True transparent (#38)

* Read timestamp and facility in transparent

* Use facility_num if available

* Added test

* Update run script

Author: huksley

README.md

@@ -68,13 +68,21 @@ Example:
 
 ### trasparent
 
-A variation of plain sender without facility and source (they are in original message).
+A variation of plain sender which tries to keep facility and source from fields, resulting in having a passthrough effect with Graylog Syslog input.
+If configured, can omit header if your message already contains header.
+
 Example:
 
 ```
 <14>Feb 11 17:32:06 graylog01 sshd[26524]: Failed password for admin7 from 10.128.230.28 port 58363 ssh2
 ```
 
+To test, configure Syslog input and send to it using netcat:
+
+```
+echo "<86>_sourcehost_ messagetext86" | nc -v -w 0 localhost 1514
+```
+
 ### snare
 
 Re-build a snare log format of windows event in stream.
@@ -148,3 +156,5 @@ If existing fields does not contain such keys, following fields will be added to
 - https://www.graylog.org/resources/gelf-2/
 - http://docs.graylog.org/en/1.0/pages/plugins.html
 - https://community.saas.hpe.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Guide/ta-p/1589306
+- https://success.trendmicro.com/solution/TP000086250-What-are-Syslog-Facilities-and-Levels
+

pom.xml

@@ -10,7 +10,7 @@
 
     <groupId>com.wizecore.graylog2</groupId>
     <artifactId>graylog-output-syslog</artifactId>
-    <version>3.3.0</version>
+    <version>3.3.1</version>
     <packaging>jar</packaging>
 
     <name>graylog-output-syslog</name>

run-graylog

@@ -6,17 +6,17 @@ mkdir -p $TT
 #sudo umount $TT
 #sudo mount -o bind,noexec $TT $TT
 #export JAVA_OPTS="-Djava.io.tmpdir=$TT"
-rm -Rf $GL/data
+#rm -Rf $GL/data
 mkdir -p $GL/data
 mvn package -DskipTests
-cp target/graylog-output-syslog-2.5.1.jar $GL/plugin
+cp target/graylog-output-syslog-3.3.1.jar $GL/plugin
 export GRAYLOG_CONF=$GL/graylog.conf
-docker rm -f elastic
-docker run --name elastic -p 9200:9200 -d elasticsearch:5
-docker rm -f mongo
-docker run --name mongo -p 27017:27017 -d mongo:3.6
-docker start elastic
-docker start mongo
+#docker rm -f elastic
+#docker run --name elastic -p 9200:9200 -d elasticsearch:5
+#docker rm -f mongo
+#docker run --name mongo -p 27017:27017 -d mongo:3.6
+#docker start elastic
+#docker start mongo
 sleep 5
 $GL/bin/graylogctl run
 

src/main/java/com/wizecore/graylog2/plugin/SyslogOutput.java

@@ -1,32 +1,31 @@
 package com.wizecore.graylog2.plugin;
 
 
-import java.util.List;
-import java.util.Map;
-import java.util.HashMap;
-import java.util.logging.Logger;
-
-import javax.inject.Inject;
-
+import com.google.common.collect.ImmutableMap;
+import com.google.inject.assistedinject.Assisted;
 import org.graylog2.plugin.Message;
 import org.graylog2.plugin.configuration.Configuration;
 import org.graylog2.plugin.configuration.ConfigurationRequest;
+import org.graylog2.plugin.configuration.fields.BooleanField;
 import org.graylog2.plugin.configuration.fields.ConfigurationField;
 import org.graylog2.plugin.configuration.fields.DropdownField;
 import org.graylog2.plugin.configuration.fields.TextField;
-import org.graylog2.plugin.configuration.fields.BooleanField;
 import org.graylog2.plugin.outputs.MessageOutput;
 import org.graylog2.plugin.streams.Stream;
 import org.graylog2.syslog4j.Syslog;
 import org.graylog2.syslog4j.SyslogConfigIF;
 import org.graylog2.syslog4j.SyslogIF;
+import org.graylog2.syslog4j.impl.message.processor.SyslogMessageProcessor;
 import org.graylog2.syslog4j.impl.net.tcp.TCPNetSyslogConfig;
 import org.graylog2.syslog4j.impl.net.tcp.ssl.SSLTCPNetSyslogConfig;
 import org.graylog2.syslog4j.impl.net.udp.UDPNetSyslogConfig;
-import org.graylog2.syslog4j.server.impl.net.tcp.ssl.SSLTCPNetSyslogServerConfig;
 
-import com.google.common.collect.ImmutableMap;
-import com.google.inject.assistedinject.Assisted;
+import javax.inject.Inject;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.logging.Logger;
 
 
 /**
@@ -54,7 +53,7 @@ public static MessageSender createSender(String fmt, Configuration conf) {
 				return new PlainSender();
 			} else
 			if (fmt == null || fmt.equalsIgnoreCase("transparent")) {
-				return new TrasparentSyslogSender(conf);
+				return new TransparentSyslogSender(conf);
 			} else
 			if (fmt == null || fmt.equalsIgnoreCase("snare")) {
 				return new SnareWindowsSender();
@@ -144,11 +143,26 @@ public SyslogOutput(@Assisted Stream stream, @Assisted Configuration conf) {
 		syslog = Syslog.exists(hash) ? Syslog.getInstance(hash) : Syslog.createInstance(hash, config);
 
 		sender = createSender(format, conf);
+
+		if (sender instanceof TransparentSyslogSender) {
+			// Always send empty header, which we will construct ourselves
+			syslog.setMessageProcessor(new SyslogMessageProcessor() {
+				@Override
+				public String createSyslogHeader(int facility, int level, String localName, boolean sendLocalName, Date datetime) {
+					return "";
+				}
+
+				@Override
+				public String createSyslogHeader(int facility, int level, String localName, boolean sendLocalTimestamp, boolean sendLocalName) {
+					return "";
+				}
+			});
+		}
+
 		if (sender instanceof StructuredSender) {
 			// Always send via structured data
 			syslog.getConfig().setUseStructuredData(true);
-		} else
-		if (sender instanceof PlainSender || sender instanceof CEFSender) {
+		} else if (sender instanceof PlainSender || sender instanceof CEFSender) {
 			// Will write this fields manually
 			syslog.getConfig().setSendLocalName(false);
 			syslog.getConfig().setSendLocalTimestamp(false);
@@ -255,30 +269,30 @@ public ConfigurationRequest getRequestedConfiguration() {
 			configurationRequest.addField(new TextField("host", "Syslog host", "localhost", "Remote host to send syslog messages to.", ConfigurationField.Optional.NOT_OPTIONAL));
 			configurationRequest.addField(new TextField("port", "Syslog port", "514", "Syslog port on the remote host. Default is 514.", ConfigurationField.Optional.NOT_OPTIONAL));
 
-      HashMap<String, String> types = new HashMap<String,String>();
-      types.put("plain", "plain");
-      types.put("structured", "structured");
-      types.put("cef", "cef");
-      types.put("full", "full");
-      types.put("transparent", "transparent");
-      types.put("snare", "snare");
+			HashMap<String, String> types = new HashMap<String, String>();
+			types.put("plain", "plain");
+			types.put("structured", "structured");
+			types.put("cef", "cef");
+			types.put("full", "full");
+			types.put("transparent", "transparent");
+			types.put("snare", "snare");
 
 			final Map<String, String> formats = ImmutableMap.copyOf(types);
 			configurationRequest.addField(new DropdownField(
 					"format", "Message format", "plain", formats,
 					"Message format. For detailed explanation, see https://github.com/wizecore/graylog2-output-syslog",
 					ConfigurationField.Optional.NOT_OPTIONAL)
 			);
-      configurationRequest.addField(new BooleanField("transparentFormatRemoveHeader", "Remove header (only for transparent)", false, "Do not insert timestamp header when it forwards the message content."));
+			configurationRequest.addField(new BooleanField("transparentFormatRemoveHeader", "Remove header (only for transparent)", false, "Do not insert header when it forwards the message content."));
 
 			configurationRequest.addField(new TextField("maxlen", "Maximum message length", "", "Maximum message (body) length. Longer messages will be truncated. If not specified defaults to 16384 bytes.", ConfigurationField.Optional.OPTIONAL));
-			
+
 			configurationRequest.addField(new TextField("keystore", "Key store", "", "Path to Java keystore (required for SSL over TCP). Must contain private key and cert for this client.", ConfigurationField.Optional.OPTIONAL));
 			configurationRequest.addField(new TextField("keystorePassword", "Key store password", "", "", ConfigurationField.Optional.OPTIONAL));
-			
+
 			configurationRequest.addField(new TextField("truststore", "Trust store", "", "Path to Java keystore (required for SSL over TCP). Optional (if not set, equals to key store). Must contain peers we trust connecting to.", ConfigurationField.Optional.OPTIONAL));
 			configurationRequest.addField(new TextField("truststorePassword", "Trust store password", "", "", ConfigurationField.Optional.OPTIONAL));
-			
+
 			return configurationRequest;
 		}
 	}

src/main/java/com/wizecore/graylog2/plugin/TransparentSyslogSender.java

@@ -0,0 +1,203 @@
+package com.wizecore.graylog2.plugin;
+
+import org.graylog2.plugin.Message;
+import org.graylog2.plugin.configuration.Configuration;
+import org.graylog2.syslog4j.SyslogConstants;
+import org.graylog2.syslog4j.SyslogIF;
+import org.joda.time.DateTime;
+
+import java.text.SimpleDateFormat;
+import java.util.Date;
+import java.util.Locale;
+import java.util.logging.Logger;
+
+/**
+ * Retain as much as possible original message, facility and level, giving maximum compatibility to the Graylog internal syslog input,
+ * so that messages recevied will be sent unmodified to the remote syslog server.
+ */
+public class TransparentSyslogSender implements MessageSender {
+	private Logger log = Logger.getLogger(TransparentSyslogSender.class.getName());
+	private boolean removeHeader = false;
+
+	public static final String SYSLOG_DATEFORMAT = "MMM dd HH:mm:ss";
+
+	public TransparentSyslogSender(Configuration conf) {
+		removeHeader = conf.getBoolean("transparentFormatRemoveHeader");
+	}
+
+
+	/**
+	 * From syslog4j
+	 *
+	 * @param dt
+	 * @return
+	 */
+	public static void appendSyslogTimestamp(Message msg, StringBuilder buffer) {
+		SimpleDateFormat dateFormat = new SimpleDateFormat(SYSLOG_DATEFORMAT, Locale.ENGLISH);
+
+		Date dt = null;
+		Object ts = msg.getField("timestamp");
+		if (ts instanceof Number) {
+			dt = new Date(((Number) ts).longValue());
+		} else if (ts instanceof DateTime) {
+			DateTime jt = ((DateTime) ts);
+			dt = jt.toDate();
+		} else {
+			System.out.println("Missing timestamp: " + msg.getId() + ", " + ts);
+		}
+
+		if (dt == null) {
+			dt = new Date();
+		}
+
+		String datePrefix = dateFormat.format(dt);
+
+		int pos = buffer.length() + 4;
+		buffer.append(datePrefix);
+
+		//  RFC 3164 requires leading space for days 1-9
+		if (buffer.charAt(pos) == '0') {
+			buffer.setCharAt(pos, ' ');
+		}
+	}
+
+	protected int findFacility(Message msg) {
+		int facility = SyslogConstants.FACILITY_USER;
+		// Use field from
+		Object fn = msg.getField("facility_num");
+		if (fn instanceof Number) {
+			return ((Number) fn).intValue();
+		}
+
+		fn = msg.getField("facility");
+		if (fn instanceof Number) {
+			facility = ((Number) fn).intValue();
+		} else if (fn instanceof String) {
+			String fs = ((String) fn);
+			// NB: Keep in sync with org.graylog2.plugin.Tools#syslogFacilityToReadable
+			switch (fs) {
+				case "kernel":
+					facility = 0;
+					break;
+				case "user-level":
+					facility = 1;
+					break;
+				case "mail":
+					facility = 2;
+					break;
+				case "system daemon":
+					facility = 3;
+					break;
+				case "security/authorization":
+					// SyslogConstants.FACILITY_AUTH
+					facility = 4;
+					// SyslogConstants.FACILITY_AUTHPRIV
+					// facility = 10;
+					break;
+				case "syslogd":
+					facility = 5;
+					break;
+				case "line printer":
+					facility = 6;
+					break;
+				case "network news":
+					facility = 7;
+					break;
+				case "UUCP":
+					facility = 8;
+					break;
+				case "clock":
+					// SyslogConstants.FACILITY_CLOCK
+					facility = 9;
+					// SyslogConstants.FACILITY_CLOCK2
+					// facility = 15;
+					break;
+				case "FTP":
+					facility = 11;
+					break;
+				case "NTP":
+					facility = 12;
+					break;
+				case "log audit":
+					facility = 13;
+					break;
+				case "log alert":
+					facility = 14;
+					break;
+				case "local0":
+					facility = 16;
+					break;
+				case "local1":
+					facility = 17;
+					break;
+				case "local2":
+					facility = 18;
+					break;
+				case "local3":
+					facility = 19;
+					break;
+				case "local4":
+					facility = 20;
+					break;
+				case "local5":
+					facility = 21;
+					break;
+				case "local6":
+					facility = 22;
+					break;
+				case "local7":
+					facility = 23;
+					break;
+				case "Unknown":
+				default:
+					System.err.println("Unknown literal facility: " + msg.getId() + ", " + fn);
+					facility = SyslogConstants.FACILITY_USER;
+			}
+		}
+		return facility;
+	}
+
+	protected void appendPriority(Message msg, int level, StringBuilder out) {
+		int facility = findFacility(msg);
+		facility = facility << 3;
+		int priority = facility + level;
+		out.append("<");
+		out.append(priority);
+		out.append(">");
+	}
+
+	@Override
+	public void send(SyslogIF syslog, int level, Message msg) {
+		StringBuilder out = new StringBuilder();
+		if (removeHeader != true) {
+			appendHeader(msg, level, out);
+		}
+
+		// Remove source (hostname) from source message
+		String str = msg.getMessage();
+		String source = msg.getSource();
+		if (source != null && str.startsWith(source) && str.substring(source.length(), source.length() + 1).equals(" ")) {
+			str = str.substring(source.length() + 1);
+		}
+		out.append(str);
+		syslog.log(level, out.toString());
+	}
+
+	protected void appendLocalName(Message msg, StringBuilder out) {
+		// Write source (host)
+		String source = msg.getSource();
+		if (source != null) {
+			out.append(source);
+		} else {
+			out.append("-");
+		}
+	}
+
+	public void appendHeader(Message msg, int level, StringBuilder out) {
+		appendPriority(msg, level, out);
+		appendSyslogTimestamp(msg, out);
+		out.append(" ");
+		appendLocalName(msg, out);
+		out.append(" ");
+	}
+}