[
https://issues.apache.org/jira/browse/METRON-331?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Catherine Edwards updated METRON-331:
-------------------------------------
Summary: Create Redseal Parser (was: Creating Redseal Parser)
> Create Redseal Parser
> ---------------------
>
> Key: METRON-331
> URL: https://issues.apache.org/jira/browse/METRON-331
> Project: Metron
> Issue Type: New Feature
> Reporter: Catherine Edwards
> Priority: Minor
>
> Create Parser for Redseal logs.
> Sample RedSeal Server log message:
> <134>Jun 29 23:02:00 www.burnbook.com local0: SRM_SERVER [INFO ]
> [com.redsealsys.srm.server.util.PurgeDataUtils.execute | Thread-58 ] - SQL:[
> DROP TABLE IF EXISTS current_device_purge_id_temp ]
> Data after parsing:
> {code:none}
> { "source:type": "redseal-server",
> "priority": "134",
> "timestamp": "June 29th 2016 23:02:00",
> "hostname": "www.burnbook.com",
> "syslog_facility": "local0",
> "message": "SRM_SERVER [INFO ]
> [com.redsealsys.srm.server.util.PurgeDataUtils.execute | Thread-58 ] - SQL:[
> DROP TABLE IF EXISTS current_device_purge_id_temp ]"
> }
> {code}
> Sample RedSeal Audit log message 1:
> <150>Jun 22 11:11:33 www.burnbook.com local2: [ aaronsamuels ] https user
> authenticated OK - initial access to /data/reports/vuln_reporting - from
> remote host ' 99.999.99.999 '
> Data after parsing:
> {code:none}
> { "source:type": "redseal-audit",
> "priority": "134",
> "timestamp": "June 22nd 11:11:33",
> "hostname": "www.burnbook.com",
> "syslog_facility": "local2",
> "username": "aaronsamuels",
> "uri_path": "/data/report/vulnreporting",
> "authentication_result": "success",
> "ip_src_addr": "99.999.99.99",
> "protocol": "https"
> }
> {code}
> Sample RedSeal Audit log message 2:
> <150>Jun 22 13:29:33 www.burnbook.com local2: [ gretchenweiners ] user
> authenticated OK - from remote host ' 99.99.999.999 '
> Data after parsing:
> {code:none}
> { "source:type": "redseal-audit",
> "priority": "150",
> "timestamp": "June 22nd 2016 11:11:33",
> "hostname": "www.burnbook.com",
> "syslog_facility": "local2",
> "username": "gretchenweiners",
> "authentication_result": "success",
> "ip_src_addr": "10.218.143.228"
> }
> {code}
> Sample RedSeal Audit log message 3:
> <150>Jun 22 13:29:35 www.burnbook.com local2: [ JMS user connection
> authenticated for: [gretchenweiners] ]
> Data after parsing:
> {code:none}
> { "source:type": "redseal-audit",
> "priority": "150",
> "timestamp": "June 22nd 13:29:35",
> "hostname": "www.burnbook.com",
> "syslog_facility": "local2",
> "username": "gretchenweiners",
> "authentication_result": "success",
> "protocol": "JMS"
> }
> {code}
> Sample RedSeal Audit log message 4:
> <150>Jun 8 09:31:27 www.burnbook.com local2: [ gretchenweiners ] user
> authentication FAILED - from remote host ' 99.999.9.999 '
> Data after parsing:
> {code:none}
> { "source:type": "redseal-audit",
> "priority": "150",
> "timestamp": "June 8th 2016 09:31:27",
> "hostname": "www.burnbook.com",
> "syslog_facility": "local2",
> "username": "gretchenweiners",
> "authentication_result": "failure",
> "ip_src_addr": "99.999.9.999"
> }
> {code}
> Sample RedSeal Audit log message 5:
> <150>Jun 10 14:58:43 www.burnbook.com local2: [ gretchenweiners ] failed to
> do final environmental check for Actuate reports . (permission denied)
> Data after parsing:
> {code:none}
> { "source:type": "redseal-audit",
> "priority": "150",
> "timestamp": "June 10th 2016 14:58:43",
> "hostname": "www.burnbook.com",
> "syslog_facility": "local2",
> "username": "gretchenweiners",
> "message": "failed to do final environmental check for Actuate reports .
> (permission denied)"
> }
> {code}
> Sample RedSeal Analysis log message:
> <142>Jun 26 04:54:11 www.burnbook.com local1: Data Collection Task: RANCID -
> us.nx1k - Completed - Task Detail: data type: Cisco NX-OS (8.2.1);
> communication type: SFTP; credential: gretchenweiners; execution: scheduled
> collection - Summary: All 55 succeeded - 55 (out of 55) devices or hosts
> imported (3 added 52 updated )
> Data after parsing:
> {code:none}
> { "source:type": "redseal-analysis",
> "priority": "142",
> "timestamp": "Jun 26th 2016 04:54:11",
> "hostname": "www.burnbook.com",
> "syslog_facility": "local1",
> "message": "Data Collection Task: RANCID - us.nx1k - Completed - Task
> Detail: data type: Cisco NX-OS (8.2.1); communication type: SFTP; credential:
> gretchenweiners; execution: scheduled collection - Summary: All 55 succeeded
> - 55 (out of 55) devices or hosts imported (3 added 52 updated )"
> }
> {code}
> Sample RedSeal System log message:
> <158>Jun 7 10:41:12 www.burnbook.com local3: RedSeal 8.2.1 (Build-1107)
> running... Tue Jun 07 10:41:12 EDT 2016
> Data after parsing:
> {code:none}
> { "source:type": "redseal-system",
> "priority": "158",
> "timestamp": "Jun 7th 2016 10:41:12",
> "hostname": "www.burnbook.com",
> "syslog_facility": "local3",
> "message": "RedSeal 8.2.1 (Build-1107) running... Tue Jun 07 10:41:12 EDT
> 2016"
> }
> {code}
> Sample RedSeal Event log message:
> <134>Jun 29 01:46:30 www.burnbook.com local0: SRM_SERVER [VENTS]
> [.server.services.customevents.EventAggregator.rallAnalysisComplete | ctor
> Timer] - EventAction=RedSeal Network Analysis | EventDate=Jun 29, 2016
> 1:46:30 AM EDT | EventName=HostMetricsEvent | DeviceVendor=RedSeal Networks,
> Inc. | DeviceProduct=RedSeal Platform | DeviceVersion=8.2.1 |
> RedSealServerName=www.burnbook.com | RedSealServerIPAddress=99.99.999.999 |
> HostName=www.burnbook.com | HostRedSealID=8aa5577asdf3d101asdf5460c8e9cdfc30
> | AnalysisDate=Jun 29, 2016 12:51:33 AM EDT | PrimaryService=NetBIOS Session
> Service | OSVendor=Microsoft | OperatingSystem=Windows Server 2012 R2 |
> AttackDepth=-1 | Exposure=0 | Value=10 | ServicesCount=19 |
> VulnerabilityCount=281 | Risk=0 | DownstreamRisk=0 | Confidence=1 |
> Leapfroggable=false | Exploitable=false | PrimaryIp=99.99.99.99 |
> AccessibleFromUntrusted=false | HasAccessToCritical=false | END RSExternal
> event
> Data after parsing:
> {code:none}
> { "source:type": "redseal-event",
> "priority": "134",
> "timestamp": "Jun 29th",
> "hostname": "www.burnbook.com",
> "syslog_facility": "local0",
> "EventAction": "RedSeal Network Analysis",
> "EventDate": "Jun 29, 2016 1:46:30 AM EDT",
> "EventName": "HostMetricsEvent",
> "DeviceVendor": "RedSeal Networks, Inc.",
> "DeviceProduct": "RedSeal Platform",
> "DeviceVersion": "8.2.1",
> "RedSealServerName": "www.burnbook.com",
> "RedSealServerIPAddress": "10.37.215.250",
> "event_hostname": "www.example.com",
> "HostRedSealID": "8aa5577asdf3d101asdf5460c8e9cdfc30",
> "AnalysisDate": "Jun 29, 2016 12:51:33 AM EDT",
> "PrimaryService": "NetBIOS Session Service",
> "OSVendor": "Microsoft",
> "OperatingSystem": "Windows Server 2012 R2",
> "AttackDepth": "-1",
> "Exposure": "0",
> "Value": "10",
> "ServicesCount": "19",
> "VulnerabilityCount": "281",
> "Risk": "0",
> "DownstreamRisk": "0",
> "Confidence": "1",
> "Leapfroggable": "false",
> "Exploitable": "false",
> "PrimaryIp": "99.99.99.99",
> "AccessibleFromUntrusted": "false",
> "HasAccessToCritical": "false"
> }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
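A standalone reference parser for the field layout the issue asks for, added here as an example; it is not Metron's own (Java) parser code. It assumes the facility-to-source-type mapping implied by the samples above (local0 server, local1 analysis, local2 audit, local3 system), that event logs are told apart from server logs by their `EventAction=... END RSExternal event` body, and that `HostName` in an event is renamed `event_hostname` as the expected output shows; the sample lines and addresses are constructed.

```python
import re

# Syslog header shape shared by every RedSeal sample: <PRI>Mon DD HH:MM:SS host facility: message
HEADER = re.compile(r"^<(?P<priority>\d+)>(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
                    r"(?P<hostname>\S+) (?P<syslog_facility>\w+): (?P<message>.*)$")
# Audit bodies: "[ user ] [proto] user authenticated OK|authentication FAILED [- initial access to PATH] [- from remote host ' IP ']"
AUDIT_USER = re.compile(r"^\[ (?P<username>\S+) \] (?:(?P<protocol>\S+) )?user authenticat"
                        r"(?:ed (?P<ok>OK)|ion FAILED)(?: - initial access to (?P<uri_path>\S+))?"
                        r"(?: - from remote host ' (?P<ip_src_addr>\S+) ')?")
AUDIT_JMS = re.compile(r"^\[ JMS user connection authenticated for: \[(?P<username>[^\]]+)\] \]$")
AUDIT_OTHER = re.compile(r"^\[ (?P<username>\S+) \] (?P<message>.*)$")
# Facility selects the source type (assumed mapping); local0 carries both server and event logs.
FACILITY_TYPES = {"local0": "redseal-server", "local1": "redseal-analysis",
                  "local2": "redseal-audit", "local3": "redseal-system"}

def parse_redseal(line):
    """Return the flat field map the issue describes for one RedSeal syslog line, or None."""
    m = HEADER.match(line)
    if not m:
        return None
    out = m.groupdict()
    message, facility = out.pop("message"), out["syslog_facility"]
    if "EventAction=" in message and message.endswith("END RSExternal event"):
        out["source:type"] = "redseal-event"
        # After the first " - " the body is a " | "-separated key=value list; HostName is
        # renamed event_hostname so it cannot overwrite the syslog hostname already parsed.
        for kv in message.split(" - ", 1)[-1].split(" | "):
            if "=" in kv:
                key, value = kv.split("=", 1)
                out["event_hostname" if key == "HostName" else key] = value.strip()
        return out
    out["source:type"] = FACILITY_TYPES.get(facility, "redseal")
    audit = facility == "local2"
    if audit and (a := AUDIT_USER.match(message)):
        out["username"] = a["username"]
        out["authentication_result"] = "success" if a["ok"] else "failure"
        out.update({k: a[k] for k in ("protocol", "uri_path", "ip_src_addr") if a[k]})
    elif audit and (j := AUDIT_JMS.match(message)):
        out.update(username=j["username"], authentication_result="success", protocol="JMS")
    elif audit and (o := AUDIT_OTHER.match(message)):
        out.update(username=o["username"], message=o["message"])
    else:
        out["message"] = message  # server, analysis and system logs keep the raw body
    return out

# Constructed sample lines (RFC 5737 documentation addresses), modelled on the issue's examples.
SAMPLE_AUDIT_OK = ("<150>Jun 22 11:11:33 www.burnbook.com local2: [ aaronsamuels ] https user authenticated "
                   "OK - initial access to /data/reports/vuln_reporting - from remote host ' 192.0.2.10 '")
SAMPLE_EVENT = ("<134>Jun 29 01:46:30 www.burnbook.com local0: SRM_SERVER [VENTS] [EventAggregator | Timer] - "
                "EventAction=RedSeal Network Analysis | EventName=HostMetricsEvent | HostName=www.burnbook.com | AttackDepth=-1 | Exploitable=false | END RSExternal event")
```

The `source:type` key follows the issue's expected output verbatim; a deployment would substitute whatever field name its Metron topology expects.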