Github user ctramnitz commented on the issue:
https://github.com/apache/metron/pull/579
I think
https://github.com/apache/metron/pull/579/commits/ccd99dda3c8a72408ae13eeaca078af1e345a36c#diff-e0385f97ebea64bab3a83bceef70bb4aR67
```
expected.put(BasicPaloAltoFirewallParser.PaloAltoDomain, "<11>Jan 5 05:38:59 PAN1.exampleCustomer.com 1");
```
should be
```
expected.put(BasicPaloAltoFirewallParser.PaloAltoDomain, "1");
```
The rest is the syslog header, not the PA domain.
I'd suggest stripping the syslog header off the test data and assuming it will
also be stripped off on ingestion until we have a syslog pre-parsing capability
(i.e. https://issues.apache.org/jira/browse/METRON-1453).
I'm already doing this using rsyslog:
```
# Receive syslog over UDP and forward only the MSG part of each line to Kafka,
# so the PRI, timestamp and hostname never reach the parser.
module(load="imudp")
module(load="omkafka")

# Template that emits the message body only, without the trailing newline.
template(name="msgonly" type="string"
         string="%msg:::drop-last-lf%"
)

ruleset(name="udp514"){
  # e.g. a test on $fromhost-ip or $hostname that selects the firewall traffic
  if (<some-condition>) then {
    # Messages that could not be delivered to Kafka are written to errorfile.
    action(
      type="omkafka"
      broker=["<kafka_host>:6667"]
      confparam=["client.id=rsyslog", "compression.codec=snappy",
                 "socket.keepalive.enable=true"]
      topic="paloalto"
      template="msgonly"
      errorfile="/var/log/rsyslog_kafka_failures.log"
    )
  }
}

# Bind the UDP listener on port 514 to the ruleset above.
input(type="imudp" port="514" ruleset="udp514")
```
---
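The header/body split discussed in the comment above, as an added example that is not part of the PR, of Metron's parser, or of the commenter's rsyslog setup: a small Python helper that strips a BSD (RFC 3164) syslog header from a PAN-OS line when one is present, passes an already-stripped line through unchanged, and shows that the first CSV field (what the Metron test refers to as `PaloAltoDomain`) is `"1"` either way. The sample line is constructed for this example and is not taken from the Metron test data; the function names are my own.

```python
import re
from typing import Optional, Tuple

# RFC 3164 header: "<PRI>Mon DD HH:MM:SS hostname " followed by the message.
# Syslog pads single-digit days with a second space ("Jan  5"), hence \s+.
# An RFC 5424 line ("<11>1 2018-01-05T...") deliberately does not match and is
# returned untouched, so nothing is silently mangled.
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                 # PRI = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "  # e.g. "Jan  5 05:38:59"
    r"(?P<host>\S+) "                                      # sending host
    r"(?P<msg>.*)$",
    re.DOTALL,
)

# Constructed PAN-OS style CSV body (not real firewall output); field 1 is
# the value the Metron test stores as PaloAltoDomain.
PAN_BODY = (
    "1,2018/01/05 05:38:59,001606001116,THREAT,url,1,2018/01/05 05:38:58,"
    "10.0.0.1,10.0.0.2,0.0.0.0,0.0.0.0,rule1,,,web-browsing,vsys1,trust,untrust"
)
# The same body as it would arrive straight from the firewall over UDP 514.
SAMPLE_WITH_HEADER = "<11>Jan  5 05:38:59 PAN1.exampleCustomer.com " + PAN_BODY
# The same body after a forwarder (e.g. the rsyslog "msgonly" template) removed the header.
SAMPLE_STRIPPED = PAN_BODY


def strip_syslog_header(line: str) -> Tuple[Optional[dict], str]:
    """Split a line into (header, body).

    header is a dict with facility/severity/timestamp/host when an RFC 3164
    header is present, otherwise None; body is the message with any leading
    space removed (some forwarders keep the space that follows the header).
    """
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None, line
    pri = int(m.group("pri"))
    header = {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
    }
    return header, m.group("msg").lstrip()


def palo_alto_domain(line: str) -> str:
    """First CSV field of the PAN-OS body, header or no header."""
    _, body = strip_syslog_header(line)
    return body.split(",", 1)[0]


if __name__ == "__main__":
    for sample in (SAMPLE_WITH_HEADER, SAMPLE_STRIPPED):
        header, body = strip_syslog_header(sample)
        print(header, "->", palo_alto_domain(sample), "|", body[:40])
```

Feeding the parser the body only, whether the header was removed here or by rsyslog upstream, is what makes the expected value `"1"` rather than the whole header plus `1`.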