SpaceSplit, maps the positional and "key=value" tokens (category, user, action, src_host,
/// dst_ip, dst_host, url, disposition, http_response, severity, bytes_out, bytes_in,
/// src_port, dst_port) onto a <see cref="CustomBase.Rec"/> and forwards the record to the
/// configured sender.  Every field is parsed in its own try/catch, so one malformed token is
/// logged and skipped while the rest of the record is still filled and sent.
/// </summary>
/// <param name="args">Syslog event; <c>args.Message</c> is the raw line.</param>
void slog_SyslogEvent(LogMgrEventArgs args) {
    CustomBase.Rec rec = new CustomBase.Rec();
    L.Log(LogType.FILE, LogLevel.DEBUG, "slog_SyslogEvent Line: " + args.Message);
    try {
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
        try {
            rec.LogName = "WSenseSyslogV_1_0_0Recorder";
            rec.EventType = args.EventLogEntType.ToString();
            L.Log(LogType.FILE, LogLevel.DEBUG, "EventType: " + rec.EventType);
            // Description is capped at 899 characters (presumably the storage column width).
            if (args.Message.Length > 899) {
                rec.Description = args.Message.Substring(0, 899);
            } else {
                rec.Description = args.Message;
            }
            string line = args.Message;
            string[] lineArr = SpaceSplit(line, false);
            // Timestamp: the syslog header carries no year, so the current year is spliced in.
            try {
                DateTime dt;
                string dateNow = DateTime.Now.Year.ToString(CultureInfo.InvariantCulture);
                string myDateTimeString = lineArr[4] + lineArr[3] + "," + dateNow + " ," + lineArr[5];
                // NOTE(review): Convert.ToDateTime parses with the current culture, so the result can
                // depend on the host locale (month names in particular).
                dt = Convert.ToDateTime(myDateTimeString);
                rec.Datetime = dt.ToString(dateFormat);
                L.Log(LogType.FILE, LogLevel.DEBUG, "Datetime: " + rec.Datetime);
            } catch (Exception exception) {
                L.Log(LogType.FILE, LogLevel.ERROR, "Date Error: " + exception.Message);
            }
            // Token 6 -> CustomStr1.
            if (lineArr.Length > 6) {
                rec.CustomStr1 = lineArr[6];
                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr1: " + rec.CustomStr1);
            }
            // Each key below is looked up at its expected position first and, failing that, by
            // scanning every token; the scan does not break, so the LAST matching token wins.
            // category -> EventCategory (expected at token 12).
            try {
                if (lineArr.Length > 12) {
                    if (lineArr[12].Trim().StartsWith("category")) {
                        rec.EventCategory = SplitedLine(lineArr[12]);
                        L.Log(LogType.FILE, LogLevel.DEBUG, "EventCategory: " + rec.EventCategory);
                    } else {
                        for (int i = 0; i < lineArr.Length; i++) {
                            if (lineArr[i].StartsWith("category")) { rec.EventCategory = SplitedLine(lineArr[i]); L.Log(LogType.FILE, LogLevel.DEBUG, "EventCategory: " + rec.EventCategory); }
                        }
                    }
                }
            } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.DEBUG, "EventCategory: " + exception.Message); }
            // user -> ComputerName (host part after "://"), UserName and SourceName (expected at token 13).
            try {
                if (lineArr.Length > 13) {
                    if (lineArr[13].Trim().StartsWith("user")) {
                        if (lineArr[13].Contains("://")) {
                            rec.ComputerName = After(SplitedLine(lineArr[13]), "://");
                            L.Log(LogType.FILE, LogLevel.DEBUG, "ComputerName: " + rec.ComputerName);
                            if (lineArr.Length > 14) {
                                // NOTE(review): lineArr[15] is read under a "> 14" guard; a 15-token line throws
                                // here and is reported below as a "ComputerName" error.
                                string d = lineArr[14].Split('/')[lineArr[14].Split('/').Length - 1];
                                rec.UserName = d + " " + lineArr[15];
                                // NOTE(review): the statements that logged UserName and declared `df` are not
                                // recoverable in this copy of the file ("******" marks redacted text); the
                                // fragment is reproduced verbatim, so `df` below has no visible declaration.
                                //Console.WriteLine("UserName: "******"UserName: "******"DC=local");
                                try {
                                    if (df.EndsWith(",")) {
                                        rec.SourceName = df.Substring(0, df.Length - 1);
                                        L.Log(LogType.FILE, LogLevel.DEBUG, "SourceName: " + rec.SourceName);
                                    }
                                } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "SourceName: " + exception.Message); }
                            }
                        } else {
                            L.Log(LogType.FILE, LogLevel.DEBUG, "ComputerName = null");
                        }
                    } else {
                        for (int i = 0; i < lineArr.Length; i++) {
                            if (lineArr[i].StartsWith("user")) { rec.ComputerName = SplitedLine(lineArr[i]); L.Log(LogType.FILE, LogLevel.DEBUG, "ComputerName: " + rec.ComputerName); }
                        }
                    }
                }
            } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.DEBUG, "ComputerName: " + exception.Message); }
            // action -> CustomStr2 (expected at token 10).
            try {
                if (lineArr.Length > 10) {
                    if (lineArr[10].Trim().StartsWith("action")) {
                        rec.CustomStr2 = SplitedLine(lineArr[10]);
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2: " + rec.CustomStr2);
                    } else {
                        for (int i = 0; i < lineArr.Length; i++) {
                            if (lineArr[i].StartsWith("action")) { rec.CustomStr2 = SplitedLine(lineArr[i]); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2: " + rec.CustomStr2); }
                        }
                    }
                }
            } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr2: " + exception.Message); }
            // src_host -> CustomStr3 (expected at token 16).
            // NOTE(review): the positional check inspects lineArr[10] (the "action" slot) while the value is
            // read from lineArr[16], so the fast path practically never fires and the scan is used instead;
            // the catch label also says "CustomStr2" (copy/paste slip).
            try {
                if (lineArr.Length > 16) {
                    if (lineArr[10].Trim().StartsWith("src_host")) {
                        rec.CustomStr3 = SplitedLine(lineArr[16]);
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
                    } else {
                        for (int i = 0; i < lineArr.Length; i++) {
                            if (lineArr[i].StartsWith("src_host")) { rec.CustomStr3 = SplitedLine(lineArr[i]); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3); }
                        }
                    }
                }
            } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr2: " + exception.Message); }
            // dst_ip -> CustomStr4 (expected at token 19).
            try {
                if (lineArr.Length > 19) {
                    if (lineArr[19].Trim().StartsWith("dst_ip")) {
                        rec.CustomStr4 = SplitedLine(lineArr[19]);
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4: " + rec.CustomStr4);
                    } else {
                        for (int i = 0; i < lineArr.Length; i++) {
                            if (lineArr[i].StartsWith("dst_ip")) { rec.CustomStr4 = SplitedLine(lineArr[i]); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4: " + rec.CustomStr4); }
                        }
                    }
                }
            } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr4: " + exception.Message); }
            // dst_host -> CustomStr5 (expected at token 18).
            try {
                if (lineArr.Length > 18) {
                    if (lineArr[18].Trim().StartsWith("dst_host")) {
                        rec.CustomStr5 = SplitedLine(lineArr[18]);
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr5: " + rec.CustomStr5);
                    } else {
                        for (int i = 0; i < lineArr.Length; i++) {
                            if (lineArr[i].StartsWith("dst_host")) { rec.CustomStr5 = SplitedLine(lineArr[i]); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr5: " + rec.CustomStr5); }
                        }
                    }
                }
            } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr5: " + exception.Message); }
            // url -> CustomStr6 (expected at token 33); on shorter lines the last token is taken as the URL.
            try {
                if (lineArr.Length > 33) {
                    if (lineArr[33].StartsWith("url")) {
                        rec.CustomStr6 = SplitedLine(lineArr[33]);
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr6: " + rec.CustomStr6);
                    } else {
                        for (int i = 0; i < lineArr.Length; i++) {
                            if (lineArr[i].StartsWith("url")) { rec.CustomStr6 = SplitedLine(lineArr[i]); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr6: " + rec.CustomStr6); }
                        }
                    }
                } else {
                    rec.CustomStr6 = SplitedLine(lineArr[lineArr.Length - 1]);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr6: " + rec.CustomStr6);
                }
            } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr6: " + exception.Message); }
            // Numeric fields: a failed Convert.ToInt32 is logged and the field is reset to 0.
            // disposition -> CustomInt1 (expected at token 29).
            try {
                if (lineArr.Length > 29) {
                    if (lineArr[29].StartsWith("disposition")) {
                        rec.CustomInt1 = Convert.ToInt32(SplitedLine(lineArr[29]));
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt1: " + rec.CustomInt1);
                    } else {
                        for (int i = 0; i < lineArr.Length; i++) {
                            if (lineArr[i].StartsWith("disposition")) { rec.CustomInt1 = Convert.ToInt32(SplitedLine(lineArr[i])); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt1: " + rec.CustomInt1); }
                        }
                    }
                }
            } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt1 Casting error, CustomInt1 setted 0 " + exception.Message); rec.CustomInt1 = 0; }
            // http_response -> CustomInt3 (expected at token 23).
            // NOTE(review): the positional branch logs rec.CustomInt1 under the "CustomInt3:" label.
            try {
                if (lineArr.Length > 23) {
                    if (lineArr[23].StartsWith("http_response")) {
                        rec.CustomInt3 = Convert.ToInt32(SplitedLine(lineArr[23]));
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt3: " + rec.CustomInt1);
                    } else {
                        for (int i = 0; i < lineArr.Length; i++) {
                            if (lineArr[i].StartsWith("http_response")) { rec.CustomInt3 = Convert.ToInt32(SplitedLine(lineArr[i])); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt3: " + rec.CustomInt3); }
                        }
                    }
                }
            } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt3 Casting error, CustomInt3 setted 0 " + exception.Message); rec.CustomInt3 = 0; }
            // severity -> CustomInt5 (expected at token 11).
            try {
                if (lineArr.Length > 11) {
                    if (lineArr[11].StartsWith("severity")) {
                        rec.CustomInt5 = Convert.ToInt32(SplitedLine(lineArr[11]));
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt5: " + rec.CustomInt5);
                    } else {
                        for (int i = 0; i < lineArr.Length; i++) {
                            if (lineArr[i].StartsWith("severity")) { rec.CustomInt5 = Convert.ToInt32(SplitedLine(lineArr[i])); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt5: " + rec.CustomInt5); }
                        }
                    }
                }
            } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt5 Casting error, CustomInt5 setted 0 " + exception.Message); rec.CustomInt5 = 0; }
            // bytes_out -> CustomInt7 (expected at token 21).
            try {
                if (lineArr.Length > 21) {
                    if (lineArr[21].StartsWith("bytes_out")) {
                        rec.CustomInt7 = Convert.ToInt32(SplitedLine(lineArr[21]));
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt7: " + rec.CustomInt7);
                    } else {
                        for (int i = 0; i < lineArr.Length; i++) {
                            if (lineArr[i].StartsWith("bytes_out")) { rec.CustomInt7 = Convert.ToInt32(SplitedLine(lineArr[i])); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt7: " + rec.CustomInt7); }
                        }
                    }
                }
            } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt7 Casting error, CustomInt7 setted 0 " + exception.Message); rec.CustomInt7 = 0; }
            // bytes_in -> CustomInt8 (expected at token 22).
            try {
                if (lineArr.Length > 22) {
                    if (lineArr[22].StartsWith("bytes_in")) {
                        rec.CustomInt8 = Convert.ToInt32(SplitedLine(lineArr[22]));
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt8: " + rec.CustomInt8);
                    } else {
                        for (int i = 0; i < lineArr.Length; i++) {
                            if (lineArr[i].StartsWith("bytes_in")) { rec.CustomInt8 = Convert.ToInt32(SplitedLine(lineArr[i])); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt8: " + rec.CustomInt8); }
                        }
                    }
                }
            } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt8 Casting error, CustomInt8 setted 0 " + exception.Message); rec.CustomInt8 = 0; }
            // src_port -> CustomInt9 (expected at token 17).
            try {
                if (lineArr.Length > 17) {
                    if (lineArr[17].StartsWith("src_port")) {
                        rec.CustomInt9 = Convert.ToInt32(SplitedLine(lineArr[17]));
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt9: " + rec.CustomInt9);
                    } else {
                        for (int i = 0; i < lineArr.Length; i++) {
                            if (lineArr[i].StartsWith("src_port")) { rec.CustomInt9 = Convert.ToInt32(SplitedLine(lineArr[i])); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt9: " + rec.CustomInt9); }
                        }
                    }
                }
            } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt9 Casting error, CustomInt9 setted 0 " + exception.Message); rec.CustomInt9 = 0; }
            // dst_port -> CustomInt10 (expected at token 20).
            try {
                if (lineArr.Length > 20) {
                    if (lineArr[20].StartsWith("dst_port")) {
                        rec.CustomInt10 = Convert.ToInt32(SplitedLine(lineArr[20]));
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt10: " + rec.CustomInt10);
                    } else {
                        for (int i = 0; i < lineArr.Length; i++) {
                            if (lineArr[i].StartsWith("dst_port")) { rec.CustomInt10 = Convert.ToInt32(SplitedLine(lineArr[i])); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt10: " + rec.CustomInt10); }
                        }
                    }
                }
            } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt10 Casting error, CustomInt10 setted 0 " + exception.Message); rec.CustomInt10 = 0; }
            //L.Log(LogType.FILE, LogLevel.DEBUG, " Source Is : " + args.Source.ToString());
            //rec.SourceName = args.Source;
            L.Log(LogType.FILE, LogLevel.INFORM, " Log : " + args.Message);
        } catch (Exception e) {
            L.Log(LogType.FILE, LogLevel.DEBUG, "ERROR------------");
            L.Log(LogType.FILE, LogLevel.DEBUG, e.Message);
            L.Log(LogType.FILE, LogLevel.DEBUG, e.StackTrace);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
        // The record is sent even when some fields failed above (they were logged and left empty / 0).
        if (usingRegistry) {
            CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
            s.SetData(rec);
        } else {
            CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
            s.SetData(Dal, virtualhost, rec);
            s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
    } catch (Exception er) {
        L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
        L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
    }
}
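/// <summary>
/// Syslog handler for the Cisco DEV recorder: delegates parsing of the raw line to
/// <see cref="CiscoDEVRecorderProcess"/>, takes the record it builds and forwards it to
/// the configured sender (registry sender or remote recorder).  Empty lines are ignored.
/// </summary>
/// <param name="args">Syslog event; <c>args.Message</c> is the raw line.</param>
void slog_SyslogEvent(LogMgrEventArgs args) {
    try {
        // Nothing to parse for a null or empty line; skip it silently, as before.
        if (string.IsNullOrEmpty(args.Message)) {
            return;
        }
        CiscoDEVRecorderProcess devrecorder = new CiscoDEVRecorderProcess();
        devrecorder.parsingProcess(args, zone);
        // createRec() returns the record built from the parsed state; the original allocated a
        // throw-away CustomBase.Rec first, which was immediately overwritten.
        CustomBase.Rec rec = devrecorder.createRec();
        InitializeLogger.L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
        if (usingRegistry) {
            CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
            s.SetData(rec);
        } else {
            CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
            s.SetData(Dal, virtualhost, rec);
            s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
        }
        InitializeLogger.L.Log(LogType.FILE, LogLevel.INFORM, "Finish Sending Data");
    } catch (Exception er) {
        InitializeLogger.L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
        InitializeLogger.L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
    }
}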
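/// <summary>
/// Syslog handler for the SonicWall recorder.  Splits the raw line on spaces, re-joins quoted
/// values that contain spaces, pushes each known "key=value" pair into the recorder's property
/// slots via assignpropertyvalue (unknown keys via assignundefinedvalue), builds a "web" or
/// "fw" record with createRec and forwards it to the configured sender.
/// </summary>
/// <param name="args">Syslog event; <c>args.Message</c> is the raw line.</param>
void slog_SyslogEvent(LogMgrEventArgs args) {
    CustomBase.Rec rec = new CustomBase.Rec();
    try {
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
        try {
            // Keys the recorder knows; the position in this array is the index assignpropertyvalue expects.
            string[] logproperties = {"id","sn","time","fw","pri","c","m","msg","n","dst","proto","src", "sent","rcvd","vpnpolicy","op","result","dstname","code","Category","arg"};
            this.log_Name = "SonicWallSyslog Recorder";
            this.event_Type = args.EventLogEntType.ToString();
            L.Log(LogType.FILE, LogLevel.INFORM, "args.Message" + args.Message);
            string[] tempfields = args.Message.Split(' ');
            // Token 2 of the syslog envelope is kept as "info"; the key=value pairs start at token 3.
            info = tempfields[2];
            description = args.Message;
            string[] fields = MergeSonicWallFields(tempfields);
            for (int i = 3; i < fields.Length; i++) {
                // Split on the FIRST '=' only: values such as arg=/x.php?a=b contain '=' themselves and
                // were truncated by the original Split('=')[1].
                string[] kv = fields[i].Split(new char[] { '=' }, 2);
                string property = kv[0];
                string value = kv.Length > 1 ? kv[1] : "";
                int index = Array.IndexOf(logproperties, property);
                if (index != -1) {
                    assignpropertyvalue(index, value);
                } else {
                    assignundefinedvalue(property, value);
                }
            }
            // A line carrying "dstname" is a web-filter event, one carrying "msg" a firewall event;
            // when both occur the later field wins (original behaviour).
            string controltype = "";
            for (int i = 0; i < fields.Length; i++) {
                if (fields[i].Contains("dstname")) { controltype = "web"; }
                if (fields[i].Contains("msg")) { controltype = "fw"; }
            }
            rec = createRec(controltype == "web" ? "web" : "fw");
        } catch (Exception e) {
            clearProperties();
            L.Log(LogType.FILE, LogLevel.DEBUG, "ERROR------------");
            L.Log(LogType.FILE, LogLevel.DEBUG, e.Message);
            L.Log(LogType.FILE, LogLevel.DEBUG, e.StackTrace);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
        // The record is sent even if parsing failed above (it is then the empty default record).
        if (usingRegistry) {
            CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
            s.SetData(rec);
        } else {
            CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
            L.Log(LogType.FILE, LogLevel.DEBUG, Dal + " " + virtualhost + " " + rec.Description);
            s.SetData(Dal, virtualhost, rec);
            s.Set
Reg(Id, rec.Datetime, "","","",rec.Datetime);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
        clearProperties();
    } catch (Exception er) {
        L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
        L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
    }
}

/// <summary>
/// Re-joins values that contain spaces and drops empty tokens.
/// </summary>
/// <param name="tempfields">Raw tokens from <c>message.Split(' ')</c>; modified in place.</param>
/// <returns>The non-empty tokens, in order.  Starting at token 3, a token without '=' is
/// appended (space-separated) to the preceding token and blanked; tokens 0-2 are never examined
/// themselves, though token 2 can receive words merged from token 3.</returns>
private static string[] MergeSonicWallFields(string[] tempfields) {
    for (int k = 3; k < tempfields.Length; k++) {
        if (tempfields[k].Contains("=")) {
            continue;
        }
        // All following non-key tokens are merged into this slot until the next key=value token.
        int target = k - 1;
        for (int j = k; j < tempfields.Length; j++) {
            if (tempfields[j].Contains("=")) {
                k = j;
                break;
            }
            tempfields[target] += " " + tempfields[j];
            tempfields[j] = "";
        }
        // Trim the slot that received the words (the original trimmed tempfields[k - 1], which after
        // the break above is the already-blanked slot, so a double space could leave a trailing blank).
        tempfields[target] = tempfields[target].Trim();
    }
    int emptyCount = 0;
    foreach (string token in tempfields) {
        if (token == "") { emptyCount++; }
    }
    string[] fields = new string[tempfields.Length - emptyCount];
    int next = 0;
    foreach (string token in tempfields) {
        if (token != "") { fields[next++] = token; }
    }
    return fields;
}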
/// <summary>
/// Syslog handler for the SonicWall TZ120 UTM recorder: splits the raw line into tokens with
/// SpaceSplit, maps the SonicWall "key=value" pairs (op, src, dst, msg, proto, arg, dstname,
/// result, rcvd, pri, c, m, n, code, Category) onto a <see cref="CustomBase.Rec"/> and forwards
/// the record to the configured sender.  Each field is parsed in its own try/catch so one
/// malformed token is logged and skipped while the others are still filled.
/// </summary>
/// <param name="args">Syslog event; <c>args.Message</c> is the raw line.</param>
void slog_SyslogEvent(LogMgrEventArgs args) {
    CustomBase.Rec rec = new CustomBase.Rec();
    try {
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
        L.Log(LogType.FILE, LogLevel.INFORM, " Log : " + args.Message);
        try {
            rec.Datetime = DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss");
            rec.EventType = args.EventLogEntType.ToString();
            rec.LogName = "SonicWallV_TZ120_0_0UTMRecorder";
            // Description is capped at 899 characters (presumably the storage column width).
            if (args.Message.Length > 899) {
                rec.Description = args.Message.Substring(0, 899);
            } else {
                rec.Description = args.Message;
            }
            string[] lineArr = SpaceSplit(args.Message, false);
            // Token 2 is the syslog facility.severity (e.g. "local0.error"), token 0 the sender.
            rec.SourceName = lineArr[2];
            L.Log(LogType.FILE, LogLevel.DEBUG, "SourceName: " + rec.SourceName);
            // NOTE(review): throws IndexOutOfRangeException when token 2 has no '.', which skips
            // every field below (caught by the outer catch).
            rec.EventType = lineArr[2].Split('.')[1];
            L.Log(LogType.FILE, LogLevel.DEBUG, "EventType: " + rec.EventType);
            rec.ComputerName = lineArr[0];
            L.Log(LogType.FILE, LogLevel.DEBUG, "ComputerName: " + rec.ComputerName);
            //if (lineArr[2] == "local0.info")
            {
                // Each key below is looked up at its expected position first and, failing that, by
                // scanning every token; the scan does not break, so the LAST matching token wins.
                // op= -> EventCategory (expected at token 16).
                try {
                    if (lineArr.Length > 16) {
                        if (lineArr[16].Trim().StartsWith("op=")) {
                            rec.EventCategory = SplitedLine(lineArr[16]);
                            L.Log(LogType.FILE, LogLevel.DEBUG, "EventCategory: " + rec.EventCategory);
                        } else {
                            for (int i = 0; i < lineArr.Length; i++) {
                                if (lineArr[i].StartsWith("op=")) { rec.EventCategory = SplitedLine(lineArr[i]); L.Log(LogType.FILE, LogLevel.DEBUG, "EventCategory: " + rec.EventCategory); }
                            }
                        }
                    }
                } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "EventCategory: " + exception.Message); }
                // Sample line:
                //192.168.3.1:514 : local0.error id=firewall sn=0017C56122AA time="2013-01-28 13:14:13 UTC" fw=none pri=3 c=4 m=14 msg="Web site access denied" n=223847 src=192.168.3.142:49562:X0:MEHMETSsTCs-PC dst=31.13.64.7:80:X1:star-01-01-ams2.facebook.com dstname=www.facebook.com arg=/plugins/like.php?href=http%3A%2F%2Fwww.facebook.com%2Fpages%2Fgazetea24com%2F168179866539250&send=false&layout code=58 Category="Social Networking"
                // src= -> UserName: the host part after "X0:" (expected at token 13).
                try {
                    string userName = "";
                    if (lineArr.Length > 13) {
                        if (lineArr[13].Trim().StartsWith("src=")) {
                            if (SplitedLine(lineArr[13]).Split(':').Length > 2) {
                                userName = After(SplitedLine(lineArr[13]), "X0:");
                                // NOTE(review): the three "******" fragments below are redacted in this copy of the
                                // file, so the UserName scan, the "Category=" guard and their braces cannot be
                                // recovered; the text is reproduced verbatim.  Category= -> CustomStr1.
                                L.Log(LogType.FILE, LogLevel.DEBUG, "UserName: "******"src=")) { if (SplitedLine(lineArr[i]).Split(':').Length > 2) { userName = After(SplitedLine(lineArr[i]), "X0:"); L.Log(LogType.FILE, LogLevel.DEBUG, "UserName: "******":")) { rec.UserName = userName.Split(':')[0]; } else { rec.UserName = userName; } } } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "UserName: "******"Category=")) {
                                // NOTE(review): Between(..., "Category=", " ") stops at the first space, so a quoted
                                // multi-word category ("Social Networking") is cut to its first word.
                                rec.CustomStr1 = Between(args.Message, "Category=", " ");
                                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr1: " + rec.CustomStr1);
                            } else {
                                for (int i = 0; i < lineArr.Length; i++) {
                                    if (lineArr[i].StartsWith("Category=")) { rec.CustomStr1 = Between(args.Message, "Category=", " "); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr1: " + rec.CustomStr1); }
                                }
                            }
                        }
                    rec.CustomStr1 = rec.CustomStr1.Replace('"', ' ').Trim();
                } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr1: " + exception.Message); }
                // proto= -> CustomStr2 (expected at token 15).
                try {
                    if (lineArr.Length > 15) {
                        if (lineArr[15].Trim().StartsWith("proto=")) {
                            rec.CustomStr2 = SplitedLine(lineArr[15]);
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2: " + rec.CustomStr2);
                        } else {
                            for (int i = 0; i < lineArr.Length; i++) {
                                if (lineArr[i].StartsWith("proto=")) { rec.CustomStr2 = SplitedLine(lineArr[i]); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2: " + rec.CustomStr2); }
                            }
                        }
                    }
                } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr2: " + exception.Message); }
                // src -> CustomStr3 (source IP, expected at token 13).
                // NOTE(review): the positional branch takes the FIRST ':'-segment, the scan the LAST one.
                try {
                    if (lineArr.Length > 13) {
                        if (lineArr[13].Trim().StartsWith("src")) {
                            rec.CustomStr3 = SplitedLine(lineArr[13]).Split(':')[0];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
                        } else {
                            for (int i = 0; i < lineArr.Length; i++) {
                                if (lineArr[i].StartsWith("src")) { rec.CustomStr3 = SplitedLine(lineArr[i]).Split(':')[SplitedLine(lineArr[i]).Split(':').Length - 1]; L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3); }
                            }
                        }
                    }
                } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr3: " + exception.Message); }
                // dst -> CustomStr4 (destination IP, expected at token 14); same first/last segment split as above.
                try {
                    if (lineArr.Length > 14) {
                        if (lineArr[14].Trim().StartsWith("dst")) {
                            rec.CustomStr4 = SplitedLine(lineArr[14]).Split(':')[0];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4: " + rec.CustomStr4);
                        } else {
                            for (int i = 0; i < lineArr.Length; i++) {
                                if (lineArr[i].StartsWith("dst")) { rec.CustomStr4 = SplitedLine(lineArr[i]).Split(':')[SplitedLine(lineArr[i]).Split(':').Length - 1]; L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4: " + rec.CustomStr4); }
                            }
                        }
                    }
                } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr4: " + exception.Message); }
                // msg= ... n= -> CustomStr5.  NOTE(review): not guarded; an exception here skips the rest.
                rec.CustomStr5 = Between(args.Message, "msg=", "n=");
                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr5: " + rec.CustomStr5);
                // arg -> CustomStr7 (expected at token 20).
                // NOTE(review): the scan branch logs rec.CustomStr3 under the "CustomStr7:" label.
                try {
                    if (lineArr.Length > 20) {
                        if (lineArr[20].Trim().StartsWith("arg")) {
                            rec.CustomStr7 = SplitedLine(lineArr[20]);
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr7: " + rec.CustomStr7);
                        } else {
                            for (int i = 0; i < lineArr.Length; i++) {
                                if (lineArr[i].StartsWith("arg")) { rec.CustomStr7 = SplitedLine(lineArr[i]); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr7: " + rec.CustomStr3); }
                            }
                        }
                    }
                } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr7: " + exception.Message); }
                // dstname -> CustomStr8 (expected at token 19).
                // NOTE(review): the positional branch logs rec.CustomStr7 under the "CustomStr8:" label.
                try {
                    if (lineArr.Length > 19) {
                        if (lineArr[19].Trim().StartsWith("dstname")) {
                            rec.CustomStr8 = SplitedLine(lineArr[19]);
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr8: " + rec.CustomStr7);
                        } else {
                            for (int i = 0; i < lineArr.Length; i++) {
                                if (lineArr[i].StartsWith("dstname")) { rec.CustomStr8 = SplitedLine(lineArr[i]); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr8: " + rec.CustomStr8); }
                            }
                        }
                    }
                } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr8: " + exception.Message); }
                // dst -> CustomStr10 (last ':'-segment, i.e. the destination host name; expected at token 14).
                try {
                    if (lineArr.Length > 14) {
                        if (lineArr[14].Trim().StartsWith("dst")) {
                            rec.CustomStr10 = SplitedLine(lineArr[14]).Split(':')[SplitedLine(lineArr[14]).Split(':').Length - 1];
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr10: " + rec.CustomStr10);
                        } else {
                            for (int i = 0; i < lineArr.Length; i++) {
                                if (lineArr[i].StartsWith("dst")) { rec.CustomStr10 = SplitedLine(lineArr[i]).Split(':')[SplitedLine(lineArr[i]).Split(':').Length - 1]; L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr10: " + rec.CustomStr10); }
                            }
                        }
                    }
                } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr10: " + exception.Message); }
                // Numeric fields: a failed Convert.ToInt32 is logged and the field is reset to 0.
                // result -> CustomInt1 (expected at token 18).
                // NOTE(review): the positional branch logs rec.CustomStr10 under the "CustomInt1:" label, and
                // the scan branch converts lineArr[18] instead of the matched lineArr[i].
                try {
                    if (lineArr.Length > 18) {
                        if (lineArr[18].Trim().StartsWith("result")) {
                            rec.CustomInt1 = Convert.ToInt32(SplitedLine(lineArr[18]));
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt1: " + rec.CustomStr10);
                        } else {
                            for (int i = 0; i < lineArr.Length; i++) {
                                if (lineArr[i].StartsWith("result")) { rec.CustomInt1 = Convert.ToInt32(SplitedLine(lineArr[18])); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt1: " + rec.CustomInt1); }
                            }
                        }
                    }
                } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt1: " + exception.Message); rec.CustomInt1 = 0; }
                // rcvd -> CustomInt2 (expected at token 17).
                // NOTE(review): the scan branch converts lineArr[17] instead of the matched lineArr[i].
                try {
                    if (lineArr.Length > 17) {
                        if (lineArr[17].Trim().StartsWith("rcvd")) {
                            rec.CustomInt2 = Convert.ToInt32(SplitedLine(lineArr[17]));
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt2: " + rec.CustomInt2);
                        } else {
                            for (int i = 0; i < lineArr.Length; i++) {
                                if (lineArr[i].StartsWith("rcvd")) { rec.CustomInt2 = Convert.ToInt32(SplitedLine(lineArr[17])); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt2: " + rec.CustomInt2); }
                            }
                        }
                    }
                } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt2: " + exception.Message); rec.CustomInt2 = 0; }
                // src -> CustomInt3 (second ':'-segment, the source port; expected at token 13).
                try {
                    if (lineArr.Length > 13) {
                        if (lineArr[13].Trim().StartsWith("src")) {
                            rec.CustomInt3 = Convert.ToInt32(SplitedLine(lineArr[13].Split(':')[1]));
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt3: " + rec.CustomInt3);
                        } else {
                            for (int i = 0; i < lineArr.Length; i++) {
                                if (lineArr[i].StartsWith("src")) { rec.CustomInt3 = Convert.ToInt32(SplitedLine(lineArr[i].Split(':')[1])); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt3: " + rec.CustomInt3); }
                            }
                        }
                    }
                } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt3: " + exception.Message); rec.CustomInt3 = 0; }
                // dst -> CustomInt4 (second ':'-segment, the destination port; expected at token 14).
                // NOTE(review): the scan branch matches "src" rather than "dst", so it re-reads the source port.
                try {
                    if (lineArr.Length > 14) {
                        if (lineArr[14].Trim().StartsWith("dst")) {
                            rec.CustomInt4 = Convert.ToInt32(SplitedLine(lineArr[14].Split(':')[1]));
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt4: " + rec.CustomInt4);
                        } else {
                            for (int i = 0; i < lineArr.Length; i++) {
                                if (lineArr[i].StartsWith("src")) { rec.CustomInt4 = Convert.ToInt32(SplitedLine(lineArr[i].Split(':')[1])); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt4: " + rec.CustomInt4); }
                            }
                        }
                    }
                } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt4: " + exception.Message); rec.CustomInt4 = 0; }
                // pri -> CustomInt5 (expected at token 9).
                try {
                    if (lineArr.Length > 9) {
                        if (lineArr[9].Trim().StartsWith("pri")) {
                            rec.CustomInt5 = Convert.ToInt32(SplitedLine(lineArr[9]));
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt5: " + rec.CustomInt5);
                        } else {
                            for (int i = 0; i < lineArr.Length; i++) {
                                if (lineArr[i].StartsWith("pri")) { rec.CustomInt5 = Convert.ToInt32(SplitedLine(lineArr[i])); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt5: " + rec.CustomInt5); }
                            }
                        }
                    }
                } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt5: " + exception.Message); rec.CustomInt5 = 0; }
                // c= -> CustomInt6 (expected at token 10).
                try {
                    if (lineArr.Length > 10) {
                        if (lineArr[10].Trim().StartsWith("c=")) {
                            rec.CustomInt6 = Convert.ToInt32(SplitedLine(lineArr[10]));
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt6: " + rec.CustomInt6);
                        } else {
                            for (int i = 0; i < lineArr.Length; i++) {
                                if (lineArr[i].StartsWith("c=")) { rec.CustomInt6 = Convert.ToInt32(SplitedLine(lineArr[i])); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt6: " + rec.CustomInt6); }
                            }
                        }
                    }
                } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt6: " + exception.Message); rec.CustomInt6 = 0; }
                // m= -> CustomInt7 (expected at token 11).
                try {
                    if (lineArr.Length > 11) {
                        if (lineArr[11].Trim().StartsWith("m=")) {
                            rec.CustomInt7 = Convert.ToInt32(SplitedLine(lineArr[11]));
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt7: " + rec.CustomInt7);
                        } else {
                            for (int i = 0; i < lineArr.Length; i++) {
                                if (lineArr[i].StartsWith("m=")) { rec.CustomInt7 = Convert.ToInt32(SplitedLine(lineArr[i])); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt7: " + rec.CustomInt7); }
                            }
                        }
                    }
                } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt7: " + exception.Message); rec.CustomInt7 = 0; }
                // n= -> CustomInt8 (expected at token 12).
                try {
                    if (lineArr.Length > 12) {
                        if (lineArr[12].Trim().StartsWith("n=")) {
                            rec.CustomInt8 = Convert.ToInt32(SplitedLine(lineArr[12]));
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt8: " + rec.CustomInt8);
                        } else {
                            for (int i = 0; i < lineArr.Length; i++) {
                                if (lineArr[i].StartsWith("n=")) { rec.CustomInt8 = Convert.ToInt32(SplitedLine(lineArr[i])); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt8: " + rec.CustomInt8); }
                            }
                        }
                    }
                } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt8: " + exception.Message); rec.CustomInt8 = 0; }
                // code -> CustomInt9 (expected at token 21).
                // NOTE(review): the scan branch matches "n=" rather than "code", so on the slow path
                // CustomInt9 receives the n= counter; the whole block is also duplicated below verbatim.
                try {
                    if (lineArr.Length > 21) {
                        if (lineArr[21].Trim().StartsWith("code")) {
                            rec.CustomInt9 = Convert.ToInt32(SplitedLine(lineArr[21]));
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt9: " + rec.CustomInt9);
                        } else {
                            for (int i = 0; i < lineArr.Length; i++) {
                                if (lineArr[i].StartsWith("n=")) { rec.CustomInt9 = Convert.ToInt32(SplitedLine(lineArr[i])); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt9: " + rec.CustomInt9); }
                            }
                        }
                    }
                } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt9: " + exception.Message); rec.CustomInt9 = 0; }
                // Duplicate of the code -> CustomInt9 block above (same result, same mismatch).
                try {
                    if (lineArr.Length > 21) {
                        if (lineArr[21].Trim().StartsWith("code")) {
                            rec.CustomInt9 = Convert.ToInt32(SplitedLine(lineArr[21]));
                            L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt9: " + rec.CustomInt9);
                        } else {
                            for (int i = 0; i < lineArr.Length; i++) {
                                if (lineArr[i].StartsWith("n=")) { rec.CustomInt9 = Convert.ToInt32(SplitedLine(lineArr[i])); L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt9: " + rec.CustomInt9); }
                            }
                        }
                    }
                } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt9: " + exception.Message); rec.CustomInt9 = 0; }
            }
        } catch (Exception e) {
            L.Log(LogType.FILE, LogLevel.DEBUG, "ERROR------------");
            L.Log(LogType.FILE, LogLevel.DEBUG, e.Message);
            L.Log(LogType.FILE, LogLevel.DEBUG, e.StackTrace);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
        // The record is sent even when some fields failed above (they were logged and left empty / 0).
        if (usingRegistry) {
            CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
            s.SetData(rec);
        } else {
            CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
            s.SetData(Dal, virtualhost, rec);
            s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
    } catch (Exception er) {
        L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
        L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
    }
}
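/// <summary>
/// Syslog handler for the WatchGuard web-proxy recorder.  Walks the whitespace-split tokens of
/// the raw line, copies the "key=value" tokens it knows about into the record (via
/// SplitFunction), reads the source/destination IPs from the positions following the protocol
/// keyword, and forwards the record to the configured sender.
/// </summary>
/// <param name="args">Syslog event; <c>args.Message</c> is the raw line.</param>
void SlogSyslogEvent(LogMgrEventArgs args) {
    var rec = new Rec();
    try {
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
        L.Log(LogType.FILE, LogLevel.DEBUG, " Log : " + args.Message);
        try {
            rec.LogName = "WatchGuardWebSyslogV_1_0_0Recorder";
            rec.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");
            // Cap at 899 characters, then neutralise single quotes.  The original assigned the
            // truncated text and immediately overwrote it with the full message, so the cap never applied.
            string description = args.Message.Length > 899 ? args.Message.Substring(0, 899) : args.Message;
            rec.Description = description.Replace("'", "|");
            string line = args.Message;
            // lineArr keeps empty tokens (the protocol offsets below are relative to it);
            // subLineArr drops them and is used for the positional EventCategory field.
            string[] lineArr = line.Split();
            string[] subLineArr = line.Split((char[])null, StringSplitOptions.RemoveEmptyEntries);
            for (int i = 0; i < lineArr.Length; i++) {
                string token = lineArr[i];
                if (token.StartsWith("op")) {
                    rec.EventType = SplitFunction(token);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "EventType: " + rec.EventType);
                }
                if (token.StartsWith("proxy_act")) {
                    rec.CustomStr2 = SplitFunction(token);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2: " + rec.CustomStr2);
                }
                if (token.StartsWith("dstname")) {
                    rec.CustomStr6 = SplitFunction(token);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr6: " + rec.CustomStr6);
                }
                if (token.StartsWith("arg")) {
                    rec.CustomStr7 = SplitFunction(token);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr7: " + rec.CustomStr7);
                }
                // Numeric fields: a failed conversion is logged and the field left untouched.
                try {
                    if (token.StartsWith("sent_bytes")) {
                        rec.CustomInt5 = Convert.ToInt32(SplitFunction(token));
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt5: " + rec.CustomInt5);
                    }
                } catch (Exception exception) {
                    L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt5 Type Casting Error: " + exception.Message);
                }
                try {
                    if (token.StartsWith("rcvd_bytes")) {
                        rec.CustomInt6 = Convert.ToInt32(SplitFunction(token));
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt6: " + rec.CustomInt6);
                    }
                } catch (Exception exception) {
                    L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt6 Type Casting Error: " + exception.Message);
                }
                try {
                    if (token.StartsWith("elapsed_time")) {
                        rec.CustomStr8 = SplitFunction(token);
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr8: " + rec.CustomStr8);
                    }
                } catch (Exception exception) {
                    L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr8 Type Casting Error: " + exception.Message);
                }
                // For "tcp" the source/destination IPs are the next two tokens; for "udp" they sit two
                // positions further out.  Ordinal comparison replaces ToLower() == "...", which is
                // culture-dependent.
                int ipOffset = -1;
                if (string.Equals(token, "tcp", StringComparison.OrdinalIgnoreCase)) {
                    ipOffset = 1;
                } else if (string.Equals(token, "udp", StringComparison.OrdinalIgnoreCase)) {
                    ipOffset = 3;
                }
                if (ipOffset > 0) {
                    string sourceIp = ParseIpToken(lineArr, i + ipOffset, "CustomStr3");
                    if (sourceIp != null) {
                        rec.CustomStr3 = sourceIp;
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
                    }
                    string destIp = ParseIpToken(lineArr, i + ipOffset + 1, "CustomStr4");
                    if (destIp != null) {
                        rec.CustomStr4 = destIp;
                        L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4: " + rec.CustomStr4);
                    }
                }
            }
            // Positional category token.  Unguarded in the original, so a short line threw here and
            // aborted the remaining fields (CustomStr1/5, CustomInt3/4).
            if (subLineArr.Length > 10) {
                rec.EventCategory = subLineArr[10];
            }
            // msg="..." runs up to the closing quote followed by a space.
            try {
                string msg1 = After(line, "msg=");
                string msg2 = Before(msg1, "\" ");
                rec.CustomStr1 = msg2.Replace('"', ' ').Trim();
                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr1: " + rec.CustomStr1);
            } catch (Exception exception) {
                L.Log(LogType.FILE, LogLevel.ERROR, "CustomStr1 Error: " + exception.Message);
            }
            if (lineArr.Length > 8) {
                // NOTE(review): the guard inspects lineArr[8] but the value is read from lineArr[5];
                // kept as-is because the intended index is not evident from this code.
                if (lineArr[8].Contains("-")) {
                    rec.CustomStr5 = lineArr[5].Split('-')[0];
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr5: " + rec.CustomStr5);
                }
            }
            // NOTE(review): the two length checks below test subLineArr but index lineArr.  lineArr is
            // never shorter, so the index is safe, but with repeated spaces in the line the token read
            // may not be the one intended.
            try {
                if (subLineArr.Length > 16) {
                    rec.CustomInt3 = Convert.ToInt32(lineArr[16]);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt3: " + rec.CustomInt3);
                }
            } catch (Exception exception) {
                L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt3 Type Casting Error: " + exception.Message);
            }
            try {
                if (subLineArr.Length > 17) {
                    rec.CustomInt4 = Convert.ToInt32(lineArr[17]);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "CustomInt4: " + rec.CustomInt4);
                }
            } catch (Exception exception) {
                L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt4 Type Casting Error: " + exception.Message);
            }
        } catch (Exception e) {
            L.Log(LogType.FILE, LogLevel.ERROR, "ERROR------------");
            L.Log(LogType.FILE, LogLevel.ERROR, e.Message);
            L.Log(LogType.FILE, LogLevel.ERROR, e.StackTrace);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
        // A partially filled record is still sent; per-field failures were logged above.
        if (usingRegistry) {
            CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
            s.SetData(rec);
        } else {
            CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
            s.SetData(Dal, virtualhost, rec);
            s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
    } catch (Exception er) {
        L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
        L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
    }
}

/// <summary>
/// Parses <paramref name="tokens"/>[<paramref name="index"/>] as an IP address literal.
/// </summary>
/// <param name="tokens">Whitespace-split tokens of the syslog line.</param>
/// <param name="index">Position of the token expected to hold the address.</param>
/// <param name="field">Record field name used in the error log entry.</param>
/// <returns>The normalised address text, or null when the token is missing or is not an
/// address (the failure is logged under <paramref name="field"/>).</returns>
private string ParseIpToken(string[] tokens, int index, string field) {
    try {
        return IPAddress.Parse(tokens[index]).ToString();
    } catch (Exception exception) {
        L.Log(LogType.FILE, LogLevel.ERROR, field + " Error: " + exception.Message);
        return null;
    }
}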
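/// <summary>
/// Handles one Squid syslog line: splits it on whitespace, maps the positional
/// tokens onto a <see cref="Rec"/> and hands the record to the
/// "Security Manager Remote Recorder" service.
/// </summary>
/// <param name="args">Syslog event; <c>Message</c> holds the raw line.</param>
/// <remarks>
/// Field-level parse errors are logged and the partially filled record is still
/// sent, as in the sibling recorders of this file. Every positional access is
/// bounds-checked so a short line degrades to missing fields instead of an
/// exception (the last-token lookup, CustomInt3 and the date parse were
/// unguarded before), the cast-error logs quote the token that was actually
/// parsed (arr[9] / arr[12]), and the CustomStr10 debug line reports CustomStr10
/// rather than CustomStr7.
/// </remarks>
public void SlogSquidSyslogRecorder(LogMgrEventArgs args)
{
    var rec = new Rec();
    try
    {
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
        L.Log(LogType.FILE, LogLevel.DEBUG, "Line Onur : " + args.Message);
        string line = args.Message;
        try
        {
            rec.LogName = "SquidSyslogV_1_0_0Recorder";
            // Split on any whitespace, dropping empty entries so indexes stay stable.
            string[] arr = line.Split((char[])null, StringSplitOptions.RemoveEmptyEntries);

            if (arr.Length > 13)
            {
                rec.EventType = arr[13];
                L.Log(LogType.FILE, LogLevel.DEBUG, "EventType: " + rec.EventType);
            }
            if (arr.Length > 11)
            {
                rec.EventCategory = arr[11];
                L.Log(LogType.FILE, LogLevel.DEBUG, "EventCategory: " + rec.EventCategory);
            }
            if (arr.Length > 14)
            {
                rec.CustomStr1 = arr[14];
                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr1: " + rec.CustomStr1);
            }
            if (arr.Length > 0)
            {
                // Last token of the line; an empty line used to throw here.
                rec.CustomStr2 = arr[arr.Length - 1];
                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr2: " + rec.CustomStr2);
            }
            if (arr.Length > 10)
            {
                rec.CustomStr3 = arr[10];
                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr3: " + rec.CustomStr3);
            }
            if (arr.Length > 16)
            {
                // For an "a/b" token keep only the part after the first '/'.
                rec.CustomStr4 = arr[16].Contains("/") ? arr[16].Split('/')[1] : arr[16];
                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr4: " + rec.CustomStr4);
            }
            if (arr.Length > 2)
            {
                rec.CustomStr5 = arr[2];
                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr5: " + rec.CustomStr5);
            }
            if (arr.Length > 8)
            {
                rec.CustomStr6 = arr[8];
                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr6: " + rec.CustomStr6);
            }
            if (arr.Length > 7)
            {
                rec.CustomStr7 = arr[7];
                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr7: " + rec.CustomStr7);
            }
            if (arr.Length > 0)
            {
                rec.CustomStr10 = arr[0];
                L.Log(LogType.FILE, LogLevel.DEBUG, "CustomStr10: " + rec.CustomStr10);
            }

            try
            {
                if (arr.Length > 9)
                {
                    rec.CustomInt2 = Convert.ToInt32(arr[9]);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "rec.CustomInt2." + rec.CustomInt2);
                }
            }
            catch (Exception exception)
            {
                // Only reachable when arr.Length > 9, so arr[9] is safe to quote.
                L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt2 Cast Error." + exception.Message);
                L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt2 expected value: " + arr[9]);
            }

            try
            {
                if (arr.Length > 12)
                {
                    rec.CustomInt3 = Convert.ToInt32(arr[12]);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "rec.CustomInt3." + rec.CustomInt3);
                }
            }
            catch (Exception exception)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt3 Cast Error." + exception.Message);
                L.Log(LogType.FILE, LogLevel.ERROR, "CustomInt3 expected value: " + arr[12]);
            }

            try
            {
                if (arr.Length > 5)
                {
                    // The syslog header carries no year; tokens 3-5 hold the date/time parts
                    // and the current year is assumed.
                    string myDateTimeString = arr[4] + arr[3] + "," + DateTime.Now.Year + "," + arr[5];
                    DateTime dt = Convert.ToDateTime(myDateTimeString);
                    rec.Datetime = dt.ToString(dateFormat);
                    L.Log(LogType.FILE, LogLevel.DEBUG, "Datetime: " + rec.Datetime);
                }
            }
            catch (Exception exception)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, "Datetime Error " + exception.Message);
            }

            // Description is truncated to 899 characters.
            rec.Description = args.Message.Length > 899 ? args.Message.Substring(0, 899) : args.Message;
        }
        catch (Exception e)
        {
            L.Log(LogType.FILE, LogLevel.ERROR, "ERROR------------");
            L.Log(LogType.FILE, LogLevel.ERROR, e.Message);
            L.Log(LogType.FILE, LogLevel.ERROR, e.StackTrace);
        }

        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
        CustomServiceBase serviceBase = GetInstanceService("Security Manager Remote Recorder");
        serviceBase.SetData(Dal, virtualhost, rec);
        serviceBase.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
    }
    catch (Exception er)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
        L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
    }
}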
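/// <summary>
/// Syslog event handler: builds a record with <see cref="ParseSpecific"/> and
/// forwards it to the "Security Manager Sender" (registry mode) or to the
/// "Security Manager Remote Recorder".
/// </summary>
/// <param name="args">The incoming syslog event.</param>
/// <remarks>
/// Every failure, including a failure inside ParseSpecific, is logged and
/// swallowed so one malformed line cannot take the listener down; previously the
/// parse ran outside the try block and its exceptions escaped the handler. The
/// "Start preparing record" line is now logged before the parse rather than after.
/// </remarks>
void slog_SyslogEvent(LogMgrEventArgs args)
{
    try
    {
        L.Log(LogType.FILE, LogLevel.INFORM, "Start preparing record");
        // dontSend is passed as false, unchanged from the original call.
        CustomBase.Rec rec = ParseSpecific(args.Message, false, args);

        L.Log(LogType.FILE, LogLevel.INFORM, "Start sending Data");
        if (usingRegistry)
        {
            CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
            s.SetData(rec);
        }
        else
        {
            try
            {
                CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
                s.SetData(Dal, virtualhost, rec);
                s.SetReg(Id, rec.Datetime, rec.Description, "", "", rec.Datetime);
            }
            catch (Exception exception)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, "Data sending error." + exception.Message);
            }
        }
        L.Log(LogType.FILE, LogLevel.INFORM, "Finish Sending Data");
    }
    catch (Exception er)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, er.ToString());
        L.Log(LogType.FILE, LogLevel.ERROR, args.EventLogEntType + " " + args.Message);
    }
}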
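/// <summary>
/// Handles a Checkpoint DHCP syslog event: parses the timestamp and the
/// message-id specific fields (<c>&lt;10020&gt;</c> IP conflict,
/// <c>&lt;10016&gt;</c> address detection, <c>&lt;10015&gt;</c> lease assignment)
/// into a record and forwards it to the sender / remote recorder service.
/// </summary>
/// <param name="args">The syslog event; <c>Message</c> may contain NUL bytes.</param>
/// <remarks>
/// When parsing fails the raw line is still forwarded as the record description
/// so the event is not lost. Changes from the previous version: the record is
/// built first and sent exactly once (the old code could send twice when the
/// send inside the try block threw); the error path keeps LogName
/// "Checkpoint DHCP Recorder" instead of "CheckpointDHCPRecorder" so both paths
/// land under one log name; the error path never hands a null timestamp to
/// SetReg; Dispose is null-safe; the unused <c>cat</c> local is gone.
/// </remarks>
void checkpoint_DHCP(LogMgrEventArgs args)
{
    CustomBase.Rec r = new CustomBase.Rec();
    CustomServiceBase s = null;
    try
    {
        if (usingRegistry)
        {
            L.Log(LogType.FILE, LogLevel.INFORM, "Security Manager Sender");
            s = base.GetInstanceService("Security Manager Sender");
        }
        else
        {
            L.Log(LogType.FILE, LogLevel.INFORM, "Security Manager Remote Recorder");
            s = base.GetInstanceService("Security Manager Remote Recorder");
        }

        // The raw message may carry NUL bytes; normalise once and reuse.
        String raw = args.Message.Replace('\0', ' ');
        String line = raw.TrimEnd(' ');
        r.LogName = "Checkpoint DHCP Recorder";
        r.SourceName = args.Source;

        try
        {
            String[] arr = SpaceSplit(raw, true);
            String[] arr2 = line.Split('>');

            // Date parts are arr[3..6]; ay() converts arr[4] (presumably a month name) to a number.
            String tarih = arr[3] + "/" + ay(arr[4]).ToString() + "/" + arr[5] + " " + arr[6];
            L.Log(LogType.FILE, LogLevel.DEBUG, "set datetime");
            // zone: time-zone correction in minutes.
            r.Datetime = Convert.ToDateTime(tarih).AddMinutes(zone).ToString("yyyy/MM/dd HH:mm:ss");

            switch (arr[8])
            {
                case "<10020>": // An IP conflict was detected
                    L.Log(LogType.FILE, LogLevel.DEBUG, "set event category");
                    r.EventCategory = arr[7];
                    L.Log(LogType.FILE, LogLevel.DEBUG, "set username");
                    r.UserName = arr[16]; // ip
                    L.Log(LogType.FILE, LogLevel.DEBUG, "set description");
                    r.Description = arr2[1]; // e.g. "The IP 10.33.0.1 is in use by a device with MAC address 00:09:f3:07:26:ab"
                    L.Log(LogType.FILE, LogLevel.DEBUG, "set eventtype");
                    r.EventType = arr[10] + " " + arr[11]; // "ip conflict"
                    L.Log(LogType.FILE, LogLevel.DEBUG, "set event customstr1");
                    r.CustomStr1 = arr2[1].Split(':')[0]; // text before the first ':' ("An IP conflict was detected")
                    break;

                case "<10016>": // spotted
                    L.Log(LogType.FILE, LogLevel.DEBUG, "set event category");
                    r.EventCategory = arr[7];
                    L.Log(LogType.FILE, LogLevel.DEBUG, "set username");
                    r.UserName = arr[arr.Length - 1]; // ip
                    L.Log(LogType.FILE, LogLevel.DEBUG, "set description");
                    r.Description = arr2[1]; // e.g. "Spotted 00:16:17:4d:37:9d (TMO) using IP address 10.25.0.109"
                    L.Log(LogType.FILE, LogLevel.DEBUG, "set event type");
                    r.EventType = "ADDRESS DETECTION"; // fixed value
                    L.Log(LogType.FILE, LogLevel.DEBUG, "set customstr1");
                    r.CustomStr1 = arr[9];
                    break;

                case "<10015>": // assigned
                    L.Log(LogType.FILE, LogLevel.DEBUG, "set event category");
                    r.EventCategory = arr[7];
                    L.Log(LogType.FILE, LogLevel.DEBUG, "set username");
                    r.UserName = arr[10]; // ip
                    L.Log(LogType.FILE, LogLevel.DEBUG, "set description");
                    r.Description = arr2[1];
                    L.Log(LogType.FILE, LogLevel.DEBUG, "set eventtype");
                    r.EventType = "DHCP"; // fixed value
                    L.Log(LogType.FILE, LogLevel.DEBUG, "set customstr1");
                    r.CustomStr1 = arr[9]; // assigned
                    break;

                default:
                    L.Log(LogType.FILE, LogLevel.DEBUG, "set descriiption ");
                    r.Description = line;
                    break;
            }
        }
        catch (Exception ex)
        {
            // Parse failure: forward the raw line so the event is not silently dropped.
            L.Log(LogType.FILE, LogLevel.ERROR, "Wrong data: " + raw);
            L.LogTimed(LogType.FILE, LogLevel.ERROR, "Error at parsing" + ex.ToString());
            r.Description = raw;
            if (string.IsNullOrEmpty(r.Datetime))
            {
                // The timestamp parse may not have run; SetReg needs a value.
                r.Datetime = DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss");
            }
        }

        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
        if (usingRegistry)
        {
            s.SetData(r);
        }
        else
        {
            s.SetData(Dal, virtualHost, r);
            // Six-argument form, as used by the old error path and by every other
            // SetReg call in this file (the old success path passed five arguments).
            s.SetReg(identity, r.Datetime, "", "", "", r.Datetime);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
    }
    catch (Exception ex)
    {
        // Service lookup or send failed; log it and drop the event.
        L.LogTimed(LogType.FILE, LogLevel.ERROR, "Error at sending" + ex.ToString());
    }
    finally
    {
        if (s != null)
        {
            s.Dispose();
        }
    }
}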
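/// <summary>
/// Parses a Cisco ACS syslog message into this recorder's fields: the syslog
/// header (source, port, log type, timestamp, message id) from the first
/// comma-separated element, then the "name=value" attributes that follow.
/// </summary>
/// <param name="args">Syslog event; <c>Message</c> holds the raw line.</param>
/// <param name="zone">Minutes added to the parsed timestamp (time-zone correction).</param>
/// <remarks>
/// Changes from the previous version: header tokens are split with
/// <see cref="StringSplitOptions.RemoveEmptyEntries"/> instead of a manual
/// copy loop, and an attribute without '=' is logged and skipped instead of
/// throwing <see cref="IndexOutOfRangeException"/> out of the method (which
/// lost the whole record).
/// </remarks>
public void parsingProcess(LogMgrEventArgs args, int zone)
{
    // Known attribute names; the index into this array is what assignpropertyvalue() expects.
    string[] logproperties =
    {
        "User-Name", "NAS-IP-Address", "NAS-Port", "Group-Name", "Framed-IP-Address",
        "Calling-Station-Id", "Acct-Status-Type", "Acct-Session-Id", "NAS-Portname",
        "Caller-Id", "Acct-Flags", "service", "task_id", "AAA Server", "Message-Type",
        "Filter Information", "Access Device", "Message-Type", "Authen-Failure-Code",
        "status-class", "text-message", "system-memory-usage", "system-free-disk-space",
        "System-CPU-usage", "action-type", "cmd", "priv-lvl", "Caller-ID"
    };

    this.log_Name = "Cisco ACS Recorder";
    InitializeLogger.L.Log(LogType.FILE, LogLevel.DEBUG, "Message" + args.Message);
    this.event_Type = args.EventLogEntType.ToString();
    this.description = args.Message.Replace('\0', ' ');

    // Comma-separated attributes; element 0 is the syslog header.
    string[] syslogMessageArr = args.Message.Split(',');
    // Header tokens with runs of spaces collapsed.
    string[] syslogmessageArrIndex0 = syslogMessageArr[0].Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);

    try
    {
        // Token 0 is "source:port".
        String[] sourceArr = syslogmessageArrIndex0[0].Split(':');
        this.sourceName = sourceArr[0];
        this.sourceportNumber = Convert.ToInt32(sourceArr[1]);
    }
    catch (Exception e)
    {
        InitializeLogger.L.Log(LogType.FILE, LogLevel.ERROR, "Couldnt find source port number :" + e.Message);
    }

    this.logType = syslogmessageArrIndex0[7];

    // The header carries no year; tokens 3-5 hold the date/time parts and the current year is assumed.
    string logDate = DateTime.Now.Year + " " + syslogmessageArrIndex0[3] + " "
                     + syslogmessageArrIndex0[4] + " " + syslogmessageArrIndex0[5];
    DateTime _logDate = Convert.ToDateTime(logDate);
    this.dateTime = _logDate.AddMinutes(zone).ToString("yyyy/MM/dd HH:mm:ss");
    this.message_Id = syslogmessageArrIndex0[8];

    int index;
    string property = "";
    try
    {
        // Token 11 is either "name=value" or the two-word "AAA Server", whose value is in token 12.
        bool kontrol = true;
        if (syslogmessageArrIndex0[11].Contains("="))
        {
            property = syslogmessageArrIndex0[11].Split('=')[0];
        }
        else
        {
            if (syslogmessageArrIndex0[11] == "AAA")
            {
                property = "AAA Server";
            }
            kontrol = false;
        }
        index = Array.IndexOf(logproperties, property);
        if (kontrol)
        {
            assignpropertyvalue(index, syslogmessageArrIndex0[11].Split('=')[1]);
        }
        else
        {
            assignpropertyvalue(index, syslogmessageArrIndex0[12].Split('=')[1]);
        }
    }
    catch (Exception e)
    {
        InitializeLogger.L.Log(LogType.FILE, LogLevel.ERROR, "error on parsing the AAA Server :" + e.Message);
    }

    // Remaining "name=value" attributes. The loop stops before the last element,
    // as in the original; TODO confirm whether the trailing element is meant to be ignored.
    for (int i = 1; i < syslogMessageArr.Length - 1; i++)
    {
        string[] pair = syslogMessageArr[i].Split('=');
        if (pair.Length < 2)
        {
            InitializeLogger.L.Log(LogType.FILE, LogLevel.DEBUG, "Skipping attribute without '=': " + syslogMessageArr[i]);
            continue;
        }
        // pair[1] keeps only the text up to a second '=', matching the original behaviour.
        index = Array.IndexOf(logproperties, pair[0]);
        if (index != -1)
        {
            assignpropertyvalue(index, pair[1]);
        }
        else
        {
            assignundefinedvalue(pair[0], pair[1]);
        }
    }
}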
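/// <summary>
/// Handles a Genuagate syslog event. For "request"/"accept"/"connect"/"disconnect"
/// events the trailing "key=value" tokens are mapped onto the record's address,
/// port and descriptive fields; for "ACCESS" events the free-text form is parsed
/// positionally. The record is then forwarded to the sender / remote recorder.
/// </summary>
/// <param name="args">The syslog event; <c>Message</c> holds the raw line.</param>
/// <remarks>
/// Changes from the previous version: a repeated key no longer throws out of the
/// parse (the dictionary indexer replaces Add(), last occurrence wins); the
/// thirteen try/catch lookups are replaced by TryGetValue helpers with the same
/// "" / -1 defaults; in the ACCESS branch a missing "from" token no longer
/// indexes past the array, so the record is still sent with the fields it has.
/// </remarks>
void Genuagate_SyslogEvent(LogMgrEventArgs args)
{
    CustomBase.Rec rec = new CustomBase.Rec();
    try
    {
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start preparing record");
        rec.LogName = "GenuagateSyslog Recorder";
        L.Log(LogType.FILE, LogLevel.DEBUG, "args.message->" + args.Message);

        String[] arr = SpaceSplit(args.Message, true);
        rec.ComputerName = arr[0];

        // The syslog header carries no year; tokens 3-5 hold the date/time parts
        // and the current year is assumed.
        DateTime dt = DateTime.Parse(arr[4] + " " + arr[3] + " " + DateTime.Now.Year + " " + arr[5]);
        // NOTE(review): this d/M/yyyy layout differs from the "yyyy/MM/dd HH:mm:ss"
        // the other recorders write; kept as-is because downstream expectations are
        // not visible here.
        rec.Datetime = dt.Day + "/" + dt.Month + "/" + dt.Year + " " + arr[5];
        rec.EventCategory = arr[10];

        switch (rec.EventCategory)
        {
            case "request":
            case "accept":
            case "connect":
            case "disconnect":
                {
                    // Tokens from index 11 on are "key=value" pairs.
                    Dictionary<String, String> fields = new Dictionary<String, String>();
                    for (Int32 i = 11; i < arr.Length; i++)
                    {
                        String[] kv = arr[i].Split('=');
                        if (kv.Length > 1)
                        {
                            // Indexer, not Add(): a repeated key used to abort the whole record.
                            fields[kv[0]] = kv[1];
                        }
                    }
                    rec.CustomStr6 = GenuagateField(fields, "laddr");
                    rec.CustomInt1 = GenuagateIntField(fields, "lport");
                    rec.CustomStr2 = GenuagateField(fields, "baddr");
                    rec.CustomInt2 = GenuagateIntField(fields, "bport");
                    rec.CustomStr3 = GenuagateField(fields, "caddr");
                    rec.CustomInt3 = GenuagateIntField(fields, "cport");
                    rec.CustomStr4 = GenuagateField(fields, "saddr");
                    rec.CustomInt4 = GenuagateIntField(fields, "sport");
                    rec.Description = GenuagateField(fields, "url");
                    rec.CustomStr5 = GenuagateField(fields, "duration");
                    rec.CustomStr1 = GenuagateField(fields, "rnum");
                    rec.CustomStr7 = GenuagateField(fields, "status");
                    rec.CustomStr8 = GenuagateField(fields, "type");
                }
                break;

            case "ACCESS":
                {
                    rec.EventCategory += " " + arr[11];

                    // Words from token 12 up to the first token starting with a digit form CustomStr10.
                    Int32 i = 12;
                    rec.CustomStr10 = "";
                    for (; i < arr.Length; i++)
                    {
                        if (arr[i].Length > 0 && Char.IsDigit(arr[i], 0))
                        {
                            break;
                        }
                        rec.CustomStr10 += arr[i] + " ";
                    }
                    rec.CustomStr10 = rec.CustomStr10.Trim();

                    // Advance to the token after "from"; that token and the one two
                    // places later are split as "<text>:<number>" (presumably address:port).
                    for (; i < arr.Length; i++)
                    {
                        if (arr[i].Contains("from"))
                        {
                            break;
                        }
                    }
                    i++;
                    if (i < arr.Length)
                    {
                        String[] endpoint = arr[i].Split(':');
                        rec.CustomStr3 = endpoint[0];
                        int port;
                        if (endpoint.Length > 1 && int.TryParse(endpoint[1], out port))
                        {
                            rec.CustomInt3 = port;
                        }
                    }
                    i += 2;
                    if (i < arr.Length)
                    {
                        String[] endpoint = arr[i].Split(':');
                        rec.CustomStr2 = endpoint[0];
                        int port;
                        if (endpoint.Length > 1 && int.TryParse(endpoint[1], out port))
                        {
                            rec.CustomInt2 = port;
                        }
                    }
                }
                break;
        }

        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish preparing record");
        L.Log(LogType.FILE, LogLevel.DEBUG, "Start sending Data");
        if (usingRegistry)
        {
            CustomServiceBase s = base.GetInstanceService("Security Manager Sender");
            s.SetData(rec);
        }
        else
        {
            CustomServiceBase s = base.GetInstanceService("Security Manager Remote Recorder");
            s.SetData(Dal, virtualhost, rec);
            s.SetReg(Id, rec.Datetime, "", "", "", rec.Datetime);
        }
        L.Log(LogType.FILE, LogLevel.DEBUG, "Finish Sending Data");
    }
    catch (Exception er)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, "args.message->" + args.Message);
        L.LogTimed(LogType.FILE, LogLevel.ERROR, er.ToString());
    }
}

/// <summary>
/// Returns the value stored under <paramref name="key"/>, or "" when the key is absent.
/// </summary>
/// <param name="fields">Parsed "key=value" tokens.</param>
/// <param name="key">Field name to look up.</param>
/// <returns>The value, or an empty string.</returns>
private static string GenuagateField(Dictionary<String, String> fields, string key)
{
    string value;
    return fields.TryGetValue(key, out value) ? value : "";
}

/// <summary>
/// Returns the value stored under <paramref name="key"/> as an int, or -1 when
/// the key is absent or the value is not an integer.
/// </summary>
/// <param name="fields">Parsed "key=value" tokens.</param>
/// <param name="key">Field name to look up.</param>
/// <returns>The parsed number, or -1.</returns>
private static int GenuagateIntField(Dictionary<String, String> fields, string key)
{
    string value;
    int number;
    return fields.TryGetValue(key, out value) && int.TryParse(value, out number) ? number : -1;
}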