Module: check_mk
Branch: master
Commit: 60b683cab25543fb779acdba87cafa72c0e32f0e
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=60b683cab25543…
Author: Goetz Golla <gg(a)mathias-kettner.de>
Date: Wed Mar 25 15:16:02 2015 +0100
#2107 mkeventd: can now handle syslog format of Sophos firewalls
---
.werks/2107 | 9 +++++++++
ChangeLog | 1 +
mkeventd/bin/mkeventd | 12 +++++++++++-
3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/.werks/2107 b/.werks/2107
new file mode 100644
index 0000000..506b6a3
--- /dev/null
+++ b/.werks/2107
@@ -0,0 +1,9 @@
+Title: mkeventd: can now handle syslog format of Sophos firewalls
+Level: 1
+Component: ec
+Compatible: compat
+Version: 1.2.7i1
+Date: 1427292924
+Class: feature
+
+
diff --git a/ChangeLog b/ChangeLog
index e1d1140..babe25f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -417,6 +417,7 @@
* 1672 Now able to reclassify logwatch messages before forwarding them to the event
console...
* 1878 SEC: Fixed possible shell injection when filtering the EC archive...
* 2099 Allow replication of Event Console rule and settings...
+ * 2107 mkeventd: can now handle syslog format of Sophos firewalls
* 1839 FIX: Fix exception when notifying EC alert into monitoring for traps (because
PID is missing)
* 1813 FIX: Fixed bug in event console rule editor when no contact groups configured
* 1974 FIX: Event console views were randomly ignoring host filters...
diff --git a/mkeventd/bin/mkeventd b/mkeventd/bin/mkeventd
index d6f3b98..255666e 100755
--- a/mkeventd/bin/mkeventd
+++ b/mkeventd/bin/mkeventd
@@ -2147,12 +2147,15 @@ class EventServer:
#Varian 7: logwatch.ec event forwarding
# <78>@1341847712 Klapprechner /var/log/syslog: message....
+ # Variant 8: syslog message from sophos firewall
+ # <84>2015:03:25-12:02:06 gw pluto[7122]: listening for IKE messages
+
# FIXME: Would be better to parse the syslog messages in another way:
# Split the message by the first ":", then split the syslog header
part
# and detect which information are present. Take a look at the syslog RFCs
# for details.
- # Variant 2,3,4,5,6,7
+ # Variant 2,3,4,5,6,7,8
if line.startswith('<'):
i = line.find('>')
prio = int(line[1:i])
@@ -2184,6 +2187,13 @@ class EventServer:
event['time'] = time.mktime(time.strptime(rfc3339_part[:19],
'%Y-%m-%dT%H:%M:%S'))
event.update(self.parse_syslog_info(line))
+ # Variant 8
+ elif line[10] == '-' and line[19] == ' ':
+ event['host'] = line.split(' ')[1]
+ event['time'] = time.mktime(time.strptime(line.split('
')[0], '%Y:%m:%d-%H:%M:%S'))
+ rest = line.split(' ')[2:]
+ event.update(self.parse_syslog_info(rest))
+
# Variant 6
elif len(line.split(': ', 1)[0].split(' ')) == 1:
event.update(self.parse_syslog_info(line))
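Review bot: `rest = line.split(' ')[2:]` hands parse_syslog_info a list, whereas the two neighbouring calls in this hunk (`event.update(self.parse_syslog_info(line))`) pass a str; unless parse_syslog_info is written to accept both — its definition lies outside the hunk — Variant 8 will fail or misparse on its first message. The new `elif line[10] == '-' and line[19] == ' ':` also probes fixed offsets without a length check, so a syslog line shorter than 20 characters that reaches this branch raises IndexError in the receiver instead of falling through to the later variants. Splitting once with a maxsplit and guarding the length covers both points; a ValueError from strptime on a malformed timestamp is shared with the other variants and is not addressed here. The enclosing handler method starts before the hunk and continues past it.
```python
            event.update(self.parse_syslog_info(line))
        # Variant 8: <84>2015:03:25-12:02:06 gw pluto[7122]: ...
        # length guard first, so the fixed-offset probes cannot raise IndexError
        elif len(line) > 19 and line[10] == '-' and line[19] == ' ':
            parts = line.split(' ', 2)
            event['host'] = parts[1]
            event['time'] = time.mktime(time.strptime(parts[0], '%Y:%m:%d-%H:%M:%S'))
            # hand parse_syslog_info a str, as the other variants do
            rest = parts[2] if len(parts) > 2 else ''
            event.update(self.parse_syslog_info(rest))
        # … unchanged: Variant 6 …
```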