
[FILTERADD] Support Limited relay where RFC5424 is contained in the M…
…ESSAGE field of a BSD event (#565)

* [FILTERADD] Support RFC5424 relay via BSD

Addresses #549 sub-issue one by supporting relayed RFC 5424 messages when they are contained in the MESSAGE field of a BSD-format event.

* update
Ryan Faircloth authored and GitHub committed Jul 10, 2020
1 parent 7993086 commit 3d2df67
Showing 3 changed files with 16 additions and 1 deletion.
6 changes: 5 additions & 1 deletion package/etc/conf.d/conflib/_common/syslog_format.conf
@@ -1,6 +1,10 @@
filter f_rfc5424_strict{
message('^\<(?<PRI>\d+)\>(?<VERSION>\d{1,2})? (?<YEAR>\d+)-(?<MONTH>\d+)-(?<DAY>\d+)T(?<HOUR>\d+):(?<MINUTE>\d+):(?<SECOND>\d+)(?:\.(?<MILLISECONDS>\d+))?(?<OFFSET>Z|[\+-] *\d+:\d+) (?<HOSTNAME>(-)|[^ ]+) (?<APPNAME>(?:-)|[!-~]+) (?<PROCID>(?:-)|[!-~]+) (?<MSGID>(?:-)|[!-~]+) *(?<STRUCDATA>(?:-)|\[.*?\]) *(?<MSG>(?:-)| .*)?$');
};
};
filter f_rfc5424_bsd_encapsulated{
message('^(<\d+>)\w+ \d{1,2} \d\d:\d\d:\d\d [^ ]+ ((?<VERSION>\d{1,2})? (?<YEAR>\d+)-(?<MONTH>\d+)-(?<DAY>\d+)T(?<HOUR>\d+):(?<MINUTE>\d+):(?<SECOND>\d+)(?:\.(?<MILLISECONDS>\d+))?(?<OFFSET>Z|[\+-] *\d+:\d+) (?<HOSTNAME>(-)|[^ ]+) (?<APPNAME>(?:-)|[!-~]+) (?<PROCID>(?:-)|[!-~]+) (?<MSGID>(?:-)|[!-~]+) *(?<STRUCDATA>(?:-)|\[.*?\]) *(?<MSG>(?:-)| .*)?)$'
flags(store-matches));
};
filter f_rfc5424_noversion{
message('^(?<SYSLOGMSG>(?<HEADER>(?<PRI><\d{1,3}>) ?(?<TIMESTAMP>(?<FULLDATE>(?<FULLDATEYEAR>\d{4})-(?<FULLDATEMONTH>\d\d)-(?<FULLDATEDAY>\d\d))T(?<FULLTIME>(?<PARTIALTIME>(?<TIMEHOUR>[0-2]\d):(?<TIMEMINUTE>[0-5]\d):(?<TIMESECOND>[0-5]\d)(?:.(?<TIMESECFRAC>\d{1,6}))?)(?<TIMEOFFSET>Z|(?<TIMENUMOFFSET>[+\-][0-2]\d:[0-5]\d))))))');
};
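Review bot: The BSD header prefix in `f_rfc5424_bsd_encapsulated` (`\w+ \d{1,2} \d\d:\d\d:\d\d`) will not match relayed events whose day is single-digit, because RFC 3164 pads the day with a space (`Jun  9 10:54:02`) while the pattern allows exactly one space between month and day; `\w+ {1,2}\d{1,2} \d\d:\d\d:\d\d` keeps the rest of the expression intact. Separately, `(?<VERSION>\d{1,2})?` is optional, so a BSD event whose body merely begins with an ISO timestamp and no version is also routed down this path; if the syslog-parser in `syslog-protocol` mode needs the version, that presumably fails rather than falling through, so either make the version mandatory here or confirm the parser's behaviour on such input. The relay's own HOSTNAME token is consumed by the uncaptured `[^ ]+` and is not recoverable downstream. A comment above the filter such as `# $1 = outer BSD PRI, $2 = encapsulated RFC 5424 header+body (store-matches); used by source_network.t` would explain the two positional groups.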
8 changes: 8 additions & 0 deletions package/etc/go_templates/source_network.t
Expand Up @@ -160,6 +160,14 @@ source s_{{ .port_id }} {
syslog-parser(flags(assume-utf8, syslog-protocol));
};
rewrite(set_rfc5424_strict);
} elif {
filter(f_rfc5424_bsd_encapsulated);
parser {
syslog-parser(
template("$1$2")
flags(assume-utf8, syslog-protocol));
};
rewrite(set_rfc5424_strict);
} elif {
parser (p_cisco_meraki);
rewrite(set_rfc5424_epochtime);
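Review bot: The re-parse with `template("$1$2")` replaces every header field ($HOST, $PROGRAM, $PID, timestamp) with values taken from the body of an event received from the relay, and the relay's own hostname — the BSD HOSTNAME token the filter consumes before `$2` — is discarded, so nothing downstream can tell that the resulting host was asserted by an intermediate hop rather than observed on the socket. Where host attribution matters, preserve the hop before the re-parse, e.g. `rewrite { set("${HOST}" value("relay_host")); };` immediately before the `parser { … }` block (assuming $HOST still reflects the sender at that point and adjusting the field name to the project's conventions). A one-line comment on the `elif`, such as `# RFC 5424 payload relayed inside the MESSAGE field of a BSD event; $1 = outer PRI, $2 = inner message (store-matches from f_rfc5424_bsd_encapsulated)`, would spare readers a trip to syslog_format.conf. The enclosing `source s_{{ .port_id }}` block starts and ends outside the hunk.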
3 changes: 3 additions & 0 deletions tests/test_vmware.py
Expand Up @@ -158,3 +158,6 @@ def test_linux_vmware_horizon_ietf(record_property, setup_wordlist, setup_splunk
record_property("message", message)

assert resultCount == 1

#TODO Add test
#<182>Jun 29 10:54:02 172.16.000.000 1 2020-06-29T10:52:50.786+01:00 nma01af.xxx.xxxxxxxxx.xx.xx.xx NSXV 6152 - [nsxv@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Start executing task: task-3308094 and running executor threads 1
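Review bot: The BSD-encapsulated path lands with only a TODO and a sample event, so neither the happy path nor a single-digit-day header (`Jun  9 …`, which RFC 3164 pads with a space) is exercised. The commented sample is enough to add a test following the pattern of `test_linux_vmware_horizon_ietf` above (whose body ends outside the hunk), checking that the parsed host and program come from the inner message (`nma01af…`, `NSXV`) rather than the relay address, with a second case using a padded day to pin the regex. `172.16.000.000` is an anonymised placeholder rather than a valid dotted quad, which is fine for a fixture but worth a short comment so nobody "corrects" it.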
