in metron-platform/metron-parsing/metron-parsers/src/main/java/org/apache/metron/parsers/asa/BasicAsaParser.java [141:235]
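/**
 * Parses one raw Cisco ASA syslog line into a single normalized Metron message.
 *
 * <p>Parsing runs in two stages. The syslog envelope is matched with
 * {@code syslogGrok} and its timestamp, priority (severity/facility), tag, host
 * and program are copied into the result. The {@code CISCOTAG} capture then
 * selects an ASA-specific Grok from {@code grokers}; when one is registered and
 * matches the message body, the network fields (addresses, ports, protocol,
 * action) are added. A tag without a registered pattern, or a body that does not
 * match it, is only logged and the envelope-only message is still returned.
 *
 * @param rawMessage the raw log line, decoded as UTF-8
 * @return a single-element list holding the normalized message
 * @throws RuntimeException if the line does not match the syslog pattern, if the
 *     syslog timestamp cannot be parsed, or if any other runtime failure occurs
 *     while matching; the original exception is always kept as the cause
 */
public List<JSONObject> parse(byte[] rawMessage) {
  // Decode explicitly as UTF-8 so the platform charset never influences parsing.
  String logLine = new String(rawMessage, StandardCharsets.UTF_8);
  JSONObject metronJson = new JSONObject();
  Map<String, Object> syslogJson;

  try {
    LOG.debug("[Metron] Started parsing raw message: {}", logLine);
    syslogJson = parseSyslogEnvelope(logLine, metronJson);
  } catch (ParseException e) {
    LOG.error("[Metron] Could not parse message timestamp", e);
    throw new RuntimeException(e.getMessage(), e);
  } catch (RuntimeException e) {
    // Re-wrapped with the cause kept so callers see one exception type.
    LOG.error(e.getMessage(), e);
    throw new RuntimeException(e.getMessage(), e);
  }

  try {
    applyAsaMessageFields(logLine, syslogJson, metronJson);
    LOG.debug("[Metron] Final normalized message: {}", metronJson::toString);
  } catch (RuntimeException e) {
    LOG.error(e.getMessage(), e);
    throw new RuntimeException(e.getMessage(), e);
  }

  List<JSONObject> messages = new ArrayList<>();
  messages.add(metronJson);
  return messages;
}

/**
 * Matches the syslog envelope of {@code logLine} and copies its fields into
 * {@code metronJson}.
 *
 * @param logLine the decoded log line
 * @param metronJson the message being built; receives the envelope fields
 * @return the Grok capture map of the envelope (keys such as {@code CISCOTAG},
 *     {@code CISCOTIMESTAMP}, {@code syslog_pri} and {@code message})
 * @throws ParseException if the Cisco timestamp cannot be parsed
 * @throws RuntimeException if the line does not match {@code syslogPattern} or
 *     the envelope carries no {@code syslog_pri} capture
 */
private Map<String, Object> parseSyslogEnvelope(String logLine, JSONObject metronJson)
    throws ParseException {
  Match syslogMatch = syslogGrok.match(logLine);
  syslogMatch.captures();
  if (syslogMatch.isNull()) {
    // The offending line is part of the message so the failure can be diagnosed
    // from the error alone.
    throw new RuntimeException(
        String.format("[Metron] Message '%s' does not match pattern '%s'", logLine, syslogPattern));
  }
  Map<String, Object> syslogJson = syslogMatch.toMap();
  LOG.trace("[Metron] Grok CISCO ASA syslog matches: {}", syslogMatch::toJson);

  metronJson.put(Constants.Fields.ORIGINAL.getName(), logLine);
  metronJson.put(Constants.Fields.TIMESTAMP.getName(),
      SyslogUtils.parseTimestampToEpochMillis((String) syslogJson.get("CISCOTIMESTAMP"), deviceClock));
  metronJson.put("ciscotag", syslogJson.get("CISCOTAG"));

  Object priority = syslogJson.get("syslog_pri");
  if (priority == null) {
    // Unboxing a missing capture would surface as a NullPointerException with no
    // message; fail with a description of what is missing instead.
    throw new RuntimeException(
        String.format("[Metron] Message '%s' has no syslog priority", logLine));
  }
  int syslogPri = (int) priority;
  metronJson.put("syslog_severity", SyslogUtils.getSeverityFromPriority(syslogPri));
  metronJson.put("syslog_facility", SyslogUtils.getFacilityFromPriority(syslogPri));
  putIfPresent(metronJson, "syslog_host", syslogJson.get("syslog_host"));
  putIfPresent(metronJson, "syslog_prog", syslogJson.get("syslog_prog"));
  return syslogJson;
}

/**
 * Adds the ASA-specific fields selected by the {@code CISCOTAG} capture to
 * {@code metronJson}.
 *
 * <p>Nothing is added when no Grok is registered for the tag (logged at INFO) or
 * when the message body does not match it (logged at WARN); neither case is an
 * error, it simply means the parser does not model that message type.
 *
 * @param logLine the decoded log line, used only for diagnostics
 * @param syslogJson the envelope captures returned by {@link #parseSyslogEnvelope}
 * @param metronJson the message being built; receives the network fields
 */
private void applyAsaMessageFields(String logLine, Map<String, Object> syslogJson, JSONObject metronJson) {
  String ciscoTag = (String) syslogJson.get("CISCOTAG");
  Grok asaGrok = grokers.get(ciscoTag);
  if (asaGrok == null) {
    LOG.info("[Metron] No pattern for ciscotag '{}'", ciscoTag);
    return;
  }

  String messageContent = (String) syslogJson.get("message");
  Match messageMatch = asaGrok.match(messageContent);
  messageMatch.captures();
  if (messageMatch.isNull()) {
    LOG.warn("[Metron] Message '{}' did not match pattern for ciscotag '{}'", logLine, ciscoTag);
    return;
  }
  Map<String, Object> messageJson = messageMatch.toMap();
  LOG.trace("[Metron] Grok CISCO ASA message matches: {}", messageMatch::toJson);

  // Casts mirror the Grok capture types; a mismatch surfaces as a
  // ClassCastException, which parse() wraps and rethrows.
  putIfPresent(metronJson, Constants.Fields.SRC_ADDR.getName(), (String) messageJson.get("src_ip"));
  putIfPresent(metronJson, Constants.Fields.SRC_PORT.getName(), (Integer) messageJson.get("src_port"));
  putIfPresent(metronJson, Constants.Fields.DST_ADDR.getName(), (String) messageJson.get("dst_ip"));
  putIfPresent(metronJson, Constants.Fields.DST_PORT.getName(), (Integer) messageJson.get("dst_port"));

  String protocol = (String) messageJson.get("protocol");
  if (protocol != null) {
    // Locale.ROOT keeps the fold independent of the JVM default locale (e.g. a
    // Turkish locale would turn "ICMP" into a dotless-i form), so the field
    // stays comparable across hosts.
    metronJson.put(Constants.Fields.PROTOCOL.getName(), protocol.toLowerCase(java.util.Locale.ROOT));
  }
  String action = (String) messageJson.get("action");
  if (action != null) {
    metronJson.put("action", action.toLowerCase(java.util.Locale.ROOT));
  }
}

/**
 * Stores {@code value} under {@code key} in {@code target} unless it is null,
 * so absent captures never create null-valued fields.
 */
private static void putIfPresent(JSONObject target, String key, Object value) {
  if (value != null) {
    target.put(key, value);
  }
}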