[ 
https://issues.apache.org/jira/browse/METRON-150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15278725#comment-15278725
 ] 

ASF GitHub Bot commented on METRON-150:
---------------------------------------

Github user merrimanr commented on the pull request:

    https://github.com/apache/incubator-metron/pull/115#issuecomment-218266475
  
    @DomenicPuzio, thanks this looks pretty good.  Are you able to leverage the 
Grok parser that already exists (org.apache.metron.parsers.GrokParser) or is 
there some custom behavior needed?  I see a lot of overlap between the custom 
Java Grok parser you wrote and what's currently there.  If the current Grok 
parser is not flexible enough I think we should either update it to make it 
more flexible or extend it to provide custom behavior (rather than writing a 
new one).  Thoughts?


> Create WebSphere Parser
> -----------------------
>
>                 Key: METRON-150
>                 URL: https://issues.apache.org/jira/browse/METRON-150
>             Project: Metron
>          Issue Type: New Feature
>            Reporter: Domenic Puzio
>            Priority: Minor
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> Create a parser for the IBM WebSphere telemetry source. This data source has 
> four formats that should be parsed as specified below.
> LOGIN
> <133>Apr 15 17:47:28 ABCXML1413 [rojOut][0x81000033][auth][notice] 
> user(rick007): [120.43.200.6]: User logged into 'cohlOut'.
> ...
> {"severity":"notice","hostname":"ABCXML1413","event_type":"auth","original_string":"<133>Apr
>  15 17:47:28 ABCXML1413 [rojOut][0x81000033][auth][notice] user(rick007): 
> [120.43.200.6]: User logged into 
> 'cohlOut'.","event_code":"0x81000033","security_domain":"rojOut","event_subtype":"login","priority":133,"ip_src_addr":"120.43.200.6","timestamp":1460742448000,"username":"rick007"}
> LOGOUT
> <134>Apr 15 18:02:27 PHIXML3RWD [0x81000019][auth][info] [14.122.2.201]: User 
> 'hjpotter' logged out from 'default'.
> ...
> {"severity":"info","hostname":"PHIXML3RWD","event_type":"auth","original_string":"<134>Apr
>  15 18:02:27 PHIXML3RWD [0x81000019][auth][info] [14.122.2.201]: User 
> 'hjpotter' logged out from 
> 'default'.","event_code":"0x81000019","security_domain":"default","event_subtype":"logout","priority":134,"ip_src_addr":"14.122.2.201","timestamp":1460743347000,"username":"hjpotter"}
> RBM
> <131>Apr 15 17:36:35 ROBXML3QRS [0x80800018][auth][error] rbm(RBM-Settings): 
> trans(3502888135)[request] gtid(3502888135): RBM: Resource access denied.
> ...
> {"severity":"error","hostname":"ROBXML3QRS","process":"rbm","event_type":"auth","original_string":"<131>Apr
>  15 17:36:35 ROBXML3QRS [0x80800018][auth][error] rbm(RBM-Settings): 
> trans(3502888135)[request] gtid(3502888135): RBM: Resource access 
> denied.","event_code":"0x80800018","security_domain":null,"message":"trans(3502888135)[request]
>  gtid(3502888135): RBM: Resource access 
> denied.","priority":131,"timestamp":1460741795000}
> OTHER
> <134>Apr 15 17:17:34 SAGPXMLQA333 [0x8240001c][audit][info] trans(191): 
> (admin:default:system:*): ntp-service 'NTP Service' - Operational state down
> ...
> {"severity":"info","hostname":"SAGPXMLQA333","process":"trans","event_type":"audit","original_string":"<134>Apr
>  15 17:17:34 SAGPXMLQA333 [0x8240001c][audit][info] trans(191): 
> (admin:default:system:*): ntp-service 'NTP Service' - Operational state 
> down","event_code":"0x8240001c","security_domain":null,"message":"(admin:default:system:*):
>  ntp-service 'NTP Service' - Operational state 
> down","priority":134,"timestamp":1460740654000}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
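
The four formats in the issue description, as an added Python sketch that is not the pull request's parser and not Metron's `GrokParser`: one shared header pattern plus a small body pattern per event kind, returning `None` for any line that does not match instead of guessing at fields. The name `parse_websphere`, the regular expressions, the `year` argument (syslog omits the year) and reading the time as UTC are assumptions made here; the sample lines are the ones from the issue, rejoined onto single lines.

```python
import calendar
import re
import time

# Shared header: <pri>Mon DD HH:MM:SS host [domain](optional)[code][type][severity] body
HEADER = re.compile(
    r"<(?P<priority>\d{1,3})>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?:\[(?P<security_domain>[^\]]+)\])?\[(?P<event_code>0x[0-9a-fA-F]+)\]"
    r"\[(?P<event_type>[^\]]+)\]\[(?P<severity>[^\]]+)\] (?P<body>.*)")
LOGIN = re.compile(r"user\((?P<username>[^)]*)\): \[(?P<ip_src_addr>[^\]]+)\]: User logged into '")
LOGOUT = re.compile(r"\[(?P<ip_src_addr>[^\]]+)\]: User '(?P<username>[^']*)' "
                    r"logged out from '(?P<security_domain>[^']*)'")
GENERIC = re.compile(r"(?P<process>\w+)\([^)]*\): (?P<message>.*)")  # RBM and OTHER

# The four sample lines from the issue, rejoined onto one line each.
SAMPLES = {
    "login": "<133>Apr 15 17:47:28 ABCXML1413 [rojOut][0x81000033][auth][notice] "
             "user(rick007): [120.43.200.6]: User logged into 'cohlOut'.",
    "logout": "<134>Apr 15 18:02:27 PHIXML3RWD [0x81000019][auth][info] [14.122.2.201]: "
              "User 'hjpotter' logged out from 'default'.",
    "rbm": "<131>Apr 15 17:36:35 ROBXML3QRS [0x80800018][auth][error] rbm(RBM-Settings): "
           "trans(3502888135)[request] gtid(3502888135): RBM: Resource access denied.",
    "other": "<134>Apr 15 17:17:34 SAGPXMLQA333 [0x8240001c][audit][info] trans(191): "
             "(admin:default:system:*): ntp-service 'NTP Service' - Operational state down",
}

def parse_websphere(line, year=2016):
    """Parse one line; return None when the header or date does not match (never guess)."""
    m = HEADER.fullmatch(line)  # fullmatch also rejects lines with an embedded newline
    if m is None:
        return None
    out = m.groupdict()
    body, ts = out.pop("body"), out.pop("ts")
    try:  # syslog omits the year, so the caller supplies it (assumption); read as UTC
        stamp = time.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    out.update(original_string=line, priority=int(out["priority"]),
               timestamp=calendar.timegm(stamp) * 1000)
    login, logout = LOGIN.match(body), LOGOUT.match(body)
    if login:
        out.update(login.groupdict(), event_subtype="login")
    elif logout:
        # The logout sample has no bracketed domain; its domain comes from the message text.
        out.update(logout.groupdict(), event_subtype="logout")
    else:
        generic = GENERIC.match(body)
        out.update(generic.groupdict() if generic else {"message": body})
    return out
```
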
