Improved plain sender and structured sender. First implementation of CEF

Huksley · Huksley · commit f54de2364b3e · 2015-05-28T10:13:27.000+03:00
sender.
diff --git a/.gitignore b/.gitignore
@@ -16,3 +16,4 @@
 .jhw-cache
 /bin/
 /build/
+GraylogSyslogOutput.jar
diff --git a/src/main/java/com/wizecore/graylog2/plugin/CEFSender.java b/src/main/java/com/wizecore/graylog2/plugin/CEFSender.java
@@ -1,5 +1,7 @@
 package com.wizecore.graylog2.plugin;
 
+import java.util.Map;
+
 import org.graylog2.plugin.Message;
 import org.graylog2.syslog4j.SyslogIF;
 
@@ -11,8 +13,7 @@
  * http://blog.rootshell.be/2011/05/11/ossec-speaks-arcsight/
  * 
  * 
- * CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|\
-Name|Severity|Extension
+ * CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
 
 CEF:0|ArcSight|Logger|5.0.0.5355.2|sensor:115|Logger Internal Event|1|\
 cat=/Monitor/Sensor/Fan5 cs2=Current Value cnt=1 dvc=10.0.0.1 cs3=Ok \
@@ -23,6 +24,22 @@ public class CEFSender implements MessageSender {
 
 	@Override
 	public void send(SyslogIF syslog, int level, Message msg) {
-		throw new UnsupportedOperationException("CEF is not yet complete!");
+		StringBuilder out = new StringBuilder();
+		PlainSender.appendHeader(msg, out);
+		out.append("CEF:0|ArcSight|Logger|5.0.0.5355.2|log:1|");
+		String str = msg.getMessage();
+		if (str.contains("|")) {
+			str = str.replace("|", "");
+		}
+		out.append(str);
+		out.append("|").append(level) .append("|"); // severity
+		Map<String, Object> fields = msg.getFields();
+		for (String k: fields.keySet()) {
+			Object v = fields.get(k);
+			if (!k.equals("message") && !k.equals("full_message")) {
+    			String s = v != null ? v.toString() : "null";
+    			out.append(k).append('=').append(s);
+			}
+		}
 	}
 }
diff --git a/src/main/java/com/wizecore/graylog2/plugin/PlainSender.java b/src/main/java/com/wizecore/graylog2/plugin/PlainSender.java
@@ -10,6 +10,17 @@
 
 /**
  * Formats fields into message text 
+ * 
+
+        <34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8
+         ^priority
+         	^ version
+         	  ^ date 
+         	  						   ^ host
+         	  						   						 ^ APP-NAME
+         	  						   						 	^ structured data?
+         	  						   						 	  ^ MSGID 
+         	  						   						 	  	    
  */
 public class PlainSender implements MessageSender {
 	private Logger log = Logger.getLogger(PlainSender.class.getName());
@@ -22,23 +33,31 @@ public class PlainSender implements MessageSender {
 	 * @param dt
 	 * @return
 	 */
-	public static String formatTimestamp(Date dt) {
+	public static void appendSyslogTimestamp(Date dt, StringBuilder buffer) {
 		SimpleDateFormat dateFormat = new SimpleDateFormat(SYSLOG_DATEFORMAT,Locale.ENGLISH);		
 		String datePrefix = dateFormat.format(dt);	
 		
-		StringBuilder buffer = new StringBuilder();
 		int pos = buffer.length() + 4;		
 		buffer.append(datePrefix);
 	
 		//  RFC 3164 requires leading space for days 1-9
 		if (buffer.charAt(pos) == '0') {
 			buffer.setCharAt(pos,' ');
-		}	
-		return buffer.toString();
+		}
 	}
 	
 	@Override
 	public void send(SyslogIF syslog, int level, Message msg) {
+		StringBuilder out = new StringBuilder();
+		appendHeader(msg, out);
+		
+		out.append(msg.getMessage());
+		String str = out.toString();
+		log.info("Sending plain message: " + level + ", " + str);
+		syslog.log(level, str);
+	}
+
+	public static void appendHeader(Message msg, StringBuilder out) {
 		Date dt = null;
 		Object ts = msg.getField("timestamp");
 		if (ts != null && ts instanceof Number) {
@@ -49,36 +68,34 @@ public void send(SyslogIF syslog, int level, Message msg) {
 			dt = new Date();
 		}
 		
-		StringBuilder out = new StringBuilder();
-		
 		// Write time
-		out.append(formatTimestamp(dt));
+		appendSyslogTimestamp(dt, out);
 		out.append(" ");
 		
 		// Write source (host)
 		String source = msg.getSource();
 		if (source != null) {
 			out.append(source).append(" ");
+		} else {
+			out.append("- ");
 		}
 		
 		// Write service
 		Object facility = msg.getField("facility");
 		if (facility != null) {
-			out.append("[").append(facility.toString()).append("]");
+			out.append(facility.toString()).append(" ");
+		} else {
+			out.append("- ");
 		}
 		
+		// MSGID
 		Object username = msg.getField("username");
 		if (username != null) {
-			out.append("[").append(username.toString()).append("]");
-		}
-		
-		if (out.length() > 0) {
-			out.append(' ');
+			out.append(username.toString()).append(" ");
+		} else {
+			out.append("- ");
 		}
 		
-		out.append(msg.getMessage());
-		String str = out.toString();
-		log.info("Sending plain message: " + level + ", " + str);
-		syslog.log(level, str);
+		out.append(' ');
 	}
 }
diff --git a/src/main/java/com/wizecore/graylog2/plugin/StructuredSender.java b/src/main/java/com/wizecore/graylog2/plugin/StructuredSender.java
@@ -8,20 +8,55 @@
 import org.graylog2.syslog4j.SyslogIF;
 import org.graylog2.syslog4j.impl.message.structured.StructuredSyslogMessage;
 
+/**
+ * https://tools.ietf.org/html/rfc5424
+ * 
+ * <165>1 2003-10-11T22:14:15.003Z mymachine.example.com
+           evntslog - ID47 [exampleSDID@0 iut="3" eventSource=
+           "Application" eventID="1011"] BOMAn application
+           event log entry...
+
+ */
 public class StructuredSender implements MessageSender {
 	private Logger log = Logger.getLogger(StructuredSender.class.getName());
 
 	@Override
 	public void send(SyslogIF syslog, int level, Message msg) {		
-		Map<String, Map<String, String>> data = new HashMap<String, Map<String,String>>();
+		Map<String, String> sdParams = new HashMap<String, String>();
 		Map<String, Object> fields = msg.getFields();
 		for (String key: fields.keySet()) {
-			Map<String,String> inner = new HashMap<String, String>();
-			inner.put(key, fields.get(key).toString());
-			data.put(key, inner);
+			sdParams.put(key, fields.get(key).toString());
+		}
+		
+		// http://www.iana.org/assignments/enterprise-numbers/enterprise-numbers
+		// <name>@<enterpriseId>
+		String sdId = "all@0";
+		log.info("Sending " + level + ", " + msg.getId() + ", " + msg.getSource() + ", " + sdId + "=" + sdParams + ", " + msg.getMessage());
+		Map<String,Map<String,String>> sd = new HashMap<String, Map<String,String>>();
+		sd.put(sdId, sdParams);
+		
+		String msgId = null;		
+		if (msgId == null) {
+			String source = msg.getSource();
+    		if (source != null) {
+    			msgId = source;
+    		}
+		}		
+		if (msgId == null) {
+			msgId = "-";
+		}
+		
+		String sourceId = null;
+		if (sourceId == null) {
+			Object facility = msg.getField("facility");
+    		if (facility != null) {
+    			sourceId = facility.toString();
+    		}
+		}		
+		if (sourceId == null) {
+			sourceId = "-";
 		}
 		
-		log.info("Sending " + level + ", " + msg.getId() + ", " + msg.getSource() + ", " + data + ", " + msg.getMessage());
-		syslog.log(level, new StructuredSyslogMessage(msg.getId(), msg.getSource(), data, msg.getMessage()));
+		syslog.log(level, new StructuredSyslogMessage(msgId, sourceId, sd, msg.getMessage()));
 	}
 }
diff --git a/src/main/java/com/wizecore/graylog2/plugin/syslog.txt b/src/main/java/com/wizecore/graylog2/plugin/syslog.txt
@@ -0,0 +1,42 @@
+          Numerical             Facility
+             Code
+
+              0             kernel messages
+              1             user-level messages
+              2             mail system
+              3             system daemons
+              4             security/authorization messages
+              5             messages generated internally by syslogd
+              6             line printer subsystem
+              7             network news subsystem
+              8             UUCP subsystem
+              9             clock daemon
+             10             security/authorization messages
+             11             FTP daemon
+             12             NTP subsystem
+             13             log audit
+             14             log alert
+             15             clock daemon (note 2)
+             16             local use 0  (local0)
+             17             local use 1  (local1)
+             18             local use 2  (local2)
+             19             local use 3  (local3)
+             20             local use 4  (local4)
+             21             local use 5  (local5)
+             22             local use 6  (local6)
+             23             local use 7  (local7)
+             
+        Numerical         Severity
+             Code
+
+              0       Emergency: system is unusable
+              1       Alert: action must be taken immediately
+              2       Critical: critical conditions
+              3       Error: error conditions
+              4       Warning: warning conditions
+              5       Notice: normal but significant condition
+              6       Informational: informational messages
+              7       Debug: debug-level messages
+                           
+The Priority value is calculated by first multiplying the Facility
+   number by 8 and then adding the numerical value of the Severity.                           
