fix for missing tag

2025-06-17 00:07:37 +02:00 · 2022-08-16 10:01:27 -07:00
parent d42ec58ad1
commit 8a6bbc55d2
3 changed files with 18 additions and 8 deletions
--- a/docs/parsers/syslog_bsd.md
+++ b/docs/parsers/syslog_bsd.md
@ -7,7 +7,7 @@ jc - JSON Convert Syslog RFC 3164 string parser

 This parser accepts a single syslog line string or multiple syslog lines
 separated by newlines. A warning message to `STDERR` will be printed if an
-unparsable line is found.
+unparsable line is found unless `--quiet` or `quiet=True` is used.

 Usage (cli):

@ -25,7 +25,7 @@ Schema:
        "priority":                   integer/null,
        "date":                       string,
        "hostname":                   string,
-        "tag":                        string,
+        "tag":                        string/null,
        "content":                    string,
        "unparsable":                 string,  # [0]
      }
--- a/jc/parsers/syslog_bsd.py
+++ b/jc/parsers/syslog_bsd.py
@ -2,7 +2,7 @@

 This parser accepts a single syslog line string or multiple syslog lines
 separated by newlines. A warning message to `STDERR` will be printed if an
-unparsable line is found.
+unparsable line is found unless `--quiet` or `quiet=True` is used.

 Usage (cli):

@ -20,7 +20,7 @@ Schema:
        "priority":                   integer/null,
        "date":                       string,
        "hostname":                   string,
-        "tag":                        string,
+        "tag":                        string/null,
        "content":                    string,
        "unparsable":                 string,  # [0]
      }
@ -136,13 +136,23 @@ def parse(
                if syslog_match.group('priority'):
                    priority = syslog_match.group('priority')[1:-1]

+                # check for missing tag
+                hostname = syslog_match.group('host')
+                tag = syslog_match.group('tag')
+                content = syslog_match.group('content')
+                if hostname:
+                    if hostname.endswith(':'):
+                        content = tag + content
+                        tag = None
+                        hostname = hostname[:-1]
+
                syslog_dict = {
                    'priority': priority,
                    'date': syslog_match.group('date'),
-                    'hostname': syslog_match.group('host').rstrip(':'),
+                    'hostname': hostname,
                    # 'raw_msg': syslog_match.group('msg'),
-                    'tag': syslog_match.group('tag'),
-                    'content': syslog_match.group('content').lstrip(' :').rstrip()
+                    'tag': tag,
+                    'content': content.lstrip(' :').rstrip()
                }

            else:
--- a/tests/fixtures/generic/syslog-3164.json
+++ b/tests/fixtures/generic/syslog-3164.json
@ -1 +1 @@
-[{"priority":34,"date":"Oct 11 22:14:15","hostname":"mymachine","tag":"su","content":"'su root' failed for lonvick on /dev/pts/8"},{"priority":null,"date":"Oct 11 22:14:15","hostname":"mymachine","tag":"su","content":"'su root' failed for lonvick on /dev/pts/8"},{"priority":35,"date":"Oct 12 22:14:15","hostname":"client_machine","tag":"su","content":"'su root' failed for joe on /dev/pts/2"},{"priority":35,"date":"Mar  7 04:02:16","hostname":"avas","tag":"clamd","content":"[11165]: /var/amavis/amavis-20040307T033734-10329/parts/part-00003: Worm.Mydoom.F FOUND"},{"priority":null,"date":"Mar  7 04:05:55","hostname":"avas","tag":"clamd","content":"[11240]: /var/amavis/amavis-20040307T035901-10615/parts/part-00002: Worm.SomeFool.Gen-1 FOUND"},{"priority":5,"date":"Mar  7 09:00:51","hostname":"avas","tag":"clamd","content":"[27173]: SelfCheck: Database status OK."},{"priority":null,"date":"Mar  7 05:59:02","hostname":"avas","tag":"clamd","content":"[27173]: Database correctly reloaded (20400 viruses)"},{"priority":null,"date":"Mar  7 04:02:16","hostname":"avas","tag":"clamd","content":"[11165]: /var/amavis/amavis-20040307T033734-10329/parts/part-00003: Worm.Mydoom.F FOUND"},{"priority":null,"date":"Mar  7 04:05:55","hostname":"avas","tag":"clamd","content":"[11240]: /var/amavis/amavis-20040307T035901-10615/parts/part-00002: Worm.SomeFool.Gen-1 FOUND"},{"priority":null,"date":"Mar  7 09:00:51","hostname":"avas","tag":"clamd","content":"[27173]: SelfCheck: Database status OK."},{"priority":null,"date":"Mar  7 05:59:02","hostname":"avas","tag":"clamd","content":"[27173]: Database correctly reloaded (20400 viruses)"},{"priority":null,"date":"Mar  7 11:14:35","hostname":"avas","tag":"dccd","content":"[13284]: 21 requests/sec are too many from anonymous 205.201.1.56,2246"},{"priority":null,"date":"Mar  8 00:22:57","hostname":"avas","tag":"dccifd","content":"[9933]: write(MTA socket,4): Broken pipe"},{"priority":null,"date":"Mar  7 21:23:22","hostname":"avas","tag":"dccifd","content":"[6191]: missing message body"},{"priority":null,"date":"Mar  9 16:05:17","hostname":"avas","tag":"named","content":"[12045]: zone PLNet/IN: refresh: non-authoritative answer from master 10.0.0.253#53"},{"priority":null,"date":"Mar 10 00:38:16","hostname":"avas","tag":"dccifd","content":"[23069]: continue not asking DCC 17 seconds after failure"},{"priority":null,"date":"Mar 10 09:42:11","hostname":"avas","tag":"named","content":"client 127.0.0.1#55524: query: 23.68.27.142.sa-trusted.bondedsender.org IN TXT"},{"priority":null,"date":"Mar  9 03:48:07","hostname":"avas","tag":"dccd","content":"[145]: automatic dbclean; starting `dbclean -DPq -i 1189 -L info,local5.notice -L error,local5.err`"},{"priority":null,"date":"Mar  9 11:58:18","hostname":"avas","tag":"kernel","content":"i810_audio: Connection 0 with codec id 2"},{"priority":null,"date":"Mar  9 19:41:13","hostname":"avas","tag":"dccd","content":"[3004]: \"packet length 44 too small for REPORT\" sent to client 1 at 194.63.250.215,47577"},{"priority":null,"date":"Mar  8 09:01:07","hostname":"avas","tag":"sshd","content":"(pam_unix)[21839]: session opened for user tom by (uid=35567)"},{"priority":null,"date":"Mar  8 03:52:04","hostname":"avas","tag":"dccd","content":"[13284]: 1.2.32 database /home/dcc/dcc_db reopened with 997 MByte window"},{"priority":null,"date":"Mar  8 16:05:26","hostname":"avas","tag":"arpwatch","content":"listening on eth0"},{"priority":null,"date":"Mar 10 10:00:06","hostname":"avas","tag":"named","content":"[6986]: zone PLNet/IN: refresh: non-authoritative answer from master 192.75.26.21#53"},{"priority":null,"date":"Mar 10 10:00:10","hostname":"avas","tag":"named","content":"[6986]: client 127.0.0.1#55867: query: mail.canfor.ca IN MX"},{"priority":null,"date":"Mar  8 15:18:40","hostname":"avas","tag":"last","content":"message repeated 11 times"},{"priority":null,"date":"Mar  8 15:18:40","hostname":"127:0:ab::1","tag":"sshd","content":"unauthorized request"},{"priority":null,"date":"Mar  8 15:18:40","hostname":"server.example.com","tag":"sshd","content":"unauthorized request"},{"priority":null,"date":"Mar  8 15:18:40","hostname":"192.168.1.1","tag":"sshd","content":"unauthorized request"},{"priority":35,"date":"Mar  8 15:18:40","hostname":"server.example.com","tag":"sshd","content":"unauthorized request"},{"unparsable":"<7>unparsable line"}]
+[{"priority":34,"date":"Oct 11 22:14:15","hostname":"mymachine","tag":"su","content":"'su root' failed for lonvick on /dev/pts/8"},{"priority":null,"date":"Oct 11 22:14:15","hostname":"mymachine","tag":"su","content":"'su root' failed for lonvick on /dev/pts/8"},{"priority":35,"date":"Oct 12 22:14:15","hostname":"client_machine","tag":"su","content":"'su root' failed for joe on /dev/pts/2"},{"priority":35,"date":"Mar  7 04:02:16","hostname":"avas","tag":"clamd","content":"[11165]: /var/amavis/amavis-20040307T033734-10329/parts/part-00003: Worm.Mydoom.F FOUND"},{"priority":null,"date":"Mar  7 04:05:55","hostname":"avas","tag":"clamd","content":"[11240]: /var/amavis/amavis-20040307T035901-10615/parts/part-00002: Worm.SomeFool.Gen-1 FOUND"},{"priority":5,"date":"Mar  7 09:00:51","hostname":"avas","tag":"clamd","content":"[27173]: SelfCheck: Database status OK."},{"priority":null,"date":"Mar  7 05:59:02","hostname":"avas","tag":"clamd","content":"[27173]: Database correctly reloaded (20400 viruses)"},{"priority":null,"date":"Mar  7 04:02:16","hostname":"avas","tag":"clamd","content":"[11165]: /var/amavis/amavis-20040307T033734-10329/parts/part-00003: Worm.Mydoom.F FOUND"},{"priority":null,"date":"Mar  7 04:05:55","hostname":"avas","tag":"clamd","content":"[11240]: /var/amavis/amavis-20040307T035901-10615/parts/part-00002: Worm.SomeFool.Gen-1 FOUND"},{"priority":null,"date":"Mar  7 09:00:51","hostname":"avas","tag":"clamd","content":"[27173]: SelfCheck: Database status OK."},{"priority":null,"date":"Mar  7 05:59:02","hostname":"avas","tag":"clamd","content":"[27173]: Database correctly reloaded (20400 viruses)"},{"priority":null,"date":"Mar  7 11:14:35","hostname":"avas","tag":"dccd","content":"[13284]: 21 requests/sec are too many from anonymous 205.201.1.56,2246"},{"priority":null,"date":"Mar  8 00:22:57","hostname":"avas","tag":"dccifd","content":"[9933]: write(MTA socket,4): Broken pipe"},{"priority":null,"date":"Mar  7 21:23:22","hostname":"avas","tag":"dccifd","content":"[6191]: missing message body"},{"priority":null,"date":"Mar  9 16:05:17","hostname":"avas","tag":"named","content":"[12045]: zone PLNet/IN: refresh: non-authoritative answer from master 10.0.0.253#53"},{"priority":null,"date":"Mar 10 00:38:16","hostname":"avas","tag":"dccifd","content":"[23069]: continue not asking DCC 17 seconds after failure"},{"priority":null,"date":"Mar 10 09:42:11","hostname":"avas","tag":"named","content":"client 127.0.0.1#55524: query: 23.68.27.142.sa-trusted.bondedsender.org IN TXT"},{"priority":null,"date":"Mar  9 03:48:07","hostname":"avas","tag":"dccd","content":"[145]: automatic dbclean; starting `dbclean -DPq -i 1189 -L info,local5.notice -L error,local5.err`"},{"priority":null,"date":"Mar  9 11:58:18","hostname":"avas","tag":"kernel","content":"i810_audio: Connection 0 with codec id 2"},{"priority":null,"date":"Mar  9 19:41:13","hostname":"avas","tag":"dccd","content":"[3004]: \"packet length 44 too small for REPORT\" sent to client 1 at 194.63.250.215,47577"},{"priority":null,"date":"Mar  8 09:01:07","hostname":"avas","tag":"sshd","content":"(pam_unix)[21839]: session opened for user tom by (uid=35567)"},{"priority":null,"date":"Mar  8 03:52:04","hostname":"avas","tag":"dccd","content":"[13284]: 1.2.32 database /home/dcc/dcc_db reopened with 997 MByte window"},{"priority":null,"date":"Mar  8 16:05:26","hostname":"avas","tag":"arpwatch","content":"listening on eth0"},{"priority":null,"date":"Mar 10 10:00:06","hostname":"avas","tag":"named","content":"[6986]: zone PLNet/IN: refresh: non-authoritative answer from master 192.75.26.21#53"},{"priority":null,"date":"Mar 10 10:00:10","hostname":"avas","tag":"named","content":"[6986]: client 127.0.0.1#55867: query: mail.canfor.ca IN MX"},{"priority":null,"date":"Mar  8 15:18:40","hostname":"avas","tag":null,"content":"last message repeated 11 times"},{"priority":null,"date":"Mar  8 15:18:40","hostname":"127:0:ab::1","tag":"sshd","content":"unauthorized request"},{"priority":null,"date":"Mar  8 15:18:40","hostname":"server.example.com","tag":"sshd","content":"unauthorized request"},{"priority":null,"date":"Mar  8 15:18:40","hostname":"192.168.1.1","tag":"sshd","content":"unauthorized request"},{"priority":35,"date":"Mar  8 15:18:40","hostname":"server.example.com","tag":"sshd","content":"unauthorized request"},{"unparsable":"<7>unparsable line"}]