[ https://issues.apache.org/jira/browse/METRON-1750?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16596310#comment-16596310 ]

ASF GitHub Bot commented on METRON-1750:
----------------------------------------

Github user cestella commented on a diff in the pull request:

    https://github.com/apache/metron/pull/1175#discussion_r213670531
  
    --- Diff: 
metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/syslog/Syslog5424Parser.java
 ---
    @@ -0,0 +1,75 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements.  See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership.  The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License.  You may obtain a copy of the License at
    + *
    + *     http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +
    +package org.apache.metron.parsers.syslog;
    +
    +import com.github.palindromicity.syslog.NilPolicy;
    +import com.github.palindromicity.syslog.SyslogParser;
    +import com.github.palindromicity.syslog.SyslogParserBuilder;
    +import com.github.palindromicity.syslog.dsl.SyslogFieldKeys;
    +import java.util.Collections;
    +import java.util.List;
    +import java.util.Map;
    +import org.apache.metron.parsers.BasicParser;
    +import org.json.simple.JSONObject;
    +
    +
    +
    +/**
    + * Parser for well structured RFC 5424 messages.
    + */
    +public class Syslog5424Parser extends BasicParser {
    +  public static final String NIL_POLICY_CONFIG = "nilPolicy";
    +  private transient SyslogParser syslogParser;
    +
    +  @Override
    +  public void configure(Map<String, Object> config) {
    +    // Default to OMIT policy for nil fields
    +    // this means they will not be in the returned field set
    +    String nilPolicyStr = (String) 
config.getOrDefault(NIL_POLICY_CONFIG,NilPolicy.OMIT.name());
    +    NilPolicy nilPolicy = NilPolicy.valueOf(nilPolicyStr);
    +    syslogParser = new 
SyslogParserBuilder().withNilPolicy(nilPolicy).build();
    +  }
    +
    +  @Override
    +  public void init() {
    +  }
    +
    +  @Override
    +  @SuppressWarnings("unchecked")
    +  public List<JSONObject> parse(byte[] rawMessage) {
    +    try {
    +      if (rawMessage == null || rawMessage.length == 0) {
    +        return null;
    +      }
    +
    +      String originalString = new String(rawMessage);
    +      JSONObject jsonObject = new 
JSONObject(syslogParser.parseLine(originalString));
    +
    +      // be sure to put in the original string, and the timestamp.
    +      // we wil just copy over the timestamp from the syslog
    +      jsonObject.put("original_string", originalString);
    +      jsonObject.put("timestamp", 
jsonObject.get(SyslogFieldKeys.HEADER_TIMESTAMP.getField()));
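
Review bot: In parse(), `new String(rawMessage)` decodes the bytes with the JVM's default charset, so the same raw message can yield a different original_string and different parsed fields depending on how the host is configured; pass an explicit charset, for example `new String(rawMessage, StandardCharsets.UTF_8)`. In configure(), `NilPolicy.valueOf(nilPolicyStr)` throws IllegalArgumentException for any value that is not an exact enum constant name, and the `(String)` cast fails on a non-string setting, so a mistyped nilPolicy surfaces as an exception that does not name the config key; consider validating the value and reporting the accepted ones.
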
    --- End diff --
    
    Based on looking at the docs for the syslog library, it looks like it's 
possible to not have a timestamp (or to not validly parse a timestamp).  If we 
have a nil for timestamp here, we probably want to default like we do 
elsewhere, which is to current time.  What do you think?


> Create Parser for Syslog RFC 5424 Messages
> ------------------------------------------
>
>                 Key: METRON-1750
>                 URL: https://issues.apache.org/jira/browse/METRON-1750
>             Project: Metron
>          Issue Type: Sub-task
>            Reporter: Otto Fowler
>            Assignee: Otto Fowler
>            Priority: Major
>
> Create a Metron parser for working with valid RFC 5424 syslog messages, 
> including support for structured data



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
