Add common event format plugin #328
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jsirianni
requested changes
Sep 15, 2021
Comment on lines
+79
to
+82
| timestamp: | ||
| parse_from: timestamp | ||
| layout_type: gotime | ||
| layout: 'Jan 02 15:04:05' |
There was a problem hiding this comment.
We should have a user specified timezone parameter as the timestamps do not include one.
Sep 11 08:26:10 zurich CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232
4 tasks
…plugins into add-common-event-plugin
|
Removed key_value parser. Extensions format allows to many variations to parse using the parser. |
jsirianni
requested changes
Sep 27, 2021
|
Lets promote device_vendor / device_version to resources |
…plugins into add-common-event-plugin
jsirianni
approved these changes
Sep 29, 2021
{
"timestamp": "2021-09-11T08:26:10Z",
"severity": 70,
"severity_text": "10",
"labels": {
"device": "threatmanager",
"file_name": "cef.log",
"log_type": "cef",
"plugin_id": "common_event_format",
"version": "0"
},
"resource": {
"device_vendor": "security",
"device_version": "1.0",
"hostname": "zurich"
},
"record": {
"extensions": "src=10.0.0.1 dst=2.1.2.2 spt=1232 ",
"message": "worm successfully stopped",
"signature_id": "100"
}
} |
jsirianni
pushed a commit
that referenced
this pull request
Oct 5, 2021
* Update regex to parse IPv6 (#334) Update default listener log path * Add HAProxy Plugin (#335) * Add haproxy plugin * Add supported platforms and min stanza version * PR Feedback fixes * Rename frontend_name to frontend_name_transport in regex * for all move operations, check if field is nil before moving. "set log type to haproxy and haproxy.error (not .http / .tcp)" * typoe: nill --> nil * typo, log_format: http --> default Co-authored-by: jsirianni <[email protected]> * Allow DBID to be empty & Correct case matching (#331) * Allow DBID to be empty & Correct case matching The DBID field is able to be empty on some versions of Oracle DB The multiline regex was looking for `Audit File`, but logs have `Audit file` * Switch to line end for multiline with double newline pattern * Fix plugin failure when using inline truncate check * Switch back to a regex parse for record splitting Co-authored-by: jsirianni <[email protected]> * Release 0.0.79 (#336) * 0.0.79 changelog * dbid oracle pr * fix release date * move frontend port to resources (#338) * Add more checks to reduce errors (#337) * Add more checks to reduce errors * Add ac_lite_ap_parser change to changelog for ubiquiti * 0.0.80 changelog Co-authored-by: jsirianni <[email protected]> * update regex to handle {} brackets before http request info (#342) * update regex to handle {} brackets before http request info * haproxy http default log format fix * make change backwards compatible * Adjust parsing further based on more detailed oracle db audit logs (#343) * release 0.0.82 * CI Testing: End to End Tests (#345) * end to end nginx testing * fix format * fix format * use sudo to compare against files from container mount * sleep so stanza can parse, kill stanza when done * try cloning log library * use token to clone lob lib * fix repo name * fix expect and output paths * handle both nginx formats * add apache_http workflow * dump container log * dump container log * 10 second sleep * use jq with diff to prevent formatting issues * sudo * cannot use sudo with redirection to diff, so just format with jq before using diff * Switch back to diff, something else is going on.. * pause and cat raw output before comparing * sudo * fix paths * sort before compare * redirect output * sort and cat * use jtool for comparing json files * use jtool for comparing json files * chmod it * haproxy workflow * add oracledb workflow * single test case for oracledb * mount plugins dir * stop and then get stanza logs * sleep 20 seconds instead of 10, sometimes 10 is not enough * fix log dirg * install jtool in its own step * fix mount * split oracle up. start with alert logs * oracle audit log * upgrade jtool and use skip timestamp for haproxy and oracle * upgrade jtoo * upgrade jtool * pause, stop, logs * listener log, oracle * Handle second {} in http log entry if present (#346) Co-authored-by: jsirianni <[email protected]> * Add tcpudp plugin (#341) * Add tcpudp plugin * Add tcpudp schema and tests * Split into two plugins udp and tcp * Add schema files for tests * Update plugins/tcp.yaml * Update plugins/tcp.yaml * Update plugins/udp.yaml * Update plugins/udp.yaml * Update test/configs/tcp/invalid/invalid_listen_port.yaml * Update plugins/udp.yaml Co-authored-by: jsirianni <[email protected]> Co-authored-by: Joseph Sirianni <[email protected]> * tcp / udp: move to message field (#347) * move to message field * \n * Add common event format plugin (#328) * Add common event format plugin * use key value parser for parsing extensions field * Promote fields to labels and resources * Promote fields to labels and resources * Update changelog * Remove key value parser * Add promote device_vendor and device_version to resources Co-authored-by: jsirianni <[email protected]> Co-authored-by: jsirianni <[email protected]> * release 0.0.83 * Add http plugin (#352) * Add http plugin * Update log_type label to http * remove duplicate param * tcp --> http * typo * token_header --> auth_header * small refactor * upgrade stanza 1.2.9 Co-authored-by: jsirianni <[email protected]> * Update Titles and uwsgi field name (#350) Co-authored-by: Joseph Sirianni <[email protected]> * Update cisco_meraki plugin to use key_value_parser (#349) * Update cisco_meraki plugin to use key_value_parser instead of custom regex * use stanza 1.2.9 Co-authored-by: jsirianni <[email protected]> * Create Sonicwall log parser plugin (#340) * Create Sonicwall log parser plugin * Add pri field severity_parser * Rename msg field to message * Add parameter location to support setting timezone * Update to use udp_input and add extra tests * Use stanza 1.2.7 for tests * update stanza and get go.sum * Update plugins/sonicwall.yaml Co-authored-by: Joseph Sirianni <[email protected]> * Fix using wrong parameter if you defined listen_port Co-authored-by: jsirianni <[email protected]> Co-authored-by: Joseph Sirianni <[email protected]> * release-0.0.84 * fix ci link * remove start_at reference * remove start_at test for sonicwall, not needed * enable new operators * fix start_at for w3c tests due to delete_at_end being added * Add cisco_catalyst plugin (#351) * Add cisco_catalyst plugin * Add severity field group to regex. Update parse from field for severity and regex. * Remove parse_to message in udp_input and parse_from message in regex_parser * fix ci link * remove start_at reference * remove start_at test for sonicwall, not needed * enable new operators * fix start_at for w3c tests due to delete_at_end being added Co-authored-by: Joseph Sirianni <[email protected]> * remove tests for now, not compatable with otel branch * remove tests for now, not compatable with otel branch * port cisco catalyst to otel * fix cef * fix haproxy * port http * port sonicwall * fix haproxy * Update plugins/cisco_catalyst.yaml Co-authored-by: Keith Schmitt <[email protected]> * rebase oracledb * try and fix severities that were missed Co-authored-by: Dylan Myers <[email protected]> Co-authored-by: EricWHolt <[email protected]> Co-authored-by: Keith Schmitt <[email protected]> Co-authored-by: schmikei <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This plugin adds option to parse common event format logs. Currently it is not possible to parse the extensions without the addition of an operator. Supports syslog prefix with timestamp matching
Jan 02 15:04:05and a hostname.