diff --git a/content/parsers/third_party/community/DUMMY_LOGTYPE/cbn/dummy_logtype.conf b/content/parsers/third_party/community/DUMMY_LOGTYPE/cbn/dummy_logtype.conf
new file mode 100644
index 000000000..5a2eb8d06
--- /dev/null
+++ b/content/parsers/third_party/community/DUMMY_LOGTYPE/cbn/dummy_logtype.conf
@@ -0,0 +1,84 @@
+filter {
+ mutate {
+ replace => {
+ "event_data" => ""
+ "productlogid" => ""
+ "kv_msg" => ""
+ "msg" => ""
+ "deviceCustomDate1" => ""
+ "rt" => ""
+ }
+ }
+
+ grok {
+ match => {
+ "message" => [
+ "%{GREEDYDATA:event_data} \\| %{GREEDYDATA:kv_msg}"
+ ]
+ }
+ overwrite => ["event_data" ,"msg" ,"kv_msg"]
+ on_error => "grok_failure"
+ }
+
+ mutate {
+ gsub => ["kv_msg", " ([a-zA-Z0-9]+=)","#$1"]
+ }
+
+ kv {
+ source => "kv_msg"
+ field_split => "#"
+ value_split => "="
+ on_error => "kv_failure"
+ }
+
+ mutate {
+ replace => {
+ "event_type" => "GENERIC_EVENT"
+ }
+ }
+
+ if [msg] != "" {
+ mutate {
+ replace => {
+ "msg_label.value.string_value" => "%{msg}"
+ }
+ on_error => "msg_empty"
+ }
+ if ![msg_empty] {
+ mutate {
+ replace => {
+ "msg_label.key" => "msg"
+ }
+ }
+ mutate {
+ merge => {
+ "event.idm.read_only_udm.additional.fields" => "msg_label"
+ }
+ on_error => "msg_label_empty"
+ }
+ }
+ }
+
+ if [event_data] != "" {
+ mutate {
+ replace => {
+ "event.idm.read_only_udm.metadata.description" => "%{event_data}"
+ }
+ on_error => "event_data_empty"
+ }
+ }
+
+ mutate {
+ rename => {
+ "event_type" => "event.idm.read_only_udm.metadata.event_type"
+ }
+ }
+
+ mutate {
+ merge => {
+ "@output" => "event"
+ }
+ }
+
+}
+
diff --git a/content/parsers/third_party/community/DUMMY_LOGTYPE/cbn/metadata.json b/content/parsers/third_party/community/DUMMY_LOGTYPE/cbn/metadata.json
new file mode 100644
index 000000000..3c61f598a
--- /dev/null
+++ b/content/parsers/third_party/community/DUMMY_LOGTYPE/cbn/metadata.json
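Review bot: `grok_failure` and `kv_failure` are set via `on_error` but never consulted, so a message that does not match `%{GREEDYDATA:event_data} \\| %{GREEDYDATA:kv_msg}` still falls through to the unconditional `"event_type" => "GENERIC_EVENT"` and is emitted with neither a description nor an `additional.fields` entry, which makes a malformed line indistinguishable from a parsed one in the output. If that is the intended behaviour for the template, state it above the grok block, e.g. `# grok/kv failures are not fatal: an unparseable line is still emitted as a bare GENERIC_EVENT`; otherwise gate the rest of the filter with `if [grok_failure] { drop {} }` or tag the event so it can be found downstream. The `field_split => "#"` in the kv block depends entirely on the preceding gsub, so a value that itself contains `#` or a ` token=` sequence will be split into spurious keys, which deserves a comment since nothing in the test logs exercises it. `productlogid`, `deviceCustomDate1` and `rt` are initialised at the top but never written or read afterwards, which looks like an unfinished timestamp extraction; either finish it or remove them.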
@@ -0,0 +1,6 @@
+{
+ "product": "DUMMY Product",
+ "vendor": "Test Vendor",
+ "description": "Some sort of product from this vendor.",
+ "log_type": "DUMMY_LOGTYPE"
+}
diff --git a/content/parsers/third_party/community/DUMMY_LOGTYPE/cbn/testdata/expected_events/test_events.json b/content/parsers/third_party/community/DUMMY_LOGTYPE/cbn/testdata/expected_events/test_events.json
new file mode 100644
index 000000000..2d2da07d1
--- /dev/null
+++ b/content/parsers/third_party/community/DUMMY_LOGTYPE/cbn/testdata/expected_events/test_events.json
@@ -0,0 +1,38 @@
+{
+ "events": [
+ {
+ "event" : {
+ "timestamp": "2021-03-23T08:20:27.863384Z",
+ "idm": {
+ "read_only_udm": {
+ "metadata": {
+ "event_timestamp": "2021-03-23T08:20:27.863384Z",
+ "event_type": "GENERIC_EVENT",
+ "description": "No New Ingestion Activity"
+ },
+ "additional": {
+ "msg": "No reports have been ingested since MAR 23 2021 00:18:31."
+ }
+ }
+ }
+ }
+ },
+ {
+ "event" : {
+ "timestamp": "2021-03-23T08:20:27.863384Z",
+ "idm": {
+ "read_only_udm": {
+ "metadata": {
+ "event_timestamp": "2021-03-23T08:20:27.863384Z",
+ "event_type": "GENERIC_EVENT",
+ "description": "No New Ingestion Activity"
+ },
+ "additional": {
+ "msg": "No reports have been ingested since MAR 23 2021 00:18:32."
+ }
+ }
+ }
+ }
+ }
+ ]
+}
diff --git a/content/parsers/third_party/community/DUMMY_LOGTYPE/cbn/testdata/expected_events/usecase1_events.json b/content/parsers/third_party/community/DUMMY_LOGTYPE/cbn/testdata/expected_events/usecase1_events.json
new file mode 100644
index 000000000..2d2da07d1
--- /dev/null
+++ b/content/parsers/third_party/community/DUMMY_LOGTYPE/cbn/testdata/expected_events/usecase1_events.json
@@ -0,0 +1,38 @@
+{
+ "events": [
+ {
+ "event" : {
+ "timestamp": "2021-03-23T08:20:27.863384Z",
+ "idm": {
+ "read_only_udm": {
+ "metadata": {
+ "event_timestamp": "2021-03-23T08:20:27.863384Z",
+ "event_type": "GENERIC_EVENT",
+ "description": "No New Ingestion Activity"
+ },
+ "additional": {
+ "msg": "No reports have been ingested since MAR 23 2021 00:18:31."
+ }
+ }
+ }
+ }
+ },
+ {
+ "event" : {
+ "timestamp": "2021-03-23T08:20:27.863384Z",
+ "idm": {
+ "read_only_udm": {
+ "metadata": {
+ "event_timestamp": "2021-03-23T08:20:27.863384Z",
+ "event_type": "GENERIC_EVENT",
+ "description": "No New Ingestion Activity"
+ },
+ "additional": {
+ "msg": "No reports have been ingested since MAR 23 2021 00:18:32."
+ }
+ }
+ }
+ }
+ }
+ ]
+}
diff --git a/content/parsers/third_party/community/DUMMY_LOGTYPE/cbn/testdata/raw_logs/test_log.json b/content/parsers/third_party/community/DUMMY_LOGTYPE/cbn/testdata/raw_logs/test_log.json
new file mode 100644
index 000000000..c5dd6dfa0
--- /dev/null
+++ b/content/parsers/third_party/community/DUMMY_LOGTYPE/cbn/testdata/raw_logs/test_log.json
@@ -0,0 +1,6 @@
+{
+ "raw_logs": [
+ "No New Ingestion Activity | msg=No reports have been ingested since MAR 23 2021 00:18:31.",
+ "No New Ingestion Activity | msg=No reports have been ingested since MAR 23 2021 00:18:32."
+ ]
+}
diff --git a/content/parsers/third_party/community/DUMMY_LOGTYPE/cbn/testdata/raw_logs/usecase1_log.json b/content/parsers/third_party/community/DUMMY_LOGTYPE/cbn/testdata/raw_logs/usecase1_log.json
new file mode 100644
index 000000000..c5dd6dfa0
--- /dev/null
+++ b/content/parsers/third_party/community/DUMMY_LOGTYPE/cbn/testdata/raw_logs/usecase1_log.json
@@ -0,0 +1,6 @@
+{
+ "raw_logs": [
+ "No New Ingestion Activity | msg=No reports have been ingested since MAR 23 2021 00:18:31.",
+ "No New Ingestion Activity | msg=No reports have been ingested since MAR 23 2021 00:18:32."
+ ]
+}
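Review bot: usecase1_events.json and usecase1_log.json are byte-identical to test_events.json and test_log.json (the index lines carry the same blobs, 2d2da07d1 and c5dd6dfa0), so the second use case adds no coverage beyond the first. Either drop the duplicate pair or give usecase1_log.json lines that take a different path through the parser: one without the ` | ` separator, so the expected output on a grok failure is pinned, and one whose kv part carries more than one `key=value` pair, so the gsub-and-`#` split is actually exercised. Both fixtures also expect `event_timestamp` equal to the ingestion `timestamp` rather than a value derived from the `MAR 23 2021 00:18:31` text in the message, which is consistent with the parser not extracting it; if that is deliberate, the parser, not the fixture, is the place to say so.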