doc update

CHANGELOG

@@ -1,13 +1,14 @@
 jc changelog
 
-xxxxxxxx v1.21.0
+20220821 v1.21.0
 - Add IP Address string parser
-- Add Syslog string parsers (RFC 3164 and RFC 5424)
+- Add Syslog standard and streaming string parsers (RFC 3164 and RFC 5424)
-- Add CEF string parser
+- Add CEF standard and streaming string parser
 - Add PLIST file parser (XML and binary support)
 - Add `-n` support to the `traceroute` parser
 - Add `mdadm` command parser tested on linux
-- Add `--time-out` or `-t` option to add a UTC timestamp to the JSON output
+- Add `--meta-out` or `-M` option to add metadata to the JSON output, including
+  a UTC timestamp, parser name, magic command, and magic command exit code
 - Fix `lsusb` command parser for output containing a `Device Qualifier` and
   `Binary Object Store Descriptor` sections
 - Change `LANG=C` to `LC_ALL=C` in locale instructions

EXAMPLES.md

@@ -265,6 +265,37 @@ blkid -o udev -ip /dev/sda2 | jc --blkid -p          # or:  jc -p blkid -o udev
   }
 ]
 ```
+### CEF strings
+```bash
+cat cef.log | jc --cef -p
+```
+```json
+[
+  {
+    "deviceVendor": "Trend Micro",
+    "deviceProduct": "Deep Security Agent",
+    "deviceVersion": "<DSA version>",
+    "deviceEventClassId": "4000000",
+    "name": "Eicar_test_file",
+    "agentSeverity": 6,
+    "CEFVersion": 0,
+    "dvchost": "hostname",
+    "string": "hello \"world\"!",
+    "start": "Nov 08 2020 12:30:00.111 UTC",
+    "start_epoch": 1604867400,
+    "start_epoch_utc": 1604838600,
+    "Host_ID": 1,
+    "Quarantine": 205,
+    "myDate": "Nov 08 2022 12:30:00.111",
+    "myDate_epoch": 1667939400,
+    "myDate_epoch_utc": null,
+    "myFloat": 3.14,
+    "deviceEventClassIdNum": 4000000,
+    "agentSeverityString": "Medium",
+    "agentSeverityNum": 6
+  }
+]
+```
 ### chage --list
 ```bash
 chage --list joeuser | jc --chage -p          # or:  jc -p chage --list joeuser
@@ -3466,6 +3497,57 @@ sysctl -a | jc --sysctl -p          # or:  jc -p sysctl -a
   "user.expr_nest_max": 32
 }
 ```
+### Syslog strings (RFC 5424)
+```bash
+cat syslog.txt | jc --syslog -p
+```
+```json
+[
+  {
+    "priority": 35,
+    "version": 1,
+    "timestamp": "2003-10-11T22:14:15.003Z",
+    "hostname": "mymachine.example.com",
+    "appname": "evntslog",
+    "proc_id": null,
+    "msg_id": "ID47",
+    "structured_data": [
+      {
+        "identity": "exampleSDID@32473",
+        "parameters": {
+          "iut": "3",
+          "eventSource": "Application",
+          "eventID": "1011"
+        }
+      },
+      {
+        "identity": "examplePriority@32473",
+        "parameters": {
+          "class": "high"
+        }
+      }
+    ],
+    "message": "unauthorized attempt",
+    "timestamp_epoch": 1065935655,
+    "timestamp_epoch_utc": 1065910455
+  }
+]
+```
+### Syslog strings (RFC 3164)
+```bash
+cat syslog.txt | jc --syslog-bsd -p
+```
+```json
+[
+  {
+    "priority": 34,
+    "date": "Oct 11 22:14:15",
+    "hostname": "mymachine",
+    "tag": "su",
+    "content": "'su root' failed for lonvick on /dev/pts/8"
+  }
+]
+```
 ### systemctl
 ```bash
 systemctl -a | jc --systemctl -p          # or:  jc -p systemctl -a

docs/parsers/cef.md

@@ -90,7 +90,7 @@ Examples:
         "myDate_epoch": 1667939400,
         "myDate_epoch_utc": null,
         "myFloat": 3.14,
-        "deviceEventClassIdNum": 4000000
+        "deviceEventClassIdNum": 4000000,
         "agentSeverityString": "Medium",
         "agentSeverityNum": 6
       }

jc/parsers/cef.py

@@ -85,7 +85,7 @@ Examples:
         "myDate_epoch": 1667939400,
         "myDate_epoch_utc": null,
         "myFloat": 3.14,
-        "deviceEventClassIdNum": 4000000
+        "deviceEventClassIdNum": 4000000,
         "agentSeverityString": "Medium",
         "agentSeverityNum": 6
       }