some cisco routers produce a message of form <32>9032: 51w2d: ... message no hostname, #5

Merged
merged 3 commits into from

2 participants

@fygrave

...ssage

@squeeks squeeks commented on the diff
lib/glossy/parse.js
@@ -162,6 +162,14 @@ function parseMessage(rawMessage, callback) {
}
parsedMessage.message = segments.join(' ');
+ } else if (segments[0].match(/^(<\d+>\d+:)$/)) {
+ parsedMessage.type = 'RFC3164';
+ var timeStamp = segments.splice(0,1).join(' ').replace(/^(<\d+>)/,'');
+ parsedMessage.time = parseTimeStamp(timeStamp);
+ //parsedMessage.host = segments.shift();
+ parsedMessage.host = "unknown"; // no host?
@squeeks Owner
squeeks added a note

I think it would be better if this was set to null instead, and the commented line above can be removed.

@squeeks
Owner

Thank you very much for this, however would it be possible for you to include tests? Just take a look at test/parse.js and include some to cover whatever cases are for this.

@fygrave

Sure. I'll add tests.

@fygrave

Tests included. I also included some logs generated by buggy (i.e. null included) and non-English systems (Chinese in this case).

@squeeks
Owner

I can't merge this in until the tests pass, at present your fork is broken.

@fygrave

Apologies for not testing it on parse.js a priori. I moved my tests to the bottom of the array, so it runs properly now.

@squeeks squeeks merged commit b789be3 into from
Commits on Mar 18, 2012
  1. @fygrave
Commits on Apr 2, 2012
  1. @fygrave

    added some tests

    fygrave authored
  2. @fygrave

    Typo..

    fygrave authored
Showing with 14 additions and 2 deletions.
  1. +9 −1 lib/glossy/parse.js
  2. +5 −1 test/parse.js
10 lib/glossy/parse.js
@@ -125,7 +125,7 @@ function parseMessage(rawMessage, callback) {
}
//TODO Could our detection between 3164/5424 be improved?
- if(segments[0].match(/^(<\d+>\d)/)) {
+ if(segments[0].match(/^(<\d+>\d)$/)) {
parsedMessage.type = 'RFC5424';
segments.shift(); // Shift the prival off
var timeStamp = segments.shift();
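Review bot: the new `$` anchor in `/^(<\d+>\d)$/` limits RFC5424 detection to a single-digit version, while RFC 5424 allows a VERSION of up to three digits (a nonzero digit followed by up to two more). A first segment such as `<34>10` would stop matching here and fall through to the `^(<\d+>\w+)` RFC3164 branch, so the message would be typed and split as the wrong format. Suggest `/^<\d+>[1-9]\d{0,2}$/`, which still excludes the `<191>94103:` form this change makes room for; the capture group can go as well, since the match is only used as a condition.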
@@ -162,6 +162,14 @@ function parseMessage(rawMessage, callback) {
}
parsedMessage.message = segments.join(' ');
+ } else if (segments[0].match(/^(<\d+>\d+:)$/)) {
+ parsedMessage.type = 'RFC3164';
+ var timeStamp = segments.splice(0,1).join(' ').replace(/^(<\d+>)/,'');
+ parsedMessage.time = parseTimeStamp(timeStamp);
+ //parsedMessage.host = segments.shift();
+ parsedMessage.host = "unknown"; // no host?
+ parsedMessage.message = segments.join(' ');
+
} else if(segments[0].match(/^(<\d+>\w+)/)){
parsedMessage.type = 'RFC3164';
var timeStamp = segments.splice(0,3).join(' ').replace(/^(<\d+>)/,'');
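Review bot: in the new `^(<\d+>\d+:)$` branch, `segments.splice(0,1)` removes only the first segment, so once the prival is stripped the value handed to `parseTimeStamp` is the `\d+:` counter (`94103:` in the sample added to test/parse.js), not a date. The uptime token that follows it (`51w2d:`) is left in `parsedMessage.message`. Anything that orders or correlates events by `parsedMessage.time` would be working from a sequence number, so suggest leaving `time` unset (or using the receive time) in this branch and keeping the counter in a field of its own. The string `"unknown"` for `host` is also indistinguishable from a device that really reports that name, which supports the request in review to use `null`.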
6 test/parse.js
@@ -12,7 +12,11 @@ var messages = [
"<13>Feb 5 17:32:18 10.0.0.99 Use the BFG!",
"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
'<110>1 2009-05-03T14:00:39.519307+02:00 host.example.org syslogd 2138 - [ssign-cert VER="0111" RSID="1" SG="0" SPRI="0" TPBL="587" INDEX="1" FLEN="587" FRAG="2009-05-03T14:00:39.519005+02:00 K BACsLMZ NCV2NUAwe4RAeAnSQuvv2KS51SnHFAaWJNU2XVDYvW1LjmJgg4vKvQPo3HEOD+2hEkt1zcXADe03u5pmHoWy5FGiyCbglYxJkUJJrQqlTSS6vID9yhsmEnh07w3pOsxmb4qYo0uWQrAAenBweVMlBgV3ZA5IMA8xq8l+i8wCgkWJjCjfLar7s+0X3HVrRroyARv8EAIYoxofh9m N8n821BTTuQnz5hp40d6Z3UudKePu2di5Mx3GFelwnV0Qh5mSs0YkuHJg0mcXyUAoeYry5X6482fUxbm+gOHVmYSDtBmZEB8PTEt8Os8aedWgKEt/E4dT+Hmod4omECLteLXxtScTMgDXyC+bSBMjRRCaeWhHrYYdYBACCWMdTc12hRLJTn8LX99kv1I7qwgieyna8GCJv/rEgC ssS9E1qARM+h19KovIUOhl4VzBw3rK7v8Dlw/CJyYDd5kwSvCwjhO21LiReeS90VPYuZFRC1B82Sub152zOqIcAWsgd4myCCiZbWBsuJ8P0gtarFIpleNacCc6OV3i2Rg==" SIGN="AKAQEUiQptgpd0lKcXbuggGXH/dCdQCgdysrTBLUlbeGAQ4vwrnLOqSL7+c="]',
- '<110>1 2009-05-03T14:00:39.529966+02:00 host.example.org syslogd 2138 - [ssign VER="0111" RSID="1" SG="0" SPRI="0" GBC="2" FMN="1" CNT="7" HB="K6wzcombEvKJ+UTMcn9bPryAeaU= zrkDcIeaDluypaPCY8WWzwHpPok= zgrWOdpx16ADc7UmckyIFY53icE= XfopJ+S8/hODapiBBCgVQaLqBKg= J67gKMFl/OauTC20ibbydwIlJC8= M5GziVgB6KPY3ERU1HXdSi2vtdw= Wxd/lU7uG/ipEYT9xeqnsfohyH0=" SIGN="AKBbX4J7QkrwuwdbV7Taujk2lvOf8gCgC62We1QYfnrNHz7FzAvdySuMyfM="]'
+ '<110>1 2009-05-03T14:00:39.529966+02:00 host.example.org syslogd 2138 - [ssign VER="0111" RSID="1" SG="0" SPRI="0" GBC="2" FMN="1" CNT="7" HB="K6wzcombEvKJ+UTMcn9bPryAeaU= zrkDcIeaDluypaPCY8WWzwHpPok= zgrWOdpx16ADc7UmckyIFY53icE= XfopJ+S8/hODapiBBCgVQaLqBKg= J67gKMFl/OauTC20ibbydwIlJC8= M5GziVgB6KPY3ERU1HXdSi2vtdw= Wxd/lU7uG/ipEYT9xeqnsfohyH0=" SIGN="AKBbX4J7QkrwuwdbV7Taujk2lvOf8gCgC62We1QYfnrNHz7FzAvdySuMyfM="]',
+ '<191>94103: 51w2d: DHCPD: assigned IP address 10.10.1.94 to client 0100.01c4.21d3.b3',
+ '<32>Mar 05 2011 22:21:02: %ASA-6-302013: Built inbound TCP connection 401 for outside:123.123.123.123/4413 (123.123.123.123/4413) to net:BOX/25 (BOX/25)',
+ '<32>Mar 16 15:10:26 SyslogAlertForwarder: Attack P2P: HotSpot Shield Traffic Detected (Medium)\u0000","',
+ '<13>Mar 15 11:22:40 myhost.com 0 11,03/15/12,11:22:38,§ó·s,10.10.10.171,,40C6A91373B6,',
];
for(message in messages) {
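Review bot: the four fixtures added at the end of `messages` come with no expected values in this hunk, so nothing visible here says what each one should parse to. These are the inputs that matter most for a log pipeline (no hostname, a trailing `\u0000`, non-ASCII bytes), so suggest asserting on the parsed `type`, `host` and `message` for each of them, in particular that the hostless `<191>94103: 51w2d: DHCPD: ...` line does not end up with `51w2d:` or `DHCPD:` as its host and that the `\u0000` in the SyslogAlertForwarder line is handled the way the parser intends.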