
Example 1 with SyslogServerEvent

Use of org.graylog2.syslog4j.server.impl.event.SyslogServerEvent in the project graylog2-server by Graylog2.

Taken from the class SyslogCodec, method parse.

/**
 * Builds a Graylog {@link Message} from a single raw syslog line.
 *
 * <p>The syslog dialect is chosen by regex dispatch on the raw text, in order: structured
 * RFC 5424 (a VERSION following the PRI), Cisco with sequence numbers, FortiGate, and finally
 * classic BSD/RFC 3164 as the catch-all. For structured events only the MSG part is used as
 * the message text so that the message ID and the structured-data block do not end up in the
 * message string (see graylog2-server issue #845).
 *
 * @param msg               the raw syslog line as received
 * @param remoteAddress     address of the sender; passed to the event parsers and to host resolution
 * @param receivedTimestamp arrival time, handed to {@code parseDate} together with the event
 * @return the message with facility/level fields, dialect-specific extras, the optional
 *         {@code full_message} copy of the raw bytes, and any additional/structured data
 */
private Message parse(String msg, InetAddress remoteAddress, DateTime receivedTimestamp) {
    final SyslogServerEventIF event = newEventFor(msg, remoteAddress);
    final Message message = new Message(messageTextOf(event), parseHost(event, remoteAddress), parseDate(event, receivedTimestamp));

    message.addField("facility", Tools.syslogFacilityToReadable(event.getFacility()));
    message.addField("level", event.getLevel());
    message.addField("facility_num", event.getFacility());

    addDialectFields(message, event);

    // Keeping a UTF-8 copy of the raw bytes is opt-in via the codec configuration.
    if (configuration.getBoolean(CK_STORE_FULL_MESSAGE)) {
        message.addField("full_message", new String(event.getRaw(), StandardCharsets.UTF_8));
    }

    message.addFields(parseAdditionalData(event, configuration.getBoolean(CK_EXPAND_STRUCTURED_DATA)));
    return message;
}

/**
 * Selects the dialect-specific event parser for a raw line; the first matching pattern wins and
 * plain BSD syslog is the fallback when none matches.
 */
private SyslogServerEventIF newEventFor(String msg, InetAddress remoteAddress) {
    if (STRUCTURED_SYSLOG_PATTERN.matcher(msg).matches()) {
        return new StructuredSyslogServerEvent(msg, remoteAddress);
    }
    if (CISCO_WITH_SEQUENCE_NUMBERS_PATTERN.matcher(msg).matches()) {
        return new CiscoSyslogServerEvent(msg, remoteAddress);
    }
    if (FORTIGATE_PATTERN.matcher(msg).matches()) {
        return new FortiGateSyslogEvent(msg);
    }
    return new SyslogServerEvent(msg, remoteAddress);
}

/**
 * Returns the text to store as the message: for RFC 5424 events only the MSG part (falling back
 * to the whole message when that part is null or empty), for every other event its message as-is.
 */
private String messageTextOf(SyslogServerEventIF event) {
    if (!(event instanceof StructuredSyslogServerEvent)) {
        return event.getMessage();
    }
    final String msgPart = ((StructuredSyslogServerEvent) event).getStructuredMessage().getMessage();
    return isNullOrEmpty(msgPart) ? event.getMessage() : msgPart;
}

/**
 * Adds the fields only some dialects carry: the Cisco sequence number, or the FortiGate
 * key/value pairs minus their "level" entry.
 */
private void addDialectFields(Message message, SyslogServerEventIF event) {
    if (event instanceof CiscoSyslogServerEvent) {
        message.addField("sequence_number", ((CiscoSyslogServerEvent) event).getSequenceNumber());
    }
    if (event instanceof FortiGateSyslogEvent) {
        final HashMap<String, Object> extra = new HashMap<>(((FortiGateSyslogEvent) event).getFields());
        // FortiGate reports "level" as a string, but Graylog requires a numeric level, so the
        // syslog-derived value already set on the message is kept and the FortiGate one dropped.
        extra.remove("level");
        message.addFields(extra);
    }
}
