asfgit closed pull request #1279: METRON-1893 Syslog RFC-3164 parser URL: https://github.com/apache/metron/pull/1279
This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic):
diff --git a/dependencies_with_url.csv b/dependencies_with_url.csv
index 17453f5718..745e3c9f8a 100644
--- a/dependencies_with_url.csv
+++ b/dependencies_with_url.csv
@@ -488,7 +488,7 @@ org.sonatype.sisu:sisu-inject-bean:jar:2.2.2:compile
 org.sonatype.sisu:sisu-inject-plexus:jar:2.2.2:compile
 com.zaxxer:HikariCP:jar:2.7.8:compile,ASLv2,https://github.com/brettwooldridge/HikariCP
 org.hibernate.validator:hibernate-validator:jar:6.0.9.Final:compile,ASLv2,https://github.com/hibernate/hibernate-validator
-com.github.palindromicity:simple-syslog-5424:jar:0.0.9:compile,ASLv2,https://github.com/palindromicity/simple-syslog-5424
+com.github.palindromicity:simple-syslog:jar:0.0.1:compile,ASLv2,https://github.com/palindromicity/simple-syslog
 org.elasticsearch.client:elasticsearch-rest-high-level-client:jar:5.6.14:compile,ASLv2,https://github.com/elastic/elasticsearch/blob/master/LICENSE.txt
 org.elasticsearch.plugin:aggs-matrix-stats-client:jar:5.6.14:compile,ASLv2,https://github.com/elastic/elasticsearch/blob/master/LICENSE.txt
 org.fusesource.jansi:jansi:jar:1.16:compile,ASLv2,https://github.com/fusesource/jansi/blob/master/license.txt
diff --git a/metron-platform/metron-integration-test/src/main/sample/data/syslog3164/parsed/Syslog3164Parsed b/metron-platform/metron-integration-test/src/main/sample/data/syslog3164/parsed/Syslog3164Parsed
new file mode 100644
index 0000000000..4e90b46a0c
--- /dev/null
+++ b/metron-platform/metron-integration-test/src/main/sample/data/syslog3164/parsed/Syslog3164Parsed 
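Review bot: The added row for `com.github.palindromicity:simple-syslog:jar:0.0.1` carries over the `ASLv2` license value from the `simple-syslog-5424` row it replaces, but it names a different artifact at what looks like a first release, so the license should be confirmed against that artifact's own POM or LICENSE file rather than inherited from the old row. This CSV only tracks third-party licenses and URLs; the corresponding Maven coordinate change presumably lives in a pom.xml outside this hunk, and the version pinned there should agree with the `0.0.1` recorded here. If the `simple-syslog-5424` artifact is still pulled in anywhere in the build, dropping its row leaves that dependency untracked in this file, so its removal from the build should land in the same change.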
@@ -0,0 +1,100 @@ +{"syslog.header.hostName":"10.22.8.216","original_string":"<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-609001: Built local-host inside:10.22.8.205","syslog.header.facility":"20","guid":"4f2beee4-c6d3-4282-b5e1-be42417e717e","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-7-609001: Built local-host inside:10.22.8.205","syslog.header.pri":"167","syslog.header.severity":"7","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.74\/0(LOCAL\\user.name) gaddr 10.22.8.205\/0 laddr 10.22.8.205\/0","syslog.header.facility":"20","guid":"4e86e51e-a970-4a96-bb79-7d400030755c","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.74\/0(LOCAL\\user.name) gaddr 10.22.8.205\/0 laddr 10.22.8.205\/0","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00","syslog.header.facility":"20","guid":"430bbc53-48e9-4f57-bfa6-18a28b7b0223","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00","syslog.header.pri":"167","syslog.header.severity":"7","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167725 for Outside_VPN:147.111.72.16\/26436 to DMZ-Inside:10.22.8.53\/443 duration 0:00:00 bytes 9687 TCP FINs","syslog.header.facility":"17","guid":"8032a334-9c48-4863-ae7b-1b14bfdb5ca7","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488167725 for Outside_VPN:147.111.72.16\/26436 
to DMZ-Inside:10.22.8.53\/443 duration 0:00:00 bytes 9687 TCP FINs","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212805593 for outside:10.22.8.223\/59614(LOCAL\\user.name) to inside:10.22.8.78\/8102 duration 0:00:07 bytes 3433 TCP FINs (user.name)","syslog.header.facility":"20","guid":"583888b8-52a7-4833-a62e-0a53572c956c","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 212805593 for outside:10.22.8.223\/59614(LOCAL\\user.name) to inside:10.22.8.78\/8102 duration 0:00:07 bytes 3433 TCP FINs (user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.212","original_string":"<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245503 for outside:10.22.8.233\/54209 (10.22.8.233\/54209) to inside:198.111.72.238\/443 (198.111.72.238\/443) (user.name)","syslog.header.facility":"21","guid":"07ed512a-6572-4a51-b63e-3953eaa18d1b","syslog.header.timestamp":"Jan 5 14:52:35","syslog.message":"%ASA-6-302013: Built inbound TCP connection 76245503 for outside:10.22.8.233\/54209 (10.22.8.233\/54209) to inside:198.111.72.238\/443 (198.111.72.238\/443) (user.name)","syslog.header.pri":"174","syslog.header.severity":"6","timestamp":1515163955000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806031 for outside:10.22.8.17\/58633 (10.22.8.17\/58633)(LOCAL\\user.name) to inside:10.22.8.12\/389 (10.22.8.12\/389) (user.name)","syslog.header.facility":"20","guid":"7a90799e-3ecd-4928-9096-557b1d012b8e","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302013: Built inbound TCP connection 
212806031 for outside:10.22.8.17\/58633 (10.22.8.17\/58633)(LOCAL\\user.name) to inside:10.22.8.12\/389 (10.22.8.12\/389) (user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168292 for DMZ-Inside:10.22.8.51\/51231 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 2103 TCP FINs","syslog.header.facility":"17","guid":"8e56f63c-2b81-4802-83c5-28648f407a93","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168292 for DMZ-Inside:10.22.8.51\/51231 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 2103 TCP FINs","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 186.111.72.11\/80 to 204.111.72.226\/45019 flags SYN ACK on interface Outside_VPN","syslog.header.facility":"17","guid":"f883a23c-85b7-4f8d-9f23-ca934aece337","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-106015: Deny TCP (no connection) from 186.111.72.11\/80 to 204.111.72.226\/45019 flags SYN ACK on interface Outside_VPN","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302014: Teardown TCP connection 17604987 for outside:209.111.72.151\/443 to inside:10.22.8.188\/64306 duration 0:00:31 bytes 10128 TCP FINs","syslog.header.facility":"20","guid":"6f1baf12-3725-447c-9ca4-c4ae4b9fd801","syslog.header.timestamp":"Jan 5 09:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 17604987 for outside:209.111.72.151\/443 to inside:10.22.8.188\/64306 duration 0:00:31 bytes 10128 
TCP FINs","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515145955000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302014: Teardown TCP connection 17604999 for outside:209.111.72.151\/443 to inside:10.22.8.188\/64307 duration 0:00:30 bytes 6370 TCP FINs","syslog.header.facility":"20","guid":"8dcb24c3-6b65-4057-9c7d-cb5c63f72016","syslog.header.timestamp":"Jan 5 09:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 17604999 for outside:209.111.72.151\/443 to inside:10.22.8.188\/64307 duration 0:00:30 bytes 6370 TCP FINs","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515145955000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167347 for Outside_VPN:198.111.72.24\/2134 to DMZ-Inside:10.22.8.53\/443 duration 0:00:01 bytes 9785 TCP FINs","syslog.header.facility":"17","guid":"cb019c2b-302b-4c7f-8726-f70bd88b2d69","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488167347 for Outside_VPN:198.111.72.24\/2134 to DMZ-Inside:10.22.8.53\/443 duration 0:00:01 bytes 9785 TCP FINs","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.212","original_string":"<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245506 for outside:10.22.8.110\/49886 (10.22.8.110\/49886) to inside:192.111.72.8\/8612 (192.111.72.8\/8612) (user.name)","syslog.header.facility":"21","guid":"b2de2222-95bd-492e-bd2a-785242d7adcd","syslog.header.timestamp":"Jan 5 14:52:35","syslog.message":"%ASA-6-302015: Built inbound UDP connection 76245506 for outside:10.22.8.110\/49886 (10.22.8.110\/49886) to inside:192.111.72.8\/8612 (192.111.72.8\/8612) 
(user.name)","syslog.header.pri":"174","syslog.header.severity":"6","timestamp":1515163955000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212805993 for outside:10.22.8.89\/56917(LOCAL\\user.name) to inside:216.111.72.126\/443 duration 0:00:00 bytes 0 TCP FINs (user.name)","syslog.header.facility":"20","guid":"10b7f2e0-1f40-4f7f-a0fd-d40d32a11837","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 212805993 for outside:10.22.8.89\/56917(LOCAL\\user.name) to inside:216.111.72.126\/443 duration 0:00:00 bytes 0 TCP FINs (user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-710005: UDP request discarded from 10.22.8.223\/49192 to outside:224.111.72.252\/5355","syslog.header.facility":"20","guid":"663af706-af43-4c02-8308-1513c8111bea","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-7-710005: UDP request discarded from 10.22.8.223\/49192 to outside:224.111.72.252\/5355","syslog.header.pri":"167","syslog.header.severity":"7","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488166143 for Outside_VPN:198.111.72.64\/80 to Inside-Trunk:10.22.8.39\/54883 duration 0:00:04 bytes 1148 TCP FINs","syslog.header.facility":"17","guid":"4ccf7d55-4281-475f-acaa-909b3efd81f0","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488166143 for Outside_VPN:198.111.72.64\/80 to Inside-Trunk:10.22.8.39\/54883 duration 0:00:04 bytes 1148 TCP FINs","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} 
+{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-106015: Deny TCP (no connection) from 10.22.8.84\/445 to 10.22.8.219\/60726 flags ACK on interface inside","syslog.header.facility":"20","guid":"48d112e2-7569-4661-ba42-f33db2f4e190","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-106015: Deny TCP (no connection) from 10.22.8.84\/445 to 10.22.8.219\/60726 flags ACK on interface inside","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168344 for DMZ-Inside:10.22.8.53\/61682 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 5648 TCP FINs","syslog.header.facility":"17","guid":"2bc1288b-8216-460a-8060-f12f51118085","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168344 for DMZ-Inside:10.22.8.53\/61682 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 5648 TCP FINs","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168345 for DMZ-Inside:10.22.8.16\/31454 to Inside-Trunk:10.22.8.21\/443 duration 0:00:00 bytes 756 TCP FINs","syslog.header.facility":"17","guid":"ee8145ce-60a1-4059-95a2-ddf29f23159d","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168345 for DMZ-Inside:10.22.8.16\/31454 to Inside-Trunk:10.22.8.21\/443 duration 0:00:00 bytes 756 TCP FINs","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.4","original_string":"<182>Jan 5 20:22:35 10.22.8.4 %ASA-6-302020: Built inbound ICMP connection for faddr 
10.22.8.12\/0 gaddr 10.22.8.45\/1 laddr 10.22.8.45\/1","syslog.header.facility":"22","guid":"83246ca7-d2ce-494e-86c3-c2a38f44c581","syslog.header.timestamp":"Jan 5 20:22:35","syslog.message":"%ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.12\/0 gaddr 10.22.8.45\/1 laddr 10.22.8.45\/1","syslog.header.pri":"182","syslog.header.severity":"6","timestamp":1515183755000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 50.111.72.230\/80 to 204.111.72.254\/53077 flags RST on interface Outside_VPN","syslog.header.facility":"17","guid":"c7019d2a-819c-44c3-a31a-27d104dc8b2c","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-106015: Deny TCP (no connection) from 50.111.72.230\/80 to 204.111.72.254\/53077 flags RST on interface Outside_VPN","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603649 for outside:206.111.72.2\/161 to inside:10.22.8.48\/63297 duration 0:02:01 bytes 209","syslog.header.facility":"20","guid":"f4a6f93d-d94e-4fd0-bd3d-e3ecd22ead31","syslog.header.timestamp":"Jan 5 09:52:35","syslog.message":"%ASA-6-302016: Teardown UDP connection 17603649 for outside:206.111.72.2\/161 to inside:10.22.8.48\/63297 duration 0:02:01 bytes 209","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515145955000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603650 for outside:207.111.72.122\/161 to inside:10.22.8.48\/63298 duration 0:02:01 bytes 209","syslog.header.facility":"20","guid":"4eeed9d1-0619-482a-815d-8e2711c9197d","syslog.header.timestamp":"Jan 5 09:52:35","syslog.message":"%ASA-6-302016: Teardown UDP 
connection 17603650 for outside:207.111.72.122\/161 to inside:10.22.8.48\/63298 duration 0:02:01 bytes 209","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515145955000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603652 for outside:206.111.72.2\/161 to inside:10.22.8.48\/63300 duration 0:02:01 bytes 115","syslog.header.facility":"20","guid":"ace7f8c0-fdbd-475b-81d0-42ea557f9b02","syslog.header.timestamp":"Jan 5 09:52:35","syslog.message":"%ASA-6-302016: Teardown UDP connection 17603652 for outside:206.111.72.2\/161 to inside:10.22.8.48\/63300 duration 0:02:01 bytes 115","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515145955000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603657 for outside:206.111.72.2\/161 to inside:10.22.8.48\/63306 duration 0:02:01 bytes 115","syslog.header.facility":"20","guid":"88652169-336a-49ad-a0cc-cdbe627dabe3","syslog.header.timestamp":"Jan 5 09:52:35","syslog.message":"%ASA-6-302016: Teardown UDP connection 17603657 for outside:206.111.72.2\/161 to inside:10.22.8.48\/63306 duration 0:02:01 bytes 115","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515145955000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168436 for DMZ-Inside:10.22.8.51\/51235 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 2497 TCP FINs","syslog.header.facility":"17","guid":"cce6c817-4237-4970-9868-95bb9cb88769","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168436 for DMZ-Inside:10.22.8.51\/51235 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 2497 TCP 
FINs","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167656 for Outside_VPN:69.111.72.70\/21560 to DMZ-Inside:10.22.8.53\/443 duration 0:00:01 bytes 11410 TCP FINs","syslog.header.facility":"17","guid":"c80fe260-62a1-44bc-9790-380730505321","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488167656 for Outside_VPN:69.111.72.70\/21560 to DMZ-Inside:10.22.8.53\/443 duration 0:00:01 bytes 11410 TCP FINs","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806050 for outside:10.22.8.62\/53965 (10.22.8.62\/53965)(LOCAL\\user.name) to inside:10.22.8.85\/53 (10.22.8.85\/53) (user.name)","syslog.header.facility":"20","guid":"d2aeae4b-099e-44a8-803e-e6f3efc6b681","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302015: Built inbound UDP connection 212806050 for outside:10.22.8.62\/53965 (10.22.8.62\/53965)(LOCAL\\user.name) to inside:10.22.8.85\/53 (10.22.8.85\/53) (user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806052 for outside:10.22.8.62\/56500 (10.22.8.62\/56500)(LOCAL\\user.name) to inside:198.111.72.83\/443 (198.111.72.83\/443) (user.name)","syslog.header.facility":"20","guid":"4c17cf2e-7614-4bff-b786-b928ac108949","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302013: Built inbound TCP connection 212806052 for outside:10.22.8.62\/56500 (10.22.8.62\/56500)(LOCAL\\user.name) to 
inside:198.111.72.83\/443 (198.111.72.83\/443) (user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806054 for outside:10.22.8.62\/56502 (10.22.8.62\/56502)(LOCAL\\user.name) to inside:50.111.72.252\/443 (50.111.72.252\/443) (user.name)","syslog.header.facility":"20","guid":"d14e6612-5694-4114-b305-c8176c661f04","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302013: Built inbound TCP connection 212806054 for outside:10.22.8.62\/56502 (10.22.8.62\/56502)(LOCAL\\user.name) to inside:50.111.72.252\/443 (50.111.72.252\/443) (user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-305011: Built dynamic TCP translation from inside:10.22.8.188\/64340 to outside:206.111.72.41\/2013","syslog.header.facility":"20","guid":"4ecfc895-d27b-448f-8d29-88fae8bfdc15","syslog.header.timestamp":"Jan 5 09:52:35","syslog.message":"%ASA-6-305011: Built dynamic TCP translation from inside:10.22.8.188\/64340 to outside:206.111.72.41\/2013","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515145955000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.33","original_string":"<166>Jan 5 15:52:35 10.22.8.33 %ASA-6-305012: Teardown dynamic UDP translation from inside:192.111.72.2\/62251 to outside:79.111.72.174\/21311 duration 0:02:30","syslog.header.facility":"20","guid":"e1cf9c5f-40e9-4cce-8d96-ca4b54fcbe89","syslog.header.timestamp":"Jan 5 15:52:35","syslog.message":"%ASA-6-305012: Teardown dynamic UDP translation from inside:192.111.72.2\/62251 to outside:79.111.72.174\/21311 duration 
0:02:30","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515167555000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806058 for outside:10.22.8.221\/56631 (10.22.8.221\/56631)(LOCAL\\user.name) to inside:10.22.8.26\/389 (10.22.8.26\/389) (user.name)","syslog.header.facility":"20","guid":"749d6df7-18d1-4a81-bbea-0dee8f4c89a8","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302015: Built inbound UDP connection 212806058 for outside:10.22.8.221\/56631 (10.22.8.221\/56631)(LOCAL\\user.name) to inside:10.22.8.26\/389 (10.22.8.26\/389) (user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168189 for Outside_VPN:209.111.72.10\/56619 to DMZ-Inside:10.22.8.53\/443 duration 0:00:00 bytes 2477 TCP FINs","syslog.header.facility":"17","guid":"131157d7-fcb9-4f4f-82c9-9b8f0c21bcd0","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168189 for Outside_VPN:209.111.72.10\/56619 to DMZ-Inside:10.22.8.53\/443 duration 0:00:00 bytes 2477 TCP FINs","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 10.22.8.112\/52235 to 198.111.72.227\/80 flags ACK on interface Inside-Trunk","syslog.header.facility":"17","guid":"cdedb97f-8a06-4427-95e4-2dae888b5942","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-106015: Deny TCP (no connection) from 10.22.8.112\/52235 to 198.111.72.227\/80 flags ACK on interface 
Inside-Trunk","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167192 for Outside_VPN:115.111.72.7\/49196 to DMZ-Inside:10.22.8.57\/443 duration 0:00:02 bytes 20588 TCP Reset-O","syslog.header.facility":"17","guid":"1fc183f6-8390-425f-a79b-a7e17ce95747","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488167192 for Outside_VPN:115.111.72.7\/49196 to DMZ-Inside:10.22.8.57\/443 duration 0:00:02 bytes 20588 TCP Reset-O","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212806055 for outside:10.22.8.62\/55383(LOCAL\\user.name) to inside:10.22.8.85\/53 duration 0:00:00 bytes 349 (user.name)","syslog.header.facility":"20","guid":"1dd165c4-602d-444b-88f4-600d6c05cb96","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302016: Teardown UDP connection 212806055 for outside:10.22.8.62\/55383(LOCAL\\user.name) to inside:10.22.8.85\/53 duration 0:00:00 bytes 349 (user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168380 for Outside_VPN:74.111.72.12\/443 to Inside-Trunk:10.22.8.39\/54894 duration 0:00:00 bytes 5701 TCP FINs","syslog.header.facility":"17","guid":"920adf53-ca83-40b2-9ddf-2b034047dafb","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168380 for Outside_VPN:74.111.72.12\/443 to Inside-Trunk:10.22.8.39\/54894 duration 0:00:00 bytes 5701 TCP 
FINs","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.212","original_string":"<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245522 for outside:10.22.8.147\/56343 (10.22.8.147\/56343) to inside:209.111.72.151\/443 (209.111.72.151\/443) (user.name)","syslog.header.facility":"21","guid":"26d79381-d0be-44ec-ba05-93cec39f5461","syslog.header.timestamp":"Jan 5 14:52:35","syslog.message":"%ASA-6-302013: Built inbound TCP connection 76245522 for outside:10.22.8.147\/56343 (10.22.8.147\/56343) to inside:209.111.72.151\/443 (209.111.72.151\/443) (user.name)","syslog.header.pri":"174","syslog.header.severity":"6","timestamp":1515163955000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168443 for Outside_VPN:23.111.72.27\/80 to Inside-Trunk:10.22.8.81\/64713 duration 0:00:00 bytes 2426 TCP FINs","syslog.header.facility":"17","guid":"54c06801-f175-46e9-b6e5-d47cd9fb4731","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168443 for Outside_VPN:23.111.72.27\/80 to Inside-Trunk:10.22.8.81\/64713 duration 0:00:00 bytes 2426 TCP FINs","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488111566 for Outside_VPN:131.111.72.49\/443 to Inside-Trunk:10.22.8.127\/56558 duration 0:01:57 bytes 3614 TCP Reset-O","syslog.header.facility":"17","guid":"f556360d-b58b-469a-a8e9-29fa4915915f","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488111566 for Outside_VPN:131.111.72.49\/443 to Inside-Trunk:10.22.8.127\/56558 duration 0:01:57 bytes 3614 TCP 
Reset-O","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806061 for outside:10.22.8.17\/58635 (10.22.8.17\/58635)(LOCAL\\user.name) to inside:10.22.8.12\/389 (10.22.8.12\/389) (user.name)","syslog.header.facility":"20","guid":"68149a18-1f1f-4b5e-b619-61077e84ee2e","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302013: Built inbound TCP connection 212806061 for outside:10.22.8.17\/58635 (10.22.8.17\/58635)(LOCAL\\user.name) to inside:10.22.8.12\/389 (10.22.8.12\/389) (user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212806010 for outside:10.22.8.33\/60223(LOCAL\\user.name) to inside:10.22.8.86\/389 duration 0:00:00 bytes 416 TCP Reset-I (user.name)","syslog.header.facility":"20","guid":"222989b0-267e-4679-a28f-e3561f4b40f0","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 212806010 for outside:10.22.8.33\/60223(LOCAL\\user.name) to inside:10.22.8.86\/389 duration 0:00:00 bytes 416 TCP Reset-I (user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806062 for outside:10.22.8.221\/56632 (10.22.8.221\/56632)(LOCAL\\user.name) to inside:10.22.8.73\/389 (10.22.8.73\/389) (user.name)","syslog.header.facility":"20","guid":"01a3c7d7-a847-472f-912f-9fed08122a21","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302015: Built inbound UDP connection 212806062 for outside:10.22.8.221\/56632 
(10.22.8.221\/56632)(LOCAL\\user.name) to inside:10.22.8.73\/389 (10.22.8.73\/389) (user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00","syslog.header.facility":"20","guid":"b21487c7-a268-4389-8daf-48553e24be9e","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00","syslog.header.pri":"167","syslog.header.severity":"7","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168231 for Outside_VPN:204.111.72.243\/3011 to Inside-Trunk:10.22.8.208\/60037 duration 0:00:00 bytes 19415 TCP FINs","syslog.header.facility":"17","guid":"aa78ab45-e5f7-4c78-91ac-7782278121ba","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168231 for Outside_VPN:204.111.72.243\/3011 to Inside-Trunk:10.22.8.208\/60037 duration 0:00:00 bytes 19415 TCP FINs","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.41","original_string":"<166>Jan 5 16:52:35 10.22.8.41 %ASA-6-302013: Built inbound TCP connection 45476108 for Outside:10.22.8.97\/53484 (10.22.8.97\/53484)(LOCAL\\user.name) to Inside:141.111.72.70\/7576 (141.111.72.70\/7576) (user.name)","syslog.header.facility":"20","guid":"17255787-8e0b-441b-95f3-2847562976a0","syslog.header.timestamp":"Jan 5 16:52:35","syslog.message":"%ASA-6-302013: Built inbound TCP connection 45476108 for Outside:10.22.8.97\/53484 (10.22.8.97\/53484)(LOCAL\\user.name) to Inside:141.111.72.70\/7576 (141.111.72.70\/7576) 
(user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515171155000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.212","original_string":"<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245527 for outside:10.22.8.97\/65195 (10.22.8.97\/65195) to inside:17.111.72.212\/5223 (17.111.72.212\/5223) (user.name)","syslog.header.facility":"21","guid":"2afc28ff-6abc-4687-8980-29520e29fdd0","syslog.header.timestamp":"Jan 5 14:52:35","syslog.message":"%ASA-6-302013: Built inbound TCP connection 76245527 for outside:10.22.8.97\/65195 (10.22.8.97\/65195) to inside:17.111.72.212\/5223 (17.111.72.212\/5223) (user.name)","syslog.header.pri":"174","syslog.header.severity":"6","timestamp":1515163955000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212806018 for outside:10.22.8.17\/58632(LOCAL\\user.name) to inside:10.22.8.12\/389 duration 0:00:00 bytes 0 TCP FINs (user.name)","syslog.header.facility":"20","guid":"e1b89dd1-ac20-449d-89f3-c0bd6854e5f4","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 212806018 for outside:10.22.8.17\/58632(LOCAL\\user.name) to inside:10.22.8.12\/389 duration 0:00:00 bytes 0 TCP FINs (user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168562 for DMZ-Inside:10.22.8.51\/51236 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 2273 TCP FINs","syslog.header.facility":"17","guid":"883c4b0a-6fce-473b-accb-05e685f0cbf8","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168562 for DMZ-Inside:10.22.8.51\/51236 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 
2273 TCP FINs","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806065 for outside:10.22.8.62\/59829 (10.22.8.62\/59829)(LOCAL\\user.name) to inside:10.22.8.85\/53 (10.22.8.85\/53) (user.name)","syslog.header.facility":"20","guid":"1163b376-fc70-4ae9-81b4-0b037327fa5a","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302015: Built inbound UDP connection 212806065 for outside:10.22.8.62\/59829 (10.22.8.62\/59829)(LOCAL\\user.name) to inside:10.22.8.85\/53 (10.22.8.85\/53) (user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806067 for outside:10.22.8.143\/62675 (10.22.8.143\/62675)(LOCAL\\user.name) to inside:141.111.72.12\/389 (141.111.72.12\/389) (user.name)","syslog.header.facility":"20","guid":"48775c39-c9d8-4da9-a543-7a70abb2e456","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302013: Built inbound TCP connection 212806067 for outside:10.22.8.143\/62675 (10.22.8.143\/62675)(LOCAL\\user.name) to inside:141.111.72.12\/389 (141.111.72.12\/389) (user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-710005: UDP request discarded from 10.22.8.223\/61122 to outside:224.111.72.252\/5355","syslog.header.facility":"20","guid":"3ec72d5a-d659-4f0a-8be7-328f990d1678","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-7-710005: UDP request discarded from 10.22.8.223\/61122 to 
outside:224.111.72.252\/5355","syslog.header.pri":"167","syslog.header.severity":"7","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.143\/0(LOCAL\\user.name) gaddr 141.111.72.12\/0 laddr 141.111.72.12\/0 (user.name)","syslog.header.facility":"20","guid":"ce7ccaf5-f676-455d-a612-1c5856416c9c","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.143\/0(LOCAL\\user.name) gaddr 141.111.72.12\/0 laddr 141.111.72.12\/0 (user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168547 for Outside_VPN:107.111.72.102\/80 to Inside-Trunk:10.22.8.54\/61676 duration 0:00:00 bytes 1030 TCP FINs","syslog.header.facility":"17","guid":"fe02e22f-f3f4-4ba3-afe9-500519b4f0f4","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168547 for Outside_VPN:107.111.72.102\/80 to Inside-Trunk:10.22.8.54\/61676 duration 0:00:00 bytes 1030 TCP FINs","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806078 for outside:10.22.8.221\/56633 (10.22.8.221\/56633)(LOCAL\\user.name) to inside:10.22.8.20\/389 (10.22.8.20\/389) (user.name)","syslog.header.facility":"20","guid":"4e748582-a989-4605-abc1-70e30c6ce5b5","syslog.header.timestamp":"Jan 5 08:52:35","syslog.message":"%ASA-6-302015: Built inbound UDP connection 212806078 for outside:10.22.8.221\/56633 (10.22.8.221\/56633)(LOCAL\\user.name) to inside:10.22.8.20\/389 (10.22.8.20\/389) 
(user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142355000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-305011: Built dynamic TCP translation from inside:10.22.8.83\/59915 to outside:206.111.72.41\/22776","syslog.header.facility":"20","guid":"557f3bc8-e889-427d-97fe-7d9e4b61e932","syslog.header.timestamp":"Jan 5 09:52:35","syslog.message":"%ASA-6-305011: Built dynamic TCP translation from inside:10.22.8.83\/59915 to outside:206.111.72.41\/22776","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515145955000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168044 for Outside_VPN:50.111.72.39\/80 to Inside-Trunk:10.22.8.75\/60877 duration 0:00:01 bytes 13304 TCP FINs","syslog.header.facility":"17","guid":"d81d66f2-e6e0-42ff-b886-a02fd3893032","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168044 for Outside_VPN:50.111.72.39\/80 to Inside-Trunk:10.22.8.75\/60877 duration 0:00:01 bytes 13304 TCP FINs","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142356000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488118326 for Outside_VPN:23.111.72.27\/80 to Inside-Trunk:10.22.8.229\/57901 duration 0:01:45 bytes 1942 TCP FINs","syslog.header.facility":"17","guid":"e33243a6-d361-48da-9dd6-30fe1a2b0dbe","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 488118326 for Outside_VPN:23.111.72.27\/80 to Inside-Trunk:10.22.8.229\/57901 duration 0:01:45 bytes 1942 TCP FINs","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142356000,"source.type":"syslog3164"} 
+{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488160565 for Outside_VPN:72.111.72.29\/80 to Inside-Trunk:10.22.8.42\/57520 duration 0:00:15 bytes 1025 TCP FINs","syslog.header.facility":"17","guid":"0833ee92-e4b0-4cec-aed6-73e0f3afa0e8","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 488160565 for Outside_VPN:72.111.72.29\/80 to Inside-Trunk:10.22.8.42\/57520 duration 0:00:15 bytes 1025 TCP FINs","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142356000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488096423 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.22.8.127\/59096 duration 0:02:27 bytes 99347 TCP Reset-O","syslog.header.facility":"17","guid":"5afa5b9b-af47-4954-820f-1a2a72249f5c","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 488096423 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.22.8.127\/59096 duration 0:02:27 bytes 99347 TCP Reset-O","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142356000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488095522 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.22.8.127\/59087 duration 0:02:29 bytes 154785 TCP Reset-O","syslog.header.facility":"17","guid":"cc093a83-1f7d-468a-b09a-982e62a5371a","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 488095522 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.22.8.127\/59087 duration 0:02:29 bytes 154785 TCP Reset-O","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142356000,"source.type":"syslog3164"} 
+{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488106557 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.22.8.127\/59134 duration 0:02:09 bytes 25319 TCP Reset-O","syslog.header.facility":"17","guid":"30e86e48-6d96-4ebc-8865-262c67d1801b","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 488106557 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.22.8.127\/59134 duration 0:02:09 bytes 25319 TCP Reset-O","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142356000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488096426 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.22.8.127\/59099 duration 0:02:27 bytes 26171 TCP Reset-O","syslog.header.facility":"17","guid":"e9d40894-606f-4f14-9bb3-367fbc0c19a0","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 488096426 for Outside_VPN:72.111.72.43\/80 to Inside-Trunk:10.22.8.127\/59099 duration 0:02:27 bytes 26171 TCP Reset-O","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142356000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212806005 for outside:10.22.8.17\/58630(LOCAL\\user.name) to inside:10.22.8.12\/389 duration 0:00:00 bytes 3942 TCP FINs (user.name)","syslog.header.facility":"20","guid":"ada1044a-5805-494a-a814-2907ad6ad665","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 212806005 for outside:10.22.8.17\/58630(LOCAL\\user.name) to inside:10.22.8.12\/389 duration 0:00:00 bytes 3942 TCP FINs (user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142356000,"source.type":"syslog3164"} 
+{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806085 for outside:10.22.8.143\/54018 (10.22.8.143\/54018)(LOCAL\\user.name) to inside:10.22.8.85\/53 (10.22.8.85\/53) (user.name)","syslog.header.facility":"20","guid":"7e38f864-4c30-4f06-9dd7-0bc8f405bbe6","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302015: Built inbound UDP connection 212806085 for outside:10.22.8.143\/54018 (10.22.8.143\/54018)(LOCAL\\user.name) to inside:10.22.8.85\/53 (10.22.8.85\/53) (user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142356000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.212","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.96\/2708 gaddr 10.22.8.30\/0 laddr 10.22.8.30\/0 (user.name)","syslog.header.facility":"21","guid":"57fb779c-227a-4f64-afde-d993f5f163fb","syslog.header.timestamp":"Jan 5 14:52:36","syslog.message":"%ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.96\/2708 gaddr 10.22.8.30\/0 laddr 10.22.8.30\/0 (user.name)","syslog.header.pri":"174","syslog.header.severity":"6","timestamp":1515163956000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.212","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245537 for outside:10.22.8.110\/49886 (10.22.8.110\/49886) to inside:192.111.72.11\/8612 (192.111.72.11\/8612) (user.name)","syslog.header.facility":"21","guid":"55f3aa3a-fa7f-42c2-86fa-23602434c716","syslog.header.timestamp":"Jan 5 14:52:36","syslog.message":"%ASA-6-302015: Built inbound UDP connection 76245537 for outside:10.22.8.110\/49886 (10.22.8.110\/49886) to inside:192.111.72.11\/8612 (192.111.72.11\/8612) (user.name)","syslog.header.pri":"174","syslog.header.severity":"6","timestamp":1515163956000,"source.type":"syslog3164"} 
+{"syslog.header.hostName":"10.22.8.41","original_string":"<166>Jan 5 16:52:36 10.22.8.41 %ASA-6-106015: Deny TCP (no connection) from 10.22.8.85\/58359 to 10.22.8.11\/88 flags RST ACK on interface Outside","syslog.header.facility":"20","guid":"04bf0433-398f-4369-8a10-b6b6800b94dc","syslog.header.timestamp":"Jan 5 16:52:36","syslog.message":"%ASA-6-106015: Deny TCP (no connection) from 10.22.8.85\/58359 to 10.22.8.11\/88 flags RST ACK on interface Outside","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515171156000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.82\/0(LOCAL\\user.name) gaddr 10.22.8.205\/0 laddr 10.22.8.205\/0","syslog.header.facility":"20","guid":"0ca4a23e-9dc1-46ea-bbd4-e5fa1566a5fa","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.82\/0(LOCAL\\user.name) gaddr 10.22.8.205\/0 laddr 10.22.8.205\/0","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142356000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212799832 for outside:10.22.8.230\/55549(LOCAL\\user.name) to inside:10.22.8.11\/389 duration 0:02:01 bytes 354 (user.name)","syslog.header.facility":"20","guid":"b472dd59-9ede-42ed-a67b-e5d34e8b7b9d","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302016: Teardown UDP connection 212799832 for outside:10.22.8.230\/55549(LOCAL\\user.name) to inside:10.22.8.11\/389 duration 0:02:01 bytes 354 (user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142356000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212799867 for 
outside:10.22.8.240\/138(LOCAL\\user.name) to inside:10.22.8.255\/138 duration 0:02:01 bytes 214 (user.name)","syslog.header.facility":"20","guid":"9231563a-4e43-440d-9bcd-ff67d2f01b17","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302016: Teardown UDP connection 212799867 for outside:10.22.8.240\/138(LOCAL\\user.name) to inside:10.22.8.255\/138 duration 0:02:01 bytes 214 (user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142356000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<167>Jan 5 08:52:36 10.22.8.216 %ASA-7-609001: Built local-host inside:67.111.72.204","syslog.header.facility":"20","guid":"e717a671-9e5f-4bb7-b0b0-0e1cbcfe5b4a","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-7-609001: Built local-host inside:67.111.72.204","syslog.header.pri":"167","syslog.header.severity":"7","timestamp":1515142356000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.212","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245544 for outside:10.22.8.227\/54540 (10.22.8.227\/54540) to inside:63.111.72.124\/80 (63.111.72.124\/80) (user.name)","syslog.header.facility":"21","guid":"49cc4afe-467b-4b4c-b883-d6aa2ebe1d9f","syslog.header.timestamp":"Jan 5 14:52:36","syslog.message":"%ASA-6-302013: Built inbound TCP connection 76245544 for outside:10.22.8.227\/54540 (10.22.8.227\/54540) to inside:63.111.72.124\/80 (63.111.72.124\/80) (user.name)","syslog.header.pri":"174","syslog.header.severity":"6","timestamp":1515163956000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168135 for Outside_VPN:198.111.72.66\/36797 to DMZ-Inside:10.22.8.53\/80 duration 0:00:01 bytes 89039 TCP FINs","syslog.header.facility":"17","guid":"de2a851d-4860-4625-b870-c7f3a10c219a","syslog.header.timestamp":"Jan 5 
08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168135 for Outside_VPN:198.111.72.66\/36797 to DMZ-Inside:10.22.8.53\/80 duration 0:00:01 bytes 89039 TCP FINs","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142356000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212805836 for outside:10.22.8.62\/56471(LOCAL\\user.name) to inside:208.111.72.1\/443 duration 0:00:04 bytes 1700 TCP FINs (user.name)","syslog.header.facility":"20","guid":"6f37c953-20ea-4fa3-aa96-0b91c689e110","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 212805836 for outside:10.22.8.62\/56471(LOCAL\\user.name) to inside:208.111.72.1\/443 duration 0:00:04 bytes 1700 TCP FINs (user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142356000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.212","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245546 for outside:10.22.8.227\/54542 (10.22.8.227\/54542) to inside:63.111.72.124\/80 (63.111.72.124\/80) (user.name)","syslog.header.facility":"21","guid":"4e9f6ee9-55fc-40da-8e3c-77ba4f072013","syslog.header.timestamp":"Jan 5 14:52:36","syslog.message":"%ASA-6-302013: Built inbound TCP connection 76245546 for outside:10.22.8.227\/54542 (10.22.8.227\/54542) to inside:63.111.72.124\/80 (63.111.72.124\/80) (user.name)","syslog.header.pri":"174","syslog.header.severity":"6","timestamp":1515163956000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.74\/0(LOCAL\\user.name) gaddr 10.22.8.205\/0 laddr 10.22.8.205\/0","syslog.header.facility":"20","guid":"79538743-01a6-49e1-860a-80fe58111d59","syslog.header.timestamp":"Jan 5 
08:52:36","syslog.message":"%ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.74\/0(LOCAL\\user.name) gaddr 10.22.8.205\/0 laddr 10.22.8.205\/0","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142356000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.212","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302020: Built outbound ICMP connection for faddr 10.22.8.96\/2708 gaddr 10.22.8.30\/0 laddr 10.22.8.30\/0","syslog.header.facility":"21","guid":"7ba31a57-915e-466e-8efb-dfdbc9a7d515","syslog.header.timestamp":"Jan 5 14:52:36","syslog.message":"%ASA-6-302020: Built outbound ICMP connection for faddr 10.22.8.96\/2708 gaddr 10.22.8.30\/0 laddr 10.22.8.30\/0","syslog.header.pri":"174","syslog.header.severity":"6","timestamp":1515163956000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168388 for DMZ-Inside:10.22.8.10\/49771 to Inside-Trunk:10.22.8.128\/443 duration 0:00:00 bytes 19132 TCP Reset-O","syslog.header.facility":"17","guid":"5fb3a31a-84f7-465e-b4a5-648edc12c9f3","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168388 for DMZ-Inside:10.22.8.10\/49771 to Inside-Trunk:10.22.8.128\/443 duration 0:00:00 bytes 19132 TCP Reset-O","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142356000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168692 for DMZ-Inside:10.22.8.53\/61694 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 bytes 5660 TCP FINs","syslog.header.facility":"17","guid":"89922414-2c06-45b2-9c96-e2a62956eb4b","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 488168692 for DMZ-Inside:10.22.8.53\/61694 to Inside-Trunk:10.22.8.174\/40004 duration 0:00:00 
bytes 5660 TCP FINs","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142356000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.212","original_string":"<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245552 for outside:10.22.8.92\/51042 (10.22.8.92\/51042) to inside:10.22.8.193\/9100 (10.22.8.193\/9100) (user.name)","syslog.header.facility":"21","guid":"af712b8d-55d8-46c0-9ab0-92e075aaf546","syslog.header.timestamp":"Jan 5 14:52:36","syslog.message":"%ASA-6-302013: Built inbound TCP connection 76245552 for outside:10.22.8.92\/51042 (10.22.8.92\/51042) to inside:10.22.8.193\/9100 (10.22.8.193\/9100) (user.name)","syslog.header.pri":"174","syslog.header.severity":"6","timestamp":1515163956000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.41","original_string":"<166>Jan 5 16:52:36 10.22.8.41 %ASA-6-302016: Teardown UDP connection 45474680 for Outside:10.22.8.49\/137(LOCAL\\user.name) to Inside:10.22.8.12\/137 duration 0:02:03 bytes 486 (user.name)","syslog.header.facility":"20","guid":"756ac82f-e710-4dac-b7d6-8e22931b3cfd","syslog.header.timestamp":"Jan 5 16:52:36","syslog.message":"%ASA-6-302016: Teardown UDP connection 45474680 for Outside:10.22.8.49\/137(LOCAL\\user.name) to Inside:10.22.8.12\/137 duration 0:02:03 bytes 486 (user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515171156000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.41","original_string":"<166>Jan 5 16:52:36 10.22.8.41 %ASA-6-302016: Teardown UDP connection 45474694 for Outside:10.22.8.49\/138(LOCAL\\user.name) to Inside:10.22.8.12\/138 duration 0:02:01 bytes 184 (user.name)","syslog.header.facility":"20","guid":"c7cbc688-5c80-43f0-b3a9-6e026c988c83","syslog.header.timestamp":"Jan 5 16:52:36","syslog.message":"%ASA-6-302016: Teardown UDP connection 45474694 for Outside:10.22.8.49\/138(LOCAL\\user.name) to Inside:10.22.8.12\/138 duration 0:02:01 bytes 184 
(user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515171156000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167720 for Outside_VPN:198.111.72.75\/1033 to DMZ-Inside:10.22.8.53\/443 duration 0:00:01 bytes 9634 TCP FINs","syslog.header.facility":"17","guid":"fd20d131-6fe5-4258-a822-982db9b3bcc2","syslog.header.timestamp":"Jan 5 08:52:36","syslog.message":"%ASA-6-302014: Teardown TCP connection 488167720 for Outside_VPN:198.111.72.75\/1033 to DMZ-Inside:10.22.8.53\/443 duration 0:00:01 bytes 9634 TCP FINs","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142356000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488165627 for Outside_VPN:170.111.72.22\/27463 to DMZ-Inside:10.22.8.53\/443 duration 0:00:01 bytes 9756 TCP FINs","syslog.header.facility":"17","guid":"de48f6be-b9c8-42e5-8db9-4fdec5458dbf","syslog.header.timestamp":"Jan 5 08:52:32","syslog.message":"%ASA-6-302014: Teardown TCP connection 488165627 for Outside_VPN:170.111.72.22\/27463 to DMZ-Inside:10.22.8.53\/443 duration 0:00:01 bytes 9756 TCP FINs","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142352000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:32 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212805854 for outside:10.22.8.62\/54704(LOCAL\\user.name) to inside:10.22.8.85\/53 duration 0:00:00 bytes 114 (user.name)","syslog.header.facility":"20","guid":"84c5fb3b-ae49-4eb8-af3f-57c63fc6d079","syslog.header.timestamp":"Jan 5 08:52:32","syslog.message":"%ASA-6-302016: Teardown UDP connection 212805854 for outside:10.22.8.62\/54704(LOCAL\\user.name) to inside:10.22.8.85\/53 duration 0:00:00 bytes 114 
(user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142352000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-302020: Built inbound ICMP connection for faddr 207.111.72.122\/0 gaddr 206.111.72.24\/512 laddr 10.22.8.57\/512","syslog.header.facility":"20","guid":"a7fcb975-e65a-4f01-939e-839cf4f599b0","syslog.header.timestamp":"Jan 5 09:52:32","syslog.message":"%ASA-6-302020: Built inbound ICMP connection for faddr 207.111.72.122\/0 gaddr 206.111.72.24\/512 laddr 10.22.8.57\/512","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515145952000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-302013: Built outbound TCP connection 17605397 for outside:69.111.72.0\/80 (69.111.72.0\/80) to inside:10.22.8.102\/55659 (206.111.72.41\/40627)","syslog.header.facility":"20","guid":"12f475f4-04c8-41de-8d41-547f98933048","syslog.header.timestamp":"Jan 5 09:52:32","syslog.message":"%ASA-6-302013: Built outbound TCP connection 17605397 for outside:69.111.72.0\/80 (69.111.72.0\/80) to inside:10.22.8.102\/55659 (206.111.72.41\/40627)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515145952000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.212","original_string":"<174>Jan 5 14:52:32 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245230 for outside:10.22.8.96\/123 (10.22.8.96\/123) to inside:10.22.8.12\/123 (10.22.8.12\/123) (user.name)","syslog.header.facility":"21","guid":"9b26768a-1a11-4777-b1fb-906821b7f05b","syslog.header.timestamp":"Jan 5 14:52:32","syslog.message":"%ASA-6-302015: Built inbound UDP connection 76245230 for outside:10.22.8.96\/123 (10.22.8.96\/123) to inside:10.22.8.12\/123 (10.22.8.12\/123) (user.name)","syslog.header.pri":"174","syslog.header.severity":"6","timestamp":1515163952000,"source.type":"syslog3164"} 
+{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488031413 for Outside_VPN:184.111.72.216\/50341 to DMZ-Inside:10.22.8.57\/443 duration 0:05:01 bytes 13543 TCP Reset-O","syslog.header.facility":"17","guid":"b177327e-d674-470a-8f82-bacd18d47df2","syslog.header.timestamp":"Jan 5 08:52:32","syslog.message":"%ASA-6-302014: Teardown TCP connection 488031413 for Outside_VPN:184.111.72.216\/50341 to DMZ-Inside:10.22.8.57\/443 duration 0:05:01 bytes 13543 TCP Reset-O","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142352000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.41","original_string":"<166>Jan 5 16:52:32 10.22.8.41 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.95\/1(LOCAL\\user.name) gaddr 10.22.8.12\/0 laddr 10.22.8.12\/0 (user.name)","syslog.header.facility":"20","guid":"69f69569-66c2-4846-9f12-3b24a416e876","syslog.header.timestamp":"Jan 5 16:52:32","syslog.message":"%ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.95\/1(LOCAL\\user.name) gaddr 10.22.8.12\/0 laddr 10.22.8.12\/0 (user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515171152000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488030393 for DMZ-Inside:[10.22.8.10\/57109 to Inside-Trunk:10.22.8.128\/443 duration 0:05:04 bytes 13541 TCP Reset-O","syslog.header.facility":"17","guid":"bf63019f-7895-495f-8406-2b50b9186a90","syslog.header.timestamp":"Jan 5 08:52:32","syslog.message":"%ASA-6-302014: Teardown TCP connection 488030393 for DMZ-Inside:[10.22.8.10\/57109 to Inside-Trunk:10.22.8.128\/443 duration 0:05:04 bytes 13541 TCP Reset-O","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142352000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 
09:52:32 10.22.8.12 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.22.8.149\/62156 to outside:206.111.72.41\/19576 duration 0:00:44","syslog.header.facility":"20","guid":"28cc755f-1acb-41bf-a454-ee392fb7ef1a","syslog.header.timestamp":"Jan 5 09:52:32","syslog.message":"%ASA-6-305012: Teardown dynamic TCP translation from inside:10.22.8.149\/62156 to outside:206.111.72.41\/19576 duration 0:00:44","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515145952000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.12","original_string":"<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.22.8.149\/62159 to outside:206.111.72.41\/39634 duration 0:00:44","syslog.header.facility":"20","guid":"d6c11c2e-c0b4-4981-b6bc-768c5437b7d9","syslog.header.timestamp":"Jan 5 09:52:32","syslog.message":"%ASA-6-305012: Teardown dynamic TCP translation from inside:10.22.8.149\/62159 to outside:206.111.72.41\/39634 duration 0:00:44","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515145952000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488031793 for Outside_VPN:198.111.72.146\/28026 to DMZ-Inside:10.22.8.53\/443 duration 0:05:00 bytes 119 TCP FINs","syslog.header.facility":"17","guid":"6816c488-5bc9-4854-97cb-c26c31f223fb","syslog.header.timestamp":"Jan 5 08:52:32","syslog.message":"%ASA-6-302014: Teardown TCP connection 488031793 for Outside_VPN:198.111.72.146\/28026 to DMZ-Inside:10.22.8.53\/443 duration 0:05:00 bytes 119 TCP FINs","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142352000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488030810 for DMZ-Inside:10.22.8.10\/56930 to Inside-Trunk:10.22.8.128\/443 duration 0:05:03 bytes 13543 
TCP Reset-O","syslog.header.facility":"17","guid":"abaf91ea-8b0f-4157-9222-3492585e19e4","syslog.header.timestamp":"Jan 5 08:52:32","syslog.message":"%ASA-6-302014: Teardown TCP connection 488030810 for DMZ-Inside:10.22.8.10\/56930 to Inside-Trunk:10.22.8.128\/443 duration 0:05:03 bytes 13543 TCP Reset-O","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142352000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.201","original_string":"<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 186.111.72.11\/80 to 204.111.72.199\/61438 flags SYN ACK on interface Outside_VPN","syslog.header.facility":"17","guid":"25830358-2bde-4c75-bc90-0aba594625dd","syslog.header.timestamp":"Jan 5 08:52:32","syslog.message":"%ASA-6-106015: Deny TCP (no connection) from 186.111.72.11\/80 to 204.111.72.199\/61438 flags SYN ACK on interface Outside_VPN","syslog.header.pri":"142","syslog.header.severity":"6","timestamp":1515142352000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<166>Jan 5 08:52:32 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212805863 for outside:10.22.8.144\/61999 (10.22.8.144\/61999)(LOCAL\\user.name) to inside:10.22.8.163\/80 (10.22.8.163\/80) (user.name)","syslog.header.facility":"20","guid":"78461d6a-8008-4c55-b8cd-b48b90e9d519","syslog.header.timestamp":"Jan 5 08:52:32","syslog.message":"%ASA-6-302013: Built inbound TCP connection 212805863 for outside:10.22.8.144\/61999 (10.22.8.144\/61999)(LOCAL\\user.name) to inside:10.22.8.163\/80 (10.22.8.163\/80) (user.name)","syslog.header.pri":"166","syslog.header.severity":"6","timestamp":1515142352000,"source.type":"syslog3164"} +{"syslog.header.hostName":"10.22.8.216","original_string":"<167>Jan 5 08:52:32 10.22.8.216 %ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00","syslog.header.facility":"20","guid":"0d48864f-dcd5-40b5-8ec3-a37ccf2f1527","syslog.header.timestamp":"Jan 5 
08:52:32","syslog.message":"%ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00","syslog.header.pri":"167","syslog.header.severity":"7","timestamp":1515142352000,"source.type":"syslog3164"}
\ No newline at end of file
diff --git a/metron-platform/metron-integration-test/src/main/sample/data/syslog3164/raw/Syslog3164Output b/metron-platform/metron-integration-test/src/main/sample/data/syslog3164/raw/Syslog3164Output
new file mode 100644
index 0000000000..6009d4888e
--- /dev/null
+++ b/metron-platform/metron-integration-test/src/main/sample/data/syslog3164/raw/Syslog3164Output
@@ -0,0 +1,100 @@ +<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-609001: Built local-host inside:10.22.8.205 +<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.74/0(LOCAL\user.name) gaddr 10.22.8.205/0 laddr 10.22.8.205/0 +<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00 +<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167725 for Outside_VPN:147.111.72.16/26436 to DMZ-Inside:10.22.8.53/443 duration 0:00:00 bytes 9687 TCP FINs +<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212805593 for outside:10.22.8.223/59614(LOCAL\user.name) to inside:10.22.8.78/8102 duration 0:00:07 bytes 3433 TCP FINs (user.name) +<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245503 for outside:10.22.8.233/54209 (10.22.8.233/54209) to inside:198.111.72.238/443 (198.111.72.238/443) (user.name) +<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806031 for outside:10.22.8.17/58633 (10.22.8.17/58633)(LOCAL\user.name) to inside:10.22.8.12/389 (10.22.8.12/389) (user.name) +<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168292 for DMZ-Inside:10.22.8.51/51231 to Inside-Trunk:10.22.8.174/40004 duration 0:00:00 bytes 2103 TCP FINs +<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 186.111.72.11/80 to 204.111.72.226/45019 flags SYN ACK on interface Outside_VPN +<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302014: Teardown TCP connection 17604987 for outside:209.111.72.151/443 to inside:10.22.8.188/64306 duration 0:00:31 bytes 10128 TCP FINs +<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302014: Teardown TCP connection 17604999 for outside:209.111.72.151/443 to inside:10.22.8.188/64307 duration 0:00:30 bytes 6370 TCP FINs +<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167347 for Outside_VPN:198.111.72.24/2134 to DMZ-Inside:10.22.8.53/443 
duration 0:00:01 bytes 9785 TCP FINs +<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245506 for outside:10.22.8.110/49886 (10.22.8.110/49886) to inside:192.111.72.8/8612 (192.111.72.8/8612) (user.name) +<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212805993 for outside:10.22.8.89/56917(LOCAL\user.name) to inside:216.111.72.126/443 duration 0:00:00 bytes 0 TCP FINs (user.name) +<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-710005: UDP request discarded from 10.22.8.223/49192 to outside:224.111.72.252/5355 +<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488166143 for Outside_VPN:198.111.72.64/80 to Inside-Trunk:10.22.8.39/54883 duration 0:00:04 bytes 1148 TCP FINs +<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-106015: Deny TCP (no connection) from 10.22.8.84/445 to 10.22.8.219/60726 flags ACK on interface inside +<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168344 for DMZ-Inside:10.22.8.53/61682 to Inside-Trunk:10.22.8.174/40004 duration 0:00:00 bytes 5648 TCP FINs +<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168345 for DMZ-Inside:10.22.8.16/31454 to Inside-Trunk:10.22.8.21/443 duration 0:00:00 bytes 756 TCP FINs +<182>Jan 5 20:22:35 10.22.8.4 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.12/0 gaddr 10.22.8.45/1 laddr 10.22.8.45/1 +<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 50.111.72.230/80 to 204.111.72.254/53077 flags RST on interface Outside_VPN +<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603649 for outside:206.111.72.2/161 to inside:10.22.8.48/63297 duration 0:02:01 bytes 209 +<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603650 for outside:207.111.72.122/161 to inside:10.22.8.48/63298 duration 0:02:01 bytes 209 +<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603652 for outside:206.111.72.2/161 to 
inside:10.22.8.48/63300 duration 0:02:01 bytes 115 +<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603657 for outside:206.111.72.2/161 to inside:10.22.8.48/63306 duration 0:02:01 bytes 115 +<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168436 for DMZ-Inside:10.22.8.51/51235 to Inside-Trunk:10.22.8.174/40004 duration 0:00:00 bytes 2497 TCP FINs +<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167656 for Outside_VPN:69.111.72.70/21560 to DMZ-Inside:10.22.8.53/443 duration 0:00:01 bytes 11410 TCP FINs +<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806050 for outside:10.22.8.62/53965 (10.22.8.62/53965)(LOCAL\user.name) to inside:10.22.8.85/53 (10.22.8.85/53) (user.name) +<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806052 for outside:10.22.8.62/56500 (10.22.8.62/56500)(LOCAL\user.name) to inside:198.111.72.83/443 (198.111.72.83/443) (user.name) +<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806054 for outside:10.22.8.62/56502 (10.22.8.62/56502)(LOCAL\user.name) to inside:50.111.72.252/443 (50.111.72.252/443) (user.name) +<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-305011: Built dynamic TCP translation from inside:10.22.8.188/64340 to outside:206.111.72.41/2013 +<166>Jan 5 15:52:35 10.22.8.33 %ASA-6-305012: Teardown dynamic UDP translation from inside:192.111.72.2/62251 to outside:79.111.72.174/21311 duration 0:02:30 +<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806058 for outside:10.22.8.221/56631 (10.22.8.221/56631)(LOCAL\user.name) to inside:10.22.8.26/389 (10.22.8.26/389) (user.name) +<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168189 for Outside_VPN:209.111.72.10/56619 to DMZ-Inside:10.22.8.53/443 duration 0:00:00 bytes 2477 TCP FINs +<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 10.22.8.112/52235 to 
198.111.72.227/80 flags ACK on interface Inside-Trunk +<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167192 for Outside_VPN:115.111.72.7/49196 to DMZ-Inside:10.22.8.57/443 duration 0:00:02 bytes 20588 TCP Reset-O +<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212806055 for outside:10.22.8.62/55383(LOCAL\user.name) to inside:10.22.8.85/53 duration 0:00:00 bytes 349 (user.name) +<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168380 for Outside_VPN:74.111.72.12/443 to Inside-Trunk:10.22.8.39/54894 duration 0:00:00 bytes 5701 TCP FINs +<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245522 for outside:10.22.8.147/56343 (10.22.8.147/56343) to inside:209.111.72.151/443 (209.111.72.151/443) (user.name) +<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168443 for Outside_VPN:23.111.72.27/80 to Inside-Trunk:10.22.8.81/64713 duration 0:00:00 bytes 2426 TCP FINs +<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488111566 for Outside_VPN:131.111.72.49/443 to Inside-Trunk:10.22.8.127/56558 duration 0:01:57 bytes 3614 TCP Reset-O +<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806061 for outside:10.22.8.17/58635 (10.22.8.17/58635)(LOCAL\user.name) to inside:10.22.8.12/389 (10.22.8.12/389) (user.name) +<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212806010 for outside:10.22.8.33/60223(LOCAL\user.name) to inside:10.22.8.86/389 duration 0:00:00 bytes 416 TCP Reset-I (user.name) +<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806062 for outside:10.22.8.221/56632 (10.22.8.221/56632)(LOCAL\user.name) to inside:10.22.8.73/389 (10.22.8.73/389) (user.name) +<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00 +<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168231 for 
Outside_VPN:204.111.72.243/3011 to Inside-Trunk:10.22.8.208/60037 duration 0:00:00 bytes 19415 TCP FINs +<166>Jan 5 16:52:35 10.22.8.41 %ASA-6-302013: Built inbound TCP connection 45476108 for Outside:10.22.8.97/53484 (10.22.8.97/53484)(LOCAL\user.name) to Inside:141.111.72.70/7576 (141.111.72.70/7576) (user.name) +<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245527 for outside:10.22.8.97/65195 (10.22.8.97/65195) to inside:17.111.72.212/5223 (17.111.72.212/5223) (user.name) +<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212806018 for outside:10.22.8.17/58632(LOCAL\user.name) to inside:10.22.8.12/389 duration 0:00:00 bytes 0 TCP FINs (user.name) +<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168562 for DMZ-Inside:10.22.8.51/51236 to Inside-Trunk:10.22.8.174/40004 duration 0:00:00 bytes 2273 TCP FINs +<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806065 for outside:10.22.8.62/59829 (10.22.8.62/59829)(LOCAL\user.name) to inside:10.22.8.85/53 (10.22.8.85/53) (user.name) +<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806067 for outside:10.22.8.143/62675 (10.22.8.143/62675)(LOCAL\user.name) to inside:141.111.72.12/389 (141.111.72.12/389) (user.name) +<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-710005: UDP request discarded from 10.22.8.223/61122 to outside:224.111.72.252/5355 +<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.143/0(LOCAL\user.name) gaddr 141.111.72.12/0 laddr 141.111.72.12/0 (user.name) +<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168547 for Outside_VPN:107.111.72.102/80 to Inside-Trunk:10.22.8.54/61676 duration 0:00:00 bytes 1030 TCP FINs +<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806078 for outside:10.22.8.221/56633 (10.22.8.221/56633)(LOCAL\user.name) to inside:10.22.8.20/389 (10.22.8.20/389) 
(user.name) +<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-305011: Built dynamic TCP translation from inside:10.22.8.83/59915 to outside:206.111.72.41/22776 +<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168044 for Outside_VPN:50.111.72.39/80 to Inside-Trunk:10.22.8.75/60877 duration 0:00:01 bytes 13304 TCP FINs +<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488118326 for Outside_VPN:23.111.72.27/80 to Inside-Trunk:10.22.8.229/57901 duration 0:01:45 bytes 1942 TCP FINs +<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488160565 for Outside_VPN:72.111.72.29/80 to Inside-Trunk:10.22.8.42/57520 duration 0:00:15 bytes 1025 TCP FINs +<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488096423 for Outside_VPN:72.111.72.43/80 to Inside-Trunk:10.22.8.127/59096 duration 0:02:27 bytes 99347 TCP Reset-O +<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488095522 for Outside_VPN:72.111.72.43/80 to Inside-Trunk:10.22.8.127/59087 duration 0:02:29 bytes 154785 TCP Reset-O +<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488106557 for Outside_VPN:72.111.72.43/80 to Inside-Trunk:10.22.8.127/59134 duration 0:02:09 bytes 25319 TCP Reset-O +<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488096426 for Outside_VPN:72.111.72.43/80 to Inside-Trunk:10.22.8.127/59099 duration 0:02:27 bytes 26171 TCP Reset-O +<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212806005 for outside:10.22.8.17/58630(LOCAL\user.name) to inside:10.22.8.12/389 duration 0:00:00 bytes 3942 TCP FINs (user.name) +<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806085 for outside:10.22.8.143/54018 (10.22.8.143/54018)(LOCAL\user.name) to inside:10.22.8.85/53 (10.22.8.85/53) (user.name) +<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.96/2708 gaddr 10.22.8.30/0 laddr 
10.22.8.30/0 (user.name) +<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245537 for outside:10.22.8.110/49886 (10.22.8.110/49886) to inside:192.111.72.11/8612 (192.111.72.11/8612) (user.name) +<166>Jan 5 16:52:36 10.22.8.41 %ASA-6-106015: Deny TCP (no connection) from 10.22.8.85/58359 to 10.22.8.11/88 flags RST ACK on interface Outside +<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.82/0(LOCAL\user.name) gaddr 10.22.8.205/0 laddr 10.22.8.205/0 +<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212799832 for outside:10.22.8.230/55549(LOCAL\user.name) to inside:10.22.8.11/389 duration 0:02:01 bytes 354 (user.name) +<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212799867 for outside:10.22.8.240/138(LOCAL\user.name) to inside:10.22.8.255/138 duration 0:02:01 bytes 214 (user.name) +<167>Jan 5 08:52:36 10.22.8.216 %ASA-7-609001: Built local-host inside:67.111.72.204 +<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245544 for outside:10.22.8.227/54540 (10.22.8.227/54540) to inside:63.111.72.124/80 (63.111.72.124/80) (user.name) +<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168135 for Outside_VPN:198.111.72.66/36797 to DMZ-Inside:10.22.8.53/80 duration 0:00:01 bytes 89039 TCP FINs +<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212805836 for outside:10.22.8.62/56471(LOCAL\user.name) to inside:208.111.72.1/443 duration 0:00:04 bytes 1700 TCP FINs (user.name) +<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245546 for outside:10.22.8.227/54542 (10.22.8.227/54542) to inside:63.111.72.124/80 (63.111.72.124/80) (user.name) +<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.74/0(LOCAL\user.name) gaddr 10.22.8.205/0 laddr 10.22.8.205/0 +<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302020: Built outbound ICMP 
connection for faddr 10.22.8.96/2708 gaddr 10.22.8.30/0 laddr 10.22.8.30/0 +<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168388 for DMZ-Inside:10.22.8.10/49771 to Inside-Trunk:10.22.8.128/443 duration 0:00:00 bytes 19132 TCP Reset-O +<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168692 for DMZ-Inside:10.22.8.53/61694 to Inside-Trunk:10.22.8.174/40004 duration 0:00:00 bytes 5660 TCP FINs +<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245552 for outside:10.22.8.92/51042 (10.22.8.92/51042) to inside:10.22.8.193/9100 (10.22.8.193/9100) (user.name) +<166>Jan 5 16:52:36 10.22.8.41 %ASA-6-302016: Teardown UDP connection 45474680 for Outside:10.22.8.49/137(LOCAL\user.name) to Inside:10.22.8.12/137 duration 0:02:03 bytes 486 (user.name) +<166>Jan 5 16:52:36 10.22.8.41 %ASA-6-302016: Teardown UDP connection 45474694 for Outside:10.22.8.49/138(LOCAL\user.name) to Inside:10.22.8.12/138 duration 0:02:01 bytes 184 (user.name) +<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167720 for Outside_VPN:198.111.72.75/1033 to DMZ-Inside:10.22.8.53/443 duration 0:00:01 bytes 9634 TCP FINs +<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488165627 for Outside_VPN:170.111.72.22/27463 to DMZ-Inside:10.22.8.53/443 duration 0:00:01 bytes 9756 TCP FINs +<166>Jan 5 08:52:32 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212805854 for outside:10.22.8.62/54704(LOCAL\user.name) to inside:10.22.8.85/53 duration 0:00:00 bytes 114 (user.name) +<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-302020: Built inbound ICMP connection for faddr 207.111.72.122/0 gaddr 206.111.72.24/512 laddr 10.22.8.57/512 +<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-302013: Built outbound TCP connection 17605397 for outside:69.111.72.0/80 (69.111.72.0/80) to inside:10.22.8.102/55659 (206.111.72.41/40627) +<174>Jan 5 14:52:32 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245230 for 
outside:10.22.8.96/123 (10.22.8.96/123) to inside:10.22.8.12/123 (10.22.8.12/123) (user.name) +<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488031413 for Outside_VPN:184.111.72.216/50341 to DMZ-Inside:10.22.8.57/443 duration 0:05:01 bytes 13543 TCP Reset-O +<166>Jan 5 16:52:32 10.22.8.41 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.95/1(LOCAL\user.name) gaddr 10.22.8.12/0 laddr 10.22.8.12/0 (user.name) +<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488030393 for DMZ-Inside:[10.22.8.10/57109 to Inside-Trunk:10.22.8.128/443 duration 0:05:04 bytes 13541 TCP Reset-O +<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.22.8.149/62156 to outside:206.111.72.41/19576 duration 0:00:44 +<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.22.8.149/62159 to outside:206.111.72.41/39634 duration 0:00:44 +<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488031793 for Outside_VPN:198.111.72.146/28026 to DMZ-Inside:10.22.8.53/443 duration 0:05:00 bytes 119 TCP FINs +<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488030810 for DMZ-Inside:10.22.8.10/56930 to Inside-Trunk:10.22.8.128/443 duration 0:05:03 bytes 13543 TCP Reset-O +<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 186.111.72.11/80 to 204.111.72.199/61438 flags SYN ACK on interface Outside_VPN +<166>Jan 5 08:52:32 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212805863 for outside:10.22.8.144/61999 (10.22.8.144/61999)(LOCAL\user.name) to inside:10.22.8.163/80 (10.22.8.163/80) (user.name) +<167>Jan 5 08:52:32 10.22.8.216 %ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00 \ No newline at end of file 
diff --git a/metron-platform/metron-integration-test/src/main/sample/data/syslog5424/parsed/Syslog5424Parsed b/metron-platform/metron-integration-test/src/main/sample/data/syslog5424/parsed/Syslog5424Parsed
index e33020444f..ee1c6f6632 100644
--- a/metron-platform/metron-integration-test/src/main/sample/data/syslog5424/parsed/Syslog5424Parsed
+++ b/metron-platform/metron-integration-test/src/main/sample/data/syslog5424/parsed/Syslog5424Parsed
@@ -1,3 +1,3 @@ -{"syslog.header.appName":"d0602076-b14a-4c55-852a-981e7afeed38","syslog.header.version":"1","syslog.header.hostName":"loggregator","original_string":"<14>1 2014-06-20T09:14:07+00:00 loggregator d0602076-b14a-4c55-852a-981e7afeed38 DEA - - Removing instance","syslog.header.facility":"1","syslog.header.msgId":"-","syslog.header.timestamp":"2014-06-20T09:14:07+00:00","syslog.message":"Removing instance","syslog.header.pri":"14","syslog.header.procId":"DEA","syslog.header.severity":"6","timestamp":"2014-06-20T09:14:07+00:00","guid":"this-is-random-uuid-will-be-36-chars","source.type":"syslog5424"} -{"syslog.structureddata.examples...@32480.iut":"4","syslog.structuredData.exampleSDID@32480.eventSource":"Other Application","syslog.header.hostName":"loggregator","syslog.header.facility":"1","syslog.structuredData.exampleSDID@32480.eventID":"2022","syslog.structuredData.exampleSDID@32473.eventSource":"Application","syslog.header.timestamp":"2014-06-20T09:14:08+00:00","syslog.message":"Removing instance","syslog.header.pri":"14","syslog.header.procId":"DEA","syslog.header.severity":"6","syslog.header.appName":"d0602076-b14a-4c55-852a-981e7afeed40","syslog.header.version":"1","syslog.structureddata.examples...@32473.iut":"3","original_string":"<14>1 2014-06-20T09:14:08+00:00 loggregator d0602076-b14a-4c55-852a-981e7afeed40 DEA MSG-02 [exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"] [exampleSDID@32480 iut=\"4\" eventSource=\"Other Application\" eventID=\"2022\"] Removing instance","syslog.header.msgId":"MSG-02","syslog.structuredData.exampleSDID@32473.eventID":"1011","timestamp":"2014-06-20T09:14:08+00:00","guid":"this-is-random-uuid-will-be-36-chars","source.type":"syslog5424"} -{"syslog.structureddata.examples...@32480.iut":"4","syslog.structuredData.exampleSDID@32480.eventSource":"Other 
Application","syslog.structureddata.examples...@32474.iut":"3","syslog.structuredData.exampleSDID@32474.eventID":"1011","syslog.header.hostName":"loggregator","syslog.header.facility":"1","syslog.structuredData.exampleSDID@32480.eventID":"2022","syslog.header.timestamp":"2014-06-20T09:14:09+00:00","syslog.message":"Removing instance","syslog.header.pri":"14","syslog.header.procId":"DEA","syslog.structuredData.exampleSDID@32474.eventSource":"Application","syslog.header.severity":"6","syslog.header.appName":"d0602076-b14a-4c55-852a-981e7afeed42","syslog.header.version":"1","original_string":"<14>1 2014-06-20T09:14:09+00:00 loggregator d0602076-b14a-4c55-852a-981e7afeed42 DEA MSG-03 [exampleSDID@32474 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"] [exampleSDID@32480 iut=\"4\" eventSource=\"Other Application\" eventID=\"2022\"] Removing instance","syslog.header.msgId":"MSG-03","timestamp":"2014-06-20T09:14:09+00:00","guid":"this-is-random-uuid-will-be-36-chars","source.type":"syslog5424"} \ No newline at end of file +{"syslog.header.hostName":"loggregator","syslog.header.facility":"1","syslog.header.timestamp":"2014-06-20T09:14:07+00:00","syslog.message":"Removing instance","syslog.header.pri":"14","syslog.header.procId":"DEA","syslog.header.severity":"6","source.type":"syslog5424","syslog.header.appName":"d0602076-b14a-4c55-852a-981e7afeed38","syslog.header.version":"1","original_string":"<14>1 2014-06-20T09:14:07+00:00 loggregator d0602076-b14a-4c55-852a-981e7afeed38 DEA - - Removing instance","syslog.header.msgId":"-","guid":"4cc6ba44-0a74-44cb-b7d0-3b3c761c1f4a","timestamp":1403255647000} +{"syslog.structureddata.examples...@32480.iut":"4","syslog.structuredData.exampleSDID@32480.eventSource":"Other 
Application","syslog.header.hostName":"loggregator","syslog.header.facility":"1","syslog.structuredData.exampleSDID@32480.eventID":"2022","syslog.structuredData.exampleSDID@32473.eventSource":"Application","syslog.header.timestamp":"2014-06-20T09:14:08+00:00","syslog.message":"Removing instance","syslog.header.pri":"14","syslog.header.procId":"DEA","syslog.header.severity":"6","source.type":"syslog5424","syslog.header.appName":"d0602076-b14a-4c55-852a-981e7afeed40","syslog.header.version":"1","syslog.structureddata.examples...@32473.iut":"3","original_string":"<14>1 2014-06-20T09:14:08+00:00 loggregator d0602076-b14a-4c55-852a-981e7afeed40 DEA MSG-02 [exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"] [exampleSDID@32480 iut=\"4\" eventSource=\"Other Application\" eventID=\"2022\"] Removing instance","syslog.header.msgId":"MSG-02","guid":"7bb44066-a0a8-4459-a826-7243000d6798","syslog.structuredData.exampleSDID@32473.eventID":"1011","timestamp":1403255648000} +{"syslog.structureddata.examples...@32480.iut":"4","syslog.structuredData.exampleSDID@32480.eventSource":"Other Application","syslog.structureddata.examples...@32474.iut":"3","syslog.structuredData.exampleSDID@32474.eventID":"1011","syslog.header.hostName":"loggregator","syslog.header.facility":"1","syslog.structuredData.exampleSDID@32480.eventID":"2022","syslog.header.timestamp":"2014-06-20T09:14:09+00:00","syslog.message":"Removing instance","syslog.header.pri":"14","syslog.header.procId":"DEA","syslog.structuredData.exampleSDID@32474.eventSource":"Application","syslog.header.severity":"6","source.type":"syslog5424","syslog.header.appName":"d0602076-b14a-4c55-852a-981e7afeed42","syslog.header.version":"1","original_string":"<14>1 2014-06-20T09:14:09+00:00 loggregator d0602076-b14a-4c55-852a-981e7afeed42 DEA MSG-03 [exampleSDID@32474 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"] [exampleSDID@32480 iut=\"4\" eventSource=\"Other Application\" eventID=\"2022\"] Removing 
instance","syslog.header.msgId":"MSG-03","guid":"18a80e8f-13b8-472a-8a0e-fe80ce1a6d32","timestamp":1403255649000}
\ No newline at end of file
diff --git a/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/integration/Syslog3164ParserIntegrationTest.java b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/integration/Syslog3164ParserIntegrationTest.java
new file mode 100644
index 0000000000..e1affe641f
--- /dev/null
+++ b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/integration/Syslog3164ParserIntegrationTest.java
@@ -0,0 +1,37 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.metron.parsers.integration;
+
+import org.apache.metron.parsers.integration.validation.SampleDataValidation;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class Syslog3164ParserIntegrationTest extends ParserIntegrationTest {
+ @Override
+ String getSensorType() {
+ return "syslog3164";
+ }
+
+ @Override
+ List<ParserValidation> getValidations() {
+ return new ArrayList<ParserValidation>() {{
+ add(new SampleDataValidation());
+ }};
+ }
+}
diff --git a/metron-platform/metron-parsing/README.md b/metron-platform/metron-parsing/README.md
index 76b6168dca..43334cbd62 100644
--- a/metron-platform/metron-parsing/README.md
+++ b/metron-platform/metron-parsing/README.md
@@ -589,6 +589,7 @@ Java parser adapters are intended for higher-velocity topologies and are not eas
 * org.apache.metron.parsers.sourcefire.BasicSourcefireParser : Parse Sourcefire messages
 * org.apache.metron.parsers.lancope.BasicLancopeParser : Parse Lancope messages
 * org.apache.metron.parsers.syslog.Syslog5424Parser : Parse Syslog RFC 5424 messages
+* org.apache.metron.parsers.syslog.Syslog3164Parser : Parse Syslog RFC 3164 messages
 
 ### Grok Parser Adapters
 Grok parser adapters are designed primarily for someone who is not a Java coder for quickly standing up a parser adapter for lower velocity topologies. Grok relies on Regex for message parsing, which is much slower than purpose-built Java parsers, but is more extensible. Grok parsers are defined via a config file and the topplogy does not need to be recompiled in order to make changes to them. Example of a Grok parsers are:
diff --git a/metron-platform/metron-parsing/metron-parsers-common/README.md b/metron-platform/metron-parsing/metron-parsers-common/README.md
index 0c5cf23e80..09499506e7 100644
--- a/metron-platform/metron-parsing/metron-parsers-common/README.md
+++ b/metron-platform/metron-parsing/metron-parsers-common/README.md
@@ -23,5 +23,6 @@ The included parsers are
 * Grok Parser
 * JSONMapParser
 * CSVParser
+* Syslog 3164 and 5424 parsers
 
 More details on these parsers and the overall architecture can be found in the metron-parsing [README](..#README.md)
diff --git a/metron-platform/metron-parsing/metron-parsers-common/pom.xml b/metron-platform/metron-parsing/metron-parsers-common/pom.xml
index 617366aff2..8abc1ee7aa 100644
--- a/metron-platform/metron-parsing/metron-parsers-common/pom.xml
+++ b/metron-platform/metron-parsing/metron-parsers-common/pom.xml
@@ -217,6 +217,11 @@
 <artifactId>json-path</artifactId>
 <version>2.3.0</version>
 </dependency>
+ <dependency>
+ <groupId>com.github.palindromicity</groupId>
+ <artifactId>simple-syslog</artifactId>
+ <version>${global_simple_syslog_version}</version>
+ </dependency>
 </dependencies>
 <build>
 <plugins>
diff --git a/metron-platform/metron-parsing/metron-parsers-common/src/main/config/zookeeper/parsers/syslog3164.json b/metron-platform/metron-parsing/metron-parsers-common/src/main/config/zookeeper/parsers/syslog3164.json
new file mode 100644
index 0000000000..298e8ccfab
--- /dev/null
+++ b/metron-platform/metron-parsing/metron-parsers-common/src/main/config/zookeeper/parsers/syslog3164.json
@@ -0,0 +1,6 @@
+{
+ "parserClassName":"org.apache.metron.parsers.syslog.Syslog3164Parser",
+ "sensorTopic":"syslog3164",
+ "parserConfig": {
+ }
+}
\ No newline at end of file
diff --git a/metron-platform/metron-parsing/metron-parsers/src/main/config/zookeeper/parsers/syslog5424.json b/metron-platform/metron-parsing/metron-parsers-common/src/main/config/zookeeper/parsers/syslog5424.json
similarity index 100%
rename from metron-platform/metron-parsing/metron-parsers/src/main/config/zookeeper/parsers/syslog5424.json
rename to metron-platform/metron-parsing/metron-parsers-common/src/main/config/zookeeper/parsers/syslog5424.json
diff --git a/metron-platform/metron-parsing/metron-parsers/src/main/java/org/apache/metron/parsers/syslog/Syslog5424Parser.java b/metron-platform/metron-parsing/metron-parsers-common/src/main/java/org/apache/metron/parsers/syslog/BaseSyslogParser.java
similarity index 65%
rename from metron-platform/metron-parsing/metron-parsers/src/main/java/org/apache/metron/parsers/syslog/Syslog5424Parser.java
rename to metron-platform/metron-parsing/metron-parsers-common/src/main/java/org/apache/metron/parsers/syslog/BaseSyslogParser.java
index 77ebd18e9f..c05b7604ab 100644
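Review bot: The added `<version>${global_simple_syslog_version}</version>` depends on a Maven property that is not declared anywhere visible in this diff; if the root pom does not define it, dependency resolution fails at build time, and the reviewer should confirm it is pinned to an exact release rather than a version range, since this library is the component that will parse untrusted syslog input. `com.github.palindromicity:simple-syslog` is a new coordinate for this module, so its license record should be kept in step with whatever version that property resolves to.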
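Review bot: `"parserConfig": { }` in the new sample config leaves out `deviceTimeZone`, which the BaseSyslogParser hunk later in this diff reads from the parser config and, when it is absent, replaces with UTC plus a warning. RFC 3164 timestamps carry neither a year nor a zone, so a device in any other zone would have its `timestamp` shifted by that offset until an operator discovers the key. Making the default explicit in the shipped sample, `"parserConfig": { "deviceTimeZone": "UTC" }`, surfaces the knob that has to be changed per deployment.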
--- a/metron-platform/metron-parsing/metron-parsers/src/main/java/org/apache/metron/parsers/syslog/Syslog5424Parser.java
+++ b/metron-platform/metron-parsing/metron-parsers-common/src/main/java/org/apache/metron/parsers/syslog/BaseSyslogParser.java
@@ -18,65 +18,81 @@ package org.apache.metron.parsers.syslog; -import com.github.palindromicity.syslog.AllowableDeviations; -import com.github.palindromicity.syslog.NilPolicy; import com.github.palindromicity.syslog.SyslogParser; -import com.github.palindromicity.syslog.SyslogParserBuilder; import com.github.palindromicity.syslog.dsl.SyslogFieldKeys; +import org.apache.commons.lang3.StringUtils; +import org.apache.metron.parsers.DefaultMessageParserResult; +import org.apache.metron.parsers.ParseException; +import org.apache.metron.parsers.interfaces.MessageParser; +import org.apache.metron.parsers.interfaces.MessageParserResult; +import org.apache.metron.parsers.utils.SyslogUtils; +import org.json.simple.JSONObject; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + import java.io.BufferedReader; import java.io.IOException; import java.io.Reader; import java.io.Serializable; import java.io.StringReader; import java.lang.invoke.MethodHandles; +import java.time.Clock; import java.time.LocalDateTime; +import java.time.ZoneId; +import java.time.ZoneOffset; import java.time.format.DateTimeFormatter; import java.util.ArrayList; -import java.util.EnumSet; import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Optional; -import org.apache.commons.lang3.StringUtils; -import org.apache.metron.parsers.DefaultMessageParserResult; -import org.apache.metron.parsers.interfaces.MessageParser; -import org.apache.metron.parsers.interfaces.MessageParserResult; -import org.json.simple.JSONObject; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; +import java.util.function.Consumer; /** * Parser for well structured RFC 5424 messages. 
*/ -public class Syslog5424Parser implements MessageParser<JSONObject>, Serializable { +public abstract class BaseSyslogParser implements MessageParser<JSONObject>, Serializable { protected static final Logger LOG = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass()); - public static final String NIL_POLICY_CONFIG = "nilPolicy"; + + private Optional<Consumer<JSONObject>> messageProcessorOptional = Optional.empty(); private transient SyslogParser syslogParser; - @Override - public void configure(Map<String, Object> config) { - // Default to OMIT policy for nil fields - // this means they will not be in the returned field set - String nilPolicyStr = (String) config.getOrDefault(NIL_POLICY_CONFIG, NilPolicy.OMIT.name()); - NilPolicy nilPolicy = NilPolicy.valueOf(nilPolicyStr); - syslogParser = new SyslogParserBuilder() - .withNilPolicy(nilPolicy) - .withDeviations(EnumSet.of(AllowableDeviations.PRIORITY,AllowableDeviations.VERSION)) - .build(); + protected Clock deviceClock; + + + protected void setSyslogParser(SyslogParser syslogParser) { + this.syslogParser = syslogParser; } + protected void setMessageProcessor(Consumer<JSONObject> function) { + this.messageProcessorOptional = Optional.of(function); + } + + protected abstract SyslogParser buildSyslogParser( Map<String,Object> config); + @Override - public void init() { + public void configure(Map<String, Object> parserConfig) { + // we'll pull out the clock stuff ourselves + String timeZone = (String) parserConfig.get("deviceTimeZone"); + if (timeZone != null) + deviceClock = Clock.system(ZoneId.of(timeZone)); + else { + deviceClock = Clock.systemUTC(); + LOG.warn("[Metron] No device time zone provided; defaulting to UTC"); + } + syslogParser = buildSyslogParser(parserConfig); } + @Override + public void init(){} + @Override public boolean validate(JSONObject message) { - JSONObject value = message; - if (!(value.containsKey("original_string"))) { + if (!(message.containsKey("original_string"))) { 
LOG.trace("[Metron] Message does not have original_string: {}", message); return false; - } else if (!(value.containsKey("timestamp"))) { + } else if (!(message.containsKey("timestamp"))) { LOG.trace("[Metron] Message does not have timestamp: {}", message); return false; } else { @@ -94,7 +110,7 @@ public boolean validate(JSONObject message) { } String originalString = new String(rawMessage); - List<JSONObject> returnList = new ArrayList<>(); + final List<JSONObject> returnList = new ArrayList<>(); Map<Object,Throwable> errorMap = new HashMap<>(); try (Reader reader = new BufferedReader(new StringReader(originalString))) { syslogParser.parseLines(reader, (m) -> { @@ -102,7 +118,13 @@ public boolean validate(JSONObject message) { // be sure to put in the original string, and the timestamp. // we wil just copy over the timestamp from the syslog jsonObject.put("original_string", originalString); - setTimestamp(jsonObject); + try { + setTimestamp(jsonObject); + } catch (ParseException pe) { + errorMap.put(originalString,pe); + return; + } + messageProcessorOptional.ifPresent((c) -> c.accept(jsonObject)); returnList.add(jsonObject); },errorMap::put); @@ -116,12 +138,15 @@ public boolean validate(JSONObject message) { } @SuppressWarnings("unchecked") - private void setTimestamp(JSONObject message) { + private void setTimestamp(JSONObject message) throws ParseException { String timeStampString = (String) message.get(SyslogFieldKeys.HEADER_TIMESTAMP.getField()); if (!StringUtils.isBlank(timeStampString) && !timeStampString.equals("-")) { - message.put("timestamp", timeStampString); + message.put("timestamp", SyslogUtils.parseTimestampToEpochMillis(timeStampString, deviceClock)); } else { - message.put("timestamp", LocalDateTime.now().format(DateTimeFormatter.ISO_DATE_TIME)); + message.put( + "timestamp", + LocalDateTime.now() + .toEpochSecond(ZoneOffset.UTC)); } } } 
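Review bot: `configure` hands the raw `deviceTimeZone` config value to `ZoneId.of`, which throws `DateTimeException` for an unrecognized id (and the `(String)` cast throws `ClassCastException` for a non-string value), so a typo in the sensor config escapes as an uncaught exception rather than a clear configuration error; wrap it, e.g. `catch (DateTimeException e) { throw new IllegalArgumentException("[Metron] Invalid deviceTimeZone: " + timeZone, e); }`, or log and fall back to UTC the way the missing-value branch already does. The class Javadoc still reads `Parser for well structured RFC 5424 messages.` although the class is now the abstract base for both specifications; suggest `Base parser for syslog messages: subclasses supply the simple-syslog SyslogParser via buildSyslogParser(Map) and may register a per-message post-processor via setMessageProcessor.` The new `deviceClock` field and the `buildSyslogParser` hook carry no documentation; a comment such as `// clock carrying the configured device zone; passed to SyslogUtils when header timestamps are parsed` on the field would tell a maintainer why the zone matters.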
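Review bot: In the new `catch (ParseException pe)` block the failure is keyed by `originalString`, i.e. the entire raw input, whereas the library callback `errorMap::put` two lines below presumably keys by the offending line (the multi-line error test expects one throwable per bad line), so two timestamp failures inside one multi-line message overwrite each other and are reported as a single error. Keying on the parsed message (`errorMap.put(jsonObject, pe);`) or on the line the lambda receives would keep the per-line accounting. The enclosing method (`parseOptionalResult`, judging by the tests) begins and ends outside this hunk.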
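Review bot: The fallback branch of `setTimestamp` now stores epoch seconds (`LocalDateTime.now().toEpochSecond(ZoneOffset.UTC)`) while the parsed branch stores epoch milliseconds from `SyslogUtils.parseTimestampToEpochMillis`, so the `timestamp` field changes units depending on whether the header carried a time; in addition `LocalDateTime.now()` is taken in the JVM default zone and then reinterpreted as UTC, shifting the value by the JVM's offset. Replace the four-line `message.put(...)` with `message.put("timestamp", deviceClock.millis());` — the instant is zone-independent, and using the injected clock keeps the fallback testable with `Clock.fixed`. With that change `LocalDateTime`, `ZoneOffset` and `DateTimeFormatter` in the import hunk above become unused.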
diff --git a/metron-platform/metron-parsing/metron-parsers-common/src/main/java/org/apache/metron/parsers/syslog/Syslog3164Parser.java b/metron-platform/metron-parsing/metron-parsers-common/src/main/java/org/apache/metron/parsers/syslog/Syslog3164Parser.java
new file mode 100644
index 0000000000..632bcfd195
--- /dev/null
+++ b/metron-platform/metron-parsing/metron-parsers-common/src/main/java/org/apache/metron/parsers/syslog/Syslog3164Parser.java
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.metron.parsers.syslog;
+
+import com.github.palindromicity.syslog.AllowableDeviations;
+import com.github.palindromicity.syslog.SyslogParser;
+import com.github.palindromicity.syslog.SyslogParserBuilder;
+import com.github.palindromicity.syslog.SyslogSpecification;
+
+import java.io.Serializable;
+import java.util.EnumSet;
+import java.util.Map;
+
+
+/**
+ * Parser for RFC 3164 messages.
+ */
+public class Syslog3164Parser extends BaseSyslogParser implements Serializable {
+
+ @Override
+ public SyslogParser buildSyslogParser(Map<String, Object> config) {
+ return new SyslogParserBuilder()
+ .forSpecification(SyslogSpecification.RFC_3164)
+ .withDeviations(EnumSet.of(AllowableDeviations.PRIORITY, AllowableDeviations.VERSION))
+ .build();
+ }
+}
diff --git a/metron-platform/metron-parsing/metron-parsers-common/src/main/java/org/apache/metron/parsers/syslog/Syslog5424Parser.java b/metron-platform/metron-parsing/metron-parsers-common/src/main/java/org/apache/metron/parsers/syslog/Syslog5424Parser.java
new file mode 100644
index 0000000000..cacb0e4082
--- /dev/null
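Review bot: `buildSyslogParser` is declared `protected abstract` in BaseSyslogParser, but this override (and the one in Syslog5424Parser, next file) widens it to `public`, exposing a construction hook that only the base class calls; `protected SyslogParser buildSyslogParser(Map<String, Object> config)` keeps the surface identical to the base. `implements Serializable` is redundant here since BaseSyslogParser already implements it, and neither new class declares a `serialVersionUID`. The override ignores `config` entirely, which is fine, but deserves a Javadoc line such as `Builds an RFC 3164 parser that allows the PRIORITY and VERSION deviations; no per-parser configuration is read.`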
+++ b/metron-platform/metron-parsing/metron-parsers-common/src/main/java/org/apache/metron/parsers/syslog/Syslog5424Parser.java
@@ -0,0 +1,51 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.metron.parsers.syslog;
+
+import com.github.palindromicity.syslog.AllowableDeviations;
+import com.github.palindromicity.syslog.NilPolicy;
+import com.github.palindromicity.syslog.SyslogParser;
+import com.github.palindromicity.syslog.SyslogParserBuilder;
+import com.github.palindromicity.syslog.SyslogSpecification;
+
+import java.io.Serializable;
+import java.util.EnumSet;
+import java.util.Map;
+
+
+/**
+ * Parser for well structured RFC 5424 messages.
+ */
+public class Syslog5424Parser extends BaseSyslogParser implements Serializable {
+ public static final String NIL_POLICY_CONFIG = "nilPolicy";
+
+ @Override
+ public SyslogParser buildSyslogParser(Map<String, Object> config) {
+ // Default to OMIT policy for nil fields
+ // this means they will not be in the returned field set
+ String nilPolicyStr = (String) config.getOrDefault(NIL_POLICY_CONFIG, NilPolicy.OMIT.name());
+ NilPolicy nilPolicy = NilPolicy.valueOf(nilPolicyStr);
+ return new SyslogParserBuilder()
+ .forSpecification(SyslogSpecification.RFC_5424)
+ .withNilPolicy(nilPolicy)
+ .withDeviations(EnumSet.of(AllowableDeviations.PRIORITY, AllowableDeviations.VERSION))
+ .build();
+ }
+}
+
diff --git a/metron-platform/metron-parsing/metron-parsers-common/src/test/java/org/apache/metron/parsers/syslog/Syslog3164ParserTest.java b/metron-platform/metron-parsing/metron-parsers-common/src/test/java/org/apache/metron/parsers/syslog/Syslog3164ParserTest.java
new file mode 100644
index 0000000000..6e8fb40cc3
--- /dev/null
+++ b/metron-platform/metron-parsing/metron-parsers-common/src/test/java/org/apache/metron/parsers/syslog/Syslog3164ParserTest.java
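Review bot: `NilPolicy.valueOf(nilPolicyStr)` in `buildSyslogParser` raises a bare `IllegalArgumentException` for an unknown `nilPolicy` value, and the `(String)` cast a `ClassCastException` for a non-string one; this is carried over from the old `configure()`, but now that per-parser configuration validation lives in this hook it is the place to report the offending value and the accepted names, e.g. `catch (IllegalArgumentException e) { throw new IllegalArgumentException("[Metron] Unknown nilPolicy '" + nilPolicyStr + "'; expected one of " + Arrays.toString(NilPolicy.values()), e); }` (`java.util.Arrays` would need importing). The two-line comment above it explains OMIT but not that the value is read from the sensor's `parserConfig` under `NIL_POLICY_CONFIG`; one sentence saying so would help readers of the JSON config.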
@@ -0,0 +1,187 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.metron.parsers.syslog; + +import com.github.palindromicity.syslog.dsl.SyslogFieldKeys; +import org.apache.metron.parsers.interfaces.MessageParserResult; +import org.json.simple.JSONObject; +import org.junit.Assert; +import org.junit.Test; + +import java.time.Instant; +import java.time.ZoneOffset; +import java.time.ZonedDateTime; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Optional; +import java.util.function.Consumer; + +import static org.junit.Assert.assertTrue; + +public class Syslog3164ParserTest { + + private static final String SYSLOG_LINE_ALL = "<181>2018-09-14T00:54:09+00:00 lzpqrst-admin.in.mycompany.com.lg CISE_RADIUS_Accounting 0018032501 1 0 2018-09-14 10:54:09.095 +10:00 0221114759 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=73, Device IP Address=00.00.000.0, RequestLatency=2, NetworkDeviceName=foo, User-Name=ACCOUNT-01\\\\\\\\D622322, NAS-IP-Address=00.00.000.0, NAS-Port=50742, Framed-IP-Address=00.00.000.000, Class=CACS:0A3D720400016DBFE530A22E:lzpqrst/323409315/14578982, Called-Station-ID=00-CA-E5-B1-21-AA, 
Calling-Station-ID=54-E1-AD-A1-27-72, Acct-Status-Type=Interim-Update, Acct-Delay-Time=10, Acct-Input-Octets=379294, Acct-Output-Octets=1053336, Acct-Session-Id=00025EB8, Acct-Input-Packets=1657, Acct-Output-Packets=2018, Event-Timestamp=1536886439, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet7/0/42, cisco-av-pair=dc-profile-name=Microsoft-Workstation, cisco-av-pair=dc-device-name=MSFT 5.0, cisco-av-pair=dc-device-class-tag=Workstation:Microsoft-Workstation, cisco-av-pair=dc-certainty-metric=10, cisco-av-pair=dc-opaque=\\000\\000\\000\\002\\000\\000\\000\\001\\000\\000\\000\\000, cisco-av-pair=dc-protocol-map=9, cisco-av-pair=dhcp-option=pad=1b:2e:01:08:ff:2e:01:08:ff:0a:90:84:51:0a:2c:08:0a:d0:52:31:0a:d0:5a:1b:2e:01:08:ff:2e:01:08:ff:79:f9:2b:ff:43:17:73:6d:73:62:6f:6f:74:5c:78:38:36:5c:77:64:73:6e:62:70:2e:63:6f:6d:00:ff:6f:6d:00:ff:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:22:23:54:00:00, cisco-av-pair=dhcp-option=00:ff:00:00, cisco-av-pair=dhcp-option=dhcp-parameter-request-list=1\\\\, 15\\\\, 3\\\\, 6\\\\, 44\\\\, 46\\\\, 47\\\\, 31\\\\, 33\\\\, 121\\\\, 249\\\\, 43\\\\, 252, cisco-av-pair=dhcp-option=dhcp-class-identifier=MSFT 5.0, cisco-av-pair=dhcp-option=host-name=W00000PC0R1JC3, cisco-av-pair=dhcp-option=dhcp-client-identifier=01:54:e1:ad:a1:27:72, cisco-av-pair=dhcp-option=dhcp-message-type=8, cisco-av-pair=audit-session-id=0A3D720400016DBFE530A22E, cisco-av-pair=method=dot1x, AcsSessionID=lzpqrst/323409315/14579377, SelectedAccessService=PEAP_MAB, Step=11004, Step=11017, Step=15049, Step=15008, Step=22094, Step=11005, NetworkDeviceGroups=Stage#Deployment Type#Secure Mode D2, NetworkDeviceGroups=Location#All Locations#Placename#500 Exhibition St CompanyPlace#Level 18, NetworkDeviceGroups=Device Type#All Device Types#Access Switch#Catalyst 3850, NetworkDeviceGroups=Location Type#Location Type#Office, CPMSessionID=0A3D720400016DBFE530A22E, Stage=Stage#Deployment Type#Secure Mode D2, Location=Location#All Locations#Placename#500 
Exhibition St CompanyPlace#Level 18, Device Type=Device Type#All Device Types#Access Switch#Catalyst 3850, Network Device Profile=Cisco, Location Type=Location Type#Location Type#Office"; + private static final String SYSLOG_LINE_MISSING = "2018-09-14T00:54:09+00:00 lzpqrst-admin.in.mycompany.com.lg CISE_RADIUS_Accounting 0018032501 1 0 2018-09-14 10:54:09.095 +10:00 0221114759 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=73, Device IP Address=00.00.000.0, RequestLatency=2, NetworkDeviceName=foo, User-Name=ACCOUNT-01\\\\\\\\D622322, NAS-IP-Address=00.00.000.0, NAS-Port=50742, Framed-IP-Address=00.00.000.000, Class=CACS:0A3D720400016DBFE530A22E:lzpqrst/323409315/14578982, Called-Station-ID=00-CA-E5-B1-21-AA, Calling-Station-ID=54-E1-AD-A1-27-72, Acct-Status-Type=Interim-Update, Acct-Delay-Time=10, Acct-Input-Octets=379294, Acct-Output-Octets=1053336, Acct-Session-Id=00025EB8, Acct-Input-Packets=1657, Acct-Output-Packets=2018, Event-Timestamp=1536886439, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet7/0/42, cisco-av-pair=dc-profile-name=Microsoft-Workstation, cisco-av-pair=dc-device-name=MSFT 5.0, cisco-av-pair=dc-device-class-tag=Workstation:Microsoft-Workstation, cisco-av-pair=dc-certainty-metric=10, cisco-av-pair=dc-opaque=\\000\\000\\000\\002\\000\\000\\000\\001\\000\\000\\000\\000, cisco-av-pair=dc-protocol-map=9, cisco-av-pair=dhcp-option=pad=1b:2e:01:08:ff:2e:01:08:ff:0a:90:84:51:0a:2c:08:0a:d0:52:31:0a:d0:5a:1b:2e:01:08:ff:2e:01:08:ff:79:f9:2b:ff:43:17:73:6d:73:62:6f:6f:74:5c:78:38:36:5c:77:64:73:6e:62:70:2e:63:6f:6d:00:ff:6f:6d:00:ff:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:22:23:54:00:00, cisco-av-pair=dhcp-option=00:ff:00:00, cisco-av-pair=dhcp-option=dhcp-parameter-request-list=1\\\\, 15\\\\, 3\\\\, 6\\\\, 44\\\\, 46\\\\, 47\\\\, 31\\\\, 33\\\\, 121\\\\, 249\\\\, 43\\\\, 252, cisco-av-pair=dhcp-option=dhcp-class-identifier=MSFT 5.0, cisco-av-pair=dhcp-option=host-name=W00000PC0R1JC3, 
cisco-av-pair=dhcp-option=dhcp-client-identifier=01:54:e1:ad:a1:27:72, cisco-av-pair=dhcp-option=dhcp-message-type=8, cisco-av-pair=audit-session-id=0A3D720400016DBFE530A22E, cisco-av-pair=method=dot1x, AcsSessionID=lzpqrst/323409315/14579377, SelectedAccessService=PEAP_MAB, Step=11004, Step=11017, Step=15049, Step=15008, Step=22094, Step=11005, NetworkDeviceGroups=Stage#Deployment Type#Secure Mode D2, NetworkDeviceGroups=Location#All Locations#Placename#500 Exhibition St CompanyPlace#Level 18, NetworkDeviceGroups=Device Type#All Device Types#Access Switch#Catalyst 3850, NetworkDeviceGroups=Location Type#Location Type#Office, CPMSessionID=0A3D720400016DBFE530A22E, Stage=Stage#Deployment Type#Secure Mode D2, Location=Location#All Locations#Placename#500 Exhibition St CompanyPlace#Level 18, Device Type=Device Type#All Device Types#Access Switch#Catalyst 3850, Network Device Profile=Cisco, Location Type=Location Type#Location Type#Office"; + private static final String expectedMessage1 = "CISE_RADIUS_Accounting 0018032501 1 0 2018-09-14 10:54:09.095" + + " +10:00 0221114759 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=73, " + + "Device IP Address=00.00.000.0, RequestLatency=2, NetworkDeviceName=foo, " + + "User-Name=ACCOUNT-01\\\\\\\\D622322, NAS-IP-Address=00.00.000.0, NAS-Port=50742, " + + "Framed-IP-Address=00.00.000.000, Class=CACS:0A3D720400016DBFE530A22E:lzpqrst/323409315/14578982, " + + "Called-Station-ID=00-CA-E5-B1-21-AA, Calling-Station-ID=54-E1-AD-A1-27-72, Acct-Status-Type=Interim-Update, " + + "Acct-Delay-Time=10, Acct-Input-Octets=379294, Acct-Output-Octets=1053336, Acct-Session-Id=00025EB8, " + + "Acct-Input-Packets=1657, Acct-Output-Packets=2018, Event-Timestamp=1536886439, NAS-Port-Type=Ethernet, " + + "NAS-Port-Id=GigabitEthernet7/0/42, cisco-av-pair=dc-profile-name=Microsoft-Workstation, " + + "cisco-av-pair=dc-device-name=MSFT 5.0, cisco-av-pair=dc-device-class-tag=Workstation:Microsoft-Workstation, " + + 
"cisco-av-pair=dc-certainty-metric=10, " + + "cisco-av-pair=dc-opaque=\\000\\000\\000\\002\\000\\000\\000\\001\\000\\000\\000\\000, " + + "cisco-av-pair=dc-protocol-map=9, " + + "cisco-av-pair=dhcp-option=pad=" + + "1b:2e:01:08:ff:2e:01:08:ff:0a:90:84:51:0a:2c:08:0a:d0:52:31:0a:d0:5a:1b:2e:01:08:ff:2e:01:08:ff:79:f9:2b:" + + "ff:43:17:73:6d:73:62:6f:6f:74:5c:78:38:36:5c:77:64:73:6e:62:70:2e:63:6f:6d:00:ff:6f:6d:00:ff:00:00:00:00:00:" + + "00:00:00:00:00:00:00:00:00:00:00:00:00:00:22:23:54:00:00, cisco-av-pair=dhcp-option=00:ff:00:00, " + + "cisco-av-pair=dhcp-option=dhcp-parameter-request-list=" + + "1\\\\, 15\\\\, 3\\\\, 6\\\\, 44\\\\, 46\\\\, 47\\\\, 31\\\\, 33\\\\, 121\\\\, 249\\\\, 43\\\\, 252," + + " cisco-av-pair=dhcp-option=dhcp-class-identifier=MSFT 5.0, cisco-av-pair=dhcp-option=host-name=W00000PC0R1JC3," + + " cisco-av-pair=dhcp-option=dhcp-client-identifier=01:54:e1:ad:a1:27:72," + + " cisco-av-pair=dhcp-option=dhcp-message-type=8, cisco-av-pair=audit-session-id=0A3D720400016DBFE530A22E," + + " cisco-av-pair=method=dot1x, AcsSessionID=lzpqrst/323409315/14579377, SelectedAccessService=PEAP_MAB," + + " Step=11004, Step=11017, Step=15049, Step=15008, Step=22094, Step=11005, NetworkDeviceGroups=Stage#Deployment" + + " Type#Secure Mode D2, NetworkDeviceGroups=Location#All Locations#Placename#500 Exhibition St" + + " CompanyPlace#Level 18, NetworkDeviceGroups=Device Type#All Device Types#Access Switch#Catalyst 3850," + + " NetworkDeviceGroups=Location Type#Location Type#Office, CPMSessionID=0A3D720400016DBFE530A22E," + + " Stage=Stage#Deployment Type#Secure Mode D2, Location=Location#All Locations#Placename#500 Exhibition St" + + " CompanyPlace#Level 18, Device Type=Device Type#All Device Types#Access Switch#Catalyst 3850, Network Device" + + " Profile=Cisco, Location Type=Location Type#Location Type#Office"; + + private static final String expectedHostNameOne = "lzpqrst-admin.in.mycompany.com.lg"; + private static final String expectedPriOne = "181"; + 
private static final String expectedTimestampOne = "2018-09-14T00:54:09+00:00"; + private static final String expectedFacilityOne = "22"; + private static final String expectedSeverityOne = "5"; + + private static final String expectedHostNameTwo = "10.34.84.145"; + private static final String expectedMessage2 = "Aug 7 00:45:43 stage-pdp01 CISE_Profiler 0000024855 1 0 " + + "2014-08-07 00:45:43.741 -07:00 0000288542 80002 INFO Profiler: Profiler EndPoint profiling event occurred, " + + "ConfigVersionId=113, EndpointCertainityMetric=10, EndpointIPAddress=10.56.111.14, " + + "EndpointMacAddress=3C:97:0E:C3:F8:F1, EndpointMatchedPolicy=Nortel-Device, EndpointNADAddress=10.56.72.127, " + + "EndpointOUI=Wistron InfoComm(Kunshan)Co.\\,Ltd., EndpointPolicy=Nortel-Device, " + + "EndpointProperty=StaticAssignment=false\\,PostureApplicable=Yes\\,PolicyVersion=402\\," + + "IdentityGroupID=0c1d9270-68a6-11e1-bc72-0050568e013c\\,Total Certainty Factor=10\\," + + "BYODRegistration=Unknown\\,FeedService=false\\,EndPointPolicyID=49054ed0-68a6-11e1-bc72-0050568e013c\\," + + "FirstCollection=1407397543718\\,MatchedPolicyID=49054ed0-68a6-11e1-bc72-0050568e013c\\,TimeToProfile=19\\," + + "StaticGroupAssignment=false\\,NmapSubnetScanID=0\\,DeviceRegistrationStatus=NotRegistered\\,PortalUser=, " + + "EndpointSourceEvent=SNMPQuery Probe, EndpointIdentityGroup=Profiled, ProfilerServer=stage-pdp01.cisco.com,"; + private static final String expectedPriTwo = "181"; + private static final String expectedTimestampTwo = "Aug 6 17:26:31"; + private static final String expectedFacilityTwo = "22"; + private static final String expectedSeverityTwo = "5"; + + + @Test + public void testConfigureDefault() { + Map<String, Object> parserConfig = new HashMap<>(); + Syslog3164Parser testParser = new Syslog3164Parser(); + testParser.configure(parserConfig); + testParser.init(); + assertTrue(testParser.deviceClock.getZone().equals(ZoneOffset.UTC)); + } + + @Test + public void testConfigureTimeZoneOffset() { 
+ Map<String, Object> parserConfig = new HashMap<>(); + parserConfig.put("deviceTimeZone", "UTC-05:00"); + Syslog3164Parser testParser = new Syslog3164Parser(); + testParser.configure(parserConfig); + testParser.init(); + ZonedDateTime deviceTime = ZonedDateTime.ofInstant(Instant.ofEpochSecond(1475323200), testParser.deviceClock.getZone()); + ZonedDateTime referenceTime = ZonedDateTime.ofInstant(Instant.ofEpochSecond(1475323200), ZoneOffset.ofHours(-5)); + assertTrue(deviceTime.isEqual(referenceTime)); + } + + @Test + public void testConfigureTimeZoneText() { + Map<String, Object> parserConfig = new HashMap<>(); + parserConfig.put("deviceTimeZone", "America/New_York"); + Syslog3164Parser testParser = new Syslog3164Parser(); + testParser.configure(parserConfig); + testParser.init(); + ZonedDateTime deviceTime = ZonedDateTime.ofInstant(Instant.ofEpochSecond(1475323200), testParser.deviceClock.getZone()); + ZonedDateTime referenceTime = ZonedDateTime.ofInstant(Instant.ofEpochSecond(1475323200), ZoneOffset.ofHours(-5)); + assertTrue(deviceTime.isEqual(referenceTime)); + } + + @Test + public void testHappyPath() { + test(expectedMessage1, (message) -> Assert.assertEquals(expectedHostNameOne, message.get(SyslogFieldKeys.HEADER_HOSTNAME.getField()))); + } + + + @Test() + public void testNotValid() { + test( "not valid", (message) -> Assert.assertTrue(false)); + } + + public void test( String line, Consumer<JSONObject> msgIdChecker) { + Syslog3164Parser parser = new Syslog3164Parser(); + Map<String, Object> config = new HashMap<>(); + parser.configure(config); + parser.parseOptionalResult(line.getBytes()); + } + + @Test + public void testReadMultiLine() throws Exception { + Syslog3164Parser parser = new Syslog3164Parser(); + Map<String, Object> config = new HashMap<>(); + parser.configure(config); + StringBuilder builder = new StringBuilder(); + builder + .append(SYSLOG_LINE_ALL) + .append("\n") + .append(SYSLOG_LINE_MISSING) + .append("\n") + .append(SYSLOG_LINE_ALL); + 
Optional<MessageParserResult<JSONObject>> resultOptional = parser.parseOptionalResult(builder.toString().getBytes()); + Assert.assertNotNull(resultOptional); + Assert.assertTrue(resultOptional.isPresent()); + List<JSONObject> parsedList = resultOptional.get().getMessages(); + Assert.assertEquals(3,parsedList.size()); + } + + @Test + public void testReadMultiLineWithErrors() throws Exception { + Syslog3164Parser parser = new Syslog3164Parser(); + Map<String, Object> config = new HashMap<>(); + parser.configure(config); + StringBuilder builder = new StringBuilder(); + builder + .append("HEREWEGO!!!!\n") + .append(SYSLOG_LINE_ALL) + .append("\n") + .append(SYSLOG_LINE_MISSING) + .append("\n") + .append("BOOM!\n") + .append(SYSLOG_LINE_ALL) + .append("\nOHMY!"); + Optional<MessageParserResult<JSONObject>> output = parser.parseOptionalResult(builder.toString().getBytes()); + Assert.assertTrue(output.isPresent()); + Assert.assertEquals(3,output.get().getMessages().size()); + Assert.assertEquals(3,output.get().getMessageThrowables().size()); + } +} \ No newline at end of file diff --git a/metron-platform/metron-parsing/metron-parsers/src/test/java/org/apache/metron/parsers/syslog/Syslog5424ParserTest.java b/metron-platform/metron-parsing/metron-parsers-common/src/test/java/org/apache/metron/parsers/syslog/Syslog5424ParserTest.java similarity index 80% rename from metron-platform/metron-parsing/metron-parsers/src/test/java/org/apache/metron/parsers/syslog/Syslog5424ParserTest.java rename to metron-platform/metron-parsing/metron-parsers-common/src/test/java/org/apache/metron/parsers/syslog/Syslog5424ParserTest.java index b3e4507fc1..3c6c72f72b 100644 --- a/metron-platform/metron-parsing/metron-parsers/src/test/java/org/apache/metron/parsers/syslog/Syslog5424ParserTest.java +++ b/metron-platform/metron-parsing/metron-parsers-common/src/test/java/org/apache/metron/parsers/syslog/Syslog5424ParserTest.java 
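Review bot: The `test` helper near the end of the file ignores its `msgIdChecker` argument and the parse result, so `testHappyPath` and `testNotValid` cannot fail (the `Assert.assertTrue(false)` in `testNotValid` is never executed); the rewrite below runs the checker over every parsed message, and `testNotValid` should then assert on `getMessageThrowables()` instead, since judging by `testReadMultiLineWithErrors` a rejected line yields a throwable rather than a message. `testHappyPath` also feeds `expectedMessage1`, a message body with no PRI or header, rather than `SYSLOG_LINE_ALL`, so the hostname assertion would likely fail once it actually runs. Separately, `testConfigureTimeZoneOffset` and `testConfigureTimeZoneText` are vacuous: `ZonedDateTime.isEqual` compares instants, and both operands are built from the same `Instant`, so the assertion holds for any zone — compare `testParser.deviceClock.getZone()` with `ZoneId.of("America/New_York")` or the two `getOffset()` values instead (note 1475323200 falls in daylight time, when New York is -04:00); the same two tests are duplicated in Syslog5424ParserTest (its `@@ -66,6 +71,40 @@` hunk). The fields `expectedMessage2`, `expectedPriTwo`, `expectedTimestampTwo`, `expectedFacilityTwo` and `expectedSeverityTwo` are never referenced.
```java
  public void test(String line, Consumer<JSONObject> msgIdChecker) {
    Syslog3164Parser parser = new Syslog3164Parser();
    parser.configure(new HashMap<>());
    Optional<MessageParserResult<JSONObject>> result = parser.parseOptionalResult(line.getBytes());
    Assert.assertTrue(result.isPresent());
    // apply the caller's assertions to each parsed message; a rejected line
    // produces no message, so callers expecting rejection must also check
    // result.get().getMessageThrowables()
    result.get().getMessages().forEach(msgIdChecker);
  }
```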
@@ -25,6 +25,9 @@
 import org.junit.Assert;
 import org.junit.Test;
+import java.time.Instant;
+import java.time.ZoneOffset;
+import java.time.ZonedDateTime;
 import java.time.format.DateTimeFormatter;
 import java.util.HashMap;
 import java.util.List;
@@ -32,6 +35,8 @@
 import java.util.Optional;
 import java.util.function.Consumer;
+import static org.junit.Assert.assertTrue;
+
 public class Syslog5424ParserTest {
 private static final String SYSLOG_LINE_ALL = "<14>1 2014-06-20T09:14:07+00:00 loggregator"
 + " d0602076-b14a-4c55-852a-981e7afeed38 DEA MSG-01"
@@ -66,6 +71,40 @@
 private static final String expectedEventID1 = "1011";
 private static final String expectedEventID2 = "2022";
+
+ @Test
+ public void testConfigureDefault() {
+ Map<String, Object> parserConfig = new HashMap<>();
+ Syslog5424Parser testParser = new Syslog5424Parser();
+ testParser.configure(parserConfig);
+ testParser.init();
+ assertTrue(testParser.deviceClock.getZone().equals(ZoneOffset.UTC));
+ }
+
+ @Test
+ public void testConfigureTimeZoneOffset() {
+ Map<String, Object> parserConfig = new HashMap<>();
+ parserConfig.put("deviceTimeZone", "UTC-05:00");
+ Syslog5424Parser testParser = new Syslog5424Parser();
+ testParser.configure(parserConfig);
+ testParser.init();
+ ZonedDateTime deviceTime = ZonedDateTime.ofInstant(Instant.ofEpochSecond(1475323200), testParser.deviceClock.getZone());
+ ZonedDateTime referenceTime = ZonedDateTime.ofInstant(Instant.ofEpochSecond(1475323200), ZoneOffset.ofHours(-5));
+ assertTrue(deviceTime.isEqual(referenceTime));
+ }
+
+ @Test
+ public void testConfigureTimeZoneText() {
+ Map<String, Object> parserConfig = new HashMap<>();
+ parserConfig.put("deviceTimeZone", "America/New_York");
+ Syslog5424Parser testParser = new Syslog5424Parser();
+ testParser.configure(parserConfig);
+ testParser.init();
+ ZonedDateTime deviceTime = ZonedDateTime.ofInstant(Instant.ofEpochSecond(1475323200), testParser.deviceClock.getZone());
+ ZonedDateTime referenceTime = ZonedDateTime.ofInstant(Instant.ofEpochSecond(1475323200), ZoneOffset.ofHours(-5));
+ assertTrue(deviceTime.isEqual(referenceTime));
+ }
+
 @Test
 public void testHappyPath() {
 test(null, SYSLOG_LINE_ALL, (message) -> Assert.assertEquals(expectedMessageId, message.get(SyslogFieldKeys.HEADER_MSGID.getField())));
@@ -151,13 +190,13 @@ public void testReadMultiLineWithErrors() throws Exception {
 public void testMissingTimestamp() {
 Syslog5424Parser parser = new Syslog5424Parser();
 Map<String, Object> config = new HashMap<>();
+ String timeStampString = null;
 config.put(Syslog5424Parser.NIL_POLICY_CONFIG, NilPolicy.DASH.name());
 parser.configure(config);
 Optional<MessageParserResult<JSONObject>> output = parser.parseOptionalResult(SYSLOG_LINE_MISSING_DATE.getBytes());
 Assert.assertNotNull(output);
 Assert.assertTrue(output.isPresent());
- String timeStampString = output.get().getMessages().get(0).get("timestamp").toString();
- DateTimeFormatter.ISO_DATE_TIME.parse(timeStampString);
+ Assert.assertNotNull(output.get().getMessages().get(0).get("timestamp").toString());
 config.clear();
 config.put(Syslog5424Parser.NIL_POLICY_CONFIG, NilPolicy.NULL.name());
 parser.configure(config);
@@ -165,8 +204,7 @@ public void testMissingTimestamp() {
 Assert.assertNotNull(output);
 Assert.assertTrue(output.isPresent());
 timeStampString = output.get().getMessages().get(0).get("timestamp").toString();
- DateTimeFormatter.ISO_DATE_TIME.parse(timeStampString);
-
+ Assert.assertNotNull(timeStampString);
 config.clear();
 config.put(Syslog5424Parser.NIL_POLICY_CONFIG, NilPolicy.OMIT.name());
 parser.configure(config);
@@ -174,8 +212,5 @@ public void testMissingTimestamp() {
 output = parser.parseOptionalResult(SYSLOG_LINE_MISSING_DATE.getBytes());
 Assert.assertNotNull(output);
 Assert.assertTrue(output.isPresent());
-
- timeStampString = output.get().getMessages().get(0).get("timestamp").toString();
- DateTimeFormatter.ISO_DATE_TIME.parse(timeStampString);
 }
 }
\ No newline at end of file
diff --git a/metron-platform/metron-parsing/metron-parsers/README.md b/metron-platform/metron-parsing/metron-parsers/README.md
index 98e009455f..aac66b0f56 100644
--- a/metron-platform/metron-parsing/metron-parsers/README.md
+++ b/metron-platform/metron-parsing/metron-parsers/README.md
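Review bot: In `testMissingTimestamp` (this hunk and the two that follow) the three `DateTimeFormatter.ISO_DATE_TIME.parse(...)` checks were replaced by `Assert.assertNotNull(... .get("timestamp").toString())`, which can never fail — a null `timestamp` would throw `NullPointerException` on `toString()` before the assertion — and the OMIT case lost its timestamp check entirely, so the fallback in `BaseSyslogParser.setTimestamp` is no longer verified. Assert the new representation instead, e.g. `Object ts = output.get().getMessages().get(0).get("timestamp"); Assert.assertTrue(ts instanceof Long);` followed by a bound against `System.currentTimeMillis()`, which would also catch a seconds-versus-milliseconds mismatch in the fallback. The hoisted `String timeStampString = null;` is now only read in the second block, and `DateTimeFormatter` may be left unused — check the imports outside the hunk.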
@@ -29,7 +29,6 @@ The included parsers are: * PaloAlto * Snort * Sourcefire -* Syslog * Websphere The basic parsers and their details can be found at [README](../metron-parsers-common#README.md). diff --git a/metron-platform/metron-parsing/metron-parsers/pom.xml b/metron-platform/metron-parsing/metron-parsers/pom.xml index d8b68256b0..c3f5d30abf 100644 --- a/metron-platform/metron-parsing/metron-parsers/pom.xml +++ b/metron-platform/metron-parsing/metron-parsers/pom.xml @@ -63,11 +63,6 @@ </exclusion> </exclusions> </dependency> - <dependency> - <groupId>com.github.palindromicity</groupId> - <artifactId>simple-syslog-5424</artifactId> - <version>${global_simple_syslog_version}</version> - </dependency> <dependency> <groupId>org.apache.metron</groupId> <artifactId>metron-parsers-common</artifactId> diff --git a/metron-platform/metron-parsing/metron-parsing-storm/src/main/resources/META-INF/NOTICE b/metron-platform/metron-parsing/metron-parsing-storm/src/main/resources/META-INF/NOTICE index c773ab721f..767d1aca9a 100644 --- a/metron-platform/metron-parsing/metron-parsing-storm/src/main/resources/META-INF/NOTICE +++ b/metron-platform/metron-parsing/metron-parsing-storm/src/main/resources/META-INF/NOTICE @@ -37,4 +37,10 @@ Copyright 2006-2011 Google, Inc. Apache Software Foundation that were originally developed at iClick, Inc., software copyright (c) 1999. + (ASLv2) simple-syslog + The following NOTICE information applies: + simple-syslog + https://github.com/palindromicity/simple-syslog + + Copyright 2018 simple-syslog authors. diff --git a/pom.xml b/pom.xml index c3528134e8..ab9dfa4e66 100644 --- a/pom.xml +++ b/pom.xml 
@@ -121,7 +121,7 @@ <global_reflections_version>0.9.10</global_reflections_version> <global_checkstyle_version>8.0</global_checkstyle_version> <global_log4j_core_version>2.1</global_log4j_core_version> - <global_simple_syslog_version>0.0.9</global_simple_syslog_version> + <global_simple_syslog_version>0.0.1</global_simple_syslog_version> <global_spark_version>2.3.1</global_spark_version> <global_httpclient_version>4.3.2</global_httpclient_version> <global_aesh_version>0.66.19</global_aesh_version> ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services