/*
* Copyright 2012 Future Systems, Inc
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.araqne.logparser.syslog.juniper;
import java.util.HashMap;
import java.util.Map;
import java.util.Scanner;
import org.araqne.log.api.V1LogParser;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class SrxLogParser extends V1LogParser {
private final Logger logger = LoggerFactory.getLogger(SrxLogParser.class.getName());
@Override
public Map<String, Object> parse(Map<String, Object> params) {
Map<String, Object> m = new HashMap<String, Object>();
String line = (String) params.get("line");
if (line == null)
return params;
Scanner s = new Scanner(line);
try {
s.useDelimiter(" +");
String first = s.next();
if (first.matches("[0-9]+")) {
// date
s.next();
m.put("host", s.next());
s.next();
s.next();
String logtype = s.next();
m.put("action", logtype.substring("RT_FLOW_SESSION_".length()).toLowerCase());
while (s.hasNext()) {
String token = s.next();
while (s.hasNext() && !token.startsWith("[") && !token.endsWith("]") && !token.endsWith("\""))
token += " " + s.next();
if (token.startsWith("["))
continue;
else if (token.endsWith("]"))
token = token.substring(0, token.length() - 1);
parseKeyValue(m, token);
}
} else {
// day
String day = s.next();
// time
String time = s.next();
m.put("start_time", first + " " + day + " " + time);
// type or device_id
String unknownField = s.next();
if (!unknownField.equals("RT_FLOW:")) {
m.put("device_id", unknownField);
s.next();
}
String logtype = s.next();
s.next();
s.next();
if (logtype.equals("RT_FLOW_SESSION_CREATE:")) {
m.put("action", "create");
parseCommon(m, s);
} else if (logtype.equals("RT_FLOW_SESSION_CLOSE:")) {
m.put("action", "close");
String reason = s.next();
while (!reason.endsWith(":"))
reason += " " + s.next();
m.put("reason", reason.substring(0, reason.length() - 1));
parseCommon(m, s);
// parseStat(m, "sent", s.next());
// parseStat(m, "rcvd", s.next());
// m.put("elapsed_time", Long.valueOf(s.next()));
} else if (logtype.equals("RT_FLOW_SESSION_DENY:")) {
m.put("action", "deny");
parseFlow(m, s);
String token = s.next();
int p1 = token.indexOf('(');
String protocol = token.substring(0, p1);
String icmpType = token.substring(p1 + 1, token.length() - 1);
m.put("protocol", protocol);
m.put("icmp_type", icmpType);
m.put("policy", s.next());
m.put("src_zone", s.next());
m.put("dst_zone", s.next());
} else
return params;
}
} catch (Throwable t) {
logger.warn("araqne syslog parser: cannot parse log [" + line + "]", t);
return params;
} finally {
s.close();
}
return m;
}
private void parseKeyValue(Map<String, Object> m, String token) {
String[] t = token.split("=", 2);
m.put(t[0], t[1].subSequence(1, t[1].length() - 1));
}
private void parseCommon(Map<String, Object> m, Scanner s) {
parseFlow(m, s);
String natFlow = s.next();
int p4 = natFlow.indexOf('/');
int p5 = natFlow.indexOf('-', p4);
int p6 = natFlow.indexOf('/', p5);
m.put("nat_src_ip", natFlow.substring(0, p4));
m.put("nat_src_port", Integer.valueOf(natFlow.substring(p4 + 1, p5)));
m.put("nat_dst_ip", natFlow.substring(p5 + 2, p6));
m.put("nat_dst_port", Integer.valueOf(natFlow.substring(p6 + 1)));
m.put("src_nat_rule", s.next());
m.put("dst_nat_rule", s.next());
m.put("protocol", s.next());
m.put("policy", s.next());
m.put("src_zone", s.next());
m.put("dst_zone", s.next());
m.put("session_id", s.next());
if (!s.hasNext())
return;
String packetsFromClient = s.next();
String packetsFromServer = s.next();
int ce = packetsFromClient.indexOf("(");
int se = packetsFromServer.indexOf("(");
m.put("packets_from_client", packetsFromClient.substring(0, ce));
m.put("bytes_from_client", packetsFromClient.substring(ce));
m.put("packets_from_server", packetsFromServer.substring(0, se));
m.put("bytes_from_server", packetsFromServer.substring(se));
m.put("elapsed_time", s.next());
m.put("application", s.next());
m.put("nested_application", s.next());
String userAndRole = s.next();
int ue = userAndRole.indexOf("(");
m.put("username", userAndRole.substring(0, ue));
m.put("roles", userAndRole.substring(ue));
m.put("packet_incoming_interface", s.next());
m.put("encrypted", s.next());
}
private void parseFlow(Map<String, Object> m, Scanner s) {
String flow = s.next();
int p1 = flow.indexOf('/');
int p2 = flow.indexOf('-', p1);
int p3 = flow.indexOf('/', p2);
m.put("src_ip", flow.substring(0, p1));
m.put("src_port", Integer.valueOf(flow.substring(p1 + 1, p2)));
m.put("dst_ip", flow.substring(p2 + 2, p3));
m.put("dst_port", Integer.valueOf(flow.substring(p3 + 1)));
m.put("service", s.next());
}
}