structured syslog fields are now parsed
into additional_fields. fixes #SERVER.93, relates #SERVER-92
Lennart Koopmann
committed
Dec 25, 2011
1 parent
00e964e
commit f8a3529
Showing
6 changed files
with
242 additions
and
1 deletion.
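--- a/src/main/java/org/graylog2/messagehandlers/syslog/StructuredSyslog.java
+++ b/src/main/java/org/graylog2/messagehandlers/syslog/StructuredSyslog.java
@@ -0,0 +1,70 @@
+/**
+* Copyright 2011 Lennart Koopmann <lennart@socketfeed.com>
+*
+* This file is part of Graylog2.
+*
+* Graylog2 is free software: you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation, either version 3 of the License, or
+* (at your option) any later version.
+*
+* Graylog2 is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with Graylog2. If not, see <http://www.gnu.org/licenses/>.
+*
+*/
+
+package org.graylog2.messagehandlers.syslog;
+
+import java.net.InetAddress;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+import org.apache.log4j.Logger;
+import org.productivity.java.syslog4j.server.impl.event.structured.StructuredSyslogServerEvent;
+
+/**
+* StructuredSyslog.java: Dec 24, 2011 5:32:06 PM
+*
+* Parses structured syslog data.
+*
+* @author Lennart Koopmann <lennart@socketfeed.com>
+*/
+public class StructuredSyslog {
+
+private static final Logger LOG = Logger.getLogger(StructuredSyslog.class);
+
+public static Map<String, String> extractFields(byte[] rawSyslogMessage) {
+Map<String, String> fields = new HashMap<String, String>();
+try {
+StructuredSyslogServerEvent s = new StructuredSyslogServerEvent(
+rawSyslogMessage,
+rawSyslogMessage.length,
+InetAddress.getLocalHost()
+);
+
+Map raw = s.getStructuredMessage().getStructuredData();
+if (raw != null) {
+Set ks = raw.keySet();
+if (ks.size() > 0) {
+Object[] fl = raw.keySet().toArray();
+
+if (fl != null && fl.length > 0) {
+String sdID = (String) fl[0];
+fields = (HashMap) raw.get(sdID);
+}
+}
+}
+} catch (Exception e) {
+LOG.debug("Could not extract structured syslog", e);
+return new HashMap();
+}
+
+return fields;
+}
+
+}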
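Review bot: `extractFields` keeps only the SD element at `fl[0]` of `getStructuredData()` and drops every other SD-ID, so an RFC 5424 message carrying several `[...]` elements silently loses fields, and if that map is a HashMap (its concrete type is not visible here) which element comes first is not stable between runs. Merging all elements is a few lines: iterate `raw.entrySet()` and `fields.putAll((Map) entry.getValue())` with a null check on the value, or at least state the single-element limitation in the method Javadoc. `InetAddress.getLocalHost()` is also evaluated per message, can involve a name lookup and can throw `UnknownHostException`, which this code would then log at debug level and report as "no structured data"; it is only used as the event's sender address and could be resolved once into a `static final` field, with the catch narrowed so a resolver problem is not mistaken for a parse failure. The returned map is the parser's own `HashMap` whose keys and values arrive verbatim from the wire, so the Javadoc should say it is unsanitized and callers that turn those keys into field or index names must validate them.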
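--- a/src/main/java/org/graylog2/messagehandlers/syslog/Tokenizer.java
+++ b/src/main/java/org/graylog2/messagehandlers/syslog/Tokenizer.java
@@ -0,0 +1,47 @@
+/**
+* Copyright 2011 Lennart Koopmann <lennart@socketfeed.com>
+*
+* This file is part of Graylog2.
+*
+* Graylog2 is free software: you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation, either version 3 of the License, or
+* (at your option) any later version.
+*
+* Graylog2 is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with Graylog2. If not, see <http://www.gnu.org/licenses/>.
+*
+*/
+
+package org.graylog2.messagehandlers.syslog;
+
+import java.util.HashMap;
+import java.util.Map;
+import org.productivity.java.syslog4j.server.impl.event.SyslogServerEvent;
+
+/**
+* Tokenizer.java: Dec 24, 2011 4:54:31 PM
+*
+* Breaks down syslog messages into additional_fields if they could not
+* be parsed as structured syslog.
+*
+* @author Lennart Koopmann <lennart@socketfeed.com>
+*/
+public class Tokenizer {
+
+char[] chseparators = { '=' };
+
+public static Map extractAdditionalFields(SyslogServerEvent msg) {
+Map extracted = new HashMap();
+
+return extracted;
+}
+
+// No spaces between = and
+
+}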
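Review bot: `extractAdditionalFields` is a stub that returns an empty map for every input, yet nothing in the class says so; the class Javadoc promises tokenization that does not exist, so a caller wired up now silently gets no fields. Mark it explicitly with a method Javadoc such as `/** Not yet implemented: always returns an empty map. TODO: split the message into key=value tokens. */`, and either finish or drop the truncated comment `// No spaces between = and`. The package-private instance field `chseparators` is unused by the only (static) method; make it `private static final` once the tokenizer is written, or leave it out until then. The raw `Map` return type should be `Map<String, String>` to match `StructuredSyslog.extractFields`, which this class is documented as the fallback for.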
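--- a/src/test/java/org/graylog2/messagehandlers/syslog/StructuredSyslogTest.java
+++ b/src/test/java/org/graylog2/messagehandlers/syslog/StructuredSyslogTest.java
@@ -0,0 +1,58 @@
+/**
+* Copyright 2011 Lennart Koopmann <lennart@socketfeed.com>
+*
+* This file is part of Graylog2.
+*
+* Graylog2 is free software: you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation, either version 3 of the License, or
+* (at your option) any later version.
+*
+* Graylog2 is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with Graylog2. If not, see <http://www.gnu.org/licenses/>.
+*
+*/
+
+package org.graylog2.messagehandlers.syslog;
+
+import java.util.HashMap;
+import java.util.Map;
+import org.junit.Test;
+import static org.junit.Assert.*;
+
+public class StructuredSyslogTest {
+
+// http://tools.ietf.org/rfc/rfc5424.txt
+public static String ValidStructuredMessage = "<165>1 2012-12-25T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"] BOMAn application event log entry";
+public static String ValidNonStructuredMessage = "<86>Dec 24 17:05:01 nb-lkoopmann CRON[10049]: pam_unix(cron:session): session closed for user root";
+public static String MessageLookingLikeStructured = "<133>NOMA101FW01A: NetScreen device_id=NOMA101FW01A [Root]system-notification-00257(traffic): start_time=\"2011-12-23 17:33:43\" duration=0 reason=Creation";
+
+@Test
+public void testExtractFields() {
+Map expected = new HashMap();
+expected.put("eventSource", "Application");
+expected.put("eventID", "1011");
+expected.put("iut", "3");
+
+Map result = StructuredSyslog.extractFields(ValidStructuredMessage.getBytes());
+assertEquals(expected, result);
+}
+
+@Test
+public void testExtractFieldsOfNonStructuredMessage() {
+Map result = StructuredSyslog.extractFields(ValidNonStructuredMessage.getBytes());
+assertEquals(0, result.size());
+}
+
+@Test
+public void testExtractFieldsOfAMessageThatOnlyLooksStructured() {
+Map result = StructuredSyslog.extractFields(MessageLookingLikeStructured.getBytes());
+assertEquals(0, result.size());
+}
+
+}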
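Review bot: The three cases cover one well-formed single-element message and two messages without structured data, but not the inputs a network-facing parser is most likely to mishandle: a message with two SD elements such as `[exampleSDID@32473 iut="3"][examplePriority@32473 class="high"]`, the `-` NILVALUE in the STRUCTURED-DATA position, and a malformed element like `[exampleSDID@32473 iut="3"` with no closing bracket. Each should at least assert that `extractFields` returns without throwing, and the two-element case would pin down whether fields from the second element are kept or dropped, which the current implementation leaves implicit. The fixtures are converted with `getBytes()` on the platform default charset; RFC 5424 payloads are UTF-8, so use `getBytes("UTF-8")` now so a later non-ASCII fixture (the `BOM` placeholder hints at one) does not become platform-dependent. `expected` and `result` can be declared as `Map<String, String>` since `extractFields` already returns that type, which also lets the compiler catch a wrong value type in `expected.put`.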