| /** |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| package org.apache.metron.parsing.parsers; |
| |
| import oi.thekraken.grok.api.Grok; |
| import oi.thekraken.grok.api.Match; |
| import oi.thekraken.grok.api.exception.GrokException; |
| import org.apache.commons.io.IOUtils; |
| import org.json.simple.JSONObject; |
| |
| import java.io.File; |
| import java.io.FileOutputStream; |
| import java.io.IOException; |
| import java.io.InputStream; |
| import java.text.ParseException; |
| import java.text.SimpleDateFormat; |
| import java.util.*; |
| |
| public class GrokAsaParser extends BasicParser { |
| |
| private static final long serialVersionUID = 945353287115350798L; |
| private transient Grok grok; |
| Map<String, String> patternMap; |
| private transient Map<String, Grok> grokMap; |
| private transient InputStream pattern_url; |
| |
| public static final String PREFIX = "stream2file"; |
| public static final String SUFFIX = ".tmp"; |
| |
| public static File stream2file(InputStream in) throws IOException { |
| final File tempFile = File.createTempFile(PREFIX, SUFFIX); |
| tempFile.deleteOnExit(); |
| try (FileOutputStream out = new FileOutputStream(tempFile)) { |
| IOUtils.copy(in, out); |
| } |
| return tempFile; |
| } |
| |
| public GrokAsaParser() throws Exception { |
| // pattern_url = Resources.getResource("patterns/asa"); |
| |
| pattern_url = getClass().getClassLoader().getResourceAsStream( |
| "patterns/asa"); |
| |
| File file = stream2file(pattern_url); |
| grok = Grok.create(file.getPath()); |
| |
| patternMap = getPatternMap(); |
| grokMap = getGrokMap(); |
| |
| grok.compile("%{CISCO_TAGGED_SYSLOG}"); |
| } |
| |
| public GrokAsaParser(String filepath) throws Exception { |
| |
| grok = Grok.create(filepath); |
| // grok.getNamedRegexCollection().put("ciscotag","CISCOFW302013_302014_302015_302016"); |
| grok.compile("%{CISCO_TAGGED_SYSLOG}"); |
| |
| } |
| |
| public GrokAsaParser(String filepath, String pattern) throws Exception { |
| |
| grok = Grok.create(filepath); |
| grok.compile("%{" + pattern + "}"); |
| } |
| |
| private Map<String, Object> getMap(String pattern, String text) |
| throws GrokException { |
| |
| Grok g = grokMap.get(pattern); |
| if (g != null) { |
| Match gm = g.match(text); |
| gm.captures(); |
| return gm.toMap(); |
| } else { |
| return new HashMap<String, Object>(); |
| } |
| |
| } |
| |
| private Map<String, Grok> getGrokMap() throws GrokException, IOException { |
| Map<String, Grok> map = new HashMap<String, Grok>(); |
| |
| for (Map.Entry<String, String> entry : patternMap.entrySet()) { |
| File file = stream2file(pattern_url); |
| Grok grok = Grok.create(file.getPath()); |
| grok.compile("%{" + entry.getValue() + "}"); |
| |
| map.put(entry.getValue(), grok); |
| |
| } |
| |
| return map; |
| } |
| |
| private Map<String, String> getPatternMap() { |
| Map<String, String> map = new HashMap<String, String>(); |
| |
| map.put("ASA-2-106001", "CISCOFW106001"); |
| map.put("ASA-2-106006", "CISCOFW106006_106007_106010"); |
| map.put("ASA-2-106007", "CISCOFW106006_106007_106010"); |
| map.put("ASA-2-106010", "CISCOFW106006_106007_106010"); |
| map.put("ASA-3-106014", "CISCOFW106014"); |
| map.put("ASA-6-106015", "CISCOFW106015"); |
| map.put("ASA-1-106021", "CISCOFW106021"); |
| map.put("ASA-4-106023", "CISCOFW106023"); |
| map.put("ASA-5-106100", "CISCOFW106100"); |
| map.put("ASA-6-110002", "CISCOFW110002"); |
| map.put("ASA-6-302010", "CISCOFW302010"); |
| map.put("ASA-6-302013", "CISCOFW302013_302014_302015_302016"); |
| map.put("ASA-6-302014", "CISCOFW302013_302014_302015_302016"); |
| map.put("ASA-6-302015", "CISCOFW302013_302014_302015_302016"); |
| map.put("ASA-6-302016", "CISCOFW302013_302014_302015_302016"); |
| map.put("ASA-6-302020", "CISCOFW302020_302021"); |
| map.put("ASA-6-302021", "CISCOFW302020_302021"); |
| map.put("ASA-6-305011", "CISCOFW305011"); |
| map.put("ASA-3-313001", "CISCOFW313001_313004_313008"); |
| map.put("ASA-3-313004", "CISCOFW313001_313004_313008"); |
| map.put("ASA-3-313008", "CISCOFW313001_313004_313008"); |
| map.put("ASA-4-313005", "CISCOFW313005"); |
| map.put("ASA-4-402117", "CISCOFW402117"); |
| map.put("ASA-4-402119", "CISCOFW402119"); |
| map.put("ASA-4-419001", "CISCOFW419001"); |
| map.put("ASA-4-419002", "CISCOFW419002"); |
| map.put("ASA-4-500004", "CISCOFW500004"); |
| map.put("ASA-6-602303", "CISCOFW602303_602304"); |
| map.put("ASA-6-602304", "CISCOFW602303_602304"); |
| map.put("ASA-7-710001", "CISCOFW710001_710002_710003_710005_710006"); |
| map.put("ASA-7-710002", "CISCOFW710001_710002_710003_710005_710006"); |
| map.put("ASA-7-710003", "CISCOFW710001_710002_710003_710005_710006"); |
| map.put("ASA-7-710005", "CISCOFW710001_710002_710003_710005_710006"); |
| map.put("ASA-7-710006", "CISCOFW710001_710002_710003_710005_710006"); |
| map.put("ASA-6-713172", "CISCOFW713172"); |
| map.put("ASA-4-733100", "CISCOFW733100"); |
| map.put("ASA-6-305012", "CISCOFW305012"); |
| map.put("ASA-7-609001", "CISCOFW609001"); |
| map.put("ASA-7-609002", "CISCOFW609002"); |
| |
| return map; |
| } |
| |
| public static Long convertToEpoch(String m, String d, String ts, |
| boolean adjust_timezone) throws ParseException { |
| d = d.trim(); |
| |
| if (d.length() <= 2) |
| d = "0" + d; |
| |
| Date date = new SimpleDateFormat("MMM", Locale.ENGLISH).parse(m); |
| Calendar cal = Calendar.getInstance(); |
| cal.setTime(date); |
| String month = String.valueOf(cal.get(Calendar.MONTH)); |
| int year = Calendar.getInstance().get(Calendar.YEAR); |
| |
| if (month.length() <= 2) |
| month = "0" + month; |
| |
| String coglomerated_ts = year + "-" + month + "-" + d + " " + ts; |
| |
| System.out.println(coglomerated_ts); |
| |
| SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"); |
| |
| if (adjust_timezone) |
| sdf.setTimeZone(TimeZone.getTimeZone("GMT")); |
| |
| date = sdf.parse(coglomerated_ts); |
| long timeInMillisSinceEpoch = date.getTime(); |
| |
| return timeInMillisSinceEpoch; |
| } |
| |
| @Override |
| public void init() { |
| // pattern_url = Resources.getResource("patterns/asa"); |
| |
| pattern_url = getClass().getClassLoader().getResourceAsStream( |
| "patterns/asa"); |
| |
| File file = null; |
| try { |
| file = stream2file(pattern_url); |
| } catch (IOException e) { |
| // TODO Auto-generated catch block |
| e.printStackTrace(); |
| } |
| try { |
| grok = Grok.create(file.getPath()); |
| } catch (GrokException e) { |
| // TODO Auto-generated catch block |
| e.printStackTrace(); |
| } |
| |
| patternMap = getPatternMap(); |
| try { |
| grokMap = getGrokMap(); |
| } catch (GrokException | IOException e1) { |
| // TODO Auto-generated catch block |
| e1.printStackTrace(); |
| } |
| |
| try { |
| grok.compile("%{CISCO_TAGGED_SYSLOG}"); |
| } catch (GrokException e) { |
| // TODO Auto-generated catch block |
| e.printStackTrace(); |
| } |
| } |
| |
| @Override |
| public List<JSONObject> parse(byte[] raw_message) { |
| |
| String toParse = ""; |
| JSONObject toReturn; |
| List<JSONObject> messages = new ArrayList<>(); |
| try { |
| |
| toParse = new String(raw_message, "UTF-8"); |
| |
| System.out.println("Received message: " + toParse); |
| |
| Match gm = grok.match(toParse); |
| gm.captures(); |
| |
| toReturn = new JSONObject(); |
| |
| toReturn.putAll(gm.toMap()); |
| |
| String str = toReturn.get("ciscotag").toString(); |
| String pattern = patternMap.get(str); |
| |
| Map<String, Object> response = getMap(pattern, toParse); |
| |
| toReturn.putAll(response); |
| |
| //System.out.println("*******I MAPPED: " + toReturn); |
| long timestamp = convertToEpoch(toReturn.get("MONTH").toString(), toReturn |
| .get("MONTHDAY").toString(), |
| toReturn.get("TIME").toString(), |
| true); |
| toReturn.put("timestamp", timestamp); |
| |
| toReturn.remove("MONTHDAY"); |
| toReturn.remove("TIME"); |
| toReturn.remove("MINUTE"); |
| toReturn.remove("HOUR"); |
| toReturn.remove("YEAR"); |
| toReturn.remove("SECOND"); |
| |
| toReturn.put("ip_src_addr", toReturn.remove("IPORHOST")); |
| toReturn.put("original_string", toParse); |
| messages.add(toReturn); |
| return messages; |
| |
| } catch (Exception e) { |
| e.printStackTrace(); |
| return null; |
| } |
| |
| } |
| |
| |
| } |