Catherine Edwards created METRON-331:
----------------------------------------

             Summary: Creating Redseal Parser
                 Key: METRON-331
                 URL: https://issues.apache.org/jira/browse/METRON-331
             Project: Metron
          Issue Type: New Feature
            Reporter: Catherine Edwards
            Priority: Minor


Create a parser for RedSeal syslog messages. Each sample below is followed by the fields the parser should produce.

Sample RedSeal Server log message:
<134>Jun 29 23:02:00 www.burnbook.com local0: SRM_SERVER [INFO ] 
[com.redsealsys.srm.server.util.PurgeDataUtils.execute | Thread-58 ] - SQL:[ 
DROP TABLE IF EXISTS current_device_purge_id_temp ] 

Data after parsing:
{code:none}
{   "source:type": "redseal-server",
    "priority": "134",
    "timestamp": "June 29th 2016 23:02:00",
    "hostname": "www.burnbook.com",
    "syslog_facility": "local0",
    "message": "SRM_SERVER [INFO ] [com.redsealsys.srm.server.util.PurgeDataUtils.execute | Thread-58 ] - SQL:[ DROP TABLE IF EXISTS current_device_purge_id_temp ]"
}
{code}

Sample RedSeal Audit log message 1:
<150>Jun 22 11:11:33 www.burnbook.com local2: [ aaronsamuels ] https user 
authenticated OK - initial access to /data/reports/vuln_reporting - from remote 
host ' 99.999.99.999 ' 

Data after parsing:
{code:none}
{   "source:type": "redseal-audit",
    "priority": "150",
    "timestamp": "June 22nd 2016 11:11:33",
    "hostname": "www.burnbook.com",
    "syslog_facility": "local2",
    "username": "aaronsamuels",
    "uri_path": "/data/reports/vuln_reporting",
    "authentication_result": "success",
    "ip_src_addr": "99.999.99.999",
    "protocol": "https"
}
{code}

Sample RedSeal Audit log message 2:
<150>Jun 22 13:29:33 www.burnbook.com local2: [ gretchenweiners ] user 
authenticated OK - from remote host ' 99.99.999.999 ' 

Data after parsing:
{code:none}
{   "source:type": "redseal-audit",
    "priority": "150",
    "timestamp": "June 22nd 2016 13:29:33",
    "hostname": "www.burnbook.com",
    "syslog_facility": "local2",
    "username": "gretchenweiners",
    "authentication_result": "success",
    "ip_src_addr": "99.99.999.999"
}
{code}

Sample RedSeal Audit log message 3:
<150>Jun 22 13:29:35 www.burnbook.com local2: [ JMS user connection 
authenticated for: [gretchenweiners] ] 

Data after parsing:
{code:none}
{   "source:type": "redseal-audit",
    "priority": "150",
    "timestamp": "June 22nd 2016 13:29:35",
    "hostname": "www.burnbook.com",
    "syslog_facility": "local2",
    "username": "gretchenweiners",
    "authentication_result": "success",
    "protocol": "JMS"
}
{code}

Sample RedSeal Audit log message 4:
<150>Jun 8 09:31:27 www.burnbook.com local2: [ gretchenweiners ] user 
authentication FAILED - from remote host ' 99.999.9.999 ' 

Data after parsing:
{code:none}
{   "source:type": "redseal-audit",
    "priority": "150",
    "timestamp": "June 8th 2016 09:31:27",
    "hostname": "www.burnbook.com",
    "syslog_facility": "local2",
    "username": "gretchenweiners",
    "authentication_result": "failure",
    "ip_src_addr": "99.999.9.999"
}
{code}

Sample RedSeal Audit log message 5:
<150>Jun 10 14:58:43 www.burnbook.com local2: [ gretchenweiners ] failed to do 
final environmental check for Actuate reports . (permission denied) 

Data after parsing:
{code:none}
{   "source:type": "redseal-audit",
    "priority": "150",
    "timestamp": "June 10th 2016 14:58:43",
    "hostname": "www.burnbook.com",
    "syslog_facility": "local2",
    "username": "gretchenweiners",
    "message": "failed to do final environmental check for Actuate reports . (permission denied)"
}
{code}

Sample RedSeal Analysis log message:
<142>Jun 26 04:54:11 www.burnbook.com local1: Data Collection Task: RANCID - 
us.nx1k - Completed - Task Detail: data type: Cisco NX-OS (8.2.1); 
communication type: SFTP; credential: gretchenweiners; execution: scheduled 
collection - Summary: All 55 succeeded - 55 (out of 55) devices or hosts 
imported (3 added 52 updated ) 

Data after parsing:
{code:none}
{   "source:type": "redseal-analysis",
    "priority": "142",
    "timestamp": "June 26th 2016 04:54:11",
    "hostname": "www.burnbook.com",
    "syslog_facility": "local1",
    "message": "Data Collection Task: RANCID - us.nx1k - Completed - Task Detail: data type: Cisco NX-OS (8.2.1); communication type: SFTP; credential: gretchenweiners; execution: scheduled collection - Summary: All 55 succeeded - 55 (out of 55) devices or hosts imported (3 added 52 updated )"
}
{code}

Sample RedSeal System log message:
<158>Jun 7 10:41:12 www.burnbook.com local3: RedSeal 8.2.1 (Build-1107) 
running... Tue Jun 07 10:41:12 EDT 2016 

Data after parsing:
{code:none}
{   "source:type": "redseal-system",
    "priority": "158",
    "timestamp": "June 7th 2016 10:41:12",
    "hostname": "www.burnbook.com",
    "syslog_facility": "local3",
    "message": "RedSeal 8.2.1 (Build-1107) running... Tue Jun 07 10:41:12 EDT 2016"
}
{code}
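The parsing the samples above call for (the syslog envelope plus the audit message shapes), as an added example that is not part of this issue or of Metron. It assumes the facility-to-source mapping implied by the samples, the year 2016 because BSD syslog timestamps carry none, and the timestamp form used in the expected output.

```python
import re
from datetime import datetime
# Constructed example, not Metron project code: one parser for the RedSeal syslog
# shapes in this issue. The facility-to-source mapping is inferred from the samples.
FACILITY_TO_SOURCE = {"local0": "redseal-server", "local1": "redseal-analysis",
                      "local2": "redseal-audit", "local3": "redseal-system"}

# Syslog envelope: <PRI>Mon DD HH:MM:SS hostname facility: body (re.S: body may wrap)
HEADER_RE = re.compile(r"^<(?P<priority>\d{1,3})>(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
                       r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
                       r"(?P<syslog_facility>local\d): (?P<body>.*)$", re.S)
# Audit bodies, most specific first; the spaces inside ' ... ' are not captured.
AUDIT_PATTERNS = [
    (re.compile(r"^\[ (?P<username>\S+) \] (?P<protocol>\S+) user authenticated OK - "
                r"initial access to (?P<uri_path>\S+) - from remote host "
                r"' (?P<ip_src_addr>\S+) '"), "success"),
    (re.compile(r"^\[ (?P<username>\S+) \] user authenticated OK - from remote host "
                r"' (?P<ip_src_addr>\S+) '"), "success"),
    (re.compile(r"^\[ (?P<username>\S+) \] user authentication FAILED - from remote "
                r"host ' (?P<ip_src_addr>\S+) '"), "failure"),
    (re.compile(r"^\[ (?P<protocol>JMS) user connection authenticated for: "
                r"\[(?P<username>\S+)\] \]"), "success"),
]
def issue_timestamp(mon, day, time, year):
    # Renders 'June 22nd 2016 11:11:33'; the year is assumed, BSD syslog omits it.
    d = datetime.strptime(f"{mon} {day} {year} {time}", "%b %d %Y %H:%M:%S")
    suffix = "th" if 11 <= d.day <= 13 else {1: "st", 2: "nd", 3: "rd"}.get(d.day % 10, "th")
    return f"{d.strftime('%B')} {d.day}{suffix} {d:%Y %H:%M:%S}"

def parse_redseal(line, year=2016):
    m = HEADER_RE.match(line.strip())
    if not m:
        return None                    # not a RedSeal syslog line at all
    h = m.groupdict()
    out = {"source:type": FACILITY_TO_SOURCE.get(h["syslog_facility"], "redseal-unknown"),
           "priority": h["priority"],
           "timestamp": issue_timestamp(h["mon"], h["day"], h["time"], year),
           "hostname": h["hostname"], "syslog_facility": h["syslog_facility"]}
    body = h["body"].strip()
    if out["source:type"] == "redseal-audit":
        for pattern, result in AUDIT_PATTERNS:
            a = pattern.match(body)
            if a:
                out.update(a.groupdict(), authentication_result=result)
                return out
        other = re.match(r"^\[ (\S+) \] (.*)$", body)   # e.g. the permission-denied sample
        if other:
            out["username"], body = other.groups()
    out["message"] = body              # server/analysis/system logs keep the raw body
    return out
```

Feeding the sample lines above to `parse_redseal` yields the expected field sets; an audit body in a shape not listed keeps its text under `message` rather than being dropped.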

Sample RedSeal Event log message:
<134>Jun 29 01:46:30 www.burnbook.com local0: SRM_SERVER [VENTS] 
[.server.services.customevents.EventAggregator.rallAnalysisComplete | ctor 
Timer] - EventAction=RedSeal Network Analysis | EventDate=Jun 29, 2016 1:46:30 
AM EDT | EventName=HostMetricsEvent | DeviceVendor=RedSeal Networks, Inc. | 
DeviceProduct=RedSeal Platform | DeviceVersion=8.2.1 | 
RedSealServerName=www.burnbook.com | RedSealServerIPAddress=99.99.999.999 | 
HostName=www.burnbook.com | HostRedSealID=8aa5577asdf3d101asdf5460c8e9cdfc30 | 
AnalysisDate=Jun 29, 2016 12:51:33 AM EDT | PrimaryService=NetBIOS Session 
Service | OSVendor=Microsoft | OperatingSystem=Windows Server 2012 R2 | 
AttackDepth=-1 | Exposure=0 | Value=10 | ServicesCount=19 | 
VulnerabilityCount=281 | Risk=0 | DownstreamRisk=0 | Confidence=1 | 
Leapfroggable=false | Exploitable=false | PrimaryIp=99.99.99.99 | 
AccessibleFromUntrusted=false | HasAccessToCritical=false | END RSExternal 
event 

Data after parsing:
{code:none}
{   "source:type": "redseal-event",
    "priority": "134",
    "timestamp": "June 29th 2016 01:46:30",
    "hostname": "www.burnbook.com",
    "syslog_facility": "local0",
    "EventAction": "RedSeal Network Analysis",
    "EventDate": "Jun 29, 2016 1:46:30 AM EDT",
    "EventName": "HostMetricsEvent",
    "DeviceVendor": "RedSeal Networks, Inc.",
    "DeviceProduct": "RedSeal Platform",
    "DeviceVersion": "8.2.1",
    "RedSealServerName": "www.burnbook.com",
    "RedSealServerIPAddress": "99.99.999.999",
    "event_hostname": "www.burnbook.com",
    "HostRedSealID": "8aa5577asdf3d101asdf5460c8e9cdfc30",
    "AnalysisDate": "Jun 29, 2016 12:51:33 AM EDT",
    "PrimaryService": "NetBIOS Session Service",
    "OSVendor": "Microsoft",
    "OperatingSystem": "Windows Server 2012 R2",
    "AttackDepth": "-1",
    "Exposure": "0",
    "Value": "10",
    "ServicesCount": "19",
    "VulnerabilityCount": "281",
    "Risk": "0",
    "DownstreamRisk": "0",
    "Confidence": "1",
    "Leapfroggable": "false",
    "Exploitable": "false",
    "PrimaryIp": "99.99.99.99",
    "AccessibleFromUntrusted": "false",
    "HasAccessToCritical": "false"
}
{code}
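The key=value part of the event message above, as an added example that is not part of this issue or of Metron. The ' | ' separator, the logger prefix before the first key and the 'END RSExternal event' terminator follow the sample; renaming HostName to event_hostname mirrors the expected output, where the syslog host already occupies hostname.

```python
import re

# Constructed example, not Metron project code: extract the 'Key=Value | ...'
# pairs of a RedSeal event body. HostName is renamed so it cannot overwrite the
# syslog-level "hostname" field the envelope parser already produced.
RENAMES = {"HostName": "event_hostname"}
TERMINATOR = "END RSExternal event"

def parse_event_pairs(body):
    # Everything before the first 'Key=' is the logger prefix (SRM_SERVER, class, thread)
    # and may itself contain ' | ', so the split starts at the first key instead.
    start = re.search(r"\b[A-Za-z]+=", body)
    if not start:
        return {}                       # no key=value section: nothing to extract
    fields = {}
    for pair in body[start.start():].split(" | "):
        pair = pair.strip()
        if pair == TERMINATOR:
            break                       # trailing marker, not a field
        key, sep, value = pair.partition("=")
        if not sep:
            continue                    # tolerate a stray token instead of failing the event
        fields[RENAMES.get(key, key)] = value.strip()
    return fields
```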



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)