Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix timestamp parser error in cisco_catalyst plugin #375

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix timestamp parser error in cisco_catalyst plugin #375

wants to merge 1 commit into from

Conversation

ericwholt
Copy link
Contributor

In customer environment we were seeing a * in front of the timestamp which would cause the regex to fail to parse. Updated regex and routers to handle this without error.

@ericwholt ericwholt requested a review from jsirianni October 17, 2021 15:20
jsirianni
jsirianni requested changes Oct 18, 2021
View reviewed changes
Copy link
Member

@jsirianni jsirianni left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple things

  1. Can you provide original logs that should work from the master branch? I have examples that this PR is intended to fix
  2. The logs I am working with are not parsing, for example:

input:

[12:51 PM] 54: *Feb 28 19:02:23 EST: %DHCP-6-ADDRESS_ASSIGN: Interface Vlan1 assigned DHCP address 10.0.0.150, mask 255.255.0.0, hostname test

output:

{
  "timestamp": "2021-10-18T10:54:14.155642-04:00",
  "severity": 0,
  "labels": {
    "log_type": "cisco_catalyst",
    "net.host.ip": "::",
    "net.host.port": "5555",
    "net.peer.ip": "::1",
    "net.peer.port": "56873",
    "net.transport": "IP.UDP",
    "plugin_id": "cisco_catalyst"
  },
  "record": {
    "message": "[12:51 PM] 54: *Feb 28 19:02:23 EST: %DHCP-6-ADDRESS_ASSIGN: Interface Vlan1 assigned DHCP address 10.0.0.150, mask 255.255.0.0, hostname test"
  }
}

I am using the latest stanza and this branch of plugins. With this config

pipeline:
- type: cisco_catalyst
  listen_port: 5555
- type: stdout

this command

echo '[12:51 PM] 54: *Feb 28 19:02:23 EST: %DHCP-6-ADDRESS_ASSIGN: Interface Vlan1 assigned DHCP address 10.0.0.150, mask 255.255.0.0, hostname test' | nc -u localhost 5555

@ericwholt
Copy link
Contributor Author

I used this log entry to test.

54: *Feb 28 19:02:23 EST: %DHCP-6-ADDRESS_ASSIGN: Interface Vlan1 assigned DHCP address 10.0.0.150, mask 255.255.0.0, hostname test

It outputs

{
  "timestamp": "2021-02-28T19:02:23-05:00",
  "severity": 30,
  "severity_text": "6",
  "labels": {
    "log_type": "cisco_catalyst",
    "net.host.ip": "::",
    "net.host.port": "514",
    "net.peer.ip": "127.0.0.1",
    "net.peer.port": "59094",
    "net.transport": "IP.UDP",
    "plugin_id": "cisco_catalyst"
  },
  "record": {
    "facility_text": "DHCP",
    "message": "Interface Vlan1 assigned DHCP address 10.0.0.150, mask 255.255.0.0, hostname test",
    "mnemonic": "ADDRESS_ASSIGN",
    "sequence_number": "54"
  }
}

This command

nc -w1 -u localhost 514 <<< '54: *Feb 28 19:02:23 EST: %DHCP-6-ADDRESS_ASSIGN: Interface Vlan1 assigned DHCP address 10.0.0.150, mask 255.255.0.0, hostname test'

@ericwholt ericwholt requested a review from jsirianni October 19, 2021 00:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jsirianni jsirianni Awaiting requested review from jsirianni

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ericwholt @jsirianni