diff --git a/docs/parsers/syslog_bsd.md b/docs/parsers/syslog_bsd.md index 824d62c6..7ffc0189 100644 --- a/docs/parsers/syslog_bsd.md +++ b/docs/parsers/syslog_bsd.md @@ -7,7 +7,7 @@ jc - JSON Convert Syslog RFC 3164 string parser This parser accepts a single syslog line string or multiple syslog lines separated by newlines. A warning message to `STDERR` will be printed if an -unparsable line is found. +unparsable line is found unless `--quiet` or `quiet=True` is used. Usage (cli): @@ -25,7 +25,7 @@ Schema: "priority": integer/null, "date": string, "hostname": string, - "tag": string, + "tag": string/null, "content": string, "unparsable": string, # [0] } diff --git a/jc/parsers/syslog_bsd.py b/jc/parsers/syslog_bsd.py index e6fe3f12..331fdb57 100644 --- a/jc/parsers/syslog_bsd.py +++ b/jc/parsers/syslog_bsd.py @@ -2,7 +2,7 @@ This parser accepts a single syslog line string or multiple syslog lines separated by newlines. A warning message to `STDERR` will be printed if an -unparsable line is found. +unparsable line is found unless `--quiet` or `quiet=True` is used. Usage (cli): @@ -20,7 +20,7 @@ Schema: "priority": integer/null, "date": string, "hostname": string, - "tag": string, + "tag": string/null, "content": string, "unparsable": string, # [0] } @@ -136,13 +136,23 @@ def parse( if syslog_match.group('priority'): priority = syslog_match.group('priority')[1:-1] + # check for missing tag + hostname = syslog_match.group('host') + tag = syslog_match.group('tag') + content = syslog_match.group('content') + if hostname: + if hostname.endswith(':'): + content = tag + content + tag = None + hostname = hostname[:-1] + syslog_dict = { 'priority': priority, 'date': syslog_match.group('date'), - 'hostname': syslog_match.group('host').rstrip(':'), + 'hostname': hostname, # 'raw_msg': syslog_match.group('msg'), - 'tag': syslog_match.group('tag'), - 'content': syslog_match.group('content').lstrip(' :').rstrip() + 'tag': tag, + 'content': content.lstrip(' :').rstrip() } else: diff --git a/tests/fixtures/generic/syslog-3164.json b/tests/fixtures/generic/syslog-3164.json index 667c4743..4e803011 100644 --- a/tests/fixtures/generic/syslog-3164.json +++ b/tests/fixtures/generic/syslog-3164.json @@ -1 +1 @@ -[{"priority":34,"date":"Oct 11 22:14:15","hostname":"mymachine","tag":"su","content":"'su root' failed for lonvick on /dev/pts/8"},{"priority":null,"date":"Oct 11 22:14:15","hostname":"mymachine","tag":"su","content":"'su root' failed for lonvick on /dev/pts/8"},{"priority":35,"date":"Oct 12 22:14:15","hostname":"client_machine","tag":"su","content":"'su root' failed for joe on /dev/pts/2"},{"priority":35,"date":"Mar 7 04:02:16","hostname":"avas","tag":"clamd","content":"[11165]: /var/amavis/amavis-20040307T033734-10329/parts/part-00003: Worm.Mydoom.F FOUND"},{"priority":null,"date":"Mar 7 04:05:55","hostname":"avas","tag":"clamd","content":"[11240]: /var/amavis/amavis-20040307T035901-10615/parts/part-00002: Worm.SomeFool.Gen-1 FOUND"},{"priority":5,"date":"Mar 7 09:00:51","hostname":"avas","tag":"clamd","content":"[27173]: SelfCheck: Database status OK."},{"priority":null,"date":"Mar 7 05:59:02","hostname":"avas","tag":"clamd","content":"[27173]: Database correctly reloaded (20400 viruses)"},{"priority":null,"date":"Mar 7 04:02:16","hostname":"avas","tag":"clamd","content":"[11165]: /var/amavis/amavis-20040307T033734-10329/parts/part-00003: Worm.Mydoom.F FOUND"},{"priority":null,"date":"Mar 7 04:05:55","hostname":"avas","tag":"clamd","content":"[11240]: /var/amavis/amavis-20040307T035901-10615/parts/part-00002: Worm.SomeFool.Gen-1 FOUND"},{"priority":null,"date":"Mar 7 09:00:51","hostname":"avas","tag":"clamd","content":"[27173]: SelfCheck: Database status OK."},{"priority":null,"date":"Mar 7 05:59:02","hostname":"avas","tag":"clamd","content":"[27173]: Database correctly reloaded (20400 viruses)"},{"priority":null,"date":"Mar 7 11:14:35","hostname":"avas","tag":"dccd","content":"[13284]: 21 requests/sec are too many from anonymous 205.201.1.56,2246"},{"priority":null,"date":"Mar 8 00:22:57","hostname":"avas","tag":"dccifd","content":"[9933]: write(MTA socket,4): Broken pipe"},{"priority":null,"date":"Mar 7 21:23:22","hostname":"avas","tag":"dccifd","content":"[6191]: missing message body"},{"priority":null,"date":"Mar 9 16:05:17","hostname":"avas","tag":"named","content":"[12045]: zone PLNet/IN: refresh: non-authoritative answer from master 10.0.0.253#53"},{"priority":null,"date":"Mar 10 00:38:16","hostname":"avas","tag":"dccifd","content":"[23069]: continue not asking DCC 17 seconds after failure"},{"priority":null,"date":"Mar 10 09:42:11","hostname":"avas","tag":"named","content":"client 127.0.0.1#55524: query: 23.68.27.142.sa-trusted.bondedsender.org IN TXT"},{"priority":null,"date":"Mar 9 03:48:07","hostname":"avas","tag":"dccd","content":"[145]: automatic dbclean; starting `dbclean -DPq -i 1189 -L info,local5.notice -L error,local5.err`"},{"priority":null,"date":"Mar 9 11:58:18","hostname":"avas","tag":"kernel","content":"i810_audio: Connection 0 with codec id 2"},{"priority":null,"date":"Mar 9 19:41:13","hostname":"avas","tag":"dccd","content":"[3004]: \"packet length 44 too small for REPORT\" sent to client 1 at 194.63.250.215,47577"},{"priority":null,"date":"Mar 8 09:01:07","hostname":"avas","tag":"sshd","content":"(pam_unix)[21839]: session opened for user tom by (uid=35567)"},{"priority":null,"date":"Mar 8 03:52:04","hostname":"avas","tag":"dccd","content":"[13284]: 1.2.32 database /home/dcc/dcc_db reopened with 997 MByte window"},{"priority":null,"date":"Mar 8 16:05:26","hostname":"avas","tag":"arpwatch","content":"listening on eth0"},{"priority":null,"date":"Mar 10 10:00:06","hostname":"avas","tag":"named","content":"[6986]: zone PLNet/IN: refresh: non-authoritative answer from master 192.75.26.21#53"},{"priority":null,"date":"Mar 10 10:00:10","hostname":"avas","tag":"named","content":"[6986]: client 127.0.0.1#55867: query: mail.canfor.ca IN MX"},{"priority":null,"date":"Mar 8 15:18:40","hostname":"avas","tag":"last","content":"message repeated 11 times"},{"priority":null,"date":"Mar 8 15:18:40","hostname":"127:0:ab::1","tag":"sshd","content":"unauthorized request"},{"priority":null,"date":"Mar 8 15:18:40","hostname":"server.example.com","tag":"sshd","content":"unauthorized request"},{"priority":null,"date":"Mar 8 15:18:40","hostname":"192.168.1.1","tag":"sshd","content":"unauthorized request"},{"priority":35,"date":"Mar 8 15:18:40","hostname":"server.example.com","tag":"sshd","content":"unauthorized request"},{"unparsable":"<7>unparsable line"}] +[{"priority":34,"date":"Oct 11 22:14:15","hostname":"mymachine","tag":"su","content":"'su root' failed for lonvick on /dev/pts/8"},{"priority":null,"date":"Oct 11 22:14:15","hostname":"mymachine","tag":"su","content":"'su root' failed for lonvick on /dev/pts/8"},{"priority":35,"date":"Oct 12 22:14:15","hostname":"client_machine","tag":"su","content":"'su root' failed for joe on /dev/pts/2"},{"priority":35,"date":"Mar 7 04:02:16","hostname":"avas","tag":"clamd","content":"[11165]: /var/amavis/amavis-20040307T033734-10329/parts/part-00003: Worm.Mydoom.F FOUND"},{"priority":null,"date":"Mar 7 04:05:55","hostname":"avas","tag":"clamd","content":"[11240]: /var/amavis/amavis-20040307T035901-10615/parts/part-00002: Worm.SomeFool.Gen-1 FOUND"},{"priority":5,"date":"Mar 7 09:00:51","hostname":"avas","tag":"clamd","content":"[27173]: SelfCheck: Database status OK."},{"priority":null,"date":"Mar 7 05:59:02","hostname":"avas","tag":"clamd","content":"[27173]: Database correctly reloaded (20400 viruses)"},{"priority":null,"date":"Mar 7 04:02:16","hostname":"avas","tag":"clamd","content":"[11165]: /var/amavis/amavis-20040307T033734-10329/parts/part-00003: Worm.Mydoom.F FOUND"},{"priority":null,"date":"Mar 7 04:05:55","hostname":"avas","tag":"clamd","content":"[11240]: /var/amavis/amavis-20040307T035901-10615/parts/part-00002: Worm.SomeFool.Gen-1 FOUND"},{"priority":null,"date":"Mar 7 09:00:51","hostname":"avas","tag":"clamd","content":"[27173]: SelfCheck: Database status OK."},{"priority":null,"date":"Mar 7 05:59:02","hostname":"avas","tag":"clamd","content":"[27173]: Database correctly reloaded (20400 viruses)"},{"priority":null,"date":"Mar 7 11:14:35","hostname":"avas","tag":"dccd","content":"[13284]: 21 requests/sec are too many from anonymous 205.201.1.56,2246"},{"priority":null,"date":"Mar 8 00:22:57","hostname":"avas","tag":"dccifd","content":"[9933]: write(MTA socket,4): Broken pipe"},{"priority":null,"date":"Mar 7 21:23:22","hostname":"avas","tag":"dccifd","content":"[6191]: missing message body"},{"priority":null,"date":"Mar 9 16:05:17","hostname":"avas","tag":"named","content":"[12045]: zone PLNet/IN: refresh: non-authoritative answer from master 10.0.0.253#53"},{"priority":null,"date":"Mar 10 00:38:16","hostname":"avas","tag":"dccifd","content":"[23069]: continue not asking DCC 17 seconds after failure"},{"priority":null,"date":"Mar 10 09:42:11","hostname":"avas","tag":"named","content":"client 127.0.0.1#55524: query: 23.68.27.142.sa-trusted.bondedsender.org IN TXT"},{"priority":null,"date":"Mar 9 03:48:07","hostname":"avas","tag":"dccd","content":"[145]: automatic dbclean; starting `dbclean -DPq -i 1189 -L info,local5.notice -L error,local5.err`"},{"priority":null,"date":"Mar 9 11:58:18","hostname":"avas","tag":"kernel","content":"i810_audio: Connection 0 with codec id 2"},{"priority":null,"date":"Mar 9 19:41:13","hostname":"avas","tag":"dccd","content":"[3004]: \"packet length 44 too small for REPORT\" sent to client 1 at 194.63.250.215,47577"},{"priority":null,"date":"Mar 8 09:01:07","hostname":"avas","tag":"sshd","content":"(pam_unix)[21839]: session opened for user tom by (uid=35567)"},{"priority":null,"date":"Mar 8 03:52:04","hostname":"avas","tag":"dccd","content":"[13284]: 1.2.32 database /home/dcc/dcc_db reopened with 997 MByte window"},{"priority":null,"date":"Mar 8 16:05:26","hostname":"avas","tag":"arpwatch","content":"listening on eth0"},{"priority":null,"date":"Mar 10 10:00:06","hostname":"avas","tag":"named","content":"[6986]: zone PLNet/IN: refresh: non-authoritative answer from master 192.75.26.21#53"},{"priority":null,"date":"Mar 10 10:00:10","hostname":"avas","tag":"named","content":"[6986]: client 127.0.0.1#55867: query: mail.canfor.ca IN MX"},{"priority":null,"date":"Mar 8 15:18:40","hostname":"avas","tag":null,"content":"last message repeated 11 times"},{"priority":null,"date":"Mar 8 15:18:40","hostname":"127:0:ab::1","tag":"sshd","content":"unauthorized request"},{"priority":null,"date":"Mar 8 15:18:40","hostname":"server.example.com","tag":"sshd","content":"unauthorized request"},{"priority":null,"date":"Mar 8 15:18:40","hostname":"192.168.1.1","tag":"sshd","content":"unauthorized request"},{"priority":35,"date":"Mar 8 15:18:40","hostname":"server.example.com","tag":"sshd","content":"unauthorized request"},{"unparsable":"<7>unparsable line"}]