/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.metron.parsing.parsers;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.*;
import oi.thekraken.grok.api.Grok;
import oi.thekraken.grok.api.Match;
import oi.thekraken.grok.api.exception.GrokException;
import org.apache.commons.io.IOUtils;
import org.json.simple.JSONObject;
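public class GrokAsaParser extends BasicParser {
  private static final long serialVersionUID = 945353287115350798L;

  /** Classpath location of the Grok pattern file bundled with this parser. */
  private static final String PATTERN_RESOURCE = "patterns/asa";
  /** Top-level Grok expression every ASA syslog line is matched against first. */
  private static final String TAGGED_SYSLOG_PATTERN = "%{CISCO_TAGGED_SYSLOG}";

  public static final String PREFIX = "stream2file";
  public static final String SUFFIX = ".tmp";

  /** Grok compiled with the top-level expression. Transient, so it is rebuilt by {@link #init()}. */
  private transient Grok grok;
  /** Cisco tag (e.g. "ASA-6-302013") -> name of the Grok pattern that parses that message type. */
  Map<String, String> patternMap;
  /** Grok pattern name (a value of {@link #patternMap}) -> Grok compiled for that pattern. */
  private transient Map<String, Grok> grokMap;

  /**
   * Copies {@code in} into a temporary file so it can be handed to {@link Grok#create(String)},
   * which only accepts a path. The file is marked delete-on-exit; closing {@code in} is the
   * caller's responsibility.
   *
   * @param in stream to copy; must not be null
   * @return the temporary file holding the stream's contents
   * @throws IOException if the temporary file cannot be created or written
   */
  public static File stream2file(InputStream in) throws IOException {
    Objects.requireNonNull(in, "in");
    final File tempFile = File.createTempFile(PREFIX, SUFFIX);
    tempFile.deleteOnExit();
    try (FileOutputStream out = new FileOutputStream(tempFile)) {
      IOUtils.copy(in, out);
    }
    return tempFile;
  }

  /**
   * Builds a parser from the bundled pattern file, compiling the top-level expression and every
   * per-tag pattern.
   *
   * @throws Exception if the pattern resource is missing or a pattern fails to compile
   */
  public GrokAsaParser() throws Exception {
    loadBundledPatterns();
  }

  /**
   * Builds a parser from a caller-supplied pattern file, compiling the top-level expression only.
   * The per-tag patterns are not compiled from the supplied file, so {@link #parse(byte[])} returns
   * the top-level captures alone.
   *
   * @param filepath path of a Grok pattern file
   * @throws Exception if the file cannot be read or the expression fails to compile
   */
  public GrokAsaParser(String filepath) throws Exception {
    grok = Grok.create(filepath);
    grok.compile(TAGGED_SYSLOG_PATTERN);
    patternMap = getPatternMap();
    grokMap = new HashMap<String, Grok>();
  }

  /**
   * Builds a parser from a caller-supplied pattern file and top-level pattern name. As with
   * {@link #GrokAsaParser(String)}, no per-tag patterns are compiled.
   *
   * @param filepath path of a Grok pattern file
   * @param pattern name of the pattern to compile, without the {@code %{}} wrapper
   * @throws Exception if the file cannot be read or the expression fails to compile
   */
  public GrokAsaParser(String filepath, String pattern) throws Exception {
    grok = Grok.create(filepath);
    grok.compile("%{" + pattern + "}");
    patternMap = getPatternMap();
    grokMap = new HashMap<String, Grok>();
  }

  /**
   * Loads the bundled pattern file and compiles the top-level expression plus every distinct
   * per-tag pattern. Shared by the default constructor and {@link #init()}.
   */
  private void loadBundledPatterns() throws IOException, GrokException {
    grok = createGrok(TAGGED_SYSLOG_PATTERN);
    patternMap = getPatternMap();
    grokMap = getGrokMap();
  }

  /**
   * Opens a fresh stream over the bundled pattern resource. A new stream is needed for every Grok
   * instance: an InputStream can only be read to the end once, so copying a single shared stream
   * into several temp files would leave all but the first empty.
   *
   * @throws IOException if the resource is not on the classpath
   */
  private InputStream openPatternResource() throws IOException {
    InputStream in = getClass().getClassLoader().getResourceAsStream(PATTERN_RESOURCE);
    if (in == null) {
      throw new IOException("Grok pattern resource not found on classpath: " + PATTERN_RESOURCE);
    }
    return in;
  }

  /**
   * Creates a Grok from the bundled pattern file and compiles {@code expression} into it.
   *
   * @param expression full Grok expression, e.g. {@code %{CISCOFW106001}}
   */
  private Grok createGrok(String expression) throws IOException, GrokException {
    File patternFile;
    try (InputStream in = openPatternResource()) {
      patternFile = stream2file(in);
    }
    Grok compiled = Grok.create(patternFile.getPath());
    compiled.compile(expression);
    return compiled;
  }

  /**
   * Runs the per-tag Grok named {@code pattern} over {@code text}.
   *
   * @param pattern pattern name from {@link #patternMap}; may be null
   * @param text message to match
   * @return the captures, or an empty (mutable) map when no Grok exists for {@code pattern}
   */
  private Map<String, Object> getMap(String pattern, String text) throws GrokException {
    Grok g = (pattern == null || grokMap == null) ? null : grokMap.get(pattern);
    if (g == null) {
      return new HashMap<String, Object>();
    }
    Match gm = g.match(text);
    gm.captures();
    return gm.toMap();
  }

  /**
   * Compiles one Grok per distinct per-tag pattern name from the bundled pattern file.
   *
   * @return pattern name -> compiled Grok
   */
  private Map<String, Grok> getGrokMap() throws GrokException, IOException {
    Map<String, Grok> map = new HashMap<String, Grok>();
    // Several tags share a pattern name, so compile each distinct name once rather than per tag.
    for (String patternName : new HashSet<String>(patternMap.values())) {
      map.put(patternName, createGrok("%{" + patternName + "}"));
    }
    return map;
  }

  /**
   * Static table of Cisco tag -> per-tag Grok pattern name.
   *
   * @return a new mutable map holding the table
   */
  private Map<String, String> getPatternMap() {
    Map<String, String> map = new HashMap<String, String>();
    map.put("ASA-2-106001", "CISCOFW106001");
    map.put("ASA-2-106006", "CISCOFW106006_106007_106010");
    map.put("ASA-2-106007", "CISCOFW106006_106007_106010");
    map.put("ASA-2-106010", "CISCOFW106006_106007_106010");
    map.put("ASA-3-106014", "CISCOFW106014");
    map.put("ASA-6-106015", "CISCOFW106015");
    map.put("ASA-1-106021", "CISCOFW106021");
    map.put("ASA-4-106023", "CISCOFW106023");
    map.put("ASA-5-106100", "CISCOFW106100");
    map.put("ASA-6-110002", "CISCOFW110002");
    map.put("ASA-6-302010", "CISCOFW302010");
    map.put("ASA-6-302013", "CISCOFW302013_302014_302015_302016");
    map.put("ASA-6-302014", "CISCOFW302013_302014_302015_302016");
    map.put("ASA-6-302015", "CISCOFW302013_302014_302015_302016");
    map.put("ASA-6-302016", "CISCOFW302013_302014_302015_302016");
    map.put("ASA-6-302020", "CISCOFW302020_302021");
    map.put("ASA-6-302021", "CISCOFW302020_302021");
    map.put("ASA-6-305011", "CISCOFW305011");
    map.put("ASA-3-313001", "CISCOFW313001_313004_313008");
    map.put("ASA-3-313004", "CISCOFW313001_313004_313008");
    map.put("ASA-3-313008", "CISCOFW313001_313004_313008");
    map.put("ASA-4-313005", "CISCOFW313005");
    map.put("ASA-4-402117", "CISCOFW402117");
    map.put("ASA-4-402119", "CISCOFW402119");
    map.put("ASA-4-419001", "CISCOFW419001");
    map.put("ASA-4-419002", "CISCOFW419002");
    map.put("ASA-4-500004", "CISCOFW500004");
    map.put("ASA-6-602303", "CISCOFW602303_602304");
    map.put("ASA-6-602304", "CISCOFW602303_602304");
    map.put("ASA-7-710001", "CISCOFW710001_710002_710003_710005_710006");
    map.put("ASA-7-710002", "CISCOFW710001_710002_710003_710005_710006");
    map.put("ASA-7-710003", "CISCOFW710001_710002_710003_710005_710006");
    map.put("ASA-7-710005", "CISCOFW710001_710002_710003_710005_710006");
    map.put("ASA-7-710006", "CISCOFW710001_710002_710003_710005_710006");
    map.put("ASA-6-713172", "CISCOFW713172");
    map.put("ASA-4-733100", "CISCOFW733100");
    map.put("ASA-6-305012", "CISCOFW305012");
    map.put("ASA-7-609001", "CISCOFW609001");
    map.put("ASA-7-609002", "CISCOFW609002");
    return map;
  }

  /**
   * Combines a syslog month name, day of month and time of day into epoch milliseconds. The year
   * is taken from the current clock because the caller supplies none.
   *
   * @param m English month abbreviation, e.g. "Jan"
   * @param d day of month, one or two digits; surrounding whitespace is ignored
   * @param ts time of day as HH:mm:ss
   * @param adjust_timezone when true the timestamp is read as GMT, otherwise as the JVM default zone
   * @return milliseconds since the epoch
   * @throws ParseException if the month or the assembled timestamp cannot be parsed
   */
  public static Long convertToEpoch(String m, String d, String ts, boolean adjust_timezone)
      throws ParseException {
    String day = d.trim();
    if (day.length() < 2) {
      day = "0" + day;
    }
    Calendar cal = Calendar.getInstance();
    cal.setTime(new SimpleDateFormat("MMM", Locale.ENGLISH).parse(m));
    // Calendar.MONTH is zero-based, while the "MM" field parsed below expects 1-12; without the
    // +1 every timestamp lands one month early (January becomes December of the previous year).
    String month = String.valueOf(cal.get(Calendar.MONTH) + 1);
    if (month.length() < 2) {
      month = "0" + month;
    }
    // Known limitation: a message logged in late December but parsed after New Year gets the new year.
    int year = Calendar.getInstance().get(Calendar.YEAR);
    String conglomeratedTs = year + "-" + month + "-" + day + " " + ts;
    SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
    if (adjust_timezone) {
      sdf.setTimeZone(TimeZone.getTimeZone("GMT"));
    }
    return sdf.parse(conglomeratedTs).getTime();
  }

  /**
   * (Re)loads the bundled patterns. The Grok fields are transient, so this must run again after
   * the parser has been deserialized.
   *
   * @throws IllegalStateException if the pattern resource cannot be read or a pattern does not
   *     compile, so a misconfigured parser fails at startup instead of silently returning null for
   *     every message
   */
  @Override
  public void init() {
    try {
      loadBundledPatterns();
    } catch (IOException | GrokException e) {
      throw new IllegalStateException("unable to initialise ASA Grok patterns", e);
    }
  }

  /**
   * Parses one raw ASA syslog message into a single JSON object.
   *
   * <p>The message is matched against the top-level expression to obtain the Cisco tag and the
   * syslog timestamp fields; the tag then selects the per-tag pattern whose captures are merged
   * in. MONTH/MONTHDAY/TIME are folded into an epoch {@code timestamp} (read as GMT), the raw
   * time fields are dropped, {@code IPORHOST} is renamed to {@code ip_src_addr}, and the decoded
   * input is kept as {@code original_string}.
   *
   * @param raw_message the UTF-8 encoded syslog line
   * @return a one-element list holding the parsed message, or {@code null} if the message could
   *     not be parsed (e.g. it does not match the top-level expression, so the timestamp fields
   *     are absent)
   */
  @Override
  public List<JSONObject> parse(byte[] raw_message) {
    try {
      String toParse = new String(raw_message, StandardCharsets.UTF_8);
      Match gm = grok.match(toParse);
      gm.captures();
      JSONObject toReturn = new JSONObject();
      toReturn.putAll(gm.toMap());

      // A message with no ciscotag simply gets no per-tag captures instead of failing here.
      Object tag = toReturn.get("ciscotag");
      String pattern = (tag == null || patternMap == null) ? null : patternMap.get(tag.toString());
      toReturn.putAll(getMap(pattern, toParse));

      long timestamp = convertToEpoch(
          toReturn.get("MONTH").toString(),
          toReturn.get("MONTHDAY").toString(),
          toReturn.get("TIME").toString(),
          true);
      toReturn.put("timestamp", timestamp);
      for (String field : new String[] {"MONTHDAY", "TIME", "MINUTE", "HOUR", "YEAR", "SECOND"}) {
        toReturn.remove(field);
      }
      toReturn.put("ip_src_addr", toReturn.remove("IPORHOST"));
      toReturn.put("original_string", toParse);

      List<JSONObject> messages = new ArrayList<>();
      messages.add(toReturn);
      return messages;
    } catch (Exception e) {
      // Boundary catch: one malformed message must not take the whole parser down; callers
      // treat null as "unparseable".
      e.printStackTrace();
      return null;
    }
  }
}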