From kylerichard...@apache.org
Subject [1/3] incubator-metron git commit: METRON-769 Cisco ASA parser doesn't include syslog wrapper fields (simonellistonball via kylerichardson) closes apache/incubator-metron#479
Date Mon, 20 Mar 2017 15:33:52 GMT
Repository: incubator-metron
Updated Branches:
  refs/heads/master f39873703 -> 4fba50a86


http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/4fba50a8/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/asa/BasicAsaParser.java
----------------------------------------------------------------------
diff --git a/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/asa/BasicAsaParser.java
b/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/asa/BasicAsaParser.java
index 54cc4f5..8d1f3ce 100644
--- a/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/asa/BasicAsaParser.java
+++ b/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/asa/BasicAsaParser.java
@@ -140,6 +140,15 @@ public class BasicAsaParser extends BasicParser {
                 metronJson.put("ciscotag", syslogJson.get("CISCOTAG"));
                 metronJson.put("syslog_severity", SyslogUtils.getSeverityFromPriority((int)
syslogJson.get("syslog_pri")));
                 metronJson.put("syslog_facility", SyslogUtils.getFacilityFromPriority((int)
syslogJson.get("syslog_pri")));
+                
+                
+                if (syslogJson.get("syslog_host")!=null) { 
+                	metronJson.put("syslog_host", syslogJson.get("syslog_host")); 
+            	}
+                if (syslogJson.get("syslog_prog")!=null) { 
+                    metronJson.put("syslog_prog", syslogJson.get("syslog_prog"));
+                }
+                
             }
             else
                 throw new RuntimeException(String.format("[Metron] Message '%s' does not
match pattern '%s'", logLine, syslogPattern));
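Review bot: The added block at lines 29–34 indents the `metronJson.put("syslog_host", …)` line and its closing brace with a tab while the surrounding method uses spaces, carries trailing whitespace, and adds two blank lines on either side; each null-check also calls `syslogJson.get` twice. A local per field reads cleaner and drops the double lookup: `Object host = syslogJson.get("syslog_host");` / `if (host != null) { metronJson.put("syslog_host", host); }`, and the same shape for `syslog_prog`. It is also worth a comment that both values are whatever the sender wrote into the syslog header rather than the address the message arrived from, e.g. `// syslog_host/syslog_prog come from the message header as sent; they are not checked against the transport source`. The enclosing method begins before this hunk.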

http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/4fba50a8/metron-platform/metron-parsers/src/main/resources/patterns/asa
----------------------------------------------------------------------
diff --git a/metron-platform/metron-parsers/src/main/resources/patterns/asa b/metron-platform/metron-parsers/src/main/resources/patterns/asa
index b1080ce..dee2a37 100644
--- a/metron-platform/metron-parsers/src/main/resources/patterns/asa
+++ b/metron-platform/metron-parsers/src/main/resources/patterns/asa
@@ -108,7 +108,7 @@ COMBINEDAPACHELOG %{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}
 LOGLEVEL ([A|a]lert|ALERT|[T|t]race|TRACE|[D|d]ebug|DEBUG|[N|n]otice|NOTICE|[I|i]nfo|INFO|[W|w]arn?(?:ing)?|WARN?(?:ING)?|[E|e]rr?(?:or)?|ERR?(?:OR)?|[C|c]rit?(?:ical)?|CRIT?(?:ICAL)?|[F|f]atal|FATAL|[S|s]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)
 
 #== Cisco ASA ==
-CISCO_TAGGED_SYSLOG ^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP}( %{SYSLOGHOST:sysloghost})?
?:? %%{CISCOTAG}%{GREEDYDATA:message}
+CISCO_TAGGED_SYSLOG ^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP}( %{SYSLOGHOST:syslog_host})?(
%{SYSLOGPROG:syslog_prog})? ?:? %%{CISCOTAG}%{GREEDYDATA:message}
 CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}
 CISCOTAG [A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)
 
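Review bot: The new pattern makes the host and program groups optional and independent, so a message that carries a program field but no host would, reading the regex, match `%{SYSLOGHOST:syslog_host}` first and put the program name into `syslog_host`; the added tests cover host-only and host-plus-program but not that layout, so this is inferred rather than observed. If that shape never occurs on ASA it deserves a comment above the pattern, e.g. `# host and prog are both optional; a lone program name is captured as syslog_host`. Where SYSLOGPROG follows the common grok definition it also carries its own sub-captures, so it is worth confirming whether extra fields surface in the parsed message alongside `syslog_prog`.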

http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/4fba50a8/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/asa/BasicAsaParserTest.java
----------------------------------------------------------------------
diff --git a/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/asa/BasicAsaParserTest.java
b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/asa/BasicAsaParserTest.java
index b9c24d4..12c39ca 100644
--- a/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/asa/BasicAsaParserTest.java
+++ b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/asa/BasicAsaParserTest.java
@@ -151,6 +151,28 @@ public class BasicAsaParserTest {
         assertEquals(1452005555000L, asaJson.get("timestamp"));
     }
 
+    @Test 
+    public void testSyslogIpHost() {
+    	String rawMessage = "<174>Jan  5 14:52:35 10.22.8.212 %ASA-6-302015: Built inbound
UDP connection 76245506 for outside:10.22.8.110/49886 (10.22.8.110/49886) to inside:192.111.72.8/8612
(192.111.72.8/8612) (user.name)";
+    	JSONObject asaJson = asaParser.parse(rawMessage.getBytes()).get(0);
+        assertEquals("10.22.8.212", asaJson.get("syslog_host"));
+    }
+    
+    @Test 
+    public void testSyslogHost() {
+    	String rawMessage = "<174>Jan  5 14:52:35 hostname-2 %ASA-6-302015: Built inbound
UDP connection 76245506 for outside:10.22.8.110/49886 (10.22.8.110/49886) to inside:192.111.72.8/8612
(192.111.72.8/8612) (user.name)";
+    	JSONObject asaJson = asaParser.parse(rawMessage.getBytes()).get(0);
+        assertEquals("hostname-2", asaJson.get("syslog_host"));
+    }
+    
+    @Test 
+    public void testSyslogHostAndProg() {
+    	String rawMessage = "<174>Jan  5 14:52:35 hostname-2 progName-2 %ASA-6-302015:
Built inbound UDP connection 76245506 for outside:10.22.8.110/49886 (10.22.8.110/49886) to
inside:192.111.72.8/8612 (192.111.72.8/8612) (user.name)";
+    	JSONObject asaJson = asaParser.parse(rawMessage.getBytes()).get(0);
+    	assertEquals("hostname-2", asaJson.get("syslog_host"));
+    	assertEquals("progName-2", asaJson.get("syslog_prog"));
+    }
+    
     @Rule
     public ExpectedException thrown = ExpectedException.none();
 
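Review bot: `rawMessage.getBytes()` in testSyslogIpHost (line 75), and likewise in testSyslogHost and testSyslogHostAndProg, encodes with the platform default charset, so the test input depends on the JVM's locale; `rawMessage.getBytes(StandardCharsets.UTF_8)` makes it deterministic (the messages here are ASCII, so this is about reproducibility rather than a present failure). The three new methods also mix a tab and spaces for indentation while the existing test body uses spaces. A fourth case whose header has no host, asserting that `syslog_host` is absent, would pin down what the optional groups in the pattern produce when the field is missing.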

