From 3d903c7d80b8b4f46b56339a80a61ce9012ec100 Mon Sep 17 00:00:00 2001
From: nandinivij <61885842+nandinivij@users.noreply.github.com>
Date: Sun, 26 Jul 2020 06:20:52 -0700
Subject: [PATCH] [filter] Added BSD format support in loggen filter (#582)
* Added BSD format support in loggen filter/ Added test for bsd format
* Add `-F` option to loggen example
* Add `-F` option to RFC 5424 loggen example to send _without_ IETF framing
Co-authored-by: mbonsack
---
 docs/sources/Loggen/index.md | 4 +--
 .../log_paths/lp-syslogng_loggen.conf.tmpl | 10 ++------
 tests/test_loggen.py | 25 ++++++++++++++++---
 3 files changed, 26 insertions(+), 13 deletions(-)
diff --git a/docs/sources/Loggen/index.md b/docs/sources/Loggen/index.md
index 839d66d..16047b8 100644
--- a/docs/sources/Loggen/index.md
+++ b/docs/sources/Loggen/index.md
@@ -4,14 +4,14 @@
 | Ref | Link |
 |----------------|---------------------------------------------------------------------------------------------------------|
-| Product Manual | https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/87 |
+| Product Manual | https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.26/administration-guide/96#loggen.1 |
 ### Sourcetypes
 | sourcetype | notes |
 |----------------|---------------------------------------------------------------------------------------------------------|
-| syslogng:loggen | None |
+| syslogng:loggen | By default, loggen uses the legacy BSD-syslog message format.
BSD example:
`loggen --inet --dgram --number 1 `
RFC5424 example:
`loggen --inet --dgram -PF --number 1 `
Refer to above manual link for more examples. |
 ### Index Configuration
diff --git a/package/etc/conf.d/log_paths/lp-syslogng_loggen.conf.tmpl b/package/etc/conf.d/log_paths/lp-syslogng_loggen.conf.tmpl
index 0b8d7f9..daa069c 100644
--- a/package/etc/conf.d/log_paths/lp-syslogng_loggen.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-syslogng_loggen.conf.tmpl
@@ -15,7 +15,6 @@ log {
 channel {
 # Listen on the default port (typically 514) for SYSLOGNG_LOGGEN traffic
 source (s_DEFAULT);
-filter(f_is_rfc5424_strict);
 filter(f_syslogng_loggen);
 flags(final);
 };
@@ -35,13 +34,8 @@ log {
 parser { p_add_context_splunk(key("syslogng_loggen")); };
 parser (compliance_meta_by_source);
-if {
-filter(f_is_rfc5424_strict);
-rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG")); };
-} else {
-rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
+rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
-};
 {{- /* Check environment variables (and defaults if unset) for sending to the HEC */}}
 {{- /* destination. When more destination options are offered in SC4S, this is where */}}
@@ -72,4 +66,4 @@ log {
 # All passes through any matching log path will be final
 flags(flow-control,final);
-};
\ No newline at end of file
+};
diff --git a/tests/test_loggen.py b/tests/test_loggen.py
index 606d2bc..5b1278a 100644
--- a/tests/test_loggen.py
+++ b/tests/test_loggen.py
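Review bot: Removing the whole `if { filter(f_is_rfc5424_strict); ... t_JSON_5424 ... } else { ... t_legacy_hdr_msg ... }` block in the second hunk means every loggen event, including the RFC 5424 form that `test_loggen_rfc` in tests/test_loggen.py still exercises, is now rendered through `t_legacy_hdr_msg` rather than `t_JSON_5424`; only the `filter(f_is_rfc5424_strict)` in the `channel` block had to go to admit BSD messages. If collapsing both formats onto the legacy template is intended, a comment above the remaining `rewrite` such as `# loggen traffic may be BSD or RFC 5424; both are rendered with the legacy header template` would stop the next reader from re-adding the branch; if it is not, the `if`/`else` should stay. Whether `t_JSON_5424` carried RFC 5424 structured-data fields that are now dropped from the indexed event cannot be told from this hunk. The enclosing `log {` block starts and ends outside all three hunks.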
@@ -5,13 +5,11 @@ from .sendmessage import *
 from .splunkutils import *
 from .timeutils import *
-import logging
-logger = logging.getLogger(__name__)
 env = Environment()
 # <38>1 2020-07-21T21:05:56+02:00 localhost prg00000 1234 - - seq: 0000000000, thread: 0000, runid: 1595365556, stamp: 2020-07-21T21:05:56 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPAD
-def test_loggen(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+def test_loggen_rfc(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
     pid = random.randint(1000, 32000)
@@ -32,3 +30,24 @@ def test_loggen(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     assert resultCount == 1
+#<38>2020-07-24T17:04:52 localhost prg00000[1234]: seq: 0000000008, thread: 0000, runid: 1595610292, stamp: 2020-07-24T17:04:52 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADD
+def test_loggen_bsd(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+    host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+    dt = datetime.datetime.now()
+
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+    iso = dt.isoformat()[0:19]
+    epoch = epoch[:-7]
+    mt = env.from_string("<38>{{iso}} {{ host }} prg00000[1234]: seq: 0000000008, thread: 0000, runid: 1595610292, stamp: {{iso}} PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDBSD\n")
+    message = mt.render(iso=iso, host=host)
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+    st = env.from_string("search _time={{ epoch }} index=main host=\"{{ host }}\" sourcetype=\"syslogng:loggen\"")
+    search = st.render(epoch=epoch, host=host)
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1
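Review bot: In `test_loggen_bsd` the seven-way unpack `iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)` binds six names that are never read, and `iso` is overwritten on the very next line by `dt.isoformat()[0:19]`; `time` and `date` would also shadow those module/class names if the star imports above bring them in. Replacing it with `*_, epoch = time_operations(dt)` keeps only what the test uses. Separately, the rendered message carries a timestamp with no timezone offset (`<38>{{iso}} ...`), so the `_time={{ epoch }}` search presumably only matches when sc4s interprets that naive timestamp in the same zone `datetime.datetime.now()` used on the test host; a comment on the `epoch = epoch[:-7]` line stating what the slice trims and which zone is assumed would make that dependency explicit, since neither is visible here. The `#<38>...` sample comment would read better as `# <38>...`, matching the RFC sample above.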