[jira] [Commented] (METRON-363) Fix Cisco ASA Parser

[ASF GitHub Bot (JIRA)]

    [ 
https://issues.apache.org/jira/browse/METRON-363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15568771#comment-15568771
 ] 

ASF GitHub Bot commented on METRON-363:
---------------------------------------

Github user nickwallen commented on a diff in the pull request:

    https://github.com/apache/incubator-metron/pull/276#discussion_r83000386
  
    --- Diff: 
metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/utils/SyslogUtils.java
 ---
    @@ -0,0 +1,125 @@
    +/**
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements.  See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership.  The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License.  You may obtain a copy of the License at
    + *
    + *     http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +package org.apache.metron.parsers.utils;
    +
    +import org.apache.metron.parsers.ParseException;
    +
    +import java.time.ZoneId;
    +import java.time.ZonedDateTime;
    +import java.time.format.DateTimeFormatter;
    +import java.time.temporal.TemporalAccessor;
    +import java.util.regex.Pattern;
    +
    +import static java.time.temporal.ChronoField.*;
    +
    +public class SyslogUtils {
    +
    +    public static long parseTimestampToEpochMillis(String logTimestamp, 
ZoneId timeZone) throws ParseException {
    +        // RFC3164 (standard syslog timestamp; no year)
    +        // MMM ppd HH:mm:ss
    +        // Oct  9 2015 13:42:11
    +        if 
(Pattern.matches("[A-Z][a-z]{2}(?:(?:\\s{2}\\d)|(?:\\s\\d{2}))\\s\\d{2}:\\d{2}:\\d{2}",
 logTimestamp)) {
    +            DateTimeFormatter inputFormat = 
DateTimeFormatter.ofPattern("MMM ppd HH:mm:ss").withZone(timeZone);
    +
    +            TemporalAccessor inputDate = inputFormat.parse(logTimestamp);
    +            int inputMonth = inputDate.get(MONTH_OF_YEAR);
    +            int inputDay = inputDate.get(DAY_OF_MONTH);
    +            int inputHour = inputDate.get(HOUR_OF_DAY);
    +            int inputMinute = inputDate.get(MINUTE_OF_HOUR);
    +            int inputSecond = inputDate.get(SECOND_OF_MINUTE);
    +
    +            ZonedDateTime currentDate = ZonedDateTime.now(timeZone);
    +            int normalizedYear = currentDate.getYear();
    +
    +            /**
    +             * Since no year is provided, one must be derived.
    +             *   During the month of January (first 31 days of the year), 
assume logs coming in from
    +             *   November (11) and December (12) are from the previous 
year.
    +             */
    +            if (currentDate.getDayOfYear() <= 31 && inputMonth >= 11)
    +                normalizedYear--;
    +            ZonedDateTime normalizedTimestamp = 
ZonedDateTime.of(normalizedYear, inputMonth, inputDay, inputHour, inputMinute, 
inputSecond, 0, timeZone);
    +            return normalizedTimestamp.toInstant().toEpochMilli();
    +        }
    +
    +        // CISCO timestamp (standard syslog + year)
    +        // MMM dd yyyy HH:mm:ss
    +        // Oct 09 2015 13:42:11
    +        else if 
(Pattern.matches("[A-Z][a-z]{2}\\s\\d{2}\\s\\d{4}\\s\\d{2}:\\d{2}:\\d{2}", 
logTimestamp))
    +            return convertToEpochMillis(logTimestamp, 
DateTimeFormatter.ofPattern("MMM dd yyyy HH:mm:ss").withZone(timeZone));
    +
    +        // RFC5424 (ISO timestamp)
    +        // 2015-10-09T13:42:11.52Z or 2015-10-09T13:42:11.52-04:00
    +        else if 
(Pattern.matches("\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d+)?(?:Z|[+-]\\d{2}:\\d{2})",
 logTimestamp))
    +            return convertToEpochMillis(logTimestamp, 
DateTimeFormatter.ISO_OFFSET_DATE_TIME);
    +
    +        else
    +            throw new ParseException(String.format("Unsupported date 
format: '%s'", logTimestamp));
    --- End diff --
    
    Just curious, any reason we're using a checked exception here?  In other 
places we're just using run time exceptions.  The ParseException that you 
created is used only for this, I believe. 
    
    Not a big deal either way.


> Fix Cisco ASA Parser
> --------------------
>
>                 Key: METRON-363
>                 URL: https://issues.apache.org/jira/browse/METRON-363
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Kyle Richardson
>            Priority: Minor
>
> The current ASA parser is broken. This effort is to rework the current parser 
> to support the variety of syslog messages produced by Cisco ASA devices as 
> well as provide the necessary support files/configs for easier deployment of 
> the Storm topology.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)