/// <summary>
/// IIS日志分析器
/// </summary>
/// <param name="filepath"></param>
public static void IISlogAnalyzer(string filepath, Func<IISLogEvent, bool> express, Func<IISLogEvent, bool> whiteExpress, string rulename, int cnt = 1000)
{
List<IISLogEvent> logs = new List<IISLogEvent>();
using (ParserEngine parser = new ParserEngine(filepath))
{
while (parser.MissingRecords)
{
logs = parser.ParseLog().ToList();
}
List<string> ipList = new List<string>();
string hostIp = logs.Select(g => g.sIp).FirstOrDefault();
string expireTS = ConfigurationManager.AppSettings["expirets"].ToString();
ResetFireWallBlackIp(rulename, hostIp, expireTS);//清除防火墙中过期的黑名单Ip
ipList = logs.Where(whiteExpress).Where(express).Select(i => i.cIp).Distinct().ToList();
ipList = ipList.Union(logs.Where(whiteExpress).GroupBy(item => item.cIp).Select(g => new { cip = g.Key, cnt = g.Count() }).Where(g => g.cnt > cnt).Select(i => i.cip).ToList()).ToList();
SaveToDB(hostIp, ipList);
string ips = string.Join(",", ipList);
if (!string.IsNullOrEmpty(ips))
{
LogHelper.WriteLog("warnning", "IISlogAnalyzer", "发现异常IP:" + ips);
PutFireWall(rulename, ips);
}
}
}
/// <summary>
/// 加入防火墙黑名单
/// </summary>
/// <param name="ip"></param>
public static void PutFireWall(string ruleName, string ip)
{
try
{
INetFwPolicy2 firewallPolicy = (INetFwPolicy2)Activator.CreateInstance(Type.GetTypeFromProgID("HNetCfg.FwPolicy2"));
var rule = firewallPolicy.Rules.Item(ruleName);
rule.RemoteAddresses += "," + ip;
}
catch (Exception ex)
{
LogHelper.WriteLog("error", "防火墙操作", ex.ToString());
}
}
