PoC for new Audiocodes filter

[gedia]

Hello all,

I'm uploading here an attempt at creating a more robust (for my use case) filter for audiocodes. The one available in the next branch doesn't seem to work with the Audiocodes SBC version I have access to (7.20A.256.721), and it wasn't reliable when I tweaked it a bit to overcome some obvious parsing issues.

Compared to the existing filter, this PoC

• Doesn't handle all cases yet (e.g. media reports)
• Doesn't support autodiscovery of IPs (but it's trivial to add)
• Has only been tested/developed for version 7.20A.256.721
• Regexes may need to be adjusted for other versions
• Uses older newline replacement of \n instead of \r\n (pre-commit b5af708ffa5be36e0f89e76fd485608e2c4f2d7c)
• Assumes no packet loss, messages arriving in order, but other than that the holding/merging/dissecting syslog messages logic seems more robust now

To anyone interested in working on this, here's the logic behind it. Syslog messages from Audiocodes SBC are expected to conform to the following structure:

____________________________
[S= xxxxxxxxxx](always) [SID= xxxxxxxxxx](optional) [BID= xxxxxxxxxx](optional) (N  xxxxxxxxxx)(optional) msg1

(N  xxxxxxxxxx) S= is unique to each syslog msg, may contain multiple N

(N  xxxxxxxxxx) Beginning of SIP message is indicated immediately after an N (instead of this text) and is indicated by a preamble similar to ` ---- Incoming SIP Message from IP:PORT to SIPInterface #0 (ALIAS) UDP TO(#0) ---- `
____________________________
[S= xxxxxxxxxx](always) [SID= xxxxxxxxxx](optional) [BID= xxxxxxxxxx](optional) (N  xxxxxxxxxx)(optional) msg2: SIP message preamble may be found in the first syslog line (this one, instead of this text as well). In this case, the N parameter is not optional.

(N  xxxxxxxxxx) Presence of a new N occurence following the SIP message preamble in last N can be assumed to be a delimiter for the SIP message: this is a new syslog entry

(N  xxxxxxxxxx) ---- Incoming SIP Message from IP:PORT to SIPInterface #0 (ALIAS) UDP TO(#0) ---- preamble may be found at the end of a syslog message ([S= xxxxxxxxxx] entry). In this case the message itself will be carried in the next syslog msg.
____________________________
[S= xxxxxxxxxx](always) [SID= xxxxxxxxxx] same rules apply, until we find a new (N xxxxxxxxxx) entry, consider this a part of the SIP message preambled by the last ---- Incoming/Outgoing occurence
____________________________
[S= xxxxxxxxxx](always) [SID= xxxxxxxxxx] still no N found, so this text may be part of the same SIP message introduced two syslog messages ago

(N  xxxxxxxxxx) ---- New N line, this is a new syslog entry. If is carries SIP, it should include the preamble.
____________________________

filter_app_audiocodes_new.txt

[lmangani]

Thanks @gedia for sharing this! We really appreciate you taking the time to share this with the community. @Dletta has been working on a new parser for some weeks so he'll check this out and see if there's any element we should consider for the new universal parser. Would you be willing to give it a try and help consolidate some details?

[gedia]

Sure, ping me and I'll give it a try

[Dletta]

@gedia I put together a branch for reassembly, some of your changes I had already added in (such as the regex parser for all versions)

Thank you for confirming my hunch there.

Could you checkout my branch and see if it works for you and your use case?