imperva / incapsula-logs-downloader

A Python script for downloading log files from Incapsula
MIT License

Added the date and host for each Syslog message #29

Closed CodingFree closed 3 years ago

CodingFree commented 3 years ago

According to Microsoft's documentation, they are not able to process the Syslog messages because they must follow the following expression:

(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)

Therefore, I have used the start and sourceServiceName fields to append them before the CEF message starts.

Since this only happens with Syslog messages, because it is a regular expression included in the security_events.conf file, there is no need to append it for CustomLog messages; only for Syslog messages.
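As an added illustration (not code from the repository or this PR), the snippet below builds the `<time> <host>` prefix the comment describes from the `start` and `sourceServiceName` fields and checks the result against Microsoft's expression; the sample CEF line is constructed, and treating `start` as epoch milliseconds and `sourceServiceName` as the host are assumptions.

```python
import re
from datetime import datetime, timezone

# Microsoft's expression from the PR, rewritten with Python's (?P<name>...) group syntax.
SYSLOG_CEF_RE = re.compile(
    r"(?P<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*"
    r"(?:(?P<host>[^: ]+) ?:?)?\s*"
    r"(?P<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?"
    r"(?P<message>0\|.*|.*)"
)

# Constructed sample in the shape of an Incapsula CEF event (not a real log line).
SAMPLE_CEF = (
    "CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| "
    "sourceServiceName=www.example.com siteid=123456 start=1460303400000 "
    "src=198.51.100.7 requestMethod=GET"
)


def cef_extension_field(cef_line, key):
    """Return the value of `key=value` from the CEF extension, or None if absent."""
    m = re.search(r"(?:^|\s)" + re.escape(key) + r"=(\S+)", cef_line)
    return m.group(1) if m else None


def add_syslog_header(cef_line):
    """Prefix a CEF line with an ISO 8601 timestamp and a host, as the PR describes.

    Assumptions: `start` holds epoch milliseconds and `sourceServiceName` is the
    site hostname. A line missing either field is rejected rather than emitted
    without a header, so the caller can decide how to handle it.
    """
    start_ms = cef_extension_field(cef_line, "start")
    host = cef_extension_field(cef_line, "sourceServiceName")
    if start_ms is None or host is None:
        raise ValueError("CEF line lacks start= or sourceServiceName=")
    ts = datetime.fromtimestamp(int(start_ms) // 1000, tz=timezone.utc)
    return f"{ts.isoformat()} {host} {cef_line}"


def parse_syslog_cef(line):
    """Apply Microsoft's expression; return the named groups, or None when it does not match."""
    m = SYSLOG_CEF_RE.match(line)
    return m.groupdict() if m else None
```

The bare CEF line does not match the expression at all, while the prefixed line yields the `time`, `host`, `ident` and `message` groups the collector expects.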

CodingFree commented 3 years ago

I have also renamed Settings.config to Settings.config.example. This way, every time someone does a pull, they will not see their configuration being overwritten.

CodingFree commented 3 years ago

Nevermind, ignore this PR. If I'm not wrong, the date should be added by the Syslog facility itself; it was not a good idea to modify the Syslog message.