in Lib/Collectors/EventLogCollector.cs [35:99]
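/// <summary>
/// Parses the Linux system logs (/var/log/auth.log and /var/log/syslog) line by line and
/// reports every line that carries a syslog-style header to <c>HandleChange</c> as an
/// <c>EventLogObject</c>. Files that cannot be read are logged at debug level and skipped.
/// </summary>
/// <param name="cancellationToken">
/// Stops the scan. The single-threaded path breaks out of its loop quietly; the parallel path
/// hands the token to <see cref="Parallel.ForEach"/>, which throws <see cref="OperationCanceledException"/>
/// on cancellation (unchanged from the original contract).
/// </param>
public void ExecuteLinux(CancellationToken cancellationToken)
{
    // Group 1 (optional): timestamp such as "Sep 7 02:16:16"; group 2: process/tag; group 3: message.
    // Log lines are partly attacker-influenced (e.g. a failed-login user name ends up in auth.log),
    // so the match is bounded by a timeout instead of being allowed to backtrack without limit.
    Regex logHeader = new Regex(
        "^([A-Z][a-z][a-z][0-9:\\s]*)?[\\s].*?[\\s](.*?): (.*)",
        RegexOptions.Compiled,
        TimeSpan.FromSeconds(1));

    void HandleLinuxEvent(string entry, string path)
    {
        // New log entries start with a timestamp like so: Sep 7 02:16:16 testbed sudo:
        // pam_unix(sudo:session):session opened for user root
        Match header;
        try
        {
            // One Match call instead of IsMatch + three Matches().Single() evaluations per line.
            header = logHeader.Match(entry);
        }
        catch (RegexMatchTimeoutException)
        {
            // A single pathological line must not stall the whole file; drop it and carry on.
            return;
        }

        if (!header.Success)
        {
            return;
        }

        var obj = new EventLogObject(entry)
        {
            Summary = header.Groups[3].Value,
            Source = path,
            Process = header.Groups[2].Value,
        };

        // Group 1 is optional: Groups[1].Value is "" when it did not participate, whereas the former
        // Captures[0] indexing threw ArgumentOutOfRangeException for such lines (aborting the file
        // in the single-threaded path and surfacing as an AggregateException in the parallel one).
        // Invariant culture keeps the English month abbreviation parseable on non-English hosts;
        // syslog timestamps carry no year, so TryParse fills in the current one — TODO confirm
        // that is acceptable for entries written in a previous year.
        if (DateTime.TryParse(
                header.Groups[1].Value,
                System.Globalization.CultureInfo.InvariantCulture,
                System.Globalization.DateTimeStyles.None,
                out DateTime timestamp))
        {
            obj.Timestamp = timestamp;
        }

        HandleChange(obj);
    }

    void ParseLinuxLog(string path)
    {
        try
        {
            string[] log = File.ReadAllLines(path);
            if (opts.SingleThread)
            {
                foreach (var entry in log)
                {
                    if (cancellationToken.IsCancellationRequested)
                    {
                        break;
                    }
                    HandleLinuxEvent(entry, path);
                }
            }
            else
            {
                // NOTE(review): exceptions thrown by HandleChange inside Parallel.ForEach arrive wrapped
                // in an AggregateException and are therefore not caught by the filter below — confirm
                // whether that is intended.
                ParallelOptions po = new ParallelOptions() { CancellationToken = cancellationToken };
                Parallel.ForEach(log, po, entry => HandleLinuxEvent(entry, path));
            }
        }
        catch (Exception e) when (
            e is ArgumentException
            || e is ArgumentNullException
            || e is DirectoryNotFoundException
            || e is PathTooLongException
            || e is FileNotFoundException
            || e is IOException
            || e is NotSupportedException
            || e is System.Security.SecurityException
            || e is UnauthorizedAccessException)
        {
            // Unreadable or missing log (e.g. insufficient privilege): best-effort, keep going.
            Log.Debug("Failed to parse {0}", path);
        }
    }

    ParseLinuxLog("/var/log/auth.log");
    ParseLinuxLog("/var/log/syslog");
}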