This is an automated email from the ASF dual-hosted git repository. otto pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/metron.git
The following commit(s) were added to refs/heads/master by this push:
new 0dc9fc8 METRON-1893 Create a syslog 3164 parser (ottobackwards) closes apache/metron#1279
0dc9fc8 is described below
commit 0dc9fc8fe862c6a43f25bf9c61bbd38a36d3bbc8
Author: ottobackwards <ottobackwa...@gmail.com>
AuthorDate: Mon Dec 24 11:00:39 2018 -0500
METRON-1893 Create a syslog 3164 parser (ottobackwards) closes apache/metron#1279
---
dependencies_with_url.csv | 2 +-
.../sample/data/syslog3164/parsed/Syslog3164Parsed | 100 +++++++++++
.../sample/data/syslog3164/raw/Syslog3164Output | 100 +++++++++++
.../sample/data/syslog5424/parsed/Syslog5424Parsed | 6 +-
.../Syslog3164ParserIntegrationTest.java | 37 ++++
metron-platform/metron-parsing/README.md | 1 +
.../metron-parsing/metron-parsers-common/README.md | 1 +
.../metron-parsing/metron-parsers-common/pom.xml | 5 +
.../main/config/zookeeper/parsers/syslog3164.json | 6 +
.../main/config/zookeeper/parsers/syslog5424.json | 0
.../metron/parsers/syslog/BaseSyslogParser.java} | 89 ++++++----
.../metron/parsers/syslog/Syslog3164Parser.java | 43 +++++
.../metron/parsers/syslog/Syslog5424Parser.java | 51 ++++++
.../parsers/syslog/Syslog3164ParserTest.java | 187 +++++++++++++++++++++
.../parsers/syslog/Syslog5424ParserTest.java | 49 +++++-
.../metron-parsing/metron-parsers/README.md | 1 -
.../metron-parsing/metron-parsers/pom.xml | 5 -
.../src/main/resources/META-INF/NOTICE | 6 +
pom.xml | 2 +-
19 files changed, 641 insertions(+), 50 deletions(-)
diff --git a/dependencies_with_url.csv b/dependencies_with_url.csv
index 17453f5..745e3c9 100644
--- a/dependencies_with_url.csv
+++ b/dependencies_with_url.csv
@@ -488,7 +488,7 @@ org.sonatype.sisu:sisu-inject-bean:jar:2.2.2:compile
 org.sonatype.sisu:sisu-inject-plexus:jar:2.2.2:compile
 com.zaxxer:HikariCP:jar:2.7.8:compile,ASLv2,https://github.com/brettwooldridge/HikariCP
 org.hibernate.validator:hibernate-validator:jar:6.0.9.Final:compile,ASLv2,https://github.com/hibernate/hibernate-validator
-com.github.palindromicity:simple-syslog-5424:jar:0.0.9:compile,ASLv2,https://github.com/palindromicity/simple-syslog-5424
+com.github.palindromicity:simple-syslog:jar:0.0.1:compile,ASLv2,https://github.com/palindromicity/simple-syslog
 org.elasticsearch.client:elasticsearch-rest-high-level-client:jar:5.6.14:compile,ASLv2,https://github.com/elastic/elasticsearch/blob/master/LICENSE.txt
 org.elasticsearch.plugin:aggs-matrix-stats-client:jar:5.6.14:compile,ASLv2,https://github.com/elastic/elasticsearch/blob/master/LICENSE.txt
 org.fusesource.jansi:jansi:jar:1.16:compile,ASLv2,https://github.com/fusesource/jansi/blob/master/license.txt
diff --git a/metron-platform/metron-integration-test/src/main/sample/data/syslog3164/parsed/Syslog3164Parsed b/metron-platform/metron-integration-test/src/main/sample/data/syslog3164/parsed/Syslog3164Parsed
new file mode 100644
index 0000000..4e90b46
--- /dev/null
+++ b/metron-platform/metron-integration-test/src/main/sample/data/syslog3164/parsed/Syslog3164Parsed
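Review bot: The added row records com.github.palindromicity:simple-syslog:jar:0.0.1 as ASLv2 with a URL to the repository root, whereas the elasticsearch and jansi rows in the same hunk link to a concrete license file; since this CSV is the project's license inventory, the row would be easier to audit if it pointed at the license file published in that repository, if one exists. This is also the first release (0.0.1) of a newly named artifact replacing simple-syslog-5424 0.0.9, so it is worth confirming that the artifact actually published under the new coordinate carries the license stated here, and that the old coordinate no longer appears in any module's resolved dependency tree. The diffstat shows pom.xml edits in metron-parsers-common, metron-parsers and the root, plus a NOTICE change, but their contents are not in this chunk, so the consistency of the coordinate and version across them cannot be checked from here.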
@@ -0,0 +1,100 @@ +{"syslog.header.hostName":"10.22.8.216","original_string":"<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-609001: Built local-host inside:10.22.8.205","syslog.header.facility":"20","guid":"4f2beee4-c6d3-4282-b5e1-be42417e717e","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-7-609001: Built local-host inside:10.22.8.205","syslog.header.pri":"167","syslog.header.severity":"7","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.74\/0(LOCAL\\user.name) gaddr 10.22.8.205\/0 laddr 10.22.8.205\/0","syslog.header.facility":"20","guid":"4e86e51e-a970-4a96-bb79-7d400030755c","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.74\/0(LOCAL\\user.name) gaddr 10.22.8.205\/0 laddr 10.22.8.205\/0","syslog.head [...] +{"syslog.header.hostName":"10.22.8.216","original_string":"<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00","syslog.header.facility":"20","guid":"430bbc53-48e9-4f57-bfa6-18a28b7b0223","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00","syslog.header.pri":"167","syslog.header.severity":"7","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167725 for Outside_VPN:147.111.72.16\/26436 to DMZ-Inside:10.22.8.53\/443 duration 0:00:00 bytes 9687 TCP FINs","syslog.header.facility":"17","guid":"8032a334-9c48-4863-ae7b-1b14bfdb5ca7","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488167725 for Outside_VPN:147.111.72.16\/26436 to DMZ-Inside:10.22.8. [...] 
+{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212805593 for outside:10.22.8.223\/59614(LOCAL\\user.name) to inside:10.22.8.78\/8102 duration 0:00:07 bytes 3433 TCP FINs (user.name)","syslog.header.facility":"20","guid":"583888b8-52a7-4833-a62e-0a53572c956c","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 212805593 for outside:10.22.8.223\/59614(LOCAL\\ [...] +{"syslog.header.hostName":"10.22.8.212","original_string":"<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245503 for outside:10.22.8.233\/54209 (10.22.8.233\/54209) to inside:198.111.72.238\/443 (198.111.72.238\/443) (user.name)","syslog.header.facility":"21","guid":"07ed512a-6572-4a51-b63e-3953eaa18d1b","syslog.header.timestamp":"Jan 5 14:52:35","syslog.message":"%ASA-6-302013: Built inbound TCP connection 76245503 for outside:10.22.8.233\/54209 (10.22.8 [...] +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806031 for outside:10.22.8.17\/58633 (10.22.8.17\/58633)(LOCAL\\user.name) to inside:10.22.8.12\/389 (10.22.8.12\/389) (user.name)","syslog.header.facility":"20","guid":"7a90799e-3ecd-4928-9096-557b1d012b8e","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302013: Built inbound TCP connection 212806031 for outside:10.22.8.17\/58633 [...] +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168292 for DMZ-Inside:10.22.8.51\/51231 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 2103 TCP FINs","syslog.header.facility":"17","guid":"8e56f63c-2b81-4802-83c5-28648f407a93","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168292 for DMZ-Inside:10.22.8.51\/51231 to Inside-Trunk:10.22.8.1 [...] 
+{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 186.111.72.11\/80 to 204.111.72.226\/45019 flags SYN ACK on interface Outside_VPN","syslog.header.facility":"17","guid":"f883a23c-85b7-4f8d-9f23-ca934aece337","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-106015: Deny TCP (no connection) from 186.111.72.11\/80 to 204.111.72.226\/45019 flags SYN ACK on interface Outside_VPN","sys [...] +{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302014: Teardown TCP connection 17604987 for outside:209.111.72.151\/443 to inside:10.22.8.188\/64306 duration 0:00:31 bytes 10128 TCP FINs","syslog.header.facility":"20","guid":"6f1baf12-3725-447c-9ca4-c4ae4b9fd801","syslog.header.timestamp":"Jan 5 09:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 17604987 for outside:209.111.72.151\/443 to inside:10.22.8.188\/64306 duratio [...] +{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302014: Teardown TCP connection 17604999 for outside:209.111.72.151\/443 to inside:10.22.8.188\/64307 duration 0:00:30 bytes 6370 TCP FINs","syslog.header.facility":"20","guid":"8dcb24c3-6b65-4057-9c7d-cb5c63f72016","syslog.header.timestamp":"Jan 5 09:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 17604999 for outside:209.111.72.151\/443 to inside:10.22.8.188\/64307 duration [...] +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167347 for Outside_VPN:198.111.72.24\/2134 to DMZ-Inside:10.22.8.53\/443 duration 0:00:01 bytes 9785 TCP FINs","syslog.header.facility":"17","guid":"cb019c2b-302b-4c7f-8726-f70bd88b2d69","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488167347 for Outside_VPN:198.111.72.24\/2134 to DMZ-Inside:10.22.8.53 [...] 
+{"syslog.header.hostName":"10.22.8.212","original_string":"<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245506 for outside:10.22.8.110\/49886 (10.22.8.110\/49886) to inside:192.111.72.8\/8612 (192.111.72.8\/8612) (user.name)","syslog.header.facility":"21","guid":"b2de2222-95bd-492e-bd2a-785242d7adcd","syslog.header.timestamp":"Jan 5 14:52:35","syslog.message":"%ASA-6-302015: Built inbound UDP connection 76245506 for outside:10.22.8.110\/49886 (10.22.8.1 [...] +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212805993 for outside:10.22.8.89\/56917(LOCAL\\user.name) to inside:216.111.72.126\/443 duration 0:00:00 bytes 0 TCP FINs (user.name)","syslog.header.facility":"20","guid":"10b7f2e0-1f40-4f7f-a0fd-d40d32a11837","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 212805993 for outside:10.22.8.89\/56917(LOCAL\\us [...] +{"syslog.header.hostName":"10.22.8.216","original_string":"<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-710005: UDP request discarded from 10.22.8.223\/49192 to outside:224.111.72.252\/5355","syslog.header.facility":"20","guid":"663af706-af43-4c02-8308-1513c8111bea","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-7-710005: UDP request discarded from 10.22.8.223\/49192 to outside:224.111.72.252\/5355","syslog.header.pri":"167","syslog.header.severity":"7","timestamp":1515142 [...] +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488166143 for Outside_VPN:198.111.72.64\/80 to Inside-Trunk:10.22.8.39\/54883 duration 0:00:04 bytes 1148 TCP FINs","syslog.header.facility":"17","guid":"4ccf7d55-4281-475f-acaa-909b3efd81f0","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488166143 for Outside_VPN:198.111.72.64\/80 to Inside-Trunk:10.22.8. [...] 
+{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-106015: Deny TCP (no connection) from 10.22.8.84\/445 to 10.22.8.219\/60726 flags ACK on interface inside","syslog.header.facility":"20","guid":"48d112e2-7569-4661-ba42-f33db2f4e190","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-106015: Deny TCP (no connection) from 10.22.8.84\/445 to 10.22.8.219\/60726 flags ACK on interface inside","syslog.header.pri":"166","syslo [...] +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168344 for DMZ-Inside:10.22.8.53\/61682 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 5648 TCP FINs","syslog.header.facility":"17","guid":"2bc1288b-8216-460a-8060-f12f51118085","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168344 for DMZ-Inside:10.22.8.53\/61682 to Inside-Trunk:10.22.8.1 [...] +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168345 for DMZ-Inside:10.22.8.16\/31454 to Inside-Trunk:10.22.8.21\/443 duration 0:00:00 bytes 756 TCP FINs","syslog.header.facility":"17","guid":"ee8145ce-60a1-4059-95a2-ddf29f23159d","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168345 for DMZ-Inside:10.22.8.16\/31454 to Inside-Trunk:10.22.8.21\/4 [...] +{"syslog.header.hostName":"10.22.8.4","original_string":"<182>Jan 5 20:22:35 10.22.8.4 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.12\/0 gaddr 10.22.8.45\/1 laddr 10.22.8.45\/1","syslog.header.facility":"22","guid":"83246ca7-d2ce-494e-86c3-c2a38f44c581","syslog.header.timestamp":"Jan 5 20:22:35","syslog.message":"%ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.12\/0 gaddr 10.22.8.45\/1 laddr 10.22.8.45\/1","syslog.header.pri":"182","syslog.header.sever [...] 
+{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 50.111.72.230\/80 to 204.111.72.254\/53077 flags RST on interface Outside_VPN","syslog.header.facility":"17","guid":"c7019d2a-819c-44c3-a31a-27d104dc8b2c","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-106015: Deny TCP (no connection) from 50.111.72.230\/80 to 204.111.72.254\/53077 flags RST on interface Outside_VPN","syslog.head [...] +{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603649 for outside:206.111.72.2\/161 to inside:10.22.8.48\/63297 duration 0:02:01 bytes 209","syslog.header.facility":"20","guid":"f4a6f93d-d94e-4fd0-bd3d-e3ecd22ead31","syslog.header.timestamp":"Jan 5 09:52:35","syslog.message":"%ASA-6-302016: Teardown UDP connection 17603649 for outside:206.111.72.2\/161 to inside:10.22.8.48\/63297 duration 0:02:01 bytes 2 [...] +{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603650 for outside:207.111.72.122\/161 to inside:10.22.8.48\/63298 duration 0:02:01 bytes 209","syslog.header.facility":"20","guid":"4eeed9d1-0619-482a-815d-8e2711c9197d","syslog.header.timestamp":"Jan 5 09:52:35","syslog.message":"%ASA-6-302016: Teardown UDP connection 17603650 for outside:207.111.72.122\/161 to inside:10.22.8.48\/63298 duration 0:02:01 byt [...] +{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603652 for outside:206.111.72.2\/161 to inside:10.22.8.48\/63300 duration 0:02:01 bytes 115","syslog.header.facility":"20","guid":"ace7f8c0-fdbd-475b-81d0-42ea557f9b02","syslog.header.timestamp":"Jan 5 09:52:35","syslog.message":"%ASA-6-302016: Teardown UDP connection 17603652 for outside:206.111.72.2\/161 to inside:10.22.8.48\/63300 duration 0:02:01 bytes 1 [...] 
+{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603657 for outside:206.111.72.2\/161 to inside:10.22.8.48\/63306 duration 0:02:01 bytes 115","syslog.header.facility":"20","guid":"88652169-336a-49ad-a0cc-cdbe627dabe3","syslog.header.timestamp":"Jan 5 09:52:35","syslog.message":"%ASA-6-302016: Teardown UDP connection 17603657 for outside:206.111.72.2\/161 to inside:10.22.8.48\/63306 duration 0:02:01 bytes 1 [...] +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168436 for DMZ-Inside:10.22.8.51\/51235 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 2497 TCP FINs","syslog.header.facility":"17","guid":"cce6c817-4237-4970-9868-95bb9cb88769","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168436 for DMZ-Inside:10.22.8.51\/51235 to Inside-Trunk:10.22.8.1 [...] +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167656 for Outside_VPN:69.111.72.70\/21560 to DMZ-Inside:10.22.8.53\/443 duration 0:00:01 bytes 11410 TCP FINs","syslog.header.facility":"17","guid":"c80fe260-62a1-44bc-9790-380730505321","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488167656 for Outside_VPN:69.111.72.70\/21560 to DMZ-Inside:10.22.8.5 [...] +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806050 for outside:10.22.8.62\/53965 (10.22.8.62\/53965)(LOCAL\\user.name) to inside:10.22.8.85\/53 (10.22.8.85\/53) (user.name)","syslog.header.facility":"20","guid":"d2aeae4b-099e-44a8-803e-e6f3efc6b681","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302015: Built inbound UDP connection 212806050 for outside:10.22.8.62\/53965 ( [...] 
+{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806052 for outside:10.22.8.62\/56500 (10.22.8.62\/56500)(LOCAL\\user.name) to inside:198.111.72.83\/443 (198.111.72.83\/443) (user.name)","syslog.header.facility":"20","guid":"4c17cf2e-7614-4bff-b786-b928ac108949","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302013: Built inbound TCP connection 212806052 for outside:10.22.8.62\ [...] +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806054 for outside:10.22.8.62\/56502 (10.22.8.62\/56502)(LOCAL\\user.name) to inside:50.111.72.252\/443 (50.111.72.252\/443) (user.name)","syslog.header.facility":"20","guid":"d14e6612-5694-4114-b305-c8176c661f04","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302013: Built inbound TCP connection 212806054 for outside:10.22.8.62\ [...] +{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-305011: Built dynamic TCP translation from inside:10.22.8.188\/64340 to outside:206.111.72.41\/2013","syslog.header.facility":"20","guid":"4ecfc895-d27b-448f-8d29-88fae8bfdc15","syslog.header.timestamp":"Jan 5 09:52:35","syslog.message":"%ASA-6-305011: Built dynamic TCP translation from inside:10.22.8.188\/64340 to outside:206.111.72.41\/2013","syslog.header.pri":"166","syslog.header.severit [...] +{"syslog.header.hostName":"10.22.8.33","original_string":"<166>Jan 5 15:52:35 10.22.8.33 %ASA-6-305012: Teardown dynamic UDP translation from inside:192.111.72.2\/62251 to outside:79.111.72.174\/21311 duration 0:02:30","syslog.header.facility":"20","guid":"e1cf9c5f-40e9-4cce-8d96-ca4b54fcbe89","syslog.header.timestamp":"Jan 5 15:52:35","syslog.message":"%ASA-6-305012: Teardown dynamic UDP translation from inside:192.111.72.2\/62251 to outside:79.111.72.174\/21311 duration 0:02:30","sys [...] 
+{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806058 for outside:10.22.8.221\/56631 (10.22.8.221\/56631)(LOCAL\\user.name) to inside:10.22.8.26\/389 (10.22.8.26\/389) (user.name)","syslog.header.facility":"20","guid":"749d6df7-18d1-4a81-bbea-0dee8f4c89a8","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302015: Built inbound UDP connection 212806058 for outside:10.22.8.221\/56 [...] +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168189 for Outside_VPN:209.111.72.10\/56619 to DMZ-Inside:10.22.8.53\/443 duration 0:00:00 bytes 2477 TCP FINs","syslog.header.facility":"17","guid":"131157d7-fcb9-4f4f-82c9-9b8f0c21bcd0","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168189 for Outside_VPN:209.111.72.10\/56619 to DMZ-Inside:10.22.8. [...] +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 10.22.8.112\/52235 to 198.111.72.227\/80 flags ACK on interface Inside-Trunk","syslog.header.facility":"17","guid":"cdedb97f-8a06-4427-95e4-2dae888b5942","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-106015: Deny TCP (no connection) from 10.22.8.112\/52235 to 198.111.72.227\/80 flags ACK on interface Inside-Trunk","syslog.header [...] +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167192 for Outside_VPN:115.111.72.7\/49196 to DMZ-Inside:10.22.8.57\/443 duration 0:00:02 bytes 20588 TCP Reset-O","syslog.header.facility":"17","guid":"1fc183f6-8390-425f-a79b-a7e17ce95747","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488167192 for Outside_VPN:115.111.72.7\/49196 to DMZ-Inside:10.22. [...] 
+{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212806055 for outside:10.22.8.62\/55383(LOCAL\\user.name) to inside:10.22.8.85\/53 duration 0:00:00 bytes 349 (user.name)","syslog.header.facility":"20","guid":"1dd165c4-602d-444b-88f4-600d6c05cb96","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302016: Teardown UDP connection 212806055 for outside:10.22.8.62\/55383(LOCAL\\user.name) to [...] +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168380 for Outside_VPN:74.111.72.12\/443 to Inside-Trunk:10.22.8.39\/54894 duration 0:00:00 bytes 5701 TCP FINs","syslog.header.facility":"17","guid":"920adf53-ca83-40b2-9ddf-2b034047dafb","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168380 for Outside_VPN:74.111.72.12\/443 to Inside-Trunk:10.22.8. [...] +{"syslog.header.hostName":"10.22.8.212","original_string":"<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245522 for outside:10.22.8.147\/56343 (10.22.8.147\/56343) to inside:209.111.72.151\/443 (209.111.72.151\/443) (user.name)","syslog.header.facility":"21","guid":"26d79381-d0be-44ec-ba05-93cec39f5461","syslog.header.timestamp":"Jan 5 14:52:35","syslog.message":"%ASA-6-302013: Built inbound TCP connection 76245522 for outside:10.22.8.147\/56343 (10.22.8 [...] +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168443 for Outside_VPN:23.111.72.27\/80 to Inside-Trunk:10.22.8.81\/64713 duration 0:00:00 bytes 2426 TCP FINs","syslog.header.facility":"17","guid":"54c06801-f175-46e9-b6e5-d47cd9fb4731","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168443 for Outside_VPN:23.111.72.27\/80 to Inside-Trunk:10.22.8.81 [...] 
+{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488111566 for Outside_VPN:131.111.72.49\/443 to Inside-Trunk:10.22.8.127\/56558 duration 0:01:57 bytes 3614 TCP Reset-O","syslog.header.facility":"17","guid":"f556360d-b58b-469a-a8e9-29fa4915915f","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488111566 for Outside_VPN:131.111.72.49\/443 to Inside-Trunk:10 [...] +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806061 for outside:10.22.8.17\/58635 (10.22.8.17\/58635)(LOCAL\\user.name) to inside:10.22.8.12\/389 (10.22.8.12\/389) (user.name)","syslog.header.facility":"20","guid":"68149a18-1f1f-4b5e-b619-61077e84ee2e","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302013: Built inbound TCP connection 212806061 for outside:10.22.8.17\/58635 [...] +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212806010 for outside:10.22.8.33\/60223(LOCAL\\user.name) to inside:10.22.8.86\/389 duration 0:00:00 bytes 416 TCP Reset-I (user.name)","syslog.header.facility":"20","guid":"222989b0-267e-4679-a28f-e3561f4b40f0","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 212806010 for outside:10.22.8.33\/60223(LOCAL\\u [...] +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806062 for outside:10.22.8.221\/56632 (10.22.8.221\/56632)(LOCAL\\user.name) to inside:10.22.8.73\/389 (10.22.8.73\/389) (user.name)","syslog.header.facility":"20","guid":"01a3c7d7-a847-472f-912f-9fed08122a21","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302015: Built inbound UDP connection 212806062 for outside:10.22.8.221\/56 [...] 
+{"syslog.header.hostName":"10.22.8.216","original_string":"<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00","syslog.header.facility":"20","guid":"b21487c7-a268-4389-8daf-48553e24be9e","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00","syslog.header.pri":"167","syslog.header.severity":"7","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168231 for Outside_VPN:204.111.72.243\/3011 to Inside-Trunk:10.22.8.208\/60037 duration 0:00:00 bytes 19415 TCP FINs","syslog.header.facility":"17","guid":"aa78ab45-e5f7-4c78-91ac-7782278121ba","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168231 for Outside_VPN:204.111.72.243\/3011 to Inside-Trunk: [...] +{"syslog.header.hostName":"10.22.8.41","original_string":"<166>Jan 5 16:52:35 10.22.8.41 %ASA-6-302013: Built inbound TCP connection 45476108 for Outside:10.22.8.97\/53484 (10.22.8.97\/53484)(LOCAL\\user.name) to Inside:141.111.72.70\/7576 (141.111.72.70\/7576) (user.name)","syslog.header.facility":"20","guid":"17255787-8e0b-441b-95f3-2847562976a0","syslog.header.timestamp":"Jan 5 16:52:35","syslog.message":"%ASA-6-302013: Built inbound TCP connection 45476108 for Outside:10.22.8.97\/5 [...] +{"syslog.header.hostName":"10.22.8.212","original_string":"<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245527 for outside:10.22.8.97\/65195 (10.22.8.97\/65195) to inside:17.111.72.212\/5223 (17.111.72.212\/5223) (user.name)","syslog.header.facility":"21","guid":"2afc28ff-6abc-4687-8980-29520e29fdd0","syslog.header.timestamp":"Jan 5 14:52:35","syslog.message":"%ASA-6-302013: Built inbound TCP connection 76245527 for outside:10.22.8.97\/65195 (10.22.8.97 [...] 
+{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212806018 for outside:10.22.8.17\/58632(LOCAL\\user.name) to inside:10.22.8.12\/389 duration 0:00:00 bytes 0 TCP FINs (user.name)","syslog.header.facility":"20","guid":"e1b89dd1-ac20-449d-89f3-c0bd6854e5f4","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 212806018 for outside:10.22.8.17\/58632(LOCAL\\user.n [...] +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168562 for DMZ-Inside:10.22.8.51\/51236 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 2273 TCP FINs","syslog.header.facility":"17","guid":"883c4b0a-6fce-473b-accb-05e685f0cbf8","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168562 for DMZ-Inside:10.22.8.51\/51236 to Inside-Trunk:10.22.8.1 [...] +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806065 for outside:10.22.8.62\/59829 (10.22.8.62\/59829)(LOCAL\\user.name) to inside:10.22.8.85\/53 (10.22.8.85\/53) (user.name)","syslog.header.facility":"20","guid":"1163b376-fc70-4ae9-81b4-0b037327fa5a","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302015: Built inbound UDP connection 212806065 for outside:10.22.8.62\/59829 ( [...] +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806067 for outside:10.22.8.143\/62675 (10.22.8.143\/62675)(LOCAL\\user.name) to inside:141.111.72.12\/389 (141.111.72.12\/389) (user.name)","syslog.header.facility":"20","guid":"48775c39-c9d8-4da9-a543-7a70abb2e456","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302013: Built inbound TCP connection 212806067 for outside:10.22.8.1 [...] 
+{"syslog.header.hostName":"10.22.8.216","original_string":"<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-710005: UDP request discarded from 10.22.8.223\/61122 to outside:224.111.72.252\/5355","syslog.header.facility":"20","guid":"3ec72d5a-d659-4f0a-8be7-328f990d1678","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-7-710005: UDP request discarded from 10.22.8.223\/61122 to outside:224.111.72.252\/5355","syslog.header.pri":"167","syslog.header.severity":"7","timestamp":1515142 [...] +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.143\/0(LOCAL\\user.name) gaddr 141.111.72.12\/0 laddr 141.111.72.12\/0 (user.name)","syslog.header.facility":"20","guid":"ce7ccaf5-f676-455d-a612-1c5856416c9c","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.143\/0(LOCAL\\user.name) gaddr 141.111.72.12\/0 ladd [...] +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168547 for Outside_VPN:107.111.72.102\/80 to Inside-Trunk:10.22.8.54\/61676 duration 0:00:00 bytes 1030 TCP FINs","syslog.header.facility":"17","guid":"fe02e22f-f3f4-4ba3-afe9-500519b4f0f4","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168547 for Outside_VPN:107.111.72.102\/80 to Inside-Trunk:10.22. [...] +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806078 for outside:10.22.8.221\/56633 (10.22.8.221\/56633)(LOCAL\\user.name) to inside:10.22.8.20\/389 (10.22.8.20\/389) (user.name)","syslog.header.facility":"20","guid":"4e748582-a989-4605-abc1-70e30c6ce5b5","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302015: Built inbound UDP connection 212806078 for outside:10.22.8.221\/56 [...] 
+{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-305011: Built dynamic TCP translation from inside:10.22.8.83\/59915 to outside:206.111.72.41\/22776","syslog.header.facility":"20","guid":"557f3bc8-e889-427d-97fe-7d9e4b61e932","syslog.header.timestamp":"Jan 5 09:52:35","syslog.message":"%ASA-6-305011: Built dynamic TCP translation from inside:10.22.8.83\/59915 to outside:206.111.72.41\/22776","syslog.header.pri":"166","syslog.header.severit [...] +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168044 for Outside_VPN:50.111.72.39\/80 to Inside-Trunk:10.22.8.75\/60877 duration 0:00:01 bytes 13304 TCP FINs","syslog.header.facility":"17","guid":"d81d66f2-e6e0-42ff-b886-a02fd3893032","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168044 for Outside_VPN:50.111.72.39\/80 to Inside-Trunk:10.22.8.7 [...] +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488118326 for Outside_VPN:23.111.72.27\/80 to Inside-Trunk:10.22.8.229\/57901 duration 0:01:45 bytes 1942 TCP FINs","syslog.header.facility":"17","guid":"e33243a6-d361-48da-9dd6-30fe1a2b0dbe","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 488118326 for Outside_VPN:23.111.72.27\/80 to Inside-Trunk:10.22.8.2 [...] +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488160565 for Outside_VPN:72.111.72.29\/80 to Inside-Trunk:10.22.8.42\/57520 duration 0:00:15 bytes 1025 TCP FINs","syslog.header.facility":"17","guid":"0833ee92-e4b0-4cec-aed6-73e0f3afa0e8","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 488160565 for Outside_VPN:72.111.72.29\/80 to Inside-Trunk:10.22.8.42 [...] 
+{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488096423 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.22.8.127\/59096 duration 0:02:27 bytes 99347 TCP Reset-O","syslog.header.facility":"17","guid":"5afa5b9b-af47-4954-820f-1a2a72249f5c","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 488096423 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.22 [...]
+{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488095522 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.22.8.127\/59087 duration 0:02:29 bytes 154785 TCP Reset-O","syslog.header.facility":"17","guid":"cc093a83-1f7d-468a-b09a-982e62a5371a","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 488095522 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.2 [...]
+{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488106557 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.22.8.127\/59134 duration 0:02:09 bytes 25319 TCP Reset-O","syslog.header.facility":"17","guid":"30e86e48-6d96-4ebc-8865-262c67d1801b","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 488106557 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.22 [...]
+{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488096426 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.22.8.127\/59099 duration 0:02:27 bytes 26171 TCP Reset-O","syslog.header.facility":"17","guid":"e9d40894-606f-4f14-9bb3-367fbc0c19a0","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 488096426 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.22 [...]
+{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212806005 for outside:10.22.8.17\/58630(LOCAL\\user.name) to inside:10.22.8.12\/389 duration 0:00:00 bytes 3942 TCP FINs (user.name)","syslog.header.facility":"20","guid":"ada1044a-5805-494a-a814-2907ad6ad665","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 212806005 for outside:10.22.8.17\/58630(LOCAL\\use [...]
+{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806085 for outside:10.22.8.143\/54018 (10.22.8.143\/54018)(LOCAL\\user.name) to inside:10.22.8.85\/53 (10.22.8.85\/53) (user.name)","syslog.header.facility":"20","guid":"7e38f864-4c30-4f06-9dd7-0bc8f405bbe6","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302015: Built inbound UDP connection 212806085 for outside:10.22.8.143\/5401 [...]
+{"syslog.header.hostName":"10.22.8.212","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.96\/2708 gaddr 10.22.8.30\/0 laddr 10.22.8.30\/0 (user.name)","syslog.header.facility":"21","guid":"57fb779c-227a-4f64-afde-d993f5f163fb","syslog.header.timestamp":"Jan 5 14:52:36","syslog.message":"%ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.96\/2708 gaddr 10.22.8.30\/0 laddr 10.22.8.30\/0 (user.name)","syslog.head [...]
+{"syslog.header.hostName":"10.22.8.212","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245537 for outside:10.22.8.110\/49886 (10.22.8.110\/49886) to inside:192.111.72.11\/8612 (192.111.72.11\/8612) (user.name)","syslog.header.facility":"21","guid":"55f3aa3a-fa7f-42c2-86fa-23602434c716","syslog.header.timestamp":"Jan 5 14:52:36","syslog.message":"%ASA-6-302015: Built inbound UDP connection 76245537 for outside:10.22.8.110\/49886 (10.22.8 [...]
+{"syslog.header.hostName":"10.22.8.41","original_string":"<166>Jan 5 16:52:36 10.22.8.41 %ASA-6-106015: Deny TCP (no connection) from 10.22.8.85\/58359 to 10.22.8.11\/88 flags RST ACK on interface Outside","syslog.header.facility":"20","guid":"04bf0433-398f-4369-8a10-b6b6800b94dc","syslog.header.timestamp":"Jan 5 16:52:36","syslog.message":"%ASA-6-106015: Deny TCP (no connection) from 10.22.8.85\/58359 to 10.22.8.11\/88 flags RST ACK on interface Outside","syslog.header.pri":"166","s [...]
+{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.82\/0(LOCAL\\user.name) gaddr 10.22.8.205\/0 laddr 10.22.8.205\/0","syslog.header.facility":"20","guid":"0ca4a23e-9dc1-46ea-bbd4-e5fa1566a5fa","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.82\/0(LOCAL\\user.name) gaddr 10.22.8.205\/0 laddr 10.22.8.205\/0","syslog.head [...]
+{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212799832 for outside:10.22.8.230\/55549(LOCAL\\user.name) to inside:10.22.8.11\/389 duration 0:02:01 bytes 354 (user.name)","syslog.header.facility":"20","guid":"b472dd59-9ede-42ed-a67b-e5d34e8b7b9d","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302016: Teardown UDP connection 212799832 for outside:10.22.8.230\/55549(LOCAL\\user.name) [...]
+{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212799867 for outside:10.22.8.240\/138(LOCAL\\user.name) to inside:10.22.8.255\/138 duration 0:02:01 bytes 214 (user.name)","syslog.header.facility":"20","guid":"9231563a-4e43-440d-9bcd-ff67d2f01b17","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302016: Teardown UDP connection 212799867 for outside:10.22.8.240\/138(LOCAL\\user.name) to [...]
+{"syslog.header.hostName":"10.22.8.216","original_string":"<167>Jan 5 08:52:36 10.22.8.216 %ASA-7-609001: Built local-host inside:67.111.72.204","syslog.header.facility":"20","guid":"e717a671-9e5f-4bb7-b0b0-0e1cbcfe5b4a","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-7-609001: Built local-host inside:67.111.72.204","syslog.header.pri":"167","syslog.header.severity":"7","timestamp":1515142356000,"source.type":"syslog3164"}
+{"syslog.header.hostName":"10.22.8.212","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245544 for outside:10.22.8.227\/54540 (10.22.8.227\/54540) to inside:63.111.72.124\/80 (63.111.72.124\/80) (user.name)","syslog.header.facility":"21","guid":"49cc4afe-467b-4b4c-b883-d6aa2ebe1d9f","syslog.header.timestamp":"Jan 5 14:52:36","syslog.message":"%ASA-6-302013: Built inbound TCP connection 76245544 for outside:10.22.8.227\/54540 (10.22.8.227 [...]
+{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168135 for Outside_VPN:198.111.72.66\/36797 to DMZ-Inside:10.22.8.53\/80 duration 0:00:01 bytes 89039 TCP FINs","syslog.header.facility":"17","guid":"de2a851d-4860-4625-b870-c7f3a10c219a","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168135 for Outside_VPN:198.111.72.66\/36797 to DMZ-Inside:10.22.8. [...]
+{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212805836 for outside:10.22.8.62\/56471(LOCAL\\user.name) to inside:208.111.72.1\/443 duration 0:00:04 bytes 1700 TCP FINs (user.name)","syslog.header.facility":"20","guid":"6f37c953-20ea-4fa3-aa96-0b91c689e110","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 212805836 for outside:10.22.8.62\/56471(LOCAL\\u [...]
+{"syslog.header.hostName":"10.22.8.212","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245546 for outside:10.22.8.227\/54542 (10.22.8.227\/54542) to inside:63.111.72.124\/80 (63.111.72.124\/80) (user.name)","syslog.header.facility":"21","guid":"4e9f6ee9-55fc-40da-8e3c-77ba4f072013","syslog.header.timestamp":"Jan 5 14:52:36","syslog.message":"%ASA-6-302013: Built inbound TCP connection 76245546 for outside:10.22.8.227\/54542 (10.22.8.227 [...]
+{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.74\/0(LOCAL\\user.name) gaddr 10.22.8.205\/0 laddr 10.22.8.205\/0","syslog.header.facility":"20","guid":"79538743-01a6-49e1-860a-80fe58111d59","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.74\/0(LOCAL\\user.name) gaddr 10.22.8.205\/0 laddr 10.22.8.205\/0","syslog.head [...]
+{"syslog.header.hostName":"10.22.8.212","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302020: Built outbound ICMP connection for faddr 10.22.8.96\/2708 gaddr 10.22.8.30\/0 laddr 10.22.8.30\/0","syslog.header.facility":"21","guid":"7ba31a57-915e-466e-8efb-dfdbc9a7d515","syslog.header.timestamp":"Jan 5 14:52:36","syslog.message":"%ASA-6-302020: Built outbound ICMP connection for faddr 10.22.8.96\/2708 gaddr 10.22.8.30\/0 laddr 10.22.8.30\/0","syslog.header.pri":"174","syslog. [...]
+{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168388 for DMZ-Inside:10.22.8.10\/49771 to Inside-Trunk:10.22.8.128\/443 duration 0:00:00 bytes 19132 TCP Reset-O","syslog.header.facility":"17","guid":"5fb3a31a-84f7-465e-b4a5-648edc12c9f3","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168388 for DMZ-Inside:10.22.8.10\/49771 to Inside-Trunk:10.22.8 [...]
+{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168692 for DMZ-Inside:10.22.8.53\/61694 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 5660 TCP FINs","syslog.header.facility":"17","guid":"89922414-2c06-45b2-9c96-e2a62956eb4b","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168692 for DMZ-Inside:10.22.8.53\/61694 to Inside-Trunk:10.22.8.1 [...]
+{"syslog.header.hostName":"10.22.8.212","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245552 for outside:10.22.8.92\/51042 (10.22.8.92\/51042) to inside:10.22.8.193\/9100 (10.22.8.193\/9100) (user.name)","syslog.header.facility":"21","guid":"af712b8d-55d8-46c0-9ab0-92e075aaf546","syslog.header.timestamp":"Jan 5 14:52:36","syslog.message":"%ASA-6-302013: Built inbound TCP connection 76245552 for outside:10.22.8.92\/51042 (10.22.8.92\/51 [...]
+{"syslog.header.hostName":"10.22.8.41","original_string":"<166>Jan 5 16:52:36 10.22.8.41 %ASA-6-302016: Teardown UDP connection 45474680 for Outside:10.22.8.49\/137(LOCAL\\user.name) to Inside:10.22.8.12\/137 duration 0:02:03 bytes 486 (user.name)","syslog.header.facility":"20","guid":"756ac82f-e710-4dac-b7d6-8e22931b3cfd","syslog.header.timestamp":"Jan 5 16:52:36","syslog.message":"%ASA-6-302016: Teardown UDP connection 45474680 for Outside:10.22.8.49\/137(LOCAL\\user.name) to Inside: [...]
+{"syslog.header.hostName":"10.22.8.41","original_string":"<166>Jan 5 16:52:36 10.22.8.41 %ASA-6-302016: Teardown UDP connection 45474694 for Outside:10.22.8.49\/138(LOCAL\\user.name) to Inside:10.22.8.12\/138 duration 0:02:01 bytes 184 (user.name)","syslog.header.facility":"20","guid":"c7cbc688-5c80-43f0-b3a9-6e026c988c83","syslog.header.timestamp":"Jan 5 16:52:36","syslog.message":"%ASA-6-302016: Teardown UDP connection 45474694 for Outside:10.22.8.49\/138(LOCAL\\user.name) to Inside: [...]
+{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167720 for Outside_VPN:198.111.72.75\/1033 to DMZ-Inside:10.22.8.53\/443 duration 0:00:01 bytes 9634 TCP FINs","syslog.header.facility":"17","guid":"fd20d131-6fe5-4258-a822-982db9b3bcc2","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 488167720 for Outside_VPN:198.111.72.75\/1033 to DMZ-Inside:10.22.8.53 [...]
+{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488165627 for Outside_VPN:170.111.72.22\/27463 to DMZ-Inside:10.22.8.53\/443 duration 0:00:01 bytes 9756 TCP FINs","syslog.header.facility":"17","guid":"de48f6be-b9c8-42e5-8db9-4fdec5458dbf","syslog.header.timestamp":"Jan 5 08:52:32","syslog.message":"%ASA-6-302014: Teardown TCP connection 488165627 for Outside_VPN:170.111.72.22\/27463 to DMZ-Inside:10.22.8. [...]
+{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:32 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212805854 for outside:10.22.8.62\/54704(LOCAL\\user.name) to inside:10.22.8.85\/53 duration 0:00:00 bytes 114 (user.name)","syslog.header.facility":"20","guid":"84c5fb3b-ae49-4eb8-af3f-57c63fc6d079","syslog.header.timestamp":"Jan 5 08:52:32","syslog.message":"%ASA-6-302016: Teardown UDP connection 212805854 for outside:10.22.8.62\/54704(LOCAL\\user.name) to [...]
+{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-302020: Built inbound ICMP connection for faddr 207.111.72.122\/0 gaddr 206.111.72.24\/512 laddr 10.22.8.57\/512","syslog.header.facility":"20","guid":"a7fcb975-e65a-4f01-939e-839cf4f599b0","syslog.header.timestamp":"Jan 5 09:52:32","syslog.message":"%ASA-6-302020: Built inbound ICMP connection for faddr 207.111.72.122\/0 gaddr 206.111.72.24\/512 laddr 10.22.8.57\/512","syslog.header.pri":"1 [...]
+{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-302013: Built outbound TCP connection 17605397 for outside:69.111.72.0\/80 (69.111.72.0\/80) to inside:10.22.8.102\/55659 (206.111.72.41\/40627)","syslog.header.facility":"20","guid":"12f475f4-04c8-41de-8d41-547f98933048","syslog.header.timestamp":"Jan 5 09:52:32","syslog.message":"%ASA-6-302013: Built outbound TCP connection 17605397 for outside:69.111.72.0\/80 (69.111.72.0\/80) to inside:1 [...]
+{"syslog.header.hostName":"10.22.8.212","original_string":"<174>Jan 5 14:52:32 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245230 for outside:10.22.8.96\/123 (10.22.8.96\/123) to inside:10.22.8.12\/123 (10.22.8.12\/123) (user.name)","syslog.header.facility":"21","guid":"9b26768a-1a11-4777-b1fb-906821b7f05b","syslog.header.timestamp":"Jan 5 14:52:32","syslog.message":"%ASA-6-302015: Built inbound UDP connection 76245230 for outside:10.22.8.96\/123 (10.22.8.96\/123) to insi [...]
+{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488031413 for Outside_VPN:184.111.72.216\/50341 to DMZ-Inside:10.22.8.57\/443 duration 0:05:01 bytes 13543 TCP Reset-O","syslog.header.facility":"17","guid":"b177327e-d674-470a-8f82-bacd18d47df2","syslog.header.timestamp":"Jan 5 08:52:32","syslog.message":"%ASA-6-302014: Teardown TCP connection 488031413 for Outside_VPN:184.111.72.216\/50341 to DMZ-Inside:10 [...]
+{"syslog.header.hostName":"10.22.8.41","original_string":"<166>Jan 5 16:52:32 10.22.8.41 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.95\/1(LOCAL\\user.name) gaddr 10.22.8.12\/0 laddr 10.22.8.12\/0 (user.name)","syslog.header.facility":"20","guid":"69f69569-66c2-4846-9f12-3b24a416e876","syslog.header.timestamp":"Jan 5 16:52:32","syslog.message":"%ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.95\/1(LOCAL\\user.name) gaddr 10.22.8.12\/0 laddr 10.22.8.12\ [...]
+{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488030393 for DMZ-Inside:[10.22.8.10\/57109 to Inside-Trunk:10.22.8.128\/443 duration 0:05:04 bytes 13541 TCP Reset-O","syslog.header.facility":"17","guid":"bf63019f-7895-495f-8406-2b50b9186a90","syslog.header.timestamp":"Jan 5 08:52:32","syslog.message":"%ASA-6-302014: Teardown TCP connection 488030393 for DMZ-Inside:[10.22.8.10\/57109 to Inside-Trunk:10.22 [...]
+{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.22.8.149\/62156 to outside:206.111.72.41\/19576 duration 0:00:44","syslog.header.facility":"20","guid":"28cc755f-1acb-41bf-a454-ee392fb7ef1a","syslog.header.timestamp":"Jan 5 09:52:32","syslog.message":"%ASA-6-305012: Teardown dynamic TCP translation from inside:10.22.8.149\/62156 to outside:206.111.72.41\/19576 duration 0:00:44","syslo [...]
+{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.22.8.149\/62159 to outside:206.111.72.41\/39634 duration 0:00:44","syslog.header.facility":"20","guid":"d6c11c2e-c0b4-4981-b6bc-768c5437b7d9","syslog.header.timestamp":"Jan 5 09:52:32","syslog.message":"%ASA-6-305012: Teardown dynamic TCP translation from inside:10.22.8.149\/62159 to outside:206.111.72.41\/39634 duration 0:00:44","syslo [...]
+{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488031793 for Outside_VPN:198.111.72.146\/28026 to DMZ-Inside:10.22.8.53\/443 duration 0:05:00 bytes 119 TCP FINs","syslog.header.facility":"17","guid":"6816c488-5bc9-4854-97cb-c26c31f223fb","syslog.header.timestamp":"Jan 5 08:52:32","syslog.message":"%ASA-6-302014: Teardown TCP connection 488031793 for Outside_VPN:198.111.72.146\/28026 to DMZ-Inside:10.22.8 [...]
+{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488030810 for DMZ-Inside:10.22.8.10\/56930 to Inside-Trunk:10.22.8.128\/443 duration 0:05:03 bytes 13543 TCP Reset-O","syslog.header.facility":"17","guid":"abaf91ea-8b0f-4157-9222-3492585e19e4","syslog.header.timestamp":"Jan 5 08:52:32","syslog.message":"%ASA-6-302014: Teardown TCP connection 488030810 for DMZ-Inside:10.22.8.10\/56930 to Inside-Trunk:10.22.8 [...]
+{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 186.111.72.11\/80 to 204.111.72.199\/61438 flags SYN ACK on interface Outside_VPN","syslog.header.facility":"17","guid":"25830358-2bde-4c75-bc90-0aba594625dd","syslog.header.timestamp":"Jan 5 08:52:32","syslog.message":"%ASA-6-106015: Deny TCP (no connection) from 186.111.72.11\/80 to 204.111.72.199\/61438 flags SYN ACK on interface Outside_VPN","sys [...]
+{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:32 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212805863 for outside:10.22.8.144\/61999 (10.22.8.144\/61999)(LOCAL\\user.name) to inside:10.22.8.163\/80 (10.22.8.163\/80) (user.name)","syslog.header.facility":"20","guid":"78461d6a-8008-4c55-b8cd-b48b90e9d519","syslog.header.timestamp":"Jan 5 08:52:32","syslog.message":"%ASA-6-302013: Built inbound TCP connection 212805863 for outside:10.22.8.144\/61 [...]
+{"syslog.header.hostName":"10.22.8.216","original_string":"<167>Jan 5 08:52:32 10.22.8.216 %ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00","syslog.header.facility":"20","guid":"0d48864f-dcd5-40b5-8ec3-a37ccf2f1527","syslog.header.timestamp":"Jan 5 08:52:32","syslog.message":"%ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00","syslog.header.pri":"167","syslog.header.severity":"7","timestamp":1515142352000,"source.type":"syslog3164"}
\ No newline at end of file
diff --git a/metron-platform/metron-integration-test/src/main/sample/data/syslog3164/raw/Syslog3164Output b/metron-platform/metron-integration-test/src/main/sample/data/syslog3164/raw/Syslog3164Output
new file mode 100644
index 0000000..6009d48
--- /dev/null
+++ b/metron-platform/metron-integration-test/src/main/sample/data/syslog3164/raw/Syslog3164Output
@@ -0,0 +1,100 @@
+<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-609001: Built local-host inside:10.22.8.205
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.74/0(LOCAL\user.name) gaddr 10.22.8.205/0 laddr 10.22.8.205/0
+<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167725 for Outside_VPN:147.111.72.16/26436 to DMZ-Inside:10.22.8.53/443 duration 0:00:00 bytes 9687 TCP FINs
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212805593 for outside:10.22.8.223/59614(LOCAL\user.name) to inside:10.22.8.78/8102 duration 0:00:07 bytes 3433 TCP FINs (user.name)
+<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245503 for outside:10.22.8.233/54209 (10.22.8.233/54209) to inside:198.111.72.238/443 (198.111.72.238/443) (user.name)
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806031 for outside:10.22.8.17/58633 (10.22.8.17/58633)(LOCAL\user.name) to inside:10.22.8.12/389 (10.22.8.12/389) (user.name)
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168292 for DMZ-Inside:10.22.8.51/51231 to Inside-Trunk:10.22.8.174/40004 duration 0:00:00 bytes 2103 TCP FINs
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 186.111.72.11/80 to 204.111.72.226/45019 flags SYN ACK on interface Outside_VPN
+<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302014: Teardown TCP connection 17604987 for outside:209.111.72.151/443 to inside:10.22.8.188/64306 duration 0:00:31 bytes 10128 TCP FINs
+<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302014: Teardown TCP connection 17604999 for outside:209.111.72.151/443 to inside:10.22.8.188/64307 duration 0:00:30 bytes 6370 TCP FINs
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167347 for Outside_VPN:198.111.72.24/2134 to DMZ-Inside:10.22.8.53/443 duration 0:00:01 bytes 9785 TCP FINs
+<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245506 for outside:10.22.8.110/49886 (10.22.8.110/49886) to inside:192.111.72.8/8612 (192.111.72.8/8612) (user.name)
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212805993 for outside:10.22.8.89/56917(LOCAL\user.name) to inside:216.111.72.126/443 duration 0:00:00 bytes 0 TCP FINs (user.name)
+<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-710005: UDP request discarded from 10.22.8.223/49192 to outside:224.111.72.252/5355
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488166143 for Outside_VPN:198.111.72.64/80 to Inside-Trunk:10.22.8.39/54883 duration 0:00:04 bytes 1148 TCP FINs
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-106015: Deny TCP (no connection) from 10.22.8.84/445 to 10.22.8.219/60726 flags ACK on interface inside
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168344 for DMZ-Inside:10.22.8.53/61682 to Inside-Trunk:10.22.8.174/40004 duration 0:00:00 bytes 5648 TCP FINs
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168345 for DMZ-Inside:10.22.8.16/31454 to Inside-Trunk:10.22.8.21/443 duration 0:00:00 bytes 756 TCP FINs
+<182>Jan 5 20:22:35 10.22.8.4 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.12/0 gaddr 10.22.8.45/1 laddr 10.22.8.45/1
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 50.111.72.230/80 to 204.111.72.254/53077 flags RST on interface Outside_VPN
+<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603649 for outside:206.111.72.2/161 to inside:10.22.8.48/63297 duration 0:02:01 bytes 209
+<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603650 for outside:207.111.72.122/161 to inside:10.22.8.48/63298 duration 0:02:01 bytes 209
+<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603652 for outside:206.111.72.2/161 to inside:10.22.8.48/63300 duration 0:02:01 bytes 115
+<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603657 for outside:206.111.72.2/161 to inside:10.22.8.48/63306 duration 0:02:01 bytes 115
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168436 for DMZ-Inside:10.22.8.51/51235 to Inside-Trunk:10.22.8.174/40004 duration 0:00:00 bytes 2497 TCP FINs
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167656 for Outside_VPN:69.111.72.70/21560 to DMZ-Inside:10.22.8.53/443 duration 0:00:01 bytes 11410 TCP FINs
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806050 for outside:10.22.8.62/53965 (10.22.8.62/53965)(LOCAL\user.name) to inside:10.22.8.85/53 (10.22.8.85/53) (user.name)
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806052 for outside:10.22.8.62/56500 (10.22.8.62/56500)(LOCAL\user.name) to inside:198.111.72.83/443 (198.111.72.83/443) (user.name)
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806054 for outside:10.22.8.62/56502 (10.22.8.62/56502)(LOCAL\user.name) to inside:50.111.72.252/443 (50.111.72.252/443) (user.name)
+<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-305011: Built dynamic TCP translation from inside:10.22.8.188/64340 to outside:206.111.72.41/2013
+<166>Jan 5 15:52:35 10.22.8.33 %ASA-6-305012: Teardown dynamic UDP translation from inside:192.111.72.2/62251 to outside:79.111.72.174/21311 duration 0:02:30
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806058 for outside:10.22.8.221/56631 (10.22.8.221/56631)(LOCAL\user.name) to inside:10.22.8.26/389 (10.22.8.26/389) (user.name)
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168189 for Outside_VPN:209.111.72.10/56619 to DMZ-Inside:10.22.8.53/443 duration 0:00:00 bytes 2477 TCP FINs
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 10.22.8.112/52235 to 198.111.72.227/80 flags ACK on interface Inside-Trunk
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167192 for Outside_VPN:115.111.72.7/49196 to DMZ-Inside:10.22.8.57/443 duration 0:00:02 bytes 20588 TCP Reset-O
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212806055 for outside:10.22.8.62/55383(LOCAL\user.name) to inside:10.22.8.85/53 duration 0:00:00 bytes 349 (user.name)
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168380 for Outside_VPN:74.111.72.12/443 to Inside-Trunk:10.22.8.39/54894 duration 0:00:00 bytes 5701 TCP FINs
+<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245522 for outside:10.22.8.147/56343 (10.22.8.147/56343) to inside:209.111.72.151/443 (209.111.72.151/443) (user.name)
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168443 for Outside_VPN:23.111.72.27/80 to Inside-Trunk:10.22.8.81/64713 duration 0:00:00 bytes 2426 TCP FINs
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488111566 for Outside_VPN:131.111.72.49/443 to Inside-Trunk:10.22.8.127/56558 duration 0:01:57 bytes 3614 TCP Reset-O
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806061 for outside:10.22.8.17/58635 (10.22.8.17/58635)(LOCAL\user.name) to inside:10.22.8.12/389 (10.22.8.12/389) (user.name)
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212806010 for outside:10.22.8.33/60223(LOCAL\user.name) to inside:10.22.8.86/389 duration 0:00:00 bytes 416 TCP Reset-I (user.name)
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806062 for outside:10.22.8.221/56632 (10.22.8.221/56632)(LOCAL\user.name) to inside:10.22.8.73/389 (10.22.8.73/389) (user.name)
+<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168231 for Outside_VPN:204.111.72.243/3011 to Inside-Trunk:10.22.8.208/60037 duration 0:00:00 bytes 19415 TCP FINs
+<166>Jan 5 16:52:35 10.22.8.41 %ASA-6-302013: Built inbound TCP connection 45476108 for Outside:10.22.8.97/53484 (10.22.8.97/53484)(LOCAL\user.name) to Inside:141.111.72.70/7576 (141.111.72.70/7576) (user.name)
+<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245527 for outside:10.22.8.97/65195 (10.22.8.97/65195) to inside:17.111.72.212/5223 (17.111.72.212/5223) (user.name)
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212806018 for outside:10.22.8.17/58632(LOCAL\user.name) to inside:10.22.8.12/389 duration 0:00:00 bytes 0 TCP FINs (user.name)
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168562 for DMZ-Inside:10.22.8.51/51236 to Inside-Trunk:10.22.8.174/40004 duration 0:00:00 bytes 2273 TCP FINs
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806065 for outside:10.22.8.62/59829 (10.22.8.62/59829)(LOCAL\user.name) to inside:10.22.8.85/53 (10.22.8.85/53) (user.name)
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806067 for outside:10.22.8.143/62675 (10.22.8.143/62675)(LOCAL\user.name) to inside:141.111.72.12/389 (141.111.72.12/389) (user.name)
+<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-710005: UDP request discarded from 10.22.8.223/61122 to outside:224.111.72.252/5355
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.143/0(LOCAL\user.name) gaddr 141.111.72.12/0 laddr 141.111.72.12/0 (user.name)
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168547 for Outside_VPN:107.111.72.102/80 to Inside-Trunk:10.22.8.54/61676 duration 0:00:00 bytes 1030 TCP FINs
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806078 for outside:10.22.8.221/56633 (10.22.8.221/56633)(LOCAL\user.name) to inside:10.22.8.20/389 (10.22.8.20/389) (user.name)
+<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-305011: Built dynamic TCP translation from inside:10.22.8.83/59915 to outside:206.111.72.41/22776
+<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168044 for Outside_VPN:50.111.72.39/80 to Inside-Trunk:10.22.8.75/60877 duration 0:00:01 bytes 13304 TCP FINs
+<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488118326 for Outside_VPN:23.111.72.27/80 to Inside-Trunk:10.22.8.229/57901 duration 0:01:45 bytes 1942 TCP FINs
+<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488160565 for Outside_VPN:72.111.72.29/80 to Inside-Trunk:10.22.8.42/57520 duration 0:00:15 bytes 1025 TCP FINs
+<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488096423 for Outside_VPN:72.111.72.43/80 to Inside-Trunk:10.22.8.127/59096 duration 0:02:27 bytes 99347 TCP Reset-O
+<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488095522 for Outside_VPN:72.111.72.43/80 to Inside-Trunk:10.22.8.127/59087 duration 0:02:29 bytes 154785 TCP Reset-O
+<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488106557 for Outside_VPN:72.111.72.43/80 to Inside-Trunk:10.22.8.127/59134 duration 0:02:09 bytes 25319 TCP Reset-O
+<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488096426 for Outside_VPN:72.111.72.43/80 to Inside-Trunk:10.22.8.127/59099 duration 0:02:27 bytes 26171 TCP Reset-O
+<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212806005 for outside:10.22.8.17/58630(LOCAL\user.name) to inside:10.22.8.12/389 duration 0:00:00 bytes 3942 TCP FINs (user.name)
+<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806085 for outside:10.22.8.143/54018 (10.22.8.143/54018)(LOCAL\user.name) to inside:10.22.8.85/53 (10.22.8.85/53) (user.name)
+<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.96/2708 gaddr 10.22.8.30/0 laddr 10.22.8.30/0 (user.name)
+<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245537 for outside:10.22.8.110/49886 (10.22.8.110/49886) to inside:192.111.72.11/8612 (192.111.72.11/8612) (user.name)
+<166>Jan 5 16:52:36 10.22.8.41 %ASA-6-106015: Deny TCP (no connection) from 10.22.8.85/58359 to 10.22.8.11/88 flags RST ACK on interface Outside
+<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.82/0(LOCAL\user.name) gaddr 10.22.8.205/0 laddr 10.22.8.205/0
+<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212799832 for outside:10.22.8.230/55549(LOCAL\user.name) to inside:10.22.8.11/389 duration 0:02:01 bytes 354 (user.name)
+<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212799867 for outside:10.22.8.240/138(LOCAL\user.name) to inside:10.22.8.255/138 duration 0:02:01 bytes 214 (user.name)
+<167>Jan 5 08:52:36 10.22.8.216 %ASA-7-609001: Built local-host inside:67.111.72.204
+<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245544 for outside:10.22.8.227/54540 (10.22.8.227/54540) to inside:63.111.72.124/80 (63.111.72.124/80) (user.name)
+<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168135 for Outside_VPN:198.111.72.66/36797 to DMZ-Inside:10.22.8.53/80 duration 0:00:01 bytes 89039 TCP FINs
+<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212805836 for outside:10.22.8.62/56471(LOCAL\user.name) to inside:208.111.72.1/443 duration 0:00:04 bytes 1700 TCP FINs (user.name)
+<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245546 for outside:10.22.8.227/54542 (10.22.8.227/54542) to inside:63.111.72.124/80 (63.111.72.124/80) (user.name)
+<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.74/0(LOCAL\user.name) gaddr 10.22.8.205/0 laddr 10.22.8.205/0
+<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302020: Built outbound ICMP connection for faddr 10.22.8.96/2708 gaddr 10.22.8.30/0 laddr 10.22.8.30/0
+<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168388 for DMZ-Inside:10.22.8.10/49771 to Inside-Trunk:10.22.8.128/443 duration 0:00:00 bytes 19132 TCP Reset-O
+<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168692 for DMZ-Inside:10.22.8.53/61694 to Inside-Trunk:10.22.8.174/40004 duration 0:00:00 bytes 5660 TCP FINs
+<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245552 for outside:10.22.8.92/51042 (10.22.8.92/51042) to inside:10.22.8.193/9100 (10.22.8.193/9100) (user.name)
+<166>Jan 5 16:52:36 10.22.8.41 %ASA-6-302016: Teardown UDP connection 45474680 for Outside:10.22.8.49/137(LOCAL\user.name) to Inside:10.22.8.12/137 duration 0:02:03 bytes 486 (user.name)
+<166>Jan 5 16:52:36 10.22.8.41 %ASA-6-302016: Teardown UDP connection 45474694 for Outside:10.22.8.49/138(LOCAL\user.name) to Inside:10.22.8.12/138 duration 0:02:01 bytes 184 (user.name)
+<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167720 for Outside_VPN:198.111.72.75/1033 to DMZ-Inside:10.22.8.53/443 duration 0:00:01 bytes 9634 TCP FINs
+<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488165627 for Outside_VPN:170.111.72.22/27463 to DMZ-Inside:10.22.8.53/443 duration 0:00:01 bytes 9756 TCP FINs
+<166>Jan 5 08:52:32 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212805854 for outside:10.22.8.62/54704(LOCAL\user.name) to inside:10.22.8.85/53 duration 0:00:00 bytes 114 (user.name)
+<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-302020: Built inbound ICMP connection for faddr 207.111.72.122/0 gaddr 206.111.72.24/512 laddr 10.22.8.57/512
+<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-302013: Built outbound TCP connection 17605397 for outside:69.111.72.0/80 (69.111.72.0/80) to inside:10.22.8.102/55659 (206.111.72.41/40627)
+<174>Jan 5 14:52:32 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245230 for 
outside:10.22.8.96/123 (10.22.8.96/123) to inside:10.22.8.12/123 (10.22.8.12/123) (user.name) +<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488031413 for Outside_VPN:184.111.72.216/50341 to DMZ-Inside:10.22.8.57/443 duration 0:05:01 bytes 13543 TCP Reset-O +<166>Jan 5 16:52:32 10.22.8.41 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.95/1(LOCAL\user.name) gaddr 10.22.8.12/0 laddr 10.22.8.12/0 (user.name) +<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488030393 for DMZ-Inside:[10.22.8.10/57109 to Inside-Trunk:10.22.8.128/443 duration 0:05:04 bytes 13541 TCP Reset-O +<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.22.8.149/62156 to outside:206.111.72.41/19576 duration 0:00:44 +<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.22.8.149/62159 to outside:206.111.72.41/39634 duration 0:00:44 +<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488031793 for Outside_VPN:198.111.72.146/28026 to DMZ-Inside:10.22.8.53/443 duration 0:05:00 bytes 119 TCP FINs +<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488030810 for DMZ-Inside:10.22.8.10/56930 to Inside-Trunk:10.22.8.128/443 duration 0:05:03 bytes 13543 TCP Reset-O +<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 186.111.72.11/80 to 204.111.72.199/61438 flags SYN ACK on interface Outside_VPN +<166>Jan 5 08:52:32 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212805863 for outside:10.22.8.144/61999 (10.22.8.144/61999)(LOCAL\user.name) to inside:10.22.8.163/80 (10.22.8.163/80) (user.name) +<167>Jan 5 08:52:32 10.22.8.216 %ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00 \ No newline at end of file 
diff --git a/metron-platform/metron-integration-test/src/main/sample/data/syslog5424/parsed/Syslog5424Parsed b/metron-platform/metron-integration-test/src/main/sample/data/syslog5424/parsed/Syslog5424Parsed
index e330204..ee1c6f6 100644
--- a/metron-platform/metron-integration-test/src/main/sample/data/syslog5424/parsed/Syslog5424Parsed
+++ b/metron-platform/metron-integration-test/src/main/sample/data/syslog5424/parsed/Syslog5424Parsed
@@ -1,3 +1,3 @@ -{"syslog.header.appName":"d0602076-b14a-4c55-852a-981e7afeed38","syslog.header.version":"1","syslog.header.hostName":"loggregator","original_string":"<14>1 2014-06-20T09:14:07+00:00 loggregator d0602076-b14a-4c55-852a-981e7afeed38 DEA - - Removing instance","syslog.header.facility":"1","syslog.header.msgId":"-","syslog.header.timestamp":"2014-06-20T09:14:07+00:00","syslog.message":"Removing instance","syslog.header.pri":"14","syslog.header.procId":"DEA","syslog.header.severity":"6","time [...] -{"syslog.structureddata.examples...@32480.iut":"4","syslog.structuredData.exampleSDID@32480.eventSource":"Other Application","syslog.header.hostName":"loggregator","syslog.header.facility":"1","syslog.structuredData.exampleSDID@32480.eventID":"2022","syslog.structuredData.exampleSDID@32473.eventSource":"Application","syslog.header.timestamp":"2014-06-20T09:14:08+00:00","syslog.message":"Removing instance","syslog.header.pri":"14","syslog.header.procId":"DEA","syslog.header.severity":"6", [...] -{"syslog.structureddata.examples...@32480.iut":"4","syslog.structuredData.exampleSDID@32480.eventSource":"Other Application","syslog.structureddata.examples...@32474.iut":"3","syslog.structuredData.exampleSDID@32474.eventID":"1011","syslog.header.hostName":"loggregator","syslog.header.facility":"1","syslog.structuredData.exampleSDID@32480.eventID":"2022","syslog.header.timestamp":"2014-06-20T09:14:09+00:00","syslog.message":"Removing instance","syslog.header.pri":"14","syslog.header.proc [...] 
\ No newline at end of file +{"syslog.header.hostName":"loggregator","syslog.header.facility":"1","syslog.header.timestamp":"2014-06-20T09:14:07+00:00","syslog.message":"Removing instance","syslog.header.pri":"14","syslog.header.procId":"DEA","syslog.header.severity":"6","source.type":"syslog5424","syslog.header.appName":"d0602076-b14a-4c55-852a-981e7afeed38","syslog.header.version":"1","original_string":"<14>1 2014-06-20T09:14:07+00:00 loggregator d0602076-b14a-4c55-852a-981e7afeed38 DEA - - Removing instance","sys [...] +{"syslog.structureddata.examples...@32480.iut":"4","syslog.structuredData.exampleSDID@32480.eventSource":"Other Application","syslog.header.hostName":"loggregator","syslog.header.facility":"1","syslog.structuredData.exampleSDID@32480.eventID":"2022","syslog.structuredData.exampleSDID@32473.eventSource":"Application","syslog.header.timestamp":"2014-06-20T09:14:08+00:00","syslog.message":"Removing instance","syslog.header.pri":"14","syslog.header.procId":"DEA","syslog.header.severity":"6", [...] +{"syslog.structureddata.examples...@32480.iut":"4","syslog.structuredData.exampleSDID@32480.eventSource":"Other Application","syslog.structureddata.examples...@32474.iut":"3","syslog.structuredData.exampleSDID@32474.eventID":"1011","syslog.header.hostName":"loggregator","syslog.header.facility":"1","syslog.structuredData.exampleSDID@32480.eventID":"2022","syslog.header.timestamp":"2014-06-20T09:14:09+00:00","syslog.message":"Removing instance","syslog.header.pri":"14","syslog.header.proc [...] \ No newline at end of file diff --git a/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/integration/Syslog3164ParserIntegrationTest.java b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/integration/Syslog3164ParserIntegrationTest.java new file mode 100644 index 0000000..e1affe6 --- /dev/null +++ b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/integration/Syslog3164ParserIntegrationTest.java 
@@ -0,0 +1,37 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.metron.parsers.integration; + +import org.apache.metron.parsers.integration.validation.SampleDataValidation; + +import java.util.ArrayList; +import java.util.List; + +public class Syslog3164ParserIntegrationTest extends ParserIntegrationTest { + @Override + String getSensorType() { + return "syslog3164"; + } + + @Override + List<ParserValidation> getValidations() { + return new ArrayList<ParserValidation>() {{ + add(new SampleDataValidation()); + }}; + } +} diff --git a/metron-platform/metron-parsing/README.md b/metron-platform/metron-parsing/README.md index 9a46532..9bbd39f 100644 --- a/metron-platform/metron-parsing/README.md +++ b/metron-platform/metron-parsing/README.md 
@@ -599,6 +599,7 @@ Java parser adapters are intended for higher-velocity topologies and are not eas * org.apache.metron.parsers.sourcefire.BasicSourcefireParser : Parse Sourcefire messages * org.apache.metron.parsers.lancope.BasicLancopeParser : Parse Lancope messages * org.apache.metron.parsers.syslog.Syslog5424Parser : Parse Syslog RFC 5424 messages +* org.apache.metron.parsers.syslog.Syslog3164Parser : Parse Syslog RFC 3164 messages ### Grok Parser Adapters Grok parser adapters are designed primarily for someone who is not a Java coder for quickly standing up a parser adapter for lower velocity topologies. Grok relies on Regex for message parsing, which is much slower than purpose-built Java parsers, but is more extensible. Grok parsers are defined via a config file and the topplogy does not need to be recompiled in order to make changes to them. Example of a Grok parsers are: diff --git a/metron-platform/metron-parsing/metron-parsers-common/README.md b/metron-platform/metron-parsing/metron-parsers-common/README.md index 0c5cf23..0949950 100644 --- a/metron-platform/metron-parsing/metron-parsers-common/README.md +++ b/metron-platform/metron-parsing/metron-parsers-common/README.md @@ -23,5 +23,6 @@ The included parsers are * Grok Parser * JSONMapParser * CSVParser +* Syslog 3164 and 5424 parsers More details on these parsers and the overall architecture can be found in the metron-parsing [README](..#README.md) diff --git a/metron-platform/metron-parsing/metron-parsers-common/pom.xml b/metron-platform/metron-parsing/metron-parsers-common/pom.xml index 617366a..8abc1ee 100644 --- a/metron-platform/metron-parsing/metron-parsers-common/pom.xml +++ b/metron-platform/metron-parsing/metron-parsers-common/pom.xml 
@@ -217,6 +217,11 @@ <artifactId>json-path</artifactId> <version>2.3.0</version> </dependency> + <dependency> + <groupId>com.github.palindromicity</groupId> + <artifactId>simple-syslog</artifactId> + <version>${global_simple_syslog_version}</version> + </dependency> </dependencies> <build> <plugins> diff --git a/metron-platform/metron-parsing/metron-parsers-common/src/main/config/zookeeper/parsers/syslog3164.json b/metron-platform/metron-parsing/metron-parsers-common/src/main/config/zookeeper/parsers/syslog3164.json new file mode 100644 index 0000000..298e8cc --- /dev/null +++ b/metron-platform/metron-parsing/metron-parsers-common/src/main/config/zookeeper/parsers/syslog3164.json @@ -0,0 +1,6 @@ +{ + "parserClassName":"org.apache.metron.parsers.syslog.Syslog3164Parser", + "sensorTopic":"syslog3164", + "parserConfig": { + } +} \ No newline at end of file diff --git a/metron-platform/metron-parsing/metron-parsers/src/main/config/zookeeper/parsers/syslog5424.json b/metron-platform/metron-parsing/metron-parsers-common/src/main/config/zookeeper/parsers/syslog5424.json similarity index 100% rename from metron-platform/metron-parsing/metron-parsers/src/main/config/zookeeper/parsers/syslog5424.json rename to metron-platform/metron-parsing/metron-parsers-common/src/main/config/zookeeper/parsers/syslog5424.json diff --git a/metron-platform/metron-parsing/metron-parsers/src/main/java/org/apache/metron/parsers/syslog/Syslog5424Parser.java b/metron-platform/metron-parsing/metron-parsers-common/src/main/java/org/apache/metron/parsers/syslog/BaseSyslogParser.java similarity index 65% rename from metron-platform/metron-parsing/metron-parsers/src/main/java/org/apache/metron/parsers/syslog/Syslog5424Parser.java rename to metron-platform/metron-parsing/metron-parsers-common/src/main/java/org/apache/metron/parsers/syslog/BaseSyslogParser.java index 77ebd18..c05b760 100644 
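Review bot: The new syslog3164.json ships with an empty `parserConfig`, so BaseSyslogParser.configure will take the UTC fallback and log the "No device time zone provided" warning on every start, and neither README hunk in this commit mentions the `deviceTimeZone` key, so operators get no hint that the 3164 parser wants it. RFC 3164 timestamps carry no zone (the unit test's expected header timestamp is just `Aug 6 17:26:31`), so the stored epoch value depends entirely on this setting. Consider shipping `"deviceTimeZone": "UTC"` explicitly in this config and adding one sentence about the key and its default next to the Syslog3164Parser entry in metron-parsing/README.md.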
--- a/metron-platform/metron-parsing/metron-parsers/src/main/java/org/apache/metron/parsers/syslog/Syslog5424Parser.java
+++ b/metron-platform/metron-parsing/metron-parsers-common/src/main/java/org/apache/metron/parsers/syslog/BaseSyslogParser.java
@@ -18,65 +18,81 @@ package org.apache.metron.parsers.syslog; -import com.github.palindromicity.syslog.AllowableDeviations; -import com.github.palindromicity.syslog.NilPolicy; import com.github.palindromicity.syslog.SyslogParser; -import com.github.palindromicity.syslog.SyslogParserBuilder; import com.github.palindromicity.syslog.dsl.SyslogFieldKeys; +import org.apache.commons.lang3.StringUtils; +import org.apache.metron.parsers.DefaultMessageParserResult; +import org.apache.metron.parsers.ParseException; +import org.apache.metron.parsers.interfaces.MessageParser; +import org.apache.metron.parsers.interfaces.MessageParserResult; +import org.apache.metron.parsers.utils.SyslogUtils; +import org.json.simple.JSONObject; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + import java.io.BufferedReader; import java.io.IOException; import java.io.Reader; import java.io.Serializable; import java.io.StringReader; import java.lang.invoke.MethodHandles; +import java.time.Clock; import java.time.LocalDateTime; +import java.time.ZoneId; +import java.time.ZoneOffset; import java.time.format.DateTimeFormatter; import java.util.ArrayList; -import java.util.EnumSet; import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Optional; -import org.apache.commons.lang3.StringUtils; -import org.apache.metron.parsers.DefaultMessageParserResult; -import org.apache.metron.parsers.interfaces.MessageParser; -import org.apache.metron.parsers.interfaces.MessageParserResult; -import org.json.simple.JSONObject; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; +import java.util.function.Consumer; /** * Parser for well structured RFC 5424 messages. 
*/ -public class Syslog5424Parser implements MessageParser<JSONObject>, Serializable { +public abstract class BaseSyslogParser implements MessageParser<JSONObject>, Serializable { protected static final Logger LOG = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass()); - public static final String NIL_POLICY_CONFIG = "nilPolicy"; + + private Optional<Consumer<JSONObject>> messageProcessorOptional = Optional.empty(); private transient SyslogParser syslogParser; - @Override - public void configure(Map<String, Object> config) { - // Default to OMIT policy for nil fields - // this means they will not be in the returned field set - String nilPolicyStr = (String) config.getOrDefault(NIL_POLICY_CONFIG, NilPolicy.OMIT.name()); - NilPolicy nilPolicy = NilPolicy.valueOf(nilPolicyStr); - syslogParser = new SyslogParserBuilder() - .withNilPolicy(nilPolicy) - .withDeviations(EnumSet.of(AllowableDeviations.PRIORITY,AllowableDeviations.VERSION)) - .build(); + protected Clock deviceClock; + + + protected void setSyslogParser(SyslogParser syslogParser) { + this.syslogParser = syslogParser; } + protected void setMessageProcessor(Consumer<JSONObject> function) { + this.messageProcessorOptional = Optional.of(function); + } + + protected abstract SyslogParser buildSyslogParser( Map<String,Object> config); + @Override - public void init() { + public void configure(Map<String, Object> parserConfig) { + // we'll pull out the clock stuff ourselves + String timeZone = (String) parserConfig.get("deviceTimeZone"); + if (timeZone != null) + deviceClock = Clock.system(ZoneId.of(timeZone)); + else { + deviceClock = Clock.systemUTC(); + LOG.warn("[Metron] No device time zone provided; defaulting to UTC"); + } + syslogParser = buildSyslogParser(parserConfig); } @Override + public void init(){} + + @Override public boolean validate(JSONObject message) { - JSONObject value = message; - if (!(value.containsKey("original_string"))) { + if (!(message.containsKey("original_string"))) { 
LOG.trace("[Metron] Message does not have original_string: {}", message); return false; - } else if (!(value.containsKey("timestamp"))) { + } else if (!(message.containsKey("timestamp"))) { LOG.trace("[Metron] Message does not have timestamp: {}", message); return false; } else { @@ -94,7 +110,7 @@ public class Syslog5424Parser implements MessageParser<JSONObject>, Serializable } String originalString = new String(rawMessage); - List<JSONObject> returnList = new ArrayList<>(); + final List<JSONObject> returnList = new ArrayList<>(); Map<Object,Throwable> errorMap = new HashMap<>(); try (Reader reader = new BufferedReader(new StringReader(originalString))) { syslogParser.parseLines(reader, (m) -> { @@ -102,7 +118,13 @@ public class Syslog5424Parser implements MessageParser<JSONObject>, Serializable // be sure to put in the original string, and the timestamp. // we wil just copy over the timestamp from the syslog jsonObject.put("original_string", originalString); - setTimestamp(jsonObject); + try { + setTimestamp(jsonObject); + } catch (ParseException pe) { + errorMap.put(originalString,pe); + return; + } + messageProcessorOptional.ifPresent((c) -> c.accept(jsonObject)); returnList.add(jsonObject); },errorMap::put); @@ -116,12 +138,15 @@ public class Syslog5424Parser implements MessageParser<JSONObject>, Serializable } @SuppressWarnings("unchecked") - private void setTimestamp(JSONObject message) { + private void setTimestamp(JSONObject message) throws ParseException { String timeStampString = (String) message.get(SyslogFieldKeys.HEADER_TIMESTAMP.getField()); if (!StringUtils.isBlank(timeStampString) && !timeStampString.equals("-")) { - message.put("timestamp", timeStampString); + message.put("timestamp", SyslogUtils.parseTimestampToEpochMillis(timeStampString, deviceClock)); } else { - message.put("timestamp", LocalDateTime.now().format(DateTimeFormatter.ISO_DATE_TIME)); + message.put( + "timestamp", + LocalDateTime.now() + .toEpochSecond(ZoneOffset.UTC)); } } } 
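Review bot: The fallback branch of setTimestamp in the last hunk stores `LocalDateTime.now().toEpochSecond(ZoneOffset.UTC)`, which is epoch seconds while the branch above it now stores epoch millis from parseTimestampToEpochMillis, and LocalDateTime.now() is read in the JVM's default zone but then treated as UTC, so on any non-UTC host the value is additionally shifted by the local offset. `message.put("timestamp", deviceClock.millis());` keeps both branches in the same unit and removes the zone mix-up. In the `@@ -102,7 +118,13 @@` hunk the new catch records the failure as `errorMap.put(originalString, pe)`, where originalString is the whole input batch, so when two lines of one batch fail setTimestamp the second entry overwrites the first; if the library's error callback already hands over the offending line, keying on that (as the `errorMap::put` handler does) would preserve each failure. That hunk sits inside parseOptionalResult, whose start and return lie outside the diff.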
diff --git a/metron-platform/metron-parsing/metron-parsers-common/src/main/java/org/apache/metron/parsers/syslog/Syslog3164Parser.java b/metron-platform/metron-parsing/metron-parsers-common/src/main/java/org/apache/metron/parsers/syslog/Syslog3164Parser.java
new file mode 100644
index 0000000..632bcfd
--- /dev/null
+++ b/metron-platform/metron-parsing/metron-parsers-common/src/main/java/org/apache/metron/parsers/syslog/Syslog3164Parser.java
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.metron.parsers.syslog;
+
+import com.github.palindromicity.syslog.AllowableDeviations;
+import com.github.palindromicity.syslog.SyslogParser;
+import com.github.palindromicity.syslog.SyslogParserBuilder;
+import com.github.palindromicity.syslog.SyslogSpecification;
+
+import java.io.Serializable;
+import java.util.EnumSet;
+import java.util.Map;
+
+
+/**
+ * Parser for RFC 3164 messages.
+ */
+public class Syslog3164Parser extends BaseSyslogParser implements Serializable {
+
+ @Override
+ public SyslogParser buildSyslogParser(Map<String, Object> config) {
+ return new SyslogParserBuilder()
+ .forSpecification(SyslogSpecification.RFC_3164)
+ .withDeviations(EnumSet.of(AllowableDeviations.PRIORITY, AllowableDeviations.VERSION))
+ .build();
+ }
+}
diff --git a/metron-platform/metron-parsing/metron-parsers-common/src/main/java/org/apache/metron/parsers/syslog/Syslog5424Parser.java b/metron-platform/metron-parsing/metron-parsers-common/src/main/java/org/apache/metron/parsers/syslog/Syslog5424Parser.java
new file mode 100644
index 0000000..cacb0e4
--- /dev/null
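Review bot: buildSyslogParser is declared `protected abstract` in BaseSyslogParser, but this override makes it `public`, widening it into the class's public surface without any documentation; `protected SyslogParser buildSyslogParser(Map<String, Object> config)` keeps the contract the base class set, and a one-line javadoc should state that `config` is deliberately ignored because the RFC 3164 builder takes no options. The same widening and the redundant `implements Serializable` (BaseSyslogParser already implements it) also appear in the Syslog5424Parser hunk that follows. The class javadoc would also help operators if it noted that RFC 3164 timestamps carry no year or zone, so the epoch value the base class stores depends on the `deviceTimeZone` setting.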
+++ b/metron-platform/metron-parsing/metron-parsers-common/src/main/java/org/apache/metron/parsers/syslog/Syslog5424Parser.java 
@@ -0,0 +1,51 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.metron.parsers.syslog;
+
+import com.github.palindromicity.syslog.AllowableDeviations;
+import com.github.palindromicity.syslog.NilPolicy;
+import com.github.palindromicity.syslog.SyslogParser;
+import com.github.palindromicity.syslog.SyslogParserBuilder;
+import com.github.palindromicity.syslog.SyslogSpecification;
+
+import java.io.Serializable;
+import java.util.EnumSet;
+import java.util.Map;
+
+
+/**
+ * Parser for well structured RFC 5424 messages.
+ */
+public class Syslog5424Parser extends BaseSyslogParser implements Serializable {
+ public static final String NIL_POLICY_CONFIG = "nilPolicy";
+
+ @Override
+ public SyslogParser buildSyslogParser(Map<String, Object> config) {
+ // Default to OMIT policy for nil fields
+ // this means they will not be in the returned field set
+ String nilPolicyStr = (String) config.getOrDefault(NIL_POLICY_CONFIG, NilPolicy.OMIT.name());
+ NilPolicy nilPolicy = NilPolicy.valueOf(nilPolicyStr);
+ return new SyslogParserBuilder()
+ .forSpecification(SyslogSpecification.RFC_5424)
+ .withNilPolicy(nilPolicy)
+ .withDeviations(EnumSet.of(AllowableDeviations.PRIORITY, AllowableDeviations.VERSION))
+ .build();
+ }
+}
+
diff --git a/metron-platform/metron-parsing/metron-parsers-common/src/test/java/org/apache/metron/parsers/syslog/Syslog3164ParserTest.java b/metron-platform/metron-parsing/metron-parsers-common/src/test/java/org/apache/metron/parsers/syslog/Syslog3164ParserTest.java
new file mode 100644
index 0000000..6e8fb40
--- /dev/null
+++ b/metron-platform/metron-parsing/metron-parsers-common/src/test/java/org/apache/metron/parsers/syslog/Syslog3164ParserTest.java
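Review bot: `NilPolicy.valueOf(nilPolicyStr)` in buildSyslogParser turns a mistyped `nilPolicy` value into a bare "No enum constant" IllegalArgumentException that names neither the config key nor the accepted values, and the `(String)` cast on the line above fails with a ClassCastException if the value is not a string; this code now runs at configure time, so the failure surfaces as a topology start error that is hard to trace back to the config. Wrapping it as `NilPolicy nilPolicy;` / `try { nilPolicy = NilPolicy.valueOf(nilPolicyStr); }` / `catch (IllegalArgumentException e) { throw new IllegalArgumentException(NIL_POLICY_CONFIG + " must be one of " + Arrays.toString(NilPolicy.values()) + ", got: " + nilPolicyStr, e); }` (with java.util.Arrays imported) makes the error actionable. NIL_POLICY_CONFIG also deserves a javadoc naming the allowed values and the OMIT default that the inline comment currently carries.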
@@ -0,0 +1,187 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.metron.parsers.syslog; + +import com.github.palindromicity.syslog.dsl.SyslogFieldKeys; +import org.apache.metron.parsers.interfaces.MessageParserResult; +import org.json.simple.JSONObject; +import org.junit.Assert; +import org.junit.Test; + +import java.time.Instant; +import java.time.ZoneOffset; +import java.time.ZonedDateTime; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Optional; +import java.util.function.Consumer; + +import static org.junit.Assert.assertTrue; + +public class Syslog3164ParserTest { + + private static final String SYSLOG_LINE_ALL = "<181>2018-09-14T00:54:09+00:00 lzpqrst-admin.in.mycompany.com.lg CISE_RADIUS_Accounting 0018032501 1 0 2018-09-14 10:54:09.095 +10:00 0221114759 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=73, Device IP Address=00.00.000.0, RequestLatency=2, NetworkDeviceName=foo, User-Name=ACCOUNT-01\\\\\\\\D622322, NAS-IP-Address=00.00.000.0, NAS-Port=50742, Framed-IP-Address=00.00.000.000, Class=CACS:0A3D720400016DB [...] 
+ private static final String SYSLOG_LINE_MISSING = "2018-09-14T00:54:09+00:00 lzpqrst-admin.in.mycompany.com.lg CISE_RADIUS_Accounting 0018032501 1 0 2018-09-14 10:54:09.095 +10:00 0221114759 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=73, Device IP Address=00.00.000.0, RequestLatency=2, NetworkDeviceName=foo, User-Name=ACCOUNT-01\\\\\\\\D622322, NAS-IP-Address=00.00.000.0, NAS-Port=50742, Framed-IP-Address=00.00.000.000, Class=CACS:0A3D720400016DBF [...] + private static final String expectedMessage1 = "CISE_RADIUS_Accounting 0018032501 1 0 2018-09-14 10:54:09.095" + + " +10:00 0221114759 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=73, " + + "Device IP Address=00.00.000.0, RequestLatency=2, NetworkDeviceName=foo, " + + "User-Name=ACCOUNT-01\\\\\\\\D622322, NAS-IP-Address=00.00.000.0, NAS-Port=50742, " + + "Framed-IP-Address=00.00.000.000, Class=CACS:0A3D720400016DBFE530A22E:lzpqrst/323409315/14578982, " + + "Called-Station-ID=00-CA-E5-B1-21-AA, Calling-Station-ID=54-E1-AD-A1-27-72, Acct-Status-Type=Interim-Update, " + + "Acct-Delay-Time=10, Acct-Input-Octets=379294, Acct-Output-Octets=1053336, Acct-Session-Id=00025EB8, " + + "Acct-Input-Packets=1657, Acct-Output-Packets=2018, Event-Timestamp=1536886439, NAS-Port-Type=Ethernet, " + + "NAS-Port-Id=GigabitEthernet7/0/42, cisco-av-pair=dc-profile-name=Microsoft-Workstation, " + + "cisco-av-pair=dc-device-name=MSFT 5.0, cisco-av-pair=dc-device-class-tag=Workstation:Microsoft-Workstation, " + + "cisco-av-pair=dc-certainty-metric=10, " + + "cisco-av-pair=dc-opaque=\\000\\000\\000\\002\\000\\000\\000\\001\\000\\000\\000\\000, " + + "cisco-av-pair=dc-protocol-map=9, " + + "cisco-av-pair=dhcp-option=pad=" + + "1b:2e:01:08:ff:2e:01:08:ff:0a:90:84:51:0a:2c:08:0a:d0:52:31:0a:d0:5a:1b:2e:01:08:ff:2e:01:08:ff:79:f9:2b:" + + "ff:43:17:73:6d:73:62:6f:6f:74:5c:78:38:36:5c:77:64:73:6e:62:70:2e:63:6f:6d:00:ff:6f:6d:00:ff:00:00:00:00:00:" + + 
"00:00:00:00:00:00:00:00:00:00:00:00:00:00:22:23:54:00:00, cisco-av-pair=dhcp-option=00:ff:00:00, " + + "cisco-av-pair=dhcp-option=dhcp-parameter-request-list=" + + "1\\\\, 15\\\\, 3\\\\, 6\\\\, 44\\\\, 46\\\\, 47\\\\, 31\\\\, 33\\\\, 121\\\\, 249\\\\, 43\\\\, 252," + + " cisco-av-pair=dhcp-option=dhcp-class-identifier=MSFT 5.0, cisco-av-pair=dhcp-option=host-name=W00000PC0R1JC3," + + " cisco-av-pair=dhcp-option=dhcp-client-identifier=01:54:e1:ad:a1:27:72," + + " cisco-av-pair=dhcp-option=dhcp-message-type=8, cisco-av-pair=audit-session-id=0A3D720400016DBFE530A22E," + + " cisco-av-pair=method=dot1x, AcsSessionID=lzpqrst/323409315/14579377, SelectedAccessService=PEAP_MAB," + + " Step=11004, Step=11017, Step=15049, Step=15008, Step=22094, Step=11005, NetworkDeviceGroups=Stage#Deployment" + + " Type#Secure Mode D2, NetworkDeviceGroups=Location#All Locations#Placename#500 Exhibition St" + + " CompanyPlace#Level 18, NetworkDeviceGroups=Device Type#All Device Types#Access Switch#Catalyst 3850," + + " NetworkDeviceGroups=Location Type#Location Type#Office, CPMSessionID=0A3D720400016DBFE530A22E," + + " Stage=Stage#Deployment Type#Secure Mode D2, Location=Location#All Locations#Placename#500 Exhibition St" + + " CompanyPlace#Level 18, Device Type=Device Type#All Device Types#Access Switch#Catalyst 3850, Network Device" + + " Profile=Cisco, Location Type=Location Type#Location Type#Office"; + + private static final String expectedHostNameOne = "lzpqrst-admin.in.mycompany.com.lg"; + private static final String expectedPriOne = "181"; + private static final String expectedTimestampOne = "2018-09-14T00:54:09+00:00"; + private static final String expectedFacilityOne = "22"; + private static final String expectedSeverityOne = "5"; + + private static final String expectedHostNameTwo = "10.34.84.145"; + private static final String expectedMessage2 = "Aug 7 00:45:43 stage-pdp01 CISE_Profiler 0000024855 1 0 " + + "2014-08-07 00:45:43.741 -07:00 0000288542 80002 INFO Profiler: 
Profiler EndPoint profiling event occurred, " + + "ConfigVersionId=113, EndpointCertainityMetric=10, EndpointIPAddress=10.56.111.14, " + + "EndpointMacAddress=3C:97:0E:C3:F8:F1, EndpointMatchedPolicy=Nortel-Device, EndpointNADAddress=10.56.72.127, " + + "EndpointOUI=Wistron InfoComm(Kunshan)Co.\\,Ltd., EndpointPolicy=Nortel-Device, " + + "EndpointProperty=StaticAssignment=false\\,PostureApplicable=Yes\\,PolicyVersion=402\\," + + "IdentityGroupID=0c1d9270-68a6-11e1-bc72-0050568e013c\\,Total Certainty Factor=10\\," + + "BYODRegistration=Unknown\\,FeedService=false\\,EndPointPolicyID=49054ed0-68a6-11e1-bc72-0050568e013c\\," + + "FirstCollection=1407397543718\\,MatchedPolicyID=49054ed0-68a6-11e1-bc72-0050568e013c\\,TimeToProfile=19\\," + + "StaticGroupAssignment=false\\,NmapSubnetScanID=0\\,DeviceRegistrationStatus=NotRegistered\\,PortalUser=, " + + "EndpointSourceEvent=SNMPQuery Probe, EndpointIdentityGroup=Profiled, ProfilerServer=stage-pdp01.cisco.com,"; + private static final String expectedPriTwo = "181"; + private static final String expectedTimestampTwo = "Aug 6 17:26:31"; + private static final String expectedFacilityTwo = "22"; + private static final String expectedSeverityTwo = "5"; + + + @Test + public void testConfigureDefault() { + Map<String, Object> parserConfig = new HashMap<>(); + Syslog3164Parser testParser = new Syslog3164Parser(); + testParser.configure(parserConfig); + testParser.init(); + assertTrue(testParser.deviceClock.getZone().equals(ZoneOffset.UTC)); + } + + @Test + public void testConfigureTimeZoneOffset() { + Map<String, Object> parserConfig = new HashMap<>(); + parserConfig.put("deviceTimeZone", "UTC-05:00"); + Syslog3164Parser testParser = new Syslog3164Parser(); + testParser.configure(parserConfig); + testParser.init(); + ZonedDateTime deviceTime = ZonedDateTime.ofInstant(Instant.ofEpochSecond(1475323200), testParser.deviceClock.getZone()); + ZonedDateTime referenceTime = ZonedDateTime.ofInstant(Instant.ofEpochSecond(1475323200), 
ZoneOffset.ofHours(-5)); + assertTrue(deviceTime.isEqual(referenceTime)); + } + + @Test + public void testConfigureTimeZoneText() { + Map<String, Object> parserConfig = new HashMap<>(); + parserConfig.put("deviceTimeZone", "America/New_York"); + Syslog3164Parser testParser = new Syslog3164Parser(); + testParser.configure(parserConfig); + testParser.init(); + ZonedDateTime deviceTime = ZonedDateTime.ofInstant(Instant.ofEpochSecond(1475323200), testParser.deviceClock.getZone()); + ZonedDateTime referenceTime = ZonedDateTime.ofInstant(Instant.ofEpochSecond(1475323200), ZoneOffset.ofHours(-5)); + assertTrue(deviceTime.isEqual(referenceTime)); + } + + @Test + public void testHappyPath() { + test(expectedMessage1, (message) -> Assert.assertEquals(expectedHostNameOne, message.get(SyslogFieldKeys.HEADER_HOSTNAME.getField()))); + } + + + @Test() + public void testNotValid() { + test( "not valid", (message) -> Assert.assertTrue(false)); + } + + public void test( String line, Consumer<JSONObject> msgIdChecker) { + Syslog3164Parser parser = new Syslog3164Parser(); + Map<String, Object> config = new HashMap<>(); + parser.configure(config); + parser.parseOptionalResult(line.getBytes()); + } + + @Test + public void testReadMultiLine() throws Exception { + Syslog3164Parser parser = new Syslog3164Parser(); + Map<String, Object> config = new HashMap<>(); + parser.configure(config); + StringBuilder builder = new StringBuilder(); + builder + .append(SYSLOG_LINE_ALL) + .append("\n") + .append(SYSLOG_LINE_MISSING) + .append("\n") + .append(SYSLOG_LINE_ALL); + Optional<MessageParserResult<JSONObject>> resultOptional = parser.parseOptionalResult(builder.toString().getBytes()); + Assert.assertNotNull(resultOptional); + Assert.assertTrue(resultOptional.isPresent()); + List<JSONObject> parsedList = resultOptional.get().getMessages(); + Assert.assertEquals(3,parsedList.size()); + } + + @Test + public void testReadMultiLineWithErrors() throws Exception { + Syslog3164Parser parser = new 
Syslog3164Parser(); + Map<String, Object> config = new HashMap<>(); + parser.configure(config); + StringBuilder builder = new StringBuilder(); + builder + .append("HEREWEGO!!!!\n") + .append(SYSLOG_LINE_ALL) + .append("\n") + .append(SYSLOG_LINE_MISSING) + .append("\n") + .append("BOOM!\n") + .append(SYSLOG_LINE_ALL) + .append("\nOHMY!"); + Optional<MessageParserResult<JSONObject>> output = parser.parseOptionalResult(builder.toString().getBytes()); + Assert.assertTrue(output.isPresent()); + Assert.assertEquals(3,output.get().getMessages().size()); + Assert.assertEquals(3,output.get().getMessageThrowables().size()); + } +} \ No newline at end of file diff --git a/metron-platform/metron-parsing/metron-parsers/src/test/java/org/apache/metron/parsers/syslog/Syslog5424ParserTest.java b/metron-platform/metron-parsing/metron-parsers-common/src/test/java/org/apache/metron/parsers/syslog/Syslog5424ParserTest.java similarity index 80% rename from metron-platform/metron-parsing/metron-parsers/src/test/java/org/apache/metron/parsers/syslog/Syslog5424ParserTest.java rename to metron-platform/metron-parsing/metron-parsers-common/src/test/java/org/apache/metron/parsers/syslog/Syslog5424ParserTest.java index b3e4507..3c6c72f 100644 --- a/metron-platform/metron-parsing/metron-parsers/src/test/java/org/apache/metron/parsers/syslog/Syslog5424ParserTest.java +++ b/metron-platform/metron-parsing/metron-parsers-common/src/test/java/org/apache/metron/parsers/syslog/Syslog5424ParserTest.java @@ -25,6 +25,9 @@ import org.json.simple.JSONObject; import org.junit.Assert; import org.junit.Test; +import java.time.Instant; +import java.time.ZoneOffset; +import java.time.ZonedDateTime; import java.time.format.DateTimeFormatter; import java.util.HashMap; import java.util.List; 
@@ -32,6 +35,8 @@ import java.util.Map; import java.util.Optional; import java.util.function.Consumer; +import static org.junit.Assert.assertTrue; + public class Syslog5424ParserTest { private static final String SYSLOG_LINE_ALL = "<14>1 2014-06-20T09:14:07+00:00 loggregator" + " d0602076-b14a-4c55-852a-981e7afeed38 DEA MSG-01" 
@@ -66,6 +71,40 @@ public class Syslog5424ParserTest { private static final String expectedEventID1 = "1011"; private static final String expectedEventID2 = "2022"; + + @Test + public void testConfigureDefault() { + Map<String, Object> parserConfig = new HashMap<>(); + Syslog5424Parser testParser = new Syslog5424Parser(); + testParser.configure(parserConfig); + testParser.init(); + assertTrue(testParser.deviceClock.getZone().equals(ZoneOffset.UTC)); + } + + @Test + public void testConfigureTimeZoneOffset() { + Map<String, Object> parserConfig = new HashMap<>(); + parserConfig.put("deviceTimeZone", "UTC-05:00"); + Syslog5424Parser testParser = new Syslog5424Parser(); + testParser.configure(parserConfig); + testParser.init(); + ZonedDateTime deviceTime = ZonedDateTime.ofInstant(Instant.ofEpochSecond(1475323200), testParser.deviceClock.getZone()); + ZonedDateTime referenceTime = ZonedDateTime.ofInstant(Instant.ofEpochSecond(1475323200), ZoneOffset.ofHours(-5)); + assertTrue(deviceTime.isEqual(referenceTime)); + } + + @Test + public void testConfigureTimeZoneText() { + Map<String, Object> parserConfig = new HashMap<>(); + parserConfig.put("deviceTimeZone", "America/New_York"); + Syslog5424Parser testParser = new Syslog5424Parser(); + testParser.configure(parserConfig); + testParser.init(); + ZonedDateTime deviceTime = ZonedDateTime.ofInstant(Instant.ofEpochSecond(1475323200), testParser.deviceClock.getZone()); + ZonedDateTime referenceTime = ZonedDateTime.ofInstant(Instant.ofEpochSecond(1475323200), ZoneOffset.ofHours(-5)); + assertTrue(deviceTime.isEqual(referenceTime)); + } + @Test public void testHappyPath() { test(null, SYSLOG_LINE_ALL, (message) -> Assert.assertEquals(expectedMessageId, message.get(SyslogFieldKeys.HEADER_MSGID.getField()))); 
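Review bot: The three new timezone tests cannot fail on a wrong zone, because `ZonedDateTime.isEqual` compares only the instant and both `deviceTime` and `referenceTime` are built from the same `Instant.ofEpochSecond(1475323200)`; only `testConfigureDefault` actually inspects `deviceClock.getZone()`. Assert on the offset the configured zone produces instead, e.g. in `testConfigureTimeZoneOffset` replace the final assert with `assertEquals(referenceTime.getOffset(), deviceTime.getOffset());`. Note that 1475323200 is 2016-10-01T12:00Z, when America/New_York observes daylight time (UTC-4), so once `testConfigureTimeZoneText` compares offsets its reference must be `ZoneOffset.ofHours(-4)` (or a winter instant must be chosen). The identical tests added to Syslog3164ParserTest earlier in this commit have the same gap.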
@@ -151,13 +190,13 @@ public class Syslog5424ParserTest { public void testMissingTimestamp() { Syslog5424Parser parser = new Syslog5424Parser(); Map<String, Object> config = new HashMap<>(); + String timeStampString = null; config.put(Syslog5424Parser.NIL_POLICY_CONFIG, NilPolicy.DASH.name()); parser.configure(config); Optional<MessageParserResult<JSONObject>> output = parser.parseOptionalResult(SYSLOG_LINE_MISSING_DATE.getBytes()); Assert.assertNotNull(output); Assert.assertTrue(output.isPresent()); - String timeStampString = output.get().getMessages().get(0).get("timestamp").toString(); - DateTimeFormatter.ISO_DATE_TIME.parse(timeStampString); + Assert.assertNotNull(output.get().getMessages().get(0).get("timestamp").toString()); config.clear(); config.put(Syslog5424Parser.NIL_POLICY_CONFIG, NilPolicy.NULL.name()); parser.configure(config); @@ -165,8 +204,7 @@ public class Syslog5424ParserTest { Assert.assertNotNull(output); Assert.assertTrue(output.isPresent()); timeStampString = output.get().getMessages().get(0).get("timestamp").toString(); - DateTimeFormatter.ISO_DATE_TIME.parse(timeStampString); - + Assert.assertNotNull(timeStampString); config.clear(); config.put(Syslog5424Parser.NIL_POLICY_CONFIG, NilPolicy.OMIT.name()); parser.configure(config); @@ -174,8 +212,5 @@ public class Syslog5424ParserTest { output = parser.parseOptionalResult(SYSLOG_LINE_MISSING_DATE.getBytes()); Assert.assertNotNull(output); Assert.assertTrue(output.isPresent()); - - timeStampString = output.get().getMessages().get(0).get("timestamp").toString(); - DateTimeFormatter.ISO_DATE_TIME.parse(timeStampString); } } \ No newline at end of file diff --git a/metron-platform/metron-parsing/metron-parsers/README.md b/metron-platform/metron-parsing/metron-parsers/README.md index 98e0094..aac66b0 100644 --- a/metron-platform/metron-parsing/metron-parsers/README.md +++ b/metron-platform/metron-parsing/metron-parsers/README.md 
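Review bot: `Assert.assertNotNull(output.get().getMessages().get(0).get("timestamp").toString())` in the DASH case is vacuous: `toString()` never returns null, and if the `timestamp` value were null the line throws a NullPointerException instead of a clear assertion failure; the same pattern repeats for the NULL case in the next hunk. Capture the map value and assert on it, `Object ts = output.get().getMessages().get(0).get("timestamp"); Assert.assertNotNull(ts);`, and if the value is still expected to be ISO-8601 keep the `DateTimeFormatter.ISO_DATE_TIME.parse(ts.toString())` check this hunk removes — otherwise assert the placeholder the policy is meant to produce rather than nothing. With the parse calls gone, `java.time.format.DateTimeFormatter` appears to have no remaining use in this file and should be dropped from the imports.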
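Review bot: After the last hunk the OMIT-policy case asserts nothing about the `timestamp` field: the removed lines were its only check, and what remains only verifies that a message was produced. Add an assertion for what OMIT is supposed to give — presumably that the key is absent, `Assert.assertFalse(output.get().getMessages().get(0).containsKey("timestamp"));` — or, if the base parser fills the field from the device clock in this case, assert that value instead. Without it a regression in NilPolicy handling would pass this test.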
@@ -29,7 +29,6 @@ The included parsers are: * PaloAlto * Snort * Sourcefire -* Syslog * Websphere The basic parsers and their details can be found at [README](../metron-parsers-common#README.md). diff --git a/metron-platform/metron-parsing/metron-parsers/pom.xml b/metron-platform/metron-parsing/metron-parsers/pom.xml index d8b6825..c3f5d30 100644 --- a/metron-platform/metron-parsing/metron-parsers/pom.xml +++ b/metron-platform/metron-parsing/metron-parsers/pom.xml @@ -64,11 +64,6 @@ </exclusions> </dependency> <dependency> - <groupId>com.github.palindromicity</groupId> - <artifactId>simple-syslog-5424</artifactId> - <version>${global_simple_syslog_version}</version> - </dependency> - <dependency> <groupId>org.apache.metron</groupId> <artifactId>metron-parsers-common</artifactId> <version>${project.parent.version}</version> diff --git a/metron-platform/metron-parsing/metron-parsing-storm/src/main/resources/META-INF/NOTICE b/metron-platform/metron-parsing/metron-parsing-storm/src/main/resources/META-INF/NOTICE index c773ab7..767d1ac 100644 --- a/metron-platform/metron-parsing/metron-parsing-storm/src/main/resources/META-INF/NOTICE +++ b/metron-platform/metron-parsing/metron-parsing-storm/src/main/resources/META-INF/NOTICE @@ -37,4 +37,10 @@ Copyright 2006-2011 Google, Inc. Apache Software Foundation that were originally developed at iClick, Inc., software copyright (c) 1999. + (ASLv2) simple-syslog + The following NOTICE information applies: + simple-syslog + https://github.com/palindromicity/simple-syslog + + Copyright 2018 simple-syslog authors. diff --git a/pom.xml b/pom.xml index c352813..ab9dfa4 100644 --- a/pom.xml +++ b/pom.xml 
@@ -121,7 +121,7 @@
 <global_reflections_version>0.9.10</global_reflections_version>
 <global_checkstyle_version>8.0</global_checkstyle_version>
 <global_log4j_core_version>2.1</global_log4j_core_version>
- <global_simple_syslog_version>0.0.9</global_simple_syslog_version>
+ <global_simple_syslog_version>0.0.1</global_simple_syslog_version>
 <global_spark_version>2.3.1</global_spark_version>
 <global_httpclient_version>4.3.2</global_httpclient_version>
 <global_aesh_version>0.66.19</global_aesh_version>