GithubHelp home page GithubHelp logo

solzimer / nsyslog-parser Goto Github PK

View Code? Open in Web Editor NEW
18.0 18.0 4.0 988 KB

Syslog Parser. Accepts RFC 3164 (BSD) and RFC 5424 formats

License: MIT License

JavaScript 100.00%
arcsight cef parser rfc-3164 rfc-5424 syslog

nsyslog-parser's People

Contributors

hanvyj avatar solzimer avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar

Forkers

lenfer eoof hanvyj luiskugel

nsyslog-parser's Issues

Failure to parse escaped double-quotes inside SD values

Consider the following code :

const parser = require("nsyslog-parser");
console.log(parser('<15>1 2021-05-06T08:02:30.282938Z host APP 1000 l [c q="x"]').structuredData);
console.log(parser('<15>1 2021-05-06T08:02:30.282938Z host APP 1000 l [c q="\\""]').structuredData);

It generates the following output:

[ { '$id': 'c@0', q: 'x' } ]
[]

Where it should be generating this:

[ { '$id': 'c@0', q: 'x' } ]
[ { '$id': 'c@0', q: '"' } ]

The RFC5424 states that :
Inside PARAM-VALUE, the characters '"' (ABNF %d34), '\' (ABNF %d92), and ']' (ABNF %d93) MUST be escaped.

Nevertheless, the parsing does not seem to properly parse escaped double-quotes inside SD values.

Wrong parsing of RFC5424 if message contains a colon

Through the docker syslog backend configured to do RFC5424 we see messages like:

'<30>1 2018-06-24T22:22:53Z my.test.com testapp 26599 testapp - This: contains two : colons'

Unfortunately the parsed message then contains only:

contains two : colons

Where the initial This: is removed.

Incorrect rfc3164 message parsing

input:

<30>Aug  4 16:53:13 pinger[1334]: 64 bytes from 87.250.250.242: seq=69 ttl=37 time=33.918 ms\n

output:

{ originalMessage: '<30>Aug  4 16:53:13 pinger[1334]: 64 bytes from 87.250.250.242: seq=69 ttl=37 time=33.918 ms\n',
pri: '<30>',
prival: 30,
facilityval: 3,
levelval: 6,
facility: 'daemon',
level: 'info',
type: 'BSD',
ts: 2018-08-04T16:53:13.000Z,
message: 'pinger[1334]: 64 bytes from 87.250.250.242: seq=69 ttl=37 time=33.918 ms\n',
chain: [],
host: '',
fields: [],
header: '<30>Aug  4 16:53:13 ' }

Check message property. This log entry produced by docker.

CEF escaping is not consistent or implemented on extension fields

There escaping doesn't seem consistent with [the CEF standard].(https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/78000/KB78712/en_US/CEF_White_Paper_20100722.pdf)

For example, there's no | character escaping in the prefix fields. There's also no '=' escaping in the extension fields. The following:

CEF:0|security|threatmanager|1.0|100|detected a = in message|10|src=10.0.0.1 act=blocked a \\= dst=1.1.1.1

produces the fields:

  "fields": {
    "src": "10.0.0.1",
    "act": "blocked a",
    "\\": "",
    "dst": "1.1.1.1"
  },

When it should, I think, produce:

  "fields": {
    "src": "10.0.0.1",
    "act": "blocked a \\",
    "dst": "1.1.1.1"
  },

rfc5424 structured data parsing

By default the logger executable sends some RFC5424 structured data fields (see http://kerolasa.github.io/logger.html for details) which seem not to be recognized by the parser. Notice especially the 'messageandheader` property.

logger "test message from logger"

results in the following parser output

{ date: '2020-02-02T12:55:52.333Z',
  host: 'nuc',
  message:
   'tzKnown="1" isSynced="1" syncAccuracy="77000"] test message from logger',
  protocol: 'IPv4',
  originalMessage:
   '<13>1 2020-02-02T13:55:52.332998+01:00 nuc standa - - [timeQuality tzKnown="1" isSynced="1" syncAccuracy="77000"] test message from logger',
  pri: '<13>',
  prival: 13,
  facilityval: 1,
  levelval: 5,
  facility: 'user',
  level: 'notice',
  version: 1,
  type: 'RFC5424',
  ts: '2020-02-02T12:55:52.332Z',
  appName: 'standa',
  pid: '-',
  messageid: '-',
  structuredData: [],
  chain: [],
  fields: [],
  header:
   '<13>1 2020-02-02T13:55:52.332998+01:00 nuc standa - - [timeQuality ' }

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.