diff --git a/fluent-plugin-parser_cef.gemspec b/fluent-plugin-parser_cef.gemspec
index 9658c42..2fc84aa 100644
--- a/fluent-plugin-parser_cef.gemspec
+++ b/fluent-plugin-parser_cef.gemspec
@@ -21,7 +21,7 @@ Gem::Specification.new do |spec|
 spec.add_runtime_dependency "fluentd", ">= 0.14.0", "< 2"
- spec.add_development_dependency "bundler", "~> 1.3"
+ spec.add_development_dependency "bundler", "~> 2.3"
 spec.add_development_dependency "rake"
 spec.add_development_dependency "rspec", "~> 3.0"
 spec.add_development_dependency "rspec-core"
diff --git a/lib/fluent/plugin/config/cef_version_0_keys.yaml b/lib/fluent/plugin/config/cef_version_0_keys.yaml
index 9f32773..5babbcd 100644
--- a/lib/fluent/plugin/config/cef_version_0_keys.yaml
+++ b/lib/fluent/plugin/config/cef_version_0_keys.yaml
@@ -171,3 +171,53 @@ cef_key_names_for_event_consumers:
 - sourceZoneExternalID
 - sourceZoneURI
+# CEF Key Names For Palo Alto
+cef_key_names_for_paloalto:
+ - slocation
+ - dlocation
+ - PanOSPacketsReceived
+ - PanOSPacketsSent
+ - PanOSThreatCategory
+ - PanOSThreatID
+ - PanOSThreatName
+ - PanOSThreatDomain
+ - PanOSSeverity
+ - PanOSReferer
+ - PanOSURLCatList
+ - PanOSLogTimeStamp
+ - PanOSVirtualSystem
+ - PanOSEventID
+ - PanOSStage
+ - PanOSAuthMethod
+ - PanOSTunnelType
+ - PanOSSourceUserName
+ - PanOSSourceRegion
+ - PanOSEndpointDeviceName
+ - PanOSPublicIPv4
+ - PanOSPublicIPv6
+ - PanOSPrivateIPv4
+ - PanOSPrivateIPv6
+ - PanOSHostID
+ - PanOSDeviceSN
+ - PanOSGlobalProtectClientVersion
+ - PanOSEndpointOSType
+ - PanOSEndpointOSVersion
+ - PanOSCountOfRepeats
+ - PanOSQuarantineReason
+ - PanOSConnectionError
+ - PanOSDescription
+ - PanOSEventStatus
+ - PanOSGPGatewayLocation
+ - PanOSLoginDuration
+ - PanOSConnectionMethod
+ - PanOSConnectionErrorID
+ - PanOSPortal
+ - PanOSSequenceNo
+ - PanOSActionFlags
+ - PanOSTimeGeneratedHighResolution
+ - PanOSGatewaySelectionType
+ - PanOSSSLResponseTime
+ - PanOSGatewayPriority
+ - PanOSAttemptedGateways
+ - PanOSGateway
+ - PanOSEndpointDeviceSN
diff --git a/spec/fluent/plugin/parser_cef_spec.rb b/spec/fluent/plugin/parser_cef_spec.rb
index b1fba33..d390caf 100644
--- a/spec/fluent/plugin/parser_cef_spec.rb
+++ b/spec/fluent/plugin/parser_cef_spec.rb
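Review bot: The new `cef_key_names_for_paloalto` group carries no pointer to the PAN-OS release or vendor field reference the 48 names were taken from, so a maintainer cannot tell whether the list is complete or which entries are obsolete; a comment beside the group header such as `# Source: <PAN-OS CEF field reference, release TODO-confirm>` would fix that. The two entries without the `PanOS` prefix, `slocation` and `dlocation`, sit in a group otherwise made of `PanOS*` names, and a one-line comment on why they belong here would spare the next reader the same question. Whether a name being absent from this list changes how the parser treats an unknown extension key is not visible in this diff.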
@@ -373,5 +373,70 @@ def create_driver(conf=DEFAULT_CONFIGURE)
 "dpt" => "80",
 "msg" => "\xe3\x2e\x2e\x2e".scrub('?')
 }]}
 end
+ context "syslog message is BASIC Log for Palo Alto FW" do
+ let (:config) {%[
+ log_utc_offset +09:00
+ ]}
+ let (:text) { "Jan 1 00:00:00 Paloalto - CEF:0|Palo Alto Networks|PAN-OS|10.1.8|TRAFFIC|end|0|" }
+ subject do
+ allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
+ @timestamp = Time.parse("Jan 1 00:00:00 +09:00").to_i
+ @test_driver = create_driver(config)
+ parsed = nil
+ @test_driver.instance.parse(text) do |time, record|
+ parsed = [time, record]
+ end
+ parsed
+ end
+ it { is_expected.to eq [
+ @timestamp, {
+ "syslog_timestamp" => "Jan 1 00:00:00",
+ "syslog_hostname" => "Paloalto",
+ "syslog_tag" => "-",
+ "cef_version" => "0",
+ "cef_device_vendor" => "Palo Alto Networks",
+ "cef_device_product" => "PAN-OS",
+ "cef_device_version" => "10.1.8",
+ "cef_device_event_class_id" => "TRAFFIC",
+ "cef_name" => "end",
+ "cef_severity" => "0",
+ }
+ ]
+ }
+ end
+ context "syslog message is FW traffic Log for Palo Alto FW" do
+ let (:config) {%[
+ log_utc_offset +09:00
+ ]}
+ let (:text) { "Jan 1 00:00:00 Paloalto - CEF:0|Palo Alto Networks|PAN-OS|10.1.7|TRAFFIC|start|0|deviceExternalId=000000000000001 PanOSPacketsReceived=0 PanOSPacketsSent=1" }
+ subject do
+ allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
+ @timestamp = Time.parse("Jan 1 00:00:00 +09:00").to_i
+ @test_driver = create_driver(config)
+ parsed = nil
+ @test_driver.instance.parse(text) do |time, record|
+ parsed = [time, record]
+ end
+ parsed
+ end
+ it { is_expected.to eq [
+ @timestamp, {
+ "syslog_timestamp" => "Jan 1 00:00:00",
+ "syslog_hostname" => "Paloalto",
+ "syslog_tag" => "-",
+ "cef_version" => "0",
+ "cef_device_vendor" => "Palo Alto Networks",
+ "cef_device_product" => "PAN-OS",
+ "cef_device_version" => "10.1.7",
+ "cef_device_event_class_id" => "TRAFFIC",
+ "cef_name" => "start",
+ "cef_severity" => "0",
+ "deviceExternalId" => "000000000000001",
+ "PanOSPacketsReceived" => "0",
+ "PanOSPacketsSent" => "1",
+ }
+ ]
+ }
+ end
 end
end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 702204b..9d6251e 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -32,6 +32,7 @@
 # rspec-expectations config goes here. You can use an alternate
 # assertion/expectation library such as wrong or the stdlib/minitest
 # assertions if you prefer.
+ config.example_status_persistence_file_path = "spec/result.txt"
 config.expect_with :rspec do |expectations|
 # This option will default to `true` in RSpec 4. It makes the `description`
 # and `failure_message` of custom matchers include text for helper methods
@@ -113,4 +114,3 @@
 Kernel.srand config.seed
 =end
 end
-
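Review bot: The second context exercises only `PanOSPacketsReceived` and `PanOSPacketsSent`, so the other 46 names this commit adds to `cef_version_0_keys.yaml` (for example `PanOSThreatName` or `PanOSSourceRegion`) are not pinned by any expectation; one more sample line carrying a handful of them, with the matching `"PanOSThreatName" => "..."` entries in the expected record, would confirm the new list is actually consulted. Both new contexts also repeat the same `config` and the same fourteen-line `subject` block verbatim; if the rest of the file follows that pattern this is at least consistent, otherwise a `shared_context` holding the `subject` and `config` would remove the duplication. The enclosing `describe` block starts outside the hunk.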
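Review bot: `config.example_status_persistence_file_path = "spec/result.txt"` makes every `rspec` run write a status file into the source tree, and this diff carries no matching `.gitignore` change, so `spec/result.txt` will appear as an untracked file and can be committed by accident unless the repository already ignores it. Either add `spec/result.txt` to `.gitignore` in the same change or point the option at a scratch location such as `tmp/rspec_status.txt`, which is what the generated `spec_helper.rb` template suggests in its comment for this option. The setting sits inside the `RSpec.configure` block, which starts outside the hunk.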