Posted to user@metron.apache.org by updates on tube <ab...@gmail.com> on 2019/12/23 06:57:35 UTC

streaming rsyslog metron using asa parser

I was trying to stream rsyslog log data to Apache Metron using the ASA parser. The log looks like the one below:

2019-12-20T07:06:41-05:00 ab TESTING: Fri 20 Dec 2019 07:06:41 AM EST
2019-12-20T07:06:41-05:00 ab rsyslogd: action 'action-13-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.1911.0 try https://www.rsyslog.com/e/2359 ]
2019-12-20T07:08:04-05:00 ab TESTING: Fri 20 Dec 2019 07:08:04 AM EST
2019-12-20T07:08:05-05:00 ab TESTING: Fri 20 Dec 2019 07:08:05 AM EST
2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec 2019 07:08:06 AM EST
2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec 2019 07:08:06 AM EST
2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019 07:08:08 AM EST
2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019 07:08:08 AM EST
2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019 07:08:09 AM EST
2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019 07:08:09 AM EST
2019-12-20T07:09:01-05:00 ab CRON[3174]: pam_unix(cron:session): session opened for user root by (uid=0)
2019-12-20T07:09:01-05:00 ab CRON[3175]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
2019-12-20T07:09:01-05:00 ab CRON[3174]: pam_unix(cron:session): session closed for user root
2019-12-20T07:09:01-05:00 ab systemd[1]: Starting Clean php session files...
2019-12-20T07:09:01-05:00 ab systemd[1]: phpsessionclean.service: Succeeded.
2019-12-20T07:09:01-05:00 ab systemd[1]: Started Clean php session files.
2019-12-20T07:10:04-05:00 ab TESTING: Fri 20 Dec 2019 07:10:04 AM EST
2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019 07:10:05 AM EST
2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019 07:10:05 AM EST
2019-12-20T07:10:06-05:00 ab TESTING: Fri 20 Dec 2019 07:10:06 AM EST
2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019 07:10:07 AM EST
2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019 07:10:07 AM EST
2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019 07:10:08 AM EST
2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019 07:10:08 AM EST
2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019 07:10:09 AM EST
2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019 07:10:09 AM EST
2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST
2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST
2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST
2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST
2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST
2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST
2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST
2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST
2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST
2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019 07:10:13 AM EST
2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019 07:10:13 AM EST
2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST
2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST
2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST
2019-12-20T07:10:15-05:00 ab systemd[1]: Stopping System Logging Service...
2019-12-20T07:10:15-05:00 ab rsyslogd: [origin software="rsyslogd" swVersion="8.1911.0" x-pid="3071" x-info="https://www.rsyslog.com"] exiting on signal 15.
2019-12-20T07:10:15-05:00 ab systemd[1]: rsyslog.service: Succeeded.
2019-12-20T07:10:15-05:00 ab systemd[1]: Stopped System Logging Service.
2019-12-20T07:10:15-05:00 ab systemd[1]: Starting System Logging Service...
2019-12-20T07:10:15-05:00 ab rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.1911.0]
2019-12-20T07:10:15-05:00 ab rsyslogd: [origin software="rsyslogd" swVersion="8.1911.0" x-pid="3270" x-info="https://www.rsyslog.com"] start
2019-12-20T07:10:15-05:00 ab systemd[1]: Started System Logging Service.
2019-12-20T07:10:18-05:00 ab TESTING: Fri 20 Dec 2019 07:10:18 AM EST
2019-12-20T07:15:01-05:00 ab CRON[3283]: pam_unix(cron:session): session opened for user root by (uid=0)
2019-12-20T07:15:01-05:00 ab CRON[3284]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
2019-12-20T07:15:01-05:00 ab CRON[3283]: pam_unix(cron:session): session closed for user root
2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session opened for user root by (uid=0)
2019-12-20T07:17:01-05:00 ab CRON[3324]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session closed for user root
2019-12-20T07:25:01-05:00 ab CRON[3333]: pam_unix(cron:session): session opened for user root by (uid=0)
2019-12-20T07:25:01-05:00 ab CRON[3334]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
2019-12-20T07:25:01-05:00 ab CRON[3333]: pam_unix(cron:session): session closed for user root
2019-12-20T07:29:38-05:00 ab snapd[666]: storehelpers.go:436: cannot refresh: snap has no updates available: "barrier", "barrier-kvm", "gtk-common-themes", "notepad-plus-plus", "snapd", "wine-platform-3-stable"
2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART Usage Attribute: 190 Airflow_Temperature_Cel changed from 67 to 66
2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART Usage Attribute: 194 Temperature_Celsius changed from 110 to 109
2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session opened for user root by (uid=0)
2019-12-20T07:35:01-05:00 ab CRON[3451]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session closed for user root
2019-12-20T07:39:01-05:00 ab CRON[3460]: pam_unix(cron:session): session opened for user root by (uid=0)
2019-12-20T07:39:01-05:00 ab CRON[3461]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
2019-12-20T07:39:01-05:00 ab CRON[3460]: pam_unix(cron:session): session closed for user root
2019-12-20T07:39:01-05:00 ab systemd[1]: Starting Clean php session files...
2019-12-20T07:39:01-05:00 ab systemd[1]: phpsessionclean.service: Succeeded.
2019-12-20T07:39:01-05:00 ab systemd[1]: Started Clean php session files.
2019-12-20T07:45:01-05:00 ab CRON[3525]: pam_unix(cron:session): session opened for user root by (uid=0)
2019-12-20T07:45:01-05:00 ab CRON[3526]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
2019-12-20T07:45:01-05:00 ab CRON[3525]: pam_unix(cron:session): session closed for user root
2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session opened for user root by (uid=0)
2019-12-20T07:55:01-05:00 ab CRON[3550]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session closed for user root
2019-12-20T08:05:01-05:00 ab CRON[3575]: pam_unix(cron:session): session opened for user root by (uid=0)
2019-12-20T08:05:01-05:00 ab CRON[3576]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
2019-12-20T08:05:01-05:00 ab CRON[3575]: pam_unix(cron:session): session closed for user root
2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session opened for user root by (uid=0)
2019-12-20T08:09:01-05:00 ab CRON[3587]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session closed for user root
2019-12-20T08:09:01-05:00 ab systemd[1]: Starting Clean php session files...
2019-12-20T08:09:01-05:00 ab systemd[1]: phpsessionclean.service: Succeeded.
2019-12-20T08:09:01-05:00 ab systemd[1]: Started Clean php session files

THIS IS THE ERROR FOUND IN STORM UI parserBolt

java.lang.RuntimeException: [Metron] Message '2019-12-20T07:06:41-05:00 ab TESTING: Fri 20 Dec 2019 07:06:41 AM EST 2019-12-20T07:06:41-05:00 ab rsyslogd: action 'action-13-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.1911.0 try https://www.rsyslog.com/e/2359 ] 2019-12-20T07:08:04-05:00 ab TESTING: Fri 20 Dec 2019 07:08:04 AM EST 2019-12-20T07:08:05-05:00 ab TESTING: Fri 20 Dec 2019 07:08:05 AM EST 2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec 2019 07:08:06 AM EST 2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec 2019 07:08:06 AM EST 2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019 07:08:08 AM EST 2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019 07:08:08 AM EST 2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019 07:08:09 AM EST 2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019 07:08:09 AM EST 2019-12-20T07:09:01-05:00 ab CRON[3174]: pam_unix(cron:session): session opened for user root by (uid=0) 2019-12-20T07:09:01-05:00 ab CRON[3175]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi) 2019-12-20T07:09:01-05:00 ab CRON[3174]: pam_unix(cron:session): session closed for user root 2019-12-20T07:09:01-05:00 ab systemd[1]: Starting Clean php session files... 2019-12-20T07:09:01-05:00 ab systemd[1]: phpsessionclean.service: Succeeded. 2019-12-20T07:09:01-05:00 ab systemd[1]: Started Clean php session files. 
2019-12-20T07:10:04-05:00 ab TESTING: Fri 20 Dec 2019 07:10:04 AM EST 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019 07:10:05 AM EST 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019 07:10:05 AM EST 2019-12-20T07:10:06-05:00 ab TESTING: Fri 20 Dec 2019 07:10:06 AM EST 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019 07:10:07 AM EST 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019 07:10:07 AM EST 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019 07:10:08 AM EST 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019 07:10:08 AM EST 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019 07:10:09 AM EST 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019 07:10:09 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019 07:10:13 AM EST 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019 07:10:13 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST 2019-12-20T07:10:15-05:00 ab systemd[1]: Stopping System Logging Service... 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin software="rsyslogd" swVersion="8.1911.0" x-pid="3071" x-info="https://www.rsyslog.com"] exiting on signal 15. 2019-12-20T07:10:15-05:00 ab systemd[1]: rsyslog.service: Succeeded. 
2019-12-20T07:10:15-05:00 ab systemd[1]: Stopped System Logging Service. 2019-12-20T07:10:15-05:00 ab systemd[1]: Starting System Logging Service... 2019-12-20T07:10:15-05:00 ab rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.1911.0] 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin software="rsyslogd" swVersion="8.1911.0" x-pid="3270" x-info="https://www.rsyslog.com"] start 2019-12-20T07:10:15-05:00 ab systemd[1]: Started System Logging Service. 2019-12-20T07:10:18-05:00 ab TESTING: Fri 20 Dec 2019 07:10:18 AM EST 2019-12-20T07:15:01-05:00 ab CRON[3283]: pam_unix(cron:session): session opened for user root by (uid=0) 2019-12-20T07:15:01-05:00 ab CRON[3284]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) 2019-12-20T07:15:01-05:00 ab CRON[3283]: pam_unix(cron:session): session closed for user root 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session opened for user root by (uid=0) 2019-12-20T07:17:01-05:00 ab CRON[3324]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly) 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session closed for user root 2019-12-20T07:25:01-05:00 ab CRON[3333]: pam_unix(cron:session): session opened for user root by (uid=0) 2019-12-20T07:25:01-05:00 ab CRON[3334]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) 2019-12-20T07:25:01-05:00 ab CRON[3333]: pam_unix(cron:session): session closed for user root 2019-12-20T07:29:38-05:00 ab snapd[666]: storehelpers.go:436: cannot refresh: snap has no updates available: "barrier", "barrier-kvm", "gtk-common-themes", "notepad-plus-plus", "snapd", "wine-platform-3-stable" 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART Usage Attribute: 190 Airflow_Temperature_Cel changed from 67 to 66 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART Usage Attribute: 194 Temperature_Celsius changed from 110 to 109 2019-12-20T07:35:01-05:00 ab 
CRON[3450]: pam_unix(cron:session): session opened for user root by (uid=0) 2019-12-20T07:35:01-05:00 ab CRON[3451]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session closed for user root 2019-12-20T07:39:01-05:00 ab CRON[3460]: pam_unix(cron:session): session opened for user root by (uid=0) 2019-12-20T07:39:01-05:00 ab CRON[3461]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi) 2019-12-20T07:39:01-05:00 ab CRON[3460]: pam_unix(cron:session): session closed for user root 2019-12-20T07:39:01-05:00 ab systemd[1]: Starting Clean php session files... 2019-12-20T07:39:01-05:00 ab systemd[1]: phpsessionclean.service: Succeeded. 2019-12-20T07:39:01-05:00 ab systemd[1]: Started Clean php session files. 2019-12-20T07:45:01-05:00 ab CRON[3525]: pam_unix(cron:session): session opened for user root by (uid=0) 2019-12-20T07:45:01-05:00 ab CRON[3526]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) 2019-12-20T07:45:01-05:00 ab CRON[3525]: pam_unix(cron:session): session closed for user root 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session opened for user root by (uid=0) 2019-12-20T07:55:01-05:00 ab CRON[3550]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session closed for user root 2019-12-20T08:05:01-05:00 ab CRON[3575]: pam_unix(cron:session): session opened for user root by (uid=0) 2019-12-20T08:05:01-05:00 ab CRON[3576]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) 2019-12-20T08:05:01-05:00 ab CRON[3575]: pam_unix(cron:session): session closed for user root 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session opened for user root by (uid=0) 2019-12-20T08:09:01-05:00 ab CRON[3587]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! 
-d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi) 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session closed for user root 2019-12-20T08:09:01-05:00 ab systemd[1]: Starting Clean php session files... 2019-12-20T08:09:01-05:00 ab systemd[1]: phpsessionclean.service: Succeeded. 2019-12-20T08:09:01-05:00 ab systemd[1]: Started Clean php session files. ' does not match pattern '%{CISCO_TAGGED_SYSLOG}' at org.apache.metron.parsers.asa.BasicAsaParser.parse(BasicAsaParser.java:184) at org.apache.metron.parsers.interfaces.MessageParser.parseOptional(MessageParser.java:54) at org.apache.metron.parsers.interfaces.MessageParser.parseOptionalResult(MessageParser.java:67) at org.apache.metron.parsers.ParserRunnerImpl.execute(ParserRunnerImpl.java:144) at org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:257) at org.apache.storm.daemon.executor$fn__10195$tuple_action_fn__10197.invoke(executor.clj:735) at org.apache.storm.daemon.executor$mk_task_receiver$fn__10114.invoke(executor.clj:466) at org.apache.storm.disruptor$clojure_handler$reify__4137.onEvent(disruptor.clj:40) at org.apache.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:472) at org.apache.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:451) at org.apache.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:73) at org.apache.storm.daemon.executor$fn__10195$fn__10208$fn__10263.invoke(executor.clj:855) at org.apache.storm.util$async_loop$fn__1221.invoke(util.clj:484) at clojure.lang.AFn.run(AFn.java:22) at java.lang.Thread.run(Thread.java:745) Caused by: java.lang.RuntimeException: [Metron] Message '2019-12-20T07:06:41-05:00 ab TESTING: Fri 20 Dec 2019 07:06:41 AM EST 2019-12-20T07:06:41-05:00 ab rsyslogd: action 'action-13-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.1911.0 try https://www.rsyslog.com/e/2359 ] 2019-12-20T07:08:04-05:00 ab TESTING: Fri 20 Dec 2019 07:08:04 AM EST 2019-12-20T07:08:05-05:00 ab 
TESTING: Fri 20 Dec 2019 07:08:05 AM EST 2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec 2019 07:08:06 AM EST 2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec 2019 07:08:06 AM EST 2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019 07:08:08 AM EST 2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019 07:08:08 AM EST 2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019 07:08:09 AM EST 2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019 07:08:09 AM EST 2019-12-20T07:09:01-05:00 ab CRON[3174]: pam_unix(cron:session): session opened for user root by (uid=0) 2019-12-20T07:09:01-05:00 ab CRON[3175]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi) 2019-12-20T07:09:01-05:00 ab CRON[3174]: pam_unix(cron:session): session closed for user root 2019-12-20T07:09:01-05:00 ab systemd[1]: Starting Clean php session files... 2019-12-20T07:09:01-05:00 ab systemd[1]: phpsessionclean.service: Succeeded. 2019-12-20T07:09:01-05:00 ab systemd[1]: Started Clean php session files. 
2019-12-20T07:10:04-05:00 ab TESTING: Fri 20 Dec 2019 07:10:04 AM EST 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019 07:10:05 AM EST 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019 07:10:05 AM EST 2019-12-20T07:10:06-05:00 ab TESTING: Fri 20 Dec 2019 07:10:06 AM EST 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019 07:10:07 AM EST 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019 07:10:07 AM EST 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019 07:10:08 AM EST 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019 07:10:08 AM EST 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019 07:10:09 AM EST 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019 07:10:09 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019 07:10:13 AM EST 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019 07:10:13 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST 2019-12-20T07:10:15-05:00 ab systemd[1]: Stopping System Logging Service... 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin software="rsyslogd" swVersion="8.1911.0" x-pid="3071" x-info="https://www.rsyslog.com"] exiting on signal 15. 2019-12-20T07:10:15-05:00 ab systemd[1]: rsyslog.service: Succeeded. 
2019-12-20T07:10:15-05:00 ab systemd[1]: Stopped System Logging Service. 2019-12-20T07:10:15-05:00 ab systemd[1]: Starting System Logging Service... 2019-12-20T07:10:15-05:00 ab rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.1911.0] 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin software="rsyslogd" swVersion="8.1911.0" x-pid="3270" x-info="https://www.rsyslog.com"] start 2019-12-20T07:10:15-05:00 ab systemd[1]: Started System Logging Service. 2019-12-20T07:10:18-05:00 ab TESTING: Fri 20 Dec 2019 07:10:18 AM EST 2019-12-20T07:15:01-05:00 ab CRON[3283]: pam_unix(cron:session): session opened for user root by (uid=0) 2019-12-20T07:15:01-05:00 ab CRON[3284]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) 2019-12-20T07:15:01-05:00 ab CRON[3283]: pam_unix(cron:session): session closed for user root 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session opened for user root by (uid=0) 2019-12-20T07:17:01-05:00 ab CRON[3324]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly) 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session closed for user root 2019-12-20T07:25:01-05:00 ab CRON[3333]: pam_unix(cron:session): session opened for user root by (uid=0) 2019-12-20T07:25:01-05:00 ab CRON[3334]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) 2019-12-20T07:25:01-05:00 ab CRON[3333]: pam_unix(cron:session): session closed for user root 2019-12-20T07:29:38-05:00 ab snapd[666]: storehelpers.go:436: cannot refresh: snap has no updates available: "barrier", "barrier-kvm", "gtk-common-themes", "notepad-plus-plus", "snapd", "wine-platform-3-stable" 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART Usage Attribute: 190 Airflow_Temperature_Cel changed from 67 to 66 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART Usage Attribute: 194 Temperature_Celsius changed from 110 to 109 2019-12-20T07:35:01-05:00 ab 
CRON[3450]: pam_unix(cron:session): session opened for user root by (uid=0) 2019-12-20T07:35:01-05:00 ab CRON[3451]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session closed for user root 2019-12-20T07:39:01-05:00 ab CRON[3460]: pam_unix(cron:session): session opened for user root by (uid=0) 2019-12-20T07:39:01-05:00 ab CRON[3461]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi) 2019-12-20T07:39:01-05:00 ab CRON[3460]: pam_unix(cron:session): session closed for user root 2019-12-20T07:39:01-05:00 ab systemd[1]: Starting Clean php session files... 2019-12-20T07:39:01-05:00 ab systemd[1]: phpsessionclean.service: Succeeded. 2019-12-20T07:39:01-05:00 ab systemd[1]: Started Clean php session files. 2019-12-20T07:45:01-05:00 ab CRON[3525]: pam_unix(cron:session): session opened for user root by (uid=0) 2019-12-20T07:45:01-05:00 ab CRON[3526]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) 2019-12-20T07:45:01-05:00 ab CRON[3525]: pam_unix(cron:session): session closed for user root 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session opened for user root by (uid=0) 2019-12-20T07:55:01-05:00 ab CRON[3550]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session closed for user root 2019-12-20T08:05:01-05:00 ab CRON[3575]: pam_unix(cron:session): session opened for user root by (uid=0) 2019-12-20T08:05:01-05:00 ab CRON[3576]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) 2019-12-20T08:05:01-05:00 ab CRON[3575]: pam_unix(cron:session): session closed for user root 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session opened for user root by (uid=0) 2019-12-20T08:09:01-05:00 ab CRON[3587]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! 
-d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi) 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session closed for user root 2019-12-20T08:09:01-05:00 ab systemd[1]: Starting Clean php session files... 2019-12-20T08:09:01-05:00 ab systemd[1]: phpsessionclean.service: Succeeded. 2019-12-20T08:09:01-05:00 ab systemd[1]: Started Clean php session files. ' does not match pattern '%{CISCO_TAGGED_SYSLOG}' at org.apache.metron.parsers.asa.BasicAsaParser.parse(BasicAsaParser.java:178) ... 14 more

I need your help???? As always.
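Two things are visible in the error above: the text inside `Message '...'` is the entire log file, so the parser received every line as one Kafka message, and the pattern it is checked against is `%{CISCO_TAGGED_SYSLOG}`, which describes Cisco firewall syslog rather than rsyslog's default output. The Python pre-flight check below is an added illustration, not code from this thread or from the Metron project. It matches a record against a regex that approximates the shape of Cisco tagged syslog (priority, Cisco-style timestamp, optional host, colon, `%TAG-SEV-ID:` mnemonic; an approximation written for this example, not Metron's pattern file), recognises rsyslog's RFC 3339-prefixed records, counts how many records were packed into one message, and splits such a blob back into records. The function names and the sample lines (one constructed Cisco-style line, two rsyslog lines copied from the thread, and a constructed space-joined blob) are this example's own.

```python
import re

# Approximation, written for this example, of the shape grok's CISCO_TAGGED_SYSLOG
# expects (not Metron's own pattern file): <pri>, a Cisco-style timestamp, an optional
# host, a colon, then a %TAG-SEV-ID: mnemonic such as %ASA-6-302013:.
CISCO_TAGGED_SYSLOG = re.compile(
    r"^<(?P<pri>\d+)>"
    r"(?P<timestamp>[A-Z][a-z]{2} +\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2})"
    r"(?: (?P<host>[\w.:-]+))?"
    r" ?: %(?P<tag>[A-Z0-9]+-\d+-[A-Z0-9_]+):"
)

# rsyslog's default high-precision template starts every record with an RFC 3339
# timestamp, which is what the lines in the thread above begin with.
RFC3339_TS = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?[+-]\d{2}:\d{2}")

# Constructed samples: one Cisco-style line (made up for this example, RFC 5737 addresses),
# one rsyslog line from the thread, and a blob mimicking the quoted error message
# (several records joined by spaces instead of one record per message).
ASA_LINE = (
    "<174>Jan  5 2014 09:12:13: %ASA-6-302013: Built outbound TCP connection 12 "
    "for outside:198.51.100.7/443 (198.51.100.7/443) to inside:192.0.2.10/51234 (192.0.2.10/51234)"
)
RSYSLOG_LINE = "2019-12-20T07:06:41-05:00 ab TESTING: Fri 20 Dec 2019 07:06:41 AM EST"
JOINED_BLOB = (
    "2019-12-20T07:06:41-05:00 ab TESTING: Fri 20 Dec 2019 07:06:41 AM EST "
    "2019-12-20T07:06:41-05:00 ab rsyslogd: action 'action-13-builtin:omfwd' resumed "
    "(module 'builtin:omfwd') [v8.1911.0 try https://www.rsyslog.com/e/2359 ] "
    "2019-12-20T07:09:01-05:00 ab CRON[3174]: pam_unix(cron:session): session opened for user root by (uid=0)"
)


def classify(message):
    """Name the family a message body belongs to, judged by how it starts."""
    if CISCO_TAGGED_SYSLOG.match(message):
        return "asa"
    if RFC3339_TS.match(message):
        return "rsyslog"
    return "unknown"


def count_records(message):
    """Count rsyslog records packed into one message body (one timestamp per record)."""
    return len(RFC3339_TS.findall(message))


def split_records(message):
    """Split a blob of space-joined rsyslog records back into one record per entry."""
    parts = re.split(r"\s+(?=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})", message.strip())
    return [p for p in parts if p]


def preflight(message):
    """Say whether a Cisco-tagged-syslog parser would accept this message, and if not, why."""
    family = classify(message)
    records = count_records(message)
    reasons = []
    if family != "asa":
        reasons.append(
            f"record family is {family!r}, not Cisco tagged syslog (<pri>timestamp: %TAG-SEV-ID:)"
        )
    if records > 1:
        reasons.append(
            f"{records} rsyslog records packed into one message; emit one record per Kafka message"
        )
    return {"family": family, "records": records, "ok": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for name, sample in [("ASA_LINE", ASA_LINE), ("RSYSLOG_LINE", RSYSLOG_LINE), ("JOINED_BLOB", JOINED_BLOB)]:
        print(name, preflight(sample))
    for record in split_records(JOINED_BLOB):
        print("  ", record[:60])
```

Run this over the file before producing into Kafka. Whatever tool does the producing, each syslog record has to arrive as its own Kafka message; otherwise even well-formed ASA lines would be rejected as one giant non-matching message, which is what the stack trace shows. Independently of that, as the reply in this thread points out, rsyslog's default output is not ASA data, so the topology needs a parser whose pattern matches the rsyslog template rather than `%{CISCO_TAGGED_SYSLOG}`.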
 


Re: streaming rsyslog metron using asa parser

Posted by Otto Fowler <ot...@gmail.com>.
Please look at this recent explanation:
http://mail-archives.apache.org/mod_mbox/metron-user/201912.mbox/%3cCAMCcOJq8qWNOMEvVYiH_xWQ_c8HGBvBVhYnzR6hqcVEz4mrtGQ@mail.gmail.com%3e

On December 27, 2019 at 00:33:31, updates on tube (abrahamfikire@gmail.com)
wrote:


On 2019/12/26 14:19:09, Otto Fowler <ot...@gmail.com> wrote:
> You are saying different things that are confusing me.
> You seemed to be saying that you couldn’t parse, but now you are saying you
> can parse, and see things in kibana but they are not in the alert ui?

Yes, based on what you suggested to me before, I can push the sample log from
(https://github.com/apache/metron/blob/master/metron-platform/metron-integration-test/src/main/sample/data/asa/raw/asa_raw)
to the Kafka topic, Storm parses it and I see it in the Kibana UI, but I can't
see it on the Metron Alerts UI. That is the problem. Parsing is going well.
>
> On December 25, 2019 at 10:47:54, updates on tube (abrahamfikire@gmail.com)
> wrote:
>
> On 2019/12/23 11:25:45, Otto Fowler <ot...@gmail.com> wrote:
> > That doesn’t look like ASA data.
> >
> > https://github.com/apache/metron/blob/master/metron-platform/metron-integration-test/src/main/sample/data/asa/raw/asa_raw
> >
> > Are you trying to do regular syslog, or ASA.
> >
> > On December 23, 2019 at 01:57:38, updates on tube (abrahamfikire@gmail.com)
> > wrote:
> >
> > 2019-12-20T08:05:01-05:00 ab CRON[3576]: (root) CMD (command -v
> debian-sa1
> > > /dev/null && debian-sa1 1 1)
> > 2019-12-20T08:05:01-05:00 ab CRON[3575]: pam_unix(cron:session):
session
> > closed for user root
> > 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session):
session
> > opened for user root by (uid=0)
> > 2019-12-20T08:09:01-05:00 ab CRON[3587]: (root) CMD ( [ -x
> > /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
> > /usr/lib/php/sessionclean; fi)
> > 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session):
session
> > closed for user root
> > 2019-12-20T08:09:01-05:00 ab systemd[1]: Starting Clean php session
> > files...
> > 2019-12-20T08:09:01-05:00 ab systemd[1]: phpsessionclean.service:
> > Succeeded.
> > 2019-12-20T08:09:01-05:00 ab systemd[1]: Started Clean php session
files
> >
> >
> >
> >
> >
> >
> >
> > THIS IS THE ERROR FOUND IN STORM UI parserBolt
> >
> > java.lang.RuntimeException: [Metron] Message '2019-12-20T07:06:41-05:00 ab TESTING: Fri 20 Dec 2019 07:06:41 AM EST
> > 2019-12-20T07:06:41-05:00 ab rsyslogd: action 'action-13-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.1911.0 try https://www.rsyslog.com/e/2359 ]
> > 2019-12-20T07:08:04-05:00 ab TESTING: Fri 20 Dec 2019 07:08:04 AM EST
> > 2019-12-20T07:08:05-05:00 ab TESTING: Fri 20 Dec 2019 07:08:05 AM EST
> > 2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec 2019 07:08:06 AM EST
> > 2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec 2019 07:08:06 AM EST
> > 2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019 07:08:08 AM EST
> > 2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019 07:08:08 AM EST
> > 2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019 07:08:09 AM EST
> > 2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019 07:08:09 AM EST
> > 2019-12-20T07:09:01-05:00 ab CRON[3174]: pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:09:01-05:00 ab CRON[3175]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
> > 2019-12-20T07:09:01-05:00 ab CRON[3174]: pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:09:01-05:00 ab systemd[1]: Starting Clean php session files...
> > 2019-12-20T07:09:01-05:00 ab systemd[1]: phpsessionclean.service: Succeeded.
> > 2019-12-20T07:09:01-05:00 ab systemd[1]: Started Clean php session files.
> > 2019-12-20T07:10:04-05:00 ab TESTING: Fri 20 Dec 2019 07:10:04 AM EST
> > 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019 07:10:05 AM EST
> > 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019 07:10:05 AM EST
> > 2019-12-20T07:10:06-05:00 ab TESTING: Fri 20 Dec 2019 07:10:06 AM EST
> > 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019 07:10:07 AM EST
> > 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019 07:10:07 AM EST
> > 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019 07:10:08 AM EST
> > 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019 07:10:08 AM EST
> > 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019 07:10:09 AM EST
> > 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019 07:10:09 AM EST
> > 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST
> > 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST
> > 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST
> > 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST
> > 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST
> > 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST
> > 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST
> > 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST
> > 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST
> > 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019 07:10:13 AM EST
> > 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019 07:10:13 AM EST
> > 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST
> > 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST
> > 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST
> > 2019-12-20T07:10:15-05:00 ab systemd[1]: Stopping System Logging Service...
> > 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin software="rsyslogd" swVersion="8.1911.0" x-pid="3071" x-info="https://www.rsyslog.com"] exiting on signal 15.
> > 2019-12-20T07:10:15-05:00 ab systemd[1]: rsyslog.service: Succeeded.
> > 2019-12-20T07:10:15-05:00 ab systemd[1]: Stopped System Logging Service.
> > 2019-12-20T07:10:15-05:00 ab systemd[1]: Starting System Logging Service...
> > 2019-12-20T07:10:15-05:00 ab rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.1911.0]
> > 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin software="rsyslogd" swVersion="8.1911.0" x-pid="3270" x-info="https://www.rsyslog.com"] start
> > 2019-12-20T07:10:15-05:00 ab systemd[1]: Started System Logging Service.
> > 2019-12-20T07:10:18-05:00 ab TESTING: Fri 20 Dec 2019 07:10:18 AM EST
> > 2019-12-20T07:15:01-05:00 ab CRON[3283]: pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:15:01-05:00 ab CRON[3284]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> > 2019-12-20T07:15:01-05:00 ab CRON[3283]: pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:17:01-05:00 ab CRON[3324]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
> > 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:25:01-05:00 ab CRON[3333]: pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:25:01-05:00 ab CRON[3334]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> > 2019-12-20T07:25:01-05:00 ab CRON[3333]: pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:29:38-05:00 ab snapd[666]: storehelpers.go:436: cannot refresh: snap has no updates available: "barrier", "barrier-kvm", "gtk-common-themes", "notepad-plus-plus", "snapd", "wine-platform-3-stable"
> > 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART Usage Attribute: 190 Airflow_Temperature_Cel changed from 67 to 66
> > 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART Usage Attribute: 194 Temperature_Celsius changed from 110 to 109
> > 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:35:01-05:00 ab CRON[3451]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> > 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:39:01-05:00 ab CRON[3460]: pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:39:01-05:00 ab CRON[3461]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
> > 2019-12-20T07:39:01-05:00 ab CRON[3460]: pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:39:01-05:00 ab systemd[1]: Starting Clean php session files...
> > 2019-12-20T07:39:01-05:00 ab systemd[1]: phpsessionclean.service: Succeeded.
> > 2019-12-20T07:39:01-05:00 ab systemd[1]: Started Clean php session files.
> > 2019-12-20T07:45:01-05:00 ab CRON[3525]: pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:45:01-05:00 ab CRON[3526]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> > 2019-12-20T07:45:01-05:00 ab CRON[3525]: pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:55:01-05:00 ab CRON[3550]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> > 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session closed for user root
> > 2019-12-20T08:05:01-05:00 ab CRON[3575]: pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T08:05:01-05:00 ab CRON[3576]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> > 2019-12-20T08:05:01-05:00 ab CRON[3575]: pam_unix(cron:session): session closed for user root
> > 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T08:09:01-05:00 ab CRON[3587]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
> > 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session closed for user root
> > 2019-12-20T08:09:01-05:00 ab systemd[1]: Starting Clean php session files...
> > 2019-12-20T08:09:01-05:00 ab systemd[1]: phpsessionclean.service: Succeeded.
> > 2019-12-20T08:09:01-05:00 ab systemd[1]: Started Clean php session files. ' does not match pattern '%{CISCO_TAGGED_SYSLOG}' at org.apache.metron.parsers.asa.BasicAsaParser.parse(BasicAsaParser.java:184)
> > at org.apache.metron.parsers.interfaces.MessageParser.parseOptional(MessageParser.java:54)
> > at org.apache.metron.parsers.interfaces.MessageParser.parseOptionalResult(MessageParser.java:67)
> > at org.apache.metron.parsers.ParserRunnerImpl.execute(ParserRunnerImpl.java:144)
> > at org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:257)
> > at org.apache.storm.daemon.executor$fn__10195$tuple_action_fn__10197.invoke(executor.clj:735)
> > at org.apache.storm.daemon.executor$mk_task_receiver$fn__10114.invoke(executor.clj:466)
> > at org.apache.storm.disruptor$clojure_handler$reify__4137.onEvent(disruptor.clj:40)
> > at org.apache.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:472)
> > at org.apache.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:451)
> > at org.apache.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:73)
> > at org.apache.storm.daemon.executor$fn__10195$fn__10208$fn__10263.invoke(executor.clj:855)
> > at org.apache.storm.util$async_loop$fn__1221.invoke(util.clj:484)
> > at clojure.lang.AFn.run(AFn.java:22)
> > at java.lang.Thread.run(Thread.java:745)
> > Caused by: java.lang.RuntimeException: [Metron] Message '2019-12-20T07:06:41-05:00 ab TESTING: Fri 20 Dec 2019 07:06:41 AM EST
> > 2019-12-20T07:06:41-05:00 ab rsyslogd: action 'action-13-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.1911.0 try https://www.rsyslog.com/e/2359 ]
> > 2019-12-20T07:08:04-05:00 ab TESTING: Fri 20 Dec 2019 07:08:04 AM EST
> > 2019-12-20T07:08:05-05:00 ab TESTING: Fri 20 Dec 2019 07:08:05 AM EST
> > 2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec 2019 07:08:06 AM EST
> > 2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec 2019 07:08:06 AM EST
> > 2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019 07:08:08 AM EST
> > 2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019 07:08:08 AM EST
> > 2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019 07:08:09 AM EST
> > 2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019 07:08:09 AM EST
> > 2019-12-20T07:09:01-05:00 ab CRON[3174]: pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:09:01-05:00 ab CRON[3175]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
> > 2019-12-20T07:09:01-05:00 ab CRON[3174]: pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:09:01-05:00 ab systemd[1]: Starting Clean php session files...
> > 2019-12-20T07:09:01-05:00 ab systemd[1]: phpsessionclean.service: Succeeded.
> > 2019-12-20T07:09:01-05:00 ab systemd[1]: Started Clean php session files.
> > 2019-12-20T07:10:04-05:00 ab TESTING: Fri 20 Dec 2019 07:10:04 AM EST
> > 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019 07:10:05 AM EST
> > 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019 07:10:05 AM EST
> > 2019-12-20T07:10:06-05:00 ab TESTING: Fri 20 Dec 2019 07:10:06 AM EST
> > 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019 07:10:07 AM EST
> > 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019 07:10:07 AM EST
> > 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019 07:10:08 AM EST
> > 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019 07:10:08 AM EST
> > 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019 07:10:09 AM EST
> > 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019 07:10:09 AM EST
> > 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST
> > 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST
> > 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST
> > 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST
> > 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST
> > 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST
> > 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST
> > 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST
> > 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST
> > 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019 07:10:13 AM EST
> > 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019 07:10:13 AM EST
> > 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST
> > 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST
> > 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST
> > 2019-12-20T07:10:15-05:00 ab systemd[1]: Stopping System Logging Service...
> > 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin software="rsyslogd" swVersion="8.1911.0" x-pid="3071" x-info="https://www.rsyslog.com"] exiting on signal 15.
> > 2019-12-20T07:10:15-05:00 ab systemd[1]: rsyslog.service: Succeeded.
> > 2019-12-20T07:10:15-05:00 ab systemd[1]: Stopped System Logging Service.
> > 2019-12-20T07:10:15-05:00 ab systemd[1]: Starting System Logging Service...
> > 2019-12-20T07:10:15-05:00 ab rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.1911.0]
> > 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin software="rsyslogd" swVersion="8.1911.0" x-pid="3270" x-info="https://www.rsyslog.com"] start
> > 2019-12-20T07:10:15-05:00 ab systemd[1]: Started System Logging Service.
> > 2019-12-20T07:10:18-05:00 ab TESTING: Fri 20 Dec 2019 07:10:18 AM EST
> > 2019-12-20T07:15:01-05:00 ab CRON[3283]: pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:15:01-05:00 ab CRON[3284]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> > 2019-12-20T07:15:01-05:00 ab CRON[3283]: pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:17:01-05:00 ab CRON[3324]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
> > 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:25:01-05:00 ab CRON[3333]: pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:25:01-05:00 ab CRON[3334]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> > 2019-12-20T07:25:01-05:00 ab CRON[3333]: pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:29:38-05:00 ab snapd[666]: storehelpers.go:436: cannot refresh: snap has no updates available: "barrier", "barrier-kvm", "gtk-common-themes", "notepad-plus-plus", "snapd", "wine-platform-3-stable"
> > 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART Usage Attribute: 190 Airflow_Temperature_Cel changed from 67 to 66
> > 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART Usage Attribute: 194 Temperature_Celsius changed from 110 to 109
> > 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:35:01-05:00 ab CRON[3451]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> > 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:39:01-05:00 ab CRON[3460]: pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:39:01-05:00 ab CRON[3461]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
> > 2019-12-20T07:39:01-05:00 ab CRON[3460]: pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:39:01-05:00 ab systemd[1]: Starting Clean php session files...
> > 2019-12-20T07:39:01-05:00 ab systemd[1]: phpsessionclean.service: Succeeded.
> > 2019-12-20T07:39:01-05:00 ab systemd[1]: Started Clean php session files.
> > 2019-12-20T07:45:01-05:00 ab CRON[3525]: pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:45:01-05:00 ab CRON[3526]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> > 2019-12-20T07:45:01-05:00 ab CRON[3525]: pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:55:01-05:00 ab CRON[3550]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> > 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session closed for user root
> > 2019-12-20T08:05:01-05:00 ab CRON[3575]: pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T08:05:01-05:00 ab CRON[3576]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> > 2019-12-20T08:05:01-05:00 ab CRON[3575]: pam_unix(cron:session): session closed for user root
> > 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T08:09:01-05:00 ab CRON[3587]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
> > 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session closed for user root
> > 2019-12-20T08:09:01-05:00 ab systemd[1]: Starting Clean php session files...
> > 2019-12-20T08:09:01-05:00 ab systemd[1]: phpsessionclean.service: Succeeded.
> > 2019-12-20T08:09:01-05:00 ab systemd[1]: Started Clean php session files. ' does not match pattern '%{CISCO_TAGGED_SYSLOG}' at org.apache.metron.parsers.asa.BasicAsaParser.parse(BasicAsaParser.java:178)
> > ... 14 more
> >
> > I need your help???? As always.
>
> I really appreciate your reply. It works when I use the sample log on GitHub, but the problem is that I can't push ASA, WebSphere and syslog data from Kibana to the Metron Alerts UI. I can see them on Kibana. Can you help me with that please???? @Otto Fowler
>
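
The message quoted in the parserBolt error above runs from the first rsyslog line of the file to the last, so the ASA parser received the whole file as one Kafka message, and its first record is plain rsyslog output rather than a Cisco ASA tagged-syslog record. The following Python script is an added example for this thread, not code from the thread or from Apache Metron: it splits a message payload into records and classifies each as ASA-shaped or rsyslog-shaped, so a mismatch like this one can be caught before the data is pushed to the topic. `ASA_RE` is a simplified stand-in for Metron's `%{CISCO_TAGGED_SYSLOG}` grok pattern (an assumption, not the parser's own pattern), the ASA sample line is constructed, and the rsyslog samples are lines from the thread.

```python
"""Pre-flight check for records headed to the Metron ASA parser.

Added example for this thread, not code from Apache Metron.  It answers the
two questions behind the parserBolt error: did the Kafka message carry exactly
one record, and is that record in Cisco ASA tagged-syslog form at all?
"""
import re
from collections import Counter

# Simplified stand-in for Metron's %{CISCO_TAGGED_SYSLOG} grok pattern.
# Assumption: an approximation written for this example, not the parser's own.
#   <PRI>Mon DD HH:MM:SS [host] [:] %ASA-<severity>-<msgid>: text
ASA_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})"
    r"(?: (?P<host>\S+))?\s*:?\s*"
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)

# Shape of the rsyslog lines posted in the thread:
#   2019-12-20T07:09:01-05:00 ab CRON[3174]: text
RSYSLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<text>.*)$"
)

# Whitespace directly in front of an RFC 3339 timestamp: the seam between two
# rsyslog records whose separating newline was collapsed to a space.
RECORD_BOUNDARY = re.compile(
    r"\s+(?=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}\s)"
)


def classify_line(line):
    """Return 'asa', 'rsyslog' or 'unknown' for a single record."""
    line = line.strip()
    if ASA_RE.match(line):
        return "asa"
    if RSYSLOG_RE.match(line):
        return "rsyslog"
    return "unknown"


def split_batch(payload):
    """Split one Kafka message payload into the records it carries.

    Records are split on newlines first; as a fallback for payloads whose
    newlines were flattened (the shape quoted in the Storm error), a record
    is also cut wherever whitespace precedes an RFC 3339 timestamp.
    """
    records = []
    for chunk in payload.splitlines():
        for part in RECORD_BOUNDARY.split(chunk.strip()):
            if part.strip():
                records.append(part.strip())
    return records


def triage(payload):
    """Summarise whether a payload could ever satisfy the ASA parser."""
    records = split_batch(payload)
    kinds = Counter(classify_line(r) for r in records)
    return {
        "records": len(records),
        "asa": kinds["asa"],
        "rsyslog": kinds["rsyslog"],
        "unknown": kinds["unknown"],
        # The parser expects one ASA-shaped record per message.
        "asa_parser_ok": len(records) == 1 and kinds["asa"] == 1,
    }


# Constructed sample: three rsyslog lines from the thread, joined the way the
# parser received them (one message carrying several records).
RSYSLOG_BATCH = (
    "2019-12-20T07:06:41-05:00 ab TESTING: Fri 20 Dec 2019 07:06:41 AM EST\n"
    "2019-12-20T07:09:01-05:00 ab CRON[3174]: pam_unix(cron:session): "
    "session opened for user root by (uid=0)\n"
    "2019-12-20T07:10:15-05:00 ab systemd[1]: rsyslog.service: Succeeded.\n"
)

# Constructed sample in Cisco ASA tagged-syslog shape (addresses and the
# connection id are made up; not a line from Metron's asa_raw file).
ASA_LINE = (
    "<174>Jan  5 14:52:35 10.0.0.1 %ASA-6-302013: Built inbound TCP connection "
    "9 for outside:10.0.0.5/54290 (10.0.0.5/54290) to inside:192.0.2.10/443 "
    "(192.0.2.10/443)"
)

if __name__ == "__main__":
    for name, payload in (("rsyslog batch", RSYSLOG_BATCH), ("asa line", ASA_LINE)):
        print(f"{name}: {triage(payload)}")
    # Flattened newlines, as in the Storm error, still split into 3 records.
    print("flattened:", triage(RSYSLOG_BATCH.replace("\n", " ")))
```

Running `triage` on the rsyslog batch reports three records, all `rsyslog`, none `asa`, and `asa_parser_ok` false; the constructed ASA line reports one `asa` record and `asa_parser_ok` true. A payload that fails the first check needs the producer fixed (one record per message); one that fails the second needs a different parser than ASA, which is the distinction the reply above draws.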

Re: streaming rsyslog metron using asa parser

Posted by updates on tube <ab...@gmail.com>.
On 2019/12/26 14:19:09, Otto Fowler <ot...@gmail.com> wrote: 
> You are saying different things that are confusing me.
> You seemed to be saying that you couldn’t parse, but now you are saying you
> can parse, and see things in kibana but they are not in the alert ui?

Yes, based on what you suggested to me before, I can push the sample log from (https://github.com/apache/metron/blob/master/metron-platform/metron-integration-test/src/main/sample/data/asa/raw/asa_raw) to the Kafka topic, Storm parses it, and I see it in the Kibana UI; but I can't see it on the Metron Alerts UI, and that is the problem. Parsing is going well.
> 
> On December 25, 2019 at 10:47:54, updates on tube (abrahamfikire@gmail.com) wrote:
>
> On 2019/12/23 11:25:45, Otto Fowler <ot...@gmail.com> wrote:
> > That doesn’t look like ASA data.
> >
> https://github.com/apache/metron/blob/master/metron-platform/metron-integration-test/src/main/sample/data/asa/raw/asa_raw
> >
> > Are you trying to do regular syslog, or ASA.
> >
> >
> >
> >
> > On December 23, 2019 at 01:57:38, updates on tube (abrahamfikire@gmail.com)
> 
> > wrote:
> >
> > i was trying to stream rsyslog log data to apache metron using asa
> parser.
> > the log look like down below
> >
> > 2019-12-20T07:06:41-05:00 ab TESTING: Fri 20 Dec 2019 07:06:41 AM EST
> > the log 2019-12-20T07:06:41-05:00 ab rsyslogd: action
> > 'action-13-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.1911.0 try
> > https://www.rsyslog.com/e/2359 ]
> > 2019-12-20T07:08:04-05:00 ab TESTING: Fri 20 Dec 2019 07:08:04 AM EST
> > 2019-12-20T07:08:05-05:00 ab TESTING: Fri 20 Dec 2019 07:08:05 AM EST
> > 2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec 2019 07:08:06 AM EST
> > 2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec 2019 07:08:06 AM EST
> > 2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019 07:08:08 AM EST
> > 2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019 07:08:08 AM EST
> > 2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019 07:08:09 AM EST
> > 2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019 07:08:09 AM EST
> > 2019-12-20T07:09:01-05:00 ab CRON[3174]: pam_unix(cron:session): session
> > opened for user root by (uid=0)
> > 2019-12-20T07:09:01-05:00 ab CRON[3175]: (root) CMD ( [ -x
> > /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
> > /usr/lib/php/sessionclean; fi)
> > 2019-12-20T07:09:01-05:00 ab CRON[3174]: pam_unix(cron:session): session
> > closed for user root
> > 2019-12-20T07:09:01-05:00 ab systemd[1]: Starting Clean php session
> > files...
> > 2019-12-20T07:09:01-05:00 ab systemd[1]: phpsessionclean.service:
> > Succeeded.
> > 2019-12-20T07:09:01-05:00 ab systemd[1]: Started Clean php session files.
> > 2019-12-20T07:10:04-05:00 ab TESTING: Fri 20 Dec 2019 07:10:04 AM EST
> > 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019 07:10:05 AM EST
> > 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019 07:10:05 AM EST
> > 2019-12-20T07:10:06-05:00 ab TESTING: Fri 20 Dec 2019 07:10:06 AM EST
> > 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019 07:10:07 AM EST
> > 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019 07:10:07 AM EST
> > 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019 07:10:08 AM EST
> > 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019 07:10:08 AM EST
> > 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019 07:10:09 AM EST
> > 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019 07:10:09 AM EST
> > 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST
> > 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST
> > 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST
> > 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST
> > 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST
> > 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST
> > 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST
> > 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST
> > 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST
> > 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019 07:10:13 AM EST
> > 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019 07:10:13 AM EST
> > 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST
> > 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST
> > 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST
> > 2019-12-20T07:10:15-05:00 ab systemd[1]: Stopping System Logging
> Service...
> > 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin software="rsyslogd"
> > swVersion="8.1911.0" x-pid="3071" x-info="https://www.rsyslog.com"]
> exiting
> > on signal 15.
> > 2019-12-20T07:10:15-05:00 ab systemd[1]: rsyslog.service: Succeeded.
> > 2019-12-20T07:10:15-05:00 ab systemd[1]: Stopped System Logging Service.
> > 2019-12-20T07:10:15-05:00 ab systemd[1]: Starting System Logging
> Service...
> > 2019-12-20T07:10:15-05:00 ab rsyslogd: imuxsock: Acquired UNIX socket
> > '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.1911.0]
> > 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin software="rsyslogd"
> > swVersion="8.1911.0" x-pid="3270" x-info="https://www.rsyslog.com"] start
> > 2019-12-20T07:10:15-05:00 ab systemd[1]: Started System Logging Service.
> > 2019-12-20T07:10:18-05:00 ab TESTING: Fri 20 Dec 2019 07:10:18 AM EST
> > 2019-12-20T07:15:01-05:00 ab CRON[3283]: pam_unix(cron:session): session
> > opened for user root by (uid=0)
> > 2019-12-20T07:15:01-05:00 ab CRON[3284]: (root) CMD (command -v
> debian-sa1
> > > /dev/null && debian-sa1 1 1)
> > 2019-12-20T07:15:01-05:00 ab CRON[3283]: pam_unix(cron:session): session
> > closed for user root
> > 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
> > opened for user root by (uid=0)
> > 2019-12-20T07:17:01-05:00 ab CRON[3324]: (root) CMD ( cd / && run-parts
> > --report /etc/cron.hourly)
> > 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
> > closed for user root
> > 2019-12-20T07:25:01-05:00 ab CRON[3333]: pam_unix(cron:session): session
> > opened for user root by (uid=0)
> > 2019-12-20T07:25:01-05:00 ab CRON[3334]: (root) CMD (command -v
> debian-sa1
> > > /dev/null && debian-sa1 1 1)
> > 2019-12-20T07:25:01-05:00 ab CRON[3333]: pam_unix(cron:session): session
> > closed for user root
> > 2019-12-20T07:29:38-05:00 ab snapd[666]: storehelpers.go:436: cannot
> > refresh: snap has no updates available: "barrier", "barrier-kvm",
> > "gtk-common-themes", "notepad-plus-plus", "snapd",
> "wine-platform-3-stable"
> > 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
> > Usage Attribute: 190 Airflow_Temperature_Cel changed from 67 to 66
> > 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
> > Usage Attribute: 194 Temperature_Celsius changed from 110 to 109
> > 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
> > opened for user root by (uid=0)
> > 2019-12-20T07:35:01-05:00 ab CRON[3451]: (root) CMD (command -v
> debian-sa1
> > > /dev/null && debian-sa1 1 1)
> > 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
> > closed for user root
> > 2019-12-20T07:39:01-05:00 ab CRON[3460]: pam_unix(cron:session): session
> > opened for user root by (uid=0)
> > 2019-12-20T07:39:01-05:00 ab CRON[3461]: (root) CMD ( [ -x
> > /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
> > /usr/lib/php/sessionclean; fi)
> > 2019-12-20T07:39:01-05:00 ab CRON[3460]: pam_unix(cron:session): session
> > closed for user root
> > 2019-12-20T07:39:01-05:00 ab systemd[1]: Starting Clean php session
> > files...
> > 2019-12-20T07:39:01-05:00 ab systemd[1]: phpsessionclean.service:
> > Succeeded.
> > 2019-12-20T07:39:01-05:00 ab systemd[1]: Started Clean php session files.
> > 2019-12-20T07:45:01-05:00 ab CRON[3525]: pam_unix(cron:session): session
> > opened for user root by (uid=0)
> > 2019-12-20T07:45:01-05:00 ab CRON[3526]: (root) CMD (command -v
> debian-sa1
> > > /dev/null && debian-sa1 1 1)
> > 2019-12-20T07:45:01-05:00 ab CRON[3525]: pam_unix(cron:session): session
> > closed for user root
> > 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
> > opened for user root by (uid=0)
> > 2019-12-20T07:55:01-05:00 ab CRON[3550]: (root) CMD (command -v
> debian-sa1
> > > /dev/null && debian-sa1 1 1)
> > 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
> > closed for user root
> > 2019-12-20T08:05:01-05:00 ab CRON[3575]: pam_unix(cron:session): session
> > opened for user root by (uid=0)
> > 2019-12-20T08:05:01-05:00 ab CRON[3576]: (root) CMD (command -v
> debian-sa1
> > > /dev/null && debian-sa1 1 1)
> > 2019-12-20T08:05:01-05:00 ab CRON[3575]: pam_unix(cron:session): session
> > closed for user root
> > 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
> > opened for user root by (uid=0)
> > 2019-12-20T08:09:01-05:00 ab CRON[3587]: (root) CMD ( [ -x
> > /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
> > /usr/lib/php/sessionclean; fi)
> > 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
> > closed for user root
> > 2019-12-20T08:09:01-05:00 ab systemd[1]: Starting Clean php session
> > files...
> > 2019-12-20T08:09:01-05:00 ab systemd[1]: phpsessionclean.service:
> > Succeeded.
> > 2019-12-20T08:09:01-05:00 ab systemd[1]: Started Clean php session files
> >
> >
> >
> >
> >
> >
> >
> > THIS IS THE ERROR FOUND IN STORM UI parserBolt
> >
> > java.lang.RuntimeException: [Metron] Message '2019-12-20T07:06:41-05:00
> ab
> > TESTING: Fri 20 Dec 2019 07:06:41 AM EST 2019-12-20T07:06:41-05:00 ab
> > rsyslogd: action 'action-13-builtin:omfwd' resumed (module
> 'builtin:omfwd')
> > [v8.1911.0 try https://www.rsyslog.com/e/2359 ] 2019-12-20T07:08:04-05:00
> > ab TESTING: Fri 20 Dec 2019 07:08:04 AM EST 2019-12-20T07:08:05-05:00 ab
> > TESTING: Fri 20 Dec 2019 07:08:05 AM EST 2019-12-20T07:08:06-05:00 ab
> > TESTING: Fri 20 Dec 2019 07:08:06 AM EST 2019-12-20T07:08:06-05:00 ab
> > TESTING: Fri 20 Dec 2019 07:08:06 AM EST 2019-12-20T07:08:08-05:00 ab
> > TESTING: Fri 20 Dec 2019 07:08:08 AM EST 2019-12-20T07:08:08-05:00 ab
> > TESTING: Fri 20 Dec 2019 07:08:08 AM EST 2019-12-20T07:08:09-05:00 ab
> > TESTING: Fri 20 Dec 2019 07:08:09 AM EST 2019-12-20T07:08:09-05:00 ab
> > TESTING: Fri 20 Dec 2019 07:08:09 AM EST 2019-12-20T07:09:01-05:00 ab
> > CRON[3174]: pam_unix(cron:session): session opened for user root by
> (uid=0)
> > 2019-12-20T07:09:01-05:00 ab CRON[3175]: (root) CMD ( [ -x
> > /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
> > /usr/lib/php/sessionclean; fi) 2019-12-20T07:09:01-05:00 ab CRON[3174]:
> > pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:09:01-05:00 ab systemd[1]: Starting Clean php session
> > files... 2019-12-20T07:09:01-05:00 ab systemd[1]: phpsessionclean.service:
> > Succeeded. 2019-12-20T07:09:01-05:00 ab systemd[1]: Started Clean php
> > session files. 2019-12-20T07:10:04-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:04 AM EST 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:05 AM EST 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:05 AM EST 2019-12-20T07:10:06-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:06 AM EST 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:07 AM EST 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:07 AM EST 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:08 AM EST 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:08 AM EST 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:09 AM EST 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:09 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:10 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:10 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:10 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:11 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:11 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:11 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:12 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:12 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:12 AM EST 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:13 AM EST 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:13 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:14 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:14 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:14 AM EST 2019-12-20T07:10:15-05:00 ab systemd[1]: Stopping System
> > Logging Service... 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin
> > software="rsyslogd" swVersion="8.1911.0" x-pid="3071" x-info="
> > https://www.rsyslog.com"] exiting on signal 15. 2019-12-20T07:10:15-05:00
> > ab systemd[1]: rsyslog.service: Succeeded. 2019-12-20T07:10:15-05:00 ab
> > systemd[1]: Stopped System Logging Service. 2019-12-20T07:10:15-05:00 ab
> > systemd[1]: Starting System Logging Service... 2019-12-20T07:10:15-05:00 ab
> > rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd
> > 3) from systemd. [v8.1911.0] 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin
> > software="rsyslogd" swVersion="8.1911.0" x-pid="3270" x-info="
> > https://www.rsyslog.com"] start 2019-12-20T07:10:15-05:00 ab systemd[1]:
> > Started System Logging Service. 2019-12-20T07:10:18-05:00 ab TESTING: Fri
> > 20 Dec 2019 07:10:18 AM EST 2019-12-20T07:15:01-05:00 ab CRON[3283]:
> > pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:15:01-05:00 ab CRON[3284]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) 2019-12-20T07:15:01-05:00 ab CRON[3283]:
> > pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
> > opened for user root by (uid=0) 2019-12-20T07:17:01-05:00 ab CRON[3324]:
> > (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
> > 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
> > closed for user root 2019-12-20T07:25:01-05:00 ab CRON[3333]:
> > pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:25:01-05:00 ab CRON[3334]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) 2019-12-20T07:25:01-05:00 ab CRON[3333]:
> > pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:29:38-05:00 ab snapd[666]: storehelpers.go:436: cannot
> > refresh: snap has no updates available: "barrier", "barrier-kvm",
> > "gtk-common-themes", "notepad-plus-plus", "snapd", "wine-platform-3-stable"
> > 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
> > Usage Attribute: 190 Airflow_Temperature_Cel changed from 67 to 66
> > 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
> > Usage Attribute: 194 Temperature_Celsius changed from 110 to 109
> > 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
> > opened for user root by (uid=0) 2019-12-20T07:35:01-05:00 ab CRON[3451]:
> > (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> > 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
> > closed for user root 2019-12-20T07:39:01-05:00 ab CRON[3460]:
> > pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:39:01-05:00 ab CRON[3461]: (root) CMD ( [ -x
> > /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
> > /usr/lib/php/sessionclean; fi) 2019-12-20T07:39:01-05:00 ab CRON[3460]:
> > pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:39:01-05:00 ab systemd[1]: Starting Clean php session
> > files... 2019-12-20T07:39:01-05:00 ab systemd[1]: phpsessionclean.service:
> > Succeeded. 2019-12-20T07:39:01-05:00 ab systemd[1]: Started Clean php
> > session files. 2019-12-20T07:45:01-05:00 ab CRON[3525]:
> > pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:45:01-05:00 ab CRON[3526]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) 2019-12-20T07:45:01-05:00 ab CRON[3525]:
> > pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
> > opened for user root by (uid=0) 2019-12-20T07:55:01-05:00 ab CRON[3550]:
> > (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> > 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
> > closed for user root 2019-12-20T08:05:01-05:00 ab CRON[3575]:
> > pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T08:05:01-05:00 ab CRON[3576]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) 2019-12-20T08:05:01-05:00 ab CRON[3575]:
> > pam_unix(cron:session): session closed for user root
> > 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
> > opened for user root by (uid=0) 2019-12-20T08:09:01-05:00 ab CRON[3587]:
> > (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d
> > /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
> > 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
> > closed for user root 2019-12-20T08:09:01-05:00 ab systemd[1]: Starting
> > Clean php session files... 2019-12-20T08:09:01-05:00 ab systemd[1]:
> > phpsessionclean.service: Succeeded. 2019-12-20T08:09:01-05:00 ab
> > systemd[1]: Started Clean php session files. ' does not match pattern
> > '%{CISCO_TAGGED_SYSLOG}' at
> > org.apache.metron.parsers.asa.BasicAsaParser.parse(BasicAsaParser.java:184)
> > at org.apache.metron.parsers.interfaces.MessageParser.parseOptional(MessageParser.java:54)
> > at org.apache.metron.parsers.interfaces.MessageParser.parseOptionalResult(MessageParser.java:67)
> > at org.apache.metron.parsers.ParserRunnerImpl.execute(ParserRunnerImpl.java:144)
> > at org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:257)
> > at org.apache.storm.daemon.executor$fn__10195$tuple_action_fn__10197.invoke(executor.clj:735)
> > at org.apache.storm.daemon.executor$mk_task_receiver$fn__10114.invoke(executor.clj:466)
> > at org.apache.storm.disruptor$clojure_handler$reify__4137.onEvent(disruptor.clj:40)
> > at org.apache.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:472)
> > at org.apache.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:451)
> > at org.apache.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:73)
> > at org.apache.storm.daemon.executor$fn__10195$fn__10208$fn__10263.invoke(executor.clj:855)
> > at org.apache.storm.util$async_loop$fn__1221.invoke(util.clj:484)
> > at clojure.lang.AFn.run(AFn.java:22)
> > at java.lang.Thread.run(Thread.java:745)
> > Caused by: java.lang.RuntimeException: [Metron] Message
> > '2019-12-20T07:06:41-05:00 ab TESTING: Fri 20 Dec 2019 07:06:41 AM EST
> > 2019-12-20T07:06:41-05:00 ab rsyslogd: action 'action-13-builtin:omfwd'
> > resumed (module 'builtin:omfwd') [v8.1911.0 try
> > https://www.rsyslog.com/e/2359 ] 2019-12-20T07:08:04-05:00 ab TESTING: Fri
> > 20 Dec 2019 07:08:04 AM EST 2019-12-20T07:08:05-05:00 ab TESTING: Fri 20
> > Dec 2019 07:08:05 AM EST 2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec
> > 2019 07:08:06 AM EST 2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:08:06 AM EST 2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:08:08 AM EST 2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:08:08 AM EST 2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:08:09 AM EST 2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:08:09 AM EST 2019-12-20T07:09:01-05:00 ab CRON[3174]:
> > pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:09:01-05:00 ab CRON[3175]: (root) CMD ( [ -x
> > /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
> > /usr/lib/php/sessionclean; fi) 2019-12-20T07:09:01-05:00 ab CRON[3174]:
> > pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:09:01-05:00 ab systemd[1]: Starting Clean php session
> > files... 2019-12-20T07:09:01-05:00 ab systemd[1]: phpsessionclean.service:
> > Succeeded. 2019-12-20T07:09:01-05:00 ab systemd[1]: Started Clean php
> > session files. 2019-12-20T07:10:04-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:04 AM EST 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:05 AM EST 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:05 AM EST 2019-12-20T07:10:06-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:06 AM EST 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:07 AM EST 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:07 AM EST 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:08 AM EST 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:08 AM EST 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:09 AM EST 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:09 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:10 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:10 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:10 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:11 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:11 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:11 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:12 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:12 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:12 AM EST 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:13 AM EST 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:13 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:14 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:14 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
> > 07:10:14 AM EST 2019-12-20T07:10:15-05:00 ab systemd[1]: Stopping System
> > Logging Service... 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin
> > software="rsyslogd" swVersion="8.1911.0" x-pid="3071" x-info="
> > https://www.rsyslog.com"] exiting on signal 15. 2019-12-20T07:10:15-05:00
> > ab systemd[1]: rsyslog.service: Succeeded. 2019-12-20T07:10:15-05:00 ab
> > systemd[1]: Stopped System Logging Service. 2019-12-20T07:10:15-05:00 ab
> > systemd[1]: Starting System Logging Service... 2019-12-20T07:10:15-05:00 ab
> > rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd
> > 3) from systemd. [v8.1911.0] 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin
> > software="rsyslogd" swVersion="8.1911.0" x-pid="3270" x-info="
> > https://www.rsyslog.com"] start 2019-12-20T07:10:15-05:00 ab systemd[1]:
> > Started System Logging Service. 2019-12-20T07:10:18-05:00 ab TESTING: Fri
> > 20 Dec 2019 07:10:18 AM EST 2019-12-20T07:15:01-05:00 ab CRON[3283]:
> > pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:15:01-05:00 ab CRON[3284]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) 2019-12-20T07:15:01-05:00 ab CRON[3283]:
> > pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
> > opened for user root by (uid=0) 2019-12-20T07:17:01-05:00 ab CRON[3324]:
> > (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
> > 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
> > closed for user root 2019-12-20T07:25:01-05:00 ab CRON[3333]:
> > pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:25:01-05:00 ab CRON[3334]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) 2019-12-20T07:25:01-05:00 ab CRON[3333]:
> > pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:29:38-05:00 ab snapd[666]: storehelpers.go:436: cannot
> > refresh: snap has no updates available: "barrier", "barrier-kvm",
> > "gtk-common-themes", "notepad-plus-plus", "snapd", "wine-platform-3-stable"
> > 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
> > Usage Attribute: 190 Airflow_Temperature_Cel changed from 67 to 66
> > 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
> > Usage Attribute: 194 Temperature_Celsius changed from 110 to 109
> > 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
> > opened for user root by (uid=0) 2019-12-20T07:35:01-05:00 ab CRON[3451]:
> > (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> > 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
> > closed for user root 2019-12-20T07:39:01-05:00 ab CRON[3460]:
> > pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:39:01-05:00 ab CRON[3461]: (root) CMD ( [ -x
> > /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
> > /usr/lib/php/sessionclean; fi) 2019-12-20T07:39:01-05:00 ab CRON[3460]:
> > pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:39:01-05:00 ab systemd[1]: Starting Clean php session
> > files... 2019-12-20T07:39:01-05:00 ab systemd[1]: phpsessionclean.service:
> > Succeeded. 2019-12-20T07:39:01-05:00 ab systemd[1]: Started Clean php
> > session files. 2019-12-20T07:45:01-05:00 ab CRON[3525]:
> > pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T07:45:01-05:00 ab CRON[3526]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) 2019-12-20T07:45:01-05:00 ab CRON[3525]:
> > pam_unix(cron:session): session closed for user root
> > 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
> > opened for user root by (uid=0) 2019-12-20T07:55:01-05:00 ab CRON[3550]:
> > (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> > 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
> > closed for user root 2019-12-20T08:05:01-05:00 ab CRON[3575]:
> > pam_unix(cron:session): session opened for user root by (uid=0)
> > 2019-12-20T08:05:01-05:00 ab CRON[3576]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) 2019-12-20T08:05:01-05:00 ab CRON[3575]:
> > pam_unix(cron:session): session closed for user root
> > 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
> > opened for user root by (uid=0) 2019-12-20T08:09:01-05:00 ab CRON[3587]:
> > (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d
> > /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
> > 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
> > closed for user root 2019-12-20T08:09:01-05:00 ab systemd[1]: Starting
> > Clean php session files... 2019-12-20T08:09:01-05:00 ab systemd[1]:
> > phpsessionclean.service: Succeeded. 2019-12-20T08:09:01-05:00 ab
> > systemd[1]: Started Clean php session files. ' does not match pattern
> > '%{CISCO_TAGGED_SYSLOG}' at
> > org.apache.metron.parsers.asa.BasicAsaParser.parse(BasicAsaParser.java:178)
> > ... 14 more
> >
> > I need your help???? as always
> I really appreciate your reply. It works when I use the sample log on
> GitHub, but the problem is that I can't push ASA, WebSphere and syslog data
> from Kibana to the Metron Alert UI. I can see them on Kibana. Can you help me
> with that please???? @Otto Fowler
> 
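The exception quoted above carries two separate facts a practitioner can check before wiring a parser: the parser bolt received the whole file as one 'Message', and none of those lines starts with the PRI and %ASA-severity-id tag that the ASA parser's CISCO_TAGGED_SYSLOG grok looks for. The following Python check, an added example rather than code from this thread or from Metron, splits a record the way the bolt would see it and reports both problems on constructed samples; the regex for the Cisco-tagged prefix is an approximation written for this example, not Metron's own grok definition, and the ASA line is invented in the layout of Metron's sample data.

```python
import re
from dataclasses import dataclass, field

# Approximation of the line prefix that Metron's ASA parser expects (the grok
# pattern named CISCO_TAGGED_SYSLOG in the stack trace): a syslog PRI in angle
# brackets, a Cisco-style timestamp, an optional host, an optional ':' separator,
# then a %FACILITY-SEVERITY-MNEMONIC: tag. This regex is written for this example
# from the shape of the sample ASA data; it is not Metron's own grok definition.
CISCO_TAGGED_SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2})"
    r"(?: (?P<host>\S+))?"
    r"(?:\s?:)?\s%(?P<facility>[A-Z]+)-(?P<severity>\d)-(?P<mnemonic>\w+):"
)

# The shape of the rsyslog lines quoted in this thread (RFC 3339 timestamp,
# host, tag, message), i.e. rsyslog's forwarding format, not an ASA line.
RSYSLOG_RFC3339 = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?[+-]\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): ?(?P<msg>.*)$"
)


def classify_line(line: str) -> str:
    """Say which parser family a single log line is shaped for."""
    if CISCO_TAGGED_SYSLOG.match(line):
        return "asa"
    if RSYSLOG_RFC3339.match(line):
        return "syslog"
    return "unknown"


@dataclass
class RecordReport:
    """What one Kafka record looks like from the parser bolt's point of view."""
    line_count: int
    counts: dict = field(default_factory=dict)  # kind -> number of lines

    @property
    def asa_parseable(self) -> bool:
        # The ASA parser wants exactly one tagged ASA event per record.
        return self.line_count == 1 and self.counts.get("asa", 0) == 1


def inspect_record(payload: str) -> RecordReport:
    """Split a record into lines and classify each one.

    The Storm error quoted in this thread shows a 'Message' holding every line
    of the file at once, so the first thing to check is how many lines one
    record carries before worrying about the pattern itself.
    """
    lines = [l for l in payload.splitlines() if l.strip()]
    report = RecordReport(line_count=len(lines))
    for line in lines:
        kind = classify_line(line)
        report.counts[kind] = report.counts.get(kind, 0) + 1
    return report


def diagnose(payload: str) -> str:
    """Return a one-line verdict, in the order a parser would hit the problems."""
    report = inspect_record(payload)
    if report.line_count == 0:
        return "empty record"
    if report.line_count > 1:
        return (f"record carries {report.line_count} lines; the parser expects "
                f"one event per message (kinds seen: {report.counts})")
    kind = next(iter(report.counts))  # exactly one line, so exactly one kind
    if kind == "asa":
        return "ok: ASA-tagged syslog"
    if kind == "syslog":
        return "not ASA: plain rsyslog line, it will not match CISCO_TAGGED_SYSLOG"
    return "unknown format"


# Constructed samples. The first three lines copy the layout of the rsyslog
# output quoted in this thread, joined the way the failing record was; the ASA
# line is made up in the layout of Metron's ASA sample data (values invented).
RSYSLOG_BATCH = "\n".join([
    "2019-12-20T07:06:41-05:00 ab TESTING: Fri 20 Dec 2019 07:06:41 AM EST",
    "2019-12-20T07:09:01-05:00 ab CRON[3174]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "2019-12-20T07:09:01-05:00 ab systemd[1]: phpsessionclean.service: Succeeded.",
])
ASA_LINE = ("<174>Jan  5 14:52:35 10.22.8.212 %ASA-6-302013: Built inbound TCP "
            "connection 1234 for outside:198.51.100.7/51000 (198.51.100.7/51000) "
            "to inside:192.0.2.10/443 (192.0.2.10/443)")

if __name__ == "__main__":
    for name, record in (("rsyslog batch", RSYSLOG_BATCH),
                         ("single rsyslog line", RSYSLOG_BATCH.splitlines()[0]),
                         ("asa line", ASA_LINE)):
        print(f"{name}: {diagnose(record)}")
```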

Re: streaming rsyslog metron using asa parser

Posted by Otto Fowler <ot...@gmail.com>.
You are saying different things that are confusing me.
You seemed to be saying that you couldn’t parse, but now you are saying you
can parse, and see things in kibana but they are not in the alert ui?


On December 25, 2019 at 10:47:54, updates on tube (abrahamfikire@gmail.com)
wrote:

On 2019/12/23 11:25:45, Otto Fowler <ot...@gmail.com> wrote:
> That doesn’t look like ASA data.
> https://github.com/apache/metron/blob/master/metron-platform/metron-integration-test/src/main/sample/data/asa/raw/asa_raw
>
> Are you trying to do regular syslog, or ASA.
>
> On December 23, 2019 at 01:57:38, updates on tube (abrahamfikire@gmail.com) wrote:
>
> I was trying to stream rsyslog log data to Apache Metron using the ASA
> parser. The log looks like the one below.
>
> 2019-12-20T07:06:41-05:00 ab TESTING: Fri 20 Dec 2019 07:06:41 AM EST
> the log 2019-12-20T07:06:41-05:00 ab rsyslogd: action
> 'action-13-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.1911.0 try
> https://www.rsyslog.com/e/2359 ]
> 2019-12-20T07:08:04-05:00 ab TESTING: Fri 20 Dec 2019 07:08:04 AM EST
> 2019-12-20T07:08:05-05:00 ab TESTING: Fri 20 Dec 2019 07:08:05 AM EST
> 2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec 2019 07:08:06 AM EST
> 2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec 2019 07:08:06 AM EST
> 2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019 07:08:08 AM EST
> 2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019 07:08:08 AM EST
> 2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019 07:08:09 AM EST
> 2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019 07:08:09 AM EST
> 2019-12-20T07:09:01-05:00 ab CRON[3174]: pam_unix(cron:session): session
> opened for user root by (uid=0)
> 2019-12-20T07:09:01-05:00 ab CRON[3175]: (root) CMD ( [ -x
> /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
> /usr/lib/php/sessionclean; fi)
> 2019-12-20T07:09:01-05:00 ab CRON[3174]: pam_unix(cron:session): session
> closed for user root
> 2019-12-20T07:09:01-05:00 ab systemd[1]: Starting Clean php session
> files...
> 2019-12-20T07:09:01-05:00 ab systemd[1]: phpsessionclean.service:
> Succeeded.
> 2019-12-20T07:09:01-05:00 ab systemd[1]: Started Clean php session files.
> 2019-12-20T07:10:04-05:00 ab TESTING: Fri 20 Dec 2019 07:10:04 AM EST
> 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019 07:10:05 AM EST
> 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019 07:10:05 AM EST
> 2019-12-20T07:10:06-05:00 ab TESTING: Fri 20 Dec 2019 07:10:06 AM EST
> 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019 07:10:07 AM EST
> 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019 07:10:07 AM EST
> 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019 07:10:08 AM EST
> 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019 07:10:08 AM EST
> 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019 07:10:09 AM EST
> 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019 07:10:09 AM EST
> 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST
> 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST
> 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST
> 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST
> 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST
> 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST
> 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST
> 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST
> 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST
> 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019 07:10:13 AM EST
> 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019 07:10:13 AM EST
> 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST
> 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST
> 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST
> 2019-12-20T07:10:15-05:00 ab systemd[1]: Stopping System Logging Service...
> 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin software="rsyslogd"
> swVersion="8.1911.0" x-pid="3071" x-info="https://www.rsyslog.com"] exiting
> on signal 15.
> 2019-12-20T07:10:15-05:00 ab systemd[1]: rsyslog.service: Succeeded.
> 2019-12-20T07:10:15-05:00 ab systemd[1]: Stopped System Logging Service.
> 2019-12-20T07:10:15-05:00 ab systemd[1]: Starting System Logging Service...
> 2019-12-20T07:10:15-05:00 ab rsyslogd: imuxsock: Acquired UNIX socket
> '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.1911.0]
> 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin software="rsyslogd"
> swVersion="8.1911.0" x-pid="3270" x-info="https://www.rsyslog.com"] start
> 2019-12-20T07:10:15-05:00 ab systemd[1]: Started System Logging Service.
> 2019-12-20T07:10:18-05:00 ab TESTING: Fri 20 Dec 2019 07:10:18 AM EST
> 2019-12-20T07:15:01-05:00 ab CRON[3283]: pam_unix(cron:session): session
> opened for user root by (uid=0)
> 2019-12-20T07:15:01-05:00 ab CRON[3284]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> 2019-12-20T07:15:01-05:00 ab CRON[3283]: pam_unix(cron:session): session
> closed for user root
> 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
> opened for user root by (uid=0)
> 2019-12-20T07:17:01-05:00 ab CRON[3324]: (root) CMD ( cd / && run-parts
> --report /etc/cron.hourly)
> 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
> closed for user root
> 2019-12-20T07:25:01-05:00 ab CRON[3333]: pam_unix(cron:session): session
> opened for user root by (uid=0)
> 2019-12-20T07:25:01-05:00 ab CRON[3334]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> 2019-12-20T07:25:01-05:00 ab CRON[3333]: pam_unix(cron:session): session
> closed for user root
> 2019-12-20T07:29:38-05:00 ab snapd[666]: storehelpers.go:436: cannot
> refresh: snap has no updates available: "barrier", "barrier-kvm",
> "gtk-common-themes", "notepad-plus-plus", "snapd", "wine-platform-3-stable"
> 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
> Usage Attribute: 190 Airflow_Temperature_Cel changed from 67 to 66
> 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
> Usage Attribute: 194 Temperature_Celsius changed from 110 to 109
> 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
> opened for user root by (uid=0)
> 2019-12-20T07:35:01-05:00 ab CRON[3451]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
> closed for user root
> 2019-12-20T07:39:01-05:00 ab CRON[3460]: pam_unix(cron:session): session
> opened for user root by (uid=0)
> 2019-12-20T07:39:01-05:00 ab CRON[3461]: (root) CMD ( [ -x
> /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
> /usr/lib/php/sessionclean; fi)
> 2019-12-20T07:39:01-05:00 ab CRON[3460]: pam_unix(cron:session): session
> closed for user root
> 2019-12-20T07:39:01-05:00 ab systemd[1]: Starting Clean php session
> files...
> 2019-12-20T07:39:01-05:00 ab systemd[1]: phpsessionclean.service:
> Succeeded.
> 2019-12-20T07:39:01-05:00 ab systemd[1]: Started Clean php session files.
> 2019-12-20T07:45:01-05:00 ab CRON[3525]: pam_unix(cron:session): session
> opened for user root by (uid=0)
> 2019-12-20T07:45:01-05:00 ab CRON[3526]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> 2019-12-20T07:45:01-05:00 ab CRON[3525]: pam_unix(cron:session): session
> closed for user root
> 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
> opened for user root by (uid=0)
> 2019-12-20T07:55:01-05:00 ab CRON[3550]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
> closed for user root
> 2019-12-20T08:05:01-05:00 ab CRON[3575]: pam_unix(cron:session): session
> opened for user root by (uid=0)
> 2019-12-20T08:05:01-05:00 ab CRON[3576]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> 2019-12-20T08:05:01-05:00 ab CRON[3575]: pam_unix(cron:session): session
> closed for user root
> 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
> opened for user root by (uid=0)
> 2019-12-20T08:09:01-05:00 ab CRON[3587]: (root) CMD ( [ -x
> /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
> /usr/lib/php/sessionclean; fi)
> 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
> closed for user root
> 2019-12-20T08:09:01-05:00 ab systemd[1]: Starting Clean php session
> files...
> 2019-12-20T08:09:01-05:00 ab systemd[1]: phpsessionclean.service:
> Succeeded.
> 2019-12-20T08:09:01-05:00 ab systemd[1]: Started Clean php session files
>
> THIS IS THE ERROR FOUND IN STORM UI parserBolt
>
> java.lang.RuntimeException: [Metron] Message '2019-12-20T07:06:41-05:00 ab
> TESTING: Fri 20 Dec 2019 07:06:41 AM EST 2019-12-20T07:06:41-05:00 ab
> rsyslogd: action 'action-13-builtin:omfwd' resumed (module 'builtin:omfwd')
> [v8.1911.0 try https://www.rsyslog.com/e/2359 ] 2019-12-20T07:08:04-05:00
> ab TESTING: Fri 20 Dec 2019 07:08:04 AM EST 2019-12-20T07:08:05-05:00 ab
> TESTING: Fri 20 Dec 2019 07:08:05 AM EST 2019-12-20T07:08:06-05:00 ab
> TESTING: Fri 20 Dec 2019 07:08:06 AM EST 2019-12-20T07:08:06-05:00 ab
> TESTING: Fri 20 Dec 2019 07:08:06 AM EST 2019-12-20T07:08:08-05:00 ab
> TESTING: Fri 20 Dec 2019 07:08:08 AM EST 2019-12-20T07:08:08-05:00 ab
> TESTING: Fri 20 Dec 2019 07:08:08 AM EST 2019-12-20T07:08:09-05:00 ab
> TESTING: Fri 20 Dec 2019 07:08:09 AM EST 2019-12-20T07:08:09-05:00 ab
> TESTING: Fri 20 Dec 2019 07:08:09 AM EST 2019-12-20T07:09:01-05:00 ab
> CRON[3174]: pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T07:09:01-05:00 ab CRON[3175]: (root) CMD ( [ -x
> /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
> /usr/lib/php/sessionclean; fi) 2019-12-20T07:09:01-05:00 ab CRON[3174]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T07:09:01-05:00 ab systemd[1]: Starting Clean php session
> files... 2019-12-20T07:09:01-05:00 ab systemd[1]: phpsessionclean.service:
> Succeeded. 2019-12-20T07:09:01-05:00 ab systemd[1]: Started Clean php
> session files. 2019-12-20T07:10:04-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:04 AM EST 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:05 AM EST 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:05 AM EST 2019-12-20T07:10:06-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:06 AM EST 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:07 AM EST 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:07 AM EST 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:08 AM EST 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:08 AM EST 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:09 AM EST 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:09 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:10 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:10 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:10 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:11 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:11 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:11 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:12 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:12 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:12 AM EST 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:13 AM EST 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:13 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:14 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:14 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:14 AM EST 2019-12-20T07:10:15-05:00 ab systemd[1]: Stopping System
> Logging Service... 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin
> software="rsyslogd" swVersion="8.1911.0" x-pid="3071" x-info="
> https://www.rsyslog.com"] exiting on signal 15. 2019-12-20T07:10:15-05:00
> ab systemd[1]: rsyslog.service: Succeeded. 2019-12-20T07:10:15-05:00 ab
> systemd[1]: Stopped System Logging Service. 2019-12-20T07:10:15-05:00 ab
> systemd[1]: Starting System Logging Service... 2019-12-20T07:10:15-05:00 ab
> rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd
> 3) from systemd. [v8.1911.0] 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin
> software="rsyslogd" swVersion="8.1911.0" x-pid="3270" x-info="
> https://www.rsyslog.com"] start 2019-12-20T07:10:15-05:00 ab systemd[1]:
> Started System Logging Service. 2019-12-20T07:10:18-05:00 ab TESTING: Fri
> 20 Dec 2019 07:10:18 AM EST 2019-12-20T07:15:01-05:00 ab CRON[3283]:
> pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T07:15:01-05:00 ab CRON[3284]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) 2019-12-20T07:15:01-05:00 ab CRON[3283]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
> opened for user root by (uid=0) 2019-12-20T07:17:01-05:00 ab CRON[3324]:
> (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
> 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
> closed for user root 2019-12-20T07:25:01-05:00 ab CRON[3333]:
> pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T07:25:01-05:00 ab CRON[3334]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) 2019-12-20T07:25:01-05:00 ab CRON[3333]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T07:29:38-05:00 ab snapd[666]: storehelpers.go:436: cannot
> refresh: snap has no updates available: "barrier", "barrier-kvm",
> "gtk-common-themes", "notepad-plus-plus", "snapd", "wine-platform-3-stable"
> 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
> Usage Attribute: 190 Airflow_Temperature_Cel changed from 67 to 66
> 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
> Usage Attribute: 194 Temperature_Celsius changed from 110 to 109
> 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
> opened for user root by (uid=0) 2019-12-20T07:35:01-05:00 ab CRON[3451]:
> (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
> closed for user root 2019-12-20T07:39:01-05:00 ab CRON[3460]:
> pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T07:39:01-05:00 ab CRON[3461]: (root) CMD ( [ -x
> /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
> /usr/lib/php/sessionclean; fi) 2019-12-20T07:39:01-05:00 ab CRON[3460]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T07:39:01-05:00 ab systemd[1]: Starting Clean php session
> files... 2019-12-20T07:39:01-05:00 ab systemd[1]:
> phpsessionclean.service:
> Succeeded. 2019-12-20T07:39:01-05:00 ab systemd[1]: Started Clean php
> session files. 2019-12-20T07:45:01-05:00 ab CRON[3525]:
> pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T07:45:01-05:00 ab CRON[3526]: (root) CMD (command -v
> debian-sa1
> > /dev/null && debian-sa1 1 1) 2019-12-20T07:45:01-05:00 ab CRON[3525]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
> opened for user root by (uid=0) 2019-12-20T07:55:01-05:00 ab CRON[3550]:
> (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
> closed for user root 2019-12-20T08:05:01-05:00 ab CRON[3575]:
> pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T08:05:01-05:00 ab CRON[3576]: (root) CMD (command -v
> debian-sa1
> > /dev/null && debian-sa1 1 1) 2019-12-20T08:05:01-05:00 ab CRON[3575]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
> opened for user root by (uid=0) 2019-12-20T08:09:01-05:00 ab CRON[3587]:
> (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d
> /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
> 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
> closed for user root 2019-12-20T08:09:01-05:00 ab systemd[1]: Starting
> Clean php session files... 2019-12-20T08:09:01-05:00 ab systemd[1]:
> phpsessionclean.service: Succeeded. 2019-12-20T08:09:01-05:00 ab
> systemd[1]: Started Clean php session files. ' does not match pattern
> '%{CISCO_TAGGED_SYSLOG}' at
> org.apache.metron.parsers.asa.BasicAsaParser.parse(BasicAsaParser.java:184)
> at org.apache.metron.parsers.interfaces.MessageParser.parseOptional(MessageParser.java:54)
> at org.apache.metron.parsers.interfaces.MessageParser.parseOptionalResult(MessageParser.java:67)
> at org.apache.metron.parsers.ParserRunnerImpl.execute(ParserRunnerImpl.java:144)
> at org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:257)
> at org.apache.storm.daemon.executor$fn__10195$tuple_action_fn__10197.invoke(executor.clj:735)
> at org.apache.storm.daemon.executor$mk_task_receiver$fn__10114.invoke(executor.clj:466)
> at org.apache.storm.disruptor$clojure_handler$reify__4137.onEvent(disruptor.clj:40)
> at org.apache.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:472)
> at org.apache.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:451)
> at org.apache.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:73)
> at org.apache.storm.daemon.executor$fn__10195$fn__10208$fn__10263.invoke(executor.clj:855)
> at org.apache.storm.util$async_loop$fn__1221.invoke(util.clj:484)
> at clojure.lang.AFn.run(AFn.java:22)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.RuntimeException: [Metron] Message
> '2019-12-20T07:06:41-05:00 ab TESTING: Fri 20 Dec 2019 07:06:41 AM EST
> 2019-12-20T07:06:41-05:00 ab rsyslogd: action 'action-13-builtin:omfwd'
> resumed (module 'builtin:omfwd') [v8.1911.0 try
> https://www.rsyslog.com/e/2359 ] 2019-12-20T07:08:04-05:00 ab TESTING:
> Fri
> 20 Dec 2019 07:08:04 AM EST 2019-12-20T07:08:05-05:00 ab TESTING: Fri 20
> Dec 2019 07:08:05 AM EST 2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec
> 2019 07:08:06 AM EST 2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec
> 2019
> 07:08:06 AM EST 2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019
> 07:08:08 AM EST 2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019
> 07:08:08 AM EST 2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019
> 07:08:09 AM EST 2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019
> 07:08:09 AM EST 2019-12-20T07:09:01-05:00 ab CRON[3174]:
> pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T07:09:01-05:00 ab CRON[3175]: (root) CMD ( [ -x
> /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
> /usr/lib/php/sessionclean; fi) 2019-12-20T07:09:01-05:00 ab CRON[3174]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T07:09:01-05:00 ab systemd[1]: Starting Clean php session
> files... 2019-12-20T07:09:01-05:00 ab systemd[1]:
> phpsessionclean.service:
> Succeeded. 2019-12-20T07:09:01-05:00 ab systemd[1]: Started Clean php
> session files. 2019-12-20T07:10:04-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:04 AM EST 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:05 AM EST 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:05 AM EST 2019-12-20T07:10:06-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:06 AM EST 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:07 AM EST 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:07 AM EST 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:08 AM EST 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:08 AM EST 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:09 AM EST 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:09 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:10 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:10 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:10 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:11 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:11 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:11 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:12 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:12 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:12 AM EST 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:13 AM EST 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:13 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:14 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:14 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:14 AM EST 2019-12-20T07:10:15-05:00 ab systemd[1]: Stopping System
> Logging Service... 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin
> software="rsyslogd" swVersion="8.1911.0" x-pid="3071" x-info="
> https://www.rsyslog.com"] exiting on signal 15. 2019-12-20T07:10:15-05:00
> ab systemd[1]: rsyslog.service: Succeeded. 2019-12-20T07:10:15-05:00 ab
> systemd[1]: Stopped System Logging Service. 2019-12-20T07:10:15-05:00 ab
> systemd[1]: Starting System Logging Service... 2019-12-20T07:10:15-05:00
> ab
> rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog'
> (fd
> 3) from systemd. [v8.1911.0] 2019-12-20T07:10:15-05:00 ab rsyslogd:
> [origin
> software="rsyslogd" swVersion="8.1911.0" x-pid="3270" x-info="
> https://www.rsyslog.com"] start 2019-12-20T07:10:15-05:00 ab systemd[1]:
> Started System Logging Service. 2019-12-20T07:10:18-05:00 ab TESTING: Fri
> 20 Dec 2019 07:10:18 AM EST 2019-12-20T07:15:01-05:00 ab CRON[3283]:
> pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T07:15:01-05:00 ab CRON[3284]: (root) CMD (command -v
> debian-sa1
> > /dev/null && debian-sa1 1 1) 2019-12-20T07:15:01-05:00 ab CRON[3283]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
> opened for user root by (uid=0) 2019-12-20T07:17:01-05:00 ab CRON[3324]:
> (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
> 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
> closed for user root 2019-12-20T07:25:01-05:00 ab CRON[3333]:
> pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T07:25:01-05:00 ab CRON[3334]: (root) CMD (command -v
> debian-sa1
> > /dev/null && debian-sa1 1 1) 2019-12-20T07:25:01-05:00 ab CRON[3333]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T07:29:38-05:00 ab snapd[666]: storehelpers.go:436: cannot
> refresh: snap has no updates available: "barrier", "barrier-kvm",
> "gtk-common-themes", "notepad-plus-plus", "snapd", "wine-platform-3-stable"
> 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
> Usage Attribute: 190 Airflow_Temperature_Cel changed from 67 to 66
> 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
> Usage Attribute: 194 Temperature_Celsius changed from 110 to 109
> 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
> opened for user root by (uid=0) 2019-12-20T07:35:01-05:00 ab CRON[3451]:
> (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
> closed for user root 2019-12-20T07:39:01-05:00 ab CRON[3460]:
> pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T07:39:01-05:00 ab CRON[3461]: (root) CMD ( [ -x
> /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
> /usr/lib/php/sessionclean; fi) 2019-12-20T07:39:01-05:00 ab CRON[3460]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T07:39:01-05:00 ab systemd[1]: Starting Clean php session
> files... 2019-12-20T07:39:01-05:00 ab systemd[1]:
> phpsessionclean.service:
> Succeeded. 2019-12-20T07:39:01-05:00 ab systemd[1]: Started Clean php
> session files. 2019-12-20T07:45:01-05:00 ab CRON[3525]:
> pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T07:45:01-05:00 ab CRON[3526]: (root) CMD (command -v
> debian-sa1
> > /dev/null && debian-sa1 1 1) 2019-12-20T07:45:01-05:00 ab CRON[3525]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
> opened for user root by (uid=0) 2019-12-20T07:55:01-05:00 ab CRON[3550]:
> (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
> closed for user root 2019-12-20T08:05:01-05:00 ab CRON[3575]:
> pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T08:05:01-05:00 ab CRON[3576]: (root) CMD (command -v
> debian-sa1
> > /dev/null && debian-sa1 1 1) 2019-12-20T08:05:01-05:00 ab CRON[3575]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
> opened for user root by (uid=0) 2019-12-20T08:09:01-05:00 ab CRON[3587]:
> (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d
> /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
> 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
> closed for user root 2019-12-20T08:09:01-05:00 ab systemd[1]: Starting
> Clean php session files... 2019-12-20T08:09:01-05:00 ab systemd[1]:
> phpsessionclean.service: Succeeded. 2019-12-20T08:09:01-05:00 ab
> systemd[1]: Started Clean php session files. ' does not match pattern
> '%{CISCO_TAGGED_SYSLOG}' at
> org.apache.metron.parsers.asa.BasicAsaParser.parse(BasicAsaParser.java:178)
> ... 14 more
>
> i need your help???? as always
I really appreciate your reply. It works when I use the sample log on GitHub, but the problem is that I can't push ASA, WebSphere and syslog data from Kibana to the Metron Alert UI. I can see them on Kibana. Can you help me with that please???? @Otto Fowler

Re: streaming rsyslog metron using asa parser

Posted by updates on tube <ab...@gmail.com>.
On 2019/12/23 11:25:45, Otto Fowler <ot...@gmail.com> wrote: 
> That doesn’t look like ASA data.
> https://github.com/apache/metron/blob/master/metron-platform/metron-integration-test/src/main/sample/data/asa/raw/asa_raw
> 
> Are you trying to do regular syslog, or ASA?
> 
> On December 23, 2019 at 01:57:38, updates on tube (abrahamfikire@gmail.com)
> wrote:
> 
> i was trying to stream rsyslog log data to apache metron using asa parser.
> the log look like down below
> 
> 2019-12-20T07:06:41-05:00 ab TESTING: Fri 20 Dec 2019 07:06:41 AM EST
> the log 2019-12-20T07:06:41-05:00 ab rsyslogd: action
> 'action-13-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.1911.0 try
> https://www.rsyslog.com/e/2359 ]
> 2019-12-20T07:08:04-05:00 ab TESTING: Fri 20 Dec 2019 07:08:04 AM EST
> 2019-12-20T07:08:05-05:00 ab TESTING: Fri 20 Dec 2019 07:08:05 AM EST
> 2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec 2019 07:08:06 AM EST
> 2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec 2019 07:08:06 AM EST
> 2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019 07:08:08 AM EST
> 2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019 07:08:08 AM EST
> 2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019 07:08:09 AM EST
> 2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019 07:08:09 AM EST
> 2019-12-20T07:09:01-05:00 ab CRON[3174]: pam_unix(cron:session): session
> opened for user root by (uid=0)
> 2019-12-20T07:09:01-05:00 ab CRON[3175]: (root) CMD ( [ -x
> /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
> /usr/lib/php/sessionclean; fi)
> 2019-12-20T07:09:01-05:00 ab CRON[3174]: pam_unix(cron:session): session
> closed for user root
> 2019-12-20T07:09:01-05:00 ab systemd[1]: Starting Clean php session
> files...
> 2019-12-20T07:09:01-05:00 ab systemd[1]: phpsessionclean.service:
> Succeeded.
> 2019-12-20T07:09:01-05:00 ab systemd[1]: Started Clean php session files.
> 2019-12-20T07:10:04-05:00 ab TESTING: Fri 20 Dec 2019 07:10:04 AM EST
> 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019 07:10:05 AM EST
> 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019 07:10:05 AM EST
> 2019-12-20T07:10:06-05:00 ab TESTING: Fri 20 Dec 2019 07:10:06 AM EST
> 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019 07:10:07 AM EST
> 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019 07:10:07 AM EST
> 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019 07:10:08 AM EST
> 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019 07:10:08 AM EST
> 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019 07:10:09 AM EST
> 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019 07:10:09 AM EST
> 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST
> 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST
> 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST
> 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST
> 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST
> 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST
> 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST
> 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST
> 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST
> 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019 07:10:13 AM EST
> 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019 07:10:13 AM EST
> 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST
> 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST
> 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST
> 2019-12-20T07:10:15-05:00 ab systemd[1]: Stopping System Logging Service...
> 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin software="rsyslogd"
> swVersion="8.1911.0" x-pid="3071" x-info="https://www.rsyslog.com"] exiting
> on signal 15.
> 2019-12-20T07:10:15-05:00 ab systemd[1]: rsyslog.service: Succeeded.
> 2019-12-20T07:10:15-05:00 ab systemd[1]: Stopped System Logging Service.
> 2019-12-20T07:10:15-05:00 ab systemd[1]: Starting System Logging Service...
> 2019-12-20T07:10:15-05:00 ab rsyslogd: imuxsock: Acquired UNIX socket
> '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.1911.0]
> 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin software="rsyslogd"
> swVersion="8.1911.0" x-pid="3270" x-info="https://www.rsyslog.com"] start
> 2019-12-20T07:10:15-05:00 ab systemd[1]: Started System Logging Service.
> 2019-12-20T07:10:18-05:00 ab TESTING: Fri 20 Dec 2019 07:10:18 AM EST
> 2019-12-20T07:15:01-05:00 ab CRON[3283]: pam_unix(cron:session): session
> opened for user root by (uid=0)
> 2019-12-20T07:15:01-05:00 ab CRON[3284]: (root) CMD (command -v debian-sa1
> > /dev/null && debian-sa1 1 1)
> 2019-12-20T07:15:01-05:00 ab CRON[3283]: pam_unix(cron:session): session
> closed for user root
> 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
> opened for user root by (uid=0)
> 2019-12-20T07:17:01-05:00 ab CRON[3324]: (root) CMD ( cd / && run-parts
> --report /etc/cron.hourly)
> 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
> closed for user root
> 2019-12-20T07:25:01-05:00 ab CRON[3333]: pam_unix(cron:session): session
> opened for user root by (uid=0)
> 2019-12-20T07:25:01-05:00 ab CRON[3334]: (root) CMD (command -v debian-sa1
> > /dev/null && debian-sa1 1 1)
> 2019-12-20T07:25:01-05:00 ab CRON[3333]: pam_unix(cron:session): session
> closed for user root
> 2019-12-20T07:29:38-05:00 ab snapd[666]: storehelpers.go:436: cannot
> refresh: snap has no updates available: "barrier", "barrier-kvm",
> "gtk-common-themes", "notepad-plus-plus", "snapd", "wine-platform-3-stable"
> 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
> Usage Attribute: 190 Airflow_Temperature_Cel changed from 67 to 66
> 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
> Usage Attribute: 194 Temperature_Celsius changed from 110 to 109
> 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
> opened for user root by (uid=0)
> 2019-12-20T07:35:01-05:00 ab CRON[3451]: (root) CMD (command -v debian-sa1
> > /dev/null && debian-sa1 1 1)
> 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
> closed for user root
> 2019-12-20T07:39:01-05:00 ab CRON[3460]: pam_unix(cron:session): session
> opened for user root by (uid=0)
> 2019-12-20T07:39:01-05:00 ab CRON[3461]: (root) CMD ( [ -x
> /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
> /usr/lib/php/sessionclean; fi)
> 2019-12-20T07:39:01-05:00 ab CRON[3460]: pam_unix(cron:session): session
> closed for user root
> 2019-12-20T07:39:01-05:00 ab systemd[1]: Starting Clean php session
> files...
> 2019-12-20T07:39:01-05:00 ab systemd[1]: phpsessionclean.service:
> Succeeded.
> 2019-12-20T07:39:01-05:00 ab systemd[1]: Started Clean php session files.
> 2019-12-20T07:45:01-05:00 ab CRON[3525]: pam_unix(cron:session): session
> opened for user root by (uid=0)
> 2019-12-20T07:45:01-05:00 ab CRON[3526]: (root) CMD (command -v debian-sa1
> > /dev/null && debian-sa1 1 1)
> 2019-12-20T07:45:01-05:00 ab CRON[3525]: pam_unix(cron:session): session
> closed for user root
> 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
> opened for user root by (uid=0)
> 2019-12-20T07:55:01-05:00 ab CRON[3550]: (root) CMD (command -v debian-sa1
> > /dev/null && debian-sa1 1 1)
> 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
> closed for user root
> 2019-12-20T08:05:01-05:00 ab CRON[3575]: pam_unix(cron:session): session
> opened for user root by (uid=0)
> 2019-12-20T08:05:01-05:00 ab CRON[3576]: (root) CMD (command -v debian-sa1
> > /dev/null && debian-sa1 1 1)
> 2019-12-20T08:05:01-05:00 ab CRON[3575]: pam_unix(cron:session): session
> closed for user root
> 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
> opened for user root by (uid=0)
> 2019-12-20T08:09:01-05:00 ab CRON[3587]: (root) CMD ( [ -x
> /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
> /usr/lib/php/sessionclean; fi)
> 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
> closed for user root
> 2019-12-20T08:09:01-05:00 ab systemd[1]: Starting Clean php session
> files...
> 2019-12-20T08:09:01-05:00 ab systemd[1]: phpsessionclean.service:
> Succeeded.
> 2019-12-20T08:09:01-05:00 ab systemd[1]: Started Clean php session files
> 
> THIS IS THE ERROR FOUND IN STORM UI parserBolt
> 
> java.lang.RuntimeException: [Metron] Message '2019-12-20T07:06:41-05:00 ab
> TESTING: Fri 20 Dec 2019 07:06:41 AM EST 2019-12-20T07:06:41-05:00 ab
> rsyslogd: action 'action-13-builtin:omfwd' resumed (module 'builtin:omfwd')
> [v8.1911.0 try https://www.rsyslog.com/e/2359 ] 2019-12-20T07:08:04-05:00
> ab TESTING: Fri 20 Dec 2019 07:08:04 AM EST 2019-12-20T07:08:05-05:00 ab
> TESTING: Fri 20 Dec 2019 07:08:05 AM EST 2019-12-20T07:08:06-05:00 ab
> TESTING: Fri 20 Dec 2019 07:08:06 AM EST 2019-12-20T07:08:06-05:00 ab
> TESTING: Fri 20 Dec 2019 07:08:06 AM EST 2019-12-20T07:08:08-05:00 ab
> TESTING: Fri 20 Dec 2019 07:08:08 AM EST 2019-12-20T07:08:08-05:00 ab
> TESTING: Fri 20 Dec 2019 07:08:08 AM EST 2019-12-20T07:08:09-05:00 ab
> TESTING: Fri 20 Dec 2019 07:08:09 AM EST 2019-12-20T07:08:09-05:00 ab
> TESTING: Fri 20 Dec 2019 07:08:09 AM EST 2019-12-20T07:09:01-05:00 ab
> CRON[3174]: pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T07:09:01-05:00 ab CRON[3175]: (root) CMD ( [ -x
> /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
> /usr/lib/php/sessionclean; fi) 2019-12-20T07:09:01-05:00 ab CRON[3174]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T07:09:01-05:00 ab systemd[1]: Starting Clean php session
> files... 2019-12-20T07:09:01-05:00 ab systemd[1]: phpsessionclean.service:
> Succeeded. 2019-12-20T07:09:01-05:00 ab systemd[1]: Started Clean php
> session files. 2019-12-20T07:10:04-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:04 AM EST 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:05 AM EST 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:05 AM EST 2019-12-20T07:10:06-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:06 AM EST 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:07 AM EST 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:07 AM EST 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:08 AM EST 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:08 AM EST 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:09 AM EST 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:09 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:10 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:10 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:10 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:11 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:11 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:11 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:12 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:12 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:12 AM EST 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:13 AM EST 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:13 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:14 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:14 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:14 AM EST 2019-12-20T07:10:15-05:00 ab systemd[1]: Stopping System
> Logging Service... 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin
> software="rsyslogd" swVersion="8.1911.0" x-pid="3071" x-info="
> https://www.rsyslog.com"] exiting on signal 15. 2019-12-20T07:10:15-05:00
> ab systemd[1]: rsyslog.service: Succeeded. 2019-12-20T07:10:15-05:00 ab
> systemd[1]: Stopped System Logging Service. 2019-12-20T07:10:15-05:00 ab
> systemd[1]: Starting System Logging Service... 2019-12-20T07:10:15-05:00 ab
> rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd
> 3) from systemd. [v8.1911.0] 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin
> software="rsyslogd" swVersion="8.1911.0" x-pid="3270" x-info="
> https://www.rsyslog.com"] start 2019-12-20T07:10:15-05:00 ab systemd[1]:
> Started System Logging Service. 2019-12-20T07:10:18-05:00 ab TESTING: Fri
> 20 Dec 2019 07:10:18 AM EST 2019-12-20T07:15:01-05:00 ab CRON[3283]:
> pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T07:15:01-05:00 ab CRON[3284]: (root) CMD (command -v debian-sa1
> > /dev/null && debian-sa1 1 1) 2019-12-20T07:15:01-05:00 ab CRON[3283]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
> opened for user root by (uid=0) 2019-12-20T07:17:01-05:00 ab CRON[3324]:
> (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
> 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
> closed for user root 2019-12-20T07:25:01-05:00 ab CRON[3333]:
> pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T07:25:01-05:00 ab CRON[3334]: (root) CMD (command -v debian-sa1
> > /dev/null && debian-sa1 1 1) 2019-12-20T07:25:01-05:00 ab CRON[3333]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T07:29:38-05:00 ab snapd[666]: storehelpers.go:436: cannot
> refresh: snap has no updates available: "barrier", "barrier-kvm",
> "gtk-common-themes", "notepad-plus-plus", "snapd", "wine-platform-3-stable"
> 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
> Usage Attribute: 190 Airflow_Temperature_Cel changed from 67 to 66
> 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
> Usage Attribute: 194 Temperature_Celsius changed from 110 to 109
> 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
> opened for user root by (uid=0) 2019-12-20T07:35:01-05:00 ab CRON[3451]:
> (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
> closed for user root 2019-12-20T07:39:01-05:00 ab CRON[3460]:
> pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T07:39:01-05:00 ab CRON[3461]: (root) CMD ( [ -x
> /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
> /usr/lib/php/sessionclean; fi) 2019-12-20T07:39:01-05:00 ab CRON[3460]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T07:39:01-05:00 ab systemd[1]: Starting Clean php session
> files... 2019-12-20T07:39:01-05:00 ab systemd[1]: phpsessionclean.service:
> Succeeded. 2019-12-20T07:39:01-05:00 ab systemd[1]: Started Clean php
> session files. 2019-12-20T07:45:01-05:00 ab CRON[3525]:
> pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T07:45:01-05:00 ab CRON[3526]: (root) CMD (command -v debian-sa1
> > /dev/null && debian-sa1 1 1) 2019-12-20T07:45:01-05:00 ab CRON[3525]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
> opened for user root by (uid=0) 2019-12-20T07:55:01-05:00 ab CRON[3550]:
> (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
> closed for user root 2019-12-20T08:05:01-05:00 ab CRON[3575]:
> pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T08:05:01-05:00 ab CRON[3576]: (root) CMD (command -v debian-sa1
> > /dev/null && debian-sa1 1 1) 2019-12-20T08:05:01-05:00 ab CRON[3575]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
> opened for user root by (uid=0) 2019-12-20T08:09:01-05:00 ab CRON[3587]:
> (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d
> /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
> 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
> closed for user root 2019-12-20T08:09:01-05:00 ab systemd[1]: Starting
> Clean php session files... 2019-12-20T08:09:01-05:00 ab systemd[1]:
> phpsessionclean.service: Succeeded. 2019-12-20T08:09:01-05:00 ab
> systemd[1]: Started Clean php session files. ' does not match pattern
> '%{CISCO_TAGGED_SYSLOG}' at
> org.apache.metron.parsers.asa.BasicAsaParser.parse(BasicAsaParser.java:184)
> at
> org.apache.metron.parsers.interfaces.MessageParser.parseOptional(MessageParser.java:54)
> at
> org.apache.metron.parsers.interfaces.MessageParser.parseOptionalResult(MessageParser.java:67)
> at
> org.apache.metron.parsers.ParserRunnerImpl.execute(ParserRunnerImpl.java:144)
> at org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:257)
> at
> org.apache.storm.daemon.executor$fn__10195$tuple_action_fn__10197.invoke(executor.clj:735)
> at
> org.apache.storm.daemon.executor$mk_task_receiver$fn__10114.invoke(executor.clj:466)
> at
> org.apache.storm.disruptor$clojure_handler$reify__4137.onEvent(disruptor.clj:40)
> at
> org.apache.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:472)
> at
> org.apache.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:451)
> at
> org.apache.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:73)
> at
> org.apache.storm.daemon.executor$fn__10195$fn__10208$fn__10263.invoke(executor.clj:855)
> at org.apache.storm.util$async_loop$fn__1221.invoke(util.clj:484) at
> clojure.lang.AFn.run(AFn.java:22) at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.RuntimeException: [Metron] Message
> '2019-12-20T07:06:41-05:00 ab TESTING: Fri 20 Dec 2019 07:06:41 AM EST
> 2019-12-20T07:06:41-05:00 ab rsyslogd: action 'action-13-builtin:omfwd'
> resumed (module 'builtin:omfwd') [v8.1911.0 try
> https://www.rsyslog.com/e/2359 ] 2019-12-20T07:08:04-05:00 ab TESTING: Fri
> 20 Dec 2019 07:08:04 AM EST 2019-12-20T07:08:05-05:00 ab TESTING: Fri 20
> Dec 2019 07:08:05 AM EST 2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec
> 2019 07:08:06 AM EST 2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec 2019
> 07:08:06 AM EST 2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019
> 07:08:08 AM EST 2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019
> 07:08:08 AM EST 2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019
> 07:08:09 AM EST 2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019
> 07:08:09 AM EST 2019-12-20T07:09:01-05:00 ab CRON[3174]:
> pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T07:09:01-05:00 ab CRON[3175]: (root) CMD ( [ -x
> /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
> /usr/lib/php/sessionclean; fi) 2019-12-20T07:09:01-05:00 ab CRON[3174]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T07:09:01-05:00 ab systemd[1]: Starting Clean php session
> files... 2019-12-20T07:09:01-05:00 ab systemd[1]: phpsessionclean.service:
> Succeeded. 2019-12-20T07:09:01-05:00 ab systemd[1]: Started Clean php
> session files. 2019-12-20T07:10:04-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:04 AM EST 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:05 AM EST 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:05 AM EST 2019-12-20T07:10:06-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:06 AM EST 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:07 AM EST 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:07 AM EST 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:08 AM EST 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:08 AM EST 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:09 AM EST 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:09 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:10 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:10 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:10 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:11 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:11 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:11 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:12 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:12 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:12 AM EST 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:13 AM EST 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:13 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:14 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:14 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
> 07:10:14 AM EST 2019-12-20T07:10:15-05:00 ab systemd[1]: Stopping System
> Logging Service... 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin
> software="rsyslogd" swVersion="8.1911.0" x-pid="3071" x-info="
> https://www.rsyslog.com"] exiting on signal 15. 2019-12-20T07:10:15-05:00
> ab systemd[1]: rsyslog.service: Succeeded. 2019-12-20T07:10:15-05:00 ab
> systemd[1]: Stopped System Logging Service. 2019-12-20T07:10:15-05:00 ab
> systemd[1]: Starting System Logging Service... 2019-12-20T07:10:15-05:00 ab
> rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd
> 3) from systemd. [v8.1911.0] 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin
> software="rsyslogd" swVersion="8.1911.0" x-pid="3270" x-info="
> https://www.rsyslog.com"] start 2019-12-20T07:10:15-05:00 ab systemd[1]:
> Started System Logging Service. 2019-12-20T07:10:18-05:00 ab TESTING: Fri
> 20 Dec 2019 07:10:18 AM EST 2019-12-20T07:15:01-05:00 ab CRON[3283]:
> pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T07:15:01-05:00 ab CRON[3284]: (root) CMD (command -v debian-sa1
> > /dev/null && debian-sa1 1 1) 2019-12-20T07:15:01-05:00 ab CRON[3283]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
> opened for user root by (uid=0) 2019-12-20T07:17:01-05:00 ab CRON[3324]:
> (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
> 2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
> closed for user root 2019-12-20T07:25:01-05:00 ab CRON[3333]:
> pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T07:25:01-05:00 ab CRON[3334]: (root) CMD (command -v debian-sa1
> > /dev/null && debian-sa1 1 1) 2019-12-20T07:25:01-05:00 ab CRON[3333]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T07:29:38-05:00 ab snapd[666]: storehelpers.go:436: cannot
> refresh: snap has no updates available: "barrier", "barrier-kvm",
> "gtk-common-themes", "notepad-plus-plus", "snapd", "wine-platform-3-stable"
> 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
> Usage Attribute: 190 Airflow_Temperature_Cel changed from 67 to 66
> 2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
> Usage Attribute: 194 Temperature_Celsius changed from 110 to 109
> 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
> opened for user root by (uid=0) 2019-12-20T07:35:01-05:00 ab CRON[3451]:
> (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> 2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
> closed for user root 2019-12-20T07:39:01-05:00 ab CRON[3460]:
> pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T07:39:01-05:00 ab CRON[3461]: (root) CMD ( [ -x
> /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
> /usr/lib/php/sessionclean; fi) 2019-12-20T07:39:01-05:00 ab CRON[3460]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T07:39:01-05:00 ab systemd[1]: Starting Clean php session
> files... 2019-12-20T07:39:01-05:00 ab systemd[1]: phpsessionclean.service:
> Succeeded. 2019-12-20T07:39:01-05:00 ab systemd[1]: Started Clean php
> session files. 2019-12-20T07:45:01-05:00 ab CRON[3525]:
> pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T07:45:01-05:00 ab CRON[3526]: (root) CMD (command -v debian-sa1
> > /dev/null && debian-sa1 1 1) 2019-12-20T07:45:01-05:00 ab CRON[3525]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
> opened for user root by (uid=0) 2019-12-20T07:55:01-05:00 ab CRON[3550]:
> (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> 2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
> closed for user root 2019-12-20T08:05:01-05:00 ab CRON[3575]:
> pam_unix(cron:session): session opened for user root by (uid=0)
> 2019-12-20T08:05:01-05:00 ab CRON[3576]: (root) CMD (command -v debian-sa1
> > /dev/null && debian-sa1 1 1) 2019-12-20T08:05:01-05:00 ab CRON[3575]:
> pam_unix(cron:session): session closed for user root
> 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
> opened for user root by (uid=0) 2019-12-20T08:09:01-05:00 ab CRON[3587]:
> (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d
> /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
> 2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
> closed for user root 2019-12-20T08:09:01-05:00 ab systemd[1]: Starting
> Clean php session files... 2019-12-20T08:09:01-05:00 ab systemd[1]:
> phpsessionclean.service: Succeeded. 2019-12-20T08:09:01-05:00 ab
> systemd[1]: Started Clean php session files. ' does not match pattern
> '%{CISCO_TAGGED_SYSLOG}'
> at org.apache.metron.parsers.asa.BasicAsaParser.parse(BasicAsaParser.java:178)
> ... 14 more
> 
> I need your help, as always.
> I really appreciate your reply. It works when I use the sample log on GitHub, but the problem is that I can't push ASA, WebSphere and syslog data from Kibana to the Metron Alerts UI. I can see them on Kibana. Can you help me with that, please? @Otto Fowler

Re: streaming rsyslog metron using asa parser

Posted by Otto Fowler <ot...@gmail.com>.
That doesn’t look like ASA data.
https://github.com/apache/metron/blob/master/metron-platform/metron-integration-test/src/main/sample/data/asa/raw/asa_raw

Are you trying to do regular syslog, or ASA?

On December 23, 2019 at 01:57:38, updates on tube (abrahamfikire@gmail.com)
wrote:

I was trying to stream rsyslog log data to Apache Metron using the ASA parser.
The log looks like this:

2019-12-20T07:06:41-05:00 ab TESTING: Fri 20 Dec 2019 07:06:41 AM EST
the log 2019-12-20T07:06:41-05:00 ab rsyslogd: action
'action-13-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.1911.0 try
https://www.rsyslog.com/e/2359 ]
2019-12-20T07:08:04-05:00 ab TESTING: Fri 20 Dec 2019 07:08:04 AM EST
2019-12-20T07:08:05-05:00 ab TESTING: Fri 20 Dec 2019 07:08:05 AM EST
2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec 2019 07:08:06 AM EST
2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec 2019 07:08:06 AM EST
2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019 07:08:08 AM EST
2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019 07:08:08 AM EST
2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019 07:08:09 AM EST
2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019 07:08:09 AM EST
2019-12-20T07:09:01-05:00 ab CRON[3174]: pam_unix(cron:session): session
opened for user root by (uid=0)
2019-12-20T07:09:01-05:00 ab CRON[3175]: (root) CMD ( [ -x
/usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
/usr/lib/php/sessionclean; fi)
2019-12-20T07:09:01-05:00 ab CRON[3174]: pam_unix(cron:session): session
closed for user root
2019-12-20T07:09:01-05:00 ab systemd[1]: Starting Clean php session
files...
2019-12-20T07:09:01-05:00 ab systemd[1]: phpsessionclean.service:
Succeeded.
2019-12-20T07:09:01-05:00 ab systemd[1]: Started Clean php session files.
2019-12-20T07:10:04-05:00 ab TESTING: Fri 20 Dec 2019 07:10:04 AM EST
2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019 07:10:05 AM EST
2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019 07:10:05 AM EST
2019-12-20T07:10:06-05:00 ab TESTING: Fri 20 Dec 2019 07:10:06 AM EST
2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019 07:10:07 AM EST
2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019 07:10:07 AM EST
2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019 07:10:08 AM EST
2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019 07:10:08 AM EST
2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019 07:10:09 AM EST
2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019 07:10:09 AM EST
2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST
2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST
2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019 07:10:10 AM EST
2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST
2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST
2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019 07:10:11 AM EST
2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST
2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST
2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019 07:10:12 AM EST
2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019 07:10:13 AM EST
2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019 07:10:13 AM EST
2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST
2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST
2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019 07:10:14 AM EST
2019-12-20T07:10:15-05:00 ab systemd[1]: Stopping System Logging Service...
2019-12-20T07:10:15-05:00 ab rsyslogd: [origin software="rsyslogd"
swVersion="8.1911.0" x-pid="3071" x-info="https://www.rsyslog.com"] exiting
on signal 15.
2019-12-20T07:10:15-05:00 ab systemd[1]: rsyslog.service: Succeeded.
2019-12-20T07:10:15-05:00 ab systemd[1]: Stopped System Logging Service.
2019-12-20T07:10:15-05:00 ab systemd[1]: Starting System Logging Service...
2019-12-20T07:10:15-05:00 ab rsyslogd: imuxsock: Acquired UNIX socket
'/run/systemd/journal/syslog' (fd 3) from systemd. [v8.1911.0]
2019-12-20T07:10:15-05:00 ab rsyslogd: [origin software="rsyslogd"
swVersion="8.1911.0" x-pid="3270" x-info="https://www.rsyslog.com"] start
2019-12-20T07:10:15-05:00 ab systemd[1]: Started System Logging Service.
2019-12-20T07:10:18-05:00 ab TESTING: Fri 20 Dec 2019 07:10:18 AM EST
2019-12-20T07:15:01-05:00 ab CRON[3283]: pam_unix(cron:session): session
opened for user root by (uid=0)
2019-12-20T07:15:01-05:00 ab CRON[3284]: (root) CMD (command -v debian-sa1
> /dev/null && debian-sa1 1 1)
2019-12-20T07:15:01-05:00 ab CRON[3283]: pam_unix(cron:session): session
closed for user root
2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
opened for user root by (uid=0)
2019-12-20T07:17:01-05:00 ab CRON[3324]: (root) CMD ( cd / && run-parts
--report /etc/cron.hourly)
2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
closed for user root
2019-12-20T07:25:01-05:00 ab CRON[3333]: pam_unix(cron:session): session
opened for user root by (uid=0)
2019-12-20T07:25:01-05:00 ab CRON[3334]: (root) CMD (command -v debian-sa1
> /dev/null && debian-sa1 1 1)
2019-12-20T07:25:01-05:00 ab CRON[3333]: pam_unix(cron:session): session
closed for user root
2019-12-20T07:29:38-05:00 ab snapd[666]: storehelpers.go:436: cannot
refresh: snap has no updates available: "barrier", "barrier-kvm",
"gtk-common-themes", "notepad-plus-plus", "snapd", "wine-platform-3-stable"
2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
Usage Attribute: 190 Airflow_Temperature_Cel changed from 67 to 66
2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
Usage Attribute: 194 Temperature_Celsius changed from 110 to 109
2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
opened for user root by (uid=0)
2019-12-20T07:35:01-05:00 ab CRON[3451]: (root) CMD (command -v debian-sa1
> /dev/null && debian-sa1 1 1)
2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
closed for user root
2019-12-20T07:39:01-05:00 ab CRON[3460]: pam_unix(cron:session): session
opened for user root by (uid=0)
2019-12-20T07:39:01-05:00 ab CRON[3461]: (root) CMD ( [ -x
/usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
/usr/lib/php/sessionclean; fi)
2019-12-20T07:39:01-05:00 ab CRON[3460]: pam_unix(cron:session): session
closed for user root
2019-12-20T07:39:01-05:00 ab systemd[1]: Starting Clean php session
files...
2019-12-20T07:39:01-05:00 ab systemd[1]: phpsessionclean.service:
Succeeded.
2019-12-20T07:39:01-05:00 ab systemd[1]: Started Clean php session files.
2019-12-20T07:45:01-05:00 ab CRON[3525]: pam_unix(cron:session): session
opened for user root by (uid=0)
2019-12-20T07:45:01-05:00 ab CRON[3526]: (root) CMD (command -v debian-sa1
> /dev/null && debian-sa1 1 1)
2019-12-20T07:45:01-05:00 ab CRON[3525]: pam_unix(cron:session): session
closed for user root
2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
opened for user root by (uid=0)
2019-12-20T07:55:01-05:00 ab CRON[3550]: (root) CMD (command -v debian-sa1
> /dev/null && debian-sa1 1 1)
2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
closed for user root
2019-12-20T08:05:01-05:00 ab CRON[3575]: pam_unix(cron:session): session
opened for user root by (uid=0)
2019-12-20T08:05:01-05:00 ab CRON[3576]: (root) CMD (command -v debian-sa1
> /dev/null && debian-sa1 1 1)
2019-12-20T08:05:01-05:00 ab CRON[3575]: pam_unix(cron:session): session
closed for user root
2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
opened for user root by (uid=0)
2019-12-20T08:09:01-05:00 ab CRON[3587]: (root) CMD ( [ -x
/usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
/usr/lib/php/sessionclean; fi)
2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
closed for user root
2019-12-20T08:09:01-05:00 ab systemd[1]: Starting Clean php session
files...
2019-12-20T08:09:01-05:00 ab systemd[1]: phpsessionclean.service:
Succeeded.
2019-12-20T08:09:01-05:00 ab systemd[1]: Started Clean php session files

This is the error found in the Storm UI (parserBolt):

java.lang.RuntimeException: [Metron] Message '2019-12-20T07:06:41-05:00 ab
TESTING: Fri 20 Dec 2019 07:06:41 AM EST 2019-12-20T07:06:41-05:00 ab
rsyslogd: action 'action-13-builtin:omfwd' resumed (module 'builtin:omfwd')
[v8.1911.0 try https://www.rsyslog.com/e/2359 ] 2019-12-20T07:08:04-05:00
ab TESTING: Fri 20 Dec 2019 07:08:04 AM EST 2019-12-20T07:08:05-05:00 ab
TESTING: Fri 20 Dec 2019 07:08:05 AM EST 2019-12-20T07:08:06-05:00 ab
TESTING: Fri 20 Dec 2019 07:08:06 AM EST 2019-12-20T07:08:06-05:00 ab
TESTING: Fri 20 Dec 2019 07:08:06 AM EST 2019-12-20T07:08:08-05:00 ab
TESTING: Fri 20 Dec 2019 07:08:08 AM EST 2019-12-20T07:08:08-05:00 ab
TESTING: Fri 20 Dec 2019 07:08:08 AM EST 2019-12-20T07:08:09-05:00 ab
TESTING: Fri 20 Dec 2019 07:08:09 AM EST 2019-12-20T07:08:09-05:00 ab
TESTING: Fri 20 Dec 2019 07:08:09 AM EST 2019-12-20T07:09:01-05:00 ab
CRON[3174]: pam_unix(cron:session): session opened for user root by (uid=0)
2019-12-20T07:09:01-05:00 ab CRON[3175]: (root) CMD ( [ -x
/usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
/usr/lib/php/sessionclean; fi) 2019-12-20T07:09:01-05:00 ab CRON[3174]:
pam_unix(cron:session): session closed for user root
2019-12-20T07:09:01-05:00 ab systemd[1]: Starting Clean php session
files... 2019-12-20T07:09:01-05:00 ab systemd[1]: phpsessionclean.service:
Succeeded. 2019-12-20T07:09:01-05:00 ab systemd[1]: Started Clean php
session files. 2019-12-20T07:10:04-05:00 ab TESTING: Fri 20 Dec 2019
07:10:04 AM EST 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019
07:10:05 AM EST 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019
07:10:05 AM EST 2019-12-20T07:10:06-05:00 ab TESTING: Fri 20 Dec 2019
07:10:06 AM EST 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019
07:10:07 AM EST 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019
07:10:07 AM EST 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019
07:10:08 AM EST 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019
07:10:08 AM EST 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019
07:10:09 AM EST 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019
07:10:09 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
07:10:10 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
07:10:10 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
07:10:10 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
07:10:11 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
07:10:11 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
07:10:11 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
07:10:12 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
07:10:12 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
07:10:12 AM EST 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019
07:10:13 AM EST 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019
07:10:13 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
07:10:14 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
07:10:14 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
07:10:14 AM EST 2019-12-20T07:10:15-05:00 ab systemd[1]: Stopping System
Logging Service... 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin
software="rsyslogd" swVersion="8.1911.0" x-pid="3071" x-info="
https://www.rsyslog.com"] exiting on signal 15. 2019-12-20T07:10:15-05:00
ab systemd[1]: rsyslog.service: Succeeded. 2019-12-20T07:10:15-05:00 ab
systemd[1]: Stopped System Logging Service. 2019-12-20T07:10:15-05:00 ab
systemd[1]: Starting System Logging Service... 2019-12-20T07:10:15-05:00 ab
rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd
3) from systemd. [v8.1911.0] 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin
software="rsyslogd" swVersion="8.1911.0" x-pid="3270" x-info="
https://www.rsyslog.com"] start 2019-12-20T07:10:15-05:00 ab systemd[1]:
Started System Logging Service. 2019-12-20T07:10:18-05:00 ab TESTING: Fri
20 Dec 2019 07:10:18 AM EST 2019-12-20T07:15:01-05:00 ab CRON[3283]:
pam_unix(cron:session): session opened for user root by (uid=0)
2019-12-20T07:15:01-05:00 ab CRON[3284]: (root) CMD (command -v debian-sa1
> /dev/null && debian-sa1 1 1) 2019-12-20T07:15:01-05:00 ab CRON[3283]:
pam_unix(cron:session): session closed for user root
2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
opened for user root by (uid=0) 2019-12-20T07:17:01-05:00 ab CRON[3324]:
(root) CMD ( cd / && run-parts --report /etc/cron.hourly)
2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
closed for user root 2019-12-20T07:25:01-05:00 ab CRON[3333]:
pam_unix(cron:session): session opened for user root by (uid=0)
2019-12-20T07:25:01-05:00 ab CRON[3334]: (root) CMD (command -v debian-sa1
> /dev/null && debian-sa1 1 1) 2019-12-20T07:25:01-05:00 ab CRON[3333]:
pam_unix(cron:session): session closed for user root
2019-12-20T07:29:38-05:00 ab snapd[666]: storehelpers.go:436: cannot
refresh: snap has no updates available: "barrier", "barrier-kvm",
"gtk-common-themes", "notepad-plus-plus", "snapd", "wine-platform-3-stable"
2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
Usage Attribute: 190 Airflow_Temperature_Cel changed from 67 to 66
2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
Usage Attribute: 194 Temperature_Celsius changed from 110 to 109
2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
opened for user root by (uid=0) 2019-12-20T07:35:01-05:00 ab CRON[3451]:
(root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
closed for user root 2019-12-20T07:39:01-05:00 ab CRON[3460]:
pam_unix(cron:session): session opened for user root by (uid=0)
2019-12-20T07:39:01-05:00 ab CRON[3461]: (root) CMD ( [ -x
/usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
/usr/lib/php/sessionclean; fi) 2019-12-20T07:39:01-05:00 ab CRON[3460]:
pam_unix(cron:session): session closed for user root
2019-12-20T07:39:01-05:00 ab systemd[1]: Starting Clean php session
files... 2019-12-20T07:39:01-05:00 ab systemd[1]: phpsessionclean.service:
Succeeded. 2019-12-20T07:39:01-05:00 ab systemd[1]: Started Clean php
session files. 2019-12-20T07:45:01-05:00 ab CRON[3525]:
pam_unix(cron:session): session opened for user root by (uid=0)
2019-12-20T07:45:01-05:00 ab CRON[3526]: (root) CMD (command -v debian-sa1
> /dev/null && debian-sa1 1 1) 2019-12-20T07:45:01-05:00 ab CRON[3525]:
pam_unix(cron:session): session closed for user root
2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
opened for user root by (uid=0) 2019-12-20T07:55:01-05:00 ab CRON[3550]:
(root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
closed for user root 2019-12-20T08:05:01-05:00 ab CRON[3575]:
pam_unix(cron:session): session opened for user root by (uid=0)
2019-12-20T08:05:01-05:00 ab CRON[3576]: (root) CMD (command -v debian-sa1
> /dev/null && debian-sa1 1 1) 2019-12-20T08:05:01-05:00 ab CRON[3575]:
pam_unix(cron:session): session closed for user root
2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
opened for user root by (uid=0) 2019-12-20T08:09:01-05:00 ab CRON[3587]:
(root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d
/run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
closed for user root 2019-12-20T08:09:01-05:00 ab systemd[1]: Starting
Clean php session files... 2019-12-20T08:09:01-05:00 ab systemd[1]:
phpsessionclean.service: Succeeded. 2019-12-20T08:09:01-05:00 ab
systemd[1]: Started Clean php session files. ' does not match pattern
'%{CISCO_TAGGED_SYSLOG}'
at org.apache.metron.parsers.asa.BasicAsaParser.parse(BasicAsaParser.java:184)
at org.apache.metron.parsers.interfaces.MessageParser.parseOptional(MessageParser.java:54)
at org.apache.metron.parsers.interfaces.MessageParser.parseOptionalResult(MessageParser.java:67)
at org.apache.metron.parsers.ParserRunnerImpl.execute(ParserRunnerImpl.java:144)
at org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:257)
at org.apache.storm.daemon.executor$fn__10195$tuple_action_fn__10197.invoke(executor.clj:735)
at org.apache.storm.daemon.executor$mk_task_receiver$fn__10114.invoke(executor.clj:466)
at org.apache.storm.disruptor$clojure_handler$reify__4137.onEvent(disruptor.clj:40)
at org.apache.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:472)
at org.apache.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:451)
at org.apache.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:73)
at org.apache.storm.daemon.executor$fn__10195$fn__10208$fn__10263.invoke(executor.clj:855)
at org.apache.storm.util$async_loop$fn__1221.invoke(util.clj:484)
at clojure.lang.AFn.run(AFn.java:22)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.RuntimeException: [Metron] Message
'2019-12-20T07:06:41-05:00 ab TESTING: Fri 20 Dec 2019 07:06:41 AM EST
2019-12-20T07:06:41-05:00 ab rsyslogd: action 'action-13-builtin:omfwd'
resumed (module 'builtin:omfwd') [v8.1911.0 try
https://www.rsyslog.com/e/2359 ] 2019-12-20T07:08:04-05:00 ab TESTING: Fri
20 Dec 2019 07:08:04 AM EST 2019-12-20T07:08:05-05:00 ab TESTING: Fri 20
Dec 2019 07:08:05 AM EST 2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec
2019 07:08:06 AM EST 2019-12-20T07:08:06-05:00 ab TESTING: Fri 20 Dec 2019
07:08:06 AM EST 2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019
07:08:08 AM EST 2019-12-20T07:08:08-05:00 ab TESTING: Fri 20 Dec 2019
07:08:08 AM EST 2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019
07:08:09 AM EST 2019-12-20T07:08:09-05:00 ab TESTING: Fri 20 Dec 2019
07:08:09 AM EST 2019-12-20T07:09:01-05:00 ab CRON[3174]:
pam_unix(cron:session): session opened for user root by (uid=0)
2019-12-20T07:09:01-05:00 ab CRON[3175]: (root) CMD ( [ -x
/usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
/usr/lib/php/sessionclean; fi) 2019-12-20T07:09:01-05:00 ab CRON[3174]:
pam_unix(cron:session): session closed for user root
2019-12-20T07:09:01-05:00 ab systemd[1]: Starting Clean php session
files... 2019-12-20T07:09:01-05:00 ab systemd[1]: phpsessionclean.service:
Succeeded. 2019-12-20T07:09:01-05:00 ab systemd[1]: Started Clean php
session files. 2019-12-20T07:10:04-05:00 ab TESTING: Fri 20 Dec 2019
07:10:04 AM EST 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019
07:10:05 AM EST 2019-12-20T07:10:05-05:00 ab TESTING: Fri 20 Dec 2019
07:10:05 AM EST 2019-12-20T07:10:06-05:00 ab TESTING: Fri 20 Dec 2019
07:10:06 AM EST 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019
07:10:07 AM EST 2019-12-20T07:10:07-05:00 ab TESTING: Fri 20 Dec 2019
07:10:07 AM EST 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019
07:10:08 AM EST 2019-12-20T07:10:08-05:00 ab TESTING: Fri 20 Dec 2019
07:10:08 AM EST 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019
07:10:09 AM EST 2019-12-20T07:10:09-05:00 ab TESTING: Fri 20 Dec 2019
07:10:09 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
07:10:10 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
07:10:10 AM EST 2019-12-20T07:10:10-05:00 ab TESTING: Fri 20 Dec 2019
07:10:10 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
07:10:11 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
07:10:11 AM EST 2019-12-20T07:10:11-05:00 ab TESTING: Fri 20 Dec 2019
07:10:11 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
07:10:12 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
07:10:12 AM EST 2019-12-20T07:10:12-05:00 ab TESTING: Fri 20 Dec 2019
07:10:12 AM EST 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019
07:10:13 AM EST 2019-12-20T07:10:13-05:00 ab TESTING: Fri 20 Dec 2019
07:10:13 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
07:10:14 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
07:10:14 AM EST 2019-12-20T07:10:14-05:00 ab TESTING: Fri 20 Dec 2019
07:10:14 AM EST 2019-12-20T07:10:15-05:00 ab systemd[1]: Stopping System
Logging Service... 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin
software="rsyslogd" swVersion="8.1911.0" x-pid="3071" x-info="
https://www.rsyslog.com"] exiting on signal 15. 2019-12-20T07:10:15-05:00
ab systemd[1]: rsyslog.service: Succeeded. 2019-12-20T07:10:15-05:00 ab
systemd[1]: Stopped System Logging Service. 2019-12-20T07:10:15-05:00 ab
systemd[1]: Starting System Logging Service... 2019-12-20T07:10:15-05:00 ab
rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd
3) from systemd. [v8.1911.0] 2019-12-20T07:10:15-05:00 ab rsyslogd: [origin
software="rsyslogd" swVersion="8.1911.0" x-pid="3270" x-info="
https://www.rsyslog.com"] start 2019-12-20T07:10:15-05:00 ab systemd[1]:
Started System Logging Service. 2019-12-20T07:10:18-05:00 ab TESTING: Fri
20 Dec 2019 07:10:18 AM EST 2019-12-20T07:15:01-05:00 ab CRON[3283]:
pam_unix(cron:session): session opened for user root by (uid=0)
2019-12-20T07:15:01-05:00 ab CRON[3284]: (root) CMD (command -v debian-sa1
> /dev/null && debian-sa1 1 1) 2019-12-20T07:15:01-05:00 ab CRON[3283]:
pam_unix(cron:session): session closed for user root
2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
opened for user root by (uid=0) 2019-12-20T07:17:01-05:00 ab CRON[3324]:
(root) CMD ( cd / && run-parts --report /etc/cron.hourly)
2019-12-20T07:17:01-05:00 ab CRON[3323]: pam_unix(cron:session): session
closed for user root 2019-12-20T07:25:01-05:00 ab CRON[3333]:
pam_unix(cron:session): session opened for user root by (uid=0)
2019-12-20T07:25:01-05:00 ab CRON[3334]: (root) CMD (command -v debian-sa1
> /dev/null && debian-sa1 1 1) 2019-12-20T07:25:01-05:00 ab CRON[3333]:
pam_unix(cron:session): session closed for user root
2019-12-20T07:29:38-05:00 ab snapd[666]: storehelpers.go:436: cannot
refresh: snap has no updates available: "barrier", "barrier-kvm",
"gtk-common-themes", "notepad-plus-plus", "snapd", "wine-platform-3-stable"
2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
Usage Attribute: 190 Airflow_Temperature_Cel changed from 67 to 66
2019-12-20T07:34:26-05:00 ab smartd[665]: Device: /dev/sda [SAT], SMART
Usage Attribute: 194 Temperature_Celsius changed from 110 to 109
2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
opened for user root by (uid=0) 2019-12-20T07:35:01-05:00 ab CRON[3451]:
(root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
2019-12-20T07:35:01-05:00 ab CRON[3450]: pam_unix(cron:session): session
closed for user root 2019-12-20T07:39:01-05:00 ab CRON[3460]:
pam_unix(cron:session): session opened for user root by (uid=0)
2019-12-20T07:39:01-05:00 ab CRON[3461]: (root) CMD ( [ -x
/usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then
/usr/lib/php/sessionclean; fi) 2019-12-20T07:39:01-05:00 ab CRON[3460]:
pam_unix(cron:session): session closed for user root
2019-12-20T07:39:01-05:00 ab systemd[1]: Starting Clean php session
files... 2019-12-20T07:39:01-05:00 ab systemd[1]: phpsessionclean.service:
Succeeded. 2019-12-20T07:39:01-05:00 ab systemd[1]: Started Clean php
session files. 2019-12-20T07:45:01-05:00 ab CRON[3525]:
pam_unix(cron:session): session opened for user root by (uid=0)
2019-12-20T07:45:01-05:00 ab CRON[3526]: (root) CMD (command -v debian-sa1
> /dev/null && debian-sa1 1 1) 2019-12-20T07:45:01-05:00 ab CRON[3525]:
pam_unix(cron:session): session closed for user root
2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
opened for user root by (uid=0) 2019-12-20T07:55:01-05:00 ab CRON[3550]:
(root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
2019-12-20T07:55:01-05:00 ab CRON[3549]: pam_unix(cron:session): session
closed for user root 2019-12-20T08:05:01-05:00 ab CRON[3575]:
pam_unix(cron:session): session opened for user root by (uid=0)
2019-12-20T08:05:01-05:00 ab CRON[3576]: (root) CMD (command -v debian-sa1
> /dev/null && debian-sa1 1 1) 2019-12-20T08:05:01-05:00 ab CRON[3575]:
pam_unix(cron:session): session closed for user root
2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
opened for user root by (uid=0) 2019-12-20T08:09:01-05:00 ab CRON[3587]:
(root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d
/run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
2019-12-20T08:09:01-05:00 ab CRON[3586]: pam_unix(cron:session): session
closed for user root 2019-12-20T08:09:01-05:00 ab systemd[1]: Starting
Clean php session files... 2019-12-20T08:09:01-05:00 ab systemd[1]:
phpsessionclean.service: Succeeded. 2019-12-20T08:09:01-05:00 ab
systemd[1]: Started Clean php session files. ' does not match pattern
'%{CISCO_TAGGED_SYSLOG}'
at org.apache.metron.parsers.asa.BasicAsaParser.parse(BasicAsaParser.java:178)
... 14 more

I need your help, as always.
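A pre-flight check for the two problems visible in the stack trace above, added here as an example and not code from the thread or from the Metron project. The string handed to BasicAsaParser is the whole rsyslog file concatenated into one message rather than one record per message, and none of its lines carry the Cisco ASA header that %{CISCO_TAGGED_SYSLOG} requires: a syslog priority, a Cisco-style timestamp, an optional host, and a %ASA-<severity>-<id>: tag. The regex below is a Python approximation of that grok header written for this example (the colon between host and tag is accepted as optional, which is an assumption, not a quote of Metron's pattern file); the CRON line is taken from the thread, and the ASA line is constructed in the shape of a 302015 message. Run it over each Kafka message before it reaches the asa parser topic.

```python
import re

# Python approximation of the grok header the Metron ASA parser requires
# (CISCO_TAGGED_SYSLOG). Written for this example; the colon between host
# and tag is treated as optional, an assumption rather than a quote of the
# Metron pattern file. Shape: <PRI>Mon DD [YYYY] HH:MM:SS [host] [:] %TAG-SEV-ID:
ASA_HEADER = re.compile(
    r"^<(?P<syslog_pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} +\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}(?:\.\d+)?)"
    r"(?: (?P<sysloghost>[\w.\-]+))?"
    r"(?: ?:)?"
    r" %(?P<ciscotag>[A-Z0-9]+-\d+-[A-Z0-9_]+):"
)

# One CRON line taken from the thread, one ASA line constructed in the shape
# of an ASA-6-302015 message (both are sample input, not captured traffic).
RSYSLOG_LINE = ("2019-12-20T07:09:01-05:00 ab CRON[3174]: pam_unix(cron:session): "
                "session opened for user root by (uid=0)")
ASA_LINE = ("<174>Jan  5 14:52:35 10.22.8.212 : %ASA-6-302015: Built inbound UDP "
            "connection 76245506 for outside:10.22.8.110/49886 (10.22.8.110/49886) "
            "to inside:192.111.72.8/8612 (192.111.72.8/8612)")


def asa_header(line):
    """Return the parsed ASA header fields, or None when the line lacks them."""
    m = ASA_HEADER.match(line)
    return m.groupdict() if m else None


def is_asa_message(line):
    """True when a single syslog line carries the Cisco ASA tagged header."""
    return asa_header(line) is not None


def split_batch(message):
    """Split one Kafka message into the syslog records it contains.

    The stack trace in the thread shows a whole file arriving as one
    message; the ASA parser is handed that string as a single record.
    """
    return [r for r in message.splitlines() if r.strip()]


def preflight(message):
    """Classify one Kafka message before it is sent to the asa parser topic.

    'records' > 1 means the producer batched several lines into one
    message; 'asa_like' == 0 means this is plain syslog, not ASA output;
    'would_parse' is True only for a single record with an ASA header.
    """
    records = split_batch(message)
    asa_like = sum(1 for r in records if is_asa_message(r))
    return {
        "records": len(records),
        "asa_like": asa_like,
        "would_parse": len(records) == 1 and asa_like == 1,
    }


if __name__ == "__main__":
    for label, msg in [("single rsyslog line", RSYSLOG_LINE),
                       ("single ASA line", ASA_LINE),
                       ("rsyslog file as one message", "\n".join([RSYSLOG_LINE] * 3))]:
        print(label, preflight(msg))
```

A message that reports records > 1 has to be split so that each syslog line arrives as its own Kafka record; the error above shows the whole file arriving as one. A message with asa_like == 0 is plain Linux syslog and belongs on a syslog-style parser rather than the ASA parser, which is the point of Otto's reply. Lines in the format of the asa_raw sample he links to should pass this check.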