Full support for plain syslog messages. Initial implementation of

structured syslog, CEF introduced.

Author: Huksley

.classpath

@@ -5,5 +5,6 @@
 	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER"/>
 	<classpathentry kind="lib" path="lib/graylog.jar"/>
 	<classpathentry kind="lib" path="lib/junit.jar"/>
+	<classpathentry kind="lib" path="lib/syslog4j-0.9.46.jar" sourcepath="lib/syslog4j-0.9.46.jar"/>
 	<classpathentry kind="output" path="build"/>
 </classpath>

lib/syslog4j-0.9.46.jar

@@ -0,0 +1,28 @@
+package com.wizecore.graylog2.plugin;
+
+import org.graylog2.plugin.Message;
+import org.graylog2.syslog4j.SyslogIF;
+
+/**
+ * Using CEF format
+ */
+
+/*
+ * http://blog.rootshell.be/2011/05/11/ossec-speaks-arcsight/
+ * 
+ * 
+ * CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|\
+Name|Severity|Extension
+
+CEF:0|ArcSight|Logger|5.0.0.5355.2|sensor:115|Logger Internal Event|1|\
+cat=/Monitor/Sensor/Fan5 cs2=Current Value cnt=1 dvc=10.0.0.1 cs3=Ok \
+cs1=null type=0 cs1Label=unit rt=1305034099211 cs3Label=Status cn1Label=value \
+cs2Label=timeframe
+ */
+public class CEFSender implements MessageSender {
+
+	@Override
+	public void send(SyslogIF syslog, int level, Message msg) {
+		throw new UnsupportedOperationException("CEF is not yet complete!");
+	}
+}

src/main/java/com/wizecore/graylog2/plugin/CEFSender.java

@@ -0,0 +1,11 @@
+package com.wizecore.graylog2.plugin;
+
+import org.graylog2.plugin.Message;
+import org.graylog2.syslog4j.SyslogIF;
+
+/**
+ * Optimized sender
+ */
+public interface MessageSender {
+	void send(SyslogIF syslog, int level, Message msg);
+}

src/main/java/com/wizecore/graylog2/plugin/MessageSender.java

@@ -0,0 +1,84 @@
+package com.wizecore.graylog2.plugin;
+
+import java.text.SimpleDateFormat;
+import java.util.Date;
+import java.util.Locale;
+import java.util.logging.Logger;
+
+import org.graylog2.plugin.Message;
+import org.graylog2.syslog4j.SyslogIF;
+
+/**
+ * Formats fields into message text 
+ */
+public class PlainSender implements MessageSender {
+	private Logger log = Logger.getLogger(PlainSender.class.getName());
+
+	public static final String SYSLOG_DATEFORMAT = "MMM dd HH:mm:ss";
+	
+	/**
+	 * From syslog4j
+	 * 
+	 * @param dt
+	 * @return
+	 */
+	public static String formatTimestamp(Date dt) {
+		SimpleDateFormat dateFormat = new SimpleDateFormat(SYSLOG_DATEFORMAT,Locale.ENGLISH);		
+		String datePrefix = dateFormat.format(dt);	
+		
+		StringBuilder buffer = new StringBuilder();
+		int pos = buffer.length() + 4;		
+		buffer.append(datePrefix);
+	
+		//  RFC 3164 requires leading space for days 1-9
+		if (buffer.charAt(pos) == '0') {
+			buffer.setCharAt(pos,' ');
+		}	
+		return buffer.toString();
+	}
+	
+	@Override
+	public void send(SyslogIF syslog, int level, Message msg) {
+		Date dt = null;
+		Object ts = msg.getField("timestamp");
+		if (ts != null && ts instanceof Number) {
+			dt = new Date(((Number) ts).longValue());
+		}
+		
+		if (dt == null) {
+			dt = new Date();
+		}
+		
+		StringBuilder out = new StringBuilder();
+		
+		// Write time
+		out.append(formatTimestamp(dt));
+		out.append(" ");
+		
+		// Write source (host)
+		String source = msg.getSource();
+		if (source != null) {
+			out.append(source).append(" ");
+		}
+		
+		// Write service
+		Object facility = msg.getField("facility");
+		if (facility != null) {
+			out.append("[").append(facility.toString()).append("]");
+		}
+		
+		Object username = msg.getField("username");
+		if (username != null) {
+			out.append("[").append(username.toString()).append("]");
+		}
+		
+		if (out.length() > 0) {
+			out.append(' ');
+		}
+		
+		out.append(msg.getMessage());
+		String str = out.toString();
+		log.info("Sending plain message: " + level + ", " + str);
+		syslog.log(level, str);
+	}
+}

src/main/java/com/wizecore/graylog2/plugin/PlainSender.java

@@ -0,0 +1,27 @@
+package com.wizecore.graylog2.plugin;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.logging.Logger;
+
+import org.graylog2.plugin.Message;
+import org.graylog2.syslog4j.SyslogIF;
+import org.graylog2.syslog4j.impl.message.structured.StructuredSyslogMessage;
+
+public class StructuredSender implements MessageSender {
+	private Logger log = Logger.getLogger(StructuredSender.class.getName());
+
+	@Override
+	public void send(SyslogIF syslog, int level, Message msg) {		
+		Map<String, Map<String, String>> data = new HashMap<String, Map<String,String>>();
+		Map<String, Object> fields = msg.getFields();
+		for (String key: fields.keySet()) {
+			Map<String,String> inner = new HashMap<String, String>();
+			inner.put(key, fields.get(key).toString());
+			data.put(key, inner);
+		}
+		
+		log.info("Sending " + level + ", " + msg.getId() + ", " + msg.getSource() + ", " + data + ", " + msg.getMessage());
+		syslog.log(level, new StructuredSyslogMessage(msg.getId(), msg.getSource(), data, msg.getMessage()));
+	}
+}