Checkpoint parser improvements

[bazsi]

With new, current samples received from a syslog-ng user, I could improve the parser to better support the output of CheckPoint LogExporter. Also added links to official documentation and community topic on the matter.

[kira-syslogng]

Build SUCCESS

[mitzkia]

I have checked Light testcases, at first glance I have found a new testcase which was the same as an old one, but after checked it again they are not the same, they are different in timestamps.
Light testcases are ok.

[jewnix]

I'm running version R80.20m2 and sending it syslog format from CP, and it does not seem to parse it correctly. maybe related to the date-parser

actual output:
Jul 29 13:04:13 checkpoint <134>1 2019-07-29T17:04:13Z checkpoint CheckPoint 9951 - [action:"Accept"; conn_direction:"Outgoing"; contextnum:"1"; flags:"7258112";

[bazsi]

Can you show your config?

…

On Mon, Jul 29, 2019, 20:12 Jewnix ***@***.***> wrote: I'm running version R80.20m2 and sending it syslog format from CP, and it does not seem to parse it correctly. maybe related to the date-parser actual output: Jul 29 13:04:13 checkpoint <134>1 2019-07-29T17:04:13Z checkpoint CheckPoint 9951 - [action:"Accept"; conn_direction:"Outgoing"; contextnum:"1"; flags:"7258112"; — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#2740>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAFOK5V5GSKP2ZPVJNSDJWDQB4XINANCNFSM4HN3YCHQ> .

[jewnix]

filter f_cpdash {
netmask("10.0.0.1/32") or host('cpdash-swg');
};
destination d_cpdash {
file (
"/var/log/splunk/cp_firewall/$LOGHOST/$HOST/$R_YEAR$R_MONTH$R_DAY-$R_HOUR.log");
};
log {
source {
network(
transport("tcp")
flags(no-parse)
port(2154)
);
};
parser { checkpoint-parser(); };
filter(f_cpdash);
destination(d_cpdash);
flags(final);
};

[bazsi]

I wanted to check how you apply the checkpoint parser and it seems fine. If you start syslog-ng in debug and trace enabled (like with -Fedvt command line options from a shell), you can see how checkpoint parser attempts parsing the message and where it fails. If you have problems deciphering the output just post it here.

…

On Mon, Aug 5, 2019, 16:59 Jewnix ***@***.***> wrote: filter f_cpdash { netmask("10.0.0.1/32") or host('cpdash-swg'); }; destination d_cpdash { file ( "/var/log/splunk/cp_firewall/$LOGHOST/$HOST/$R_YEAR$R_MONTH$R_DAY-$R_HOUR.log"); }; log { source { network( transport("tcp") flags(no-parse) port(2154) ); }; parser { checkpoint-parser(); }; filter(f_cpdash); destination(d_cpdash); flags(final); }; — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#2740>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAFOK5V7WMJ7VCDNZCTV43DQDA53ZANCNFSM4HN3YCHQ> .