anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat: parse RFC 5424 fields and msg directly in backend

Browse Source
This commit is contained in:
anti
2026-04-07 15:56:01 -04:00
parent 5f637b5272
commit 7bc8d75242
24 changed files with 456 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
decnet/web/sqlite_repository.py
View File

@@ -20,9 +20,19 @@ class SQLiteRepository(BaseRepository):
service TEXT, service TEXT,
event_type TEXT, event_type TEXT,
attacker_ip TEXT, attacker_ip TEXT,
raw_line TEXT raw_line TEXT,
fields TEXT,
msg TEXT
) )
""") """)
try:
await db.execute("ALTER TABLE logs ADD COLUMN fields TEXT")
except aiosqlite.OperationalError:
pass
try:
await db.execute("ALTER TABLE logs ADD COLUMN msg TEXT")
except aiosqlite.OperationalError:
pass
# Users table (internal RBAC) # Users table (internal RBAC)
await db.execute(""" await db.execute("""
CREATE TABLE IF NOT EXISTS users ( CREATE TABLE IF NOT EXISTS users (
@@ -44,25 +54,29 @@ class SQLiteRepository(BaseRepository):
timestamp = log_data.get("timestamp") timestamp = log_data.get("timestamp")
if timestamp: if timestamp:
await db.execute( await db.execute(
"INSERT INTO logs (timestamp, decky, service, event_type, attacker_ip, raw_line) VALUES (?, ?, ?, ?, ?, ?)", "INSERT INTO logs (timestamp, decky, service, event_type, attacker_ip, raw_line, fields, msg) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
( (
timestamp, timestamp,
log_data.get("decky"), log_data.get("decky"),
log_data.get("service"), log_data.get("service"),
log_data.get("event_type"), log_data.get("event_type"),
log_data.get("attacker_ip"), log_data.get("attacker_ip"),
log_data.get("raw_line") log_data.get("raw_line"),
log_data.get("fields"),
log_data.get("msg")
) )
) )
else: else:
await db.execute( await db.execute(
"INSERT INTO logs (decky, service, event_type, attacker_ip, raw_line) VALUES (?, ?, ?, ?, ?)", "INSERT INTO logs (decky, service, event_type, attacker_ip, raw_line, fields, msg) VALUES (?, ?, ?, ?, ?, ?, ?)",
( (
log_data.get("decky"), log_data.get("decky"),
log_data.get("service"), log_data.get("service"),
log_data.get("event_type"), log_data.get("event_type"),
log_data.get("attacker_ip"), log_data.get("attacker_ip"),
log_data.get("raw_line") log_data.get("raw_line"),
log_data.get("fields"),
log_data.get("msg")
) )
) )
await db.commit() await db.commit()

17
templates/decnet_logging.py
View File

@@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger:
return _json_logger return _json_logger
def write_syslog_file(line: str) -> None: def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file.""" """Append a syslog line to the rotating log file."""
try: try:
@@ -176,12 +177,24 @@ def write_syslog_file(line: str) -> None:
if m: if m:
ts_raw, decky, service, event_type, sd_rest = m.groups() ts_raw, decky, service, event_type, sd_rest = m.groups()
block = _SD_BLOCK_RE.search(sd_rest)
fields = {} fields = {}
msg = ""
if sd_rest.startswith("-"):
msg = sd_rest[1:].lstrip()
elif sd_rest.startswith("["):
block = _SD_BLOCK_RE.search(sd_rest)
if block: if block:
for k, v in _PARAM_RE.findall(block.group(1)): for k, v in _PARAM_RE.findall(block.group(1)):
fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
msg_match = re.search(r'\]\s+(.+)$', sd_rest)
if msg_match:
msg = msg_match.group(1).strip()
else:
msg = sd_rest
attacker_ip = "Unknown" attacker_ip = "Unknown"
for fname in _IP_FIELDS: for fname in _IP_FIELDS:
if fname in fields: if fname in fields:
@@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None:
"service": service, "service": service,
"event_type": event_type, "event_type": event_type,
"attacker_ip": attacker_ip, "attacker_ip": attacker_ip,
"fields": json.dumps(fields),
"msg": msg,
"raw_line": line "raw_line": line
} }
_get_json_logger().info(json.dumps(payload)) _get_json_logger().info(json.dumps(payload))

17
templates/docker_api/decnet_logging.py
View File

@@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger:
return _json_logger return _json_logger
def write_syslog_file(line: str) -> None: def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file.""" """Append a syslog line to the rotating log file."""
try: try:
@@ -176,12 +177,24 @@ def write_syslog_file(line: str) -> None:
if m: if m:
ts_raw, decky, service, event_type, sd_rest = m.groups() ts_raw, decky, service, event_type, sd_rest = m.groups()
block = _SD_BLOCK_RE.search(sd_rest)
fields = {} fields = {}
msg = ""
if sd_rest.startswith("-"):
msg = sd_rest[1:].lstrip()
elif sd_rest.startswith("["):
block = _SD_BLOCK_RE.search(sd_rest)
if block: if block:
for k, v in _PARAM_RE.findall(block.group(1)): for k, v in _PARAM_RE.findall(block.group(1)):
fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
msg_match = re.search(r'\]\s+(.+)$', sd_rest)
if msg_match:
msg = msg_match.group(1).strip()
else:
msg = sd_rest
attacker_ip = "Unknown" attacker_ip = "Unknown"
for fname in _IP_FIELDS: for fname in _IP_FIELDS:
if fname in fields: if fname in fields:
@@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None:
"service": service, "service": service,
"event_type": event_type, "event_type": event_type,
"attacker_ip": attacker_ip, "attacker_ip": attacker_ip,
"fields": json.dumps(fields),
"msg": msg,
"raw_line": line "raw_line": line
} }
_get_json_logger().info(json.dumps(payload)) _get_json_logger().info(json.dumps(payload))

17
templates/elasticsearch/decnet_logging.py
View File

@@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger:
return _json_logger return _json_logger
def write_syslog_file(line: str) -> None: def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file.""" """Append a syslog line to the rotating log file."""
try: try:
@@ -176,12 +177,24 @@ def write_syslog_file(line: str) -> None:
if m: if m:
ts_raw, decky, service, event_type, sd_rest = m.groups() ts_raw, decky, service, event_type, sd_rest = m.groups()
block = _SD_BLOCK_RE.search(sd_rest)
fields = {} fields = {}
msg = ""
if sd_rest.startswith("-"):
msg = sd_rest[1:].lstrip()
elif sd_rest.startswith("["):
block = _SD_BLOCK_RE.search(sd_rest)
if block: if block:
for k, v in _PARAM_RE.findall(block.group(1)): for k, v in _PARAM_RE.findall(block.group(1)):
fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
msg_match = re.search(r'\]\s+(.+)$', sd_rest)
if msg_match:
msg = msg_match.group(1).strip()
else:
msg = sd_rest
attacker_ip = "Unknown" attacker_ip = "Unknown"
for fname in _IP_FIELDS: for fname in _IP_FIELDS:
if fname in fields: if fname in fields:
@@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None:
"service": service, "service": service,
"event_type": event_type, "event_type": event_type,
"attacker_ip": attacker_ip, "attacker_ip": attacker_ip,
"fields": json.dumps(fields),
"msg": msg,
"raw_line": line "raw_line": line
} }
_get_json_logger().info(json.dumps(payload)) _get_json_logger().info(json.dumps(payload))

17
templates/ftp/decnet_logging.py
View File

@@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger:
return _json_logger return _json_logger
def write_syslog_file(line: str) -> None: def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file.""" """Append a syslog line to the rotating log file."""
try: try:
@@ -176,12 +177,24 @@ def write_syslog_file(line: str) -> None:
if m: if m:
ts_raw, decky, service, event_type, sd_rest = m.groups() ts_raw, decky, service, event_type, sd_rest = m.groups()
block = _SD_BLOCK_RE.search(sd_rest)
fields = {} fields = {}
msg = ""
if sd_rest.startswith("-"):
msg = sd_rest[1:].lstrip()
elif sd_rest.startswith("["):
block = _SD_BLOCK_RE.search(sd_rest)
if block: if block:
for k, v in _PARAM_RE.findall(block.group(1)): for k, v in _PARAM_RE.findall(block.group(1)):
fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
msg_match = re.search(r'\]\s+(.+)$', sd_rest)
if msg_match:
msg = msg_match.group(1).strip()
else:
msg = sd_rest
attacker_ip = "Unknown" attacker_ip = "Unknown"
for fname in _IP_FIELDS: for fname in _IP_FIELDS:
if fname in fields: if fname in fields:
@@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None:
"service": service, "service": service,
"event_type": event_type, "event_type": event_type,
"attacker_ip": attacker_ip, "attacker_ip": attacker_ip,
"fields": json.dumps(fields),
"msg": msg,
"raw_line": line "raw_line": line
} }
_get_json_logger().info(json.dumps(payload)) _get_json_logger().info(json.dumps(payload))

17
templates/http/decnet_logging.py
View File

@@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger:
return _json_logger return _json_logger
def write_syslog_file(line: str) -> None: def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file.""" """Append a syslog line to the rotating log file."""
try: try:
@@ -176,12 +177,24 @@ def write_syslog_file(line: str) -> None:
if m: if m:
ts_raw, decky, service, event_type, sd_rest = m.groups() ts_raw, decky, service, event_type, sd_rest = m.groups()
block = _SD_BLOCK_RE.search(sd_rest)
fields = {} fields = {}
msg = ""
if sd_rest.startswith("-"):
msg = sd_rest[1:].lstrip()
elif sd_rest.startswith("["):
block = _SD_BLOCK_RE.search(sd_rest)
if block: if block:
for k, v in _PARAM_RE.findall(block.group(1)): for k, v in _PARAM_RE.findall(block.group(1)):
fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
msg_match = re.search(r'\]\s+(.+)$', sd_rest)
if msg_match:
msg = msg_match.group(1).strip()
else:
msg = sd_rest
attacker_ip = "Unknown" attacker_ip = "Unknown"
for fname in _IP_FIELDS: for fname in _IP_FIELDS:
if fname in fields: if fname in fields:
@@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None:
"service": service, "service": service,
"event_type": event_type, "event_type": event_type,
"attacker_ip": attacker_ip, "attacker_ip": attacker_ip,
"fields": json.dumps(fields),
"msg": msg,
"raw_line": line "raw_line": line
} }
_get_json_logger().info(json.dumps(payload)) _get_json_logger().info(json.dumps(payload))

17
templates/imap/decnet_logging.py
View File

@@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger:
return _json_logger return _json_logger
def write_syslog_file(line: str) -> None: def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file.""" """Append a syslog line to the rotating log file."""
try: try:
@@ -176,12 +177,24 @@ def write_syslog_file(line: str) -> None:
if m: if m:
ts_raw, decky, service, event_type, sd_rest = m.groups() ts_raw, decky, service, event_type, sd_rest = m.groups()
block = _SD_BLOCK_RE.search(sd_rest)
fields = {} fields = {}
msg = ""
if sd_rest.startswith("-"):
msg = sd_rest[1:].lstrip()
elif sd_rest.startswith("["):
block = _SD_BLOCK_RE.search(sd_rest)
if block: if block:
for k, v in _PARAM_RE.findall(block.group(1)): for k, v in _PARAM_RE.findall(block.group(1)):
fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
msg_match = re.search(r'\]\s+(.+)$', sd_rest)
if msg_match:
msg = msg_match.group(1).strip()
else:
msg = sd_rest
attacker_ip = "Unknown" attacker_ip = "Unknown"
for fname in _IP_FIELDS: for fname in _IP_FIELDS:
if fname in fields: if fname in fields:
@@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None:
"service": service, "service": service,
"event_type": event_type, "event_type": event_type,
"attacker_ip": attacker_ip, "attacker_ip": attacker_ip,
"fields": json.dumps(fields),
"msg": msg,
"raw_line": line "raw_line": line
} }
_get_json_logger().info(json.dumps(payload)) _get_json_logger().info(json.dumps(payload))

17
templates/k8s/decnet_logging.py
View File

@@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger:
return _json_logger return _json_logger
def write_syslog_file(line: str) -> None: def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file.""" """Append a syslog line to the rotating log file."""
try: try:
@@ -176,12 +177,24 @@ def write_syslog_file(line: str) -> None:
if m: if m:
ts_raw, decky, service, event_type, sd_rest = m.groups() ts_raw, decky, service, event_type, sd_rest = m.groups()
block = _SD_BLOCK_RE.search(sd_rest)
fields = {} fields = {}
msg = ""
if sd_rest.startswith("-"):
msg = sd_rest[1:].lstrip()
elif sd_rest.startswith("["):
block = _SD_BLOCK_RE.search(sd_rest)
if block: if block:
for k, v in _PARAM_RE.findall(block.group(1)): for k, v in _PARAM_RE.findall(block.group(1)):
fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
msg_match = re.search(r'\]\s+(.+)$', sd_rest)
if msg_match:
msg = msg_match.group(1).strip()
else:
msg = sd_rest
attacker_ip = "Unknown" attacker_ip = "Unknown"
for fname in _IP_FIELDS: for fname in _IP_FIELDS:
if fname in fields: if fname in fields:
@@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None:
"service": service, "service": service,
"event_type": event_type, "event_type": event_type,
"attacker_ip": attacker_ip, "attacker_ip": attacker_ip,
"fields": json.dumps(fields),
"msg": msg,
"raw_line": line "raw_line": line
} }
_get_json_logger().info(json.dumps(payload)) _get_json_logger().info(json.dumps(payload))

17
templates/ldap/decnet_logging.py
View File

@@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger:
return _json_logger return _json_logger
def write_syslog_file(line: str) -> None: def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file.""" """Append a syslog line to the rotating log file."""
try: try:
@@ -176,12 +177,24 @@ def write_syslog_file(line: str) -> None:
if m: if m:
ts_raw, decky, service, event_type, sd_rest = m.groups() ts_raw, decky, service, event_type, sd_rest = m.groups()
block = _SD_BLOCK_RE.search(sd_rest)
fields = {} fields = {}
msg = ""
if sd_rest.startswith("-"):
msg = sd_rest[1:].lstrip()
elif sd_rest.startswith("["):
block = _SD_BLOCK_RE.search(sd_rest)
if block: if block:
for k, v in _PARAM_RE.findall(block.group(1)): for k, v in _PARAM_RE.findall(block.group(1)):
fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
msg_match = re.search(r'\]\s+(.+)$', sd_rest)
if msg_match:
msg = msg_match.group(1).strip()
else:
msg = sd_rest
attacker_ip = "Unknown" attacker_ip = "Unknown"
for fname in _IP_FIELDS: for fname in _IP_FIELDS:
if fname in fields: if fname in fields:
@@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None:
"service": service, "service": service,
"event_type": event_type, "event_type": event_type,
"attacker_ip": attacker_ip, "attacker_ip": attacker_ip,
"fields": json.dumps(fields),
"msg": msg,
"raw_line": line "raw_line": line
} }
_get_json_logger().info(json.dumps(payload)) _get_json_logger().info(json.dumps(payload))

17
templates/llmnr/decnet_logging.py
View File

@@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger:
return _json_logger return _json_logger
def write_syslog_file(line: str) -> None: def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file.""" """Append a syslog line to the rotating log file."""
try: try:
@@ -176,12 +177,24 @@ def write_syslog_file(line: str) -> None:
if m: if m:
ts_raw, decky, service, event_type, sd_rest = m.groups() ts_raw, decky, service, event_type, sd_rest = m.groups()
block = _SD_BLOCK_RE.search(sd_rest)
fields = {} fields = {}
msg = ""
if sd_rest.startswith("-"):
msg = sd_rest[1:].lstrip()
elif sd_rest.startswith("["):
block = _SD_BLOCK_RE.search(sd_rest)
if block: if block:
for k, v in _PARAM_RE.findall(block.group(1)): for k, v in _PARAM_RE.findall(block.group(1)):
fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
msg_match = re.search(r'\]\s+(.+)$', sd_rest)
if msg_match:
msg = msg_match.group(1).strip()
else:
msg = sd_rest
attacker_ip = "Unknown" attacker_ip = "Unknown"
for fname in _IP_FIELDS: for fname in _IP_FIELDS:
if fname in fields: if fname in fields:
@@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None:
"service": service, "service": service,
"event_type": event_type, "event_type": event_type,
"attacker_ip": attacker_ip, "attacker_ip": attacker_ip,
"fields": json.dumps(fields),
"msg": msg,
"raw_line": line "raw_line": line
} }
_get_json_logger().info(json.dumps(payload)) _get_json_logger().info(json.dumps(payload))

17
templates/mongodb/decnet_logging.py
View File

@@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger:
return _json_logger return _json_logger
def write_syslog_file(line: str) -> None: def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file.""" """Append a syslog line to the rotating log file."""
try: try:
@@ -176,12 +177,24 @@ def write_syslog_file(line: str) -> None:
if m: if m:
ts_raw, decky, service, event_type, sd_rest = m.groups() ts_raw, decky, service, event_type, sd_rest = m.groups()
block = _SD_BLOCK_RE.search(sd_rest)
fields = {} fields = {}
msg = ""
if sd_rest.startswith("-"):
msg = sd_rest[1:].lstrip()
elif sd_rest.startswith("["):
block = _SD_BLOCK_RE.search(sd_rest)
if block: if block:
for k, v in _PARAM_RE.findall(block.group(1)): for k, v in _PARAM_RE.findall(block.group(1)):
fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
msg_match = re.search(r'\]\s+(.+)$', sd_rest)
if msg_match:
msg = msg_match.group(1).strip()
else:
msg = sd_rest
attacker_ip = "Unknown" attacker_ip = "Unknown"
for fname in _IP_FIELDS: for fname in _IP_FIELDS:
if fname in fields: if fname in fields:
@@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None:
"service": service, "service": service,
"event_type": event_type, "event_type": event_type,
"attacker_ip": attacker_ip, "attacker_ip": attacker_ip,
"fields": json.dumps(fields),
"msg": msg,
"raw_line": line "raw_line": line
} }
_get_json_logger().info(json.dumps(payload)) _get_json_logger().info(json.dumps(payload))

17
templates/mqtt/decnet_logging.py
View File

@@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger:
return _json_logger return _json_logger
def write_syslog_file(line: str) -> None: def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file.""" """Append a syslog line to the rotating log file."""
try: try:
@@ -176,12 +177,24 @@ def write_syslog_file(line: str) -> None:
if m: if m:
ts_raw, decky, service, event_type, sd_rest = m.groups() ts_raw, decky, service, event_type, sd_rest = m.groups()
block = _SD_BLOCK_RE.search(sd_rest)
fields = {} fields = {}
msg = ""
if sd_rest.startswith("-"):
msg = sd_rest[1:].lstrip()
elif sd_rest.startswith("["):
block = _SD_BLOCK_RE.search(sd_rest)
if block: if block:
for k, v in _PARAM_RE.findall(block.group(1)): for k, v in _PARAM_RE.findall(block.group(1)):
fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
msg_match = re.search(r'\]\s+(.+)$', sd_rest)
if msg_match:
msg = msg_match.group(1).strip()
else:
msg = sd_rest
attacker_ip = "Unknown" attacker_ip = "Unknown"
for fname in _IP_FIELDS: for fname in _IP_FIELDS:
if fname in fields: if fname in fields:
@@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None:
"service": service, "service": service,
"event_type": event_type, "event_type": event_type,
"attacker_ip": attacker_ip, "attacker_ip": attacker_ip,
"fields": json.dumps(fields),
"msg": msg,
"raw_line": line "raw_line": line
} }
_get_json_logger().info(json.dumps(payload)) _get_json_logger().info(json.dumps(payload))

17
templates/mssql/decnet_logging.py
View File

@@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger:
return _json_logger return _json_logger
def write_syslog_file(line: str) -> None: def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file.""" """Append a syslog line to the rotating log file."""
try: try:
@@ -176,12 +177,24 @@ def write_syslog_file(line: str) -> None:
if m: if m:
ts_raw, decky, service, event_type, sd_rest = m.groups() ts_raw, decky, service, event_type, sd_rest = m.groups()
block = _SD_BLOCK_RE.search(sd_rest)
fields = {} fields = {}
msg = ""
if sd_rest.startswith("-"):
msg = sd_rest[1:].lstrip()
elif sd_rest.startswith("["):
block = _SD_BLOCK_RE.search(sd_rest)
if block: if block:
for k, v in _PARAM_RE.findall(block.group(1)): for k, v in _PARAM_RE.findall(block.group(1)):
fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
msg_match = re.search(r'\]\s+(.+)$', sd_rest)
if msg_match:
msg = msg_match.group(1).strip()
else:
msg = sd_rest
attacker_ip = "Unknown" attacker_ip = "Unknown"
for fname in _IP_FIELDS: for fname in _IP_FIELDS:
if fname in fields: if fname in fields:
@@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None:
"service": service, "service": service,
"event_type": event_type, "event_type": event_type,
"attacker_ip": attacker_ip, "attacker_ip": attacker_ip,
"fields": json.dumps(fields),
"msg": msg,
"raw_line": line "raw_line": line
} }
_get_json_logger().info(json.dumps(payload)) _get_json_logger().info(json.dumps(payload))

17
templates/mysql/decnet_logging.py
View File

@@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger:
return _json_logger return _json_logger
def write_syslog_file(line: str) -> None: def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file.""" """Append a syslog line to the rotating log file."""
try: try:
@@ -176,12 +177,24 @@ def write_syslog_file(line: str) -> None:
if m: if m:
ts_raw, decky, service, event_type, sd_rest = m.groups() ts_raw, decky, service, event_type, sd_rest = m.groups()
block = _SD_BLOCK_RE.search(sd_rest)
fields = {} fields = {}
msg = ""
if sd_rest.startswith("-"):
msg = sd_rest[1:].lstrip()
elif sd_rest.startswith("["):
block = _SD_BLOCK_RE.search(sd_rest)
if block: if block:
for k, v in _PARAM_RE.findall(block.group(1)): for k, v in _PARAM_RE.findall(block.group(1)):
fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
msg_match = re.search(r'\]\s+(.+)$', sd_rest)
if msg_match:
msg = msg_match.group(1).strip()
else:
msg = sd_rest
attacker_ip = "Unknown" attacker_ip = "Unknown"
for fname in _IP_FIELDS: for fname in _IP_FIELDS:
if fname in fields: if fname in fields:
@@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None:
"service": service, "service": service,
"event_type": event_type, "event_type": event_type,
"attacker_ip": attacker_ip, "attacker_ip": attacker_ip,
"fields": json.dumps(fields),
"msg": msg,
"raw_line": line "raw_line": line
} }
_get_json_logger().info(json.dumps(payload)) _get_json_logger().info(json.dumps(payload))

17
templates/pop3/decnet_logging.py
View File

@@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger:
return _json_logger return _json_logger
def write_syslog_file(line: str) -> None: def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file.""" """Append a syslog line to the rotating log file."""
try: try:
@@ -176,12 +177,24 @@ def write_syslog_file(line: str) -> None:
if m: if m:
ts_raw, decky, service, event_type, sd_rest = m.groups() ts_raw, decky, service, event_type, sd_rest = m.groups()
block = _SD_BLOCK_RE.search(sd_rest)
fields = {} fields = {}
msg = ""
if sd_rest.startswith("-"):
msg = sd_rest[1:].lstrip()
elif sd_rest.startswith("["):
block = _SD_BLOCK_RE.search(sd_rest)
if block: if block:
for k, v in _PARAM_RE.findall(block.group(1)): for k, v in _PARAM_RE.findall(block.group(1)):
fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
msg_match = re.search(r'\]\s+(.+)$', sd_rest)
if msg_match:
msg = msg_match.group(1).strip()
else:
msg = sd_rest
attacker_ip = "Unknown" attacker_ip = "Unknown"
for fname in _IP_FIELDS: for fname in _IP_FIELDS:
if fname in fields: if fname in fields:
@@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None:
"service": service, "service": service,
"event_type": event_type, "event_type": event_type,
"attacker_ip": attacker_ip, "attacker_ip": attacker_ip,
"fields": json.dumps(fields),
"msg": msg,
"raw_line": line "raw_line": line
} }
_get_json_logger().info(json.dumps(payload)) _get_json_logger().info(json.dumps(payload))

17
templates/postgres/decnet_logging.py
View File

@@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger:
return _json_logger return _json_logger
def write_syslog_file(line: str) -> None: def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file.""" """Append a syslog line to the rotating log file."""
try: try:
@@ -176,12 +177,24 @@ def write_syslog_file(line: str) -> None:
if m: if m:
ts_raw, decky, service, event_type, sd_rest = m.groups() ts_raw, decky, service, event_type, sd_rest = m.groups()
block = _SD_BLOCK_RE.search(sd_rest)
fields = {} fields = {}
msg = ""
if sd_rest.startswith("-"):
msg = sd_rest[1:].lstrip()
elif sd_rest.startswith("["):
block = _SD_BLOCK_RE.search(sd_rest)
if block: if block:
for k, v in _PARAM_RE.findall(block.group(1)): for k, v in _PARAM_RE.findall(block.group(1)):
fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
msg_match = re.search(r'\]\s+(.+)$', sd_rest)
if msg_match:
msg = msg_match.group(1).strip()
else:
msg = sd_rest
attacker_ip = "Unknown" attacker_ip = "Unknown"
for fname in _IP_FIELDS: for fname in _IP_FIELDS:
if fname in fields: if fname in fields:
@@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None:
"service": service, "service": service,
"event_type": event_type, "event_type": event_type,
"attacker_ip": attacker_ip, "attacker_ip": attacker_ip,
"fields": json.dumps(fields),
"msg": msg,
"raw_line": line "raw_line": line
} }
_get_json_logger().info(json.dumps(payload)) _get_json_logger().info(json.dumps(payload))

17
templates/rdp/decnet_logging.py
View File

@@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger:
return _json_logger return _json_logger
def write_syslog_file(line: str) -> None: def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file.""" """Append a syslog line to the rotating log file."""
try: try:
@@ -176,12 +177,24 @@ def write_syslog_file(line: str) -> None:
if m: if m:
ts_raw, decky, service, event_type, sd_rest = m.groups() ts_raw, decky, service, event_type, sd_rest = m.groups()
block = _SD_BLOCK_RE.search(sd_rest)
fields = {} fields = {}
msg = ""
if sd_rest.startswith("-"):
msg = sd_rest[1:].lstrip()
elif sd_rest.startswith("["):
block = _SD_BLOCK_RE.search(sd_rest)
if block: if block:
for k, v in _PARAM_RE.findall(block.group(1)): for k, v in _PARAM_RE.findall(block.group(1)):
fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
msg_match = re.search(r'\]\s+(.+)$', sd_rest)
if msg_match:
msg = msg_match.group(1).strip()
else:
msg = sd_rest
attacker_ip = "Unknown" attacker_ip = "Unknown"
for fname in _IP_FIELDS: for fname in _IP_FIELDS:
if fname in fields: if fname in fields:
@@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None:
"service": service, "service": service,
"event_type": event_type, "event_type": event_type,
"attacker_ip": attacker_ip, "attacker_ip": attacker_ip,
"fields": json.dumps(fields),
"msg": msg,
"raw_line": line "raw_line": line
} }
_get_json_logger().info(json.dumps(payload)) _get_json_logger().info(json.dumps(payload))

17
templates/redis/decnet_logging.py
View File

@@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger:
return _json_logger return _json_logger
def write_syslog_file(line: str) -> None: def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file.""" """Append a syslog line to the rotating log file."""
try: try:
@@ -176,12 +177,24 @@ def write_syslog_file(line: str) -> None:
if m: if m:
ts_raw, decky, service, event_type, sd_rest = m.groups() ts_raw, decky, service, event_type, sd_rest = m.groups()
block = _SD_BLOCK_RE.search(sd_rest)
fields = {} fields = {}
msg = ""
if sd_rest.startswith("-"):
msg = sd_rest[1:].lstrip()
elif sd_rest.startswith("["):
block = _SD_BLOCK_RE.search(sd_rest)
if block: if block:
for k, v in _PARAM_RE.findall(block.group(1)): for k, v in _PARAM_RE.findall(block.group(1)):
fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
msg_match = re.search(r'\]\s+(.+)$', sd_rest)
if msg_match:
msg = msg_match.group(1).strip()
else:
msg = sd_rest
attacker_ip = "Unknown" attacker_ip = "Unknown"
for fname in _IP_FIELDS: for fname in _IP_FIELDS:
if fname in fields: if fname in fields:
@@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None:
"service": service, "service": service,
"event_type": event_type, "event_type": event_type,
"attacker_ip": attacker_ip, "attacker_ip": attacker_ip,
"fields": json.dumps(fields),
"msg": msg,
"raw_line": line "raw_line": line
} }
_get_json_logger().info(json.dumps(payload)) _get_json_logger().info(json.dumps(payload))

17
templates/sip/decnet_logging.py
View File

@@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger:
return _json_logger return _json_logger
def write_syslog_file(line: str) -> None: def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file.""" """Append a syslog line to the rotating log file."""
try: try:
@@ -176,12 +177,24 @@ def write_syslog_file(line: str) -> None:
if m: if m:
ts_raw, decky, service, event_type, sd_rest = m.groups() ts_raw, decky, service, event_type, sd_rest = m.groups()
block = _SD_BLOCK_RE.search(sd_rest)
fields = {} fields = {}
msg = ""
if sd_rest.startswith("-"):
msg = sd_rest[1:].lstrip()
elif sd_rest.startswith("["):
block = _SD_BLOCK_RE.search(sd_rest)
if block: if block:
for k, v in _PARAM_RE.findall(block.group(1)): for k, v in _PARAM_RE.findall(block.group(1)):
fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
msg_match = re.search(r'\]\s+(.+)$', sd_rest)
if msg_match:
msg = msg_match.group(1).strip()
else:
msg = sd_rest
attacker_ip = "Unknown" attacker_ip = "Unknown"
for fname in _IP_FIELDS: for fname in _IP_FIELDS:
if fname in fields: if fname in fields:
@@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None:
"service": service, "service": service,
"event_type": event_type, "event_type": event_type,
"attacker_ip": attacker_ip, "attacker_ip": attacker_ip,
"fields": json.dumps(fields),
"msg": msg,
"raw_line": line "raw_line": line
} }
_get_json_logger().info(json.dumps(payload)) _get_json_logger().info(json.dumps(payload))

17
templates/smb/decnet_logging.py
View File

@@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger:
return _json_logger return _json_logger
def write_syslog_file(line: str) -> None: def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file.""" """Append a syslog line to the rotating log file."""
try: try:
@@ -176,12 +177,24 @@ def write_syslog_file(line: str) -> None:
if m: if m:
ts_raw, decky, service, event_type, sd_rest = m.groups() ts_raw, decky, service, event_type, sd_rest = m.groups()
block = _SD_BLOCK_RE.search(sd_rest)
fields = {} fields = {}
msg = ""
if sd_rest.startswith("-"):
msg = sd_rest[1:].lstrip()
elif sd_rest.startswith("["):
block = _SD_BLOCK_RE.search(sd_rest)
if block: if block:
for k, v in _PARAM_RE.findall(block.group(1)): for k, v in _PARAM_RE.findall(block.group(1)):
fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
msg_match = re.search(r'\]\s+(.+)$', sd_rest)
if msg_match:
msg = msg_match.group(1).strip()
else:
msg = sd_rest
attacker_ip = "Unknown" attacker_ip = "Unknown"
for fname in _IP_FIELDS: for fname in _IP_FIELDS:
if fname in fields: if fname in fields:
@@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None:
"service": service, "service": service,
"event_type": event_type, "event_type": event_type,
"attacker_ip": attacker_ip, "attacker_ip": attacker_ip,
"fields": json.dumps(fields),
"msg": msg,
"raw_line": line "raw_line": line
} }
_get_json_logger().info(json.dumps(payload)) _get_json_logger().info(json.dumps(payload))

17
templates/smtp/decnet_logging.py
View File

@@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger:
return _json_logger return _json_logger
def write_syslog_file(line: str) -> None: def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file.""" """Append a syslog line to the rotating log file."""
try: try:
@@ -176,12 +177,24 @@ def write_syslog_file(line: str) -> None:
if m: if m:
ts_raw, decky, service, event_type, sd_rest = m.groups() ts_raw, decky, service, event_type, sd_rest = m.groups()
block = _SD_BLOCK_RE.search(sd_rest)
fields = {} fields = {}
msg = ""
if sd_rest.startswith("-"):
msg = sd_rest[1:].lstrip()
elif sd_rest.startswith("["):
block = _SD_BLOCK_RE.search(sd_rest)
if block: if block:
for k, v in _PARAM_RE.findall(block.group(1)): for k, v in _PARAM_RE.findall(block.group(1)):
fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
msg_match = re.search(r'\]\s+(.+)$', sd_rest)
if msg_match:
msg = msg_match.group(1).strip()
else:
msg = sd_rest
attacker_ip = "Unknown" attacker_ip = "Unknown"
for fname in _IP_FIELDS: for fname in _IP_FIELDS:
if fname in fields: if fname in fields:
@@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None:
"service": service, "service": service,
"event_type": event_type, "event_type": event_type,
"attacker_ip": attacker_ip, "attacker_ip": attacker_ip,
"fields": json.dumps(fields),
"msg": msg,
"raw_line": line "raw_line": line
} }
_get_json_logger().info(json.dumps(payload)) _get_json_logger().info(json.dumps(payload))

17
templates/snmp/decnet_logging.py
View File

@@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger:
return _json_logger return _json_logger
def write_syslog_file(line: str) -> None: def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file.""" """Append a syslog line to the rotating log file."""
try: try:
@@ -176,12 +177,24 @@ def write_syslog_file(line: str) -> None:
if m: if m:
ts_raw, decky, service, event_type, sd_rest = m.groups() ts_raw, decky, service, event_type, sd_rest = m.groups()
block = _SD_BLOCK_RE.search(sd_rest)
fields = {} fields = {}
msg = ""
if sd_rest.startswith("-"):
msg = sd_rest[1:].lstrip()
elif sd_rest.startswith("["):
block = _SD_BLOCK_RE.search(sd_rest)
if block: if block:
for k, v in _PARAM_RE.findall(block.group(1)): for k, v in _PARAM_RE.findall(block.group(1)):
fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
msg_match = re.search(r'\]\s+(.+)$', sd_rest)
if msg_match:
msg = msg_match.group(1).strip()
else:
msg = sd_rest
attacker_ip = "Unknown" attacker_ip = "Unknown"
for fname in _IP_FIELDS: for fname in _IP_FIELDS:
if fname in fields: if fname in fields:
@@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None:
"service": service, "service": service,
"event_type": event_type, "event_type": event_type,
"attacker_ip": attacker_ip, "attacker_ip": attacker_ip,
"fields": json.dumps(fields),
"msg": msg,
"raw_line": line "raw_line": line
} }
_get_json_logger().info(json.dumps(payload)) _get_json_logger().info(json.dumps(payload))

17
templates/tftp/decnet_logging.py
View File

@@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger:
return _json_logger return _json_logger
def write_syslog_file(line: str) -> None: def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file.""" """Append a syslog line to the rotating log file."""
try: try:
@@ -176,12 +177,24 @@ def write_syslog_file(line: str) -> None:
if m: if m:
ts_raw, decky, service, event_type, sd_rest = m.groups() ts_raw, decky, service, event_type, sd_rest = m.groups()
block = _SD_BLOCK_RE.search(sd_rest)
fields = {} fields = {}
msg = ""
if sd_rest.startswith("-"):
msg = sd_rest[1:].lstrip()
elif sd_rest.startswith("["):
block = _SD_BLOCK_RE.search(sd_rest)
if block: if block:
for k, v in _PARAM_RE.findall(block.group(1)): for k, v in _PARAM_RE.findall(block.group(1)):
fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
msg_match = re.search(r'\]\s+(.+)$', sd_rest)
if msg_match:
msg = msg_match.group(1).strip()
else:
msg = sd_rest
attacker_ip = "Unknown" attacker_ip = "Unknown"
for fname in _IP_FIELDS: for fname in _IP_FIELDS:
if fname in fields: if fname in fields:
@@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None:
"service": service, "service": service,
"event_type": event_type, "event_type": event_type,
"attacker_ip": attacker_ip, "attacker_ip": attacker_ip,
"fields": json.dumps(fields),
"msg": msg,
"raw_line": line "raw_line": line
} }
_get_json_logger().info(json.dumps(payload)) _get_json_logger().info(json.dumps(payload))

17
templates/vnc/decnet_logging.py
View File

@@ -149,6 +149,7 @@ def _get_json_logger() -> logging.Logger:
return _json_logger return _json_logger
def write_syslog_file(line: str) -> None: def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file.""" """Append a syslog line to the rotating log file."""
try: try:
@@ -176,12 +177,24 @@ def write_syslog_file(line: str) -> None:
if m: if m:
ts_raw, decky, service, event_type, sd_rest = m.groups() ts_raw, decky, service, event_type, sd_rest = m.groups()
block = _SD_BLOCK_RE.search(sd_rest)
fields = {} fields = {}
msg = ""
if sd_rest.startswith("-"):
msg = sd_rest[1:].lstrip()
elif sd_rest.startswith("["):
block = _SD_BLOCK_RE.search(sd_rest)
if block: if block:
for k, v in _PARAM_RE.findall(block.group(1)): for k, v in _PARAM_RE.findall(block.group(1)):
fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]") fields[k] = v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
msg_match = re.search(r'\]\s+(.+)$', sd_rest)
if msg_match:
msg = msg_match.group(1).strip()
else:
msg = sd_rest
attacker_ip = "Unknown" attacker_ip = "Unknown"
for fname in _IP_FIELDS: for fname in _IP_FIELDS:
if fname in fields: if fname in fields:
@@ -200,6 +213,8 @@ def write_syslog_file(line: str) -> None:
"service": service, "service": service,
"event_type": event_type, "event_type": event_type,
"attacker_ip": attacker_ip, "attacker_ip": attacker_ip,
"fields": json.dumps(fields),
"msg": msg,
"raw_line": line "raw_line": line
} }
_get_json_logger().info(json.dumps(payload)) _get_json_logger().info(json.dumps(payload))