[jira] [Commented] (NIFI-2341) Create a processor to parse logs formated using CEF

[ASF GitHub Bot (JIRA)]

    [ 
https://issues.apache.org/jira/browse/NIFI-2341?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15525724#comment-15525724
 ] 

ASF GitHub Bot commented on NIFI-2341:
--------------------------------------

Github user trixpan commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/785#discussion_r80663321
  
    --- Diff: 
nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ParseCEF.java
 ---
    @@ -0,0 +1,323 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one or more
    + * contributor license agreements.  See the NOTICE file distributed with
    + * this work for additional information regarding copyright ownership.
    + * The ASF licenses this file to You under the Apache License, Version 2.0
    + * (the "License"); you may not use this file except in compliance with
    + * the License.  You may obtain a copy of the License at
    + *
    + *     http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +
    +package org.apache.nifi.processors.standard;
    +
    +import com.fasterxml.jackson.core.JsonGenerator;
    +import com.fasterxml.jackson.core.JsonProcessingException;
    +import com.fasterxml.jackson.databind.JsonSerializer;
    +import com.fasterxml.jackson.databind.ObjectMapper;
    +import com.fasterxml.jackson.databind.SerializerProvider;
    +import com.fasterxml.jackson.databind.module.SimpleModule;
    +
    +import com.fasterxml.jackson.databind.node.ObjectNode;
    +import com.fluenda.parcefone.event.CEFHandlingException;
    +import com.fluenda.parcefone.event.CommonEvent;
    +import com.fluenda.parcefone.parser.CEFParser;
    +
    +import com.martiansoftware.macnificent.MacAddress;
    +
    +import org.apache.nifi.annotation.behavior.EventDriven;
    +import org.apache.nifi.annotation.behavior.InputRequirement;
    +import org.apache.nifi.annotation.behavior.InputRequirement.Requirement;
    +import org.apache.nifi.annotation.behavior.SideEffectFree;
    +import org.apache.nifi.annotation.behavior.SupportsBatching;
    +import org.apache.nifi.annotation.behavior.WritesAttribute;
    +import org.apache.nifi.annotation.behavior.WritesAttributes;
    +import org.apache.nifi.annotation.documentation.CapabilityDescription;
    +import org.apache.nifi.annotation.documentation.SeeAlso;
    +import org.apache.nifi.annotation.documentation.Tags;
    +import org.apache.nifi.annotation.lifecycle.OnScheduled;
    +import org.apache.nifi.components.PropertyDescriptor;
    +import org.apache.nifi.flowfile.FlowFile;
    +import org.apache.nifi.processor.AbstractProcessor;
    +import org.apache.nifi.processor.ProcessContext;
    +import org.apache.nifi.processor.ProcessSession;
    +import org.apache.nifi.processor.Relationship;
    +import org.apache.nifi.processor.exception.ProcessException;
    +import org.apache.nifi.processor.io.InputStreamCallback;
    +import org.apache.nifi.processor.io.OutputStreamCallback;
    +import org.apache.nifi.processor.util.StandardValidators;
    +import org.apache.nifi.stream.io.BufferedOutputStream;
    +import org.apache.nifi.stream.io.StreamUtils;
    +
    +import java.io.IOException;
    +import java.io.InputStream;
    +import java.io.OutputStream;
    +import java.net.InetAddress;
    +import java.text.SimpleDateFormat;
    +import java.time.ZoneId;
    +import java.time.ZonedDateTime;
    +import java.time.format.DateTimeFormatter;
    +import java.util.ArrayList;
    +import java.util.Date;
    +import java.util.HashMap;
    +import java.util.HashSet;
    +import java.util.List;
    +import java.util.Map;
    +import java.util.Set;
    +import java.util.TimeZone;
    +
    +@EventDriven
    +@SideEffectFree
    +@SupportsBatching
    +@InputRequirement(Requirement.INPUT_REQUIRED)
    +@Tags({"logs", "cef", "attributes", "system", "event", "message"})
    +@CapabilityDescription("Parses the contents of a CEF formatted message and 
adds attributes to the FlowFile for " +
    +        "headers and extensions of the parts of the CEF message.\n" +
    +        "Note: This Processor expects CEF messages WITHOUT the syslog 
headers (i.e. starting at \"CEF:0\"")
    +@WritesAttributes({@WritesAttribute(attribute = "cef.header.version", 
description = "The version of the CEF message."),
    +    @WritesAttribute(attribute = "cef.header.deviceVendor", description = 
"The Device Vendor of the CEF message."),
    +    @WritesAttribute(attribute = "cef.header.deviceProduct", description = 
"The Device Product of the CEF message."),
    +    @WritesAttribute(attribute = "cef.header.deviceVersion", description = 
"The Device Version of the CEF message."),
    +    @WritesAttribute(attribute = "cef.header.deviceEventClassId", 
description = "The Device Event Class ID of the CEF message."),
    +    @WritesAttribute(attribute = "cef.header.name", description = "The 
name of the CEF message."),
    +    @WritesAttribute(attribute = "cef.header.severity", description = "The 
severity of the CEF message."),
    +    @WritesAttribute(attribute = "cef.extension.*", description = "The key 
and value generated by the parsing of the message.")})
    +@SeeAlso({ParseSyslog.class})
    +
    +public class ParseCEF extends AbstractProcessor {
    +
    +    // There should be no date format other than internationally agreed 
formats...
    +    // flowfile-attributes uses Java 8 time to parse data (as Date  
objects are not timezoned)
    +    private final static DateTimeFormatter dateTimeFormatter = 
DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
    +
    +    // for some reason Jackson doesnt seem to be able to use 
DateTieFormater
    +    // so we use a SimpleDateFormat to format within flowfile-content
    +    private final SimpleDateFormat simpleDateFormat = new 
SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
    +
    +
    +    // add a TZ object to be used by flowfile-attribute routine
    +    private String tzId = null;
    +
    +    // Add serializer and mapper
    +    private static final ObjectMapper mapper = new ObjectMapper();
    +
    +    public static final String DESTINATION_CONTENT = "flowfile-content";
    +    public static final String DESTINATION_ATTRIBUTES = 
"flowfile-attribute";
    +    public static final PropertyDescriptor FIELDS_DESTINATION = new 
PropertyDescriptor.Builder()
    +        .name("FIELDS_DESTINATION")
    +        .displayName("Parsed fields destination")
    --- End diff --
    
    happy to change that. I have been using all caps matching the property 
descriptor name within code but happy to adjust in case a naming convention 
already exists.


> Create a processor to parse logs formated using CEF
> ---------------------------------------------------
>
>                 Key: NIFI-2341
>                 URL: https://issues.apache.org/jira/browse/NIFI-2341
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: Andre
>            Assignee: Andre
>             Fix For: 1.1.0
>
>
> As NiFi continue to increase its abilities to complement SIEM, Splunk and ELK 
> deployments, a number of users will be looking to parse CEF formatted 
> logs[1][2].
> CEF is a format specified by Arcsight (now part of HPE) and is described in 
> detail in here:
> https://www.protect724.hpe.com/docs/DOC-1072
> [1] 
> http://apache-nifi.1125220.n5.nabble.com/Suggestion-of-processors-td9795.html
> [2] 
> https://community.hortonworks.com/questions/43185/which-processor-is-used-to-parse-cef-format-logs.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)