From 6564cda4c79e77b26021d1578cf1a95db1730aac Mon Sep 17 00:00:00 2001 From: Ruslan Gainutdinov Date: Sat, 5 Jun 2021 19:17:52 +0300 Subject: [PATCH] Version 4.0.8 compatible with Graylog 4.x --- pom.xml | 4 +- run-graylog | 30 +- .../wizecore/graylog2/plugin/CEFSender.java | 278 +++++++------- .../wizecore/graylog2/plugin/FullSender.java | 180 ++++----- .../graylog2/plugin/MessageSender.java | 20 +- .../wizecore/graylog2/plugin/PlainSender.java | 202 +++++------ .../graylog2/plugin/SnareWindowsSender.java | 342 +++++++++--------- .../graylog2/plugin/StructuredSender.java | 128 +++---- .../graylog2/plugin/SyslogOutputMetaData.java | 104 +++--- .../graylog2/plugin/SyslogOutputModule.java | 50 +-- .../graylog2/plugin/SyslogOutputPlugin.java | 42 +-- .../com/wizecore/graylog2/plugin/package.html | 2 +- .../com/wizecore/graylog2/plugin/syslog.txt | 82 ++--- 13 files changed, 734 insertions(+), 730 deletions(-) diff --git a/pom.xml b/pom.xml index 5ae632e..c7f7e17 100644 --- a/pom.xml +++ b/pom.xml @@ -10,7 +10,7 @@ com.wizecore.graylog2 graylog-output-syslog - 3.3.2 + 4.0.8 jar graylog-output-syslog @@ -23,7 +23,7 @@ true true true - 3.3.0 + 4.0.8 0.9.60 /usr/share/graylog-server/plugin diff --git a/run-graylog b/run-graylog index 6f481a4..54ee821 100755 --- a/run-graylog +++ b/run-graylog 
@@ -1,23 +1,27 @@ #!/bin/bash HERE=$PWD -GL=~/Downloads/graylog-3.3.1 +GL=~/Downloads/graylog-4.0.8 TT=$GL/tmp mkdir -p $TT -#sudo umount $TT -#sudo mount -o bind,noexec $TT $TT -#export JAVA_OPTS="-Djava.io.tmpdir=$TT" -#rm -Rf $GL/data +sudo umount $TT +sudo mount -o bind,noexec $TT $TT +export JAVA_OPTS="-Djava.io.tmpdir=$TT" +rm -Rf $GL/data mkdir -p $GL/data mvn package -DskipTests -cp target/graylog-output-syslog-3.3.1.jar $GL/plugin +cp target/graylog-output-syslog-4.0.8.jar $GL/plugin export GRAYLOG_CONF=$GL/graylog.conf -#docker rm -f elastic -#docker run --name elastic -p 9200:9200 -d elasticsearch:5 -#docker rm -f mongo -#docker run --name mongo -p 27017:27017 -d mongo:3.6 -#docker start elastic -#docker start mongo -sleep 5 +sudo sysctl -w vm.max_map_count=262144 + +docker rm -f elastic +docker run --name elastic -p 9200:9200 -e "discovery.type=single-node" \ + -e "cluster.routing.allocation.disk.threshold_enabled=false" \ + -d elasticsearch:7.10.1 +docker rm -f mongo +docker run --name mongo -p 27017:27017 -d mongo:3.6 +docker start elastic +docker start mongo +sleep 10 $GL/bin/graylogctl run ## Run two consoles additionally: diff --git a/src/main/java/com/wizecore/graylog2/plugin/CEFSender.java b/src/main/java/com/wizecore/graylog2/plugin/CEFSender.java index 44defab..ea766dc 100644 --- a/src/main/java/com/wizecore/graylog2/plugin/CEFSender.java +++ b/src/main/java/com/wizecore/graylog2/plugin/CEFSender.java 
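Review bot: The Elasticsearch and MongoDB containers started on the new side publish their ports on every interface (`-p 9200:9200`, `-p 27017:27017`) with no authentication configured, so the development data stores are reachable from the network for as long as the script runs. For a local run bind them to loopback instead, `docker run --name elastic -p 127.0.0.1:9200:9200 -e "discovery.type=single-node" \` and `docker run --name mongo -p 127.0.0.1:27017:27017 -d mongo:3.6`. Separately, the now-uncommented `rm -Rf $GL/data` and the `mount`/`umount` lines expand `$GL` and `$TT` unquoted; quoting them (`rm -Rf "$GL/data"`) keeps the deletion target stable should the path ever contain whitespace.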
@@ -1,147 +1,147 @@ -package com.wizecore.graylog2.plugin; - -import java.util.Map; - -import org.graylog2.plugin.Message; -import org.graylog2.syslog4j.SyslogConstants; -import org.graylog2.syslog4j.SyslogIF; - -/** - * Using CEF format - */ - -/* - * http://blog.rootshell.be/2011/05/11/ossec-speaks-arcsight/ - * - * - * CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension - -CEF:0|ArcSight|Logger|5.0.0.5355.2|sensor:115|Logger Internal Event|1|\ -cat=/Monitor/Sensor/Fan5 cs2=Current Value cnt=1 dvc=10.0.0.1 cs3=Ok \ -cs1=null type=0 cs1Label=unit rt=1305034099211 cs3Label=Status cn1Label=value \ -cs2Label=timeframe - */ -public class CEFSender implements MessageSender { - - @Override - public void send(SyslogIF syslog, int level, Message msg) { - StringBuilder out = new StringBuilder(); - - // Header: - // CEF:Version|Device Vendor|Device Product|Device Version| - out.append("CEF:0|Graylog|graylog-output-syslog:cefsender|2.3.1|"); - - // Device Event Class ID - out.append("log:1"); - out.append("|"); - - Map fields = msg.getFields(); - Object fv = fields.get("act"); - - // Name - String str = fv != null ? fv.toString() : null; - if (str == null) { - fv = fields.get("short_message"); - str = fv != null ? fv.toString() : null; - } - if (str == null) { - str = msg.getId(); - } - str = escape(str, false); - out.append(str); - - // Severity - // The valid integer values are 0-3=Low, 4-6=Medium, 7-8=High, and 9-10=Very-High. 
- int cefLevel = 0; - /** see {@link org.graylog2.syslog4j.SyslogConstants#LEVEL_INFO} */ - switch (level) { - case (SyslogConstants.LEVEL_DEBUG): - cefLevel = 1; - break; - case (SyslogConstants.LEVEL_NOTICE): - cefLevel = 2; - break; - case (SyslogConstants.LEVEL_INFO): - cefLevel = 3; - break; - case (SyslogConstants.LEVEL_WARN): - cefLevel = 6; - break; - case (SyslogConstants.LEVEL_ERROR): - cefLevel = 7; - break; - case (SyslogConstants.LEVEL_CRITICAL): - cefLevel = 8; - break; - case (SyslogConstants.LEVEL_ALERT): - cefLevel = 9; - break; - case (SyslogConstants.LEVEL_EMERGENCY): - cefLevel = 10; - break; - default: - // FIXME: Unknown level - cefLevel = 10; - break; - } - out.append("|").append(cefLevel) .append("|"); - - // Extension - boolean have = false; - boolean haveExternalId = false; - boolean haveMsg = false; +package com.wizecore.graylog2.plugin; + +import java.util.Map; + +import org.graylog2.plugin.Message; +import org.graylog2.syslog4j.SyslogConstants; +import org.graylog2.syslog4j.SyslogIF; + +/** + * Using CEF format + */ + +/* + * http://blog.rootshell.be/2011/05/11/ossec-speaks-arcsight/ + * + * + * CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension + +CEF:0|ArcSight|Logger|5.0.0.5355.2|sensor:115|Logger Internal Event|1|\ +cat=/Monitor/Sensor/Fan5 cs2=Current Value cnt=1 dvc=10.0.0.1 cs3=Ok \ +cs1=null type=0 cs1Label=unit rt=1305034099211 cs3Label=Status cn1Label=value \ +cs2Label=timeframe + */ +public class CEFSender implements MessageSender { + + @Override + public void send(SyslogIF syslog, int level, Message msg) { + StringBuilder out = new StringBuilder(); + + // Header: + // CEF:Version|Device Vendor|Device Product|Device Version| + out.append("CEF:0|Graylog|graylog-output-syslog:cefsender|2.3.1|"); + + // Device Event Class ID + out.append("log:1"); + out.append("|"); + + Map fields = msg.getFields(); + Object fv = fields.get("act"); + + // Name + String str = fv != null ? 
fv.toString() : null; + if (str == null) { + fv = fields.get("short_message"); + str = fv != null ? fv.toString() : null; + } + if (str == null) { + str = msg.getId(); + } + str = escape(str, false); + out.append(str); + + // Severity + // The valid integer values are 0-3=Low, 4-6=Medium, 7-8=High, and 9-10=Very-High. + int cefLevel = 0; + /** see {@link org.graylog2.syslog4j.SyslogConstants#LEVEL_INFO} */ + switch (level) { + case (SyslogConstants.LEVEL_DEBUG): + cefLevel = 1; + break; + case (SyslogConstants.LEVEL_NOTICE): + cefLevel = 2; + break; + case (SyslogConstants.LEVEL_INFO): + cefLevel = 3; + break; + case (SyslogConstants.LEVEL_WARN): + cefLevel = 6; + break; + case (SyslogConstants.LEVEL_ERROR): + cefLevel = 7; + break; + case (SyslogConstants.LEVEL_CRITICAL): + cefLevel = 8; + break; + case (SyslogConstants.LEVEL_ALERT): + cefLevel = 9; + break; + case (SyslogConstants.LEVEL_EMERGENCY): + cefLevel = 10; + break; + default: + // FIXME: Unknown level + cefLevel = 10; + break; + } + out.append("|").append(cefLevel) .append("|"); + + // Extension + boolean have = false; + boolean haveExternalId = false; + boolean haveMsg = false; boolean haveStart = false; - for (String k: fields.keySet()) { - Object v = fields.get(k); - if (!k.equals("message") && !k.equals("full_message") && !k.equals("short_message")) { + for (String k: fields.keySet()) { + Object v = fields.get(k); + if (!k.equals("message") && !k.equals("full_message") && !k.equals("short_message")) { String s = v != null ? 
v.toString() : "null"; - s = escape(s, true); - if (have) { - out.append(" "); + s = escape(s, true); + if (have) { + out.append(" "); + } + out.append(k).append('=').append(s); + have = true; + + if (!haveExternalId && k.equals("externalId")) { + haveExternalId = true; + } + + if (!haveMsg && k.equals("msg")) { + haveMsg = true; } - out.append(k).append('=').append(s); - have = true; - - if (!haveExternalId && k.equals("externalId")) { - haveExternalId = true; - } - - if (!haveMsg && k.equals("msg")) { - haveMsg = true; - } - - if (!haveStart && k.equals("start")) { - haveStart = true; - } - } - } - - if (!haveStart) { - out.append(" start=").append(msg.getTimestamp().getMillis()); - } - - if (!haveMsg) { - out.append(" msg=").append(escape(msg.getMessage(), true)); - } - - if (!haveExternalId) { - out.append(" externalId=").append(msg.getId()); + + if (!haveStart && k.equals("start")) { + haveStart = true; + } + } + } + + if (!haveStart) { + out.append(" start=").append(msg.getTimestamp().getMillis()); + } + + if (!haveMsg) { + out.append(" msg=").append(escape(msg.getMessage(), true)); } - syslog.log(level, out.toString()); - } - - public String escape(String s, boolean extension) { - s = s.replace("\\", "\\\\"); + if (!haveExternalId) { + out.append(" externalId=").append(msg.getId()); + } + + syslog.log(level, out.toString()); + } + + public String escape(String s, boolean extension) { + s = s.replace("\\", "\\\\"); if (extension) { s = s.replace("=", "\\="); s = s.replace("\r", ""); - s = s.replace("\n", "\\n"); - } else { - s = s.replace("|", "\\|"); - s = s.replace("\r", ""); - s = s.replace("\n", ""); - } - return s; - } -} + s = s.replace("\n", "\\n"); + } else { + s = s.replace("|", "\\|"); + s = s.replace("\r", ""); + s = s.replace("\n", ""); + } + return s; + } +} diff --git a/src/main/java/com/wizecore/graylog2/plugin/FullSender.java b/src/main/java/com/wizecore/graylog2/plugin/FullSender.java index 0e91c57..9f6d083 100644 
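Review bot: The CEF header written at the top of `send` still hardcodes the device version, `out.append("CEF:0|Graylog|graylog-output-syslog:cefsender|2.3.1|");`, while this commit bumps the artifact to 4.0.8 in pom.xml, so downstream CEF consumers will keep seeing 2.3.1 as Device Version. Either update the literal together with the version bump or derive it from a single version constant so the two cannot drift again. The rest of this hunk appears to be a line-ending normalization only, so this is a pre-existing inconsistency the commit touches but does not fix.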
--- a/src/main/java/com/wizecore/graylog2/plugin/FullSender.java +++ b/src/main/java/com/wizecore/graylog2/plugin/FullSender.java 
@@ -1,90 +1,90 @@ -package com.wizecore.graylog2.plugin; - -import java.util.HashMap; -import java.util.Map; -import java.util.logging.Logger; - -import org.graylog2.plugin.Message; -import org.graylog2.syslog4j.SyslogIF; -import org.graylog2.syslog4j.impl.message.structured.StructuredSyslogMessage; - -import com.google.common.base.Joiner; -import com.google.common.collect.Maps; - -/** - * Sends full message to Syslog. - * - * <165>1 2003-10-11T22:14:15.003Z mymachine.example.com - evntslog - ID47 [exampleSDID@0 iut="3" eventSource= - "Application" eventID="1011"] BOMAn application - event log entry... - - */ -public class FullSender implements MessageSender { - private Logger log = Logger.getLogger(FullSender.class.getName()); - - @Override - public void send(SyslogIF syslog, int level, Message msg) { - Map sdParams = new HashMap(); - Map fields = msg.getFields(); - for (String key: fields.keySet()) { - if (key != Message.FIELD_MESSAGE && key != Message.FIELD_FULL_MESSAGE && key != Message.FIELD_SOURCE) { - sdParams.put(key, fields.get(key).toString()); - } - } - - // http://www.iana.org/assignments/enterprise-numbers/enterprise-numbers - // @ - String sdId = "all@0"; - // log.info("Sending " + level + ", " + msg.getId() + ", " + msg.getSource() + ", " + sdId + "=" + sdParams + ", " + msg.getMessage()); - Map> sd = new HashMap>(); - sd.put(sdId, sdParams); - - String msgId = null; - if (msgId == null) { - String source = msg.getSource(); - if (source != null) { - msgId = source; - } - } - if (msgId == null) { - msgId = "-"; - } - - String sourceId = null; - if (sourceId == null) { - Object facility = msg.getField("facility"); - if (facility != null) { - sourceId = facility.toString(); - } - } - if (sourceId == null) { - sourceId = "-"; - } - - syslog.log(level, new StructuredSyslogMessage(msgId, sourceId, sd, dumpMessage(msg))); - } - - public static String dumpMessage(Message msg) { - final StringBuilder sb = new StringBuilder(); - sb.append("source: 
").append(msg.getField(Message.FIELD_SOURCE)).append(" | "); - - Object text = msg.getField(Message.FIELD_FULL_MESSAGE); - if (text == null) { - text = msg.getField(Message.FIELD_MESSAGE); - } - final String message = text.toString().replaceAll("\\n", "").replaceAll("\\t", ""); - sb.append("message: "); - sb.append(message); - sb.append(" { "); - - final Map filteredFields = Maps.newHashMap(msg.getFields()); - filteredFields.remove(Message.FIELD_SOURCE); - filteredFields.remove(Message.FIELD_MESSAGE); - - Joiner.on(" | ").withKeyValueSeparator(": ").appendTo(sb, filteredFields); - - sb.append(" }"); - return sb.toString(); - } -} +package com.wizecore.graylog2.plugin; + +import java.util.HashMap; +import java.util.Map; +import java.util.logging.Logger; + +import org.graylog2.plugin.Message; +import org.graylog2.syslog4j.SyslogIF; +import org.graylog2.syslog4j.impl.message.structured.StructuredSyslogMessage; + +import com.google.common.base.Joiner; +import com.google.common.collect.Maps; + +/** + * Sends full message to Syslog. + * + * <165>1 2003-10-11T22:14:15.003Z mymachine.example.com + evntslog - ID47 [exampleSDID@0 iut="3" eventSource= + "Application" eventID="1011"] BOMAn application + event log entry... 
+ + */ +public class FullSender implements MessageSender { + private Logger log = Logger.getLogger(FullSender.class.getName()); + + @Override + public void send(SyslogIF syslog, int level, Message msg) { + Map sdParams = new HashMap(); + Map fields = msg.getFields(); + for (String key: fields.keySet()) { + if (key != Message.FIELD_MESSAGE && key != Message.FIELD_FULL_MESSAGE && key != Message.FIELD_SOURCE) { + sdParams.put(key, fields.get(key).toString()); + } + } + + // http://www.iana.org/assignments/enterprise-numbers/enterprise-numbers + // @ + String sdId = "all@0"; + // log.info("Sending " + level + ", " + msg.getId() + ", " + msg.getSource() + ", " + sdId + "=" + sdParams + ", " + msg.getMessage()); + Map> sd = new HashMap>(); + sd.put(sdId, sdParams); + + String msgId = null; + if (msgId == null) { + String source = msg.getSource(); + if (source != null) { + msgId = source; + } + } + if (msgId == null) { + msgId = "-"; + } + + String sourceId = null; + if (sourceId == null) { + Object facility = msg.getField("facility"); + if (facility != null) { + sourceId = facility.toString(); + } + } + if (sourceId == null) { + sourceId = "-"; + } + + syslog.log(level, new StructuredSyslogMessage(msgId, sourceId, sd, dumpMessage(msg))); + } + + public static String dumpMessage(Message msg) { + final StringBuilder sb = new StringBuilder(); + sb.append("source: ").append(msg.getField(Message.FIELD_SOURCE)).append(" | "); + + Object text = msg.getField(Message.FIELD_FULL_MESSAGE); + if (text == null) { + text = msg.getField(Message.FIELD_MESSAGE); + } + final String message = text.toString().replaceAll("\\n", "").replaceAll("\\t", ""); + sb.append("message: "); + sb.append(message); + sb.append(" { "); + + final Map filteredFields = Maps.newHashMap(msg.getFields()); + filteredFields.remove(Message.FIELD_SOURCE); + filteredFields.remove(Message.FIELD_MESSAGE); + + Joiner.on(" | ").withKeyValueSeparator(": ").appendTo(sb, filteredFields); + + sb.append(" }"); + return 
sb.toString(); + } +} diff --git a/src/main/java/com/wizecore/graylog2/plugin/MessageSender.java b/src/main/java/com/wizecore/graylog2/plugin/MessageSender.java index e1c1e77..aaebe6c 100644 --- a/src/main/java/com/wizecore/graylog2/plugin/MessageSender.java +++ b/src/main/java/com/wizecore/graylog2/plugin/MessageSender.java @@ -1,11 +1,11 @@ -package com.wizecore.graylog2.plugin; - -import org.graylog2.plugin.Message; -import org.graylog2.syslog4j.SyslogIF; - -/** - * Optimized sender - */ -public interface MessageSender { - void send(SyslogIF syslog, int level, Message msg); +package com.wizecore.graylog2.plugin; + +import org.graylog2.plugin.Message; +import org.graylog2.syslog4j.SyslogIF; + +/** + * Optimized sender + */ +public interface MessageSender { + void send(SyslogIF syslog, int level, Message msg); } \ No newline at end of file diff --git a/src/main/java/com/wizecore/graylog2/plugin/PlainSender.java b/src/main/java/com/wizecore/graylog2/plugin/PlainSender.java index ea036fc..f281c59 100644 --- a/src/main/java/com/wizecore/graylog2/plugin/PlainSender.java +++ b/src/main/java/com/wizecore/graylog2/plugin/PlainSender.java 
@@ -1,101 +1,101 @@ -package com.wizecore.graylog2.plugin; - -import java.text.SimpleDateFormat; -import java.util.Date; -import java.util.Locale; -import java.util.logging.Logger; - -import org.graylog2.plugin.Message; -import org.graylog2.syslog4j.SyslogIF; - -/** - * Formats fields into message text - * - - <34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8 - ^priority - ^ version - ^ date - ^ host - ^ APP-NAME - ^ structured data? - ^ MSGID - - */ -public class PlainSender implements MessageSender { - private Logger log = Logger.getLogger(PlainSender.class.getName()); - - public static final String SYSLOG_DATEFORMAT = "MMM dd HH:mm:ss"; - - /** - * From syslog4j - * - * @param dt - * @return - */ - public static void appendSyslogTimestamp(Date dt, StringBuilder buffer) { - SimpleDateFormat dateFormat = new SimpleDateFormat(SYSLOG_DATEFORMAT,Locale.ENGLISH); - String datePrefix = dateFormat.format(dt); - - int pos = buffer.length() + 4; - buffer.append(datePrefix); - - // RFC 3164 requires leading space for days 1-9 - if (buffer.charAt(pos) == '0') { - buffer.setCharAt(pos,' '); - } - } - - @Override - public void send(SyslogIF syslog, int level, Message msg) { - StringBuilder out = new StringBuilder(); - appendHeader(msg, out); - - out.append(msg.getMessage()); - String str = out.toString(); - // log.info("Sending plain message: " + level + ", " + str); - syslog.log(level, str); - } - - public static void appendHeader(Message msg, StringBuilder out) { - Date dt = null; - Object ts = msg.getField("timestamp"); - if (ts != null && ts instanceof Number) { - dt = new Date(((Number) ts).longValue()); - } - - if (dt == null) { - dt = new Date(); - } - - // Write time - appendSyslogTimestamp(dt, out); - out.append(" "); - - // Write source (host) - String source = msg.getSource(); - if (source != null) { - out.append(source).append(" "); - } else { - out.append("- "); - } - - // Write service - Object 
facility = msg.getField("facility"); - if (facility != null) { - out.append(facility.toString()).append(" "); - } else { - out.append("- "); - } - - // MSGID - Object username = msg.getField("username"); - if (username != null) { - out.append(username.toString()).append(" "); - } else { - out.append("- "); - } - - out.append(' '); - } -} +package com.wizecore.graylog2.plugin; + +import java.text.SimpleDateFormat; +import java.util.Date; +import java.util.Locale; +import java.util.logging.Logger; + +import org.graylog2.plugin.Message; +import org.graylog2.syslog4j.SyslogIF; + +/** + * Formats fields into message text + * + + <34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8 + ^priority + ^ version + ^ date + ^ host + ^ APP-NAME + ^ structured data? + ^ MSGID + + */ +public class PlainSender implements MessageSender { + private Logger log = Logger.getLogger(PlainSender.class.getName()); + + public static final String SYSLOG_DATEFORMAT = "MMM dd HH:mm:ss"; + + /** + * From syslog4j + * + * @param dt + * @return + */ + public static void appendSyslogTimestamp(Date dt, StringBuilder buffer) { + SimpleDateFormat dateFormat = new SimpleDateFormat(SYSLOG_DATEFORMAT,Locale.ENGLISH); + String datePrefix = dateFormat.format(dt); + + int pos = buffer.length() + 4; + buffer.append(datePrefix); + + // RFC 3164 requires leading space for days 1-9 + if (buffer.charAt(pos) == '0') { + buffer.setCharAt(pos,' '); + } + } + + @Override + public void send(SyslogIF syslog, int level, Message msg) { + StringBuilder out = new StringBuilder(); + appendHeader(msg, out); + + out.append(msg.getMessage()); + String str = out.toString(); + // log.info("Sending plain message: " + level + ", " + str); + syslog.log(level, str); + } + + public static void appendHeader(Message msg, StringBuilder out) { + Date dt = null; + Object ts = msg.getField("timestamp"); + if (ts != null && ts instanceof Number) { + dt = new Date(((Number) 
ts).longValue()); + } + + if (dt == null) { + dt = new Date(); + } + + // Write time + appendSyslogTimestamp(dt, out); + out.append(" "); + + // Write source (host) + String source = msg.getSource(); + if (source != null) { + out.append(source).append(" "); + } else { + out.append("- "); + } + + // Write service + Object facility = msg.getField("facility"); + if (facility != null) { + out.append(facility.toString()).append(" "); + } else { + out.append("- "); + } + + // MSGID + Object username = msg.getField("username"); + if (username != null) { + out.append(username.toString()).append(" "); + } else { + out.append("- "); + } + + out.append(' '); + } +} diff --git a/src/main/java/com/wizecore/graylog2/plugin/SnareWindowsSender.java b/src/main/java/com/wizecore/graylog2/plugin/SnareWindowsSender.java index bec7245..628b93a 100644 --- a/src/main/java/com/wizecore/graylog2/plugin/SnareWindowsSender.java +++ b/src/main/java/com/wizecore/graylog2/plugin/SnareWindowsSender.java 
@@ -1,171 +1,171 @@ -package com.wizecore.graylog2.plugin; - -import java.text.SimpleDateFormat; -import java.util.Date; -import java.util.Locale; -import java.util.logging.Logger; - -import org.graylog2.plugin.Message; -import org.graylog2.syslog4j.SyslogIF; - -/** - * Formats fields into message text - * - - <34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8 - ^priority - ^ version - ^ date - ^ host - ^ APP-NAME - ^ structured data? - ^ MSGID - - */ -public class SnareWindowsSender implements MessageSender { - private Logger log = Logger.getLogger(SnareWindowsSender.class.getName()); - - public static final String SYSLOG_DATEFORMAT = "MMM dd HH:mm:ss"; - public static final String MSEVENT_DATEFORMAT = "EEE MMM dd HH:mm:ss yyyy"; - public static final String SEPARATOR = "\t"; - /** - * From syslog4j - * - * @param dt - * @return - */ - public static void appendSyslogTimestamp(Date dt, StringBuilder buffer) { - SimpleDateFormat dateFormat = new SimpleDateFormat(SYSLOG_DATEFORMAT,Locale.ENGLISH); - String datePrefix = dateFormat.format(dt); - - int pos = buffer.length() + 4; - buffer.append(datePrefix); - - // RFC 3164 requires leading space for days 1-9 - if (buffer.charAt(pos) == '0') { - buffer.setCharAt(pos,' '); - } - } - - public static void appendMSEventTimestamp(Date dt, StringBuilder buffer) { - SimpleDateFormat dateFormat = new SimpleDateFormat(MSEVENT_DATEFORMAT,Locale.ENGLISH); - String datePrefix = dateFormat.format(dt); - - int pos = buffer.length() + 4; - buffer.append(datePrefix); - - // RFC 3164 requires leading space for days 1-9 - if (buffer.charAt(pos) == '0') { - buffer.setCharAt(pos,' '); - } - } - - @Override - public void send(SyslogIF syslog, int level, Message msg) { - StringBuilder out = new StringBuilder(); - //appendHeader(msg, out); - - - Date dt = null; - Object ts = msg.getField("timestamp"); - if (ts != null && ts instanceof Number) { - dt = new Date(((Number) 
ts).longValue()); - } - - if (dt == null) { - dt = new Date(); - } - - out.append("MSWinEventLog").append(SEPARATOR); - appendCriticality(msg, out); - appendField(msg, out, "Channel"); - appendField(msg, out, "RecordNumber"); // we do not have snare counter - // Write time - appendMSEventTimestamp(dt, out); - out.append(SEPARATOR); - - appendField(msg, out, "EventID"); - - appendField(msg, out, "SourceName"); - appendWinUser(msg, out); - appendField(msg, out, "AccountType"); - - appendField(msg, out, "EventType"); - - appendField(msg, out, "source"); - appendField(msg, out, "Category"); - - // manca il data - out.append(SEPARATOR); - - // ExtendedData - appendField(msg, out, "message"); - - Object fld = msg.getField("RecordNumber"); - if (fld == null){ - fld = new String("N/A"); - } - out.append(fld.toString()); - - //out.append(msg.getMessage()); - String str = out.toString(); - // log.info("Sending plain message: " + level + ", " + str); - syslog.log(level, str); - } - - public static void appendHeader(Message msg, StringBuilder out) { - Date dt = null; - Object ts = msg.getField("timestamp"); - if (ts != null && ts instanceof Number) { - dt = new Date(((Number) ts).longValue()); - } - - if (dt == null) { - dt = new Date(); - } - - //appendPriority(msg, out); - - // Write time - appendSyslogTimestamp(dt, out); - out.append(" "); - - Object fld = msg.getField("source"); - if (fld == null){ - fld = new String("N/A"); - } - out.append(fld.toString()); - out.append(" "); - } - - public static void appendField(Message msg, StringBuilder out, String field){ - Object fld = msg.getField(field.toString()); - if (fld == null){ - fld = new String("N/A"); - } - String f = fld.toString().replaceAll("\t", " "); - out.append(f).append(SEPARATOR); - } - - public static void appendWinUser(Message msg, StringBuilder out){ - Object domain = msg.getField("Domain"); - if(domain != null){ - out.append(domain.toString()).append("\\"); - } - appendField(msg, out, "AccountName"); - } - - 
public static void appendCriticality(Message msg, StringBuilder out){ - Object severityValue = msg.getField("SeverityValue"); - String criticality = "0"; - if(severityValue!=null){ - int i_severityValue = Integer.parseInt(severityValue.toString()); - criticality = String.valueOf(i_severityValue-1); - } - out.append(criticality.toString()).append(SEPARATOR); - } - - public static void appendPriority(Message msg, StringBuilder out){ - out.append("<").append("14").append(">"); - } -} +package com.wizecore.graylog2.plugin; + +import java.text.SimpleDateFormat; +import java.util.Date; +import java.util.Locale; +import java.util.logging.Logger; + +import org.graylog2.plugin.Message; +import org.graylog2.syslog4j.SyslogIF; + +/** + * Formats fields into message text + * + + <34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8 + ^priority + ^ version + ^ date + ^ host + ^ APP-NAME + ^ structured data? + ^ MSGID + + */ +public class SnareWindowsSender implements MessageSender { + private Logger log = Logger.getLogger(SnareWindowsSender.class.getName()); + + public static final String SYSLOG_DATEFORMAT = "MMM dd HH:mm:ss"; + public static final String MSEVENT_DATEFORMAT = "EEE MMM dd HH:mm:ss yyyy"; + public static final String SEPARATOR = "\t"; + /** + * From syslog4j + * + * @param dt + * @return + */ + public static void appendSyslogTimestamp(Date dt, StringBuilder buffer) { + SimpleDateFormat dateFormat = new SimpleDateFormat(SYSLOG_DATEFORMAT,Locale.ENGLISH); + String datePrefix = dateFormat.format(dt); + + int pos = buffer.length() + 4; + buffer.append(datePrefix); + + // RFC 3164 requires leading space for days 1-9 + if (buffer.charAt(pos) == '0') { + buffer.setCharAt(pos,' '); + } + } + + public static void appendMSEventTimestamp(Date dt, StringBuilder buffer) { + SimpleDateFormat dateFormat = new SimpleDateFormat(MSEVENT_DATEFORMAT,Locale.ENGLISH); + String datePrefix = dateFormat.format(dt); + + int pos = 
buffer.length() + 4; + buffer.append(datePrefix); + + // RFC 3164 requires leading space for days 1-9 + if (buffer.charAt(pos) == '0') { + buffer.setCharAt(pos,' '); + } + } + + @Override + public void send(SyslogIF syslog, int level, Message msg) { + StringBuilder out = new StringBuilder(); + //appendHeader(msg, out); + + + Date dt = null; + Object ts = msg.getField("timestamp"); + if (ts != null && ts instanceof Number) { + dt = new Date(((Number) ts).longValue()); + } + + if (dt == null) { + dt = new Date(); + } + + out.append("MSWinEventLog").append(SEPARATOR); + appendCriticality(msg, out); + appendField(msg, out, "Channel"); + appendField(msg, out, "RecordNumber"); // we do not have snare counter + // Write time + appendMSEventTimestamp(dt, out); + out.append(SEPARATOR); + + appendField(msg, out, "EventID"); + + appendField(msg, out, "SourceName"); + appendWinUser(msg, out); + appendField(msg, out, "AccountType"); + + appendField(msg, out, "EventType"); + + appendField(msg, out, "source"); + appendField(msg, out, "Category"); + + // manca il data + out.append(SEPARATOR); + + // ExtendedData + appendField(msg, out, "message"); + + Object fld = msg.getField("RecordNumber"); + if (fld == null){ + fld = new String("N/A"); + } + out.append(fld.toString()); + + //out.append(msg.getMessage()); + String str = out.toString(); + // log.info("Sending plain message: " + level + ", " + str); + syslog.log(level, str); + } + + public static void appendHeader(Message msg, StringBuilder out) { + Date dt = null; + Object ts = msg.getField("timestamp"); + if (ts != null && ts instanceof Number) { + dt = new Date(((Number) ts).longValue()); + } + + if (dt == null) { + dt = new Date(); + } + + //appendPriority(msg, out); + + // Write time + appendSyslogTimestamp(dt, out); + out.append(" "); + + Object fld = msg.getField("source"); + if (fld == null){ + fld = new String("N/A"); + } + out.append(fld.toString()); + out.append(" "); + } + + public static void appendField(Message msg, 
StringBuilder out, String field){ + Object fld = msg.getField(field.toString()); + if (fld == null){ + fld = new String("N/A"); + } + String f = fld.toString().replaceAll("\t", " "); + out.append(f).append(SEPARATOR); + } + + public static void appendWinUser(Message msg, StringBuilder out){ + Object domain = msg.getField("Domain"); + if(domain != null){ + out.append(domain.toString()).append("\\"); + } + appendField(msg, out, "AccountName"); + } + + public static void appendCriticality(Message msg, StringBuilder out){ + Object severityValue = msg.getField("SeverityValue"); + String criticality = "0"; + if(severityValue!=null){ + int i_severityValue = Integer.parseInt(severityValue.toString()); + criticality = String.valueOf(i_severityValue-1); + } + out.append(criticality.toString()).append(SEPARATOR); + } + + public static void appendPriority(Message msg, StringBuilder out){ + out.append("<").append("14").append(">"); + } +} diff --git a/src/main/java/com/wizecore/graylog2/plugin/StructuredSender.java b/src/main/java/com/wizecore/graylog2/plugin/StructuredSender.java index ef9c970..ba9e3c3 100644 --- a/src/main/java/com/wizecore/graylog2/plugin/StructuredSender.java +++ b/src/main/java/com/wizecore/graylog2/plugin/StructuredSender.java 
@@ -1,64 +1,64 @@ -package com.wizecore.graylog2.plugin; - -import java.util.HashMap; -import java.util.Map; -import java.util.logging.Logger; - -import org.graylog2.plugin.Message; -import org.graylog2.syslog4j.SyslogIF; -import org.graylog2.syslog4j.impl.message.structured.StructuredSyslogMessage; - -/** - * https://tools.ietf.org/html/rfc5424 - * - * <165>1 2003-10-11T22:14:15.003Z mymachine.example.com - evntslog - ID47 [exampleSDID@0 iut="3" eventSource= - "Application" eventID="1011"] BOMAn application - event log entry... - - */ -public class StructuredSender implements MessageSender { - private Logger log = Logger.getLogger(StructuredSender.class.getName()); - - @Override - public void send(SyslogIF syslog, int level, Message msg) { - Map sdParams = new HashMap(); - Map fields = msg.getFields(); - for (String key: fields.keySet()) { - if (key != Message.FIELD_MESSAGE && key != Message.FIELD_FULL_MESSAGE && key != Message.FIELD_SOURCE) { - sdParams.put(key, fields.get(key).toString()); - } - } - - // http://www.iana.org/assignments/enterprise-numbers/enterprise-numbers - // @ - String sdId = "all@0"; - // log.info("Sending " + level + ", " + msg.getId() + ", " + msg.getSource() + ", " + sdId + "=" + sdParams + ", " + msg.getMessage()); - Map> sd = new HashMap>(); - sd.put(sdId, sdParams); - - String msgId = null; - if (msgId == null) { - String source = msg.getSource(); - if (source != null) { - msgId = source; - } - } - if (msgId == null) { - msgId = "-"; - } - - String sourceId = null; - if (sourceId == null) { - Object facility = msg.getField("facility"); - if (facility != null) { - sourceId = facility.toString(); - } - } - if (sourceId == null) { - sourceId = "-"; - } - - syslog.log(level, new StructuredSyslogMessage(msgId, sourceId, sd, FullSender.dumpMessage(msg))); - } -} +package com.wizecore.graylog2.plugin; + +import java.util.HashMap; +import java.util.Map; +import java.util.logging.Logger; + +import org.graylog2.plugin.Message; +import 
org.graylog2.syslog4j.SyslogIF; +import org.graylog2.syslog4j.impl.message.structured.StructuredSyslogMessage; + +/** + * https://tools.ietf.org/html/rfc5424 + * + * <165>1 2003-10-11T22:14:15.003Z mymachine.example.com + evntslog - ID47 [exampleSDID@0 iut="3" eventSource= + "Application" eventID="1011"] BOMAn application + event log entry... + + */ +public class StructuredSender implements MessageSender { + private Logger log = Logger.getLogger(StructuredSender.class.getName()); + + @Override + public void send(SyslogIF syslog, int level, Message msg) { + Map sdParams = new HashMap(); + Map fields = msg.getFields(); + for (String key: fields.keySet()) { + if (key != Message.FIELD_MESSAGE && key != Message.FIELD_FULL_MESSAGE && key != Message.FIELD_SOURCE) { + sdParams.put(key, fields.get(key).toString()); + } + } + + // http://www.iana.org/assignments/enterprise-numbers/enterprise-numbers + // @ + String sdId = "all@0"; + // log.info("Sending " + level + ", " + msg.getId() + ", " + msg.getSource() + ", " + sdId + "=" + sdParams + ", " + msg.getMessage()); + Map> sd = new HashMap>(); + sd.put(sdId, sdParams); + + String msgId = null; + if (msgId == null) { + String source = msg.getSource(); + if (source != null) { + msgId = source; + } + } + if (msgId == null) { + msgId = "-"; + } + + String sourceId = null; + if (sourceId == null) { + Object facility = msg.getField("facility"); + if (facility != null) { + sourceId = facility.toString(); + } + } + if (sourceId == null) { + sourceId = "-"; + } + + syslog.log(level, new StructuredSyslogMessage(msgId, sourceId, sd, FullSender.dumpMessage(msg))); + } +} diff --git a/src/main/java/com/wizecore/graylog2/plugin/SyslogOutputMetaData.java b/src/main/java/com/wizecore/graylog2/plugin/SyslogOutputMetaData.java index f190d07..63fda89 100644 --- a/src/main/java/com/wizecore/graylog2/plugin/SyslogOutputMetaData.java +++ b/src/main/java/com/wizecore/graylog2/plugin/SyslogOutputMetaData.java 
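Review bot: The field filter in `send` compares keys with `!=`, which is reference comparison on Strings, so a key equal to "message" or "full_message" that is not the same interned object slips through and the message body is duplicated inside the SD-ELEMENT; use `if (!Message.FIELD_MESSAGE.equals(key) && !Message.FIELD_FULL_MESSAGE.equals(key) && !Message.FIELD_SOURCE.equals(key)) {`. The same loop calls `fields.get(key).toString()`, which throws NullPointerException for a field whose value is null and loses the whole message; `String.valueOf(fields.get(key))` is the safe form. Whether StructuredSyslogMessage escapes `"`, `\` and `]` inside SD-PARAM values (RFC 5424 section 6.3.3) is not visible here; if it does not, an incoming field containing `]` would break the structured-data framing for the receiver, so that is worth confirming. This hunk appears to re-add the file unchanged (likely a line-ending normalization), so these points predate the commit.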
@@ -1,52 +1,52 @@
-package com.wizecore.graylog2.plugin;
-
-import java.net.URI;
-import java.util.Collections;
-import java.util.Set;
-
-import org.graylog2.plugin.PluginMetaData;
-import org.graylog2.plugin.ServerStatus.Capability;
-import org.graylog2.plugin.Version;
-
-public class SyslogOutputMetaData implements PluginMetaData {
-
- @Override
- public String getAuthor() {
- return "Wizecore. Based on work by Intelie.";
- }
-
- @Override
- public String getDescription() {
- return "Enables sending messages to syslog via TCP, UDP and TCP over SSL.";
- }
-
- @Override
- public String getName() {
- return "SyslogOutputPlugin";
- }
-
- @Override
- public Set getRequiredCapabilities() {
- return Collections.emptySet();
- }
-
- @Override
- public Version getRequiredVersion() {
- return Version.from(2, 1, 1);
- }
-
- @Override
- public URI getURL() {
- return URI.create("https://github.com/wizecore/graylog2-output-syslog");
- }
-
- @Override
- public String getUniqueId() {
- return SyslogOutput.class.getName();
- }
-
- @Override
- public Version getVersion() {
- return new Version(1, 0, 0);
- }
-}
+package com.wizecore.graylog2.plugin;
+
+import java.net.URI;
+import java.util.Collections;
+import java.util.Set;
+
+import org.graylog2.plugin.PluginMetaData;
+import org.graylog2.plugin.ServerStatus.Capability;
+import org.graylog2.plugin.Version;
+
+public class SyslogOutputMetaData implements PluginMetaData {
+
+ @Override
+ public String getAuthor() {
+ return "Wizecore. Based on work by Intelie.";
+ }
+
+ @Override
+ public String getDescription() {
+ return "Enables sending messages to syslog via TCP, UDP and TCP over SSL.";
+ }
+
+ @Override
+ public String getName() {
+ return "SyslogOutputPlugin";
+ }
+
+ @Override
+ public Set getRequiredCapabilities() {
+ return Collections.emptySet();
+ }
+
+ @Override
+ public Version getRequiredVersion() {
+ return Version.from(2, 1, 1);
+ }
+
+ @Override
+ public URI getURL() {
+ return URI.create("https://github.com/wizecore/graylog2-output-syslog");
+ }
+
+ @Override
+ public String getUniqueId() {
+ return SyslogOutput.class.getName();
+ }
+
+ @Override
+ public Version getVersion() {
+ return new Version(4, 0, 8);
+ }
+}
diff --git a/src/main/java/com/wizecore/graylog2/plugin/SyslogOutputModule.java b/src/main/java/com/wizecore/graylog2/plugin/SyslogOutputModule.java
index d81c995..45df7ec 100644
--- a/src/main/java/com/wizecore/graylog2/plugin/SyslogOutputModule.java
+++ b/src/main/java/com/wizecore/graylog2/plugin/SyslogOutputModule.java
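Review bot: `getRequiredVersion()` still returns `Version.from(2, 1, 1)` while `getVersion()` is bumped to 4.0.8 and the commit title declares the build compatible with Graylog 4.x; if this release genuinely depends on 4.x server APIs, the required version should move with it, e.g. `return Version.from(4, 0, 0);`, presumably so the server can refuse the plugin where it cannot work instead of failing later at runtime. If the 2.1.1 floor is intentional, a short comment on the method stating that the plugin is still expected to run on older servers would save the next reader the same question.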
@@ -1,25 +1,25 @@
-package com.wizecore.graylog2.plugin;
-
-import java.util.Collections;
-import java.util.Set;
-
-import org.graylog2.plugin.PluginConfigBean;
-import org.graylog2.plugin.PluginModule;
-import org.graylog2.plugin.outputs.MessageOutput;
-import org.graylog2.plugin.outputs.MessageOutput.Factory;
-
-import com.google.inject.multibindings.MapBinder;
-
-public class SyslogOutputModule extends PluginModule {
-
- @Override
- public Set getConfigBeans() {
- return Collections.emptySet();
- }
-
- @Override
- protected void configure() {
- MapBinder> outputMapBinder = outputsMapBinder();
- installOutput(outputMapBinder, SyslogOutput.class, SyslogOutput.Factory.class);
- }
-}
+package com.wizecore.graylog2.plugin;
+
+import java.util.Collections;
+import java.util.Set;
+
+import org.graylog2.plugin.PluginConfigBean;
+import org.graylog2.plugin.PluginModule;
+import org.graylog2.plugin.outputs.MessageOutput;
+import org.graylog2.plugin.outputs.MessageOutput.Factory;
+
+import com.google.inject.multibindings.MapBinder;
+
+public class SyslogOutputModule extends PluginModule {
+
+ @Override
+ public Set getConfigBeans() {
+ return Collections.emptySet();
+ }
+
+ @Override
+ protected void configure() {
+ MapBinder> outputMapBinder = outputsMapBinder();
+ installOutput(outputMapBinder, SyslogOutput.class, SyslogOutput.Factory.class);
+ }
+}
diff --git a/src/main/java/com/wizecore/graylog2/plugin/SyslogOutputPlugin.java b/src/main/java/com/wizecore/graylog2/plugin/SyslogOutputPlugin.java
index 562d92f..d0921ec 100644
--- a/src/main/java/com/wizecore/graylog2/plugin/SyslogOutputPlugin.java
+++ b/src/main/java/com/wizecore/graylog2/plugin/SyslogOutputPlugin.java
@@ -1,21 +1,21 @@
-package com.wizecore.graylog2.plugin;
-
-import java.util.Arrays;
-import java.util.Collection;
-
-import org.graylog2.plugin.Plugin;
-import org.graylog2.plugin.PluginMetaData;
-import org.graylog2.plugin.PluginModule;
-
-public class SyslogOutputPlugin implements Plugin {
-
- @Override
- public PluginMetaData metadata() {
- return new SyslogOutputMetaData();
- }
-
- @Override
- public Collection modules() {
- return Arrays.asList(new SyslogOutputModule());
- }
-}
+package com.wizecore.graylog2.plugin;
+
+import java.util.Arrays;
+import java.util.Collection;
+
+import org.graylog2.plugin.Plugin;
+import org.graylog2.plugin.PluginMetaData;
+import org.graylog2.plugin.PluginModule;
+
+public class SyslogOutputPlugin implements Plugin {
+
+ @Override
+ public PluginMetaData metadata() {
+ return new SyslogOutputMetaData();
+ }
+
+ @Override
+ public Collection modules() {
+ return Arrays.asList(new SyslogOutputModule());
+ }
+}
diff --git a/src/main/java/com/wizecore/graylog2/plugin/package.html b/src/main/java/com/wizecore/graylog2/plugin/package.html
index d00f426..50f9d25 100644
--- a/src/main/java/com/wizecore/graylog2/plugin/package.html
+++ b/src/main/java/com/wizecore/graylog2/plugin/package.html
@@ -1 +1 @@
-Implementation of plugin to Graylog 1.0 to send stream via Syslog
\ No newline at end of file
+Implementation of plugin to Graylog to send stream via Syslog
\ No newline at end of file
diff --git a/src/main/java/com/wizecore/graylog2/plugin/syslog.txt b/src/main/java/com/wizecore/graylog2/plugin/syslog.txt
index 14902c3..76173b7 100644
--- a/src/main/java/com/wizecore/graylog2/plugin/syslog.txt
+++ b/src/main/java/com/wizecore/graylog2/plugin/syslog.txt
@@ -1,42 +1,42 @@ - Numerical Facility - Code - - 0 kernel messages - 1 user-level messages - 2 mail system - 3 system daemons - 4 security/authorization messages - 5 messages generated internally by syslogd - 6 line printer subsystem - 7 network news subsystem - 8 UUCP subsystem - 9 clock daemon - 10 security/authorization messages - 11 FTP daemon - 12 NTP subsystem - 13 log audit - 14 log alert - 15 clock daemon (note 2) - 16 local use 0 (local0) - 17 local use 1 (local1) - 18 local use 2 (local2) - 19 local use 3 (local3) - 20 local use 4 (local4) - 21 local use 5 (local5) - 22 local use 6 (local6) - 23 local use 7 (local7) - - Numerical Severity - Code - - 0 Emergency: system is unusable - 1 Alert: action must be taken immediately - 2 Critical: critical conditions - 3 Error: error conditions - 4 Warning: warning conditions - 5 Notice: normal but significant condition - 6 Informational: informational messages - 7 Debug: debug-level messages - -The Priority value is calculated by first multiplying the Facility + Numerical Facility + Code + + 0 kernel messages + 1 user-level messages + 2 mail system + 3 system daemons + 4 security/authorization messages + 5 messages generated internally by syslogd + 6 line printer subsystem + 7 network news subsystem + 8 UUCP subsystem + 9 clock daemon + 10 security/authorization messages + 11 FTP daemon + 12 NTP subsystem + 13 log audit + 14 log alert + 15 clock daemon (note 2) + 16 local use 0 (local0) + 17 local use 1 (local1) + 18 local use 2 (local2) + 19 local use 3 (local3) + 20 local use 4 (local4) + 21 local use 5 (local5) + 22 local use 6 (local6) + 23 local use 7 (local7) + + Numerical Severity + Code + + 0 Emergency: system is unusable + 1 Alert: action must be taken immediately + 2 Critical: critical conditions + 3 Error: error conditions + 4 Warning: warning conditions + 5 Notice: normal but significant condition + 6 Informational: informational messages + 7 Debug: debug-level messages + +The Priority value is 
calculated by first multiplying the Facility number by 8 and then adding the numerical value of the Severity. \ No newline at end of file