From 7bc8d7524289ac660b53c94fd07b09cb4944c406 Mon Sep 17 00:00:00 2001 From: anti Date: Tue, 7 Apr 2026 15:56:01 -0400 Subject: [PATCH] feat: parse RFC 5424 fields and msg directly in backend --- decnet/web/sqlite_repository.py | 24 ++++++++++++++++++----- templates/decnet_logging.py | 23 ++++++++++++++++++---- templates/docker_api/decnet_logging.py | 23 ++++++++++++++++++---- templates/elasticsearch/decnet_logging.py | 23 ++++++++++++++++++---- templates/ftp/decnet_logging.py | 23 ++++++++++++++++++---- templates/http/decnet_logging.py | 23 ++++++++++++++++++---- templates/imap/decnet_logging.py | 23 ++++++++++++++++++---- templates/k8s/decnet_logging.py | 23 ++++++++++++++++++---- templates/ldap/decnet_logging.py | 23 ++++++++++++++++++---- templates/llmnr/decnet_logging.py | 23 ++++++++++++++++++---- templates/mongodb/decnet_logging.py | 23 ++++++++++++++++++---- templates/mqtt/decnet_logging.py | 23 ++++++++++++++++++---- templates/mssql/decnet_logging.py | 23 ++++++++++++++++++---- templates/mysql/decnet_logging.py | 23 ++++++++++++++++++---- templates/pop3/decnet_logging.py | 23 ++++++++++++++++++---- templates/postgres/decnet_logging.py | 23 ++++++++++++++++++---- templates/rdp/decnet_logging.py | 23 ++++++++++++++++++---- templates/redis/decnet_logging.py | 23 ++++++++++++++++++---- templates/sip/decnet_logging.py | 23 ++++++++++++++++++---- templates/smb/decnet_logging.py | 23 ++++++++++++++++++---- templates/smtp/decnet_logging.py | 23 ++++++++++++++++++---- templates/snmp/decnet_logging.py | 23 ++++++++++++++++++---- templates/tftp/decnet_logging.py | 23 ++++++++++++++++++---- templates/vnc/decnet_logging.py | 23 ++++++++++++++++++---- 24 files changed, 456 insertions(+), 97 deletions(-) diff --git a/decnet/web/sqlite_repository.py b/decnet/web/sqlite_repository.py index 5f9eccd..5cc3df4 100644 --- a/decnet/web/sqlite_repository.py +++ b/decnet/web/sqlite_repository.py 
@@ -20,9 +20,19 @@ class SQLiteRepository(BaseRepository): service TEXT, event_type TEXT, attacker_ip TEXT, - raw_line TEXT + raw_line TEXT, + fields TEXT, + msg TEXT ) """) + try: + await db.execute("ALTER TABLE logs ADD COLUMN fields TEXT") + except aiosqlite.OperationalError: + pass + try: + await db.execute("ALTER TABLE logs ADD COLUMN msg TEXT") + except aiosqlite.OperationalError: + pass # Users table (internal RBAC) await db.execute(""" CREATE TABLE IF NOT EXISTS users ( @@ -44,25 +54,29 @@ class SQLiteRepository(BaseRepository): timestamp = log_data.get("timestamp") if timestamp: await db.execute( - "INSERT INTO logs (timestamp, decky, service, event_type, attacker_ip, raw_line) VALUES (?, ?, ?, ?, ?, ?)", + "INSERT INTO logs (timestamp, decky, service, event_type, attacker_ip, raw_line, fields, msg) VALUES (?, ?, ?, ?, ?, ?, ?, ?)", ( timestamp, log_data.get("decky"), log_data.get("service"), log_data.get("event_type"), log_data.get("attacker_ip"), - log_data.get("raw_line") + log_data.get("raw_line"), + log_data.get("fields"), + log_data.get("msg") ) ) else: await db.execute( - "INSERT INTO logs (decky, service, event_type, attacker_ip, raw_line) VALUES (?, ?, ?, ?, ?)", + "INSERT INTO logs (decky, service, event_type, attacker_ip, raw_line, fields, msg) VALUES (?, ?, ?, ?, ?, ?, ?)", ( log_data.get("decky"), log_data.get("service"), log_data.get("event_type"), log_data.get("attacker_ip"), - log_data.get("raw_line") + log_data.get("raw_line"), + log_data.get("fields"), + log_data.get("msg") ) ) await db.commit() diff --git a/templates/decnet_logging.py b/templates/decnet_logging.py index 2aa0219..3840838 100644 --- a/templates/decnet_logging.py +++ b/templates/decnet_logging.py @@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger: return _json_logger + def write_syslog_file(line: str) -> None: """Append a syslog line to the rotating log file.""" try: 
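Review bot: The two `except aiosqlite.OperationalError: pass` blocks around the new `ALTER TABLE logs ADD COLUMN` statements swallow every OperationalError, not only the "duplicate column name" case they are written for; a locked or read-only database fails silently here and only shows up later as a failing INSERT on the new columns. Checking the existing schema first and altering only when a column is actually missing keeps the migration idempotent without hiding other failures. The method enclosing this hunk starts outside it, so the surrounding `async with`/connection handling is assumed from the existing `await db.execute(...)` calls.
```python
# … unchanged: CREATE TABLE IF NOT EXISTS logs (...) …
# Migrate older databases: add the columns only when the schema lacks them,
# so any other OperationalError (locked/read-only database) still surfaces.
async with db.execute("PRAGMA table_info(logs)") as cur:
    existing = {row[1] for row in await cur.fetchall()}
if "fields" not in existing:
    await db.execute("ALTER TABLE logs ADD COLUMN fields TEXT")
if "msg" not in existing:
    await db.execute("ALTER TABLE logs ADD COLUMN msg TEXT")
# … unchanged: users table creation …
```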
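Review bot: The two INSERT statements in the second hunk now repeat the same eight-column list and the same `log_data.get(...)` sequence, differing only in `timestamp`, so every future column must be added in four places; building one row tuple and prepending `timestamp` when it is present would remove the duplication. Note also that a producer that does not send `fields`/`msg` (an un-updated template) stores NULL in both columns, while the updated templates appear to always send at least `"{}"` and `""` if the payload they log is what arrives here as `log_data`; either readers of `logs.fields` must handle NULL or the insert should default with `log_data.get("fields", "{}")` and `log_data.get("msg", "")`. The method enclosing this hunk starts outside it.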
@@ -176,11 +177,23 @@ def write_syslog_file(line: str) -> None: if m: ts_raw, decky, service, event_type, sd_rest = m.groups() - block = _SD_BLOCK_RE.search(sd_rest) fields = {} - if block: - for k, v in _PARAM_RE.findall(block.group(1)): - fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + msg = "" + + if sd_rest.startswith("-"): + msg = sd_rest[1:].lstrip() + elif sd_rest.startswith("["): + block = _SD_BLOCK_RE.search(sd_rest) + if block: + for k, v in _PARAM_RE.findall(block.group(1)): + fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + + # extract msg after the block + msg_match = re.search(r'\]\s+(.+)$', sd_rest) + if msg_match: + msg = msg_match.group(1).strip() + else: + msg = sd_rest attacker_ip = "Unknown" for fname in _IP_FIELDS: @@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None: "service": service, "event_type": event_type, "attacker_ip": attacker_ip, + "fields": json.dumps(fields), + "msg": msg, "raw_line": line } _get_json_logger().info(json.dumps(payload)) diff --git a/templates/docker_api/decnet_logging.py b/templates/docker_api/decnet_logging.py index 2aa0219..3840838 100644 --- a/templates/docker_api/decnet_logging.py +++ b/templates/docker_api/decnet_logging.py @@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger: return _json_logger + def write_syslog_file(line: str) -> None: """Append a syslog line to the rotating log file.""" try: 
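Review bot: The message split `msg_match = re.search(r'\]\s+(.+)$', sd_rest)` in the `elif sd_rest.startswith("["):` branch matches the first `]` followed by whitespace anywhere in `sd_rest`, including an escaped `\]` inside an SD-PARAM value, and the values parsed here carry client-supplied strings; a value containing `] ` would therefore push the remainder of the structured-data block into `msg`. Since `block` already marks where the parsed SD element ends, take the message from there instead: `msg = sd_rest[block.end():].strip()` under `if block:`, keeping the regex only as the fallback when `_SD_BLOCK_RE` does not match (this assumes `_SD_BLOCK_RE`, defined outside the hunk, covers the whole SD block; if it captures only the first element, the tail would still hold the remaining elements, which is safer than a mis-split). The same hunk is repeated verbatim in every other templates/*/decnet_logging.py in this commit (docker_api through vnc) and needs the same change. `write_syslog_file` starts and ends outside this hunk.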
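Review bot: `"fields": json.dumps(fields)` in the third hunk embeds a JSON string inside a payload that is itself passed through `json.dumps(payload)` two lines below, so consumers decode twice; that matches the backend storing `fields` in a TEXT column, but nothing at this site says so. A one-line comment such as `# pre-serialized on purpose: the backend stores this string verbatim in the TEXT column logs.fields` would record the intent, and `msg` deserves a similar note that it is free text likely containing client-supplied content and must be treated as untrusted by anything that renders it. The same addition appears in every other templates/*/decnet_logging.py in this commit. `write_syslog_file` starts outside this hunk.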
@@ -176,11 +177,23 @@ def write_syslog_file(line: str) -> None: if m: ts_raw, decky, service, event_type, sd_rest = m.groups() - block = _SD_BLOCK_RE.search(sd_rest) fields = {} - if block: - for k, v in _PARAM_RE.findall(block.group(1)): - fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + msg = "" + + if sd_rest.startswith("-"): + msg = sd_rest[1:].lstrip() + elif sd_rest.startswith("["): + block = _SD_BLOCK_RE.search(sd_rest) + if block: + for k, v in _PARAM_RE.findall(block.group(1)): + fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + + # extract msg after the block + msg_match = re.search(r'\]\s+(.+)$', sd_rest) + if msg_match: + msg = msg_match.group(1).strip() + else: + msg = sd_rest attacker_ip = "Unknown" for fname in _IP_FIELDS: @@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None: "service": service, "event_type": event_type, "attacker_ip": attacker_ip, + "fields": json.dumps(fields), + "msg": msg, "raw_line": line } _get_json_logger().info(json.dumps(payload)) diff --git a/templates/elasticsearch/decnet_logging.py b/templates/elasticsearch/decnet_logging.py index 2aa0219..3840838 100644 --- a/templates/elasticsearch/decnet_logging.py +++ b/templates/elasticsearch/decnet_logging.py @@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger: return _json_logger + def write_syslog_file(line: str) -> None: """Append a syslog line to the rotating log file.""" try: 
@@ -176,11 +177,23 @@ def write_syslog_file(line: str) -> None: if m: ts_raw, decky, service, event_type, sd_rest = m.groups() - block = _SD_BLOCK_RE.search(sd_rest) fields = {} - if block: - for k, v in _PARAM_RE.findall(block.group(1)): - fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + msg = "" + + if sd_rest.startswith("-"): + msg = sd_rest[1:].lstrip() + elif sd_rest.startswith("["): + block = _SD_BLOCK_RE.search(sd_rest) + if block: + for k, v in _PARAM_RE.findall(block.group(1)): + fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + + # extract msg after the block + msg_match = re.search(r'\]\s+(.+)$', sd_rest) + if msg_match: + msg = msg_match.group(1).strip() + else: + msg = sd_rest attacker_ip = "Unknown" for fname in _IP_FIELDS: @@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None: "service": service, "event_type": event_type, "attacker_ip": attacker_ip, + "fields": json.dumps(fields), + "msg": msg, "raw_line": line } _get_json_logger().info(json.dumps(payload)) diff --git a/templates/ftp/decnet_logging.py b/templates/ftp/decnet_logging.py index 2aa0219..3840838 100644 --- a/templates/ftp/decnet_logging.py +++ b/templates/ftp/decnet_logging.py @@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger: return _json_logger + def write_syslog_file(line: str) -> None: """Append a syslog line to the rotating log file.""" try: 
@@ -176,11 +177,23 @@ def write_syslog_file(line: str) -> None: if m: ts_raw, decky, service, event_type, sd_rest = m.groups() - block = _SD_BLOCK_RE.search(sd_rest) fields = {} - if block: - for k, v in _PARAM_RE.findall(block.group(1)): - fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + msg = "" + + if sd_rest.startswith("-"): + msg = sd_rest[1:].lstrip() + elif sd_rest.startswith("["): + block = _SD_BLOCK_RE.search(sd_rest) + if block: + for k, v in _PARAM_RE.findall(block.group(1)): + fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + + # extract msg after the block + msg_match = re.search(r'\]\s+(.+)$', sd_rest) + if msg_match: + msg = msg_match.group(1).strip() + else: + msg = sd_rest attacker_ip = "Unknown" for fname in _IP_FIELDS: @@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None: "service": service, "event_type": event_type, "attacker_ip": attacker_ip, + "fields": json.dumps(fields), + "msg": msg, "raw_line": line } _get_json_logger().info(json.dumps(payload)) diff --git a/templates/http/decnet_logging.py b/templates/http/decnet_logging.py index 2aa0219..3840838 100644 --- a/templates/http/decnet_logging.py +++ b/templates/http/decnet_logging.py @@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger: return _json_logger + def write_syslog_file(line: str) -> None: """Append a syslog line to the rotating log file.""" try: 
@@ -176,11 +177,23 @@ def write_syslog_file(line: str) -> None: if m: ts_raw, decky, service, event_type, sd_rest = m.groups() - block = _SD_BLOCK_RE.search(sd_rest) fields = {} - if block: - for k, v in _PARAM_RE.findall(block.group(1)): - fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + msg = "" + + if sd_rest.startswith("-"): + msg = sd_rest[1:].lstrip() + elif sd_rest.startswith("["): + block = _SD_BLOCK_RE.search(sd_rest) + if block: + for k, v in _PARAM_RE.findall(block.group(1)): + fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + + # extract msg after the block + msg_match = re.search(r'\]\s+(.+)$', sd_rest) + if msg_match: + msg = msg_match.group(1).strip() + else: + msg = sd_rest attacker_ip = "Unknown" for fname in _IP_FIELDS: @@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None: "service": service, "event_type": event_type, "attacker_ip": attacker_ip, + "fields": json.dumps(fields), + "msg": msg, "raw_line": line } _get_json_logger().info(json.dumps(payload)) diff --git a/templates/imap/decnet_logging.py b/templates/imap/decnet_logging.py index 2aa0219..3840838 100644 --- a/templates/imap/decnet_logging.py +++ b/templates/imap/decnet_logging.py @@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger: return _json_logger + def write_syslog_file(line: str) -> None: """Append a syslog line to the rotating log file.""" try: 
@@ -176,11 +177,23 @@ def write_syslog_file(line: str) -> None: if m: ts_raw, decky, service, event_type, sd_rest = m.groups() - block = _SD_BLOCK_RE.search(sd_rest) fields = {} - if block: - for k, v in _PARAM_RE.findall(block.group(1)): - fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + msg = "" + + if sd_rest.startswith("-"): + msg = sd_rest[1:].lstrip() + elif sd_rest.startswith("["): + block = _SD_BLOCK_RE.search(sd_rest) + if block: + for k, v in _PARAM_RE.findall(block.group(1)): + fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + + # extract msg after the block + msg_match = re.search(r'\]\s+(.+)$', sd_rest) + if msg_match: + msg = msg_match.group(1).strip() + else: + msg = sd_rest attacker_ip = "Unknown" for fname in _IP_FIELDS: @@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None: "service": service, "event_type": event_type, "attacker_ip": attacker_ip, + "fields": json.dumps(fields), + "msg": msg, "raw_line": line } _get_json_logger().info(json.dumps(payload)) diff --git a/templates/k8s/decnet_logging.py b/templates/k8s/decnet_logging.py index 2aa0219..3840838 100644 --- a/templates/k8s/decnet_logging.py +++ b/templates/k8s/decnet_logging.py @@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger: return _json_logger + def write_syslog_file(line: str) -> None: """Append a syslog line to the rotating log file.""" try: 
@@ -176,11 +177,23 @@ def write_syslog_file(line: str) -> None: if m: ts_raw, decky, service, event_type, sd_rest = m.groups() - block = _SD_BLOCK_RE.search(sd_rest) fields = {} - if block: - for k, v in _PARAM_RE.findall(block.group(1)): - fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + msg = "" + + if sd_rest.startswith("-"): + msg = sd_rest[1:].lstrip() + elif sd_rest.startswith("["): + block = _SD_BLOCK_RE.search(sd_rest) + if block: + for k, v in _PARAM_RE.findall(block.group(1)): + fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + + # extract msg after the block + msg_match = re.search(r'\]\s+(.+)$', sd_rest) + if msg_match: + msg = msg_match.group(1).strip() + else: + msg = sd_rest attacker_ip = "Unknown" for fname in _IP_FIELDS: @@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None: "service": service, "event_type": event_type, "attacker_ip": attacker_ip, + "fields": json.dumps(fields), + "msg": msg, "raw_line": line } _get_json_logger().info(json.dumps(payload)) diff --git a/templates/ldap/decnet_logging.py b/templates/ldap/decnet_logging.py index 2aa0219..3840838 100644 --- a/templates/ldap/decnet_logging.py +++ b/templates/ldap/decnet_logging.py @@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger: return _json_logger + def write_syslog_file(line: str) -> None: """Append a syslog line to the rotating log file.""" try: 
@@ -176,11 +177,23 @@ def write_syslog_file(line: str) -> None: if m: ts_raw, decky, service, event_type, sd_rest = m.groups() - block = _SD_BLOCK_RE.search(sd_rest) fields = {} - if block: - for k, v in _PARAM_RE.findall(block.group(1)): - fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + msg = "" + + if sd_rest.startswith("-"): + msg = sd_rest[1:].lstrip() + elif sd_rest.startswith("["): + block = _SD_BLOCK_RE.search(sd_rest) + if block: + for k, v in _PARAM_RE.findall(block.group(1)): + fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + + # extract msg after the block + msg_match = re.search(r'\]\s+(.+)$', sd_rest) + if msg_match: + msg = msg_match.group(1).strip() + else: + msg = sd_rest attacker_ip = "Unknown" for fname in _IP_FIELDS: @@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None: "service": service, "event_type": event_type, "attacker_ip": attacker_ip, + "fields": json.dumps(fields), + "msg": msg, "raw_line": line } _get_json_logger().info(json.dumps(payload)) diff --git a/templates/llmnr/decnet_logging.py b/templates/llmnr/decnet_logging.py index 2aa0219..3840838 100644 --- a/templates/llmnr/decnet_logging.py +++ b/templates/llmnr/decnet_logging.py @@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger: return _json_logger + def write_syslog_file(line: str) -> None: """Append a syslog line to the rotating log file.""" try: 
@@ -176,11 +177,23 @@ def write_syslog_file(line: str) -> None: if m: ts_raw, decky, service, event_type, sd_rest = m.groups() - block = _SD_BLOCK_RE.search(sd_rest) fields = {} - if block: - for k, v in _PARAM_RE.findall(block.group(1)): - fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + msg = "" + + if sd_rest.startswith("-"): + msg = sd_rest[1:].lstrip() + elif sd_rest.startswith("["): + block = _SD_BLOCK_RE.search(sd_rest) + if block: + for k, v in _PARAM_RE.findall(block.group(1)): + fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + + # extract msg after the block + msg_match = re.search(r'\]\s+(.+)$', sd_rest) + if msg_match: + msg = msg_match.group(1).strip() + else: + msg = sd_rest attacker_ip = "Unknown" for fname in _IP_FIELDS: @@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None: "service": service, "event_type": event_type, "attacker_ip": attacker_ip, + "fields": json.dumps(fields), + "msg": msg, "raw_line": line } _get_json_logger().info(json.dumps(payload)) diff --git a/templates/mongodb/decnet_logging.py b/templates/mongodb/decnet_logging.py index 2aa0219..3840838 100644 --- a/templates/mongodb/decnet_logging.py +++ b/templates/mongodb/decnet_logging.py @@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger: return _json_logger + def write_syslog_file(line: str) -> None: """Append a syslog line to the rotating log file.""" try: 
@@ -176,11 +177,23 @@ def write_syslog_file(line: str) -> None: if m: ts_raw, decky, service, event_type, sd_rest = m.groups() - block = _SD_BLOCK_RE.search(sd_rest) fields = {} - if block: - for k, v in _PARAM_RE.findall(block.group(1)): - fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + msg = "" + + if sd_rest.startswith("-"): + msg = sd_rest[1:].lstrip() + elif sd_rest.startswith("["): + block = _SD_BLOCK_RE.search(sd_rest) + if block: + for k, v in _PARAM_RE.findall(block.group(1)): + fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + + # extract msg after the block + msg_match = re.search(r'\]\s+(.+)$', sd_rest) + if msg_match: + msg = msg_match.group(1).strip() + else: + msg = sd_rest attacker_ip = "Unknown" for fname in _IP_FIELDS: @@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None: "service": service, "event_type": event_type, "attacker_ip": attacker_ip, + "fields": json.dumps(fields), + "msg": msg, "raw_line": line } _get_json_logger().info(json.dumps(payload)) diff --git a/templates/mqtt/decnet_logging.py b/templates/mqtt/decnet_logging.py index 2aa0219..3840838 100644 --- a/templates/mqtt/decnet_logging.py +++ b/templates/mqtt/decnet_logging.py @@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger: return _json_logger + def write_syslog_file(line: str) -> None: """Append a syslog line to the rotating log file.""" try: 
@@ -176,11 +177,23 @@ def write_syslog_file(line: str) -> None: if m: ts_raw, decky, service, event_type, sd_rest = m.groups() - block = _SD_BLOCK_RE.search(sd_rest) fields = {} - if block: - for k, v in _PARAM_RE.findall(block.group(1)): - fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + msg = "" + + if sd_rest.startswith("-"): + msg = sd_rest[1:].lstrip() + elif sd_rest.startswith("["): + block = _SD_BLOCK_RE.search(sd_rest) + if block: + for k, v in _PARAM_RE.findall(block.group(1)): + fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + + # extract msg after the block + msg_match = re.search(r'\]\s+(.+)$', sd_rest) + if msg_match: + msg = msg_match.group(1).strip() + else: + msg = sd_rest attacker_ip = "Unknown" for fname in _IP_FIELDS: @@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None: "service": service, "event_type": event_type, "attacker_ip": attacker_ip, + "fields": json.dumps(fields), + "msg": msg, "raw_line": line } _get_json_logger().info(json.dumps(payload)) diff --git a/templates/mssql/decnet_logging.py b/templates/mssql/decnet_logging.py index 2aa0219..3840838 100644 --- a/templates/mssql/decnet_logging.py +++ b/templates/mssql/decnet_logging.py @@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger: return _json_logger + def write_syslog_file(line: str) -> None: """Append a syslog line to the rotating log file.""" try: 
@@ -176,11 +177,23 @@ def write_syslog_file(line: str) -> None: if m: ts_raw, decky, service, event_type, sd_rest = m.groups() - block = _SD_BLOCK_RE.search(sd_rest) fields = {} - if block: - for k, v in _PARAM_RE.findall(block.group(1)): - fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + msg = "" + + if sd_rest.startswith("-"): + msg = sd_rest[1:].lstrip() + elif sd_rest.startswith("["): + block = _SD_BLOCK_RE.search(sd_rest) + if block: + for k, v in _PARAM_RE.findall(block.group(1)): + fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + + # extract msg after the block + msg_match = re.search(r'\]\s+(.+)$', sd_rest) + if msg_match: + msg = msg_match.group(1).strip() + else: + msg = sd_rest attacker_ip = "Unknown" for fname in _IP_FIELDS: @@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None: "service": service, "event_type": event_type, "attacker_ip": attacker_ip, + "fields": json.dumps(fields), + "msg": msg, "raw_line": line } _get_json_logger().info(json.dumps(payload)) diff --git a/templates/mysql/decnet_logging.py b/templates/mysql/decnet_logging.py index 2aa0219..3840838 100644 --- a/templates/mysql/decnet_logging.py +++ b/templates/mysql/decnet_logging.py @@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger: return _json_logger + def write_syslog_file(line: str) -> None: """Append a syslog line to the rotating log file.""" try: 
@@ -176,11 +177,23 @@ def write_syslog_file(line: str) -> None: if m: ts_raw, decky, service, event_type, sd_rest = m.groups() - block = _SD_BLOCK_RE.search(sd_rest) fields = {} - if block: - for k, v in _PARAM_RE.findall(block.group(1)): - fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + msg = "" + + if sd_rest.startswith("-"): + msg = sd_rest[1:].lstrip() + elif sd_rest.startswith("["): + block = _SD_BLOCK_RE.search(sd_rest) + if block: + for k, v in _PARAM_RE.findall(block.group(1)): + fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + + # extract msg after the block + msg_match = re.search(r'\]\s+(.+)$', sd_rest) + if msg_match: + msg = msg_match.group(1).strip() + else: + msg = sd_rest attacker_ip = "Unknown" for fname in _IP_FIELDS: @@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None: "service": service, "event_type": event_type, "attacker_ip": attacker_ip, + "fields": json.dumps(fields), + "msg": msg, "raw_line": line } _get_json_logger().info(json.dumps(payload)) diff --git a/templates/pop3/decnet_logging.py b/templates/pop3/decnet_logging.py index 2aa0219..3840838 100644 --- a/templates/pop3/decnet_logging.py +++ b/templates/pop3/decnet_logging.py @@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger: return _json_logger + def write_syslog_file(line: str) -> None: """Append a syslog line to the rotating log file.""" try: 
@@ -176,11 +177,23 @@ def write_syslog_file(line: str) -> None: if m: ts_raw, decky, service, event_type, sd_rest = m.groups() - block = _SD_BLOCK_RE.search(sd_rest) fields = {} - if block: - for k, v in _PARAM_RE.findall(block.group(1)): - fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + msg = "" + + if sd_rest.startswith("-"): + msg = sd_rest[1:].lstrip() + elif sd_rest.startswith("["): + block = _SD_BLOCK_RE.search(sd_rest) + if block: + for k, v in _PARAM_RE.findall(block.group(1)): + fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + + # extract msg after the block + msg_match = re.search(r'\]\s+(.+)$', sd_rest) + if msg_match: + msg = msg_match.group(1).strip() + else: + msg = sd_rest attacker_ip = "Unknown" for fname in _IP_FIELDS: @@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None: "service": service, "event_type": event_type, "attacker_ip": attacker_ip, + "fields": json.dumps(fields), + "msg": msg, "raw_line": line } _get_json_logger().info(json.dumps(payload)) diff --git a/templates/postgres/decnet_logging.py b/templates/postgres/decnet_logging.py index 2aa0219..3840838 100644 --- a/templates/postgres/decnet_logging.py +++ b/templates/postgres/decnet_logging.py @@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger: return _json_logger + def write_syslog_file(line: str) -> None: """Append a syslog line to the rotating log file.""" try: 
@@ -176,11 +177,23 @@ def write_syslog_file(line: str) -> None: if m: ts_raw, decky, service, event_type, sd_rest = m.groups() - block = _SD_BLOCK_RE.search(sd_rest) fields = {} - if block: - for k, v in _PARAM_RE.findall(block.group(1)): - fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + msg = "" + + if sd_rest.startswith("-"): + msg = sd_rest[1:].lstrip() + elif sd_rest.startswith("["): + block = _SD_BLOCK_RE.search(sd_rest) + if block: + for k, v in _PARAM_RE.findall(block.group(1)): + fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + + # extract msg after the block + msg_match = re.search(r'\]\s+(.+)$', sd_rest) + if msg_match: + msg = msg_match.group(1).strip() + else: + msg = sd_rest attacker_ip = "Unknown" for fname in _IP_FIELDS: @@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None: "service": service, "event_type": event_type, "attacker_ip": attacker_ip, + "fields": json.dumps(fields), + "msg": msg, "raw_line": line } _get_json_logger().info(json.dumps(payload)) diff --git a/templates/rdp/decnet_logging.py b/templates/rdp/decnet_logging.py index 2aa0219..3840838 100644 --- a/templates/rdp/decnet_logging.py +++ b/templates/rdp/decnet_logging.py @@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger: return _json_logger + def write_syslog_file(line: str) -> None: """Append a syslog line to the rotating log file.""" try: 
@@ -176,11 +177,23 @@ def write_syslog_file(line: str) -> None: if m: ts_raw, decky, service, event_type, sd_rest = m.groups() - block = _SD_BLOCK_RE.search(sd_rest) fields = {} - if block: - for k, v in _PARAM_RE.findall(block.group(1)): - fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + msg = "" + + if sd_rest.startswith("-"): + msg = sd_rest[1:].lstrip() + elif sd_rest.startswith("["): + block = _SD_BLOCK_RE.search(sd_rest) + if block: + for k, v in _PARAM_RE.findall(block.group(1)): + fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + + # extract msg after the block + msg_match = re.search(r'\]\s+(.+)$', sd_rest) + if msg_match: + msg = msg_match.group(1).strip() + else: + msg = sd_rest attacker_ip = "Unknown" for fname in _IP_FIELDS: @@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None: "service": service, "event_type": event_type, "attacker_ip": attacker_ip, + "fields": json.dumps(fields), + "msg": msg, "raw_line": line } _get_json_logger().info(json.dumps(payload)) diff --git a/templates/redis/decnet_logging.py b/templates/redis/decnet_logging.py index 2aa0219..3840838 100644 --- a/templates/redis/decnet_logging.py +++ b/templates/redis/decnet_logging.py @@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger: return _json_logger + def write_syslog_file(line: str) -> None: """Append a syslog line to the rotating log file.""" try: 
@@ -176,11 +177,23 @@ def write_syslog_file(line: str) -> None: if m: ts_raw, decky, service, event_type, sd_rest = m.groups() - block = _SD_BLOCK_RE.search(sd_rest) fields = {} - if block: - for k, v in _PARAM_RE.findall(block.group(1)): - fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + msg = "" + + if sd_rest.startswith("-"): + msg = sd_rest[1:].lstrip() + elif sd_rest.startswith("["): + block = _SD_BLOCK_RE.search(sd_rest) + if block: + for k, v in _PARAM_RE.findall(block.group(1)): + fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + + # extract msg after the block + msg_match = re.search(r'\]\s+(.+)$', sd_rest) + if msg_match: + msg = msg_match.group(1).strip() + else: + msg = sd_rest attacker_ip = "Unknown" for fname in _IP_FIELDS: @@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None: "service": service, "event_type": event_type, "attacker_ip": attacker_ip, + "fields": json.dumps(fields), + "msg": msg, "raw_line": line } _get_json_logger().info(json.dumps(payload)) diff --git a/templates/sip/decnet_logging.py b/templates/sip/decnet_logging.py index 2aa0219..3840838 100644 --- a/templates/sip/decnet_logging.py +++ b/templates/sip/decnet_logging.py @@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger: return _json_logger + def write_syslog_file(line: str) -> None: """Append a syslog line to the rotating log file.""" try: 
@@ -176,11 +177,23 @@ def write_syslog_file(line: str) -> None: if m: ts_raw, decky, service, event_type, sd_rest = m.groups() - block = _SD_BLOCK_RE.search(sd_rest) fields = {} - if block: - for k, v in _PARAM_RE.findall(block.group(1)): - fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + msg = "" + + if sd_rest.startswith("-"): + msg = sd_rest[1:].lstrip() + elif sd_rest.startswith("["): + block = _SD_BLOCK_RE.search(sd_rest) + if block: + for k, v in _PARAM_RE.findall(block.group(1)): + fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + + # extract msg after the block + msg_match = re.search(r'\]\s+(.+)$', sd_rest) + if msg_match: + msg = msg_match.group(1).strip() + else: + msg = sd_rest attacker_ip = "Unknown" for fname in _IP_FIELDS: @@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None: "service": service, "event_type": event_type, "attacker_ip": attacker_ip, + "fields": json.dumps(fields), + "msg": msg, "raw_line": line } _get_json_logger().info(json.dumps(payload)) diff --git a/templates/smb/decnet_logging.py b/templates/smb/decnet_logging.py index 2aa0219..3840838 100644 --- a/templates/smb/decnet_logging.py +++ b/templates/smb/decnet_logging.py @@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger: return _json_logger + def write_syslog_file(line: str) -> None: """Append a syslog line to the rotating log file.""" try: 
@@ -176,11 +177,23 @@ def write_syslog_file(line: str) -> None: if m: ts_raw, decky, service, event_type, sd_rest = m.groups() - block = _SD_BLOCK_RE.search(sd_rest) fields = {} - if block: - for k, v in _PARAM_RE.findall(block.group(1)): - fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + msg = "" + + if sd_rest.startswith("-"): + msg = sd_rest[1:].lstrip() + elif sd_rest.startswith("["): + block = _SD_BLOCK_RE.search(sd_rest) + if block: + for k, v in _PARAM_RE.findall(block.group(1)): + fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + + # extract msg after the block + msg_match = re.search(r'\]\s+(.+)$', sd_rest) + if msg_match: + msg = msg_match.group(1).strip() + else: + msg = sd_rest attacker_ip = "Unknown" for fname in _IP_FIELDS: @@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None: "service": service, "event_type": event_type, "attacker_ip": attacker_ip, + "fields": json.dumps(fields), + "msg": msg, "raw_line": line } _get_json_logger().info(json.dumps(payload)) diff --git a/templates/smtp/decnet_logging.py b/templates/smtp/decnet_logging.py index 2aa0219..3840838 100644 --- a/templates/smtp/decnet_logging.py +++ b/templates/smtp/decnet_logging.py @@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger: return _json_logger + def write_syslog_file(line: str) -> None: """Append a syslog line to the rotating log file.""" try: 
@@ -176,11 +177,23 @@ def write_syslog_file(line: str) -> None: if m: ts_raw, decky, service, event_type, sd_rest = m.groups() - block = _SD_BLOCK_RE.search(sd_rest) fields = {} - if block: - for k, v in _PARAM_RE.findall(block.group(1)): - fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + msg = "" + + if sd_rest.startswith("-"): + msg = sd_rest[1:].lstrip() + elif sd_rest.startswith("["): + block = _SD_BLOCK_RE.search(sd_rest) + if block: + for k, v in _PARAM_RE.findall(block.group(1)): + fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + + # extract msg after the block + msg_match = re.search(r'\]\s+(.+)$', sd_rest) + if msg_match: + msg = msg_match.group(1).strip() + else: + msg = sd_rest attacker_ip = "Unknown" for fname in _IP_FIELDS: @@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None: "service": service, "event_type": event_type, "attacker_ip": attacker_ip, + "fields": json.dumps(fields), + "msg": msg, "raw_line": line } _get_json_logger().info(json.dumps(payload)) diff --git a/templates/snmp/decnet_logging.py b/templates/snmp/decnet_logging.py index 2aa0219..3840838 100644 --- a/templates/snmp/decnet_logging.py +++ b/templates/snmp/decnet_logging.py @@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger: return _json_logger + def write_syslog_file(line: str) -> None: """Append a syslog line to the rotating log file.""" try: 
@@ -176,11 +177,23 @@ def write_syslog_file(line: str) -> None: if m: ts_raw, decky, service, event_type, sd_rest = m.groups() - block = _SD_BLOCK_RE.search(sd_rest) fields = {} - if block: - for k, v in _PARAM_RE.findall(block.group(1)): - fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + msg = "" + + if sd_rest.startswith("-"): + msg = sd_rest[1:].lstrip() + elif sd_rest.startswith("["): + block = _SD_BLOCK_RE.search(sd_rest) + if block: + for k, v in _PARAM_RE.findall(block.group(1)): + fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + + # extract msg after the block + msg_match = re.search(r'\]\s+(.+)$', sd_rest) + if msg_match: + msg = msg_match.group(1).strip() + else: + msg = sd_rest attacker_ip = "Unknown" for fname in _IP_FIELDS: @@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None: "service": service, "event_type": event_type, "attacker_ip": attacker_ip, + "fields": json.dumps(fields), + "msg": msg, "raw_line": line } _get_json_logger().info(json.dumps(payload)) diff --git a/templates/tftp/decnet_logging.py b/templates/tftp/decnet_logging.py index 2aa0219..3840838 100644 --- a/templates/tftp/decnet_logging.py +++ b/templates/tftp/decnet_logging.py @@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger: return _json_logger + def write_syslog_file(line: str) -> None: """Append a syslog line to the rotating log file.""" try: 
@@ -176,11 +177,23 @@ def write_syslog_file(line: str) -> None: if m: ts_raw, decky, service, event_type, sd_rest = m.groups() - block = _SD_BLOCK_RE.search(sd_rest) fields = {} - if block: - for k, v in _PARAM_RE.findall(block.group(1)): - fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + msg = "" + + if sd_rest.startswith("-"): + msg = sd_rest[1:].lstrip() + elif sd_rest.startswith("["): + block = _SD_BLOCK_RE.search(sd_rest) + if block: + for k, v in _PARAM_RE.findall(block.group(1)): + fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + + # extract msg after the block + msg_match = re.search(r'\]\s+(.+)$', sd_rest) + if msg_match: + msg = msg_match.group(1).strip() + else: + msg = sd_rest attacker_ip = "Unknown" for fname in _IP_FIELDS: @@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None: "service": service, "event_type": event_type, "attacker_ip": attacker_ip, + "fields": json.dumps(fields), + "msg": msg, "raw_line": line } _get_json_logger().info(json.dumps(payload)) diff --git a/templates/vnc/decnet_logging.py b/templates/vnc/decnet_logging.py index 2aa0219..3840838 100644 --- a/templates/vnc/decnet_logging.py +++ b/templates/vnc/decnet_logging.py @@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger: return _json_logger + def write_syslog_file(line: str) -> None: """Append a syslog line to the rotating log file.""" try: 
@@ -176,11 +177,23 @@ def write_syslog_file(line: str) -> None: if m: ts_raw, decky, service, event_type, sd_rest = m.groups() - block = _SD_BLOCK_RE.search(sd_rest) fields = {} - if block: - for k, v in _PARAM_RE.findall(block.group(1)): - fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + msg = "" + + if sd_rest.startswith("-"): + msg = sd_rest[1:].lstrip() + elif sd_rest.startswith("["): + block = _SD_BLOCK_RE.search(sd_rest) + if block: + for k, v in _PARAM_RE.findall(block.group(1)): + fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") + + # extract msg after the block + msg_match = re.search(r'\]\s+(.+)$', sd_rest) + if msg_match: + msg = msg_match.group(1).strip() + else: + msg = sd_rest attacker_ip = "Unknown" for fname in _IP_FIELDS: @@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None: "service": service, "event_type": event_type, "attacker_ip": attacker_ip, + "fields": json.dumps(fields), + "msg": msg, "raw_line": line } _get_json_logger().info(json.dumps(payload))