Create Sonicwall log parser plugin #340
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jsirianni
requested changes
Sep 27, 2021
There was a problem hiding this comment.
Couple additional things:
- File input likely is not approbate. I know we were not sure what the transport medium would be, so this is fine for now but I suspect we will switch to udp / tcp before merging.
- Tests are failing, update go.mod to use stanza 1.2.7, which will give you the k/v parser.
edit: lets use UDP
|
Lets rename msg to message |
jsirianni
requested changes
Sep 29, 2021
jsirianni
requested changes
Sep 30, 2021
There was a problem hiding this comment.
Not sure what is happening,
you can send over udp like this:
echo '<134> id=LVM_Sonicwall sn=18B1693B2C90 time="2021-09-13 18:16:13" fw=142.166.177.10 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=192.168.11.53:36510:X0 natSrc=142.166.177.10:51879 dst=142.250.64.68:443:X1 natDst=142.250.64.68:443 proto=tcp/https sent=60 n=53798' | nc -u localhost 5140
config
pipeline:
- type: sonicwall
listen_port: 5140
location: UTC
- type: stdoutIf I use just udp, it works fine and has output. With the sonicwall plugin I do not get output.
Co-authored-by: Joseph Sirianni <joe.sirianni@bluemedora.com>
jsirianni
approved these changes
Oct 4, 2021
jsirianni
pushed a commit
that referenced
this pull request
Oct 5, 2021
* Update regex to parse IPv6 (#334) Update default listener log path * Add HAProxy Plugin (#335) * Add haproxy plugin * Add supported platforms and min stanza version * PR Feedback fixes * Rename frontend_name to frontend_name_transport in regex * for all move operations, check if field is nil before moving. "set log type to haproxy and haproxy.error (not .http / .tcp)" * typoe: nill --> nil * typo, log_format: http --> default Co-authored-by: jsirianni <joe.sirianni@bluemedora.com> * Allow DBID to be empty & Correct case matching (#331) * Allow DBID to be empty & Correct case matching The DBID field is able to be empty on some versions of Oracle DB The multiline regex was looking for `Audit File`, but logs have `Audit file` * Switch to line end for multiline with double newline pattern * Fix plugin failure when using inline truncate check * Switch back to a regex parse for record splitting Co-authored-by: jsirianni <joe.sirianni@bluemedora.com> * Release 0.0.79 (#336) * 0.0.79 changelog * dbid oracle pr * fix release date * move frontend port to resources (#338) * Add more checks to reduce errors (#337) * Add more checks to reduce errors * Add ac_lite_ap_parser change to changelog for ubiquiti * 0.0.80 changelog Co-authored-by: jsirianni <joe.sirianni@observiq.com> * update regex to handle {} brackets before http request info (#342) * update regex to handle {} brackets before http request info * haproxy http default log format fix * make change backwards compatible * Adjust parsing further based on more detailed oracle db audit logs (#343) * release 0.0.82 * CI Testing: End to End Tests (#345) * end to end nginx testing * fix format * fix format * use sudo to compare against files from container mount * sleep so stanza can parse, kill stanza when done * try cloning log library * use token to clone lob lib * fix repo name * fix expect and output paths * handle both nginx formats * add apache_http workflow * dump container log * dump container log * 10 second sleep * use jq with diff to prevent formatting issues * sudo * cannot use sudo with redirection to diff, so just format with jq before using diff * Switch back to diff, something else is going on.. * pause and cat raw output before comparing * sudo * fix paths * sort before compare * redirect output * sort and cat * use jtool for comparing json files * use jtool for comparing json files * chmod it * haproxy workflow * add oracledb workflow * single test case for oracledb * mount plugins dir * stop and then get stanza logs * sleep 20 seconds instead of 10, sometimes 10 is not enough * fix log dirg * install jtool in its own step * fix mount * split oracle up. start with alert logs * oracle audit log * upgrade jtool and use skip timestamp for haproxy and oracle * upgrade jtoo * upgrade jtool * pause, stop, logs * listener log, oracle * Handle second {} in http log entry if present (#346) Co-authored-by: jsirianni <joe.sirianni@observiq.com> * Add tcpudp plugin (#341) * Add tcpudp plugin * Add tcpudp schema and tests * Split into two plugins udp and tcp * Add schema files for tests * Update plugins/tcp.yaml * Update plugins/tcp.yaml * Update plugins/udp.yaml * Update plugins/udp.yaml * Update test/configs/tcp/invalid/invalid_listen_port.yaml * Update plugins/udp.yaml Co-authored-by: jsirianni <joe.sirianni@observiq.com> Co-authored-by: Joseph Sirianni <joe.sirianni@bluemedora.com> * tcp / udp: move to message field (#347) * move to message field * \n * Add common event format plugin (#328) * Add common event format plugin * use key value parser for parsing extensions field * Promote fields to labels and resources * Promote fields to labels and resources * Update changelog * Remove key value parser * Add promote device_vendor and device_version to resources Co-authored-by: jsirianni <joe.sirianni@bluemedora.com> Co-authored-by: jsirianni <joe.sirianni@observiq.com> * release 0.0.83 * Add http plugin (#352) * Add http plugin * Update log_type label to http * remove duplicate param * tcp --> http * typo * token_header --> auth_header * small refactor * upgrade stanza 1.2.9 Co-authored-by: jsirianni <joe.sirianni@bluemedora.com> * Update Titles and uwsgi field name (#350) Co-authored-by: Joseph Sirianni <joe.sirianni@bluemedora.com> * Update cisco_meraki plugin to use key_value_parser (#349) * Update cisco_meraki plugin to use key_value_parser instead of custom regex * use stanza 1.2.9 Co-authored-by: jsirianni <joe.sirianni@bluemedora.com> * Create Sonicwall log parser plugin (#340) * Create Sonicwall log parser plugin * Add pri field severity_parser * Rename msg field to message * Add parameter location to support setting timezone * Update to use udp_input and add extra tests * Use stanza 1.2.7 for tests * update stanza and get go.sum * Update plugins/sonicwall.yaml Co-authored-by: Joseph Sirianni <joe.sirianni@bluemedora.com> * Fix using wrong parameter if you defined listen_port Co-authored-by: jsirianni <joe.sirianni@observiq.com> Co-authored-by: Joseph Sirianni <joe.sirianni@bluemedora.com> * release-0.0.84 * fix ci link * remove start_at reference * remove start_at test for sonicwall, not needed * enable new operators * fix start_at for w3c tests due to delete_at_end being added * Add cisco_catalyst plugin (#351) * Add cisco_catalyst plugin * Add severity field group to regex. Update parse from field for severity and regex. * Remove parse_to message in udp_input and parse_from message in regex_parser * fix ci link * remove start_at reference * remove start_at test for sonicwall, not needed * enable new operators * fix start_at for w3c tests due to delete_at_end being added Co-authored-by: Joseph Sirianni <joe.sirianni@bluemedora.com> * remove tests for now, not compatable with otel branch * remove tests for now, not compatable with otel branch * port cisco catalyst to otel * fix cef * fix haproxy * port http * port sonicwall * fix haproxy * Update plugins/cisco_catalyst.yaml Co-authored-by: Keith Schmitt <32067685+schmikei@users.noreply.github.com> * rebase oracledb * try and fix severities that were missed Co-authored-by: Dylan Myers <Dylan-M@users.noreply.github.com> Co-authored-by: EricWHolt <39141134+ericwholt@users.noreply.github.com> Co-authored-by: Keith Schmitt <32067685+schmikei@users.noreply.github.com> Co-authored-by: schmikei <keith.schmitt@bluemedora.com>
{
"timestamp": "2021-09-13T18:16:13Z",
"severity": 30,
"severity_text": "134",
"labels": {
"log_type": "sonicwall",
"net.host.ip": "::",
"net.host.port": "5555",
"net.peer.ip": "::1",
"net.peer.port": "33248",
"net.transport": "IP.UDP",
"plugin_id": "sonicwall"
},
"record": {
"c": "262144",
"dst": "142.250.64.68:443:X1",
"fw": "142.166.177.10",
"gcat": "6",
"id": "LVM_Sonicwall",
"m": "98",
"message": "Connection Opened",
"n": "53798",
"natDst": "142.250.64.68:443",
"natSrc": "142.166.177.10:51879",
"pri": "6",
"priority": "134",
"proto": "tcp/https",
"sent": "60",
"sn": "18B1693B2C90",
"src": "192.168.11.53:36510:X0"
}
}
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This parser will parse Sonicwall logs. This plugin uses key_value parser which requires stanza 1.2.7. Used https://www.sonicwall.com/techdocs/pdf/sonicos-6-5-4-log-events-reference-guide.pdf as reference for fields. It handles two log types. One that starts with a syslog priority format
<134>and another that starts withApr 1 10:45:16 10.1.5.1these were the only example logs I had available at the time of creating this plugin.Example Output
{ "timestamp": "2004-04-01T10:39:35-05:00", "severity": 40, "severity_text": "5", "labels": { "file_name": "logs.log", "file_name_resolved": "logs.log", "file_path": "/Users/ericholt/bindplane/bplogagent-dev/sonicwall-logs/logs.log", "file_path_resolved": "/Users/ericholt/bindplane/bplogagent-dev/sonicwall-logs/logs.log", "log_type": "sonicwall", "plugin_id": "sonicwall" }, "record": { "c": "64", "dst": "67.32.44.2:445:LAN", "fw": "67.32.44.2", "host": "10.1.5.1", "id": "firewall", "m": "36", "msg": "TCP connection dropped", "n": "2686", "pri": "5", "proto": "tcp", "sn": "00301E0526B1", "src": "67.101.200.27:4507:WAN" } }