[checkmk-commits] Check_MK Git: check_mk: #2107 mkeventd: can now handle syslog format of Sophos firewalls

Module: check_mk Branch: master Commit: 60b683cab25543fb779acdba87cafa72c0e32f0e URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=60b683cab25543… Author: Goetz Golla &lt;gg(a)mathias-kettner.de&gt; Date: Wed Mar 25 15:16:02 2015 +0100 #2107 mkeventd: can now handle syslog format of Sophos firewalls --- .werks/2107 | 9 +++++++++ ChangeLog | 1 + mkeventd/bin/mkeventd | 12 +++++++++++- 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/.werks/2107 b/.werks/2107 new file mode 100644 index 0000000..506b6a3 --- /dev/null +++ b/.werks/2107 @@ -0,0 +1,9 @@ +Title: mkeventd: can now handle syslog format of Sophos firewalls +Level: 1 +Component: ec +Compatible: compat +Version: 1.2.7i1 +Date: 1427292924 +Class: feature + + diff --git a/ChangeLog b/ChangeLog index e1d1140..babe25f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -417,6 +417,7 @@ * 1672 Now able to reclassify logwatch messages before forwarding them to the event console... * 1878 SEC: Fixed possible shell injection when filtering the EC archive... * 2099 Allow replication of Event Console rule and settings... + * 2107 mkeventd: can now handle syslog format of Sophos firewalls * 1839 FIX: Fix exception when notifying EC alert into monitoring for traps (because PID is missing) * 1813 FIX: Fixed bug in event console rule editor when no contact groups configured * 1974 FIX: Event console views were randomly ignoring host filters... diff --git a/mkeventd/bin/mkeventd b/mkeventd/bin/mkeventd index d6f3b98..255666e 100755 --- a/mkeventd/bin/mkeventd +++ b/mkeventd/bin/mkeventd @@ -2147,12 +2147,15 @@ class EventServer: #Varian 7: logwatch.ec event forwarding # <78>@1341847712 Klapprechner /var/log/syslog: message.... + # Variant 8: syslog message from sophos firewall + # <84>2015:03:25-12:02:06 gw pluto[7122]: listening for IKE messages + # FIXME: Would be better to parse the syslog messages in another way: # Split the message by the first ":", then split the syslog header part # and detect which information are present. Take a look at the syslog RFCs # for details. - # Variant 2,3,4,5,6,7 + # Variant 2,3,4,5,6,7,8 if line.startswith('<'): i = line.find('>') prio = int(line[1:i]) @@ -2184,6 +2187,13 @@ class EventServer: event['time'] = time.mktime(time.strptime(rfc3339_part[:19], '%Y-%m-%dT%H:%M:%S')) event.update(self.parse_syslog_info(line)) + # Variant 8 + elif line[10] == '-' and line[19] == ' ': + event['host'] = line.split(' ')[1] + event['time'] = time.mktime(time.strptime(line.split(' ')[0], '%Y:%m:%d-%H:%M:%S')) + rest = line.split(' ')[2:] + event.update(self.parse_syslog_info(rest)) + # Variant 6 elif len(line.split(': ', 1)[0].split(' ')) == 1: event.update(self.parse_syslog_info(line))