Merge pull request #17 from Graylog2/additional-syslog-events

Support FortiGate and Cisco syslog events

Author: dennisoelkers

.travis.yml

@@ -2,9 +2,6 @@ sudo: required
 dist: trusty
 language: java
 jdk:
-#  - openjdk6
-#  - openjdk7
-  - oraclejdk7
   - oraclejdk8
 addons:
   # Fix OpenJDK builds

pom.xml

@@ -49,6 +49,8 @@
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <maven.compiler.source>1.8</maven.compiler.source>
+        <maven.compiler.target>1.8</maven.compiler.target>
     </properties>
 
     <distributionManagement>
@@ -105,6 +107,12 @@
             <version>2.4.0</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.assertj</groupId>
+            <artifactId>assertj-core</artifactId>
+            <version>3.6.2</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>
@@ -120,10 +128,6 @@
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
                 <version>3.5.1</version>
-                <configuration>
-                    <source>1.6</source>
-                    <target>1.6</target>
-                </configuration>
             </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>

src/main/java/org/graylog2/syslog4j/server/impl/event/CiscoSyslogServerEvent.java

@@ -0,0 +1,157 @@
+package org.graylog2.syslog4j.server.impl.event;
+
+import java.net.InetAddress;
+import java.time.ZoneOffset;
+import java.time.ZonedDateTime;
+import java.time.format.DateTimeFormatter;
+import java.time.format.DateTimeParseException;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.Locale;
+
+/**
+ * CiscoSyslogServerEvent provides an implementation of the
+ * SyslogServerEventIF interface that supports receiving of
+ * Cisco syslog messages.
+ *
+ * @see <a href="http://www.ciscopress.com/articles/article.asp?p=426638">An Overview of the syslog Protocol</a>
+ */
+public class CiscoSyslogServerEvent extends SyslogServerEvent {
+    private static final DateTimeFormatter DEFAULT_FORMATTER =
+            DateTimeFormatter
+                    .ofPattern("yyyy MMM ppd HH:mm:ss[.SSS][ zzz]", Locale.ROOT)
+                    .withZone(ZoneOffset.UTC);
+    private int sequenceNumber = 0;
+
+    public CiscoSyslogServerEvent(final byte[] message, int length, InetAddress inetAddress) {
+        super();
+
+        initialize(message, length, inetAddress);
+        parse();
+    }
+
+    public CiscoSyslogServerEvent(final String message, InetAddress inetAddress) {
+        super();
+
+        initialize(message, inetAddress);
+        parse();
+    }
+
+    @Override
+    protected void parsePriority() {
+        if (this.message.charAt(0) == '<') {
+            int i = this.message.indexOf(">");
+
+            if (i <= 4 && i > -1) {
+                String priorityStr = this.message.substring(1, i);
+
+                int priority = 0;
+                try {
+                    priority = Integer.parseInt(priorityStr);
+                    this.facility = priority >> 3;
+                    this.level = priority - (this.facility << 3);
+
+                    this.message = this.message.substring(i + 1);
+
+                    parseSequenceNumber();
+                    parseDate();
+                } catch (NumberFormatException nfe) {
+                    //
+                }
+
+                parseHost();
+            }
+        }
+    }
+
+    private void parseSequenceNumber() {
+        int i = this.message.indexOf(':');
+        if (i > -1) {
+            String sequenceNumberStr = this.message.substring(0, i);
+            if (sequenceNumberStr.isEmpty()) {
+                this.message = this.message.substring(i + 1);
+            } else {
+                try {
+                    this.sequenceNumber = Integer.parseInt(sequenceNumberStr);
+                    this.message = this.message.substring(i + 1);
+                } catch (NumberFormatException nfe) {
+                    //
+                }
+            }
+        }
+    }
+
+    @Override
+    protected void parseHost() {
+        if (message.indexOf('%') < 1) {
+            this.host = "";
+        } else {
+            int i = this.message.indexOf(' ');
+            if (i > -1) {
+                this.host = this.message.substring(0, i).trim();
+
+                // Skip ' ' and ':' characters
+                char c = message.charAt(i);
+                while (c == ' ' || c == ':') {
+                    c = message.charAt(++i);
+                }
+
+                this.message = this.message.substring(i);
+            }
+        }
+    }
+
+    @Override
+    protected void parseDate() {
+        // Skip leading spaces
+        while (message.charAt(0) == ' ') {
+            message = message.substring(1);
+        }
+
+        // Skip leading asterisk
+        if (message.charAt(0) == '*') {
+            message = message.substring(1);
+        }
+
+        int dateLength = message.indexOf(": ");
+        if (this.message.length() > dateLength) {
+            boolean isYearMissing = Character.isLetter(message.charAt(0));
+            String originalDate = this.message.substring(0, dateLength);
+            DateTimeFormatter formatter = DEFAULT_FORMATTER;
+
+            // Hacky override for: "Mar 06 2016 12:53:10 DEVICENAME :"
+            if (Character.isDigit(message.charAt(7))
+                    && Character.isDigit(message.charAt(8))
+                    && Character.isDigit(message.charAt(9))
+                    && Character.isDigit(message.charAt(10))) {
+                dateLength = 20;
+                isYearMissing = false;
+                originalDate = this.message.substring(0, dateLength);
+                formatter = DateTimeFormatter
+                        .ofPattern("MMM ppd yyyy HH:mm:ss", Locale.ROOT)
+                        .withZone(ZoneOffset.UTC);
+            }
+
+            try {
+                if (isYearMissing) {
+                    String year = Integer.toString(Calendar.getInstance().get(Calendar.YEAR));
+                    String modifiedDate = year + " " + originalDate;
+                    final ZonedDateTime dateTime = ZonedDateTime.parse(modifiedDate, formatter);
+                    this.date = Date.from(dateTime.toInstant());
+                } else {
+                    final ZonedDateTime dateTime = ZonedDateTime.parse(originalDate, formatter);
+                    this.date = Date.from(dateTime.toInstant());
+                }
+
+                this.message = this.message.substring(dateLength + 1);
+
+            } catch (DateTimeParseException pe) {
+                this.date = new Date();
+            }
+        }
+    }
+
+    public int getSequenceNumber() {
+        return sequenceNumber;
+    }
+}

src/main/java/org/graylog2/syslog4j/server/impl/event/FortiGateSyslogEvent.java

@@ -0,0 +1,176 @@
+package org.graylog2.syslog4j.server.impl.event;
+
+import org.graylog2.syslog4j.server.SyslogServerEventIF;
+
+import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
+import java.time.LocalDate;
+import java.time.LocalTime;
+import java.time.ZoneOffset;
+import java.time.ZonedDateTime;
+import java.time.format.DateTimeFormatter;
+import java.util.Collections;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import static java.util.Objects.requireNonNull;
+
+/**
+ * FortiGateSyslogEvent provides an implementation of the
+ * SyslogServerEventIF interface that supports receiving of
+ * FortiGate/FortiOS syslog messages.
+ *
+ * @see <a href="http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-logging-reporting-54/logs.htm#Log_messages">FortiGate logging and reporting overview</a>
+ */
+public class FortiGateSyslogEvent implements SyslogServerEventIF {
+    private static final Pattern PRI_PATTERN = Pattern.compile("^<(\\d{1,3})>(.*)$");
+    private static final Pattern KV_PATTERN = Pattern.compile("(\\w+)=([^\\s\"]*)");
+    private static final Pattern QUOTED_KV_PATTERN = Pattern.compile("(\\w+)=\"([^\"]*)\"");
+
+    private final String rawEvent;
+    private Date date;
+    private int facility;
+    private int level;
+    private String host;
+    private String message;
+    private Charset charSet = StandardCharsets.UTF_8;
+    private Map<String, String> fields = Collections.emptyMap();
+
+    public FortiGateSyslogEvent(final String rawEvent) {
+        this.rawEvent = requireNonNull(rawEvent, "rawEvent");
+        parse(rawEvent);
+    }
+
+    private void parse(String event) {
+        final Matcher matcher = PRI_PATTERN.matcher(event);
+        if (!matcher.find()) {
+            throw new IllegalArgumentException("Invalid Fortigate syslog message");
+        } else {
+            final String priority = matcher.group(1);
+            final String message = matcher.group(2);
+
+            parsePriority(priority);
+            setMessage(message);
+            parseFields(message);
+            parseDate(fields.get("date"), fields.get("time"));
+            setHost(fields.get("devname"));
+        }
+    }
+
+    private void parsePriority(String priorityString) {
+        try {
+            final int priority = Integer.parseInt(priorityString);
+            setFacility(priority / 8);
+            setLevel(priority % 8);
+        } catch (NumberFormatException e) {
+            throw new IllegalArgumentException("Couldn't parse message priority", e);
+        }
+    }
+
+    private void parseFields(String event) {
+        final Map<String, String> fields = new HashMap<>();
+        final Matcher matcher = KV_PATTERN.matcher(event);
+        while (matcher.find()) {
+            fields.put(matcher.group(1), matcher.group(2));
+        }
+        final Matcher quotedMatcher = QUOTED_KV_PATTERN.matcher(event);
+        while (quotedMatcher.find()) {
+            fields.put(quotedMatcher.group(1), quotedMatcher.group(2));
+        }
+        setFields(fields);
+    }
+
+    private void parseDate(String date, String time) {
+        if (date != null && time != null) {
+            final ZonedDateTime dateTime = ZonedDateTime.of(
+                    LocalDate.parse(date, DateTimeFormatter.ISO_LOCAL_DATE.withZone(ZoneOffset.UTC)),
+                    LocalTime.parse(time, DateTimeFormatter.ISO_LOCAL_TIME.withZone(ZoneOffset.UTC)),
+                    ZoneOffset.UTC);
+            setDate(Date.from(dateTime.toInstant()));
+
+        } else {
+            setDate(new Date());
+        }
+    }
+
+    @Override
+    public byte[] getRaw() {
+        return rawEvent.getBytes(charSet);
+    }
+
+    @Override
+    public int getFacility() {
+        return facility;
+    }
+
+    @Override
+    public void setFacility(int facility) {
+        this.facility = requireNonNull(facility, "facility");
+    }
+
+    @Override
+    public Date getDate() {
+        return date;
+    }
+
+    @Override
+    public void setDate(Date date) {
+        this.date = requireNonNull(date, "date");
+    }
+
+    @Override
+    public int getLevel() {
+        return level;
+    }
+
+    @Override
+    public void setLevel(int level) {
+        this.level = requireNonNull(level, "level");
+    }
+
+    @Override
+    public String getHost() {
+        return host;
+    }
+
+    @Override
+    public void setHost(String host) {
+        this.host = host;
+    }
+
+    @Override
+    public boolean isHostStrippedFromMessage() {
+        return false;
+    }
+
+    @Override
+    public String getMessage() {
+        return message;
+    }
+
+    @Override
+    public void setMessage(String message) {
+        this.message = requireNonNull(message, "message");
+    }
+
+    @Override
+    public String getCharSet() {
+        return charSet.name();
+    }
+
+    @Override
+    public void setCharSet(String charSet) {
+        this.charSet = Charset.forName(charSet);
+    }
+
+    public Map<String, String> getFields() {
+        return Collections.unmodifiableMap(fields);
+    }
+
+    public void setFields(Map<String, String> fields) {
+        this.fields = requireNonNull(fields, "fields");
+    }
+}