diff --git a/CHANGELOG b/CHANGELOG
index 6316bb44..06ae27f2 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,13 +1,14 @@
 jc changelog
-xxxxxxxx v1.21.0
+20220821 v1.21.0
 - Add IP Address string parser
-- Add Syslog string parsers (RFC 3164 and RFC 5424)
-- Add CEF string parser
+- Add Syslog standard and streaming string parsers (RFC 3164 and RFC 5424)
+- Add CEF standard and streaming string parser
 - Add PLIST file parser (XML and binary support)
 - Add `-n` support to the `traceroute` parser
 - Add `mdadm` command parser tested on linux
-- Add `--time-out` or `-t` option to add a UTC timestamp to the JSON output
+- Add `--meta-out` or `-M` option to add metadata to the JSON output, including
+ a UTC timestamp, parser name, magic command, and magic command exit code
 - Fix `lsusb` command parser for output containing a `Device Qualifier` and
 `Binary Object Store Descriptor` sections
 - Change `LANG=C` to `LC_ALL=C` in locale instructions
diff --git a/EXAMPLES.md b/EXAMPLES.md
index b7e1a096..2019bc7c 100644
--- a/EXAMPLES.md
+++ b/EXAMPLES.md
@@ -265,6 +265,37 @@ blkid -o udev -ip /dev/sda2 | jc --blkid -p # or: jc -p blkid -o udev
 }
 ]
 ```
+### CEF strings
+```bash
+cat cef.log | jc --cef -p
+```
+```json
+[
+ {
+ "deviceVendor": "Trend Micro",
+ "deviceProduct": "Deep Security Agent",
+ "deviceVersion": "",
+ "deviceEventClassId": "4000000",
+ "name": "Eicar_test_file",
+ "agentSeverity": 6,
+ "CEFVersion": 0,
+ "dvchost": "hostname",
+ "string": "hello \"world\"!",
+ "start": "Nov 08 2020 12:30:00.111 UTC",
+ "start_epoch": 1604867400,
+ "start_epoch_utc": 1604838600,
+ "Host_ID": 1,
+ "Quarantine": 205,
+ "myDate": "Nov 08 2022 12:30:00.111",
+ "myDate_epoch": 1667939400,
+ "myDate_epoch_utc": null,
+ "myFloat": 3.14,
+ "deviceEventClassIdNum": 4000000,
+ "agentSeverityString": "Medium",
+ "agentSeverityNum": 6
+ }
+]
+```
 ### chage --list
 ```bash
 chage --list joeuser | jc --chage -p # or: jc -p chage --list joeuser
@@ -3466,6 +3497,57 @@ sysctl -a | jc --sysctl -p # or: jc -p sysctl -a
 "user.expr_nest_max": 32
 }
 ```
+### Syslog strings (RFC 5424)
+```bash
+cat syslog.txt | jc --syslog -p
+```
+```json
+[
+ {
+ "priority": 35,
+ "version": 1,
+ "timestamp": "2003-10-11T22:14:15.003Z",
+ "hostname": "mymachine.example.com",
+ "appname": "evntslog",
+ "proc_id": null,
+ "msg_id": "ID47",
+ "structured_data": [
+ {
+ "identity": "exampleSDID@32473",
+ "parameters": {
+ "iut": "3",
+ "eventSource": "Application",
+ "eventID": "1011"
+ }
+ },
+ {
+ "identity": "examplePriority@32473",
+ "parameters": {
+ "class": "high"
+ }
+ }
+ ],
+ "message": "unauthorized attempt",
+ "timestamp_epoch": 1065935655,
+ "timestamp_epoch_utc": 1065910455
+ }
+]
+```
+### Syslog strings (RFC 3164)
+```bash
+cat syslog.txt | jc --syslog-bsd -p
+```
+```json
+[
+ {
+ "priority": 34,
+ "date": "Oct 11 22:14:15",
+ "hostname": "mymachine",
+ "tag": "su",
+ "content": "'su root' failed for lonvick on /dev/pts/8"
+ }
+]
+```
 ### systemctl
 ```bash
 systemctl -a | jc --systemctl -p # or: jc -p systemctl -a
diff --git a/docs/parsers/cef.md b/docs/parsers/cef.md
index c264cc54..f6ee4b60 100644
--- a/docs/parsers/cef.md
+++ b/docs/parsers/cef.md
@@ -90,7 +90,7 @@ Examples:
 "myDate_epoch": 1667939400,
 "myDate_epoch_utc": null,
 "myFloat": 3.14,
- "deviceEventClassIdNum": 4000000
+ "deviceEventClassIdNum": 4000000,
 "agentSeverityString": "Medium",
 "agentSeverityNum": 6
 }
diff --git a/jc/parsers/cef.py b/jc/parsers/cef.py
index 44d4f1c5..0a754fb1 100644
--- a/jc/parsers/cef.py
+++ b/jc/parsers/cef.py
@@ -85,7 +85,7 @@ Examples:
 "myDate_epoch": 1667939400,
 "myDate_epoch_utc": null,
 "myFloat": 3.14,
- "deviceEventClassIdNum": 4000000
+ "deviceEventClassIdNum": 4000000,
 "agentSeverityString": "Medium",
 "agentSeverityNum": 6
 }