Skip to content

Syslog Parser. Accepts RFC 3164 (BSD) and RFC 5424 formats

License

Notifications You must be signed in to change notification settings

solzimer/nsyslog-parser

Repository files navigation

nsyslog-parser

Syslog Parser. Accepts RFC 3164 (BSD), RFC 5424 and CEF Common Event Format formats. Although thought as a parser for stantard syslog messages, there are too many systems/devices out there that sends erroneous, propietary or simply malformed messages. nsyslog-parser is flexible enough to try and parse every single message to extract as many information as possible, without throwing any errors.

Features

Installation

npm install nsyslog-parser

Usage

parser(line,options)
const parser = require("nsyslog-parser");

// Standard BSD message
var bsdLine = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8";

// IETF (RFC 5424) message, with structured data and chained hostnames
var ietfLine = "<110>1 2009-05-03T14:00:39.529966+02:00 host.example.org/relay.example.org syslogd 2138 - [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][exampleSDID@32474 iut="4" eventSource="Application" eventID="1012"][ssign VER="0111" RSID="1" SG="0" SPRI="0" GBC="2" FMN="1" CNT="7" HB="K6wzcombEvKJ+UTMcn9bPryAeaU= zrkDcIeaDluypaPCY8WWzwHpPok= zgrWOdpx16ADc7UmckyIFY53icE= XfopJ+S8/hODapiBBCgVQaLqBKg= J67gKMFl/OauTC20ibbydwIlJC8= M5GziVgB6KPY3ERU1HXdSi2vtdw= Wxd/lU7uG/ipEYT9xeqnsfohyH0=" SIGN="AKBbX4J7QkrwuwdbV7Taujk2lvOf8gCgC62We1QYfnrNHz7FzAvdySuMyfM="] BOMAn application event log entry";

// Syslog CEF (Common Event Format)
var cefLine = "Jan 18 11:07:53 dsmhost CEF:0|Trend Micro|Deep Security Manager|<DSM version>|600|User Signed In|3|src=10.52.116.160 suser=admin target=admin msg=User signed in from 2001:db8::5";
console.log(parser(bsdLine);
console.log(parser(ietfLine);
console.log(parser(cefLine);

Results

{
	originalMessage: '<34>Oct 11 22:14:15 mymachine su: \'su root\' failed for lonvick on /dev/pts/8',
	pri: '<34>',
	prival: 34,
	facilityval: 4,
	levelval: 2,
	facility: 'auth',
	level: 'crit',
	type: 'BSD',
	ts: '2017-10-11T20:14:15.000Z',
	host: 'mymachine',
	appName: 'su',
	message: '\'su root\' failed for lonvick on /dev/pts/8',
	chain: [],
	fields: [],
	header: '<34>Oct 11 22:14:15 mymachine su: '
}
{
	originalMessage: '<110>1 2009-05-03T14:00:39.529966+02:00 host.example.org/relay.example.org syslogd 2138 - [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][exampleSDID@32474 iut="4" eventSource="Application" eventID="1012"][ssign VER="0111" RSID="1" SG="0" SPRI="0" GBC="2" FMN="1" CNT="7" HB="K6wzcombEvKJ+UTMcn9bPryAeaU= zrkDcIeaDluypaPCY8WWzwHpPok= zgrWOdpx16ADc7UmckyIFY53icE= XfopJ+S8/hODapiBBCgVQaLqBKg= J67gKMFl/OauTC20ibbydwIlJC8= M5GziVgB6KPY3ERU1HXdSi2vtdw= Wxd/lU7uG/ipEYT9xeqnsfohyH0=" SIGN="AKBbX4J7Qkrwu wdbV7Taujk2lvOf8gCgC62We1QYfnrNHz7FzAvdySuMyfM="] BOMAn application event log entry',
	pri: '<110>',
	prival: 110,
	facilityval: 13,
	levelval: 6,
	facility: 'security',
	level: 'info',
	version: 1,
	type: 'RFC5424',
	ts: '2009-05-03T12:00:39.529Z',
	host: 'relay.example.org',
	appName: 'syslogd',
	pid: '2138',
	messageid: '-',
	message: 'BOMAn application event log entry',
	chain: [ 'host.example.org' ],
	structuredData:
	[
		{
			'$id': 'exampleSDID@32473',
			iut: '3',
			eventSource: 'Application',
			eventID: '1011'
		},
		{
			'$id': 'exampleSDID@32474',
			iut: '4',
			eventSource: 'Application',
			eventID: '1012'
		},
		{
			'$id': 'ssign',
			VER: '0111',
			RSID: '1',
			SG: '0',
			SPRI: '0',
			GBC: '2',
			FMN: '1',
			CNT: '7',
			HB: 'K6wzcombEvKJ+UTMcn9bPryAeaU= zrkDcIeaDluypaPCY8WWzwHpPok= zgrWOdpx16ADc7UmckyIFY53icE= XfopJ+S8/hODapiBBCgVQaLqBKg= J67gKMFl/OauTC20ibbydwIlJC8= M5GziVgB6KPY3ERU1HXdSi2 vtdw= Wxd/lU7uG/ipEYT9xeqnsfohyH0=',
			SIGN: 'AKBbX4J7QkrwuwdbV7Taujk2lvOf8gCgC62We1QYfnrNHz7FzAvdySuMyfM='
		}
	],
  fields: [],
  header: '<110>1 2009-05-03T14:00:39.529966+02:00 host.example.org/relay.example.org syslogd 2138 - [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][exampleSDID@32474 iut="4" eventSource="Application" eventID="1012"][ssign VER="0111" RSID="1" SG="0" SPRI="0" GBC="2" FMN="1" CNT="7" HB="K6wzcombEvKJ+UTMcn9bPryAeaU= zrkDcIeaDluypaPCY8WWzwHpPok= zgrWOdpx16ADc7UmckyIFY53icE= XfopJ+S8/hODapiBBCgVQaLqBKg= J67gKMFl/OauTC20ibbydwIlJC8= M5GziVgB6KPY3ERU1HXdSi2vtdw= Wxd/lU7uG/ipEYT9xeqnsfohyH0=" SIGN="AKBbX4J7QkrwuwdbV7Tauj k2lvOf8gCgC62We1QYfnrNHz7FzAvdySuMyfM="]'
}

{
	originalMessage: 'Jan 18 11:07:53 dsmhost CEF:0|Trend Micro|Deep Security Manager|<DSM version>|600|User Signed In|3|src=10.52.116.160 suser=admin target=admin msg=User signed in from 2001:db8::5',
	pri: '',
	prival: NaN,
	type: 'CEF',
	ts: '2017-01-18T10:07:53.000Z',
	host: 'dsmhost',
	message: 'CEF:0|Trend Micro|Deep Security Manager|<DSM version>|600|User Signed In|3|src=10.52.116.160 suser=admin target=admin msg=User signed in from 2001:db8::5',
	chain: [],
	cef: {
		version: 'CEF:0',
		deviceVendor: 'Trend Micro',
		deviceProduct: 'Deep Security Manager',
		deviceVersion: '<DSM version>',
		deviceEventClassID: '600',
		name: 'User Signed In',
		severity: '3',
		extension: 'src=10.52.116.160 suser=admin target=admin msg=User signed in from 2001:db8::5'
	},
  fields: {
		src: '10.52.116.160',
		suser: 'admin',
		target: 'admin',
		msg: 'User signed in from 2001:db8::5'
	},
	header: 'Jan 18 11:07:53 dsmhost '
}

Options

Options is a javascript object with the following parameters:

  • cef : Parse CEF strcuture (true by default)
  • fields : Parse Syslog structured data (true by default)
  • pid : Separate the PID field in case the app header field has the app[pid] format (true by default)
  • generateTimestamp: If true and no timestamp can be parsed from the line, sets the current timestamp. Otherwise, leave the field as undefined (true by default)

About

Syslog Parser. Accepts RFC 3164 (BSD) and RFC 5424 formats

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published