[ https://issues.apache.org/jira/browse/METRON-363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15568771#comment-15568771 ]
ASF GitHub Bot commented on METRON-363: --------------------------------------- Github user nickwallen commented on a diff in the pull request: https://github.com/apache/incubator-metron/pull/276#discussion_r83000386 --- Diff: metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/utils/SyslogUtils.java --- 
@@ -0,0 +1,125 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.metron.parsers.utils;
+
+import org.apache.metron.parsers.ParseException;
+
+import java.time.ZoneId;
+import java.time.ZonedDateTime;
+import java.time.format.DateTimeFormatter;
+import java.time.temporal.TemporalAccessor;
+import java.util.regex.Pattern;
+
+import static java.time.temporal.ChronoField.*;
+
+public class SyslogUtils {
+
+ public static long parseTimestampToEpochMillis(String logTimestamp, ZoneId timeZone) throws ParseException {
+ // RFC3164 (standard syslog timestamp; no year)
+ // MMM ppd HH:mm:ss
+ // Oct 9 2015 13:42:11
+ if (Pattern.matches("[A-Z][a-z]{2}(?:(?:\\s{2}\\d)|(?:\\s\\d{2}))\\s\\d{2}:\\d{2}:\\d{2}", logTimestamp)) {
+ DateTimeFormatter inputFormat = DateTimeFormatter.ofPattern("MMM ppd HH:mm:ss").withZone(timeZone);
+
+ TemporalAccessor inputDate = inputFormat.parse(logTimestamp);
+ int inputMonth = inputDate.get(MONTH_OF_YEAR);
+ int inputDay = inputDate.get(DAY_OF_MONTH);
+ int inputHour = inputDate.get(HOUR_OF_DAY);
+ int inputMinute = inputDate.get(MINUTE_OF_HOUR);
+ int inputSecond = inputDate.get(SECOND_OF_MINUTE);
+
+ ZonedDateTime currentDate = ZonedDateTime.now(timeZone);
+ int normalizedYear = currentDate.getYear();
+
+ /**
+ * Since no year is provided, one must be derived.
+ * During the month of January (first 31 days of the year), assume logs coming in from
+ * November (11) and December (12) are from the previous year.
+ */
+ if (currentDate.getDayOfYear() <= 31 && inputMonth >= 11)
+ normalizedYear--;
+
+ ZonedDateTime normalizedTimestamp = ZonedDateTime.of(normalizedYear, inputMonth, inputDay, inputHour, inputMinute, inputSecond, 0, timeZone);
+ return normalizedTimestamp.toInstant().toEpochMilli();
+ }
+
+ // CISCO timestamp (standard syslog + year)
+ // MMM dd yyyy HH:mm:ss
+ // Oct 09 2015 13:42:11
+ else if (Pattern.matches("[A-Z][a-z]{2}\\s\\d{2}\\s\\d{4}\\s\\d{2}:\\d{2}:\\d{2}", logTimestamp))
+ return convertToEpochMillis(logTimestamp, DateTimeFormatter.ofPattern("MMM dd yyyy HH:mm:ss").withZone(timeZone));
+
+ // RFC5424 (ISO timestamp)
+ // 2015-10-09T13:42:11.52Z or 2015-10-09T13:42:11.52-04:00
+ else if (Pattern.matches("\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d+)?(?:Z|[+-]\\d{2}:\\d{2})", logTimestamp))
+ return convertToEpochMillis(logTimestamp, DateTimeFormatter.ISO_OFFSET_DATE_TIME);
+
+ else
+ throw new ParseException(String.format("Unsupported date format: '%s'", logTimestamp));
--- End diff -- Just curious, any reason we're using a checked exception here? In other places we're just using run time exceptions. The ParseException that you created is used only for this, I believe. Not a big deal either way. > Fix Cisco ASA Parser > -------------------- > > Key: METRON-363 > URL: https://issues.apache.org/jira/browse/METRON-363 > Project: Metron > Issue Type: Improvement > Reporter: Kyle Richardson > Priority: Minor > > The current ASA parser is broken. This effort is to rework the current parser > to support the variety of syslog messages produced by Cisco ASA devices as > well as provide the necessary support files/configs for easier deployment of > the Storm topology.
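Review bot: The RFC3164 branch lets unchecked `java.time` exceptions escape on malformed input, because its regex accepts any two digits for day, hour, minute and second: a constructed value such as `Feb 30 25:61:61` matches, and then `inputFormat.parse` or `ZonedDateTime.of` throws a `DateTimeException` instead of the declared `ParseException` (`Feb 29` does the same whenever the derived year is not a leap year). Syslog timestamps arrive from network devices, so a malformed one is ordinary input and should surface as the parse failure callers are already required to handle. Wrap the branch body in `try { … } catch (DateTimeException e) { throw new ParseException(String.format("Unsupported date format: '%s'", logTimestamp)); }` with `java.time.DateTimeException` imported, passing `e` as the cause if `ParseException` has such a constructor. Whether `convertToEpochMillis` already does this for the other two branches is not visible here, since the method and the class continue past the quoted hunk.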