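/* *********************************************************************
 * PhpLogCon is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * PhpLogCon is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with phpLogCon. If not, see .
 *
 * A copy of the GPL can be found in the file "COPYING" in this
 * distribution.
 ********************************************************************* */

// --- Avoid directly accessing this file!
if ( !defined('IN_PHPLOGCON') )
{
    die('Hacking attempt');
}
// ---

// --- Basic Includes
require_once($gl_root_path . 'classes/enums.class.php');
require_once($gl_root_path . 'classes/msgparser.class.php');
require_once($gl_root_path . 'include/constants_errors.php');
require_once($gl_root_path . 'include/constants_logstream.php');
// ---

/**
 * Parser for Windows Eventlog records forwarded by the SNARE agent.
 *
 * SNARE emits the event as a single syslog line whose fields are separated
 * by a tab character; in the stored message that tab appears as the literal
 * text "#011", which is why the patterns below match on "\#011".
 */
class MsgParser_eventlogsnare extends MsgParser
{
    // Public Information properties
    public $_ClassName = 'SNARE Eventlog Format';
    public $_ClassDescription = 'This is a parser for a special format which can be created with SNARE Agent.';
    public $_ClassRequiredFields = null;
    public $_ClassHelpArticle = "http://www.intersectalliance.com/projects/SnareWindows/";

    /**
     * Leftover PHP4-style "constructor". Its name matches neither this class
     * nor __construct, so PHP never invokes it implicitly; it is kept only in
     * case external code calls it by name. It does nothing.
     */
    public function MsgParser_eventlog()
    {
        return; // Nothing
    }

    /**
     * ParseMsg
     *
     * Splits one SNARE eventlog line into its "#011"-separated fields and
     * copies the fields of interest into $arrArguments. When normalisation is
     * enabled ($this->_MsgNormalize == 1) the message text is replaced by a
     * "Caption: 'value'" listing of the event fields.
     *
     * Sample (15 fields; a 14-field variant without the trailing field is accepted too):
     *   Jan 18 12:09:37 winxp MSWinEventLog#0111#011System#011752#011Mon Jan 18 12:09:33 2010#0117036#011Service Control Manager#011Unknown User#011N/A#011Information#011WINXP#011None#011#011The Windows Time service entered the running state. #011469
     *
     * @param szMsg        string the raw message text
     * @param arrArguments array  in&out: properties of interest. There can be no guarantee the logstream can actually deliver them.
     * @return integer SUCCESS, or ERROR_MSG_NOMATCH when the line is not in SNARE format
     */
    public function ParseMsg($szMsg, &$arrArguments)
    {
        global $fields;

        //trim the msg first to remove spaces from begin and end
        $szMsg = trim($szMsg);

        // Capture groups: 1 syslog header, 2 criticality, 3 log type, 4 counter,
        // 5 event date, 6 event id, then free-text fields up to the message in
        // group 14. Only the counter and the event id are restricted to digits;
        // every other field is matched lazily up to the next "#011" separator.
        // The 15-group pattern is tried first, the 14-group one as fallback.
        $szFields14 = '(.*?)\#011(.*?)\#011(.*?)\#011([0-9]{1,12})\#011(.*?)\#011([0-9]{1,12})'
                    . str_repeat('\#011(.*?)', 8);
        $szPattern15 = '/' . $szFields14 . '\#011(.*?)$/';
        $szPattern14 = '/' . $szFields14 . '$/';

        // preg_match() returns false (not 0) when PCRE gives up, e.g. when a long
        // line that is not in this format exhausts the backtrack limit; that is
        // treated exactly like "no match" here.
        if ( !preg_match($szPattern15, $szMsg, $out) && !preg_match($szPattern14, $szMsg, $out) )
        {
            // return no match in this case!
            return ERROR_MSG_NOMATCH;
        }

        // If applicable, change a dutch date into an english date
        // strtotime conversion _only_ possible with an english date
        $syslog_date_search  = array( 'ma ', 'di ', 'wo ', 'do ', 'vr ', 'za ', 'zo ', 'maa ', 'mei ', 'okt ' );
        $syslog_date_replace = array( 'mon ', 'tue ', 'wed ', 'thu ', 'fri ', 'sat ', 'sun ', 'mar ', 'may ', 'oct ' );
        $syslog_date = str_replace($syslog_date_search, $syslog_date_replace, $out[5]);

        // Copy parsed properties!
        $arrArguments[SYSLOG_EVENT_ID]      = $out[6];
        // NOTE(review): in the sample line group 8 holds "Unknown User" and
        // group 9 holds "N/A"; confirm that group 9 is really the account name.
        $arrArguments[SYSLOG_EVENT_USER]    = $out[9];
        $arrArguments[SYSLOG_EVENT_SOURCE]  = $out[7];
        $arrArguments[SYSLOG_EVENT_LOGTYPE] = $out[3];
        $arrArguments[SYSLOG_SEVERITY]      = $out[10];
        $arrArguments[SYSLOG_MESSAGE]       = $out[14];
        $arrArguments[SYSLOG_HOST]          = $out[11];

        // Only write the date when the event date actually parses. strtotime()
        // returns false on failure, and date() would then silently turn that
        // into the 1970-01-01 epoch; the entry is left untouched instead.
        $nEventTime = strtotime($syslog_date);
        if ( $nEventTime !== false )
            $arrArguments[SYSLOG_DATE] = date("Y-m-d H:i:s", $nEventTime);

        if ( $this->_MsgNormalize == 1 )
        {
            // Create Field Array to prepend into msg! Reverse Order here:
            // each field is prepended, so the last entry ends up first.
            $myFields = array( SYSLOG_MESSAGE, SYSLOG_EVENT_CATEGORY, SYSLOG_EVENT_LOGTYPE, SYSLOG_EVENT_SOURCE, SYSLOG_EVENT_USER, SYSLOG_EVENT_ID );

            //Init tmp msg
            $szTmpMsg = "";
            foreach ( $myFields as $myField )
            {
                // Set Field Caption, falling back to the field id
                if ( isset($fields[$myField]['FieldCaption']) )
                    $szFieldName = $fields[$myField]['FieldCaption'];
                else
                    $szFieldName = $myField;

                // SYSLOG_EVENT_CATEGORY is not filled in by this parser, so the
                // value may be absent; use '' rather than reading an undefined key.
                $szFieldValue = isset($arrArguments[$myField]) ? $arrArguments[$myField] : '';

                // Prepend Field into msg
                $szTmpMsg = $szFieldName . ": '" . $szFieldValue . "'\n" . $szTmpMsg;
            }

            // copy finished MSG back!
            $arrArguments[SYSLOG_MESSAGE] = $szTmpMsg;
        }

        // Set IUT Property if success!
        $arrArguments[SYSLOG_MESSAGETYPE] = IUT_NT_EventReport;

        // If we reached this position, return success!
        return SUCCESS;
    }
}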