Repository: incubator-metron Updated Branches: refs/heads/master f39873703 -> 4fba50a86
http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/4fba50a8/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/asa/BasicAsaParser.java
----------------------------------------------------------------------
diff --git a/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/asa/BasicAsaParser.java b/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/asa/BasicAsaParser.java
index 54cc4f5..8d1f3ce 100644
--- a/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/asa/BasicAsaParser.java
+++ b/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/asa/BasicAsaParser.java
@@ -140,6 +140,15 @@ public class BasicAsaParser extends BasicParser {
 metronJson.put("ciscotag", syslogJson.get("CISCOTAG"));
 metronJson.put("syslog_severity", SyslogUtils.getSeverityFromPriority((int) syslogJson.get("syslog_pri")));
 metronJson.put("syslog_facility", SyslogUtils.getFacilityFromPriority((int) syslogJson.get("syslog_pri")));
+
+
+ if (syslogJson.get("syslog_host")!=null) {
+ metronJson.put("syslog_host", syslogJson.get("syslog_host"));
+ }
+ if (syslogJson.get("syslog_prog")!=null) {
+ metronJson.put("syslog_prog", syslogJson.get("syslog_prog"));
+ }
+
 } else throw new RuntimeException(String.format("[Metron] Message '%s' does not match pattern '%s'", logLine, syslogPattern));
http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/4fba50a8/metron-platform/metron-parsers/src/main/resources/patterns/asa
----------------------------------------------------------------------
diff --git a/metron-platform/metron-parsers/src/main/resources/patterns/asa b/metron-platform/metron-parsers/src/main/resources/patterns/asa
index b1080ce..dee2a37 100644
--- a/metron-platform/metron-parsers/src/main/resources/patterns/asa
+++ b/metron-platform/metron-parsers/src/main/resources/patterns/asa
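Review bot: Each new branch calls `syslogJson.get(...)` twice and the `!=null` spacing departs from the surrounding code; a local reads cleaner, e.g. `Object host = syslogJson.get("syslog_host"); if (host != null) { metronJson.put("syslog_host", host); }` and the same shape for `syslog_prog`. Both values are lifted verbatim from the captured syslog header of the message text, not from wherever the message arrived from, so a comment on the first branch would keep downstream enrichment from treating `syslog_host` as a verified sender: `// host/program as self-reported in the syslog header; not the transport source`. The two blank lines added before the first `if` and the one after the last `}` look unintentional. The enclosing method starts and ends outside the hunk.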
@@ -108,7 +108,7 @@ COMBINEDAPACHELOG %{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}
 LOGLEVEL ([A|a]lert|ALERT|[T|t]race|TRACE|[D|d]ebug|DEBUG|[N|n]otice|NOTICE|[I|i]nfo|INFO|[W|w]arn?(?:ing)?|WARN?(?:ING)?|[E|e]rr?(?:or)?|ERR?(?:OR)?|[C|c]rit?(?:ical)?|CRIT?(?:ICAL)?|[F|f]atal|FATAL|[S|s]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)
 #== Cisco ASA ==
-CISCO_TAGGED_SYSLOG ^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP}( %{SYSLOGHOST:sysloghost})? ?:? %%{CISCOTAG}%{GREEDYDATA:message}
+CISCO_TAGGED_SYSLOG ^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP}( %{SYSLOGHOST:syslog_host})?( %{SYSLOGPROG:syslog_prog})? ?:? %%{CISCOTAG}%{GREEDYDATA:message}
 CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}
 CISCOTAG [A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)
http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/4fba50a8/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/asa/BasicAsaParserTest.java
----------------------------------------------------------------------
diff --git a/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/asa/BasicAsaParserTest.java b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/asa/BasicAsaParserTest.java
index b9c24d4..12c39ca 100644
--- a/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/asa/BasicAsaParserTest.java
+++ b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/asa/BasicAsaParserTest.java
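Review bot: With both groups optional, a header that carries only a program name still binds that token to `syslog_host`, because the `SYSLOGHOST` group is tried first and accepts any hostname-shaped token; the `hostname-2 progName-2` test case works only because two tokens are present. If `SYSLOGPROG` in this file is the stock grok definition (`%{PROG:program}(?:\[%{POSINT:pid}\])?`), the match will also emit `program`/`pid` captures that the parser does not copy over — worth confirming against the definition in this file. A comment above the pattern would document the precedence: `# host and program are both optional; a lone token between the timestamp and the tag is taken as syslog_host`. Renaming the capture from `sysloghost` to `syslog_host` also changes the key that any existing reader of the raw capture map would see, if there is one.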
@@ -151,6 +151,28 @@ public class BasicAsaParserTest {
 assertEquals(1452005555000L, asaJson.get("timestamp"));
 }
+ @Test
+ public void testSyslogIpHost() {
+ String rawMessage = "<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245506 for outside:10.22.8.110/49886 (10.22.8.110/49886) to inside:192.111.72.8/8612 (192.111.72.8/8612) (user.name)";
+ JSONObject asaJson = asaParser.parse(rawMessage.getBytes()).get(0);
+ assertEquals("10.22.8.212", asaJson.get("syslog_host"));
+ }
+
+ @Test
+ public void testSyslogHost() {
+ String rawMessage = "<174>Jan 5 14:52:35 hostname-2 %ASA-6-302015: Built inbound UDP connection 76245506 for outside:10.22.8.110/49886 (10.22.8.110/49886) to inside:192.111.72.8/8612 (192.111.72.8/8612) (user.name)";
+ JSONObject asaJson = asaParser.parse(rawMessage.getBytes()).get(0);
+ assertEquals("hostname-2", asaJson.get("syslog_host"));
+ }
+
+ @Test
+ public void testSyslogHostAndProg() {
+ String rawMessage = "<174>Jan 5 14:52:35 hostname-2 progName-2 %ASA-6-302015: Built inbound UDP connection 76245506 for outside:10.22.8.110/49886 (10.22.8.110/49886) to inside:192.111.72.8/8612 (192.111.72.8/8612) (user.name)";
+ JSONObject asaJson = asaParser.parse(rawMessage.getBytes()).get(0);
+ assertEquals("hostname-2", asaJson.get("syslog_host"));
+ assertEquals("progName-2", asaJson.get("syslog_prog"));
+ }
+
 @Rule
 public ExpectedException thrown = ExpectedException.none();