Yes, I can explain. All I am looking for is to parse the message (tokenize it) that I am receiving from the syslog (Windows Event Logger). Please have a look at the following two ElasticSearch objects. They don't get stored in a meaningful way. Is there a way I can extract Logged Out and Failed Passwords from it? Which parser will be best suited for it?
{ "_index": "bro_index_2019.02.15.10", "_type": "bro_doc", "_id": "f411cc08-bbdf-4875-ac46-fcc69f3deace", "_version": 1, "_score": null, "_source": { "bro_timestamp": "1550208625.997473", "ip_dst_port": 514, "adapter:geoadapter:begin:ts": "1550208626893", "parallelenricher:enrich:end:ts": "1550208626896", "uid": "Cw7P6g38y3tWWpC9R4", "protocol": "syslog", "source:type": "bro", "adapter:threatinteladapter:end:ts": "1550208626896", "original_string": "SYSLOG | severity:INFO uid:Cw7P6g38y3tWWpC9R4 id.orig_p:60607 id.resp_p:514 proto:udp id.orig_h:10.60.60.81 message:Feb 15 10:33:38 DC12.tap.local MSWinEventLog\t6\tApplication\t238922\tFri Feb 15 10:33:31 2019\t902\tMicrosoft-Windows-Security-SPP\t\tN/A\tInformation\tDC12.tap.local\t0\tThe Software Protection service has started.\r\n6.3.9600.19101\n facility:KERN ts:1550208625.997473 id.resp_h:172.16.4.18", "ip_dst_addr": "172.16.4.18", "adapter:hostfromjsonlistadapter:end:ts": "1550208626893", "adapter:geoadapter:end:ts": "1550208626893", "ip_src_addr": "10.60.60.81", "timestamp": 1550208625997, "severity": "INFO", "parallelenricher:enrich:begin:ts": "1550208626895", "adapter:hostfromjsonlistadapter:begin:ts": "1550208626893", "message": "Feb 15 10:33:38 DC12.tap.local MSWinEventLog\t6\tApplication\t238922\tFri Feb 15 10:33:31 2019\t902\tMicrosoft-Windows-Security-SPP\t\tN/A\tInformation\tDC12.tap.local\t0\tThe Software Protection service has started.\r\n6.3.9600.19101\n", "parallelenricher:splitter:begin:ts": "1550208626895", "ip_src_port": 60607, "proto": "udp", "parallelenricher:splitter:end:ts": "1550208626895", "adapter:threatinteladapter:begin:ts": "1550208626895", "guid": "f411cc08-bbdf-4875-ac46-fcc69f3deace", "facility": "KERN" }, "fields": { "parallelenricher:enrich:begin:ts": [ 1550208626895 ], "adapter:geoadapter:begin:ts": [ 1550208626893 ], "adapter:hostfromjsonlistadapter:begin:ts": [ 1550208626893 ], "parallelenricher:enrich:end:ts": [ 1550208626896 ], "parallelenricher:splitter:begin:ts": [ 
1550208626895 ], "adapter:threatinteladapter:end:ts": [ 1550208626896 ], "adapter:hostfromjsonlistadapter:end:ts": [ 1550208626893 ], "parallelenricher:splitter:end:ts": [ 1550208626895 ], "adapter:threatinteladapter:begin:ts": [ 1550208626895 ], "adapter:geoadapter:end:ts": [ 1550208626893 ], "timestamp": [ 1550208625997 ] }, "highlight": { "original_string": [ "SYSLOG | severity:INFO uid:Cw7P6g38y3tWWpC9R4 id.orig_p:60607 id.resp_p:514 proto:udp id.orig_h:@kibana-highlighted-field@10.60.60.81@ /kibana-highlighted-field@ message:Feb 15 10:33:38 DC12.tap.local MSWinEventLog\t6\tApplication\t238922\tFri Feb 15 10:33:31 2019\t902\tMicrosoft-Windows-Security-SPP\t\tN/A\tInformation\tDC12.tap.local\t0\tThe Software Protection service has started.\r\n6.3.9600.19101\n facility:KERN ts:1550208625.997473 id.resp_h:172.16.4.18" ] }, "sort": [ 1550208625997 ] } Another Sample Object { "_index": "bro_index_2019.02.15.10", "_type": "bro_doc", "_id": "7107a0b8-4999-4956-b20f-40fd666bed46", "_version": 1, "_score": null, "_source": { "bro_timestamp": "1550209568.304029", "ip_dst_port": 514, "adapter:geoadapter:begin:ts": "1550209569921", "parallelenricher:enrich:end:ts": "1550209569923", "uid": "Cw7P6g38y3tWWpC9R4", "protocol": "syslog", "source:type": "bro", "adapter:threatinteladapter:end:ts": "1550209569923", "original_string": "SYSLOG | severity:NOTICE uid:Cw7P6g38y3tWWpC9R4 id.orig_p:60607 id.resp_p:514 proto:udp id.orig_h:10.60.60.81 message:Feb 15 10:49:20 DC12.tap.local MSWinEventLog\t5\tSecurity\t239656\tFri Feb 15 10:49:11 2019\t4634\tMicrosoft-Windows-Security-Auditing\t\tN/A\tAudit Success\tDC12.tap.local\t12545\tAn account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-761976910-1883327070-1659661340-1104\r\n\tAccount Name:\t\tEXG$\r\n\tAccount Domain:\t\tTAP\r\n\tLogon ID:\t\t0x505F5B4\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. 
It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\n facility:KERN ts:1550209568.304029 id.resp_h:172.16.4.18", "ip_dst_addr": "172.16.4.18", "adapter:hostfromjsonlistadapter:end:ts": "1550209569921", "adapter:geoadapter:end:ts": "1550209569921", "ip_src_addr": "10.60.60.81", "timestamp": 1550209568304, "severity": "NOTICE", "parallelenricher:enrich:begin:ts": "1550209569923", "adapter:hostfromjsonlistadapter:begin:ts": "1550209569921", "message": "Feb 15 10:49:20 DC12.tap.local MSWinEventLog\t5\tSecurity\t239656\tFri Feb 15 10:49:11 2019\t4634\tMicrosoft-Windows-Security-Auditing\t\tN/A\tAudit Success\tDC12.tap.local\t12545\tAn account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-761976910-1883327070-1659661340-1104\r\n\tAccount Name:\t\tEXG$\r\n\tAccount Domain:\t\tTAP\r\n\tLogon ID:\t\t0x505F5B4\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.\n", "parallelenricher:splitter:begin:ts": "1550209569923", "ip_src_port": 60607, "proto": "udp", "parallelenricher:splitter:end:ts": "1550209569923", "adapter:threatinteladapter:begin:ts": "1550209569923", "guid": "7107a0b8-4999-4956-b20f-40fd666bed46", "facility": "KERN" }, "fields": { "parallelenricher:enrich:begin:ts": [ 1550209569923 ], "adapter:geoadapter:begin:ts": [ 1550209569921 ], "adapter:hostfromjsonlistadapter:begin:ts": [ 1550209569921 ], "parallelenricher:enrich:end:ts": [ 1550209569923 ], "parallelenricher:splitter:begin:ts": [ 1550209569923 ], "adapter:threatinteladapter:end:ts": [ 1550209569923 ], "adapter:hostfromjsonlistadapter:end:ts": [ 1550209569921 ], "parallelenricher:splitter:end:ts": [ 1550209569923 ], "adapter:threatinteladapter:begin:ts": [ 1550209569923 ], "adapter:geoadapter:end:ts": [ 1550209569921 ], "timestamp": [ 1550209568304 ] }, "highlight": { "original_string": [ "SYSLOG | severity:NOTICE uid:Cw7P6g38y3tWWpC9R4 id.orig_p:60607 id.resp_p:514 proto:udp id.orig_h:@kibana-highlighted-field@10.60.60.81@ /kibana-highlighted-field@ message:Feb 15 10:49:20 DC12.tap.local MSWinEventLog\t5\tSecurity\t239656\tFri Feb 15 10:49:11 2019\t4634\tMicrosoft-Windows-Security-Auditing\t\tN/A\tAudit Success\tDC12.tap.local\t12545\tAn account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-761976910-1883327070-1659661340-1104\r\n\tAccount Name:\t\tEXG$\r\n\tAccount Domain:\t\tTAP\r\n\tLogon ID:\t\t0x505F5B4\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.\n facility:KERN ts:1550209568.304029 id.resp_h:172.16.4.18" ] }, "sort": [ 1550209568304 ] }

On Thu, Feb 14, 2019 at 4:57 PM Otto Fowler <ottobackwa...@gmail.com> wrote:
> I don’t understand what “Default Bro Syslog parser does not crunch it……” means.
>
> Can you explain your data flow?
>
> On February 14, 2019 at 04:30:52, Farrukh Naveed Anjum (anjum.farr...@gmail.com) wrote:
>
> Hi,
>
> Thanks for the reply. I did not make any configuration changes, but I can send you sample events.
> For example:
>
> SYSLOG | severity:ERR uid:CvS7064cni4HcD7FU6 id.orig_p:514 id.resp_p:514 proto:udp id.orig_h:10.2.2.1 message:Feb 14 13:16:52 suricata[88128]: [1:2007994:20] ET MALWARE Suspicious User-Agent (1 space) [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 10.2.2.229:37423 -> 168.235.205.6:80 facility:LOCAL5 ts:1550132212.404591 id.resp_h:172.16.4.18
>
> The default Bro Syslog parser does not crunch it and just pastes it as this message:
>
> Feb 14 13:16:52 suricata[88128]: [1:2007994:20] ET MALWARE Suspicious User-Agent (1 space) [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 10.2.2.229:37423 -> 168.235.205.6:80
>
> Now the problem is IP_SRC and IP_DST are being populated as the local IP instead of these IPs. Similarly, classification is not set. Please suggest also about Windows event logs for detecting failed logins:
>
> Feb 14 14:32:18 DC12.tap.local MSWinEventLog 5 Security 182049 Thu Feb 14 14:32:10 2019 4634 Microsoft-Windows-Security-Auditing N/A Audit Success DC12.tap.local 12545 An account was logged off. Subject: Security ID: S-1-5-21-761976910-1883327070-1659661340-1104 Account Name: EXG$ Account Domain: TAP Logon ID: 0x3E3F0A7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value.
> Logon IDs are only unique between reboots on the same computer.
>
> On Wed, Feb 13, 2019 at 7:01 PM Otto Fowler <ottobackwa...@gmail.com> wrote:
>
>> Also include the configuration of the parser please.
>>
>> On February 13, 2019 at 09:00:08, Otto Fowler (ottobackwa...@gmail.com) wrote:
>>
>> Farrukh,
>>
>> This error means that the syslog line you are passing in is not proper per the spec.
>> Can you create a jira, with this info, and attach or otherwise include a SANITIZED (change IP, machine names, business stuff etc. since this will be on the internet) version of the failing line?
>> I’ll be able to tell you what the issue is and what the options are once I can test it.
>>
>> Not everything sends properly formatted (to the spec) syslog. While simple-syslog (the library I wrote that backs this parser) makes allowances (for missing priority, different date formats) it cannot handle everything that is possible, obviously.
>>
>> As a note, this same library is used in NiFi for the 5424 processor/record reader as well.
>>
>> On February 13, 2019 at 05:54:42, Farrukh Naveed Anjum (anjum.farr...@gmail.com) wrote:
>>
>> Hi,
>> I am trying to utilize Syslog5424. I am receiving data from NiFi into Kafka.
>>
>> I am getting the Parser Exception; any help will be appreciated. Following is the error.
>>
>> nerated.Rfc5424Parser.header(Rfc5424Parser.java:412) ~[stormjar.jar:?] >> at >> com.github.palindromicity.syslog.dsl.generated.Rfc5424Parser.syslog_msg(Rfc5424Parser.java:273) >> ~[stormjar.jar:?] >> at >> com.github.palindromicity.syslog.Rfc5424SyslogParser.parseLine(Rfc5424SyslogParser.java:93) >> ~[stormjar.jar:?] >> at >> com.github.palindromicity.syslog.Rfc5424SyslogParser.lambda$parseLines$0(Rfc5424SyslogParser.java:130) >> ~[stormjar.jar:?] 
>> at java.util.ArrayList.forEach(ArrayList.java:1249) [?:1.8.0_112] >> at >> com.github.palindromicity.syslog.Rfc5424SyslogParser.parseLines(Rfc5424SyslogParser.java:128) >> ~[stormjar.jar:?] >> at >> org.apache.metron.parsers.syslog.Syslog5424Parser.parseOptionalResult(Syslog5424Parser.java:103) >> ~[stormjar.jar:?] >> at >> org.apache.metron.parsers.ParserRunnerImpl.execute(ParserRunnerImpl.java:146) >> ~[stormjar.jar:?] >> at >> org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:253) >> [stormjar.jar:?] >> at >> org.apache.storm.daemon.executor$fn__10195$tuple_action_fn__10197.invoke(executor.clj:735) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.daemon.executor$mk_task_receiver$fn__10114.invoke(executor.clj:466) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.disruptor$clojure_handler$reify__4137.onEvent(disruptor.clj:40) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:472) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:451) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:73) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.daemon.executor$fn__10195$fn__10208$fn__10263.invoke(executor.clj:855) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at org.apache.storm.util$async_loop$fn__1221.invoke(util.clj:484) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at clojure.lang.AFn.run(AFn.java:22) [clojure-1.7.0.jar:?] 
>> at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112] >> Caused by: org.antlr.v4.runtime.NoViableAltException >> at >> org.antlr.v4.runtime.atn.ParserATNSimulator.noViableAlt(ParserATNSimulator.java:1894) >> ~[stormjar.jar:?] >> at >> org.antlr.v4.runtime.atn.ParserATNSimulator.execATN(ParserATNSimulator.java:498) >> ~[stormjar.jar:?] >> at >> org.antlr.v4.runtime.atn.ParserATNSimulator.adaptivePredict(ParserATNSimulator.java:424) >> ~[stormjar.jar:?] >> at >> com.github.palindromicity.syslog.dsl.generated.Rfc5424Parser.header(Rfc5424Parser.java:373) >> ~[stormjar.jar:?] >> ... 18 more >> 2019-02-13 15:52:03.138 o.a.s.d.executor Thread-12-parserBolt-executor[5 5] >> [ERROR] >> com.github.palindromicity.syslog.dsl.ParseException: Syntax error @ 1:5 no >> viable alternative at input 'F' >> at >> com.github.palindromicity.syslog.dsl.DefaultErrorListener.syntaxError(DefaultErrorListener.java:17) >> ~[stormjar.jar:?] >> at >> org.antlr.v4.runtime.ProxyErrorListener.syntaxError(ProxyErrorListener.java:65) >> ~[stormjar.jar:?] >> at org.antlr.v4.runtime.Parser.notifyErrorListeners(Parser.java:558) >> ~[stormjar.jar:?] >> at >> org.antlr.v4.runtime.DefaultErrorStrategy.reportNoViableAlternative(DefaultErrorStrategy.java:310) >> ~[stormjar.jar:?] >> at >> org.antlr.v4.runtime.DefaultErrorStrategy.reportError(DefaultErrorStrategy.java:147) >> ~[stormjar.jar:?] >> at >> com.github.palindromicity.syslog.dsl.generated.Rfc5424Parser.header(Rfc5424Parser.java:412) >> ~[stormjar.jar:?] >> at >> com.github.palindromicity.syslog.dsl.generated.Rfc5424Parser.syslog_msg(Rfc5424Parser.java:273) >> ~[stormjar.jar:?] >> at >> com.github.palindromicity.syslog.Rfc5424SyslogParser.parseLine(Rfc5424SyslogParser.java:93) >> ~[stormjar.jar:?] >> at >> com.github.palindromicity.syslog.Rfc5424SyslogParser.lambda$parseLines$0(Rfc5424SyslogParser.java:130) >> ~[stormjar.jar:?] 
>> at java.util.ArrayList.forEach(ArrayList.java:1249) [?:1.8.0_112] >> at >> com.github.palindromicity.syslog.Rfc5424SyslogParser.parseLines(Rfc5424SyslogParser.java:128) >> ~[stormjar.jar:?] >> at >> org.apache.metron.parsers.syslog.Syslog5424Parser.parseOptionalResult(Syslog5424Parser.java:103) >> ~[stormjar.jar:?] >> at >> org.apache.metron.parsers.ParserRunnerImpl.execute(ParserRunnerImpl.java:146) >> ~[stormjar.jar:?] >> at >> org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:253) >> [stormjar.jar:?] >> at >> org.apache.storm.daemon.executor$fn__10195$tuple_action_fn__10197.invoke(executor.clj:735) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.daemon.executor$mk_task_receiver$fn__10114.invoke(executor.clj:466) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.disruptor$clojure_handler$reify__4137.onEvent(disruptor.clj:40) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:472) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:451) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:73) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.daemon.executor$fn__10195$fn__10208$fn__10263.invoke(executor.clj:855) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at org.apache.storm.util$async_loop$fn__1221.invoke(util.clj:484) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at clojure.lang.AFn.run(AFn.java:22) [clojure-1.7.0.jar:?] 
>> at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112] >> Caused by: org.antlr.v4.runtime.NoViableAltException >> at >> org.antlr.v4.runtime.atn.ParserATNSimulator.noViableAlt(ParserATNSimulator.java:1894) >> ~[stormjar.jar:?] >> at >> org.antlr.v4.runtime.atn.ParserATNSimulator.execATN(ParserATNSimulator.java:498) >> ~[stormjar.jar:?] >> at >> org.antlr.v4.runtime.atn.ParserATNSimulator.adaptivePredict(ParserATNSimulator.java:424) >> ~[stormjar.jar:?] >> at >> com.github.palindromicity.syslog.dsl.generated.Rfc5424Parser.header(Rfc5424Parser.java:373) >> ~[stormjar.jar:?] >> ... 18 more >> 2019-02-13 15:52:03.139 o.a.s.d.executor Thread-12-parserBolt-executor[5 5] >> [ERROR] >> com.github.palindromicity.syslog.dsl.ParseException: Syntax error @ 1:5 no >> viable alternative at input 'F' >> at >> com.github.palindromicity.syslog.dsl.DefaultErrorListener.syntaxError(DefaultErrorListener.java:17) >> ~[stormjar.jar:?] >> at >> org.antlr.v4.runtime.ProxyErrorListener.syntaxError(ProxyErrorListener.java:65) >> ~[stormjar.jar:?] >> at org.antlr.v4.runtime.Parser.notifyErrorListeners(Parser.java:558) >> ~[stormjar.jar:?] >> at >> org.antlr.v4.runtime.DefaultErrorStrategy.reportNoViableAlternative(DefaultErrorStrategy.java:310) >> ~[stormjar.jar:?] >> at >> org.antlr.v4.runtime.DefaultErrorStrategy.reportError(DefaultErrorStrategy.java:147) >> ~[stormjar.jar:?] >> at >> com.github.palindromicity.syslog.dsl.generated.Rfc5424Parser.header(Rfc5424Parser.java:412) >> ~[stormjar.jar:?] >> at >> com.github.palindromicity.syslog.dsl.generated.Rfc5424Parser.syslog_msg(Rfc5424Parser.java:273) >> ~[stormjar.jar:?] >> at >> com.github.palindromicity.syslog.Rfc5424SyslogParser.parseLine(Rfc5424SyslogParser.java:93) >> ~[stormjar.jar:?] >> at >> com.github.palindromicity.syslog.Rfc5424SyslogParser.lambda$parseLines$0(Rfc5424SyslogParser.java:130) >> ~[stormjar.jar:?] 
>> at java.util.ArrayList.forEach(ArrayList.java:1249) [?:1.8.0_112] >> at >> com.github.palindromicity.syslog.Rfc5424SyslogParser.parseLines(Rfc5424SyslogParser.java:128) >> ~[stormjar.jar:?] >> at >> org.apache.metron.parsers.syslog.Syslog5424Parser.parseOptionalResult(Syslog5424Parser.java:103) >> ~[stormjar.jar:?] >> at >> org.apache.metron.parsers.ParserRunnerImpl.execute(ParserRunnerImpl.java:146) >> ~[stormjar.jar:?] >> at >> org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:253) >> [stormjar.jar:?] >> at >> org.apache.storm.daemon.executor$fn__10195$tuple_action_fn__10197.invoke(executor.clj:735) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.daemon.executor$mk_task_receiver$fn__10114.invoke(executor.clj:466) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.disruptor$clojure_handler$reify__4137.onEvent(disruptor.clj:40) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:472) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:451) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:73) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.daemon.executor$fn__10195$fn__10208$fn__10263.invoke(executor.clj:855) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at org.apache.storm.util$async_loop$fn__1221.invoke(util.clj:484) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at clojure.lang.AFn.run(AFn.java:22) [clojure-1.7.0.jar:?] 
>> at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112] >> Caused by: org.antlr.v4.runtime.NoViableAltException >> at >> org.antlr.v4.runtime.atn.ParserATNSimulator.noViableAlt(ParserATNSimulator.java:1894) >> ~[stormjar.jar:?] >> at >> org.antlr.v4.runtime.atn.ParserATNSimulator.execATN(ParserATNSimulator.java:498) >> ~[stormjar.jar:?] >> at >> org.antlr.v4.runtime.atn.ParserATNSimulator.adaptivePredict(ParserATNSimulator.java:424) >> ~[stormjar.jar:?] >> at >> com.github.palindromicity.syslog.dsl.generated.Rfc5424Parser.header(Rfc5424Parser.java:373) >> ~[stormjar.jar:?] >> ... 18 more >> 2019-02-13 15:52:03.139 o.a.s.d.executor Thread-12-parserBolt-executor[5 5] >> [ERROR] >> com.github.palindromicity.syslog.dsl.ParseException: Syntax error @ 1:5 no >> viable alternative at input 'F' >> at >> com.github.palindromicity.syslog.dsl.DefaultErrorListener.syntaxError(DefaultErrorListener.java:17) >> ~[stormjar.jar:?] >> at >> org.antlr.v4.runtime.ProxyErrorListener.syntaxError(ProxyErrorListener.java:65) >> ~[stormjar.jar:?] >> at org.antlr.v4.runtime.Parser.notifyErrorListeners(Parser.java:558) >> ~[stormjar.jar:?] >> at >> org.antlr.v4.runtime.DefaultErrorStrategy.reportNoViableAlternative(DefaultErrorStrategy.java:310) >> ~[stormjar.jar:?] >> at >> org.antlr.v4.runtime.DefaultErrorStrategy.reportError(DefaultErrorStrategy.java:147) >> ~[stormjar.jar:?] >> at >> com.github.palindromicity.syslog.dsl.generated.Rfc5424Parser.header(Rfc5424Parser.java:412) >> ~[stormjar.jar:?] >> at >> com.github.palindromicity.syslog.dsl.generated.Rfc5424Parser.syslog_msg(Rfc5424Parser.java:273) >> ~[stormjar.jar:?] >> at >> com.github.palindromicity.syslog.Rfc5424SyslogParser.parseLine(Rfc5424SyslogParser.java:93) >> ~[stormjar.jar:?] >> at >> com.github.palindromicity.syslog.Rfc5424SyslogParser.lambda$parseLines$0(Rfc5424SyslogParser.java:130) >> ~[stormjar.jar:?] 
>> at java.util.ArrayList.forEach(ArrayList.java:1249) [?:1.8.0_112] >> at >> com.github.palindromicity.syslog.Rfc5424SyslogParser.parseLines(Rfc5424SyslogParser.java:128) >> ~[stormjar.jar:?] >> at >> org.apache.metron.parsers.syslog.Syslog5424Parser.parseOptionalResult(Syslog5424Parser.java:103) >> ~[stormjar.jar:?] >> at >> org.apache.metron.parsers.ParserRunnerImpl.execute(ParserRunnerImpl.java:146) >> ~[stormjar.jar:?] >> at >> org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:253) >> [stormjar.jar:?] >> at >> org.apache.storm.daemon.executor$fn__10195$tuple_action_fn__10197.invoke(executor.clj:735) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.daemon.executor$mk_task_receiver$fn__10114.invoke(executor.clj:466) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.disruptor$clojure_handler$reify__4137.onEvent(disruptor.clj:40) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:472) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:451) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:73) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.daemon.executor$fn__10195$fn__10208$fn__10263.invoke(executor.clj:855) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at org.apache.storm.util$async_loop$fn__1221.invoke(util.clj:484) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at clojure.lang.AFn.run(AFn.java:22) [clojure-1.7.0.jar:?] 
>> at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112] >> Caused by: org.antlr.v4.runtime.NoViableAltException >> at >> org.antlr.v4.runtime.atn.ParserATNSimulator.noViableAlt(ParserATNSimulator.java:1894) >> ~[stormjar.jar:?] >> at >> org.antlr.v4.runtime.atn.ParserATNSimulator.execATN(ParserATNSimulator.java:498) >> ~[stormjar.jar:?] >> at >> org.antlr.v4.runtime.atn.ParserATNSimulator.adaptivePredict(ParserATNSimulator.java:424) >> ~[stormjar.jar:?] >> at >> com.github.palindromicity.syslog.dsl.generated.Rfc5424Parser.header(Rfc5424Parser.java:373) >> ~[stormjar.jar:?] >> ... 18 more >> 2019-02-13 15:52:03.140 o.a.s.d.executor Thread-12-parserBolt-executor[5 5] >> [ERROR] >> com.github.palindromicity.syslog.dsl.ParseException: Syntax error @ 1:5 no >> viable alternative at input 'F' >> at >> com.github.palindromicity.syslog.dsl.DefaultErrorListener.syntaxError(DefaultErrorListener.java:17) >> ~[stormjar.jar:?] >> at >> org.antlr.v4.runtime.ProxyErrorListener.syntaxError(ProxyErrorListener.java:65) >> ~[stormjar.jar:?] >> at org.antlr.v4.runtime.Parser.notifyErrorListeners(Parser.java:558) >> ~[stormjar.jar:?] >> at >> org.antlr.v4.runtime.DefaultErrorStrategy.reportNoViableAlternative(DefaultErrorStrategy.java:310) >> ~[stormjar.jar:?] >> at >> org.antlr.v4.runtime.DefaultErrorStrategy.reportError(DefaultErrorStrategy.java:147) >> ~[stormjar.jar:?] >> at >> com.github.palindromicity.syslog.dsl.generated.Rfc5424Parser.header(Rfc5424Parser.java:412) >> ~[stormjar.jar:?] >> at >> com.github.palindromicity.syslog.dsl.generated.Rfc5424Parser.syslog_msg(Rfc5424Parser.java:273) >> ~[stormjar.jar:?] >> at >> com.github.palindromicity.syslog.Rfc5424SyslogParser.parseLine(Rfc5424SyslogParser.java:93) >> ~[stormjar.jar:?] >> at >> com.github.palindromicity.syslog.Rfc5424SyslogParser.lambda$parseLines$0(Rfc5424SyslogParser.java:130) >> ~[stormjar.jar:?] 
>> at java.util.ArrayList.forEach(ArrayList.java:1249) [?:1.8.0_112] >> at >> com.github.palindromicity.syslog.Rfc5424SyslogParser.parseLines(Rfc5424SyslogParser.java:128) >> ~[stormjar.jar:?] >> at >> org.apache.metron.parsers.syslog.Syslog5424Parser.parseOptionalResult(Syslog5424Parser.java:103) >> ~[stormjar.jar:?] >> at >> org.apache.metron.parsers.ParserRunnerImpl.execute(ParserRunnerImpl.java:146) >> ~[stormjar.jar:?] >> at >> org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:253) >> [stormjar.jar:?] >> at >> org.apache.storm.daemon.executor$fn__10195$tuple_action_fn__10197.invoke(executor.clj:735) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.daemon.executor$mk_task_receiver$fn__10114.invoke(executor.clj:466) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.disruptor$clojure_handler$reify__4137.onEvent(disruptor.clj:40) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:472) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:451) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:73) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at >> org.apache.storm.daemon.executor$fn__10195$fn__10208$fn__10263.invoke(executor.clj:855) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at org.apache.storm.util$async_loop$fn__1221.invoke(util.clj:484) >> [storm-core-1.1.0.2.6.5.1050-37.jar:1.1.0.2.6.5.1050-37] >> at clojure.lang.AFn.run(AFn.java:22) [clojure-1.7.0.jar:?] >> at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112] >> >> -- >> With Regards >> Farrukh Naveed Anjum >> >> > > -- > With Regards > Farrukh Naveed Anjum > > -- With Regards Farrukh Naveed Anjum