From 78b993d1354c38052ee20ea6bec206d657d615b1 Mon Sep 17 00:00:00 2001
From: Nicholas DiCola
Date: Thu, 12 Mar 2020 19:35:50 +0000
Subject: [PATCH 1/2] Update parser_cef.rb

---
 lib/fluent/plugin/parser_cef.rb | 50 ++++++++++++++++++++++++++++++++-
 1 file changed, 49 insertions(+), 1 deletion(-)

diff --git a/lib/fluent/plugin/parser_cef.rb b/lib/fluent/plugin/parser_cef.rb
index 4de377c..7090a6c 100644
--- a/lib/fluent/plugin/parser_cef.rb
+++ b/lib/fluent/plugin/parser_cef.rb
@@ -9,9 +9,13 @@ module Fluent
 module Plugin
 class CommonEventFormatParser < Parser
 Fluent::Plugin.register_parser("cef", self)
+
+ REGEXP_DETECT_RFC5424 = /^[1-9]\d{0,2}/
+
 config_param :log_format, :string, :default => "syslog"
 config_param :log_utc_offset, :string, :default => nil
 config_param :syslog_timestamp_format, :string, :default => '\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}'
+ config_param :syslog_timestamp_format_5424, :string, :default => '\d{4}[-]\d{2}[-]\d{2}[T]\d{2}[:]\d{2}[:]\d{2}(?:\.\d{1,6})?(?:[+-]\d{2}[:]\d{2}|Z)'
 config_param :cef_version, :integer, :default => 0
 config_param :parse_strict_mode, :bool, :default => true
 config_param :cef_keyfilename, :string, :default => 'config/cef_version_0_keys.yaml'
@@ -21,8 +25,11 @@ def configure(conf)
 super
 @key_value_format_regexp = /([^\s=]+)=(.*?)(?:(?=[^\s=]+=)|\z)/
 @valid_format_regexp = create_valid_format_regexp
+ @valid_format_regexp_5424 = create_valid_format_regexp_5424
 @utc_offset = get_utc_offset(@log_utc_offset)
 begin
+ $log.trace(@valid_format_regexp)
+ $log.trace(@valid_format_regexp_5424)
 if @parse_strict_mode
 if @cef_keyfilename =~ /^\//
 yaml_fieldinfo = YAML.load_file(@cef_keyfilename)
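Review bot: `REGEXP_DETECT_RFC5424 = /^[1-9]\d{0,2}/` anchors with `^`, which in Ruby matches at the start of any line, so a multi-line RFC 3164 event whose second line happens to begin with a digit would be routed to the RFC 5424 regexp and then fall through to the raw-record branch in parse. Anchoring to the start of the string and requiring the whitespace that follows the VERSION field is tighter: `REGEXP_DETECT_RFC5424 = /\A[1-9]\d{0,2}\s/`. The new `syslog_timestamp_format_5424` default accepts only a full timestamp; RFC 5424 also allows the NILVALUE `-` for TIMESTAMP, so a header carrying `-` would not match — worth a comment on the config_param stating that such events are deliberately left to the raw fallback, or extending the default with `|-` if they should be parsed.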
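Review bot: The two new `$log.trace(...)` calls in configure use the global logger, while the trace calls added to parse in the same patch use the plugin's `log` accessor; the two should agree, and the plugin-scoped `log` carries the plugin context in the output. They are also placed inside the `begin` block whose rescue (visible in patch 2) downgrades `@parse_strict_mode` to false on any error, so they are better moved above `begin`, e.g. `log.trace(@valid_format_regexp)` / `log.trace(@valid_format_regexp_5424)` right after the assignments. configure starts and ends outside this hunk.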
@@ -47,10 +54,17 @@ def parse(text)
 yield nil, nil
 return
 end
+ log.trace(text)
 text.force_encoding("utf-8")
 replaced_text = text.scrub('?')
 record = {}
- record_overview = @valid_format_regexp.match(replaced_text)
+ if REGEXP_DETECT_RFC5424.match(text)
+ record_overview = @valid_format_regexp_5424.match(replaced_text)
+ log.trace "match 5424"
+ else
+ record_overview = @valid_format_regexp.match(replaced_text)
+ log.trace "match 3164"
+ end
 if record_overview.nil?
 yield Engine.now, { "raw" => replaced_text }
 return
@@ -119,6 +133,40 @@ def create_valid_format_regexp()
 return Regexp.new(valid_format_regexp)
 end
 
+ def create_valid_format_regexp_5424()
+ case @log_format
+ when "syslog"
+ syslog_header = /
+ (?:[1-9])\s
+ (?#{@syslog_timestamp_format_5424})\s
+ (?\S+)\s
+ (?\S+)\s
+ (?\S+)\s
+ (?\S+)\s
+ (?(?:\-|(?:\[.*?(?#{@cef_version})\|
+ (?[^|]*)\|
+ (?[^|]*)\|
+ (?[^|]*)\|
+ (?[^|]*)\|
+ (?[^|]*)\|
+ (?[^|]*)
+ /x
+ valid_format_regexp_5424 = /
+ \A
+ #{syslog_header}
+ #{cef_header}\|
+ (?.*)
+ \z
+ /x
+ else
+ raise Fluent::ConfigError, "#{@log_format} is unknown format"
+ end
+ return Regexp.new(valid_format_regexp_5424)
+ end
+
 def get_unixtime_with_utc_offset(timestamp, utc_offset)
 unixtime = nil
 begin

From 5d6c9879d95aed2495f3cb0547dc33ff8f4de4f3 Mon Sep 17 00:00:00 2001
From: Nicholas DiCola
Date: Thu, 16 Apr 2020 12:36:50 +0000
Subject: [PATCH 2/2] Update parser_cef.rb

---
 lib/fluent/plugin/parser_cef.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/fluent/plugin/parser_cef.rb b/lib/fluent/plugin/parser_cef.rb
index 7090a6c..d0c6844 100644
--- a/lib/fluent/plugin/parser_cef.rb
+++ b/lib/fluent/plugin/parser_cef.rb
@@ -46,6 +46,7 @@ def configure(conf)
 @parse_strict_mode = false
 $log.warn "running without strict mode because of the following error"
 $log.warn "#{e.message}"
+ end
 end
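Review bot: The format detection runs `REGEXP_DETECT_RFC5424.match(text)` on the unscrubbed input while both format regexps are applied to `replaced_text`; matching the same string in both places avoids the two disagreeing on input with invalid bytes, `if REGEXP_DETECT_RFC5424.match(replaced_text)` (or `.match?` if the supported Ruby is 2.4 or newer, since the MatchData is unused). The new `log.trace(text)` writes the complete raw event into the Fluentd log; CEF and syslog payloads routinely carry usernames, hosts and other sensitive fields, so this duplicates them into a second, usually less protected, sink, and logging `text.bytesize` or nothing is preferable — the two `"match 5424"` / `"match 3164"` traces already tell a debugger which branch was taken. parse starts and ends outside this hunk.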
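Review bot: The RFC 5424 header regexp in create_valid_format_regexp_5424 starts with `(?:[1-9])\s`, a single-digit VERSION, while the detection constant `REGEXP_DETECT_RFC5424` accepts up to three digits; a message with VERSION `10` would therefore be routed to this regexp and then end up as a `"raw"` record, so the two should agree, `(?:[1-9]\d{0,2})\s`. The named-capture names appear to have been stripped in this export (`(?\S+)`, `(?[^|]*)`) and the line holding the structured-data group and the start of `cef_header` looks truncated, so the field layout cannot be reviewed as shown — please confirm the capture names match those used by the existing create_valid_format_regexp so that the code that reads `record_overview` works for both formats. `return Regexp.new(valid_format_regexp_5424)` re-wraps an already compiled regexp, mirroring the existing method; `valid_format_regexp_5424` as the implicit return value is enough. A one-line comment on the method that this header regexp assumes the PRI (`<N>`) prefix has already been removed upstream, as the 3164 path also does, would help the next reader.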