You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@metron.apache.org by ctramnitz <gi...@git.apache.org> on 2017/05/10 13:41:03 UTC
[GitHub] incubator-metron pull request #579: METRON-941 fix PaloAltoParser
GitHub user ctramnitz opened a pull request:
https://github.com/apache/incubator-metron/pull/579
METRON-941 fix PaloAltoParser
## Contributor Comments
Fixed comma related issue by using Guava Splitter instead of split (reproduce: send log message with comma in payload, such as url or user-agent)
introduced consistent field naming according to https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/monitoring/syslog-field-descriptions
introduced v7.0 log format support
adding missing fields (that even existed prior to 7.0)
This is build and run tested with real-life logs.
## Pull Request Checklist
Thank you for submitting a contribution to Apache Metron.
Please refer to our [Development Guidelines](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=61332235) for the complete guide to follow for contributions.
Please refer also to our [Build Verification Guidelines](https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds?show-miniview) for complete smoke testing guides.
In order to streamline the review of the contribution we ask you follow these guidelines and ask you to double check the following:
### For all changes:
- [x] Is there a JIRA ticket associated with this PR? If not one needs to be created at [Metron Jira](https://issues.apache.org/jira/browse/METRON/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel).
- [x] Does your PR title start with METRON-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
- [x] Has your PR been rebased against the latest commit within the target branch (typically master)?
### For code changes:
- [x] Have you included steps to reproduce the behavior or problem that is being changed or addressed?
- [ ] Have you included steps or a guide to how the change may be verified and tested manually?
- [ ] Have you ensured that the full suite of tests and checks have been executed in the root incubating-metron folder via:
```
mvn -q clean integration-test install && build_utils/verify_licenses.sh
```
- [ ] Have you written or updated unit tests and or integration tests to verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [x] Have you verified the basic functionality of the build by building and running locally with Vagrant full-dev environment or the equivalent?
### For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in which it is rendered by building and verifying the site-book? If not then run the following commands and the verify changes via `site-book/target/site/index.html`:
```
cd site-book
mvn site
```
#### Note:
Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.
It is also recommended that [travis-ci](https://travis-ci.org) is set up for your personal repository such that your branches are built there before submitting a pull request.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/ctramnitz/incubator-metron paloparser
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/incubator-metron/pull/579.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #579
----
commit f4276762d43baf8b4bfcea256b44bf746be8059b
Author: Christian Tramnitz <tr...@trasec.de>
Date: 2017-05-10T13:10:54Z
PaloAltoParser: Fixed split (when comma in quotes), fixed overloaded content_type parameter and added v7.0 logging options
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] incubator-metron issue #579: METRON-941 fix PaloAltoParser
Posted by simonellistonball <gi...@git.apache.org>.
Github user simonellistonball commented on the issue:
https://github.com/apache/incubator-metron/pull/579
Yes, that makes sense, but does have some performance implications of course. A single mapping would have much faster response, so I would question the original approach (on which you are quite correct). I'm sure others will chime in if there are benefits to the re-write the name approach that I'm missing. Right now we only formally define a small number of the fields - ip_(src|dest)_(addr|port) etc to have the metron format, but I would argue things like nat_source_addr in this parser should follow the spirit of the convention.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] incubator-metron issue #579: METRON-941 fix PaloAltoParser
Posted by ctramnitz <gi...@git.apache.org>.
Github user ctramnitz commented on the issue:
https://github.com/apache/incubator-metron/pull/579
I agree to both of your points, defining it with the final name from the beginning would be more efficient and we should come up with a more normalized and standardized field naming convention in general.
However, the second part is something for all parsers, not just this one, so it's a little bit out of scope for this PR. In fact, this PR doesn't change the concept of the previous code, it just makes the "intermediate" field names more consistent by following the vendor documentation.
My suggestion would be to either merge this PR as-is or with one-time-definition of already defined Metron field names. To follow-up on the other topic we create a new Jira to define a normalized message format for all parsers (and enrichments), with subtasks to adapt each of the parsers (including this one).
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] incubator-metron issue #579: METRON-941 fix PaloAltoParser
Posted by simonellistonball <gi...@git.apache.org>.
Github user simonellistonball commented on the issue:
https://github.com/apache/incubator-metron/pull/579
A number of the field name changes seem to depart from Metron conventions. Is there a reason to change these from matching the metron ip_src_addr style pattern?
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] incubator-metron issue #579: METRON-941 fix PaloAltoParser
Posted by ctramnitz <gi...@git.apache.org>.
Github user ctramnitz commented on the issue:
https://github.com/apache/incubator-metron/pull/579
Do you have any examples? The previous concept was to use arbitrary (at least I couldn't find any reference) field names (i.e. source_address or destination_address) and then further down these were renamed to "standard" Metron style (i.e. outputMessage.put("ip_src_addr", outputMessage.remove("source_address"));). I started to use the "official" field names (as per vendor documentation), but I still rename the defined field names to Metron style... did I miss any?
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---