// See http://www.whitehats.ca/main/members/Malik/malik_eventlogs/malik_eventlogs.html
//
// This script will take an input Windows Event Log
// and parse it out to an ASCII text file.
// Purpose: Useful for forensics being conducted on an
// evidence drive (specifically under xNIX)
//
// Copyright (C) 2004 Jamie French
// 2004-02-08 - version 0.1a
//
// This program is free software; you can redistribute it and/or
// modify it under the terms of the GNU General Public License
// as published by the Free Software Foundation; either version 2
// of the License, or (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
function hexstr($hexstr)
{
    // Turn a hex string (blanks between digits are tolerated) back into raw
    // bytes; pack('H*') consumes the whole string as high-nibble-first pairs.
    $digits_only = str_replace(' ', '', $hexstr);
    $raw_bytes = pack('H*', $digits_only);
    return $raw_bytes;
}
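function strhex($string)
{
    // Hex-encode raw bytes.  unpack() keys an unnamed format code from 1, so
    // the original `$hexstr[""]` read an index that never exists and returned
    // null (with an undefined-index notice) for every input.
    $hexstr = unpack('H*', $string);
    return $hexstr[1];
}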
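function odd($var)
{
    // PHP's % keeps the sign of the dividend (-3 % 2 == -1), so the original
    // `== 1` test reported every negative odd number as not odd.  Any non-zero
    // remainder means odd, regardless of sign.
    return ($var % 2 != 0);
}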
function even($var)
{
    // A value is even when division by two leaves no remainder; % yields 0
    // for both positive and negative even numbers.
    $remainder = $var % 2;
    return $remainder == 0;
}
set_time_limit(120);
// Echo the invocation back so the operator can confirm which arguments the
// script actually received before it starts writing output.
echo "Arg Count: ", $argc, "\n";
echo $argv[0], " ", $argv[1], " ", $argv[2];
echo "\n\n";
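// Validate the "--I <input>" pair.  isset() keeps an invocation with missing
// arguments on the usage path instead of raising undefined-index notices, and
// === avoids PHP's loose comparison rules.  The input path itself is required
// as well: "--I" on its own previously passed this check and later handed an
// undefined value to file_get_contents().
if ( isset($argv[1], $argv[2]) && $argv[1] === "--I" )
{
    echo "Input file follows\n";
}
elseif ( isset($argv[1]) && $argv[1] === "--H" )
{
    echo "evt_log_parse.php - Usage\n";
    echo "\n";
    echo " evt_log_parse.php --I --O \n";
    echo "\n";
    echo " --H Displays this help info\n";
    echo " --I The input file to process\n";
    echo " --O Output to file\n";
    echo "\n";
    echo " Jamie French - Feb 2004";
    exit(0);
}
else
{
    echo "No Input file specified - we're exiting\n";
    echo "\n";
    echo "evt_log_parse.php - Usage\n";
    echo "\n";
    echo " evt_log_parse.php --I --O \n";
    echo "\n";
    echo " --H Displays this help info\n";
    echo " --I The input file to process\n";
    echo " --O Output to file\n";
    echo "\n";
    echo " Jamie French - Feb 2004";
    exit(1);
}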
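// Validate the "--O <output>" pair the same way: both the flag and the path
// must be present, compared strictly, so a missing output name is reported
// here rather than surfacing later as touch()/fopen() on an undefined value.
if ( isset($argv[3], $argv[4]) && $argv[3] === "--O" )
{
    echo "Output file follows\n";
}
else
{
    echo "No Output file specified - we're exiting\n";
    echo "\n";
    echo "evt_log_parse.php - Usage\n";
    echo "\n";
    echo " evt_log_parse.php --I --O \n";
    echo "\n";
    echo " --H Displays this help info\n";
    echo " --I The input file to process\n";
    echo " --O Output to file\n";
    echo "\n";
    echo " Jamie French - Feb 2004";
    exit(1);
}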
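// Refuse to write over anything that already exists at the output path.
// file_exists() (rather than is_file()) also rejects directories, which
// is_file() let through and which only failed later inside the record loop.
if ( !isset($argv[4]) || $argv[4] === "" )
{
    echo "No Output file specified - we're exiting\n";
    echo "\n";
    exit(1);
}
elseif ( file_exists($argv[4]) )
{
    echo "$argv[4] exists\n";
    echo "\n";
    echo "You need to choose a file name that does not already exist!\n";
    echo " We're exiting now - please rerun the script and choose an Output\n";
    echo " file that doesn't already exist.\n";
    echo "\n";
    exit(1);
}
else
{
    echo "$argv[4] does not exist\n";
    echo " We can proceed.\n";
    echo "\n";
}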
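$OUTPUT_FILENAME = $argv[4];
// Create the output file exclusively: mode 'x' fails when the path already
// exists, so the existence check above cannot be raced by something creating
// the same path in between (touch() would have silently reused it), and a
// failure to create the file is reported instead of being ignored.
$create_handle = fopen($OUTPUT_FILENAME, 'x');
if ($create_handle === false)
{
    echo "Cannot create output file ($OUTPUT_FILENAME)\n";
    exit(1);
}
fclose($create_handle);
// Read the whole log up front.  file_get_contents() returns false on failure,
// which previously went straight into bin2hex() and was parsed as an empty
// log with no error.
$event = file_get_contents($argv[2]);
if ($event === false)
{
    echo "Cannot read input file ($argv[2])\n";
    exit(1);
}
// Split on the "LfLe" record magic in the binary data and hex-encode each
// chunk afterwards.  Splitting the hex text instead (as before) could also
// match the magic starting on an odd nibble, i.e. at a position that is not a
// byte boundary.  The chunks keep the same shape as before: every later
// offset into $pieces[$n] counts hex characters (two per byte).
$pieces = array_map('bin2hex', explode("LfLe", $event));
$thecount = count($pieces);
$n = 0;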
// Walk every chunk produced by splitting the hex-encoded log on the "LfLe"
// record magic and append one comma-separated line per chunk to the output
// file.  All offsets into $pieces[$n] below are hex-string characters, i.e.
// two characters per byte: 0..7 is the first 4-byte field, 8..15 the second,
// and so on.
while ( $n < $thecount )
{
$record_len=strlen($pieces[$n]);
// A chunk shorter than 46 bytes cannot hold the fixed fields read below.
// NOTE(review): this branch only sets two strings and bumps $n without a
// `continue`, so the chunk *after* a short one is parsed in its place and
// then skipped by the $n++ at the bottom; when the short chunk is the last
// one, $pieces[$n] below is read past the end of the array.
if ( $record_len < 92 )
{
$source="evt_log_parse.php";
$str1="There was an error processing this event. Binary log not long enough.";
$n++;
}
// Fixed-size fields, still as hex text.  The multi-byte ones are stored
// little-endian and are byte-swapped below; the unknown_* names are the
// author's and their meaning is not established anywhere in this file.
$msgnum_raw=substr($pieces[$n], 0, 8);
$date_created_raw=substr($pieces[$n], 8, 8);
$date_written_raw=substr($pieces[$n], 16, 8);
$eventid_raw=substr($pieces[$n], 24, 4);
$unknown0_raw=substr($pieces[$n], 28, 2);
$unknown1_raw=substr($pieces[$n], 30, 2);
$eventtype_raw=substr($pieces[$n], 32, 2);
$strcount_raw=substr($pieces[$n], 34, 4);
$category_raw=substr($pieces[$n], 38, 4);
$sid_raw=substr($pieces[$n], 42, 16);
$unknown_a_raw=substr($pieces[$n], 58, 8);
$unknown_b_raw=substr($pieces[$n], 66, 8);
$unknown_c_raw=substr($pieces[$n], 74, 8);
$unknown_d_raw=substr($pieces[$n], 82, 8);
// Everything after the fixed header: the variable-length message strings.
$msgstr_raw=substr($pieces[$n], 90);
// echo "\n\n#####################################################################\n";
// echo "msgnum_raw: $msgnum_raw\n";
// echo "date_created_raw: $date_created_raw\n";
// echo "date_written_raw: $date_written_raw\n";
// echo "eventid_raw: $eventid_raw\n";
// echo "category_raw: $category_raw\n";
// echo "unknown1_raw: $unknown1_raw\n";
// echo "eventtype_raw: $eventtype_raw\n";
// echo "strcount_raw: $strcount_raw\n";
// echo "sid_raw: $sid_raw\n";
// echo "unknown_d_raw: $unknown_d_raw\n";
// echo "unknown_c_raw: $unknown_c_raw\n";
// echo "unknown_b_raw: $unknown_b_raw\n";
// echo "unknown_a_raw: $unknown_a_raw\n";
// msgnum
// Byte-swap the 4-byte little-endian value: cut the hex text into byte pairs,
// reverse their order, re-join and convert.  `$l <= 8` runs a fifth time with
// $l past the end of the 8-character field; that substr() yields an empty
// value which implode() contributes nothing to, so the result is unaffected.
$l=0;
$msgnum_array = array();
while ( $l <= 8 )
{
$msgnum_1=substr($msgnum_raw, $l, 2);
array_push($msgnum_array, $msgnum_1);
$l=($l+2);
}
$msgnum_result = array_reverse($msgnum_array);
$msgnum_str = implode("", $msgnum_result);
$msgnum=hexdec($msgnum_str);
reset($msgnum_array);
// date_created
// Same byte swap; the value is then treated as a Unix timestamp.  date()
// formats it in PHP's default timezone, so the same evidence file yields
// different text on differently configured hosts -- gmdate() (or recording
// the timezone in the output) would make the timeline unambiguous.
$l=0;
$date_created_array = array();
while ( $l <= 8 )
{
$date_created_1=substr($date_created_raw, $l, 2);
array_push($date_created_array, $date_created_1);
$l=($l+2);
}
$date_created_result = array_reverse($date_created_array);
$date_created_str = implode("", $date_created_result);
$date_created_str=hexdec($date_created_str);
$date_created=date("d M y H:i:s", $date_created_str);
reset($date_created_array);
// date_written
$l=0;
$date_written_array = array();
while ( $l <= 8 )
{
$date_written_1=substr($date_written_raw, $l, 2);
array_push($date_written_array, $date_written_1);
$l=($l+2);
}
$date_written_result = array_reverse($date_written_array);
$date_written_str = implode("", $date_written_result);
$date_written_str=hexdec($date_written_str);
$date_written=date("d M y H:i:s", $date_written_str);
reset($date_written_array);
// eventid
// $eventid_raw is only 4 characters (2 bytes), so the loop produces two real
// pairs plus empty ones; the swap still gives the little-endian value.
$l=0;
$eventid_array = array();
while ( $l <= 8 )
{
$eventid_1=substr($eventid_raw, $l, 2);
array_push($eventid_array, $eventid_1);
$l=($l+2);
}
$eventid_result = array_reverse($eventid_array);
$eventid_str = implode("", $eventid_result);
$eventid=hexdec($eventid_str);
reset($eventid_array);
// unknown0
$unknown0=hexdec($unknown0_raw);
// unknown1
$unknown1=hexdec($unknown1_raw);
// eventtype
$eventtype=hexdec($eventtype_raw);
// strcount
// Number of message strings in the record, taken from the log itself.  It is
// capped at 10 so a corrupt or hostile count cannot drive the string scanner
// below indefinitely.  $str12 receives the warning text here but is
// overwritten further down before $RESULT is built, so the cap is silent.
$strcount=hexdec($strcount_raw);
if ( $strcount > 10 )
{
$str12="There is a problem... String count is too high! We'll allow a max of 10 message strings - evt_log_parse.php.";
$strcount=10;
}
// category
$category=hexdec($category_raw);
// sid
// 16 hex characters = 8 bytes; hexdec() returns a float once the value
// exceeds PHP_INT_MAX, in which case it prints in floating-point notation.
$sid=hexdec($sid_raw);
// unknown_d_raw
$unknown_d_raw=hexdec($unknown_d_raw);
// unknown_c_raw
$unknown_c_raw=hexdec($unknown_c_raw);
// unknown_b_raw
$unknown_b_raw=hexdec($unknown_b_raw);
// unknown_a_raw
$unknown_a_raw=hexdec($unknown_a_raw);
//
// Drop leading zero nibbles before the strings start.  NOTE(review): the
// pattern also removes an odd number of zeros (e.g. "0102" -> "102"), which
// shifts every following byte pair by one nibble; stripping whole zero bytes
// (`/^(00)+/`) looks like the intent -- confirm against real logs.
$l=0;
$msgstr_raw2=preg_replace("/^[0]+/i", "", $msgstr_raw);
$msgstr_len=strlen($msgstr_raw2);
$msgstr_array = array();
$msgstr_byte_count=($msgstr_len/2);
$msgstr_byte_count=floor($msgstr_byte_count);
// One array element per byte (as a two-character hex pair).
while ( $l <= $msgstr_len )
{
$msgstr_1=substr($msgstr_raw2, $l, 2);
array_push($msgstr_array, $msgstr_1);
$l=($l+2);
}
// Scan the byte array once per message string.  Every branch below is the
// same scanner applied to a different accumulator: a byte in 0x20..0x7e is
// appended (as its hex pair), a single 00 byte is stepped over (presumably
// the high byte of a UTF-16LE code unit -- TODO confirm), and a run of two
// or more 00 bytes terminates the current string.  $offset carries the
// position at which the next string resumes; $counter selects which string.
$counter=0;
$z=0;
while ( $counter <= $strcount )
{
while ( $z < $msgstr_byte_count )
{
// source
if ($counter == 0)
{
$z1=$z+1;
if ( $msgstr_array[$z] != "00" )
{
// NOTE(review): the printable-range test relies on "0x41"-style strings
// being numeric, which PHP 5 accepted and PHP 7+ does not; on newer
// interpreters both comparisons fail and every string comes out empty.
// `hexdec($msgstr_array[$z])` gives the same value on every version.
$tmp_char_hex="0x" . $msgstr_array[$z];
if ( $tmp_char_hex > 0x1f )
{
if ( $tmp_char_hex < 0x7f )
{
$msgstr_source=$msgstr_source . $msgstr_array[$z];
$offset=$z;
}
}
}
elseif ( $msgstr_array[$z1] == "00" )
{
// Two consecutive 00 bytes: skip the whole zero run, remember where the
// next string starts, and force the inner loop to end.  The loop stops at
// the end of the array because an undefined element compares unequal to
// "00" (with an undefined-index notice).
while ( $msgstr_array[$z1] == "00" )
{
$z1++;
}
$z=$msgstr_byte_count;
$offset=$z1;
}
else
{
// $CHECK is assigned here and at the str8 branch but never read.
$CHECK=0;
$offset=$z;
}
}
// computer
elseif ($counter == 1)
{
$z1=$z+1;
if ( $msgstr_array[$z] != "00" )
{
$tmp_char_hex="0x" . $msgstr_array[$z];
if ( $tmp_char_hex > 0x1f )
{
if ( $tmp_char_hex < 0x7f )
{
$msgstr_computer=$msgstr_computer . $msgstr_array[$z];
$offset=$z;
}
}
}
elseif ( $msgstr_array[$z1] == "00" )
{
while ( $msgstr_array[$z1] == "00" )
{
$z1++;
}
$z=$msgstr_byte_count;
$offset=$z1;
}
else
{
$offset=$z;
}
}
// str2
elseif ($counter == 2)
{
$z1=$z+1;
if ( $msgstr_array[$z] != "00" )
{
$tmp_char_hex="0x" . $msgstr_array[$z];
if ( $tmp_char_hex > 0x1f )
{
if ( $tmp_char_hex < 0x7f )
{
$msgstr_str2=$msgstr_str2 . $msgstr_array[$z];
$offset=$z;
}
}
}
elseif ( $msgstr_array[$z1] == "00" )
{
while ( $msgstr_array[$z1] == "00" )
{
$z1++;
}
$z=$msgstr_byte_count;
$offset=$z1;
}
else
{
$offset=$z;
}
}
// str3
elseif ($counter == 3)
{
$z1=$z+1;
if ( $msgstr_array[$z] != "00" )
{
$tmp_char_hex="0x" . $msgstr_array[$z];
if ( $tmp_char_hex > 0x1f )
{
if ( $tmp_char_hex < 0x7f )
{
$msgstr_str3=$msgstr_str3 . $msgstr_array[$z];
$offset=$z;
}
}
}
elseif ( $msgstr_array[$z1] == "00" )
{
while ( $msgstr_array[$z1] == "00" )
{
$z1++;
}
$z=$msgstr_byte_count;
$offset=$z1;
}
else
{
$offset=$z;
}
}
// str4
elseif ($counter == 4)
{
$z1=$z+1;
if ( $msgstr_array[$z] != "00" )
{
$tmp_char_hex="0x" . $msgstr_array[$z];
if ( $tmp_char_hex > 0x1f )
{
if ( $tmp_char_hex < 0x7f )
{
$msgstr_str4=$msgstr_str4 . $msgstr_array[$z];
$offset=$z;
}
}
}
elseif ( $msgstr_array[$z1] == "00" )
{
while ( $msgstr_array[$z1] == "00" )
{
$z1++;
}
$z=$msgstr_byte_count;
$offset=$z1;
}
else
{
$offset=$z;
}
}
// str5
elseif ($counter == 5)
{
$z1=$z+1;
if ( $msgstr_array[$z] != "00" )
{
$tmp_char_hex="0x" . $msgstr_array[$z];
if ( $tmp_char_hex > 0x1f )
{
if ( $tmp_char_hex < 0x7f )
{
$msgstr_str5=$msgstr_str5 . $msgstr_array[$z];
$offset=$z;
}
}
}
elseif ( $msgstr_array[$z1] == "00" )
{
while ( $msgstr_array[$z1] == "00" )
{
$z1++;
}
$z=$msgstr_byte_count;
$offset=$z1;
}
else
{
$offset=$z;
}
}
// str6
elseif ($counter == 6)
{
$z1=$z+1;
if ( $msgstr_array[$z] != "00" )
{
$tmp_char_hex="0x" . $msgstr_array[$z];
if ( $tmp_char_hex > 0x1f )
{
if ( $tmp_char_hex < 0x7f )
{
$msgstr_str6=$msgstr_str6 . $msgstr_array[$z];
$offset=$z;
}
}
}
elseif ( $msgstr_array[$z1] == "00" )
{
while ( $msgstr_array[$z1] == "00" )
{
$z1++;
}
$z=$msgstr_byte_count;
$offset=$z1;
}
else
{
$offset=$z;
}
}
// str7
elseif ($counter == 7)
{
$z1=$z+1;
if ( $msgstr_array[$z] != "00" )
{
$tmp_char_hex="0x" . $msgstr_array[$z];
if ( $tmp_char_hex > 0x1f )
{
if ( $tmp_char_hex < 0x7f )
{
$msgstr_str7=$msgstr_str7 . $msgstr_array[$z];
$offset=$z;
}
}
}
elseif ( $msgstr_array[$z1] == "00" )
{
while ( $msgstr_array[$z1] == "00" )
{
$z1++;
}
$z=$msgstr_byte_count;
$offset=$z1;
}
else
{
$offset=$z;
}
}
// str8
elseif ($counter == 8)
{
$z1=$z+1;
if ( $msgstr_array[$z] != "00" )
{
$tmp_char_hex="0x" . $msgstr_array[$z];
if ( $tmp_char_hex > 0x1f )
{
if ( $tmp_char_hex < 0x7f )
{
$msgstr_str8=$msgstr_str8 . $msgstr_array[$z];
$offset=$z;
}
}
}
elseif ( $msgstr_array[$z1] == "00" )
{
while ( $msgstr_array[$z1] == "00" )
{
$z1++;
}
$z=$msgstr_byte_count;
$offset=$z1;
// Assigned but never read (see the source branch).
$CHECK=0;
}
else
{
$offset=$z;
}
}
// str9
elseif ($counter == 9)
{
$z1=$z+1;
if ( $msgstr_array[$z] != "00" )
{
$tmp_char_hex="0x" . $msgstr_array[$z];
if ( $tmp_char_hex > 0x1f )
{
if ( $tmp_char_hex < 0x7f )
{
$msgstr_str9=$msgstr_str9 . $msgstr_array[$z];
$offset=$z;
}
}
}
elseif ( $msgstr_array[$z1] == "00" )
{
while ( $msgstr_array[$z1] == "00" )
{
$z1++;
}
$z=$msgstr_byte_count;
$offset=$z1;
}
else
{
$offset=$z;
}
}
// str10
elseif ($counter == 10)
{
$z1=$z+1;
if ( $msgstr_array[$z] != "00" )
{
$tmp_char_hex="0x" . $msgstr_array[$z];
if ( $tmp_char_hex > 0x1f )
{
if ( $tmp_char_hex < 0x7f )
{
$msgstr_str10=$msgstr_str10 . $msgstr_array[$z];
$offset=$z;
}
}
}
elseif ( $msgstr_array[$z1] == "00" )
{
while ( $msgstr_array[$z1] == "00" )
{
$z1++;
}
$z=$msgstr_byte_count;
$offset=$z1;
}
else
{
$offset=$z;
}
}
// str11
// Unreachable: $strcount is capped at 10 above, so $counter never exceeds 10.
elseif ($counter == 11)
{
$z1=$z+1;
if ( $msgstr_array[$z] != "00" )
{
$tmp_char_hex="0x" . $msgstr_array[$z];
if ( $tmp_char_hex > 0x1f )
{
if ( $tmp_char_hex < 0x7f )
{
$msgstr_str11=$msgstr_str11 . $msgstr_array[$z];
$offset=$z;
}
}
}
elseif ( $msgstr_array[$z1] == "00" )
{
while ( $msgstr_array[$z1] == "00" )
{
$z1++;
}
$z=$msgstr_byte_count;
$offset=$z1;
}
else
{
$offset=$z;
}
}
// str12
// Unreachable for the same reason as str11.
elseif ($counter == 12)
{
$z1=$z+1;
if ( $msgstr_array[$z] != "00" )
{
$tmp_char_hex="0x" . $msgstr_array[$z];
if ( $tmp_char_hex > 0x1f )
{
if ( $tmp_char_hex < 0x7f )
{
$msgstr_str12=$msgstr_str12 . $msgstr_array[$z];
$offset=$z;
}
}
}
elseif ( $msgstr_array[$z1] == "00" )
{
while ( $msgstr_array[$z1] == "00" )
{
$z1++;
}
$z=$msgstr_byte_count;
$offset=$z1;
}
else
{
$offset=$z;
}
}
$z++;
}
// Resume the next string where the zero run ended (or where the last byte
// was looked at) and move on to the next accumulator.
$z=$offset;
$counter++;
}
reset($msgstr_array);
// Decode the collected hex pairs back to text and clear each accumulator for
// the next record.  The accumulators start out undefined, so the very first
// concatenation into each of them raises an undefined-variable notice.
// $msgstr_str1 is never filled (counters 0 and 1 feed source and computer),
// so $str1 is always empty here and is not part of $RESULT either.
$source=hexstr($msgstr_source);
$msgstr_source="";
$computer=hexstr($msgstr_computer);
$msgstr_computer="";
$str1=hexstr($msgstr_str1);
$msgstr_str1="";
$str2=hexstr($msgstr_str2);
$msgstr_str2="";
$str3=hexstr($msgstr_str3);
$msgstr_str3="";
$str4=hexstr($msgstr_str4);
$msgstr_str4="";
$str5=hexstr($msgstr_str5);
$msgstr_str5="";
$str6=hexstr($msgstr_str6);
$msgstr_str6="";
$str7=hexstr($msgstr_str7);
$msgstr_str7="";
$str8=hexstr($msgstr_str8);
$msgstr_str8="";
$str9=hexstr($msgstr_str9);
$msgstr_str9="";
$str10=hexstr($msgstr_str10);
$msgstr_str10="";
$str11=hexstr($msgstr_str11);
$msgstr_str11="";
$str12=hexstr($msgstr_str12);
$msgstr_str12="";
// One output line per record.  The last column is the raw hex of the whole
// chunk, which lets a reviewer re-check the parsed fields against the
// evidence.  Security note: the fields are joined with bare commas and no
// quoting, so a message string that itself contains "," or a newline shifts
// or splits the columns of this record -- anything consuming this file must
// not trust column positions, and fputcsv() would be the safe replacement.
$RESULT=$msgnum . "," . $date_created . "," . $date_written . "," . $eventid . "," . $unknown0 . "," . $unknown1 . "," . $eventtype . "," . $strcount . "," . $category . "," . $sid . "," . $unknown_d_raw . "," . $unknown_c_raw . "," . $unknown_b_raw . "," . $unknown_a_raw . "," . $source . "," . $computer . "," . $str2 . "," . $str3 . "," . $str4 . "," . $str5 . "," . $str6 . "," . $str7 . "," . $str8 . "," . $str9 . "," . $str10 . "," . $str11 . "," . $str12 . "," . $pieces[$n] . "\n";
// The output file is reopened in append mode for every record; a failure to
// open or write terminates the whole run, and the bare `exit` does so with
// status 0, so a caller cannot tell a truncated report from a complete one.
if (is_writable($OUTPUT_FILENAME))
{
// PRINT "File is writeable\n";
// In our example we're opening $filename in append mode.
// The file pointer is at the bottom of the file hence
// that's where $string will go when we fwrite() it.
if (!$handle = fopen($OUTPUT_FILENAME, 'a'))
{
print "Cannot open file ($OUTPUT_FILENAME)";
exit;
}
// Write $somecontent to our opened file.
if (!fwrite($handle, $RESULT))
{
print "Cannot write to file ($OUTPUT_FILENAME)";
exit;
}
// print "Success, wrote ($string) to file ($OUTPUT_FILENAME)";
fclose($handle);
}
else
{
print "The file $OUTPUT_FILENAME is not writable";
}
$n++;
}
?>