add timzone config to FortiGateSyslogEvent

Author: kodjo-anipah

src/main/java/org/graylog2/syslog4j/server/impl/event/CiscoSyslogServerEvent.java

@@ -29,7 +29,7 @@ public class CiscoSyslogServerEvent extends SyslogServerEvent {
     public CiscoSyslogServerEvent(final byte[] message, int length, InetAddress inetAddress) {
         super();
 
-        initialize(message, length, inetAddress);
+        initialize(message, length, inetAddress, null);
         parse();
     }
     public CiscoSyslogServerEvent(final byte[] message, int length, InetAddress inetAddress, DateTimeZone sysLogServerTimeZone) {
@@ -42,7 +42,7 @@ public CiscoSyslogServerEvent(final byte[] message, int length, InetAddress inet
     public CiscoSyslogServerEvent(final String message, InetAddress inetAddress) {
         super();
 
-        initialize(message, inetAddress);
+        initialize(message, inetAddress, null);
         parse();
     }
 
@@ -171,7 +171,4 @@ public int getSequenceNumber() {
         return sequenceNumber;
     }
 
-    private ZoneId getDefaultServerZoneId() {
-        return Objects.isNull(sysLogServerTimeZone) ? ZoneOffset.UTC : sysLogServerTimeZone.toTimeZone().toZoneId();
-    }
 }

src/main/java/org/graylog2/syslog4j/server/impl/event/FortiGateSyslogEvent.java

@@ -1,18 +1,21 @@
 package org.graylog2.syslog4j.server.impl.event;
 
 import org.graylog2.syslog4j.server.SyslogServerEventIF;
+import org.joda.time.DateTimeZone;
 
 import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
 import java.time.LocalDate;
 import java.time.LocalTime;
+import java.time.ZoneId;
 import java.time.ZoneOffset;
 import java.time.ZonedDateTime;
 import java.time.format.DateTimeFormatter;
 import java.util.Collections;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Objects;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -30,7 +33,8 @@ public class FortiGateSyslogEvent implements SyslogServerEventIF {
     private static final Pattern KV_PATTERN = Pattern.compile("(\\w+)=([^\\s\"]*)");
     private static final Pattern QUOTED_KV_PATTERN = Pattern.compile("(\\w+)=\"([^\"]*)\"");
 
-    private final String rawEvent;
+    private String rawEvent;
+    private ZoneId defaultZoneId;
     private Date date;
     private int facility;
     private int level;
@@ -40,7 +44,16 @@ public class FortiGateSyslogEvent implements SyslogServerEventIF {
     private Map<String, String> fields = Collections.emptyMap();
 
     public FortiGateSyslogEvent(final String rawEvent) {
+        initialize(rawEvent, null);
+    }
+
+    public FortiGateSyslogEvent(final String rawEvent, DateTimeZone sysLogServerTimeZone) {
+        initialize(rawEvent, sysLogServerTimeZone);
+    }
+
+    private void initialize(final String rawEvent, DateTimeZone sysLogServerTimeZone) {
         this.rawEvent = requireNonNull(rawEvent, "rawEvent");
+        this.defaultZoneId = Objects.isNull(sysLogServerTimeZone) ? ZoneOffset.UTC : sysLogServerTimeZone.toTimeZone().toZoneId();
         parse(rawEvent);
     }
 
@@ -55,7 +68,7 @@ private void parse(String event) {
             parsePriority(priority);
             setMessage(message);
             parseFields(message);
-            parseDate(fields.get("date"), fields.get("time"));
+            parseDate(fields.get("date"), fields.get("time"), fields.get("tz"));
             setHost(fields.get("devname"));
         }
     }
@@ -83,12 +96,18 @@ private void parseFields(String event) {
         setFields(fields);
     }
 
-    private void parseDate(String date, String time) {
+    private void parseDate(String date, String time, String timeZone) {
         if (date != null && time != null) {
+            ZoneId zone = defaultZoneId;
+
+            if (timeZone != null) {
+              zone =   ZoneOffset.of(timeZone);
+            }
+
             final ZonedDateTime dateTime = ZonedDateTime.of(
-                    LocalDate.parse(date, DateTimeFormatter.ISO_LOCAL_DATE.withZone(ZoneOffset.UTC)),
-                    LocalTime.parse(time, DateTimeFormatter.ISO_LOCAL_TIME.withZone(ZoneOffset.UTC)),
-                    ZoneOffset.UTC);
+                    LocalDate.parse(date, DateTimeFormatter.ISO_LOCAL_DATE.withZone(zone)),
+                    LocalTime.parse(time, DateTimeFormatter.ISO_LOCAL_TIME.withZone(zone)),
+                    zone);
             setDate(Date.from(dateTime.toInstant()));
 
         } else {

src/main/java/org/graylog2/syslog4j/server/impl/event/SyslogServerEvent.java

@@ -11,6 +11,8 @@
 import java.text.DateFormat;
 import java.text.ParseException;
 import java.text.SimpleDateFormat;
+import java.time.ZoneId;
+import java.time.ZoneOffset;
 import java.util.Calendar;
 import java.util.Date;
 import java.util.Locale;
@@ -61,7 +63,7 @@ public SyslogServerEvent(final String message, InetAddress inetAddress, DateTime
     }
 
     public SyslogServerEvent(final byte[] message, int length, InetAddress inetAddress) {
-        initialize(message, length, inetAddress);
+        initialize(message, length, inetAddress, null);
 
         parse();
     }
@@ -72,28 +74,20 @@ public SyslogServerEvent(final byte[] message, int length, InetAddress inetAddre
         parse();
     }
 
-    protected void initialize(final String message, InetAddress inetAddress) {
+    protected void initialize(final String message, InetAddress inetAddress, DateTimeZone sysLogServerTimeZone) {
         this.rawString = message;
         this.rawLength = message.length();
         this.inetAddress = inetAddress;
-
         this.message = message;
-    }
-
-    protected void initialize(final String message, InetAddress inetAddress, DateTimeZone sysLogServerTimeZone) {
         this.sysLogServerTimeZone = sysLogServerTimeZone;
-        initialize(message, inetAddress);
     }
 
-    protected void initialize(final byte[] message, int length, InetAddress inetAddress) {
+
+    protected void initialize(final byte[] message, int length, InetAddress inetAddress, DateTimeZone sysLogServerTimeZone) {
         this.rawBytes = message;
         this.rawLength = length;
         this.inetAddress = inetAddress;
-    }
-
-    protected void initialize(final byte[] message, int length, InetAddress inetAddress, DateTimeZone sysLogServerTimeZone) {
         this.sysLogServerTimeZone = sysLogServerTimeZone;
-        initialize(message, length, inetAddress);
     }
 
     protected void parseHost() {
@@ -222,6 +216,10 @@ public byte[] getRaw() {
         }
     }
 
+    protected ZoneId getDefaultServerZoneId() {
+        return Objects.isNull(sysLogServerTimeZone) ? ZoneOffset.UTC : sysLogServerTimeZone.toTimeZone().toZoneId();
+    }
+
     public int getRawLength() {
         return this.rawLength;
     }

src/main/java/org/graylog2/syslog4j/server/impl/event/structured/StructuredSyslogServerEvent.java

@@ -39,14 +39,14 @@ public class StructuredSyslogServerEvent extends SyslogServerEvent {
     public StructuredSyslogServerEvent(final byte[] message, int length, InetAddress inetAddress) {
         super();
 
-        initialize(message, length, inetAddress);
+        initialize(message, length, inetAddress, null);
         parse();
     }
 
     public StructuredSyslogServerEvent(final String message, InetAddress inetAddress) {
         super();
 
-        initialize(message, inetAddress);
+        initialize(message, inetAddress, null);
         parse();
     }
 

src/test/java/org/graylog2/syslog4j/server/impl/event/FortiGateSyslogEventTest.java

@@ -1,14 +1,20 @@
 package org.graylog2.syslog4j.server.impl.event;
 
+import org.joda.time.DateTimeZone;
 import org.junit.Test;
 
 import java.nio.charset.StandardCharsets;
+import java.time.ZoneId;
 import java.time.ZoneOffset;
 import java.time.ZonedDateTime;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
 public class FortiGateSyslogEventTest {
+
+    public static final DateTimeZone MST_TIMEZONE = DateTimeZone.forID("MST");
+    public static final ZoneId MST = MST_TIMEZONE.toTimeZone().toZoneId();
+
     @Test
     public void testFortiGateMessage() {
         final String rawMessage = "<45>date=2017-03-06 time=12:53:10 devname=DEVICENAME devid=DEVICEID logid=0000000013 type=traffic subtype=forward level=notice vd=ALIAS srcip=IP srcport=45748 srcintf=\"IF\" dstip=IP dstport=443 dstintf=\"IF\" sessionid=1122686199 status=close policyid=77 dstcountry=\"COUNTRY\" srccountry=\"COUNTRY\" trandisp=dnat tranip=IP tranport=443 service=HTTPS proto=6 appid=41540 app=\"SSL_TLSv1.2\" appcat=\"Network.Service\" applist=\"ACLNAME\" appact=detected duration=1 sentbyte=2313 rcvdbyte=14883 sentpkt=19 rcvdpkt=19 utmaction=passthrough utmevent=app-ctrl attack=\"SSL\" hostname=\"HOSTNAME\" custom=\"white space\"";
@@ -31,4 +37,38 @@ public void testFortiGateMessage() {
                 .containsEntry("custom", "white space");
     }
 
-}
+    @Test
+    public void testDefaultTimezoneDetected() {
+        final String rawMessage = "<45>date=2017-03-06 time=12:53:10 tz=-0700 devname=DEVICENAME devid=DEVICEID logid=0000000013 type=traffic subtype=forward level=notice vd=ALIAS srcip=IP srcport=45748 srcintf=\"IF\" dstip=IP dstport=443 dstintf=\"IF\" sessionid=1122686199 status=close policyid=77 dstcountry=\"COUNTRY\" srccountry=\"COUNTRY\" trandisp=dnat tranip=IP tranport=443 service=HTTPS proto=6 appid=41540 app=\"SSL_TLSv1.2\" appcat=\"Network.Service\" applist=\"ACLNAME\" appact=detected duration=1 sentbyte=2313 rcvdbyte=14883 sentpkt=19 rcvdpkt=19 utmaction=passthrough utmevent=app-ctrl attack=\"SSL\" hostname=\"HOSTNAME\" custom=\"white space\"";
+        final FortiGateSyslogEvent event = new FortiGateSyslogEvent(rawMessage);
+
+        ZonedDateTime of = ZonedDateTime.of(2017, 3, 6, 12, 53, 10, 0, MST);
+
+        assertThat(ZonedDateTime.ofInstant(event.getDate().toInstant(), MST))
+                .isEqualTo(of);
+    }
+
+
+    @Test
+    public void testDefaultTimezoneConfigIgnored() {
+        final String rawMessage = "<45>date=2017-03-06 time=12:53:10 tz=+0000 devname=DEVICENAME devid=DEVICEID logid=0000000013 type=traffic subtype=forward level=notice vd=ALIAS srcip=IP srcport=45748 srcintf=\"IF\" dstip=IP dstport=443 dstintf=\"IF\" sessionid=1122686199 status=close policyid=77 dstcountry=\"COUNTRY\" srccountry=\"COUNTRY\" trandisp=dnat tranip=IP tranport=443 service=HTTPS proto=6 appid=41540 app=\"SSL_TLSv1.2\" appcat=\"Network.Service\" applist=\"ACLNAME\" appact=detected duration=1 sentbyte=2313 rcvdbyte=14883 sentpkt=19 rcvdpkt=19 utmaction=passthrough utmevent=app-ctrl attack=\"SSL\" hostname=\"HOSTNAME\" custom=\"white space\"";
+        final FortiGateSyslogEvent event = new FortiGateSyslogEvent(rawMessage, MST_TIMEZONE);
+
+        ZonedDateTime of = ZonedDateTime.of(2017, 3, 6, 12, 53, 10, 0, ZoneOffset.UTC);
+
+        assertThat(ZonedDateTime.ofInstant(event.getDate().toInstant(), ZoneOffset.UTC))
+                .isEqualTo(of);
+    }
+
+    @Test
+    public void testDefaultTimezoneConfigured() {
+        final String rawMessage = "<45>date=2017-03-06 time=12:53:10 devname=DEVICENAME devid=DEVICEID logid=0000000013 type=traffic subtype=forward level=notice vd=ALIAS srcip=IP srcport=45748 srcintf=\"IF\" dstip=IP dstport=443 dstintf=\"IF\" sessionid=1122686199 status=close policyid=77 dstcountry=\"COUNTRY\" srccountry=\"COUNTRY\" trandisp=dnat tranip=IP tranport=443 service=HTTPS proto=6 appid=41540 app=\"SSL_TLSv1.2\" appcat=\"Network.Service\" applist=\"ACLNAME\" appact=detected duration=1 sentbyte=2313 rcvdbyte=14883 sentpkt=19 rcvdpkt=19 utmaction=passthrough utmevent=app-ctrl attack=\"SSL\" hostname=\"HOSTNAME\" custom=\"white space\"";
+        final FortiGateSyslogEvent event = new FortiGateSyslogEvent(rawMessage, MST_TIMEZONE);
+
+        ZoneId mst = MST_TIMEZONE.toTimeZone().toZoneId();
+        ZonedDateTime of = ZonedDateTime.of(2017, 3, 6, 12, 53, 10, 0, mst);
+
+        assertThat(ZonedDateTime.ofInstant(event.getDate().toInstant(), mst))
+                .isEqualTo(of);
+    }
+}