Add syslog-related functions (#19)

Author: joschi

src/main/java/org/graylog/plugins/pipelineprocessor/functions/syslog/SyslogFacilityConversion.java

@@ -0,0 +1,50 @@
+/**
+ * This file is part of Graylog Pipeline Processor.
+ *
+ * Graylog Pipeline Processor is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Graylog Pipeline Processor is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Graylog Pipeline Processor.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.graylog.plugins.pipelineprocessor.functions.syslog;
+
+import com.google.common.primitives.Ints;
+import org.graylog.plugins.pipelineprocessor.EvaluationContext;
+import org.graylog.plugins.pipelineprocessor.ast.functions.AbstractFunction;
+import org.graylog.plugins.pipelineprocessor.ast.functions.FunctionArgs;
+import org.graylog.plugins.pipelineprocessor.ast.functions.FunctionDescriptor;
+import org.graylog.plugins.pipelineprocessor.ast.functions.ParameterDescriptor;
+
+import static com.google.common.base.MoreObjects.firstNonNull;
+import static org.graylog.plugins.pipelineprocessor.ast.functions.ParameterDescriptor.object;
+
+public class SyslogFacilityConversion extends AbstractFunction<String> {
+    public static final String NAME = "syslog_facility";
+
+    private final ParameterDescriptor<Object, Object> valueParam = object("value").build();
+
+    @Override
+    public String evaluate(FunctionArgs args, EvaluationContext context) {
+        final String s = String.valueOf(valueParam.required(args, context));
+        final Integer facility = firstNonNull(Ints.tryParse(s), -1);
+
+        return SyslogUtils.facilityToString(facility);
+    }
+
+    @Override
+    public FunctionDescriptor<String> descriptor() {
+        return FunctionDescriptor.<String>builder()
+                .name(NAME)
+                .returnType(String.class)
+                .params(valueParam)
+                .build();
+    }
+}

src/main/java/org/graylog/plugins/pipelineprocessor/functions/syslog/SyslogLevelConversion.java

@@ -0,0 +1,50 @@
+/**
+ * This file is part of Graylog Pipeline Processor.
+ *
+ * Graylog Pipeline Processor is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Graylog Pipeline Processor is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Graylog Pipeline Processor.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.graylog.plugins.pipelineprocessor.functions.syslog;
+
+import com.google.common.primitives.Ints;
+import org.graylog.plugins.pipelineprocessor.EvaluationContext;
+import org.graylog.plugins.pipelineprocessor.ast.functions.AbstractFunction;
+import org.graylog.plugins.pipelineprocessor.ast.functions.FunctionArgs;
+import org.graylog.plugins.pipelineprocessor.ast.functions.FunctionDescriptor;
+import org.graylog.plugins.pipelineprocessor.ast.functions.ParameterDescriptor;
+
+import static com.google.common.base.MoreObjects.firstNonNull;
+import static org.graylog.plugins.pipelineprocessor.ast.functions.ParameterDescriptor.object;
+
+public class SyslogLevelConversion extends AbstractFunction<String> {
+    public static final String NAME = "syslog_level";
+
+    private final ParameterDescriptor<Object, Object> valueParam = object("value").build();
+
+    @Override
+    public String evaluate(FunctionArgs args, EvaluationContext context) {
+        final String s = String.valueOf(valueParam.required(args, context));
+        final Integer level = firstNonNull(Ints.tryParse(s), -1);
+
+        return SyslogUtils.levelToString(level);
+    }
+
+    @Override
+    public FunctionDescriptor<String> descriptor() {
+        return FunctionDescriptor.<String>builder()
+                .name(NAME)
+                .returnType(String.class)
+                .params(valueParam)
+                .build();
+    }
+}

src/main/java/org/graylog/plugins/pipelineprocessor/functions/syslog/SyslogPriority.java

@@ -0,0 +1,30 @@
+/**
+ * This file is part of Graylog Pipeline Processor.
+ *
+ * Graylog Pipeline Processor is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Graylog Pipeline Processor is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Graylog Pipeline Processor.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.graylog.plugins.pipelineprocessor.functions.syslog;
+
+import com.google.auto.value.AutoValue;
+
+@AutoValue
+public abstract class SyslogPriority {
+    public abstract int getLevel();
+
+    public abstract int getFacility();
+
+    public static SyslogPriority create(int level, int facility) {
+        return new AutoValue_SyslogPriority(level, facility);
+    }
+}

src/main/java/org/graylog/plugins/pipelineprocessor/functions/syslog/SyslogPriorityAsString.java

@@ -0,0 +1,30 @@
+/**
+ * This file is part of Graylog Pipeline Processor.
+ *
+ * Graylog Pipeline Processor is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Graylog Pipeline Processor is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Graylog Pipeline Processor.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.graylog.plugins.pipelineprocessor.functions.syslog;
+
+import com.google.auto.value.AutoValue;
+
+@AutoValue
+public abstract class SyslogPriorityAsString {
+    public abstract String getLevel();
+
+    public abstract String getFacility();
+
+    public static SyslogPriorityAsString create(String level, String facility) {
+        return new AutoValue_SyslogPriorityAsString(level, facility);
+    }
+}

src/main/java/org/graylog/plugins/pipelineprocessor/functions/syslog/SyslogPriorityConversion.java

@@ -0,0 +1,50 @@
+/**
+ * This file is part of Graylog Pipeline Processor.
+ *
+ * Graylog Pipeline Processor is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Graylog Pipeline Processor is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Graylog Pipeline Processor.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.graylog.plugins.pipelineprocessor.functions.syslog;
+
+import org.graylog.plugins.pipelineprocessor.EvaluationContext;
+import org.graylog.plugins.pipelineprocessor.ast.functions.AbstractFunction;
+import org.graylog.plugins.pipelineprocessor.ast.functions.FunctionArgs;
+import org.graylog.plugins.pipelineprocessor.ast.functions.FunctionDescriptor;
+import org.graylog.plugins.pipelineprocessor.ast.functions.ParameterDescriptor;
+
+import static org.graylog.plugins.pipelineprocessor.ast.functions.ParameterDescriptor.object;
+
+public class SyslogPriorityConversion extends AbstractFunction<SyslogPriority> {
+    public static final String NAME = "expand_syslog_priority";
+
+    private final ParameterDescriptor<Object, Object> valueParam = object("value").build();
+
+    @Override
+    public SyslogPriority evaluate(FunctionArgs args, EvaluationContext context) {
+        final String s = String.valueOf(valueParam.required(args, context));
+        final int priority = Integer.parseInt(s);
+        final int facility = SyslogUtils.facilityFromPriority(priority);
+        final int level = SyslogUtils.levelFromPriority(priority);
+
+        return SyslogPriority.create(level, facility);
+    }
+
+    @Override
+    public FunctionDescriptor<SyslogPriority> descriptor() {
+        return FunctionDescriptor.<SyslogPriority>builder()
+                .name(NAME)
+                .returnType(SyslogPriority.class)
+                .params(valueParam)
+                .build();
+    }
+}

src/main/java/org/graylog/plugins/pipelineprocessor/functions/syslog/SyslogPriorityToStringConversion.java

@@ -0,0 +1,52 @@
+/**
+ * This file is part of Graylog Pipeline Processor.
+ *
+ * Graylog Pipeline Processor is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Graylog Pipeline Processor is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Graylog Pipeline Processor.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.graylog.plugins.pipelineprocessor.functions.syslog;
+
+import org.graylog.plugins.pipelineprocessor.EvaluationContext;
+import org.graylog.plugins.pipelineprocessor.ast.functions.AbstractFunction;
+import org.graylog.plugins.pipelineprocessor.ast.functions.FunctionArgs;
+import org.graylog.plugins.pipelineprocessor.ast.functions.FunctionDescriptor;
+import org.graylog.plugins.pipelineprocessor.ast.functions.ParameterDescriptor;
+
+import static org.graylog.plugins.pipelineprocessor.ast.functions.ParameterDescriptor.object;
+
+public class SyslogPriorityToStringConversion extends AbstractFunction<SyslogPriorityAsString> {
+    public static final String NAME = "expand_syslog_priority_as_string";
+
+    private final ParameterDescriptor<Object, Object> valueParam = object("value").build();
+
+    @Override
+    public SyslogPriorityAsString evaluate(FunctionArgs args, EvaluationContext context) {
+        final String s = String.valueOf(valueParam.required(args, context));
+        final int priority = Integer.parseInt(s);
+        final int facility = SyslogUtils.facilityFromPriority(priority);
+        final String facilityString = SyslogUtils.facilityToString(facility);
+        final int level = SyslogUtils.levelFromPriority(priority);
+        final String levelString = SyslogUtils.levelToString(level);
+
+        return SyslogPriorityAsString.create(levelString, facilityString);
+    }
+
+    @Override
+    public FunctionDescriptor<SyslogPriorityAsString> descriptor() {
+        return FunctionDescriptor.<SyslogPriorityAsString>builder()
+                .name(NAME)
+                .returnType(SyslogPriorityAsString.class)
+                .params(valueParam)
+                .build();
+    }
+}

src/main/java/org/graylog/plugins/pipelineprocessor/functions/syslog/SyslogUtils.java

@@ -0,0 +1,119 @@
+/**
+ * This file is part of Graylog Pipeline Processor.
+ *
+ * Graylog Pipeline Processor is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Graylog Pipeline Processor is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Graylog Pipeline Processor.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.graylog.plugins.pipelineprocessor.functions.syslog;
+
+public final class SyslogUtils {
+    /**
+     * Converts integer syslog loglevel to human readable string
+     *
+     * @param level The level to convert
+     * @return The human readable level
+     * @see <a href="https://tools.ietf.org/html/rfc5424#section-6.2.1">RFC 5424, Section 6.2.1</a>
+     */
+    public static String levelToString(int level) {
+        switch (level) {
+            case 0:
+                return "Emergency";
+            case 1:
+                return "Alert";
+            case 2:
+                return "Critical";
+            case 3:
+                return "Error";
+            case 4:
+                return "Warning";
+            case 5:
+                return "Notice";
+            case 6:
+                return "Informational";
+            case 7:
+                return "Debug";
+        }
+
+        return "Unknown";
+    }
+
+    /**
+     * Converts integer syslog facility to human readable string
+     *
+     * @param facility The facility to convert
+     * @return The human readable facility
+     * @see <a href="https://tools.ietf.org/html/rfc5424#section-6.2.1">RFC 5424, Section 6.2.1</a>
+     */
+    public static String facilityToString(int facility) {
+        switch (facility) {
+            case 0:
+                return "kern";
+            case 1:
+                return "user";
+            case 2:
+                return "mail";
+            case 3:
+                return "daemon";
+            case 4:
+                return "auth";
+            case 5:
+                return "syslog";
+            case 6:
+                return "lpr";
+            case 7:
+                return "news";
+            case 8:
+                return "uucp";
+            case 9:
+                return "clock";
+            case 10:
+                return "authpriv";
+            case 11:
+                return "ftp";
+            case 12:
+                return "ntp";
+            case 13:
+                return "log audit";
+            case 14:
+                return "log alert";
+            case 15:
+                return "cron";
+            case 16:
+                return "local0";
+            case 17:
+                return "local1";
+            case 18:
+                return "local2";
+            case 19:
+                return "local3";
+            case 20:
+                return "local4";
+            case 21:
+                return "local5";
+            case 22:
+                return "local6";
+            case 23:
+                return "local7";
+            default:
+                return "Unknown";
+        }
+    }
+
+    public static int levelFromPriority(int priority) {
+        return priority - (facilityFromPriority(priority) << 3);
+    }
+
+    public static int facilityFromPriority(int priority) {
+        return priority >> 3;
+    }
+}