From 1344076d7e1b54de326a7c413dfbf8824008bd03 Mon Sep 17 00:00:00 2001 From: PKing70 <39703314+PKing70@users.noreply.github.com> Date: Thu, 11 Apr 2019 10:43:56 -0700 Subject: [PATCH 01/26] Revise README Add Java and Splunk versions tested for compatibility https://jira.splunk.com/browse/DVPL-7485 --- README.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/README.md b/README.md index d06cbf02..f1b53e90 100644 --- a/README.md +++ b/README.md @@ -16,6 +16,21 @@ Splunk logging for Java provides: * Support for batching events (sent to HTTP Event Collector only). +### Requirements + +Here's what you need to get going with Splunk logging for Java. + +#### Splunk + +If you haven't already installed Splunk, download it +[here](http://www.splunk.com/download). For more about installing and running +Splunk and system requirements, see +[Installing & Running Splunk](http://dev.splunk.com/view/SP-CAAADRV). Splunk logging for Java is tested with Splunk Enterprise 7.0 and 7.2. + +#### Java + +You'll need Java version 7 or higher, from [OpenJDK](https://openjdk.java.net) or [Oracle](https://www.oracle.com/technetwork/java). + ## Documentation and resources * For more information about installing and using Splunk logging for Java, see From 6b7fc210631c9987afaa3e488761efa9c54b236e Mon Sep 17 00:00:00 2001 From: Shakeel Mohamed Date: Wed, 8 May 2019 12:38:45 -0700 Subject: [PATCH 02/26] send correct error list in postEventsAsync --- src/main/java/com/splunk/logging/HttpEventCollectorSender.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java index 39ff893a..3753941b 100644 --- a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java +++ b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java 
@@ -351,7 +351,7 @@ public void completed(int statusCode, String reply) { @Override public void failed(Exception ex) { HttpEventCollectorErrorHandler.error( - eventsBatch, + events, new HttpEventCollectorErrorHandler.ServerErrorException(ex.getMessage())); if (close) { sender.stopHttpClient(); From 3f17a3d79902d392faa58a5c63fe79cab3fc0e3e Mon Sep 17 00:00:00 2001 From: Shakeel Mohamed Date: Wed, 8 May 2019 13:20:21 -0700 Subject: [PATCH 03/26] Remove unnecessary path in test log4j2 config --- src/test/resources/log4j2.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/test/resources/log4j2.xml b/src/test/resources/log4j2.xml index ec3d55eb..27edabbb 100644 --- a/src/test/resources/log4j2.xml +++ b/src/test/resources/log4j2.xml @@ -33,7 +33,7 @@ under the License. Date: Tue, 14 May 2019 11:58:57 -0700 Subject: [PATCH 04/26] update CI password --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index deb12632..fcd13cfc 100644 --- a/.travis.yml +++ b/.travis.yml @@ -10,7 +10,7 @@ before_install: # Create .splunkrc file with default credentials - echo host=localhost >> $HOME/.splunkrc - echo username=admin >> $HOME/.splunkrc - - echo password=changeme >> $HOME/.splunkrc + - echo password=changed! >> $HOME/.splunkrc # Set env vars for TCP/UDP tests (we've punched these through Docker) - export TEST_TCP_PORT=10667 - export TEST_UDP_PORT=10668 From c495bce2fab2244cd5a8ffc312dc4653371dbc6a Mon Sep 17 00:00:00 2001 
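Review bot: The `.splunkrc` written in `before_install` now carries a fixed plaintext admin password that lives in version control (`echo password=changed! >> $HOME/.splunkrc`), and the file is created through `>>` with whatever the default umask allows. Even for a throwaway Docker instance a password committed to the tree tends to be reused elsewhere, so reading it from an encrypted CI variable keeps it out of the repository, e.g. `- echo password=${SPLUNK_PASSWORD:-changed!} >> $HOME/.splunkrc` followed by `- chmod 600 $HOME/.splunkrc`. The Splunk container this value must match is configured outside this hunk, so presumably the two settings need to move together.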
From: Mikhail Dobrinin Date: Mon, 15 Jul 2019 22:01:09 -0500 Subject: [PATCH 05/26] Changing log4j depependencies to "provided" scope. These dependencies are needed in this project to test HEC communication through appenders in different logging frameworks. However, they are not needed at runtime, and in fact are expected to be provided by the consuming app. This change reduces the footprint of the consuming apps by not including log4j as a transitive dependency. This commit resolves issue #103. --- pom.xml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pom.xml b/pom.xml index a7da2093..b9c5a77c 100644 --- a/pom.xml +++ b/pom.xml @@ -209,12 +209,14 @@ org.apache.logging.log4j log4j-api 2.10.0 + provided org.apache.logging.log4j log4j-core 2.10.0 + provided From e1b7462a073216ddad66a872c3f5478b75271d6e Mon Sep 17 00:00:00 2001 From: Ciaran Kearney Date: Thu, 12 Sep 2019 15:29:49 +0100 Subject: [PATCH 06/26] Added option to use set system properties in inner HTTP client --- README.md | 2 +- pom.xml | 2 +- src/main/java/com/splunk/logging/HttpEventCollectorSender.java | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f511c269..49575602 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Splunk Logging for Java -#### Version 1.7.3 +#### Version 1.7.4 Splunk logging for Java enables you to log events to HTTP Event Collector or to a TCP input on a Splunk Enterprise instance within your Java applications. You can use three major Java logging frameworks: [Logback](http://logback.qos.ch), [Log4j 2](http://logging.apache.org/log4j/2.x/), and [java.util.logging](https://docs.oracle.com/javase/7/docs/api/java/util/logging/package-summary.html). Splunk logging for Java is also enabled for [Simple Logging Facade for Java (SLF4J)](http://www.slf4j.org). diff --git a/pom.xml b/pom.xml index a7da2093..65e539e9 100644 --- a/pom.xml +++ b/pom.xml 
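Review bot: Switching log4j-api and log4j-core to `provided` scope means the `2.10.0` pin now governs only this project's test classpath, while the consuming application becomes responsible for the log4j-core version that actually runs the appender, and that contract is stated in the commit message but nowhere in the tree. A comment above the dependency, `<!-- provided: the consuming app supplies log4j-core; 2.10.0 is only the version exercised by the tests -->`, plus a README sentence saying the same would make it explicit. Keeping the test pin on a maintained 2.x line also matters now that 2.10.0 is far behind the releases that fixed the JNDI-lookup issues in log4j-core (CVE-2021-44228 and follow-ups), since a bump here is the only place the appender gets re-exercised against what consumers actually run.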
@@ -6,7 +6,7 @@ com.splunk.logging splunk-library-javalogging - 1.7.3 + 1.7.4 jar Splunk Logging for Java diff --git a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java index 39ff893a..f9ed7aa1 100644 --- a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java +++ b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java @@ -292,6 +292,7 @@ private void startHttpClient() { // create an http client that validates certificates httpClient = HttpAsyncClients.custom() .setDefaultRequestConfig(RequestConfig.custom().setCookieSpec(CookieSpecs.STANDARD).build()) + .useSystemProperties() .setMaxConnTotal(maxConnTotal) .build(); } else { From 7e3f42db4feeb10f3b7620f1339f6d291f6eddb2 Mon Sep 17 00:00:00 2001 From: Mathias Bachl Date: Wed, 18 Sep 2019 14:35:27 +0200 Subject: [PATCH 07/26] only add THROWABLE_STACKTRACE_ELEMENTS field if stacktraceDepth is greater than 0 --- src/main/java/com/splunk/logging/SplunkCimLogEvent.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/main/java/com/splunk/logging/SplunkCimLogEvent.java b/src/main/java/com/splunk/logging/SplunkCimLogEvent.java index 9cd2ee84..ea0cdb53 100644 --- a/src/main/java/com/splunk/logging/SplunkCimLogEvent.java +++ b/src/main/java/com/splunk/logging/SplunkCimLogEvent.java @@ -114,7 +114,9 @@ public void addThrowableWithStacktrace(Throwable throwable, int stacktraceDepth) sb.append(elements[depth].toString()); } - addField(THROWABLE_STACKTRACE_ELEMENTS, sb.toString()); + if (stacktraceDepth > 0) { + addField(THROWABLE_STACKTRACE_ELEMENTS, sb.toString()); + } } private static final Pattern DOUBLE_QUOTE = Pattern.compile("\""); From 4233147742044940c700cfe5ca702fc5e074c6e7 Mon Sep 17 00:00:00 2001 
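Review bot: `.useSystemProperties()` is added only to the certificate-validating builder, so proxy and `javax.net.ssl.*` system properties are honored when validation is on but silently ignored on the `disableCertificateValidation` path that begins at the `} else {` closing this hunk. If that asymmetry is intended it deserves a comment such as `// system properties are deliberately not applied when certificate validation is disabled`; otherwise the same call belongs on the second `HttpAsyncClients.custom()` chain so both branches behave alike. The README change for 1.7.4 does not say which properties are now read, so a sentence naming `http.proxyHost`/`https.proxyHost` support would help users. startHttpClient's body continues outside this hunk.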
From: Mathias Bachl Date: Mon, 21 Oct 2019 17:39:02 +0200 Subject: [PATCH 08/26] use null-safe string conversion --- src/main/java/com/splunk/logging/SplunkCimLogEvent.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/com/splunk/logging/SplunkCimLogEvent.java b/src/main/java/com/splunk/logging/SplunkCimLogEvent.java index ea0cdb53..09e70f39 100644 --- a/src/main/java/com/splunk/logging/SplunkCimLogEvent.java +++ b/src/main/java/com/splunk/logging/SplunkCimLogEvent.java @@ -131,7 +131,7 @@ public String toString() { } else { first = false; } - String value = entries.get(key).toString(); + String value = String.valueOf(entries.get(key)); // Escape any " that appear in the key or value. key = DOUBLE_QUOTE.matcher(key).replaceAll("\\\\\""); From f73d593ef0555ee725d6a1bf452444171cd402c0 Mon Sep 17 00:00:00 2001 From: snorwin Date: Wed, 4 Dec 2019 14:07:00 +0000 Subject: [PATCH 09/26] Replace Apache HttpClient with OkHttpClient --- pom.xml | 12 +- .../logging/HttpEventCollectorSender.java | 156 ++++++++---------- 2 files changed, 68 insertions(+), 100 deletions(-) diff --git a/pom.xml b/pom.xml index b9c5a77c..f102b77f 100644 --- a/pom.xml +++ b/pom.xml @@ -194,15 +194,9 @@ - org.apache.httpcomponents - httpclient - 4.5.5 - - - - org.apache.httpcomponents - httpasyncclient - 4.1.3 + com.squareup.okhttp3 + okhttp + 3.12.2 diff --git a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java index 1c382551..4fea8472 100644 --- a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java +++ b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java 
@@ -18,33 +18,20 @@ * under the License. */ -import org.apache.http.HttpResponse; -import org.apache.http.client.config.CookieSpecs; -import org.apache.http.client.config.RequestConfig; -import org.apache.http.client.methods.HttpPost; -import org.apache.http.concurrent.FutureCallback; -import org.apache.http.conn.ssl.SSLConnectionSocketFactory; -import org.apache.http.conn.ssl.SSLContexts; -import org.apache.http.conn.ssl.TrustStrategy; -import org.apache.http.entity.StringEntity; -import org.apache.http.impl.nio.client.CloseableHttpAsyncClient; -import org.apache.http.impl.nio.client.HttpAsyncClients; -import org.apache.http.util.EntityUtils; +import okhttp3.*; import org.json.simple.JSONObject; -import javax.net.ssl.SSLContext; +import javax.net.ssl.*; import java.io.IOException; import java.io.Serializable; -import java.security.cert.X509Certificate; +import java.security.cert.CertificateException; import java.util.Dictionary; import java.util.Timer; import java.util.TimerTask; import java.util.List; import java.util.LinkedList; import java.util.Map; -import java.util.Locale; - /** @@ -94,7 +81,7 @@ public enum SendMode private Timer timer; private List eventsBatch = new LinkedList(); private long eventsBatchSize = 0; // estimated total size of events batch - private CloseableHttpAsyncClient httpClient; + private static OkHttpClient httpClient = null; private boolean disableCertificateValidation = false; private SendMode sendMode = SendMode.Sequential; private HttpEventCollectorMiddleware middleware = new HttpEventCollectorMiddleware(); 
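Review bot: Making the client `private static OkHttpClient httpClient = null;` shares one instance across every HttpEventCollectorSender in the JVM, while `disableCertificateValidation` and `sendMode` on the lines just below remain per-instance fields. Since startHttpClient returns early when the field is already set (visible in this patch's later hunk), the first sender to start appears to fix the TLS-verification and dispatcher settings for all later senders, so an appender configured with validation disabled could end up on a verifying client and fail, or the reverse. Either drop `static` (`private OkHttpClient httpClient;`) or share one base client and derive per-sender variants with `httpClient.newBuilder()`; the wildcard imports `okhttp3.*` and `javax.net.ssl.*` added above are also worth spelling out to match this file's explicit-import style.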
@@ -198,14 +185,8 @@ public synchronized void send(final String message) { * Flush all pending events */ public synchronized void flush() { - flush(false); - } - - public synchronized void flush(boolean close) { if (eventsBatch.size() > 0) { - postEventsAsync(eventsBatch, close); - } else if (close) { - this.stopHttpClient(); + postEventsAsync(eventsBatch); } // Clear the batch. A new list should be created because events are // sending asynchronously and "previous" instance of eventsBatch object @@ -214,6 +195,11 @@ public synchronized void flush(boolean close) { eventsBatchSize = 0; } + @Deprecated + public synchronized void flush(boolean close) { + flush(); + } + /** * Close events sender */ 
@@ -285,56 +271,55 @@ private void startHttpClient() { // http client is already started return; } - // limit max number of async requests in sequential mode, 0 means "use - // default limit" - int maxConnTotal = sendMode == SendMode.Sequential ? 1 : 0; - if (! disableCertificateValidation) { - // create an http client that validates certificates - httpClient = HttpAsyncClients.custom() - .setDefaultRequestConfig(RequestConfig.custom().setCookieSpec(CookieSpecs.STANDARD).build()) - .useSystemProperties() - .setMaxConnTotal(maxConnTotal) - .build(); - } else { - // create strategy that accepts all certificates - TrustStrategy acceptingTrustStrategy = new TrustStrategy() { - public boolean isTrusted(X509Certificate[] certificate, - String type) { - return true; - } - }; - SSLContext sslContext = null; - try { - sslContext = SSLContexts.custom().loadTrustMaterial( - null, acceptingTrustStrategy).build(); - httpClient = HttpAsyncClients.custom() - .setDefaultRequestConfig(RequestConfig.custom().setCookieSpec(CookieSpecs.STANDARD).build()) - .setMaxConnTotal(maxConnTotal) - .setHostnameVerifier(SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER) - .setSSLContext(sslContext) - .build(); - } catch (Exception e) { } + + OkHttpClient.Builder builder = new OkHttpClient.Builder(); + + // limit max number of async requests in sequential mode + if (sendMode == SendMode.Sequential) { + Dispatcher dispatcher = new Dispatcher(); + dispatcher.setMaxRequestsPerHost(1); + builder.dispatcher(dispatcher); } - httpClient.start(); - } - // Currently we never close http client. This method is added for symmetry - // with startHttpClient. 
- private void stopHttpClient() throws SecurityException { - if (httpClient != null) { + if (disableCertificateValidation) { + final TrustManager[] trustAllCerts = new TrustManager[]{ + new X509TrustManager() { + @Override + public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException { + } + + @Override + public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException { + } + + @Override + public java.security.cert.X509Certificate[] getAcceptedIssuers() { + return new java.security.cert.X509Certificate[]{}; + } + } + }; + try { - httpClient.close(); - } catch (IOException e) { } - httpClient = null; + // install the all-trusting trust manager + final SSLContext sslContext = SSLContext.getInstance("SSL"); + sslContext.init(null, trustAllCerts, new java.security.SecureRandom()); + // create an ssl socket factory with the all-trusting manager + final SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory(); + builder.sslSocketFactory(sslSocketFactory, (X509TrustManager) trustAllCerts[0]); + } catch (Exception ignored) { /* nop */ } + + builder.hostnameVerifier(new HostnameVerifier() { + @Override + public boolean verify(String hostname, SSLSession session) { + return true; + } + }); } - } - private void postEventsAsync(final List events) { - postEventsAsync(events, false); + httpClient = builder.build(); } - private void postEventsAsync(final List events, final boolean close) { - final HttpEventCollectorSender sender = this; + private void postEventsAsync(final List events) { this.middleware.postEvents(events, this, new HttpEventCollectorMiddleware.IHttpSenderCallback() { @Override @@ -344,9 +329,6 @@ public void completed(int statusCode, String reply) { events, new HttpEventCollectorErrorHandler.ServerErrorException(reply)); } - if (close) { - sender.stopHttpClient(); - } } @Override 
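Review bot: In the `disableCertificateValidation` branch a failure to build the all-trusting `SSLContext` is swallowed by `catch (Exception ignored) { /* nop */ }`, yet the permissive `HostnameVerifier` is still installed afterwards, leaving a client that verifies certificates but not hostnames, with no log line saying that peer verification is off. Replace the swallow with `} catch (NoSuchAlgorithmException | KeyManagementException e) { throw new IllegalStateException("could not disable TLS certificate validation", e); }` and move the `builder.hostnameVerifier(...)` call inside the same `try` so both overrides succeed or fail together. A comment at the top of the branch, e.g. `// WARNING: TLS peer verification is disabled; the collector's identity is not checked`, belongs here because this is where the weakening happens, and the caller-facing Javadoc for `disableCertificateValidation` should say the same. The method's opening lines are outside this hunk.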
@@ -354,9 +336,6 @@ public void failed(Exception ex) {
 HttpEventCollectorErrorHandler.error(
 events,
 new HttpEventCollectorErrorHandler.ServerErrorException(ex.getMessage()));
- if (close) {
- sender.stopHttpClient();
- }
 }
 });
 }
@@ -364,31 +343,29 @@ public void failed(Exception ex) { public void postEvents(final List events, final HttpEventCollectorMiddleware.IHttpSenderCallback callback) { startHttpClient(); // make sure http client is started - final String encoding = "utf-8"; // convert events list into a string StringBuilder eventsBatchString = new StringBuilder(); for (HttpEventCollectorEventInfo eventInfo : events) eventsBatchString.append(serializeEventInfo(eventInfo)); // create http request - final HttpPost httpPost = new HttpPost(url); - httpPost.setHeader( - AuthorizationHeaderTag, - String.format(AuthorizationHeaderScheme, token)); + Request.Builder requestBldr = new Request.Builder() + .url(url) + .addHeader(AuthorizationHeaderTag, String.format(AuthorizationHeaderScheme, token)) + .post(RequestBody.create(MediaType.parse(HttpContentType), eventsBatchString.toString())); + if ("Raw".equalsIgnoreCase(type) && channel != null && !channel.trim().equals("")) { - httpPost.setHeader(SPLUNKREQUESTCHANNELTag, channel); + requestBldr.addHeader(SPLUNKREQUESTCHANNELTag, channel); } - StringEntity entity = new StringEntity(eventsBatchString.toString(), encoding); - entity.setContentType(HttpContentType); - httpPost.setEntity(entity); - httpClient.execute(httpPost, new FutureCallback() { + + httpClient.newCall(requestBldr.build()).enqueue(new Callback() { @Override - public void completed(HttpResponse response) { + public void onResponse(Call call, final Response response) { String reply = ""; - int httpStatusCode = response.getStatusLine().getStatusCode(); + int httpStatusCode = response.code(); // read reply only in case of a server error - if (httpStatusCode != 200) { + if (httpStatusCode != 200 && response.body() != null) { try { - reply = EntityUtils.toString(response.getEntity(), encoding); + reply = response.body().string(); } catch (IOException e) { reply = e.getMessage(); } 
@@ -397,12 +374,9 @@ public void completed(HttpResponse response) { } @Override - public void failed(Exception ex) { + public void onFailure(Call call, IOException ex) { callback.failed(ex); } - - @Override - public void cancelled() {} }); } } From 263bc662c8b6897c6dbca15a1d48347a9b05b7a0 Mon Sep 17 00:00:00 2001 From: snorwin Date: Wed, 4 Dec 2019 15:57:10 +0100 Subject: [PATCH 10/26] Use of a stronger protocol in the SSL context --- src/main/java/com/splunk/logging/HttpEventCollectorSender.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java index 4fea8472..305daa71 100644 --- a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java +++ b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java @@ -301,7 +301,7 @@ public java.security.cert.X509Certificate[] getAcceptedIssuers() { try { // install the all-trusting trust manager - final SSLContext sslContext = SSLContext.getInstance("SSL"); + final SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); sslContext.init(null, trustAllCerts, new java.security.SecureRandom()); // create an ssl socket factory with the all-trusting manager final SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory(); From 8c4fd030ce6e6baea616e4913e9fb13baa914a2c Mon Sep 17 00:00:00 2001 From: snorwin Date: Wed, 4 Dec 2019 17:05:16 +0100 Subject: [PATCH 11/26] Update OkHttp version --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index f102b77f..c52b2274 100644 --- a/pom.xml +++ b/pom.xml @@ -196,7 +196,7 @@ com.squareup.okhttp3 okhttp - 3.12.2 + 3.14.3 From 17ece749d12d44e375c558e30ceecb614f488a55 Mon Sep 17 00:00:00 2001 
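Review bot: `SSLContext.getInstance("TLSv1.2")` only affects the `disableCertificateValidation` branch, so the protocol floor it implies never applies to the default, certificate-validating client built earlier in startHttpClient, and on newer JDKs a context named for 1.2 may also keep this path from negotiating TLS 1.3. Enforcing the protocol set through OkHttp's `ConnectionSpec` (a `builder.connectionSpecs(...)` call placed before the branch) would make both paths agree; with that in place `SSLContext.getInstance("TLS")` here is sufficient. The enclosing method starts and ends outside this hunk.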
From: snorwin Date: Thu, 5 Dec 2019 12:40:31 +0100 Subject: [PATCH 12/26] Change expected error message in the tests --- src/test/java/HttpEventCollector_JavaLoggingTest.java | 2 +- src/test/java/HttpEventCollector_Log4j2Test.java | 2 +- src/test/java/HttpEventCollector_LogbackTest.java | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/test/java/HttpEventCollector_JavaLoggingTest.java b/src/test/java/HttpEventCollector_JavaLoggingTest.java index 1ba3b967..77588ba3 100644 --- a/src/test/java/HttpEventCollector_JavaLoggingTest.java +++ b/src/test/java/HttpEventCollector_JavaLoggingTest.java @@ -343,7 +343,7 @@ public void error(final List data, final Exception Assert.assertEquals(1, errors.size()); System.out.println(logEx.toString()); - if (!(logEx.toString().contains("Connection refused") || logEx.toString().contains("Connection closed"))) + if (!(logEx.toString().contains("Failed to connect to"))) Assert.fail(String.format("Unexpected error message '%s'", logEx.toString())); } diff --git a/src/test/java/HttpEventCollector_Log4j2Test.java b/src/test/java/HttpEventCollector_Log4j2Test.java index 6bcaacfd..f42a0d9b 100644 --- a/src/test/java/HttpEventCollector_Log4j2Test.java +++ b/src/test/java/HttpEventCollector_Log4j2Test.java @@ -328,7 +328,7 @@ public void error(final List data, final Exception Assert.assertTrue(errors.size() >= 1); System.out.println(logEx.toString()); - if (!(logEx.toString().contains("Connection refused") || logEx.toString().contains("Connection closed"))) + if (!(logEx.toString().contains("Failed to connect to"))) Assert.fail(String.format("Unexpected error message '%s'", logEx.toString())); } diff --git a/src/test/java/HttpEventCollector_LogbackTest.java b/src/test/java/HttpEventCollector_LogbackTest.java index 4f7b0367..8b148138 100644 --- a/src/test/java/HttpEventCollector_LogbackTest.java +++ b/src/test/java/HttpEventCollector_LogbackTest.java 
@@ -320,7 +320,7 @@ public void error(final List data, final Exception Assert.assertEquals(1, errors.size()); System.out.println(logEx.toString()); - if (!(logEx.toString().contains("Connection refused") || logEx.toString().contains("Connection closed"))) + if (!(logEx.toString().contains("Failed to connect to"))) Assert.fail(String.format("Unexpected error message '%s'", logEx.toString())); } From 5963740e957623f3befef4b24ba8947641747375 Mon Sep 17 00:00:00 2001 From: snorwin Date: Thu, 5 Dec 2019 12:46:24 +0100 Subject: [PATCH 13/26] Close the response body to avoid leakage of resources --- pom.xml | 13 +++++++++++++ .../splunk/logging/HttpEventCollectorSender.java | 12 +++++++----- 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/pom.xml b/pom.xml index c52b2274..18786397 100644 --- a/pom.xml +++ b/pom.xml @@ -241,6 +241,19 @@ + + + + org.apache.maven.plugins + maven-compiler-plugin + + 8 + 8 + + + + + The Apache Software License, Version 2.0 diff --git a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java index 305daa71..c824e5c9 100644 --- a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java +++ b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java @@ -363,11 +363,13 @@ public void onResponse(Call call, final Response response) { String reply = ""; int httpStatusCode = response.code(); // read reply only in case of a server error - if (httpStatusCode != 200 && response.body() != null) { - try { - reply = response.body().string(); - } catch (IOException e) { - reply = e.getMessage(); + try (ResponseBody body = response.body()) { + if (httpStatusCode != 200 && body != null) { + try { + reply = body.string(); + } catch (IOException e) { + reply = e.getMessage(); + } } } callback.completed(httpStatusCode, reply); From 478af1f9f7341c227bbc804c48f28453f6ada561 Mon Sep 17 00:00:00 2001 
From: snorwin Date: Thu, 5 Dec 2019 14:22:01 +0100 Subject: [PATCH 14/26] Change the use of flush() in HttpEventCollectorSender::close() --- src/main/java/com/splunk/logging/HttpEventCollectorSender.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java index c824e5c9..6bc4ae9a 100644 --- a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java +++ b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java @@ -206,7 +206,7 @@ public synchronized void flush(boolean close) { void close() { if (timer != null) timer.cancel(); - flush(true); + flush(); super.cancel(); } From 7a29636c04c24d4928c72d0fa2b247bb1cbbf75d Mon Sep 17 00:00:00 2001 From: snorwin Date: Thu, 5 Dec 2019 14:45:45 +0100 Subject: [PATCH 15/26] Set Java version to 1.8 --- pom.xml | 16 ---------------- .../splunk/logging/HttpEventCollectorSender.java | 7 +------ 2 files changed, 1 insertion(+), 22 deletions(-) diff --git a/pom.xml b/pom.xml index 18786397..91d447bc 100644 --- a/pom.xml +++ b/pom.xml @@ -28,14 +28,6 @@ - - maven-compiler-plugin - 3.1 - - 1.6 - 1.6 - - biz.aQute.bnd bnd-maven-plugin @@ -129,14 +121,6 @@ StressTest - - maven-compiler-plugin - 3.1 - - 1.6 - 1.6 - - org.apache.maven.plugins maven-surefire-plugin diff --git a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java index 6bc4ae9a..8f4e6502 100644 --- a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java +++ b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java @@ -26,12 +26,7 @@ import java.io.IOException; import java.io.Serializable; import java.security.cert.CertificateException; -import java.util.Dictionary; -import java.util.Timer; -import java.util.TimerTask; -import java.util.List; -import java.util.LinkedList; -import java.util.Map; +import java.util.*; /** 
From 3259161a407241b61036a30e25cb435878d52dd8 Mon Sep 17 00:00:00 2001 From: snorwin Date: Thu, 5 Dec 2019 15:04:06 +0100 Subject: [PATCH 16/26] Fix tests --- pom.xml | 2 +- src/main/java/com/splunk/logging/HttpEventCollectorSender.java | 2 +- src/test/java/HttpEventCollector_JavaLoggingTest.java | 3 ++- src/test/java/HttpEventCollector_Log4j2Test.java | 3 ++- src/test/java/HttpEventCollector_LogbackTest.java | 3 ++- 5 files changed, 8 insertions(+), 5 deletions(-) diff --git a/pom.xml b/pom.xml index 91d447bc..adacbe63 100644 --- a/pom.xml +++ b/pom.xml @@ -219,7 +219,7 @@ org.apache.commons commons-lang3 - 3.0 + 3.4 test diff --git a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java index 8f4e6502..8862a771 100644 --- a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java +++ b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java @@ -272,7 +272,7 @@ private void startHttpClient() { // limit max number of async requests in sequential mode if (sendMode == SendMode.Sequential) { Dispatcher dispatcher = new Dispatcher(); - dispatcher.setMaxRequestsPerHost(1); + dispatcher.setMaxRequests(1); builder.dispatcher(dispatcher); } diff --git a/src/test/java/HttpEventCollector_JavaLoggingTest.java b/src/test/java/HttpEventCollector_JavaLoggingTest.java index 77588ba3..92b46df6 100644 --- a/src/test/java/HttpEventCollector_JavaLoggingTest.java +++ b/src/test/java/HttpEventCollector_JavaLoggingTest.java @@ -21,6 +21,7 @@ import com.splunk.logging.HttpEventCollectorEventInfo; import com.splunk.logging.HttpEventCollectorSender; +import org.apache.commons.lang3.StringUtils; import org.json.simple.JSONObject; import org.junit.Assert; import org.junit.Test; 
@@ -343,7 +344,7 @@ public void error(final List data, final Exception Assert.assertEquals(1, errors.size()); System.out.println(logEx.toString()); - if (!(logEx.toString().contains("Failed to connect to"))) + if (!StringUtils.containsAny(logEx.toString(), "Failed to connect to", "Remote host terminated the handshake", "Connection reset")) Assert.fail(String.format("Unexpected error message '%s'", logEx.toString())); } diff --git a/src/test/java/HttpEventCollector_Log4j2Test.java b/src/test/java/HttpEventCollector_Log4j2Test.java index f42a0d9b..28680335 100644 --- a/src/test/java/HttpEventCollector_Log4j2Test.java +++ b/src/test/java/HttpEventCollector_Log4j2Test.java @@ -20,6 +20,7 @@ import com.splunk.logging.HttpEventCollectorErrorHandler; import com.splunk.logging.HttpEventCollectorEventInfo; +import org.apache.commons.lang3.StringUtils; import org.apache.logging.log4j.core.LoggerContext; import org.json.simple.JSONObject; import org.junit.Assert; @@ -328,7 +329,7 @@ public void error(final List data, final Exception Assert.assertTrue(errors.size() >= 1); System.out.println(logEx.toString()); - if (!(logEx.toString().contains("Failed to connect to"))) + if (!StringUtils.containsAny(logEx.toString(), "Failed to connect to", "Remote host terminated the handshake", "Connection reset")) Assert.fail(String.format("Unexpected error message '%s'", logEx.toString())); } diff --git a/src/test/java/HttpEventCollector_LogbackTest.java b/src/test/java/HttpEventCollector_LogbackTest.java index 8b148138..464a22ca 100644 --- a/src/test/java/HttpEventCollector_LogbackTest.java +++ b/src/test/java/HttpEventCollector_LogbackTest.java @@ -19,6 +19,7 @@ import com.splunk.logging.HttpEventCollectorErrorHandler; import com.splunk.logging.HttpEventCollectorEventInfo; +import org.apache.commons.lang3.StringUtils; import org.json.simple.JSONObject; import org.junit.Assert; import org.junit.Test; 
@@ -320,7 +321,7 @@ public void error(final List data, final Exception Assert.assertEquals(1, errors.size()); System.out.println(logEx.toString()); - if (!(logEx.toString().contains("Failed to connect to"))) + if (!StringUtils.containsAny(logEx.toString(), "Failed to connect to", "Remote host terminated the handshake", "Connection reset")) Assert.fail(String.format("Unexpected error message '%s'", logEx.toString())); } From 70fb9575498633b9102833f3497a02f95502b520 Mon Sep 17 00:00:00 2001 From: snorwin Date: Fri, 6 Dec 2019 10:47:22 +0100 Subject: [PATCH 17/26] Implement shutdown for Log4J appender --- .../logging/HttpEventCollectorLog4jAppender.java | 5 +++-- .../com/splunk/logging/HttpEventCollectorSender.java | 11 +++++++++++ 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/src/main/java/com/splunk/logging/HttpEventCollectorLog4jAppender.java b/src/main/java/com/splunk/logging/HttpEventCollectorLog4jAppender.java index 010b0f25..db5a1bc0 100644 --- a/src/main/java/com/splunk/logging/HttpEventCollectorLog4jAppender.java +++ b/src/main/java/com/splunk/logging/HttpEventCollectorLog4jAppender.java @@ -19,6 +19,7 @@ import java.nio.charset.Charset; import java.util.Dictionary; import java.util.Hashtable; +import java.util.concurrent.TimeUnit; import org.apache.logging.log4j.core.appender.AbstractAppender; import org.apache.logging.log4j.core.Filter; @@ -208,8 +209,8 @@ public void append(final LogEvent event) } @Override - public void stop() { + public boolean stop(long timeout, TimeUnit timeUnit) { this.sender.close(); - super.stop(); + return super.stop(timeout, timeUnit); } } diff --git a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java index 8862a771..361e7d85 100644 --- a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java +++ b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java 
@@ -192,6 +192,9 @@ public synchronized void flush() { @Deprecated public synchronized void flush(boolean close) { + if (close) { + stopHttpClient(); + } flush(); } @@ -202,6 +205,7 @@ void close() { if (timer != null) timer.cancel(); flush(); + stopHttpClient(); super.cancel(); } @@ -261,6 +265,13 @@ private String serializeEventInfo(HttpEventCollectorEventInfo eventInfo) { return event.toString(); } + private void stopHttpClient() { + if (httpClient != null) { + httpClient.dispatcher().executorService().shutdown(); + httpClient = null; + } + } + private void startHttpClient() { if (httpClient != null) { // http client is already started From b7b81e10e8a05e2598911517656c0d485a6dff77 Mon Sep 17 00:00:00 2001 From: snorwin Date: Mon, 9 Dec 2019 09:40:36 +0100 Subject: [PATCH 18/26] Fix bug in flush method --- src/main/java/com/splunk/logging/HttpEventCollectorSender.java | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java index 361e7d85..51f82d20 100644 --- a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java +++ b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java @@ -190,12 +190,11 @@ public synchronized void flush() { eventsBatchSize = 0; } - @Deprecated public synchronized void flush(boolean close) { + flush(); if (close) { stopHttpClient(); } - flush(); } /** From 4e6102e08a098662dc3714027ea98bae202c3404 Mon Sep 17 00:00:00 2001 
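Review bot: `stopHttpClient()` shuts down the dispatcher's executor and nulls the `static` client, so closing one sender tears down the client every other HttpEventCollectorSender in the JVM is using; batches still waiting in the dispatcher queue behind the sequential-mode limit are likely to be rejected, and `close()` returns without waiting for its own just-flushed batch either, since `shutdown()` does not block. If the client stays static, `close()` should not shut it down at all (or only the last live sender should), and either way a bounded `awaitTermination` after `shutdown()` is needed so the Log4j `stop(timeout, unit)` path that calls `sender.close()` actually delivers the final events. The second hunk also drops `@Deprecated` from `flush(boolean close)` without Javadoc saying whether callers should still use it, so add `/** Flushes pending events and, when {@code close} is true, shuts down the shared HTTP client; see {@link #close()}. */`.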
From: David Poncelow Date: Thu, 21 Nov 2019 14:18:18 -0800 Subject: [PATCH 19/26] use gson for json serialization We previously used both gson and json-simple, and the way that we did it meant that attempting to use a JSON payload would mean having that payload JSON encoded in a string in the Splunk event. This behavior is retained when using EventBodySerializer for backwards compatibility, but this should greatly improve the more common case. use deprecated calls for gson json parser Spring Boot pulls in a version of gson that does not have the new calls. --- pom.xml | 54 +++++++---- .../splunk/logging/EventBodySerializer.java | 68 +++++++------ .../HttpEventCollectorErrorHandler.java | 12 +-- .../HttpEventCollectorLog4jAppender.java | 19 ++-- .../HttpEventCollectorLogbackAppender.java | 17 ++-- .../HttpEventCollectorLoggingHandler.java | 28 +++--- .../logging/HttpEventCollectorSender.java | 96 ++++++++++--------- .../com/splunk/logging/MessageFormat.java | 15 +-- .../com/splunk/logging/hec/MetadataTags.java | 24 +++++ .../serialization/EventInfoTypeAdapter.java | 67 +++++++++++++ .../serialization/HecJsonSerializer.java | 60 ++++++++++++ .../HttpEventCollector_JavaLoggingTest.java | 17 ++-- .../java/HttpEventCollector_Log4j2Test.java | 15 +-- .../java/HttpEventCollector_LogbackTest.java | 19 ++-- src/test/java/TestEventBodySerializer.java | 10 -- src/test/java/TestUtil.java | 32 ++++--- 16 files changed, 361 insertions(+), 192 deletions(-) create mode 100644 src/main/java/com/splunk/logging/hec/MetadataTags.java create mode 100644 src/main/java/com/splunk/logging/serialization/EventInfoTypeAdapter.java create mode 100644 src/main/java/com/splunk/logging/serialization/HecJsonSerializer.java diff --git a/pom.xml b/pom.xml index adacbe63..875ec3bf 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.splunk.logging splunk-library-javalogging - 1.7.3 + 1.8.0-SNAPSHOT jar Splunk Logging for Java 
@@ -28,6 +28,14 @@ + + maven-compiler-plugin + 3.8.1 + + 8 + 8 + + biz.aQute.bnd bnd-maven-plugin @@ -53,7 +61,7 @@ org.apache.maven.plugins maven-surefire-plugin - 2.18.1 + 2.22.2 **/*.class @@ -67,11 +75,11 @@ org.apache.maven.plugins maven-javadoc-plugin + 3.1.1 attach-javadocs - -Xdoclint:syntax -Xdoclint:syntax @@ -90,7 +98,7 @@ org.apache.maven.plugins maven-surefire-plugin - 2.18.1 + 2.22.2 **/HttpEventCollector_*.class @@ -107,7 +115,7 @@ org.apache.maven.plugins maven-surefire-plugin - 2.18.1 + 2.22.2 **/HttpEventCollectorUnitTest.class @@ -124,7 +132,7 @@ org.apache.maven.plugins maven-surefire-plugin - 2.18.1 + 2.22.2 **/HttpLoggerStressTest.class @@ -149,31 +157,31 @@ junit junit - 4.11 + 4.12 test org.slf4j slf4j-api - 1.7.5 + 1.7.29 test ch.qos.logback logback-classic - 1.1.11 + 1.2.3 provided ch.qos.logback logback-core - 1.1.11 + 1.2.3 provided ch.qos.logback logback-access - 1.1.11 + 1.2.3 provided @@ -186,22 +194,28 @@ org.apache.logging.log4j log4j-api - 2.10.0 provided + 2.12.1 org.apache.logging.log4j log4j-core - 2.10.0 provided + 2.12.1 - - com.googlecode.json-simple - json-simple - 1.1.1 - + + + + + + + + + + + com.splunk @@ -213,13 +227,13 @@ com.google.code.gson gson - 2.2.4 + 2.8.6 org.apache.commons commons-lang3 - 3.4 + 3.9 test diff --git a/src/main/java/com/splunk/logging/EventBodySerializer.java b/src/main/java/com/splunk/logging/EventBodySerializer.java index f89987e2..022f17df 100644 --- a/src/main/java/com/splunk/logging/EventBodySerializer.java +++ b/src/main/java/com/splunk/logging/EventBodySerializer.java @@ -1,9 +1,5 @@ package com.splunk.logging; -import java.io.Serializable; -import java.util.Map; -import org.json.simple.JSONObject; - /** * * Define the interface to allow users to define their own event body serializer for HTTP event adapter: 
@@ -17,36 +13,36 @@ String serializeEventBody( Object formattedMessage ); - class Default implements EventBodySerializer { - - @Override - public String serializeEventBody( - final HttpEventCollectorEventInfo eventInfo, - final Object formattedMessage - ) { - final JSONObject body = new JSONObject(); - HttpEventCollectorSender.putIfPresent(body, "severity", eventInfo.getSeverity()); - HttpEventCollectorSender.putIfPresent(body, "message", formattedMessage); - HttpEventCollectorSender.putIfPresent(body, "logger", eventInfo.getLoggerName()); - HttpEventCollectorSender.putIfPresent(body, "thread", eventInfo.getThreadName()); - // add an exception record if and only if there is one - // in practice, the message also has the exception information attached - if (eventInfo.getExceptionMessage() != null) { - HttpEventCollectorSender.putIfPresent(body, "exception", eventInfo.getExceptionMessage()); - } - - // add properties if and only if there are any - final Map props = eventInfo.getProperties(); - if (props != null && !props.isEmpty()) { - body.put("properties", props); - } - // add marker if and only if there is one - final Serializable marker = eventInfo.getMarker(); - if (marker != null) { - HttpEventCollectorSender.putIfPresent(body, "marker", marker.toString()); - } - - return body.toString(); - } - } +// class Default implements EventBodySerializer { +// +// @Override +// public String serializeEventBody( +// final HttpEventCollectorEventInfo eventInfo, +// final Object formattedMessage +// ) { +// final JsonObject body = new JsonObject(); +// HttpEventCollectorSender.putIfPresent(body, "severity", eventInfo.getSeverity()); +// HttpEventCollectorSender.putIfPresent(body, "message", formattedMessage); +// HttpEventCollectorSender.putIfPresent(body, "logger", eventInfo.getLoggerName()); +// HttpEventCollectorSender.putIfPresent(body, "thread", eventInfo.getThreadName()); +// // add an exception record if and only if there is one +// // in practice, the message also 
has the exception information attached +// if (eventInfo.getExceptionMessage() != null) { +// HttpEventCollectorSender.putIfPresent(body, "exception", eventInfo.getExceptionMessage()); +// } +// +// // add properties if and only if there are any +// final Map props = eventInfo.getProperties(); +// if (props != null && !props.isEmpty()) { +// body.add("properties", props); +// } +// // add marker if and only if there is one +// final Serializable marker = eventInfo.getMarker(); +// if (marker != null) { +// HttpEventCollectorSender.putIfPresent(body, "marker", marker.toString()); +// } +// +// return body.toString(); +// } +// } } diff --git a/src/main/java/com/splunk/logging/HttpEventCollectorErrorHandler.java b/src/main/java/com/splunk/logging/HttpEventCollectorErrorHandler.java index b722c188..bfd7582a 100644 --- a/src/main/java/com/splunk/logging/HttpEventCollectorErrorHandler.java +++ b/src/main/java/com/splunk/logging/HttpEventCollectorErrorHandler.java @@ -18,8 +18,9 @@ * under the License. */ -import org.json.simple.JSONObject; -import org.json.simple.parser.JSONParser; +import com.google.gson.JsonObject; +import com.google.gson.JsonParser; + import java.util.List; /** @@ -50,12 +51,11 @@ public static class ServerErrorException extends Exception { */ public ServerErrorException(final String serverReply) { reply = serverReply; - JSONParser jsonParser = new JSONParser(); try { // read server reply - JSONObject json = (JSONObject)jsonParser.parse(serverReply); - errorCode = (Long)json.get("code"); - errorText = (String)json.get("text"); + JsonObject json = JsonParser.parseString(serverReply).getAsJsonObject(); + errorCode = json.get("code").getAsLong(); + errorText = json.get("text").getAsString(); } catch (Exception e) { errorText = e.getMessage(); } diff --git a/src/main/java/com/splunk/logging/HttpEventCollectorLog4jAppender.java b/src/main/java/com/splunk/logging/HttpEventCollectorLog4jAppender.java index db5a1bc0..5ee1df6e 100644 
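Review bot: The `Default` implementation is commented out (`+// class Default implements EventBodySerializer {` through `+// }`) instead of deleted, leaving some thirty lines of dead code that reference `JsonObject` and `Map` without imports; remove it and let version control keep the history. Dropping `EventBodySerializer.Default` is also a source-incompatible change for callers that referenced the nested class of a public interface, and the commit message does not mention it. The interface Javadoc (its start is outside this hunk) should state that built-in serialization now lives in `HecJsonSerializer`/`EventInfoTypeAdapter`, and that an installed `EventBodySerializer` receives the raw message and has its return value embedded as a JSON string.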
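Review bot: `JsonParser.parseString(serverReply)` is the static Gson API that the commit message says was avoided because Spring Boot downgrades Gson; `EventInfoTypeAdapter` uses `new JsonParser().parse(...)` for that reason, and `TestUtil` (`@@ -385,10 +385,15 @@`) uses `parseString` again. On the older Gson the call fails with `NoSuchMethodError`, which is an `Error` and is not caught by `catch (Exception e)`, so a server error would escape as a crash instead of becoming a `ServerErrorException`; use `new JsonParser().parse(serverReply).getAsJsonObject()` consistently or document the minimum Gson version. Also `json.get("code")` returns null when the reply has no `code` member, and the resulting NPE is swallowed with `errorText = e.getMessage()` (null for an NPE); guard with `if (json.has("code"))` before `getAsLong()` so the original reply text is still reported.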
--- a/src/main/java/com/splunk/logging/HttpEventCollectorLog4jAppender.java +++ b/src/main/java/com/splunk/logging/HttpEventCollectorLog4jAppender.java @@ -17,10 +17,11 @@ import java.io.Serializable; import java.nio.charset.Charset; -import java.util.Dictionary; -import java.util.Hashtable; +import java.util.HashMap; +import java.util.Map; import java.util.concurrent.TimeUnit; +import com.splunk.logging.hec.MetadataTags; import org.apache.logging.log4j.core.appender.AbstractAppender; import org.apache.logging.log4j.core.Filter; import org.apache.logging.log4j.core.Layout; @@ -73,12 +74,12 @@ private HttpEventCollectorLog4jAppender(final String name, final String eventBodySerializer) { super(name, filter, layout, ignoreExceptions); - Dictionary metadata = new Hashtable(); - metadata.put(HttpEventCollectorSender.MetadataHostTag, host != null ? host : ""); - metadata.put(HttpEventCollectorSender.MetadataIndexTag, index != null ? index : ""); - metadata.put(HttpEventCollectorSender.MetadataSourceTag, source != null ? source : ""); - metadata.put(HttpEventCollectorSender.MetadataSourceTypeTag, sourcetype != null ? sourcetype : ""); - metadata.put(HttpEventCollectorSender.MetadataMessageFormatTag, messageFormat != null ? messageFormat : ""); + Map metadata = new HashMap<>(); + metadata.put(MetadataTags.HOST, host != null ? host : ""); + metadata.put(MetadataTags.INDEX, index != null ? index : ""); + metadata.put(MetadataTags.SOURCE, source != null ? source : ""); + metadata.put(MetadataTags.SOURCETYPE, sourcetype != null ? sourcetype : ""); + metadata.put(MetadataTags.MESSAGEFORMAT, messageFormat != null ? messageFormat : ""); this.sender = new HttpEventCollectorSender(url, token, channel, type, batchInterval, batchCount, batchSize, sendMode, metadata); 
@@ -125,7 +126,7 @@ public static HttpEventCollectorLog4jAppender createAppender( @PluginAttribute("name") final String name, @PluginAttribute("source") final String source, @PluginAttribute("sourcetype") final String sourcetype, - @PluginAttribute(HttpEventCollectorSender.MetadataMessageFormatTag) final String messageFormat, + @PluginAttribute("messageFormat") final String messageFormat, @PluginAttribute("host") final String host, @PluginAttribute("index") final String index, @PluginAttribute(value = "ignoreExceptions", defaultBoolean = true) final String ignoreExceptions, diff --git a/src/main/java/com/splunk/logging/HttpEventCollectorLogbackAppender.java b/src/main/java/com/splunk/logging/HttpEventCollectorLogbackAppender.java index 62369ea6..a2e5f9de 100644 --- a/src/main/java/com/splunk/logging/HttpEventCollectorLogbackAppender.java +++ b/src/main/java/com/splunk/logging/HttpEventCollectorLogbackAppender.java @@ -19,10 +19,9 @@ import ch.qos.logback.classic.spi.ILoggingEvent; import ch.qos.logback.core.AppenderBase; import ch.qos.logback.core.Layout; +import com.splunk.logging.hec.MetadataTags; -import java.util.Collections; -import java.util.Dictionary; -import java.util.Hashtable; +import java.util.*; /** * Logback Appender which writes its events to Splunk http event collector rest endpoint. 
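Review bot: `@PluginAttribute("messageFormat")` hard-codes the attribute name that `MetadataTags.MESSAGEFORMAT` now defines. That field is a `public static final String` compile-time constant and therefore legal in an annotation, so `@PluginAttribute(MetadataTags.MESSAGEFORMAT)` keeps the log4j attribute name and the metadata key from drifting apart, as the replaced `HttpEventCollectorSender.MetadataMessageFormatTag` did.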
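Review bot: `import java.util.*;` replaces three explicit imports here, and `HttpEventCollectorLoggingHandler` (`@@ -80,9 +80,9 @@`) does the same; wildcard imports hide which types a file uses and can resolve differently when a new class lands in `java.util` or a sibling package. Keep the explicit `import java.util.HashMap;` and `import java.util.Map;` that the new code needs.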
@@ -59,21 +58,21 @@ public void start() { return; // init events sender - Dictionary metadata = new Hashtable(); + Map metadata = new HashMap<>(); if (_host != null) - metadata.put(HttpEventCollectorSender.MetadataHostTag, _host); + metadata.put(MetadataTags.HOST, _host); if (_index != null) - metadata.put(HttpEventCollectorSender.MetadataIndexTag, _index); + metadata.put(MetadataTags.INDEX, _index); if (_source != null) - metadata.put(HttpEventCollectorSender.MetadataSourceTag, _source); + metadata.put(MetadataTags.SOURCE, _source); if (_sourcetype != null) - metadata.put(HttpEventCollectorSender.MetadataSourceTypeTag, _sourcetype); + metadata.put(MetadataTags.SOURCETYPE, _sourcetype); if (_messageFormat != null) - metadata.put(HttpEventCollectorSender.MetadataMessageFormatTag, _messageFormat); + metadata.put(MetadataTags.MESSAGEFORMAT, _messageFormat); this.sender = new HttpEventCollectorSender( _url, _token, _channel, _type, _batchInterval, _batchCount, _batchSize, _sendMode, metadata); diff --git a/src/main/java/com/splunk/logging/HttpEventCollectorLoggingHandler.java b/src/main/java/com/splunk/logging/HttpEventCollectorLoggingHandler.java index 23386277..543665e4 100644 --- a/src/main/java/com/splunk/logging/HttpEventCollectorLoggingHandler.java +++ b/src/main/java/com/splunk/logging/HttpEventCollectorLoggingHandler.java @@ -80,9 +80,9 @@ * com.splunk.logging.HttpEventCollectorLoggingHandler.send_mode=sequential */ -import java.util.Dictionary; -import java.util.Hashtable; -import java.util.Locale; +import com.splunk.logging.hec.MetadataTags; + +import java.util.*; import java.util.logging.Handler; import java.util.logging.LogManager; import java.util.logging.LogRecord; 
@@ -113,22 +113,22 @@ public final class HttpEventCollectorLoggingHandler extends Handler { /** HttpEventCollectorLoggingHandler c-or */ public HttpEventCollectorLoggingHandler() { // read configuration settings - Dictionary metadata = new Hashtable(); - metadata.put(HttpEventCollectorSender.MetadataHostTag, - getConfigurationProperty(HttpEventCollectorSender.MetadataHostTag, "")); + Map metadata = new HashMap<>(); + metadata.put(MetadataTags.HOST, + getConfigurationProperty(MetadataTags.HOST, "")); - metadata.put(HttpEventCollectorSender.MetadataIndexTag, - getConfigurationProperty(HttpEventCollectorSender.MetadataIndexTag, "")); + metadata.put(MetadataTags.INDEX, + getConfigurationProperty(MetadataTags.INDEX, "")); - metadata.put(HttpEventCollectorSender.MetadataSourceTag, - getConfigurationProperty(HttpEventCollectorSender.MetadataSourceTag, "")); + metadata.put(MetadataTags.SOURCE, + getConfigurationProperty(MetadataTags.SOURCE, "")); - metadata.put(HttpEventCollectorSender.MetadataSourceTypeTag, - getConfigurationProperty(HttpEventCollectorSender.MetadataSourceTypeTag, "")); + metadata.put(MetadataTags.SOURCETYPE, + getConfigurationProperty(MetadataTags.SOURCETYPE, "")); // Extract message format value - metadata.put(HttpEventCollectorSender.MetadataMessageFormatTag, - getConfigurationProperty(HttpEventCollectorSender.MetadataMessageFormatTag, "")); + metadata.put(MetadataTags.MESSAGEFORMAT, + getConfigurationProperty(MetadataTags.MESSAGEFORMAT, "")); // http event collector endpoint properties String url = getConfigurationProperty(UrlConfTag, null); diff --git a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java index 51f82d20..56d14a8c 100644 --- a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java +++ b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java 
@@ -18,10 +18,12 @@ * under the License. */ +import com.google.gson.*; +import com.splunk.logging.hec.MetadataTags; +import com.splunk.logging.serialization.EventInfoTypeAdapter; +import com.splunk.logging.serialization.HecJsonSerializer; import okhttp3.*; -import org.json.simple.JSONObject; - import javax.net.ssl.*; import java.io.IOException; import java.io.Serializable; @@ -33,12 +35,6 @@ * This is an internal helper class that sends logging events to Splunk http event collector. */ public class HttpEventCollectorSender extends TimerTask implements HttpEventCollectorMiddleware.IHttpSender { - public static final String MetadataTimeTag = "time"; - public static final String MetadataHostTag = "host"; - public static final String MetadataIndexTag = "index"; - public static final String MetadataSourceTag = "source"; - public static final String MetadataSourceTypeTag = "sourcetype"; - public static final String MetadataMessageFormatTag = "messageFormat"; private static final String SPLUNKREQUESTCHANNELTag = "X-Splunk-Request-Channel"; private static final String AuthorizationHeaderTag = "Authorization"; private static final String AuthorizationHeaderScheme = "Splunk %s"; @@ -47,6 +43,12 @@ public class HttpEventCollectorSender extends TimerTask implements HttpEventColl private static final String HttpContentType = "application/json; profile=urn:splunk:event:1.0; charset=utf-8"; private static final String SendModeSequential = "sequential"; private static final String SendModeSParallel = "parallel"; + private static final Gson gson = new GsonBuilder() + .registerTypeAdapter(HttpEventCollectorEventInfo.class, new EventInfoTypeAdapter()) + .create(); + + private final HecJsonSerializer serializer; + /** * Sender operation mode. Parallel means that all HTTP requests are 
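Review bot: Removing the six `public static final` `Metadata*Tag` constants in `@@ -33,12 +35,6 @@`, and changing the public constructor parameter from `Dictionary` to `Map` (`@@ -98,7 +98,7 @@` on the next line), are binary-incompatible changes to a public class that the commit message does not call out. For one release the old names should stay as forwarding constants, e.g. `@Deprecated public static final String MetadataHostTag = MetadataTags.HOST;`, and the old constructor kept as a deprecated overload that copies the `Dictionary` into a `Map`. The new `private static final Gson gson` also duplicates the `Gson` that `HecJsonSerializer` builds with the same type adapter; one of the two should own serialization.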
@@ -72,7 +74,6 @@ public enum SendMode private String type; private long maxEventsBatchCount; private long maxEventsBatchSize; - private Dictionary metadata; private Timer timer; private List eventsBatch = new LinkedList(); private long eventsBatchSize = 0; // estimated total size of events batch @@ -81,7 +82,6 @@ public enum SendMode private SendMode sendMode = SendMode.Sequential; private HttpEventCollectorMiddleware middleware = new HttpEventCollectorMiddleware(); private final MessageFormat messageFormat; - private EventBodySerializer eventBodySerializer; /** * Initialize HttpEventCollectorSender @@ -98,7 +98,7 @@ public HttpEventCollectorSender( final String Url, final String token, final String channel, final String type, long delay, long maxEventsBatchCount, long maxEventsBatchSize, String sendModeStr, - Dictionary metadata) { + Map metadata) { this.url = Url + HttpEventCollectorUriPath; this.token = token; this.channel = channel; @@ -117,9 +117,9 @@ public HttpEventCollectorSender( } this.maxEventsBatchCount = maxEventsBatchCount; this.maxEventsBatchSize = maxEventsBatchSize; - this.metadata = metadata; - final String format = metadata.get(MetadataMessageFormatTag); + serializer = new HecJsonSerializer(metadata); + final String format = metadata.get(MetadataTags.MESSAGEFORMAT); // Get MessageFormat enum from format string. Do this once per instance in constructor to avoid expensive operation in // each event sender call this.messageFormat = MessageFormat.fromFormat(format); @@ -186,7 +186,7 @@ public synchronized void flush() { // Clear the batch. A new list should be created because events are // sending asynchronously and "previous" instance of eventsBatch object // is still in use. - eventsBatch = new LinkedList(); + eventsBatch = new LinkedList<>(); eventsBatchSize = 0; } 
@@ -225,44 +225,51 @@ public void disableCertificateValidation() { } public void setEventBodySerializer(EventBodySerializer eventBodySerializer) { - this.eventBodySerializer = eventBodySerializer; + serializer.setEventBodySerializer(eventBodySerializer); } - @SuppressWarnings("unchecked") - public static void putIfPresent(JSONObject collection, String tag, Object value) { + public static void putIfPresent(JsonObject collection, String tag, Object value) { if (value != null) { if (value instanceof String && ((String) value).length() == 0) { // Do not add blank string return; } - collection.put(tag, value); + collection.add(tag, gson.toJsonTree(value)); } } - @SuppressWarnings("unchecked") - private String serializeEventInfo(HttpEventCollectorEventInfo eventInfo) { - // create event json content - // - // cf: http://dev.splunk.com/view/event-collector/SP-CAAAE6P - // - JSONObject event = new JSONObject(); - // event timestamp and metadata - putIfPresent(event, MetadataTimeTag, String.format(Locale.US, "%.3f", eventInfo.getTime())); - putIfPresent(event, MetadataHostTag, metadata.get(MetadataHostTag)); - putIfPresent(event, MetadataIndexTag, metadata.get(MetadataIndexTag)); - putIfPresent(event, MetadataSourceTag, metadata.get(MetadataSourceTag)); - putIfPresent(event, MetadataSourceTypeTag, metadata.get(MetadataSourceTypeTag)); - - // Parse message on the basis of format - final Object parsedMessage = this.messageFormat.parse(eventInfo.getMessage()); - - if (eventBodySerializer == null) { - eventBodySerializer = new EventBodySerializer.Default(); - } - - event.put("event", eventBodySerializer.serializeEventBody(eventInfo, parsedMessage)); - return event.toString(); - } +// private String serializeEventInfo(HttpEventCollectorEventInfo eventInfo) { +//// // create event json content +//// // +//// // cf: http://dev.splunk.com/view/event-collector/SP-CAAAE6P +//// // +//// JsonObject event = new JsonObject(); +//// // event timestamp and metadata +//// 
putIfPresent(event, MetadataTimeTag, String.format(Locale.US, "%.3f", eventInfo.getTime())); +//// putIfPresent(event, MetadataHostTag, metadata.get(MetadataHostTag)); +//// putIfPresent(event, MetadataIndexTag, metadata.get(MetadataIndexTag)); +//// putIfPresent(event, MetadataSourceTag, metadata.get(MetadataSourceTag)); +//// putIfPresent(event, MetadataSourceTypeTag, metadata.get(MetadataSourceTypeTag)); +//// +//// // Parse message on the basis of format +//// final Object parsedMessage = this.messageFormat.parse(eventInfo.getMessage()); +//// +//// JsonElement eventBody; +//// if (eventBodySerializer != null) { +//// eventBody = new JsonPrimitive(eventBodySerializer.serializeEventBody(eventInfo, parsedMessage)); +//// } else { +//// eventBody = gson.toJsonTree(eventInfo); +//// } +//// +//// // FIXME: need test to ensure this fixes string in json problem +//// // FIXME: rename fields in output JSON to match prior object structure +//// event.add("event", eventBody); +//// System.err.println(event.toString()); +//// return event.toString(); +// String evt = gson.toJson(eventInfo); +// System.err.println(evt); +// return evt; +// } private void stopHttpClient() { if (httpClient != null) { @@ -350,8 +357,9 @@ public void postEvents(final List events, startHttpClient(); // make sure http client is started // convert events list into a string StringBuilder eventsBatchString = new StringBuilder(); - for (HttpEventCollectorEventInfo eventInfo : events) - eventsBatchString.append(serializeEventInfo(eventInfo)); + for (HttpEventCollectorEventInfo eventInfo : events) { + eventsBatchString.append(serializer.serialize(eventInfo)); + } // create http request Request.Builder requestBldr = new Request.Builder() .url(url) diff --git a/src/main/java/com/splunk/logging/MessageFormat.java b/src/main/java/com/splunk/logging/MessageFormat.java index d27add07..f50b0708 100644 --- a/src/main/java/com/splunk/logging/MessageFormat.java 
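Review bot: `serializeEventInfo` is left as roughly thirty lines of commented-out code, including `System.err.println(evt)` debug output and two `FIXME`s; delete it rather than ship it. With it gone, `postEvents` (`@@ -350,8 +357,9 @@`) no longer consults `this.messageFormat`: the field is still computed in the constructor from `MetadataTags.MESSAGEFORMAT`, but `serializer.serialize(eventInfo)` hands the raw event to Gson, so the `messageFormat` metadata the appenders pass in is now silently ignored — either route the parsed message through the serializer or document that the setting no longer affects serialization. `putIfPresent` remains `public static` but nothing visible in this diff calls it any more; mark it `@Deprecated` if it must stay for compatibility.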
+++ b/src/main/java/com/splunk/logging/MessageFormat.java @@ -1,6 +1,9 @@ package com.splunk.logging; -import org.json.simple.JSONValue; +import com.google.gson.Gson; +import com.google.gson.GsonBuilder; +import com.google.gson.JsonObject; +import com.google.gson.JsonSyntaxException; /** * @@ -57,13 +60,13 @@ Object parse(final String message) { * @return the parsed message JSON object or input message if parsing fails */ private Object parseJsonEventMessage(final String message) { - final Object jsonObject = JSONValue.parse(message); - if (jsonObject == null) { + Gson gson = new GsonBuilder().create(); + try { + return gson.fromJson(message, JsonObject.class); + } catch (JsonSyntaxException e) { // If JSON parsing failed then it is likely a text message or a malformed JSON message. // Return input message string in such an event. return message; - } else { - return jsonObject; } } @@ -84,4 +87,4 @@ static MessageFormat fromFormat(String format) { } return TEXT; } -} \ No newline at end of file +} diff --git a/src/main/java/com/splunk/logging/hec/MetadataTags.java b/src/main/java/com/splunk/logging/hec/MetadataTags.java new file mode 100644 index 00000000..797dd83f --- /dev/null +++ b/src/main/java/com/splunk/logging/hec/MetadataTags.java 
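Review bot: `parseJsonEventMessage` builds `new GsonBuilder().create()` on every call; `Gson` is thread-safe and should be a `private static final Gson GSON` field. The fallback also changed shape: `Gson.fromJson` returns `null` instead of throwing for a `null` or empty message, so where the old `jsonObject == null` branch returned the input, the new code returns `null` to the caller; add `if (message == null || message.isEmpty()) return message;` before the parse, or treat a null result like the catch branch. Gson's `fromJson` is lenient by default, so unquoted keys and single-quoted strings that json-simple rejected may now parse as JSON and be sent as a structured event; that is a behaviour change worth a sentence in the method Javadoc.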
@@ -0,0 +1,24 @@ +/* + Copyright © 2019 Splunk Inc. + SPLUNK CONFIDENTIAL – Use or disclosure of this material in whole or in part + without a valid written license from Splunk Inc. is PROHIBITED. + */ +package com.splunk.logging.hec; + +import java.util.Arrays; +import java.util.Collections; +import java.util.HashSet; +import java.util.Set; + +public class MetadataTags { + public static final String TIME = "time"; + public static final String HOST = "host"; + public static final String INDEX = "index"; + public static final String SOURCE = "source"; + public static final String SOURCETYPE = "sourcetype"; + public static final String MESSAGEFORMAT = "messageFormat"; + public static final Set HEC_TAGS = + new HashSet<>(Arrays.asList(TIME, HOST, INDEX, SOURCE, SOURCETYPE)); + public static final Set INTERNAL_TAGS= + new HashSet<>(Collections.singletonList(MESSAGEFORMAT)); +} diff --git a/src/main/java/com/splunk/logging/serialization/EventInfoTypeAdapter.java b/src/main/java/com/splunk/logging/serialization/EventInfoTypeAdapter.java new file mode 100644 index 00000000..6aedb536 --- /dev/null +++ b/src/main/java/com/splunk/logging/serialization/EventInfoTypeAdapter.java 
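Review bot: The header `SPLUNK CONFIDENTIAL – Use or disclosure ... is PROHIBITED` contradicts the Apache-style `under the License` headers the rest of the repository carries (visible in `HttpEventCollectorErrorHandler.java` and `HttpEventCollectorSender.java` context lines); the same header is on `EventInfoTypeAdapter.java` and `HecJsonSerializer.java`, and shipping it in a published open-source artifact is a licensing problem. `HEC_TAGS` and `INTERNAL_TAGS` are public mutable `HashSet`s that any caller can modify; wrap them as `Collections.unmodifiableSet(new HashSet<>(Arrays.asList(...)))`. As a constants holder the class should be `final` with a `private MetadataTags() {}` constructor, and `INTERNAL_TAGS=` needs a space before `=`.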
@@ -0,0 +1,67 @@ +/* + Copyright © 2019 Splunk Inc. + SPLUNK CONFIDENTIAL – Use or disclosure of this material in whole or in part + without a valid written license from Splunk Inc. is PROHIBITED. + */ +package com.splunk.logging.serialization; + +import com.google.gson.*; +import com.splunk.logging.EventBodySerializer; +import com.splunk.logging.HttpEventCollectorEventInfo; + +import java.lang.reflect.Type; +import java.util.HashMap; +import java.util.Locale; +import java.util.Map; + +public class EventInfoTypeAdapter implements JsonSerializer { + + @Override + public JsonElement serialize(HttpEventCollectorEventInfo src, Type typeOfSrc, JsonSerializationContext context) { + Map event = new HashMap<>(); + // TODO: JsonParser constructor is deprecated in favor of static methods in gson 1.8.6, + // but Spring Boot does some Gradle magic that downgrades (as of 11/2019) to 1.8.5. This + // should move to static methods once 1.8.6 has widespread adoption. + JsonParser parser = new JsonParser(); + if (src.getTime() > 0) { + event.put("time", String.format(Locale.US, "%.3f", src.getTime())); + } + if (src.getSeverity() != null) { + event.put("severity", src.getSeverity()); + } + + // Always put a message, even if it's empty. + try { + // TODO: Move to JsonParser.parseString (see note above) + event.put("message", parser.parse(src.getMessage())); + } catch (JsonSyntaxException e) { + event.put("message", src.getMessage()); + } + + if (src.getLoggerName() != null && !src.getLoggerName().isEmpty()) { + event.put("logger", src.getLoggerName()); + } + + if (src.getThreadName() != null && !src.getThreadName().isEmpty()) { + event.put("thread", src.getThreadName()); + } + + if (src.getExceptionMessage() != null && ! 
src.getExceptionMessage().isEmpty()) { + event.put("exception", src.getExceptionMessage()); + } + + Map props = src.getProperties(); + if (props != null && props.size() > 0) { + event.put("properties", props); + } + + if (src.getMarker() != null) { + String markerString = src.getMarker().toString(); + if (!markerString.isEmpty()) { + event.put("marker", src.getMarker().toString()); + } + } + + return context.serialize(event); + } +} diff --git a/src/main/java/com/splunk/logging/serialization/HecJsonSerializer.java b/src/main/java/com/splunk/logging/serialization/HecJsonSerializer.java new file mode 100644 index 00000000..003c452c --- /dev/null +++ b/src/main/java/com/splunk/logging/serialization/HecJsonSerializer.java 
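Review bot: `parser.parse(src.getMessage())` is lenient, so a message that is a single bare token — `42`, `true`, or one unquoted word — becomes a JSON primitive of that type rather than a string, and a message `null` becomes a JSON null; only the multi-token or malformed case reaches the `JsonSyntaxException` fallback. If `getMessage()` can be null, `new StringReader(null)` throws an NPE before the parser runs, which the catch does not cover; a guard such as `if (src.getMessage() == null || src.getMessage().isEmpty()) event.put("message", ""); else ...` handles both. The TODO cites Gson "1.8.6"/"1.8.5" while `pom.xml` declares `2.8.6`; fix the numbers so the note stays actionable. `Map event = new HashMap<>()` also makes field order in the emitted JSON arbitrary; a `LinkedHashMap` keeps `time` and `severity` first, which helps when reading raw events.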
@@ -0,0 +1,60 @@ +/* + Copyright © 2019 Splunk Inc. + SPLUNK CONFIDENTIAL – Use or disclosure of this material in whole or in part + without a valid written license from Splunk Inc. is PROHIBITED. + */ +package com.splunk.logging.serialization; + +import com.google.gson.Gson; +import com.google.gson.GsonBuilder; +import com.splunk.logging.EventBodySerializer; +import com.splunk.logging.HttpEventCollectorEventInfo; + +import java.util.*; + +public class HecJsonSerializer { + private static final Set KEYWORDS = new HashSet<>(Arrays.asList( + "host", "source", "sourcetype", "index", "time")); + private Map template = new LinkedHashMap<>(); + private EventInfoTypeAdapter typeAdapter = new EventInfoTypeAdapter(); + private Gson gson = new GsonBuilder() + .registerTypeAdapter(HttpEventCollectorEventInfo.class, typeAdapter) + .disableHtmlEscaping() + .create(); + private EventBodySerializer eventBodySerializer; + + public HecJsonSerializer(Map metadata) { + for (Map.Entry entry : metadata.entrySet()) { + setValue(entry.getKey(), entry.getValue()); + } + } + + @SuppressWarnings("unchecked") + private void setValue(String key, String value) { + if (KEYWORDS.contains(key)) { + template.put(key, value); + } else { + if (!template.containsKey("fields")) { + template.put("fields", new HashMap()); + } + Object fields = template.get("fields"); + if (fields instanceof Map) { + ((Map) fields).put(key, value); + } + } + } + + public String serialize(HttpEventCollectorEventInfo info) { + Map event = new HashMap<>(template); + if (this.eventBodySerializer != null) { + event.put("event", eventBodySerializer.serializeEventBody(info, info.getMessage())); + } else { + event.put("event", info); + } + return gson.toJson(event); + } + + public void setEventBodySerializer(EventBodySerializer eventBodySerializer) { + this.eventBodySerializer = eventBodySerializer; + } +} 
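Review bot: `setValue` sends every non-HEC metadata key to `fields`, and the appenders always put `messageFormat` into the metadata map (as `""` when unset in the log4j appender and logging handler), so each event now carries `"fields":{"messageFormat":...}` to HEC although `MetadataTags.INTERNAL_TAGS` exists precisely to mark that key as internal. Blank values are also no longer dropped: the old `putIfPresent` skipped empty strings, whereas `template.put(key, value)` emits `"host":""` and friends, which changes what HEC receives. `KEYWORDS` duplicates `MetadataTags.HEC_TAGS` verbatim; using the shared constant removes one source of drift. `template`, `typeAdapter` and `gson` are never reassigned and should be `final`.
```java
private void setValue(String key, String value) {
    // Internal configuration such as messageFormat is consumed by the sender, not by HEC;
    // blank values were never sent by the previous putIfPresent path.
    if (value == null || value.isEmpty() || MetadataTags.INTERNAL_TAGS.contains(key)) {
        return;
    }
    if (MetadataTags.HEC_TAGS.contains(key)) {
        template.put(key, value);
    } else {
        // … unchanged: add to the "fields" map …
    }
}
```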
diff --git a/src/test/java/HttpEventCollector_JavaLoggingTest.java b/src/test/java/HttpEventCollector_JavaLoggingTest.java index 92b46df6..b99375f5 100644 --- a/src/test/java/HttpEventCollector_JavaLoggingTest.java +++ b/src/test/java/HttpEventCollector_JavaLoggingTest.java @@ -16,13 +16,12 @@ import java.util.*; -import com.splunk.logging.EventBodySerializer; +import com.google.gson.JsonObject; +import com.google.gson.JsonPrimitive; import com.splunk.logging.HttpEventCollectorErrorHandler; import com.splunk.logging.HttpEventCollectorEventInfo; -import com.splunk.logging.HttpEventCollectorSender; import org.apache.commons.lang3.StringUtils; -import org.json.simple.JSONObject; import org.junit.Assert; import org.junit.Test; @@ -493,21 +492,21 @@ private void canSendJsonEventUsingUtilLoggerWithSourceType(final String sourceTy final long timeMillsec = new Date().getTime(); - final JSONObject jsonObject = new JSONObject(); - jsonObject.put("transactionId", "11"); - jsonObject.put("userId", "21"); - jsonObject.put("eventTimestamp", timeMillsec); + final JsonObject jsonObject = new JsonObject(); + jsonObject.add("transactionId", new JsonPrimitive("11")); + jsonObject.add("userId", new JsonPrimitive("21")); + jsonObject.add("eventTimestamp", new JsonPrimitive(timeMillsec)); final Logger logger = Logger.getLogger(loggerName); // Test with a json event message - jsonObject.put("severity", "info"); + jsonObject.add("severity", new JsonPrimitive("info")); final String infoJson = jsonObject.toString(); logger.info(infoJson); msgs.add(infoJson); // Test with a text event message - jsonObject.put("severity", "info"); + jsonObject.add("severity", new JsonPrimitive("info")); final String infoText = String.format("{EventTimestamp:%s, EventMsg:'this is a text info for java util logger}", timeMillsec); logger.info(infoText); msgs.add(infoText); 
diff --git a/src/test/java/HttpEventCollector_Log4j2Test.java b/src/test/java/HttpEventCollector_Log4j2Test.java index 28680335..b049f812 100644 --- a/src/test/java/HttpEventCollector_Log4j2Test.java +++ b/src/test/java/HttpEventCollector_Log4j2Test.java @@ -17,12 +17,13 @@ import java.io.*; import java.util.*; +import com.google.gson.JsonObject; +import com.google.gson.JsonPrimitive; import com.splunk.logging.HttpEventCollectorErrorHandler; import com.splunk.logging.HttpEventCollectorEventInfo; import org.apache.commons.lang3.StringUtils; import org.apache.logging.log4j.core.LoggerContext; -import org.json.simple.JSONObject; import org.junit.Assert; import org.junit.Test; import org.apache.logging.log4j.Logger; @@ -30,7 +31,7 @@ public final class HttpEventCollector_Log4j2Test { private String httpEventCollectorName = "Log4j2Test"; List> errors = new ArrayList>(); - List logEx = new ArrayList(); + List logEx = new ArrayList<>(); /** * sending a message via httplogging using log4j2 to splunk @@ -403,13 +404,13 @@ private void canSendJsonEventUsingUtilLoggerWithSourceType(final String sourceTy final long timeMillsec = new Date().getTime(); - final JSONObject jsonObject = new JSONObject(); - jsonObject.put("transactionId", "11"); - jsonObject.put("userId", "21"); - jsonObject.put("eventTimestap", timeMillsec); + final JsonObject jsonObject = new JsonObject(); + jsonObject.add("transactionId", new JsonPrimitive("11")); + jsonObject.add("userId", new JsonPrimitive("21")); + jsonObject.add("eventTimestamp", new JsonPrimitive(timeMillsec)); // Test with a json event message - jsonObject.put("severity", "info"); + jsonObject.add("severity", new JsonPrimitive("info")); final String infoJson = jsonObject.toString(); logger.info(infoJson); msgs.add(infoJson); diff --git a/src/test/java/HttpEventCollector_LogbackTest.java b/src/test/java/HttpEventCollector_LogbackTest.java index 464a22ca..3fa2c20e 100644 --- a/src/test/java/HttpEventCollector_LogbackTest.java 
+++ b/src/test/java/HttpEventCollector_LogbackTest.java @@ -16,11 +16,12 @@ import java.util.*; +import com.google.gson.JsonObject; +import com.google.gson.JsonPrimitive; import com.splunk.logging.HttpEventCollectorErrorHandler; import com.splunk.logging.HttpEventCollectorEventInfo; import org.apache.commons.lang3.StringUtils; -import org.json.simple.JSONObject; import org.junit.Assert; import org.junit.Test; import org.slf4j.Logger; @@ -390,30 +391,30 @@ private void canSendJsonEventUsingLogbackWithSourceType(final String sourceType) TestUtil.resetLogbackConfiguration("logback_template.xml", "logback.xml", userInputs); - final List msgs = new ArrayList(); + final List msgs = new ArrayList<>(); final long timeMillsec = new Date().getTime(); - final JSONObject jsonObject = new JSONObject(); - jsonObject.put("transactionId", "11"); - jsonObject.put("userId", "21"); - jsonObject.put("eventTimestamp", timeMillsec); + final JsonObject jsonObject = new JsonObject(); + jsonObject.add("transactionId", new JsonPrimitive("11")); + jsonObject.add("userId", new JsonPrimitive("21")); + jsonObject.add("eventTimestamp", new JsonPrimitive(timeMillsec)); final Logger logger = LoggerFactory.getLogger(loggerName); // Test with a json event message - jsonObject.put("severity", "info"); + jsonObject.add("severity", new JsonPrimitive("info")); final String infoJson = jsonObject.toString(); logger.info(infoJson); msgs.add(infoJson); - jsonObject.put("severity", "error"); + jsonObject.add("severity", new JsonPrimitive("error")); final String errorJson = jsonObject.toString(); logger.error(errorJson); msgs.add(errorJson); // Test with a text event message - jsonObject.put("severity", "debug"); + jsonObject.add("severity", new JsonPrimitive("debug")); final String debugText = String.format("{EventTimestamp:%s, EventMsg:'this is a test debug for Logback Test}", timeMillsec); logger.debug(debugText); msgs.add(debugText); 
diff --git a/src/test/java/TestEventBodySerializer.java b/src/test/java/TestEventBodySerializer.java index 73bb7625..fdf3022a 100644 --- a/src/test/java/TestEventBodySerializer.java +++ b/src/test/java/TestEventBodySerializer.java @@ -15,17 +15,7 @@ */ import com.splunk.logging.EventBodySerializer; -import com.splunk.logging.HttpEventCollectorErrorHandler; import com.splunk.logging.HttpEventCollectorEventInfo; -import org.json.simple.JSONObject; -import org.junit.Assert; -import org.junit.Test; - -import java.util.ArrayList; -import java.util.Date; -import java.util.HashMap; -import java.util.List; -import java.util.logging.Logger; // Implement the interface of EventBodySerializer for testing public class TestEventBodySerializer implements EventBodySerializer { diff --git a/src/test/java/TestUtil.java b/src/test/java/TestUtil.java index 631695d0..cc783848 100644 --- a/src/test/java/TestUtil.java +++ b/src/test/java/TestUtil.java @@ -17,15 +17,15 @@ import ch.qos.logback.classic.LoggerContext; import ch.qos.logback.classic.joran.JoranConfigurator; import ch.qos.logback.core.joran.spi.JoranException; +import com.google.gson.*; import com.splunk.*; -import org.json.simple.JSONObject; -import org.json.simple.JSONValue; import org.junit.Assert; import org.slf4j.*; import java.io.*; import java.nio.charset.Charset; +import java.nio.charset.StandardCharsets; import java.nio.file.Files; import java.util.*; import java.util.Map.Entry; @@ -135,7 +135,7 @@ public static String createHttpEventCollectorToken(String httpEventCollectorName enableHttpEventCollector(); //create an httpEventCollector - Map args = new HashMap(); + Map args = new HashMap<>(); args.put("name", httpEventCollectorName); args.put("description", "test http event collector"); 
@@ -146,9 +146,9 @@ public static String createHttpEventCollectorToken(String httpEventCollectorName assert msg.getStatus() == 201; //get httpEventCollector token - args = new HashMap(); + args = new HashMap<>(); ResponseMessage response = service.get(httpEventCollectorTokenEndpointPath + "/" + httpEventCollectorName, args); - BufferedReader reader = new BufferedReader(new InputStreamReader(response.getContent(), "UTF-8")); + BufferedReader reader = new BufferedReader(new InputStreamReader(response.getContent(), StandardCharsets.UTF_8)); String token = ""; while (true) { String line = reader.readLine(); @@ -385,10 +385,15 @@ public static void verifyEventsSentToSplunk(List msgs) throws IOExceptio int eventCount = 0; InputStream resultsStream = null; ResultsReaderXml resultsReader = null; - final Object parsedObject = JSONValue.parse(msg); + Object parsedObject; + try { + parsedObject = JsonParser.parseString(msg); + } catch (JsonSyntaxException e) { + parsedObject = msg; + } while (System.currentTimeMillis() - startTime < 30 * 1000)/*wait for up to 30s*/ { - if (parsedObject instanceof JSONObject) { - resultsStream = searchJsonMessageEvent((JSONObject) parsedObject); + if (parsedObject instanceof JsonObject) { + resultsStream = searchJsonMessageEvent((JsonObject) parsedObject); } else { resultsStream = service.oneshotSearch("search " + msg); } 
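Review bot: The `catch (JsonSyntaxException e)` fallback around `JsonParser.parseString(msg)` in the `@@ -385` hunk is narrower than the `JSONValue.parse` null-return it replaces: Gson's `parseString` parses in lenient mode, so a non-JSON text message can still come back as a `JsonPrimitive` or, with unquoted keys and single-quoted strings, as a `JsonObject` and be routed to the field search rather than the plain-text search, and failures that are not syntax errors (`JsonIOException`) share the `JsonParseException` parent but are not caught. Catching the parent, `} catch (JsonParseException e) {`, closes the second gap; for the first, the debug text this test actually sends contains an unterminated single quote and so fails to parse today, but a well-formed single-quoted message would not, so a comment such as `// lenient parse: non-JSON text normally throws here and falls back to a plain search` records the assumption. `parsedObject` holding either a `JsonElement` or the original String is fine as `Object`, but say so at the declaration. `verifyEventsSentToSplunk` starts before this hunk and its polling loop continues after it.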
@@ -422,20 +427,21 @@ public static void verifyEventsSentToSplunk(List msgs) throws IOExceptio * @return the input stream linked with the search result */ @SuppressWarnings("rawtypes") - private static InputStream searchJsonMessageEvent(final JSONObject jsonObject) { - String searchQuery = ""; + private static InputStream searchJsonMessageEvent(final JsonObject jsonObject) { + StringBuilder searchQuery = new StringBuilder(); boolean firstSearchTerm = true; for (final Object entryObject : jsonObject.entrySet()) { final Entry jsonEntry = (Entry) entryObject; if (firstSearchTerm) { - searchQuery += String.format("search \"message.%s\"=%s", jsonEntry.getKey(), jsonEntry.getValue()); + searchQuery.append(String.format("search \"message.%s\"=%s", jsonEntry.getKey(), jsonEntry.getValue())); firstSearchTerm = false; } else { - searchQuery += String.format(" | search \"message.%s\"=%s", jsonEntry.getKey(), jsonEntry.getValue()); + searchQuery.append(String.format(" | search \"message.%s\"=%s", jsonEntry.getKey(), jsonEntry.getValue())); } } + System.err.println(searchQuery.toString()); - return service.oneshotSearch(searchQuery); + return service.oneshotSearch(searchQuery.toString()); } public static void verifyEventsSentInOrder(String prefix, int totalEventsCount, String index) throws IOException { From 666f72c5ffe80d7dc2b333db56154978cbedd2c0 Mon Sep 17 00:00:00 2001 From: David Poncelow Date: Fri, 6 Dec 2019 11:25:25 -0800 Subject: [PATCH 20/26] add source distribution --- pom.xml | 49 +++++++++++++++++++++++++++++++++++++------------ 1 file changed, 37 insertions(+), 12 deletions(-) diff --git a/pom.xml b/pom.xml index 875ec3bf..246748ae 100644 --- a/pom.xml +++ b/pom.xml @@ -36,6 +36,19 @@ 8 + + org.apache.maven.plugins + maven-source-plugin + 3.1.0 + + + attach-sources + + jar + + + + biz.aQute.bnd bnd-maven-plugin @@ -205,18 +218,6 @@ 2.12.1 - - - - - - - - - - - - com.splunk splunk 
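Review bot: `searchJsonMessageEvent` still splices every key and value into the SPL string unescaped, so a value containing `"`, `\` or `|` would change the query instead of being searched for; the inputs are test-controlled JSON today, but a helper this generic gets reused, and quoting the value explicitly is cheap. The leftover `System.err.println(searchQuery.toString());` looks like debugging output and should be dropped before merge. With Gson, `jsonObject.entrySet()` is already `Set<Map.Entry<String, JsonElement>>`, so the raw `Entry` cast and the `@SuppressWarnings("rawtypes")` can go; note also that `JsonPrimitive.toString()` on a string value includes its double quotes, so the generated query is now `"message.transactionId"="11"` where json-simple produced `=11`, which Splunk should treat as the same equality match but is a visible change in the query text. The hunk ends on the signature of `verifyEventsSentInOrder`, whose body lies outside it.
```java
    private static InputStream searchJsonMessageEvent(final JsonObject jsonObject) {
        StringBuilder searchQuery = new StringBuilder();
        boolean firstSearchTerm = true;
        for (Entry<String, JsonElement> jsonEntry : jsonObject.entrySet()) {
            JsonElement value = jsonEntry.getValue();
            // unquoted text for primitives, JSON form for nested values; escape SPL string delimiters
            String text = value.isJsonPrimitive() ? value.getAsString() : value.toString();
            String escaped = text.replace("\\", "\\\\").replace("\"", "\\\"");
            searchQuery.append(firstSearchTerm ? "search " : " | search ")
                       .append(String.format("\"message.%s\"=\"%s\"", jsonEntry.getKey(), escaped));
            firstSearchTerm = false;
        }
        return service.oneshotSearch(searchQuery.toString());
    }
```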
@@ -249,6 +250,30 @@ 8 + + org.apache.maven.plugins + maven-source-plugin + + + attach-sources + + jar + + + + + + org.apache.maven.plugins + maven-javadoc-plugin + + + attach-javadocs + + jar + + + + From 714195ccdc2e5c570cf158d798430ae3a831eb62 Mon Sep 17 00:00:00 2001 From: David Poncelow Date: Fri, 3 Jan 2020 10:00:34 -0800 Subject: [PATCH 21/26] fix getMessage on ServerErrorException --- .../HttpEventCollectorErrorHandler.java | 8 ++++++- src/test/java/HttpEventCollector_Test.java | 24 ++++++++++--------- 2 files changed, 20 insertions(+), 12 deletions(-) diff --git a/src/main/java/com/splunk/logging/HttpEventCollectorErrorHandler.java b/src/main/java/com/splunk/logging/HttpEventCollectorErrorHandler.java index bfd7582a..d84cbe86 100644 --- a/src/main/java/com/splunk/logging/HttpEventCollectorErrorHandler.java +++ b/src/main/java/com/splunk/logging/HttpEventCollectorErrorHandler.java @@ -43,7 +43,7 @@ public class HttpEventCollectorErrorHandler { public static class ServerErrorException extends Exception { private String reply; private long errorCode = -1; - private String errorText = "unknown error"; + private String errorText; /** * Create an exception with server error reply @@ -82,6 +82,12 @@ public String getErrorText() { return errorText; } + @Override + public String getMessage() { + return getErrorText(); + } + + @Override public String toString() { return getReply(); } diff --git a/src/test/java/HttpEventCollector_Test.java b/src/test/java/HttpEventCollector_Test.java index 410f7e00..35a32920 100644 --- a/src/test/java/HttpEventCollector_Test.java +++ b/src/test/java/HttpEventCollector_Test.java 
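Review bot: With the `"unknown error"` default removed from `errorText`, the new `getMessage()` override in `ServerErrorException` returns null on any path where the constructor leaves the field unset, and callers that build log or callback messages from `ex.getMessage()` will now propagate that null; the constructor is outside this hunk, so I cannot see whether every branch assigns `errorText`. A fallback keeps the fix from regressing to a null message, `return errorText != null ? errorText : reply;`, and `toString()` has the same exposure when `reply` is null, where `return reply != null ? reply : super.toString();` preserves today's output for the normal case. A Javadoc line on `getMessage()` saying it reports the server's error text (or the raw reply) rather than the usual exception message would document the observable change. The class continues outside the hunk.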
@@ -100,17 +100,16 @@ public void BatchLogToSplunkViaDifferentLoggers() throws Exception { LogToSplunk(true); } - public static volatile boolean exceptionWasRaised = false; + public boolean exceptionWasRaised = false; + private String message = null; + private List data = null; @Test public void TryToLogToSplunkWithDisabledHttpEventCollector() throws Exception { - HttpEventCollectorErrorHandler.onError(new HttpEventCollectorErrorHandler.ErrorCallback() { - public void error(final List data, final Exception ex) { - String exceptionInfo = ex.getMessage() + " " + ex.getStackTrace(); - HttpEventCollectorErrorHandler.ServerErrorException serverErrorException = - new HttpEventCollectorErrorHandler.ServerErrorException(exceptionInfo); - System.out.printf("Callback has been called on error\n"); - exceptionWasRaised = true; - } + HttpEventCollectorErrorHandler.onError((data, ex) -> { + System.out.print("Callback has been called on error\n"); + message = ex.getMessage(); + this.data = data; + exceptionWasRaised = true; }); int expectedCounter = 200; exceptionWasRaised = false; @@ -118,7 +117,7 @@ public void error(final List data, final Exception System.out.printf("\tSetting up http event collector with %s ... ", batching ? "batching" : "no batching"); TestUtil.enableHttpEventCollector(); String token=TestUtil.createHttpEventCollectorToken(httpEventCollectorName); - System.out.printf("set\n"); + System.out.print("set\n"); //modify the config file with the generated token String loggerName = "splunkLogger_disabled"; @@ -143,6 +142,9 @@ public void error(final List data, final Exception Thread.sleep(15000); } Assert.assertTrue(exceptionWasRaised); + Assert.assertNotNull(message); + Assert.assertNotNull(data); + Assert.assertTrue(data.size() > 0); System.out.printf("PASSED with %d events sent.\n\n", expectedCounter); } 
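Review bot: Replacing `public static volatile boolean exceptionWasRaised` with a plain instance field drops the only memory-visibility guarantee this test had: the `onError` callback runs on whichever thread the sender reports failures from (presumably the HTTP client's, not the test thread), while `exceptionWasRaised`, `message` and `data` are read on the test thread after a `Thread.sleep`, which establishes no happens-before edge, so the JMM permits the assertions to observe stale values. Declare all three `volatile` — `private volatile boolean exceptionWasRaised; private volatile String message; private volatile List<HttpEventCollectorEventInfo> data;` — or have the callback count down a `CountDownLatch` the test awaits with a timeout instead of sleeping. `HttpEventCollectorErrorHandler.onError` installs a process-wide callback that captures this test instance and is never reset, so a later test in the same JVM that triggers an error writes into a stale instance; reset it in an `@After` (a no-op lambda, or null if the handler accepts it). The raw `List data` should carry its element type as well. The `@@ -100` hunk begins at class level and the test method continues past the end of the last hunk.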
@@ -150,7 +152,7 @@ private boolean insertDataWithLoggerAndVerify(String token, String loggerType, i System.out.printf("\tInserting data with logger '%s'... ", loggerType); long startTime = System.currentTimeMillis() / 1000; Thread.sleep(2000); - HashMap userInputs = new HashMap(); + HashMap userInputs = new HashMap<>(); userInputs.put("user_httpEventCollector_token", token); if (batching) { userInputs.put("user_batch_interval", "200"); From 871c389ea09f2dca8ec470fb698a05079b29a5fc Mon Sep 17 00:00:00 2001 From: David Poncelow Date: Fri, 3 Jan 2020 10:49:05 -0800 Subject: [PATCH 22/26] remove commented code --- .../splunk/logging/EventBodySerializer.java | 33 ------------------- .../logging/HttpEventCollectorSender.java | 32 ------------------ 2 files changed, 65 deletions(-) diff --git a/src/main/java/com/splunk/logging/EventBodySerializer.java b/src/main/java/com/splunk/logging/EventBodySerializer.java index 022f17df..27447a4c 100644 --- a/src/main/java/com/splunk/logging/EventBodySerializer.java +++ b/src/main/java/com/splunk/logging/EventBodySerializer.java 
@@ -12,37 +12,4 @@ String serializeEventBody( HttpEventCollectorEventInfo eventInfo, Object formattedMessage ); - -// class Default implements EventBodySerializer { -// -// @Override -// public String serializeEventBody( -// final HttpEventCollectorEventInfo eventInfo, -// final Object formattedMessage -// ) { -// final JsonObject body = new JsonObject(); -// HttpEventCollectorSender.putIfPresent(body, "severity", eventInfo.getSeverity()); -// HttpEventCollectorSender.putIfPresent(body, "message", formattedMessage); -// HttpEventCollectorSender.putIfPresent(body, "logger", eventInfo.getLoggerName()); -// HttpEventCollectorSender.putIfPresent(body, "thread", eventInfo.getThreadName()); -// // add an exception record if and only if there is one -// // in practice, the message also has the exception information attached -// if (eventInfo.getExceptionMessage() != null) { -// HttpEventCollectorSender.putIfPresent(body, "exception", eventInfo.getExceptionMessage()); -// } -// -// // add properties if and only if there are any -// final Map props = eventInfo.getProperties(); -// if (props != null && !props.isEmpty()) { -// body.add("properties", props); -// } -// // add marker if and only if there is one -// final Serializable marker = eventInfo.getMarker(); -// if (marker != null) { -// HttpEventCollectorSender.putIfPresent(body, "marker", marker.toString()); -// } -// -// return body.toString(); -// } -// } } diff --git a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java index 56d14a8c..fc3c25bd 100644 --- a/src/main/java/com/splunk/logging/HttpEventCollectorSender.java +++ b/src/main/java/com/splunk/logging/HttpEventCollectorSender.java 
@@ -238,38 +238,6 @@ public static void putIfPresent(JsonObject collection, String tag, Object value) } } -// private String serializeEventInfo(HttpEventCollectorEventInfo eventInfo) { -//// // create event json content -//// // -//// // cf: http://dev.splunk.com/view/event-collector/SP-CAAAE6P -//// // -//// JsonObject event = new JsonObject(); -//// // event timestamp and metadata -//// putIfPresent(event, MetadataTimeTag, String.format(Locale.US, "%.3f", eventInfo.getTime())); -//// putIfPresent(event, MetadataHostTag, metadata.get(MetadataHostTag)); -//// putIfPresent(event, MetadataIndexTag, metadata.get(MetadataIndexTag)); -//// putIfPresent(event, MetadataSourceTag, metadata.get(MetadataSourceTag)); -//// putIfPresent(event, MetadataSourceTypeTag, metadata.get(MetadataSourceTypeTag)); -//// -//// // Parse message on the basis of format -//// final Object parsedMessage = this.messageFormat.parse(eventInfo.getMessage()); -//// -//// JsonElement eventBody; -//// if (eventBodySerializer != null) { -//// eventBody = new JsonPrimitive(eventBodySerializer.serializeEventBody(eventInfo, parsedMessage)); -//// } else { -//// eventBody = gson.toJsonTree(eventInfo); -//// } -//// -//// // FIXME: need test to ensure this fixes string in json problem -//// // FIXME: rename fields in output JSON to match prior object structure -//// event.add("event", eventBody); -//// System.err.println(event.toString()); -//// return event.toString(); -// String evt = gson.toJson(eventInfo); -// System.err.println(evt); -// return evt; -// } private void stopHttpClient() { if (httpClient != null) { From 7db99d36f266b07e6d8bfb559ec5df7f0786de49 Mon Sep 17 00:00:00 2001 From: David Poncelow Date: Tue, 7 Jan 2020 15:36:44 -0800 Subject: [PATCH 23/26] Specify source level of 8 for javadoc --- pom.xml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pom.xml b/pom.xml index 246748ae..c4095b51 100644 --- a/pom.xml +++ b/pom.xml @@ -271,6 +271,9 @@ jar + + 8 + 
From 99de01de2d9ac0a813f4de72ae96628b4c472345 Mon Sep 17 00:00:00 2001 From: David Poncelow Date: Wed, 8 Jan 2020 13:31:54 -0800 Subject: [PATCH 24/26] remove outdated html tags from javadoc --- .../HttpEventCollectorLog4jAppender.java | 13 +- .../com/splunk/logging/SplunkCimLogEvent.java | 4484 ++++++++--------- src/test/java/Util.java | 6 +- 3 files changed, 2255 insertions(+), 2248 deletions(-) diff --git a/src/main/java/com/splunk/logging/HttpEventCollectorLog4jAppender.java b/src/main/java/com/splunk/logging/HttpEventCollectorLog4jAppender.java index 5ee1df6e..5562b74d 100644 --- a/src/main/java/com/splunk/logging/HttpEventCollectorLog4jAppender.java +++ b/src/main/java/com/splunk/logging/HttpEventCollectorLog4jAppender.java @@ -17,6 +17,7 @@ import java.io.Serializable; import java.nio.charset.Charset; +import java.nio.charset.StandardCharsets; import java.util.HashMap; import java.util.Map; import java.util.concurrent.TimeUnit; @@ -25,6 +26,7 @@ import org.apache.logging.log4j.core.appender.AbstractAppender; import org.apache.logging.log4j.core.Filter; import org.apache.logging.log4j.core.Layout; +import org.apache.logging.log4j.core.config.Property; import org.apache.logging.log4j.core.layout.PatternLayout; import org.apache.logging.log4j.core.LogEvent; import org.apache.logging.log4j.core.config.plugins.Plugin; @@ -73,7 +75,7 @@ private HttpEventCollectorLog4jAppender(final String name, final String disableCertificateValidation, final String eventBodySerializer) { - super(name, filter, layout, ignoreExceptions); + super(name, filter, layout, ignoreExceptions, Property.EMPTY_ARRAY); Map metadata = new HashMap<>(); metadata.put(MetadataTags.HOST, host != null ? host : ""); metadata.put(MetadataTags.INDEX, index != null ? index : ""); 
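Review bot: `super(name, filter, layout, ignoreExceptions, Property.EMPTY_ARRAY);` selects the five-argument `AbstractAppender` constructor, which as far as I recall exists only from Log4j 2.11.2 (where the four-argument form it replaces was deprecated), and `getContextData()` used later in this file needs 2.7+; neither the pom nor a README note appears in this diff, so please confirm `log4j-core` is raised to match and record the new minimum under the README's requirements, because a user on an older 2.x gets a `NoSuchMethodError` at appender creation rather than a compile error. A comment above the call, `// Property.EMPTY_ARRAY: no appender-level properties; requires log4j-core >= 2.11.2`, makes the dependency visible to the next maintainer. The private constructor starts before the hunk and continues after it.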
@@ -167,7 +169,12 @@ public static HttpEventCollectorLog4jAppender createAppender( if (layout == null) { - layout = PatternLayout.createLayout("%m", null, null, null, Charset.forName("UTF-8"), true, false, null, null); + layout = PatternLayout.newBuilder() + .withPattern("%m") + .withCharset(StandardCharsets.UTF_8) + .withAlwaysWriteExceptions(true) + .withNoConsoleNoAnsi(false) + .build(); } final boolean ignoreExceptionsBool = Boolean.getBoolean(ignoreExceptions); @@ -203,7 +210,7 @@ public void append(final LogEvent event) getLayout().toSerializable(event).toString(), includeLoggerName ? event.getLoggerName() : null, includeThreadName ? event.getThreadName() : null, - includeMDC ? event.getContextMap() : null, + includeMDC ? event.getContextData().toMap() : null, (!includeException || event.getThrown() == null) ? null : event.getThrown().getMessage(), includeMarker ? event.getMarker() : null ); diff --git a/src/main/java/com/splunk/logging/SplunkCimLogEvent.java b/src/main/java/com/splunk/logging/SplunkCimLogEvent.java index 09e70f39..861c374b 100644 --- a/src/main/java/com/splunk/logging/SplunkCimLogEvent.java +++ b/src/main/java/com/splunk/logging/SplunkCimLogEvent.java 
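Review bot: The context line directly after the new layout builder, `final boolean ignoreExceptionsBool = Boolean.getBoolean(ignoreExceptions);`, is a latent bug the hunk leaves in place: `Boolean.getBoolean(String)` looks up a JVM system property named by its argument, so for a configured value of `"true"` it returns the value of `-Dtrue=...`, i.e. false, and `ignoreExceptions` can never be switched on from the configuration; the intended call is `Boolean.parseBoolean(ignoreExceptions)`. The `PatternLayout.newBuilder()` chain itself matches the old `createLayout` arguments (`%m`, UTF-8, alwaysWriteExceptions true, noConsoleNoAnsi false), so that part of the change looks behaviour-preserving. `createAppender` starts before the hunk and continues after it.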
@@ -1,2242 +1,2242 @@ -package com.splunk.logging; - -/* - * Copyright 2013-2014 Splunk, Inc. - * - * Licensed under the Apache License, Version 2.0 (the "License"): you may - * not use this file except in compliance with the License. You may obtain - * a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - * License for the specific language governing permissions and limitations - * under the License. - */ - - -import java.util.LinkedHashMap; -import java.util.regex.Pattern; - -/** - * SplunkCimLogEvent encapsulates the best practice logging semantics recommended by Splunk. - * - * It produces events of key, value pairs, properly formatted and quoted for logging with any of Java's standard - * logging libraries (logback, log4j, java.util.logging, etc.) and indexing by Splunk. The class has convenience - * methods to set the fields defined in the standard Splunk Common Information Model. - * - * SplunkCimLogEvent adds no timestamp to its fields, leaving you free to configure whatever timestamp - * format you prefer in your logging configuration. - * - * - * Logger logger = LoggerFactory.getLogger("splunk.logger"); - * SplunkCimLogEvent event = new SplunkCimLogEvent("Failed Login", "sshd:failure"); - * event.setAuthApp("jane"); - * event.setAuthUser("jane"); - * event.addField("somefieldname", "foobar"); - * logger.info(event.toString()); - * - * - * @see Splunk - * CIM - * @see Splunk - * Logging Best Practices - */ -public class SplunkCimLogEvent { - /** - * Delimiters to use in formatting the event. 
- */ - private static final String KVDELIM = "="; - private static final String PAIRDELIM = " "; - private static final char QUOTE = '"'; - - private LinkedHashMap entries; - - /** - * @param eventName event name - * @param eventID event ID - */ - public SplunkCimLogEvent(String eventName, String eventID) { - entries = new LinkedHashMap(); - - addField(PREFIX_NAME, eventName); - addField(PREFIX_EVENT_ID, eventID); - } - - /** - * Add a key value pair. The value may be any Java object which returns a sensible - * result from its toString method. - * - * For logging exceptions, consider using addThrowableWithStacktrace instead. - * - * @param key key - * @param value value - */ - public void addField(String key, Object value) { - entries.put(key, value); - } - - /** - * Logs an exception with its stacktrace nicely formatted for indexing and searching by Splunk. - * - * @param throwable - * the Throwable object to add to the event - */ - public void addThrowableWithStacktrace(Throwable throwable) { - - addThrowableWithStacktrace(throwable, Integer.MAX_VALUE); - } - - /** - * Logs an exception with the first stacktraceDepth elements of its stacktrace nicely - * formatted for indexing and searching by Splunk, - * - * - * @param throwable - * the Throwable object to add to the event - * @param stacktraceDepth - * maximum number of stacktrace elements to log - */ - - public void addThrowableWithStacktrace(Throwable throwable, int stacktraceDepth) { - addField(THROWABLE_CLASS, throwable.getClass().getCanonicalName()); - addField(THROWABLE_MESSAGE, throwable.getMessage()); - - StackTraceElement[] elements = throwable.getStackTrace(); - StringBuilder sb = new StringBuilder(); - for (int depth = 0; depth < elements.length && depth < stacktraceDepth; depth++) { - if (depth > 0) - sb.append(","); - sb.append(elements[depth].toString()); - } - - if (stacktraceDepth > 0) { - addField(THROWABLE_STACKTRACE_ELEMENTS, sb.toString()); - } - } - - private static final Pattern 
DOUBLE_QUOTE = Pattern.compile("\""); - @Override - public String toString() { - StringBuilder output = new StringBuilder(); - - boolean first = true; - for (String key : entries.keySet()) { - if (!first) { - output.append(PAIRDELIM); - } else { - first = false; - } - String value = String.valueOf(entries.get(key)); - - // Escape any " that appear in the key or value. - key = DOUBLE_QUOTE.matcher(key).replaceAll("\\\\\""); - value = DOUBLE_QUOTE.matcher(value).replaceAll("\\\\\""); - - output.append(QUOTE).append(key).append(KVDELIM).append(value).append(QUOTE); - } - - return output.toString(); - } - - - /** - * Event prefix fields - */ - private static final String PREFIX_NAME = "name"; - private static final String PREFIX_EVENT_ID = "event_id"; - - /** - * Java Throwable type fields - */ - private static final String THROWABLE_CLASS = "throwable_class"; - private static final String THROWABLE_MESSAGE = "throwable_message"; - private static final String THROWABLE_STACKTRACE_ELEMENTS = "stacktrace_elements"; - - /** - * Splunk Common Information Model(CIM) Fields - */ - - // ------------------ - // Account management - // ------------------ - - /** - * The domain containing the user that is affected by the account management event. - */ - public void setAcManagementDestNtDomain(String acManagementDestNtDomain) { - addField(AC_MANAGEMENT_DEST_NT_DOMAIN, acManagementDestNtDomain); - } - public static String AC_MANAGEMENT_DEST_NT_DOMAIN = "dest_nt_domain"; - - /** - * Description of the account management change performed. - */ - public void setAcManagementSignature(String acManagementSignature) { - addField(AC_MANAGEMENT_SIGNATURE, acManagementSignature); - } - public static String AC_MANAGEMENT_SIGNATURE = "signature"; - - /** - * The NT source of the destination. In the case of an account management - * event, this is the domain that contains the user that generated the - * event. 
- */ - public void setAcManagementSrcNtDomain(String acManagementSrcNtDomain) { - addField(AC_MANAGEMENT_SRC_NT_DOMAIN, acManagementSrcNtDomain); - } - public static String AC_MANAGEMENT_SRC_NT_DOMAIN = "src_nt_domain"; - - // ---------------------------------- - // Authentication - Access protection - // ---------------------------------- - - /** - * The action performed on the resource. success, failure - */ - public void setAuthAction(String authAction) { - addField(AUTH_ACTION, authAction); - } - public static String AUTH_ACTION = "action"; - /** - * The application involved in the event (such as ssh, spunk, win:local). - */ - public void setAuthApp(String authApp) { - addField(AUTH_APP, authApp); - } - public static String AUTH_APP = "app"; - - /** - * The target involved in the authentication. If your field is named - * dest_host, dest_ip, dest_ipv6, or dest_nt_host you can alias it as dest - * to make it CIM-compliant. - */ - public void setAuthDest(String authDest) { - addField(AUTH_DEST, authDest); - } - public static String AUTH_DEST = "dest"; - - /** - * The source involved in the authentication. In the case of endpoint - * protection authentication the src is the client. If your field is named - * src_host, src_ip, src_ipv6, or src_nt_host you can alias it as src to - * make it CIM-compliant.. It is required for all events dealing with - * endpoint protection (Authentication, change analysis, malware, system - * center, and update). Note: Do not confuse this with the event source or - * sourcetype fields. - */ - public void setAuthSrc(String authSrc) { - addField(AUTH_SRC, authSrc); - } - public static String AUTH_SRC = "src"; - - /** - * In privilege escalation events, src_user represents the user who - * initiated the privilege escalation. 
- */ - public void setAuthSrcUser(String authSrcUser) { - addField(AUTH_SRC_USER, authSrcUser); - } - public static String AUTH_SRC_USER = "src_user"; - - /** - * The name of the user involved in the event, or who initiated the event. - * For authentication privilege escalation events this should represent the - * user targeted by the escalation. - */ - public void setAuthUser(String authUser) { - addField(AUTH_USER, authUser); - } - public static String AUTH_USER = "user"; - - // ---------------------------------- - // Change analysis - Endpoint protection - // ---------------------------------- - - /** - * The action performed on the resource. - */ - public void setChangeEndpointProtectionAction( - String changeEndpointProtectionAction) { - addField(CHANGE_ENDPOINT_PROTECTION_ACTION, - changeEndpointProtectionAction); - } - public static String CHANGE_ENDPOINT_PROTECTION_ACTION = "action"; - - /** - * The type of change discovered in the change analysis event. - */ - public void setChangeEndpointProtectionChangeType( - String changeEndpointProtectionChangeType) { - addField(CHANGE_ENDPOINT_PROTECTION_CHANGE_TYPE, - changeEndpointProtectionChangeType); - } - public static String CHANGE_ENDPOINT_PROTECTION_CHANGE_TYPE = "change_type"; - - /** - * The host that was affected by the change. If your field is named - * dest_host,dest_ip,dest_ipv6, or dest_nt_host you can alias it as dest to - * make it CIM-compliant. - */ - public void setChangeEndpointProtectionDest( - String changeEndpointProtectionDest) { - addField(CHANGE_ENDPOINT_PROTECTION_DEST, changeEndpointProtectionDest); - } - public static String CHANGE_ENDPOINT_PROTECTION_DEST = "dest"; - - /** - * The hash signature of the modified resource. 
- */ - public void setChangeEndpointProtectionHash( - String changeEndpointProtectionHash) { - addField(CHANGE_ENDPOINT_PROTECTION_HASH, changeEndpointProtectionHash); - } - public static String CHANGE_ENDPOINT_PROTECTION_HASH = "hash"; - - /** - * The group ID of the modified resource. - */ - public void setChangeEndpointProtectionGid(long changeEndpointProtectionGid) { - addField(CHANGE_ENDPOINT_PROTECTION_GID, changeEndpointProtectionGid); - } - public static String CHANGE_ENDPOINT_PROTECTION_GID = "gid"; - - /** - * Indicates whether or not the modified resource is a directory. - */ - public void setChangeEndpointProtectionIsdr( - boolean changeEndpointProtectionIsdr) { - addField(CHANGE_ENDPOINT_PROTECTION_ISDR, changeEndpointProtectionIsdr); - } - public static String CHANGE_ENDPOINT_PROTECTION_ISDR = "isdr"; - - /** - * The permissions mode of the modified resource. - */ - public void setChangeEndpointProtectionMode( - long changeEndpointProtectionMode) { - addField(CHANGE_ENDPOINT_PROTECTION_MODE, changeEndpointProtectionMode); - } - public static String CHANGE_ENDPOINT_PROTECTION_MODE = "mode"; - - /** - * The modification time of the modified resource. - */ - public void setChangeEndpointProtectionModtime( - String changeEndpointProtectionModtime) { - addField(CHANGE_ENDPOINT_PROTECTION_MODTIME, - changeEndpointProtectionModtime); - } - public static String CHANGE_ENDPOINT_PROTECTION_MODTIME = "modtime"; - - /** - * The file path of the modified resource. - */ - public void setChangeEndpointProtectionPath( - String changeEndpointProtectionPath) { - addField(CHANGE_ENDPOINT_PROTECTION_PATH, changeEndpointProtectionPath); - } - public static String CHANGE_ENDPOINT_PROTECTION_PATH = "path"; - - /** - * The size of the modified resource. 
- */ - public void setChangeEndpointProtectionSize( - long changeEndpointProtectionSize) { - addField(CHANGE_ENDPOINT_PROTECTION_SIZE, changeEndpointProtectionSize); - } - public static String CHANGE_ENDPOINT_PROTECTION_SIZE = "size"; - - /** - * The user ID of the modified resource. - */ - public void setChangeEndpointProtectionUid(long changeEndpointProtectionUid) { - addField(CHANGE_ENDPOINT_PROTECTION_UID, changeEndpointProtectionUid); - } - public static String CHANGE_ENDPOINT_PROTECTION_UID = "uid"; - - // ---------------------------------- - // Change analysis - Network protection - // ---------------------------------- - - /** - * The type of change observed. - */ - public void setChangeNetworkProtectionAction( - String changeNetworkProtectionAction) { - addField(CHANGE_NETWORK_PROTECTION_ACTION, changeNetworkProtectionAction); - } - public static String CHANGE_NETWORK_PROTECTION_ACTION = "action"; - - /** - * The command that initiated the change. - */ - public void setChangeNetworkProtectionCommand( - String changeNetworkProtectionCommand) { - addField(CHANGE_NETWORK_PROTECTION_COMMAND, - changeNetworkProtectionCommand); - } - public static String CHANGE_NETWORK_PROTECTION_COMMAND = "command"; - - /** - * The device that is directly affected by the change. - */ - public void setChangeNetworkProtectionDvc(String changeNetworkProtectionDvc) { - addField(CHANGE_NETWORK_PROTECTION_DVC, changeNetworkProtectionDvc); - } - public static String CHANGE_NETWORK_PROTECTION_DVC = "dvc"; - - /** - * The user that initiated the change. - */ - public void setChangeNetworkProtectionUser( - String changeNetworkProtectionUser) { - addField(CHANGE_NETWORK_PROTECTION_USER, changeNetworkProtectionUser); - } - public static String CHANGE_NETWORK_PROTECTION_USER = "user"; - - // ---------------------------------- - // Common event fields - // ---------------------------------- - - /** - * A device-specific classification provided as part of the event. 
- */ - public void setCommonCategory(String commonCategory) { - addField(COMMON_CATEGORY, commonCategory); - } - public static String COMMON_CATEGORY = "category"; - - /** - * A device-specific classification provided as part of the event. - */ - public void setCommonCount(String commonCount) { - addField(COMMON_COUNT, commonCount); - } - public static String COMMON_COUNT = "count"; - - /** - * The free-form description of a particular event. - */ - public void setCommonDesc(String commonDesc) { - addField(COMMON_DESC, commonDesc); - } - public static String COMMON_DESC = "desc"; - - /** - * The name of a given DHCP pool on a DHCP server. - */ - public void setCommonDhcpPool(String commonDhcpPool) { - addField(COMMON_DHCP_POOL, commonDhcpPool); - } - public static String COMMON_DHCP_POOL = "dhcp_pool"; - - /** - * The amount of time the event lasted. - */ - public void setCommonDuration(long commonDuration) { - addField(COMMON_DURATION, commonDuration); - } - public static String COMMON_DURATION = "duration"; - - /** - * The fully qualified domain name of the device transmitting or recording - * the log record. - */ - public void setCommonDvcHost(String commonDvcHost) { - addField(COMMON_DVC_HOST, commonDvcHost); - } - public static String COMMON_DVC_HOST = "dvc_host"; - - /** - * The IPv4 address of the device reporting the event. - */ - public void setCommonDvcIp(String commonDvcIp) { - addField(COMMON_DVC_IP, commonDvcIp); - } - public static String COMMON_DVC_IP = "dvc_ip"; - - /** - * The IPv6 address of the device reporting the event. - */ - public void setCommonDvcIp6(String commonDvcIp6) { - addField(COMMON_DVC_IP6, commonDvcIp6); - } - public static String COMMON_DVC_IP6 = "dvc_ip6"; - - /** - * The free-form description of the device's physical location. 
- */ - public void setCommonDvcLocation(String commonDvcLocation) { - addField(COMMON_DVC_LOCATION, commonDvcLocation); - } - public static String COMMON_DVC_LOCATION = "dvc_location"; - - /** - * The MAC (layer 2) address of the device reporting the event. - */ - public void setCommonDvcMac(String commonDvcMac) { - addField(COMMON_DVC_MAC, commonDvcMac); - } - public static String COMMON_DVC_MAC = "dvc_mac"; - - /** - * The Windows NT domain of the device recording or transmitting the event. - */ - public void setCommonDvcNtDomain(String commonDvcNtDomain) { - addField(COMMON_DVC_NT_DOMAIN, commonDvcNtDomain); - } - public static String COMMON_DVC_NT_DOMAIN = "dvc_nt_domain"; - - /** - * The Windows NT host name of the device recording or transmitting the - * event. - */ - public void setCommonDvcNtHost(String commonDvcNtHost) { - addField(COMMON_DVC_NT_HOST, commonDvcNtHost); - } - public static String COMMON_DVC_NT_HOST = "dvc_nt_host"; - - /** - * Time at which the device recorded the event. - */ - public void setCommonDvcTime(long commonDvcTime) { - addField(COMMON_DVC_TIME, commonDvcTime); - } - public static String COMMON_DVC_TIME = "dvc_time"; - - /** - * The event's specified end time. - */ - public void setCommonEndTime(long commonEndTime) { - addField(COMMON_END_TIME, commonEndTime); - } - public static String COMMON_END_TIME = "end_time"; - - /** - * A unique identifier that identifies the event. This is unique to the - * reporting device. - */ - public void setCommonEventId(long commonEventId) { - addField(COMMON_EVENT_ID, commonEventId); - } - public static String COMMON_EVENT_ID = "event_id"; - - /** - * The length of the datagram, event, message, or packet. - */ - public void setCommonLength(long commonLength) { - addField(COMMON_LENGTH, commonLength); - } - public static String COMMON_LENGTH = "length"; - - /** - * The log-level that was set on the device and recorded in the event. 
- */ - public void setCommonLogLevel(String commonLogLevel) { - addField(COMMON_LOG_LEVEL, commonLogLevel); - } - public static String COMMON_LOG_LEVEL = "log_level"; - - /** - * The name of the event as reported by the device. The name should not - * contain information that's already being parsed into other fields from - * the event, such as IP addresses. - */ - public void setCommonName(String commonName) { - addField(COMMON_NAME, commonName); - } - public static String COMMON_NAME = "name"; - - /** - * An integer assigned by the device operating system to the process - * creating the record. - */ - public void setCommonPid(long commonPid) { - addField(COMMON_PID, commonPid); - } - public static String COMMON_PID = "pid"; - - /** - * An environment-specific assessment of the event's importance, based on - * elements such as event severity, business function of the affected - * system, or other locally defined variables. - */ - public void setCommonPriority(long commonPriority) { - addField(COMMON_PRIORITY, commonPriority); - } - public static String COMMON_PRIORITY = "priority"; - - /** - * The product that generated the event. - */ - public void setCommonProduct(String commonProduct) { - addField(COMMON_PRODUCT, commonProduct); - } - public static String COMMON_PRODUCT = "product"; - - /** - * The version of the product that generated the event. - */ - public void setCommonProductVersion(long commonProductVersion) { - addField(COMMON_PRODUCT_VERSION, commonProductVersion); - } - public static String COMMON_PRODUCT_VERSION = "product_version"; - - /** - * The result root cause, such as connection refused, timeout, crash, and so - * on. - */ - public void setCommonReason(String commonReason) { - addField(COMMON_REASON, commonReason); - } - public static String COMMON_REASON = "reason"; - - /** - * The action result. Often is a binary choice: succeeded and failed, - * allowed and denied, and so on. 
- */
- public void setCommonResult(String commonResult) {
- addField(COMMON_RESULT, commonResult);
- }
- public static String COMMON_RESULT = "result";
-
- /**
- * The severity (or priority) of an event as reported by the originating
- * device.
- */
- public void setCommonSeverity(String commonSeverity) {
- addField(COMMON_SEVERITY, commonSeverity);
- }
- public static String COMMON_SEVERITY = "severity";
-
- /**
- * The event's specified start time.
- */
- public void setCommonStartTime(long commonStartTime) {
- addField(COMMON_START_TIME, commonStartTime);
- }
- public static String COMMON_START_TIME = "start_time";
-
- /**
- * The transaction identifier.
- */
- public void setCommonTransactionId(String commonTransactionId) {
- addField(COMMON_TRANSACTION_ID, commonTransactionId);
- }
- public static String COMMON_TRANSACTION_ID = "transaction_id";
-
- /**
- * A uniform record locator (a web address, in other words) included in a
- * record.
- */
- public void setCommonUrl(String commonUrl) {
- addField(COMMON_URL, commonUrl);
- }
- public static String COMMON_URL = "url";
-
- /**
- * The vendor who made the product that generated the event.
- */
- public void setCommonVendor(String commonVendor) {
- addField(COMMON_VENDOR, commonVendor);
- }
- public static String COMMON_VENDOR = "vendor";
-
- // ----------------------------------
- // DNS protocol
- // ----------------------------------
-
- /**
- * The DNS domain that has been queried.
- */
- public void setDnsDestDomain(String dnsDestDomain) {
- addField(DNS_DEST_DOMAIN, dnsDestDomain);
- }
- public static String DNS_DEST_DOMAIN = "dest_domain";
-
- /**
- * The remote DNS resource record being acted upon.
- */
- public void setDnsDestRecord(String dnsDestRecord) {
- addField(DNS_DEST_RECORD, dnsDestRecord);
- }
- public static String DNS_DEST_RECORD = "dest_record";
-
- /**
- * The DNS zone that is being received by the slave as part of a zone
- * transfer.
- */
- public void setDnsDestZone(String dnsDestZone) {
- addField(DNS_DEST_ZONE, dnsDestZone);
- }
- public static String DNS_DEST_ZONE = "dest_zone";
-
- /**
- * The DNS resource record class.
- */
- public void setDnsRecordClass(String dnsRecordClass) {
- addField(DNS_RECORD_CLASS, dnsRecordClass);
- }
- public static String DNS_RECORD_CLASS = "record_class";
-
- /**
- * The DNS resource record type.
- *
- * @see see
- * this Wikipedia article on DNS record types
- */
- public void setDnsRecordType(String dnsRecordType) {
- addField(DNS_RECORD_TYPE, dnsRecordType);
- }
- public static String DNS_RECORD_TYPE = "record_type";
-
- /**
- * The local DNS domain that is being queried.
- */
- public void setDnsSrcDomain(String dnsSrcDomain) {
- addField(DNS_SRC_DOMAIN, dnsSrcDomain);
- }
- public static String DNS_SRC_DOMAIN = "src_domain";
-
- /**
- * The local DNS resource record being acted upon.
- */
- public void setDnsSrcRecord(String dnsSrcRecord) {
- addField(DNS_SRC_RECORD, dnsSrcRecord);
- }
- public static String DNS_SRC_RECORD = "src_record";
-
- /**
- * The DNS zone that is being transferred by the master as part of a zone
- * transfer.
- */
- public void setDnsSrcZone(String dnsSrcZone) {
- addField(DNS_SRC_ZONE, dnsSrcZone);
- }
- public static String DNS_SRC_ZONE = "src_zone";
-
- // ----------------------------------
- // Email tracking
- // ----------------------------------
-
- /**
- * The person to whom an email is sent.
- */
- public void setEmailRecipient(String emailRecipient) {
- addField(EMAIL_RECIPIENT, emailRecipient);
- }
- public static String EMAIL_RECIPIENT = "recipient";
-
- /**
- * The person responsible for sending an email.
- */
- public void setEmailSender(String emailSender) {
- addField(EMAIL_SENDER, emailSender);
- }
- public static String EMAIL_SENDER = "sender";
-
- /**
- * The email subject line.
- */
- public void setEmailSubject(String emailSubject) {
- addField(EMAIL_SUBJECT, emailSubject);
- }
- public static String EMAIL_SUBJECT = "subject";
-
- // ----------------------------------
- // File management
- // ----------------------------------
-
- /**
- * The time the file (the object of the event) was accessed.
- */
- public void setFileAccessTime(long fileAccessTime) {
- addField(FILE_ACCESS_TIME, fileAccessTime);
- }
- public static String FILE_ACCESS_TIME = "file_access_time";
-
- /**
- * The time the file (the object of the event) was created.
- */
- public void setFileCreateTime(long fileCreateTime) {
- addField(FILE_CREATE_TIME, fileCreateTime);
- }
- public static String FILE_CREATE_TIME = "file_create_time";
-
- /**
- * A cryptographic identifier assigned to the file object affected by the
- * event.
- */
- public void setFileHash(String fileHash) {
- addField(FILE_HASH, fileHash);
- }
- public static String FILE_HASH = "file_hash";
-
- /**
- * The time the file (the object of the event) was altered.
- */
- public void setFileModifyTime(long fileModifyTime) {
- addField(FILE_MODIFY_TIME, fileModifyTime);
- }
- public static String FILE_MODIFY_TIME = "file_modify_time";
-
- /**
- * The name of the file that is the object of the event (without location
- * information related to local file or directory structure).
- */
- public void setFileName(String fileName) {
- addField(FILE_NAME, fileName);
- }
- public static String FILE_NAME = "file_name";
-
- /**
- * The location of the file that is the object of the event, in terms of
- * local file and directory structure.
- */
- public void setFilePath(String filePath) {
- addField(FILE_PATH, filePath);
- }
- public static String FILE_PATH = "file_path";
-
- /**
- * Access controls associated with the file affected by the event.
- */
- public void setFilePermission(String filePermission) {
- addField(FILE_PERMISSION, filePermission);
- }
- public static String FILE_PERMISSION = "file_permission";
-
- /**
- * The size of the file that is the object of the event. Indicate whether
- * Bytes, KB, MB, GB.
- */
- public void setFileSize(long fileSize) {
- addField(FILE_SIZE, fileSize);
- }
- public static String FILE_SIZE = "file_size";
-
- // ----------------------------------
- // Intrusion detection
- // ----------------------------------
-
- /**
- * The category of the triggered signature.
- */
- public void setIntrusionDetectionCategory(String intrusionDetectionCategory) {
- addField(INTRUSION_DETECTION_CATEGORY, intrusionDetectionCategory);
- }
- public static String INTRUSION_DETECTION_CATEGORY = "category";
-
- /**
- * The destination of the attack detected by the intrusion detection system
- * (IDS). If your field is named dest_host, dest_ip, dest_ipv6, or
- * dest_nt_host you can alias it as dest to make it CIM-compliant.
- */
- public void setIntrusionDetectionDest(String intrusionDetectionDest) {
- addField(INTRUSION_DETECTION_DEST, intrusionDetectionDest);
- }
- public static String INTRUSION_DETECTION_DEST = "dest";
-
- /**
- * The device that detected the intrusion event.
- */
- public void setIntrusionDetectionDvc(String intrusionDetectionDvc) {
- addField(INTRUSION_DETECTION_DVC, intrusionDetectionDvc);
- }
- public static String INTRUSION_DETECTION_DVC = "dvc";
-
- /**
- * The type of IDS that generated the event.
- */
- public void setIntrusionDetectionIdsType(String intrusionDetectionIdsType) {
- addField(INTRUSION_DETECTION_IDS_TYPE, intrusionDetectionIdsType);
- }
- public static String INTRUSION_DETECTION_IDS_TYPE = "ids_type";
-
- /**
- * The product name of the vendor technology generating network protection
- * data, such as IDP, Providentia, and ASA.
- *
- * Note: Required for all events dealing with network protection (Change
- * analysis, proxy, malware, intrusion detection, packet filtering, and
- * vulnerability).
- */
- public void setIntrusionDetectionProduct(String intrusionDetectionProduct) {
- addField(INTRUSION_DETECTION_PRODUCT, intrusionDetectionProduct);
- }
- public static String INTRUSION_DETECTION_PRODUCT = "product";
-
- /**
- * The severity of the network protection event (such as critical, high,
- * medium, low, or informational).
- *
- * Note: This field is a string. Please use a severity_id field for severity
- * ID fields that are integer data types.
- */
- public void setIntrusionDetectionSeverity(String intrusionDetectionSeverity) {
- addField(INTRUSION_DETECTION_SEVERITY, intrusionDetectionSeverity);
- }
- public static String INTRUSION_DETECTION_SEVERITY = "severity";
-
- /**
- * The name of the intrusion detected on the client (the src), such as
- * PlugAndPlay_BO and JavaScript_Obfuscation_Fre.
- */
- public void setIntrusionDetectionSignature(
- String intrusionDetectionSignature) {
- addField(INTRUSION_DETECTION_SIGNATURE, intrusionDetectionSignature);
- }
- public static String INTRUSION_DETECTION_SIGNATURE = "signature";
-
- /**
- * The source involved in the attack detected by the IDS. If your field is
- * named src_host, src_ip, src_ipv6, or src_nt_host you can alias it as src
- * to make it CIM-compliant.
- */
- public void setIntrusionDetectionSrc(String intrusionDetectionSrc) {
- addField(INTRUSION_DETECTION_SRC, intrusionDetectionSrc);
- }
- public static String INTRUSION_DETECTION_SRC = "src";
-
- /**
- * The user involved with the intrusion detection event.
- */
- public void setIntrusionDetectionUser(String intrusionDetectionUser) {
- addField(INTRUSION_DETECTION_USER, intrusionDetectionUser);
- }
- public static String INTRUSION_DETECTION_USER = "user";
-
- /**
- * The vendor technology used to generate network protection data, such as
- * IDP, Providentia, and ASA.
- *
- * Note: Required for all events dealing with network protection (Change
- * analysis, proxy, malware, intrusion detection, packet filtering, and
- * vulnerability).
- */
- public void setIntrusionDetectionVendor(String intrusionDetectionVendor) {
- addField(INTRUSION_DETECTION_VENDOR, intrusionDetectionVendor);
- }
- public static String INTRUSION_DETECTION_VENDOR = "vendor";
-
-
- // ----------------------------------
- // Malware - Endpoint protection
- // ----------------------------------
-
- /**
- * The outcome of the infection
- */
- public void setMalwareEndpointProtectionAction(
- String malwareEndpointProtectionAction) {
- addField(MALWARE_ENDPOINT_PROTECTION_ACTION,
- malwareEndpointProtectionAction);
- }
- public static String MALWARE_ENDPOINT_PROTECTION_ACTION = "action";
-
- /**
- * The NT domain of the destination (the dest_bestmatch).
- */
- public void setMalwareEndpointProtectionDestNtDomain(
- String malwareEndpointProtectionDestNtDomain) {
- addField(MALWARE_ENDPOINT_PROTECTION_DEST_NT_DOMAIN,
- malwareEndpointProtectionDestNtDomain);
- }
- public static String MALWARE_ENDPOINT_PROTECTION_DEST_NT_DOMAIN = "dest_nt_domain";
-
- /**
- * The cryptographic hash of the file associated with the malware event
- * (such as the malicious or infected file).
- */
- public void setMalwareEndpointProtectionFileHash(
- String malwareEndpointProtectionFileHash) {
- addField(MALWARE_ENDPOINT_PROTECTION_FILE_HASH,
- malwareEndpointProtectionFileHash);
- }
- public static String MALWARE_ENDPOINT_PROTECTION_FILE_HASH = "file_hash";
-
- /**
- * The name of the file involved in the malware event (such as the infected
- * or malicious file).
- */
- public void setMalwareEndpointProtectionFileName(
- String malwareEndpointProtectionFileName) {
- addField(MALWARE_ENDPOINT_PROTECTION_FILE_NAME,
- malwareEndpointProtectionFileName);
- }
- public static String MALWARE_ENDPOINT_PROTECTION_FILE_NAME = "file_name";
-
- /**
- * The path of the file involved in the malware event (such as the infected
- * or malicious file).
- */
- public void setMalwareEndpointProtectionFilePath(
- String malwareEndpointProtectionFilePath) {
- addField(MALWARE_ENDPOINT_PROTECTION_FILE_PATH,
- malwareEndpointProtectionFilePath);
- }
- public static String MALWARE_ENDPOINT_PROTECTION_FILE_PATH = "file_path";
-
- /**
- * The product name of the vendor technology (the vendor field) that is
- * generating malware data (such as Antivirus or EPO).
- */
- public void setMalwareEndpointProtectionProduct(
- String malwareEndpointProtectionProduct) {
- addField(MALWARE_ENDPOINT_PROTECTION_PRODUCT,
- malwareEndpointProtectionProduct);
- }
- public static String MALWARE_ENDPOINT_PROTECTION_PRODUCT = "product";
-
- /**
- * The product version number of the vendor technology installed on the
- * client (such as 10.4.3 or 11.0.2).
- */
- public void setMalwareEndpointProtectionProductVersion(
- String malwareEndpointProtectionProductVersion) {
- addField(MALWARE_ENDPOINT_PROTECTION_PRODUCT_VERSION,
- malwareEndpointProtectionProductVersion);
- }
- public static String MALWARE_ENDPOINT_PROTECTION_PRODUCT_VERSION = "product_version";
-
- /**
- * The name of the malware infection detected on the client (the src), such
- * as Trojan.Vundo,Spyware.Gaobot,W32.Nimbda).
- *
- * Note: This field is a string. Please use a signature_id field for
- * signature ID fields that are integer data types.
- */
- public void setMalwareEndpointProtectionSignature(
- String malwareEndpointProtectionSignature) {
- addField(MALWARE_ENDPOINT_PROTECTION_SIGNATURE,
- malwareEndpointProtectionSignature);
- }
- public static String MALWARE_ENDPOINT_PROTECTION_SIGNATURE = "signature";
-
- /**
- * The current signature definition set running on the client, such as
- * 11hsvx)
- */
- public void setMalwareEndpointProtectionSignatureVersion(
- String malwareEndpointProtectionSignatureVersion) {
- addField(MALWARE_ENDPOINT_PROTECTION_SIGNATURE_VERSION,
- malwareEndpointProtectionSignatureVersion);
- }
- public static String MALWARE_ENDPOINT_PROTECTION_SIGNATURE_VERSION = "signature_version";
-
- /**
- * The target affected or infected by the malware. If your field is named
- * dest_host, dest_ip, dest_ipv6, or dest_nt_host you can alias it as dest
- * to make it CIM-compliant.
- */
- public void setMalwareEndpointProtectionDest(
- String malwareEndpointProtectionDest) {
- addField(MALWARE_ENDPOINT_PROTECTION_DEST, malwareEndpointProtectionDest);
- }
- public static String MALWARE_ENDPOINT_PROTECTION_DEST = "dest";
-
- /**
- * The NT domain of the source (the src).
- */
- public void setMalwareEndpointProtectionSrcNtDomain(
- String malwareEndpointProtectionSrcNtDomain) {
- addField(MALWARE_ENDPOINT_PROTECTION_SRC_NT_DOMAIN,
- malwareEndpointProtectionSrcNtDomain);
- }
- public static String MALWARE_ENDPOINT_PROTECTION_SRC_NT_DOMAIN = "src_nt_domain";
-
- /**
- * The name of the user involved in the malware event.
- */
- public void setMalwareEndpointProtectionUser(
- String malwareEndpointProtectionUser) {
- addField(MALWARE_ENDPOINT_PROTECTION_USER, malwareEndpointProtectionUser);
- }
- public static String MALWARE_ENDPOINT_PROTECTION_USER = "user";
-
- /**
- * The name of the vendor technology generating malware data, such as
- * Symantec or McAfee.
- */
- public void setMalwareEndpointProtectionVendor(
- String malwareEndpointProtectionVendor) {
- addField(MALWARE_ENDPOINT_PROTECTION_VENDOR,
- malwareEndpointProtectionVendor);
- }
- public static String MALWARE_ENDPOINT_PROTECTION_VENDOR = "vendor";
-
- // ----------------------------------
- // Malware - Network protection
- // ----------------------------------
-
- /**
- * The product name of the vendor technology generating network protection
- * data, such as IDP, Proventia, and ASA.
- *
- * Note: Required for all events dealing with network protection (Change
- * analysis, proxy, malware, intrusion detection, packet filtering, and
- * vulnerability).
- */
- public void setMalwareNetworkProtectionProduct(
- String malwareNetworkProtectionProduct) {
- addField(MALWARE_NETWORK_PROTECTION_PRODUCT,
- malwareNetworkProtectionProduct);
- }
- public static String MALWARE_NETWORK_PROTECTION_PRODUCT = "product";
-
- /**
- * The severity of the network protection event (such as critical, high,
- * medium, low, or informational).
- *
- * Note: This field is a string. Please use a severity_id field for severity
- * ID fields that are integer data types.
- */
- public void setMalwareNetworkProtectionSeverity(
- String malwareNetworkProtectionSeverity) {
- addField(MALWARE_NETWORK_PROTECTION_SEVERITY,
- malwareNetworkProtectionSeverity);
- }
- public static String MALWARE_NETWORK_PROTECTION_SEVERITY = "severity";
-
- /**
- * The vendor technology used to generate network protection data, such as
- * IDP, Proventia, and ASA.
- *
- * Note: Required for all events dealing with network protection (Change
- * analysis, proxy, malware, intrusion detection, packet filtering, and
- * vulnerability).
- */
- public void setMalwareNetworkProtectionVendor(
- String malwareNetworkProtectionVendor) {
- addField(MALWARE_NETWORK_PROTECTION_VENDOR,
- malwareNetworkProtectionVendor);
- }
- public static String MALWARE_NETWORK_PROTECTION_VENDOR = "vendor";
-
-
- // ----------------------------------
- // Network traffic - ESS
- // ----------------------------------
-
- /**
- * The action of the network traffic.
- */
- public void setNetworkTrafficEssAction(String networkTrafficEssAction) {
- addField(NETWORK_TRAFFIC_ESS_ACTION, networkTrafficEssAction);
- }
- public static String NETWORK_TRAFFIC_ESS_ACTION = "action";
-
- /**
- * The destination port of the network traffic.
- */
- public void setNetworkTrafficEssDestPort(int networkTrafficEssDestPort) {
- addField(NETWORK_TRAFFIC_ESS_DEST_PORT, networkTrafficEssDestPort);
- }
- public static String NETWORK_TRAFFIC_ESS_DEST_PORT = "dest_port";
-
- /**
- * The product name of the vendor technology generating NetworkProtection
- * data, such as IDP, Proventia, and ASA.
- *
- * Note: Required for all events dealing with network protection (Change
- * analysis, proxy, malware, intrusion detection, packet filtering, and
- * vulnerability).
- */
- public void setNetworkTrafficEssProduct(String networkTrafficEssProduct) {
- addField(NETWORK_TRAFFIC_ESS_PRODUCT, networkTrafficEssProduct);
- }
- public static String NETWORK_TRAFFIC_ESS_PRODUCT = "product";
-
- /**
- * The source port of the network traffic.
- */
- public void setNetworkTrafficEssSrcPort(int networkTrafficEssSrcPort) {
- addField(NETWORK_TRAFFIC_ESS_SRC_PORT, networkTrafficEssSrcPort);
- }
- public static String NETWORK_TRAFFIC_ESS_SRC_PORT = "src_port";
-
- /**
- * The vendor technology used to generate NetworkProtection data, such as
- * IDP, Proventia, and ASA.
- *
- * Note: Required for all events dealing with network protection (Change
- * analysis, proxy, malware, intrusion detection, packet filtering, and
- * vulnerability).
- */
- public void setNetworkTrafficEssVendor(String networkTrafficEssVendor) {
- addField(NETWORK_TRAFFIC_ESS_VENDOR, networkTrafficEssVendor);
- }
- public static String NETWORK_TRAFFIC_ESS_VENDOR = "vendor";
-
- // ----------------------------------
- // Network traffic - Generic
- // ----------------------------------
-
- /**
- * The ISO layer 7 (application layer) protocol, such as HTTP, HTTPS, SSH,
- * and IMAP.
- */
- public void setNetworkTrafficGenericAppLayer(
- String networkTrafficGenericAppLayer) {
- addField(NETWORK_TRAFFIC_GENERIC_APP_LAYER,
- networkTrafficGenericAppLayer);
- }
- public static String NETWORK_TRAFFIC_GENERIC_APP_LAYER = "app_layer";
- /**
- * How many bytes this device/interface received.
- */
- public void setNetworkTrafficGenericBytesIn(
- long networkTrafficGenericBytesIn) {
- addField(NETWORK_TRAFFIC_GENERIC_BYTES_IN, networkTrafficGenericBytesIn);
- }
- public static String NETWORK_TRAFFIC_GENERIC_BYTES_IN = "bytes_in";
-
-
- /**
- * How many bytes this device/interface transmitted.
- */
- public void setNetworkTrafficGenericBytesOut(
- long networkTrafficGenericBytesOut) {
- addField(NETWORK_TRAFFIC_GENERIC_BYTES_OUT,
- networkTrafficGenericBytesOut);
- }
- public static String NETWORK_TRAFFIC_GENERIC_BYTES_OUT = "bytes_out";
-
- /**
- * 802.11 channel number used by a wireless network.
- */
- public void setNetworkTrafficGenericChannel(
- String networkTrafficGenericChannel) {
- addField(NETWORK_TRAFFIC_GENERIC_CHANNEL, networkTrafficGenericChannel);
- }
- public static String NETWORK_TRAFFIC_GENERIC_CHANNEL = "channel";
-
- /**
- * The Common Vulnerabilities and Exposures (CVE) reference value.
- */
- public void setNetworkTrafficGenericCve(String networkTrafficGenericCve) {
- addField(NETWORK_TRAFFIC_GENERIC_CVE, networkTrafficGenericCve);
- }
- public static String NETWORK_TRAFFIC_GENERIC_CVE = "cve";
-
- /**
- * The destination application being targeted.
- */
- public void setNetworkTrafficGenericDestApp(
- String networkTrafficGenericDestApp) {
- addField(NETWORK_TRAFFIC_GENERIC_DEST_APP, networkTrafficGenericDestApp);
- }
- public static String NETWORK_TRAFFIC_GENERIC_DEST_APP = "dest_app";
-
- /**
- * The destination command and control service channel.
- */
- public void setNetworkTrafficGenericDestCncChannel(
- String networkTrafficGenericDestCncChannel) {
- addField(NETWORK_TRAFFIC_GENERIC_DEST_CNC_CHANNEL,
- networkTrafficGenericDestCncChannel);
- }
- public static String NETWORK_TRAFFIC_GENERIC_DEST_CNC_CHANNEL = "dest_cnc_channel";
-
- /**
- * The destination command and control service name.
- */
- public void setNetworkTrafficGenericDestCncName(
- String networkTrafficGenericDestCncName) {
- addField(NETWORK_TRAFFIC_GENERIC_DEST_CNC_NAME,
- networkTrafficGenericDestCncName);
- }
- public static String NETWORK_TRAFFIC_GENERIC_DEST_CNC_NAME = "dest_cnc_name";
-
- /**
- * The destination command and control service port.
- */
- public void setNetworkTrafficGenericDestCncPort(
- String networkTrafficGenericDestCncPort) {
- addField(NETWORK_TRAFFIC_GENERIC_DEST_CNC_PORT,
- networkTrafficGenericDestCncPort);
- }
- public static String NETWORK_TRAFFIC_GENERIC_DEST_CNC_PORT = "dest_cnc_port";
-
- /**
- * The country associated with a packet's recipient.
- */
- public void setNetworkTrafficGenericDestCountry(
- String networkTrafficGenericDestCountry) {
- addField(NETWORK_TRAFFIC_GENERIC_DEST_COUNTRY,
- networkTrafficGenericDestCountry);
- }
- public static String NETWORK_TRAFFIC_GENERIC_DEST_COUNTRY = "dest_country";
-
- /**
- * The fully qualified host name of a packet's recipient. For HTTP sessions,
- * this is the host header.
- */
- public void setNetworkTrafficGenericDestHost(
- String networkTrafficGenericDestHost) {
- addField(NETWORK_TRAFFIC_GENERIC_DEST_HOST,
- networkTrafficGenericDestHost);
- }
- public static String NETWORK_TRAFFIC_GENERIC_DEST_HOST = "dest_host";
-
- /**
- * The interface that is listening remotely or receiving packets locally.
- */
- public void setNetworkTrafficGenericDestInt(
- String networkTrafficGenericDestInt) {
- addField(NETWORK_TRAFFIC_GENERIC_DEST_INT, networkTrafficGenericDestInt);
- }
- public static String NETWORK_TRAFFIC_GENERIC_DEST_INT = "dest_int";
-
- /**
- * The IPv4 address of a packet's recipient.
- */
- public void setNetworkTrafficGenericDestIp(
- String networkTrafficGenericDestIp) {
- addField(NETWORK_TRAFFIC_GENERIC_DEST_IP, networkTrafficGenericDestIp);
- }
- public static String NETWORK_TRAFFIC_GENERIC_DEST_IP = "dest_ip";
-
- /**
- * The IPv6 address of a packet's recipient.
- */
- public void setNetworkTrafficGenericDestIpv6(
- String networkTrafficGenericDestIpv6) {
- addField(NETWORK_TRAFFIC_GENERIC_DEST_IPV6,
- networkTrafficGenericDestIpv6);
- }
- public static String NETWORK_TRAFFIC_GENERIC_DEST_IPV6 = "dest_ipv6";
-
- /**
- * The (physical) latitude of a packet's destination.
- */
- public void setNetworkTrafficGenericDestLat(int networkTrafficGenericDestLat) {
- addField(NETWORK_TRAFFIC_GENERIC_DEST_LAT, networkTrafficGenericDestLat);
- }
- public static String NETWORK_TRAFFIC_GENERIC_DEST_LAT = "dest_lat";
-
- /**
- * The (physical) longitude of a packet's destination.
- */
- public void setNetworkTrafficGenericDestLong(
- int networkTrafficGenericDestLong) {
- addField(NETWORK_TRAFFIC_GENERIC_DEST_LONG,
- networkTrafficGenericDestLong);
- }
- public static String NETWORK_TRAFFIC_GENERIC_DEST_LONG = "dest_long";
-
- /**
- * The destination TCP/IP layer 2 Media Access Control (MAC) address of a
- * packet's destination.
- */
- public void setNetworkTrafficGenericDestMac(
- String networkTrafficGenericDestMac) {
- addField(NETWORK_TRAFFIC_GENERIC_DEST_MAC, networkTrafficGenericDestMac);
- }
- public static String NETWORK_TRAFFIC_GENERIC_DEST_MAC = "dest_mac";
-
- /**
- * The Windows NT domain containing a packet's destination.
- */
- public void setNetworkTrafficGenericDestNtDomain(
- String networkTrafficGenericDestNtDomain) {
- addField(NETWORK_TRAFFIC_GENERIC_DEST_NT_DOMAIN,
- networkTrafficGenericDestNtDomain);
- }
- public static String NETWORK_TRAFFIC_GENERIC_DEST_NT_DOMAIN = "dest_nt_domain";
-
- /**
- * The Windows NT host name of a packet's destination.
- */
- public void setNetworkTrafficGenericDestNtHost(
- String networkTrafficGenericDestNtHost) {
- addField(NETWORK_TRAFFIC_GENERIC_DEST_NT_HOST,
- networkTrafficGenericDestNtHost);
- }
- public static String NETWORK_TRAFFIC_GENERIC_DEST_NT_HOST = "dest_nt_host";
-
- /**
- * TCP/IP port to which a packet is being sent.
- */
- public void setNetworkTrafficGenericDestPort(
- int networkTrafficGenericDestPort) {
- addField(NETWORK_TRAFFIC_GENERIC_DEST_PORT,
- networkTrafficGenericDestPort);
- }
- public static String NETWORK_TRAFFIC_GENERIC_DEST_PORT = "dest_port";
-
- /**
- * The NATed IPv4 address to which a packet has been sent.
- */
- public void setNetworkTrafficGenericDestTranslatedIp(
- String networkTrafficGenericDestTranslatedIp) {
- addField(NETWORK_TRAFFIC_GENERIC_DEST_TRANSLATED_IP,
- networkTrafficGenericDestTranslatedIp);
- }
- public static String NETWORK_TRAFFIC_GENERIC_DEST_TRANSLATED_IP = "dest_translated_ip";
-
- /**
- * The NATed port to which a packet has been sent.
- */
- public void setNetworkTrafficGenericDestTranslatedPort(
- int networkTrafficGenericDestTranslatedPort) {
- addField(NETWORK_TRAFFIC_GENERIC_DEST_TRANSLATED_PORT,
- networkTrafficGenericDestTranslatedPort);
- }
- public static String NETWORK_TRAFFIC_GENERIC_DEST_TRANSLATED_PORT = "dest_translated_port";
-
- /**
- * The numbered Internet Protocol version.
- */
- public void setNetworkTrafficGenericIpVersion(
- int networkTrafficGenericIpVersion) {
- addField(NETWORK_TRAFFIC_GENERIC_IP_VERSION,
- networkTrafficGenericIpVersion);
- }
- public static String NETWORK_TRAFFIC_GENERIC_IP_VERSION = "ip_version";
-
- /**
- * The network interface through which a packet was transmitted.
- */
- public void setNetworkTrafficGenericOutboundInterface(
- String networkTrafficGenericOutboundInterface) {
- addField(NETWORK_TRAFFIC_GENERIC_OUTBOUND_INTERFACE,
- networkTrafficGenericOutboundInterface);
- }
- public static String NETWORK_TRAFFIC_GENERIC_OUTBOUND_INTERFACE = "outbound_interface";
-
- /**
- * How many packets this device/interface received.
- */
- public void setNetworkTrafficGenericPacketsIn(
- long networkTrafficGenericPacketsIn) {
- addField(NETWORK_TRAFFIC_GENERIC_PACKETS_IN,
- networkTrafficGenericPacketsIn);
- }
- public static String NETWORK_TRAFFIC_GENERIC_PACKETS_IN = "packets_in";
-
- /**
- * How many packets this device/interface transmitted.
- */
- public void setNetworkTrafficGenericPacketsOut(
- long networkTrafficGenericPacketsOut) {
- addField(NETWORK_TRAFFIC_GENERIC_PACKETS_OUT,
- networkTrafficGenericPacketsOut);
- }
- public static String NETWORK_TRAFFIC_GENERIC_PACKETS_OUT = "packets_out";
-
- /**
- * The OSI layer 3 (Network Layer) protocol, such as IPv4/IPv6, ICMP, IPsec,
- * IGMP or RIP.
- */
- public void setNetworkTrafficGenericProto(String networkTrafficGenericProto) {
- addField(NETWORK_TRAFFIC_GENERIC_PROTO, networkTrafficGenericProto);
- }
- public static String NETWORK_TRAFFIC_GENERIC_PROTO = "proto";
-
- /**
- * The session identifier. Multiple transactions build a session.
- */
- public void setNetworkTrafficGenericSessionId(
- String networkTrafficGenericSessionId) {
- addField(NETWORK_TRAFFIC_GENERIC_SESSION_ID,
- networkTrafficGenericSessionId);
- }
- public static String NETWORK_TRAFFIC_GENERIC_SESSION_ID = "session_id";
-
- /**
- * The 802.11 service set identifier (ssid) assigned to a wireless session.
- */
- public void setNetworkTrafficGenericSsid(String networkTrafficGenericSsid) {
- addField(NETWORK_TRAFFIC_GENERIC_SSID, networkTrafficGenericSsid);
- }
- public static String NETWORK_TRAFFIC_GENERIC_SSID = "ssid";
-
- /**
- * The country from which the packet was sent.
- */
- public void setNetworkTrafficGenericSrcCountry(
- String networkTrafficGenericSrcCountry) {
- addField(NETWORK_TRAFFIC_GENERIC_SRC_COUNTRY,
- networkTrafficGenericSrcCountry);
- }
- public static String NETWORK_TRAFFIC_GENERIC_SRC_COUNTRY = "src_country";
-
- /**
- * The fully qualified host name of the system that transmitted the packet.
- * For Web logs, this is the HTTP client.
- */
- public void setNetworkTrafficGenericSrcHost(
- String networkTrafficGenericSrcHost) {
- addField(NETWORK_TRAFFIC_GENERIC_SRC_HOST, networkTrafficGenericSrcHost);
- }
- public static String NETWORK_TRAFFIC_GENERIC_SRC_HOST = "src_host";
-
- /**
- * The interface that is listening locally or sending packets remotely.
- */
- public void setNetworkTrafficGenericSrcInt(
- String networkTrafficGenericSrcInt) {
- addField(NETWORK_TRAFFIC_GENERIC_SRC_INT, networkTrafficGenericSrcInt);
- }
- public static String NETWORK_TRAFFIC_GENERIC_SRC_INT = "src_int";
-
- /**
- * The IPv4 address of the packet's source. For Web logs, this is the http
- * client.
- */
- public void setNetworkTrafficGenericSrcIp(String networkTrafficGenericSrcIp) {
- addField(NETWORK_TRAFFIC_GENERIC_SRC_IP, networkTrafficGenericSrcIp);
- }
- public static String NETWORK_TRAFFIC_GENERIC_SRC_IP = "src_ip";
-
- /**
- * The IPv6 address of the packet's source.
- */
- public void setNetworkTrafficGenericSrcIpv6(
- String networkTrafficGenericSrcIpv6) {
- addField(NETWORK_TRAFFIC_GENERIC_SRC_IPV6, networkTrafficGenericSrcIpv6);
- }
- public static String NETWORK_TRAFFIC_GENERIC_SRC_IPV6 = "src_ipv6";
-
- /**
- * The (physical) latitude of the packet's source.
- */
- public void setNetworkTrafficGenericSrcLat(int networkTrafficGenericSrcLat) {
- addField(NETWORK_TRAFFIC_GENERIC_SRC_LAT, networkTrafficGenericSrcLat);
- }
- public static String NETWORK_TRAFFIC_GENERIC_SRC_LAT = "src_lat";
-
- /**
- * The (physical) longitude of the packet's source.
- */
- public void setNetworkTrafficGenericSrcLong(int networkTrafficGenericSrcLong) {
- addField(NETWORK_TRAFFIC_GENERIC_SRC_LONG, networkTrafficGenericSrcLong);
- }
- public static String NETWORK_TRAFFIC_GENERIC_SRC_LONG = "src_long";
-
- /**
- * The Media Access Control (MAC) address from which a packet was
- * transmitted.
- */
- public void setNetworkTrafficGenericSrcMac(
- String networkTrafficGenericSrcMac) {
- addField(NETWORK_TRAFFIC_GENERIC_SRC_MAC, networkTrafficGenericSrcMac);
- }
- public static String NETWORK_TRAFFIC_GENERIC_SRC_MAC = "src_mac";
-
- /**
- * The Windows NT domain containing the machines that generated the event.
- */
- public void setNetworkTrafficGenericSrcNtDomain(
- String networkTrafficGenericSrcNtDomain) {
- addField(NETWORK_TRAFFIC_GENERIC_SRC_NT_DOMAIN,
- networkTrafficGenericSrcNtDomain);
- }
- public static String NETWORK_TRAFFIC_GENERIC_SRC_NT_DOMAIN = "src_nt_domain";
-
- /**
- * The Windows NT hostname of the system that generated the event.
- */
- public void setNetworkTrafficGenericSrcNtHost(
- String networkTrafficGenericSrcNtHost) {
- addField(NETWORK_TRAFFIC_GENERIC_SRC_NT_HOST,
- networkTrafficGenericSrcNtHost);
- }
- public static String NETWORK_TRAFFIC_GENERIC_SRC_NT_HOST = "src_nt_host";
-
- /**
- * The network port from which a packet originated.
- */
- public void setNetworkTrafficGenericSrcPort(int networkTrafficGenericSrcPort) {
- addField(NETWORK_TRAFFIC_GENERIC_SRC_PORT, networkTrafficGenericSrcPort);
- }
- public static String NETWORK_TRAFFIC_GENERIC_SRC_PORT = "src_port";
-
- /**
- * The NATed IPv4 address from which a packet has been sent.
- */
- public void setNetworkTrafficGenericSrcTranslatedIp(
- String networkTrafficGenericSrcTranslatedIp) {
- addField(NETWORK_TRAFFIC_GENERIC_SRC_TRANSLATED_IP,
- networkTrafficGenericSrcTranslatedIp);
- }
- public static String NETWORK_TRAFFIC_GENERIC_SRC_TRANSLATED_IP = "src_translated_ip";
-
- /**
- * The NATed network port from which a packet has been sent.
- */
- public void setNetworkTrafficGenericSrcTranslatedPort(
- int networkTrafficGenericSrcTranslatedPort) {
- addField(NETWORK_TRAFFIC_GENERIC_SRC_TRANSLATED_PORT,
- networkTrafficGenericSrcTranslatedPort);
- }
- public static String NETWORK_TRAFFIC_GENERIC_SRC_TRANSLATED_PORT = "src_translated_port";
-
- /**
- * The application, process, or OS subsystem that generated the event.
- */
- public void setNetworkTrafficGenericSyslogId(
- String networkTrafficGenericSyslogId) {
- addField(NETWORK_TRAFFIC_GENERIC_SYSLOG_ID,
- networkTrafficGenericSyslogId);
- }
- public static String NETWORK_TRAFFIC_GENERIC_SYSLOG_ID = "syslog_id";
-
- /**
- * The criticality of an event, as recorded by UNIX syslog.
- */
- public void setNetworkTrafficGenericSyslogPriority(
- String networkTrafficGenericSyslogPriority) {
- addField(NETWORK_TRAFFIC_GENERIC_SYSLOG_PRIORITY,
- networkTrafficGenericSyslogPriority);
- }
- public static String NETWORK_TRAFFIC_GENERIC_SYSLOG_PRIORITY = "syslog_priority";
-
- /**
- * The TCP flag(s) specified in the event.
- */
- public void setNetworkTrafficGenericTcpFlag(
- String networkTrafficGenericTcpFlag) {
- addField(NETWORK_TRAFFIC_GENERIC_TCP_FLAG, networkTrafficGenericTcpFlag);
- }
- public static String NETWORK_TRAFFIC_GENERIC_TCP_FLAG = "tcp_flag";
-
- /**
- * The hex bit that specifies TCP 'type of service'
- *
- * @see Type of
- * Service
- */
- public void setNetworkTrafficGenericTos(String networkTrafficGenericTos) {
- addField(NETWORK_TRAFFIC_GENERIC_TOS, networkTrafficGenericTos);
- }
- public static String NETWORK_TRAFFIC_GENERIC_TOS = "tos";
-
- /**
- * The transport protocol.
- */
- public void setNetworkTrafficGenericTransport(
- String networkTrafficGenericTransport) {
- addField(NETWORK_TRAFFIC_GENERIC_TRANSPORT,
- networkTrafficGenericTransport);
- }
- public static String NETWORK_TRAFFIC_GENERIC_TRANSPORT = "transport";
-
- /**
- * The "time to live" of a packet or datagram.
- */
- public void setNetworkTrafficGenericTtl(int networkTrafficGenericTtl) {
- addField(NETWORK_TRAFFIC_GENERIC_TTL, networkTrafficGenericTtl);
- }
- public static String NETWORK_TRAFFIC_GENERIC_TTL = "ttl";
-
- /**
- * The numeric identifier assigned to the virtual local area network (VLAN)
- * specified in the record.
- */
- public void setNetworkTrafficGenericVlanId(long networkTrafficGenericVlanId) {
- addField(NETWORK_TRAFFIC_GENERIC_VLAN_ID, networkTrafficGenericVlanId);
- }
- public static String NETWORK_TRAFFIC_GENERIC_VLAN_ID = "vlan_id";
-
- /**
- * The name assigned to the virtual local area network (VLAN) specified in
- * the record.
- */
- public void setNetworkTrafficGenericVlanName(
- String networkTrafficGenericVlanName) {
- addField(NETWORK_TRAFFIC_GENERIC_VLAN_NAME,
- networkTrafficGenericVlanName);
- }
- public static String NETWORK_TRAFFIC_GENERIC_VLAN_NAME = "vlan_name";
-
-
- // ----------------------------------
- // Packet filtering
- // ----------------------------------
-
- /**
- * The action the filtering device (the dvc_bestmatch field) performed on
- * the communication.
- */
- public void setPacketFilteringAction(String packetFilteringAction) {
- addField(PACKET_FILTERING_ACTION, packetFilteringAction);
- }
- public static String PACKET_FILTERING_ACTION = "action";
-
- /**
- * The IP port of the packet's destination, such as 22.
- */
- public void setPacketFilteringDestPort(int packetFilteringDestPort) {
- addField(PACKET_FILTERING_DEST_PORT, packetFilteringDestPort);
- }
- public static String PACKET_FILTERING_DEST_PORT = "dest_port";
-
- /**
- * The direction the packet is traveling.
- */
- public void setPacketFilteringDirection(String packetFilteringDirection) {
- addField(PACKET_FILTERING_DIRECTION, packetFilteringDirection);
- }
- public static String PACKET_FILTERING_DIRECTION = "direction";
-
- /**
- * The name of the packet filtering device. If your field is named dvc_host,
- * dvc_ip, or dvc_nt_host you can alias it as dvc to make it CIM-compliant.
- */
- public void setPacketFilteringDvc(String packetFilteringDvc) {
- addField(PACKET_FILTERING_DVC, packetFilteringDvc);
- }
- public static String PACKET_FILTERING_DVC = "dvc";
-
- /**
- * The rule which took action on the packet, such as 143.
- */
- public void setPacketFilteringRule(String packetFilteringRule) {
- addField(PACKET_FILTERING_RULE, packetFilteringRule);
- }
- public static String PACKET_FILTERING_RULE = "rule";
-
- /**
- * The IP port of the packet's source, such as 34541.
- */
- public void setPacketFilteringSvcPort(int packetFilteringSvcPort) {
- addField(PACKET_FILTERING_SVC_PORT, packetFilteringSvcPort);
- }
- public static String PACKET_FILTERING_SVC_PORT = "svc_port";
-
-
- // ----------------------------------
- // Proxy
- // ----------------------------------
-
- /**
- * The action taken by the proxy.
- */
- public void setProxyAction(String proxyAction) {
- addField(PROXY_ACTION, proxyAction);
- }
- public static String PROXY_ACTION = "action";
-
- /**
- * The destination of the network traffic (the remote host).
- */
- public void setProxyDest(String proxyDest) {
- addField(PROXY_DEST, proxyDest);
- }
- public static String PROXY_DEST = "dest";
-
- /**
- * The content-type of the requested HTTP resource.
- */
- public void setProxyHttpContentType(String proxyHttpContentType) {
- addField(PROXY_HTTP_CONTENT_TYPE, proxyHttpContentType);
- }
- public static String PROXY_HTTP_CONTENT_TYPE = "http_content_type";
-
- /**
- * The HTTP method used to request the resource.
- */
- public void setProxyHttpMethod(String proxyHttpMethod) {
- addField(PROXY_HTTP_METHOD, proxyHttpMethod);
- }
- public static String PROXY_HTTP_METHOD = "http_method";
-
- /**
- * The HTTP referrer used to request the HTTP resource.
- */
- public void setProxyHttpRefer(String proxyHttpRefer) {
- addField(PROXY_HTTP_REFER, proxyHttpRefer);
- }
- public static String PROXY_HTTP_REFER = "http_refer";
-
- /**
- * The HTTP response code.
- */
- public void setProxyHttpResponse(int proxyHttpResponse) {
- addField(PROXY_HTTP_RESPONSE, proxyHttpResponse);
- }
- public static String PROXY_HTTP_RESPONSE = "http_response";
-
- /**
- * The user agent used to request the HTTP resource.
- */
- public void setProxyHttpUserAgent(String proxyHttpUserAgent) {
- addField(PROXY_HTTP_USER_AGENT, proxyHttpUserAgent);
- }
- public static String PROXY_HTTP_USER_AGENT = "http_user_agent";
-
- /**
- * The product name of the vendor technology generating Network Protection
- * data, such as IDP, Providentia, and ASA.
- */
- public void setProxyProduct(String proxyProduct) {
- addField(PROXY_PRODUCT, proxyProduct);
- }
- public static String PROXY_PRODUCT = "product";
-
- /**
- * The source of the network traffic (the client requesting the connection).
- */
- public void setProxySrc(String proxySrc) {
- addField(PROXY_SRC, proxySrc);
- }
- public static String PROXY_SRC = "src";
-
- /**
- * The HTTP response code indicating the status of the proxy request.
- */
- public void setProxyStatus(int proxyStatus) {
- addField(PROXY_STATUS, proxyStatus);
- }
- public static String PROXY_STATUS = "status";
-
- /**
- * The user that requested the HTTP resource.
- */
- public void setProxyUser(String proxyUser) {
- addField(PROXY_USER, proxyUser);
- }
- public static String PROXY_USER = "user";
-
- /**
- * The URL of the requested HTTP resource.
- */
- public void setProxyUrl(String proxyUrl) {
- addField(PROXY_URL, proxyUrl);
- }
- public static String PROXY_URL = "url";
-
- /**
- * The vendor technology generating Network Protection data, such as IDP,
- * Providentia, and ASA.
- */
- public void setProxyVendor(String proxyVendor) {
- addField(PROXY_VENDOR, proxyVendor);
- }
- public static String PROXY_VENDOR = "vendor";
-
-
- // ----------------------------------
- // System center
- // ----------------------------------
-
- /**
- * The running application or service on the system (the src field), such as
- * explorer.exe or sshd.
- */
- public void setSystemCenterApp(String systemCenterApp) {
- addField(SYSTEM_CENTER_APP, systemCenterApp);
- }
- public static String SYSTEM_CENTER_APP = "app";
-
- /**
- * The amount of disk space available per drive or mount (the mount field)
- * on the system (the src field).
- */
- public void setSystemCenterFreembytes(long systemCenterFreembytes) {
- addField(SYSTEM_CENTER_FREEMBYTES, systemCenterFreembytes);
- }
- public static String SYSTEM_CENTER_FREEMBYTES = "FreeMBytes";
-
- /**
- * The version of operating system installed on the host (the src field),
- * such as 6.0.1.4 or 2.6.27.30-170.2.82.fc10.x86_64.
- */
- public void setSystemCenterKernelRelease(String systemCenterKernelRelease) {
- addField(SYSTEM_CENTER_KERNEL_RELEASE, systemCenterKernelRelease);
- }
- public static String SYSTEM_CENTER_KERNEL_RELEASE = "kernel_release";
-
- /**
- * Human-readable version of the SystemUptime value.
- */
- public void setSystemCenterLabel(String systemCenterLabel) {
- addField(SYSTEM_CENTER_LABEL, systemCenterLabel);
- }
- public static String SYSTEM_CENTER_LABEL = "label";
-
- /**
- * The drive or mount reporting available disk space (the FreeMBytes field)
- * on the system (the src field).
- */
- public void setSystemCenterMount(String systemCenterMount) {
- addField(SYSTEM_CENTER_MOUNT, systemCenterMount);
- }
- public static String SYSTEM_CENTER_MOUNT = "mount";
-
- /**
- * The name of the operating system installed on the host (the src), such as
- * Microsoft Windows Server 2003 or GNU/Linux).
- */
- public void setSystemCenterOs(String systemCenterOs) {
- addField(SYSTEM_CENTER_OS, systemCenterOs);
- }
- public static String SYSTEM_CENTER_OS = "os";
-
- /**
- * The percentage of processor utilization.
- */
- public void setSystemCenterPercentprocessortime(
- int systemCenterPercentprocessortime) {
- addField(SYSTEM_CENTER_PERCENTPROCESSORTIME,
- systemCenterPercentprocessortime);
- }
- public static String SYSTEM_CENTER_PERCENTPROCESSORTIME = "PercentProcessorTime";
-
- /**
- * The setlocaldefs setting from the SE Linux configuration.
- */
- public void setSystemCenterSetlocaldefs(int systemCenterSetlocaldefs) {
- addField(SYSTEM_CENTER_SETLOCALDEFS, systemCenterSetlocaldefs);
- }
- public static String SYSTEM_CENTER_SETLOCALDEFS = "setlocaldefs";
-
- /**
- * Values from the SE Linux configuration file.
- */
- public void setSystemCenterSelinux(String systemCenterSelinux) {
- addField(SYSTEM_CENTER_SELINUX, systemCenterSelinux);
- }
- public static String SYSTEM_CENTER_SELINUX = "selinux";
-
- /**
- * The SE Linux type (such as targeted).
- */
- public void setSystemCenterSelinuxtype(String systemCenterSelinuxtype) {
- addField(SYSTEM_CENTER_SELINUXTYPE, systemCenterSelinuxtype);
- }
- public static String SYSTEM_CENTER_SELINUXTYPE = "selinuxtype";
-
- /**
- * The shell provided to the User Account (the user field) upon logging into
- * the system (the src field).
- */
- public void setSystemCenterShell(String systemCenterShell) {
- addField(SYSTEM_CENTER_SHELL, systemCenterShell);
- }
- public static String SYSTEM_CENTER_SHELL = "shell";
-
- /**
- * The TCP/UDP source port on the system (the src field).
- */
- public void setSystemCenterSrcPort(int systemCenterSrcPort) {
- addField(SYSTEM_CENTER_SRC_PORT, systemCenterSrcPort);
- }
- public static String SYSTEM_CENTER_SRC_PORT = "src_port";
-
- /**
- * The sshd protocol version.
- */
- public void setSystemCenterSshdProtocol(String systemCenterSshdProtocol) {
- addField(SYSTEM_CENTER_SSHD_PROTOCOL, systemCenterSshdProtocol);
- }
- public static String SYSTEM_CENTER_SSHD_PROTOCOL = "sshd_protocol";
-
- /**
- * The start mode of the given service.
- */
- public void setSystemCenterStartmode(String systemCenterStartmode) {
- addField(SYSTEM_CENTER_STARTMODE, systemCenterStartmode);
- }
- public static String SYSTEM_CENTER_STARTMODE = "Startmode";
-
- /**
- * The number of seconds since the system (the src) has been "up."
- */
- public void setSystemCenterSystemuptime(long systemCenterSystemuptime) {
- addField(SYSTEM_CENTER_SYSTEMUPTIME, systemCenterSystemuptime);
- }
- public static String SYSTEM_CENTER_SYSTEMUPTIME = "SystemUptime";
-
- /**
- * The total amount of available memory on the system (the src).
- */
- public void setSystemCenterTotalmbytes(long systemCenterTotalmbytes) {
- addField(SYSTEM_CENTER_TOTALMBYTES, systemCenterTotalmbytes);
- }
- public static String SYSTEM_CENTER_TOTALMBYTES = "TotalMBytes";
-
- /**
- * The amount of used memory on the system (the src).
- */
- public void setSystemCenterUsedmbytes(long systemCenterUsedmbytes) {
- addField(SYSTEM_CENTER_USEDMBYTES, systemCenterUsedmbytes);
- }
- public static String SYSTEM_CENTER_USEDMBYTES = "UsedMBytes";
-
- /**
- * The User Account present on the system (the src).
- */
- public void setSystemCenterUser(String systemCenterUser) {
- addField(SYSTEM_CENTER_USER, systemCenterUser);
- }
- public static String SYSTEM_CENTER_USER = "user";
-
- /**
- * The number of updates the system (the src) is missing.
- */
- public void setSystemCenterUpdates(long systemCenterUpdates) {
- addField(SYSTEM_CENTER_UPDATES, systemCenterUpdates);
- }
- public static String SYSTEM_CENTER_UPDATES = "updates";
-
-
- // ----------------------------------
- // Traffic
- // ----------------------------------
-
- /**
- * The destination of the network traffic. If your field is named dest_host,
- * dest_ip, dest_ipv6, or dest_nt_host you can alias it as dest to make it
- * CIM-compliant.
- */
- public void setTrafficDest(String trafficDest) {
- addField(TRAFFIC_DEST, trafficDest);
- }
- public static String TRAFFIC_DEST = "dest";
-
- /**
- * The name of the packet filtering device. If your field is named dvc_host,
- * dvc_ip, or dvc_nt_host you can alias it as dvc to make it CIM-compliant.
- */
- public void setTrafficDvc(String trafficDvc) {
- addField(TRAFFIC_DVC, trafficDvc);
- }
- public static String TRAFFIC_DVC = "dvc";
-
- /**
- * The source of the network traffic. If your field is named src_host,
- * src_ip, src_ipv6, or src_nt_host you can alias it as src to make it
- * CIM-compliant.
- */
- public void setTrafficSrc(String trafficSrc) {
- addField(TRAFFIC_SRC, trafficSrc);
- }
- public static String TRAFFIC_SRC = "src";
-
-
- // ----------------------------------
- // Update
- // ----------------------------------
-
- /**
- * The name of the installed update.
- */
- public void setUpdatePackage(String updatePackage) {
- addField(UPDATE_PACKAGE, updatePackage);
- }
- public static String UPDATE_PACKAGE = "package";
-
-
- // ----------------------------------
- // User information updates
- // ----------------------------------
-
- /**
- * A user that has been affected by a change. For example, user fflanda
- * changed the name of user rhallen, so affected_user=rhallen.
- */
- public void setUserInfoUpdatesAffectedUser(
- String userInfoUpdatesAffectedUser) {
- addField(USER_INFO_UPDATES_AFFECTED_USER, userInfoUpdatesAffectedUser);
- }
- public static String USER_INFO_UPDATES_AFFECTED_USER = "affected_user";
-
- /**
- * The user group affected by a change.
- */
- public void setUserInfoUpdatesAffectedUserGroup(
- String userInfoUpdatesAffectedUserGroup) {
- addField(USER_INFO_UPDATES_AFFECTED_USER_GROUP,
- userInfoUpdatesAffectedUserGroup);
- }
- public static String USER_INFO_UPDATES_AFFECTED_USER_GROUP = "affected_user_group";
-
- /**
- * The identifier of the user group affected by a change.
- */
- public void setUserInfoUpdatesAffectedUserGroupId(
- int userInfoUpdatesAffectedUserGroupId) {
- addField(USER_INFO_UPDATES_AFFECTED_USER_GROUP_ID,
- userInfoUpdatesAffectedUserGroupId);
- }
- public static String USER_INFO_UPDATES_AFFECTED_USER_GROUP_ID = "affected_user_group_id";
-
- /**
- * The identifier of the user affected by a change.
- */
- public void setUserInfoUpdatesAffectedUserId(
- int userInfoUpdatesAffectedUserId) {
- addField(USER_INFO_UPDATES_AFFECTED_USER_ID,
- userInfoUpdatesAffectedUserId);
- }
- public static String USER_INFO_UPDATES_AFFECTED_USER_ID = "affected_user_id";
-
- /**
- * The security context associated with the user affected by a change.
- */
- public void setUserInfoUpdatesAffectedUserPrivilege(
- String userInfoUpdatesAffectedUserPrivilege) {
- addField(USER_INFO_UPDATES_AFFECTED_USER_PRIVILEGE,
- userInfoUpdatesAffectedUserPrivilege);
- }
- public static String USER_INFO_UPDATES_AFFECTED_USER_PRIVILEGE = "affected_user_privilege";
-
- /**
- * The name of the user affected by the recorded event.
- */
- public void setUserInfoUpdatesUser(String userInfoUpdatesUser) {
- addField(USER_INFO_UPDATES_USER, userInfoUpdatesUser);
- }
- public static String USER_INFO_UPDATES_USER = "user";
-
- /**
- * A user group that is the object of an event, expressed in human-readable
- * terms.
- */
- public void setUserInfoUpdatesUserGroup(String userInfoUpdatesUserGroup) {
- addField(USER_INFO_UPDATES_USER_GROUP, userInfoUpdatesUserGroup);
- }
- public static String USER_INFO_UPDATES_USER_GROUP = "user_group";
-
- /**
- * The numeric identifier assigned to the user group event object.
- */
- public void setUserInfoUpdatesUserGroupId(int userInfoUpdatesUserGroupId) {
- addField(USER_INFO_UPDATES_USER_GROUP_ID, userInfoUpdatesUserGroupId);
- }
- public static String USER_INFO_UPDATES_USER_GROUP_ID = "user_group_id";
-
- /**
- * The system-assigned identifier for the user affected by an event.
- */
- public void setUserInfoUpdatesUserId(int userInfoUpdatesUserId) {
- addField(USER_INFO_UPDATES_USER_ID, userInfoUpdatesUserId);
- }
- public static String USER_INFO_UPDATES_USER_ID = "user_id";
-
- /**
- * The security context associated with the object of an event (the affected
- * user).
- */
- public void setUserInfoUpdatesUserPrivilege(
- String userInfoUpdatesUserPrivilege) {
- addField(USER_INFO_UPDATES_USER_PRIVILEGE, userInfoUpdatesUserPrivilege);
- }
- public static String USER_INFO_UPDATES_USER_PRIVILEGE = "user_privilege";
-
- /**
- * The name of the user that is the subject of an event--the user executing
- * the action, in other words.
- */
- public void setUserInfoUpdatesUserSubject(String userInfoUpdatesUserSubject) {
- addField(USER_INFO_UPDATES_USER_SUBJECT, userInfoUpdatesUserSubject);
- }
- public static String USER_INFO_UPDATES_USER_SUBJECT = "user_subject";
-
- /**
- * The ID number of the user that is the subject of an event.
- */
- public void setUserInfoUpdatesUserSubjectId(int userInfoUpdatesUserSubjectId) {
- addField(USER_INFO_UPDATES_USER_SUBJECT_ID, userInfoUpdatesUserSubjectId);
- }
- public static String USER_INFO_UPDATES_USER_SUBJECT_ID = "user_subject_id";
-
- /**
- * The security context associated with the subject of an event (the user
- * causing a change).
- */
- public void setUserInfoUpdatesUserSubjectPrivilege(
- String userInfoUpdatesUserSubjectPrivilege) {
- addField(USER_INFO_UPDATES_USER_SUBJECT_PRIVILEGE,
- userInfoUpdatesUserSubjectPrivilege);
- }
- public static String USER_INFO_UPDATES_USER_SUBJECT_PRIVILEGE = "user_subject_privilege";
-
-
- // ----------------------------------
- // Vulnerability
- // ----------------------------------
-
- /**
- * The category of the discovered vulnerability.
- */
- public void setVulnerabilityCategory(String vulnerabilityCategory) {
- addField(VULNERABILITY_CATEGORY, vulnerabilityCategory);
- }
- public static String VULNERABILITY_CATEGORY = "category";
-
- /**
- * The host with the discovered vulnerability. If your field is named
- * dest_host, dest_ip, dest_ipv6, or dest_nt_host you can alias it as dest
- * to make it CIM-compliant.
- */
- public void setVulnerabilityDest(String vulnerabilityDest) {
- addField(VULNERABILITY_DEST, vulnerabilityDest);
- }
- public static String VULNERABILITY_DEST = "dest";
-
- /**
- * The operating system of the host containing the vulnerability detected on
- * the client (the src field), such as SuSE Security Update, or cups
- * security update.
- */
- public void setVulnerabilityOs(String vulnerabilityOs) {
- addField(VULNERABILITY_OS, vulnerabilityOs);
- }
- public static String VULNERABILITY_OS = "os";
-
- /**
- * The severity of the discovered vulnerability.
- */
- public void setVulnerabilitySeverity(String vulnerabilitySeverity) {
- addField(VULNERABILITY_SEVERITY, vulnerabilitySeverity);
- }
- public static String VULNERABILITY_SEVERITY = "severity";
-
- /**
- * The name of the vulnerability detected on the client (the src field),
- * such as SuSE Security Update, or cups security update.
- */
- public void setVulnerabilitySignature(String vulnerabilitySignature) {
- addField(VULNERABILITY_SIGNATURE, vulnerabilitySignature);
- }
- public static String VULNERABILITY_SIGNATURE = "signature";
-
-
- // ----------------------------------
- // Windows administration
- // ----------------------------------
-
- /**
- * The object name (associated only with Windows).
- */
- public void setWindowsAdminObjectName(String windowsAdminObjectName) {
- addField(WINDOWS_ADMIN_OBJECT_NAME, windowsAdminObjectName);
- }
- public static String WINDOWS_ADMIN_OBJECT_NAME = "object_name";
-
- /**
- * The object type (associated only with Windows).
- */
- public void setWindowsAdminObjectType(String windowsAdminObjectType) {
- addField(WINDOWS_ADMIN_OBJECT_TYPE, windowsAdminObjectType);
- }
- public static String WINDOWS_ADMIN_OBJECT_TYPE = "object_type";
-
- /**
- * The object handle (associated only with Windows).
- */
- public void setWindowsAdminObjectHandle(String windowsAdminObjectHandle) {
- addField(WINDOWS_ADMIN_OBJECT_HANDLE, windowsAdminObjectHandle);
- }
- public static String WINDOWS_ADMIN_OBJECT_HANDLE = "object_handle";
-}
+package com.splunk.logging;
+
+/*
+ * Copyright 2013-2014 Splunk, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"): you may
+ * not use this file except in compliance with the License. You may obtain
+ * a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+import java.util.LinkedHashMap;
+import java.util.regex.Pattern;
+
+/**
+ * SplunkCimLogEvent encapsulates the best practice logging semantics recommended by Splunk.
+ *
+ * It produces events of key, value pairs, properly formatted and quoted for logging with any of Java's standard
+ * logging libraries (logback, log4j, java.util.logging, etc.) and indexing by Splunk. The class has convenience
+ * methods to set the fields defined in the standard Splunk Common Information Model.
+ *
+ * SplunkCimLogEvent adds no timestamp to its fields, leaving you free to configure whatever timestamp
+ * format you prefer in your logging configuration.
+ *
+ *
+ * Logger logger = LoggerFactory.getLogger("splunk.logger");
+ * SplunkCimLogEvent event = new SplunkCimLogEvent("Failed Login", "sshd:failure");
+ * event.setAuthApp("jane");
+ * event.setAuthUser("jane");
+ * event.addField("somefieldname", "foobar");
+ * logger.info(event.toString());
+ *
+ *
+ * @see Splunk
+ * CIM
+ * @see Splunk
+ * Logging Best Practices
+ */
+public class SplunkCimLogEvent {
+ /**
+ * Delimiters to use in formatting the event.
+ */
+ private static final String KVDELIM = "=";
+ private static final String PAIRDELIM = " ";
+ private static final char QUOTE = '"';
+
+ private LinkedHashMap entries;
+
+ /**
+ * @param eventName event name
+ * @param eventID event ID
+ */
+ public SplunkCimLogEvent(String eventName, String eventID) {
+ entries = new LinkedHashMap();
+
+ addField(PREFIX_NAME, eventName);
+ addField(PREFIX_EVENT_ID, eventID);
+ }
+
+ /**
+ * Add a key value pair. The value may be any Java object which returns a sensible
+ * result from its toString method.
+ *
+ * For logging exceptions, consider using addThrowableWithStacktrace instead.
+ *
+ * @param key key
+ * @param value value
+ */
+ public void addField(String key, Object value) {
+ entries.put(key, value);
+ }
+
+ /**
+ * Logs an exception with its stacktrace nicely formatted for indexing and searching by Splunk.
+ *
+ * @param throwable
+ * the Throwable object to add to the event
+ */
+ public void addThrowableWithStacktrace(Throwable throwable) {
+
+ addThrowableWithStacktrace(throwable, Integer.MAX_VALUE);
+ }
+
+ /**
+ * Logs an exception with the first stacktraceDepth elements of its stacktrace nicely
+ * formatted for indexing and searching by Splunk,
+ *
+ *
+ * @param throwable
+ * the Throwable object to add to the event
+ * @param stacktraceDepth
+ * maximum number of stacktrace elements to log
+ */
+
+ public void addThrowableWithStacktrace(Throwable throwable, int stacktraceDepth) {
+ addField(THROWABLE_CLASS, throwable.getClass().getCanonicalName());
+ addField(THROWABLE_MESSAGE, throwable.getMessage());
+
+ StackTraceElement[] elements = throwable.getStackTrace();
+ StringBuilder sb = new StringBuilder();
+ for (int depth = 0; depth < elements.length && depth < stacktraceDepth; depth++) {
+ if (depth > 0)
+ sb.append(",");
+ sb.append(elements[depth].toString());
+ }
+
+ if (stacktraceDepth > 0) {
+ addField(THROWABLE_STACKTRACE_ELEMENTS, sb.toString());
+ }
+ }
+
+ private static final Pattern DOUBLE_QUOTE = Pattern.compile("\"");
+ @Override
+ public String toString() {
+ StringBuilder output = new StringBuilder();
+
+ boolean first = true;
+ for (String key : entries.keySet()) {
+ if (!first) {
+ output.append(PAIRDELIM);
+ } else {
+ first = false;
+ }
+ String value = String.valueOf(entries.get(key));
+
+ // Escape any " that appear in the key or value.
+ key = DOUBLE_QUOTE.matcher(key).replaceAll("\\\\\"");
+ value = DOUBLE_QUOTE.matcher(value).replaceAll("\\\\\"");
+
+ output.append(QUOTE).append(key).append(KVDELIM).append(value).append(QUOTE);
+ }
+
+ return output.toString();
+ }
+
+
+ /**
+ * Event prefix fields
+ */
+ private static final String PREFIX_NAME = "name";
+ private static final String PREFIX_EVENT_ID = "event_id";
+
+ /**
+ * Java Throwable type fields
+ */
+ private static final String THROWABLE_CLASS = "throwable_class";
+ private static final String THROWABLE_MESSAGE = "throwable_message";
+ private static final String THROWABLE_STACKTRACE_ELEMENTS = "stacktrace_elements";
+
+ /**
+ * Splunk Common Information Model(CIM) Fields
+ */
+
+ // ------------------
+ // Account management
+ // ------------------
+
+ /**
+ * The domain containing the user that is affected by the account management event.
+ */
+ public void setAcManagementDestNtDomain(String acManagementDestNtDomain) {
+ addField(AC_MANAGEMENT_DEST_NT_DOMAIN, acManagementDestNtDomain);
+ }
+ public static String AC_MANAGEMENT_DEST_NT_DOMAIN = "dest_nt_domain";
+
+ /**
+ * Description of the account management change performed.
+ */
+ public void setAcManagementSignature(String acManagementSignature) {
+ addField(AC_MANAGEMENT_SIGNATURE, acManagementSignature);
+ }
+ public static String AC_MANAGEMENT_SIGNATURE = "signature";
+
+ /**
+ * The NT source of the destination. In the case of an account management
+ * event, this is the domain that contains the user that generated the
+ * event.
+ */
+ public void setAcManagementSrcNtDomain(String acManagementSrcNtDomain) {
+ addField(AC_MANAGEMENT_SRC_NT_DOMAIN, acManagementSrcNtDomain);
+ }
+ public static String AC_MANAGEMENT_SRC_NT_DOMAIN = "src_nt_domain";
+
+ // ----------------------------------
+ // Authentication - Access protection
+ // ----------------------------------
+
+ /**
+ * The action performed on the resource.
success, failure
+ */
+ public void setAuthAction(String authAction) {
+ addField(AUTH_ACTION, authAction);
+ }
+ public static String AUTH_ACTION = "action";
+ /**
+ * The application involved in the event (such as ssh, spunk, win:local).
+ */
+ public void setAuthApp(String authApp) {
+ addField(AUTH_APP, authApp);
+ }
+ public static String AUTH_APP = "app";
+
+ /**
+ * The target involved in the authentication. If your field is named
+ * dest_host, dest_ip, dest_ipv6, or dest_nt_host you can alias it as dest
+ * to make it CIM-compliant.
+ */
+ public void setAuthDest(String authDest) {
+ addField(AUTH_DEST, authDest);
+ }
+ public static String AUTH_DEST = "dest";
+
+ /**
+ * The source involved in the authentication. In the case of endpoint
+ * protection authentication the src is the client. If your field is named
+ * src_host, src_ip, src_ipv6, or src_nt_host you can alias it as src to
+ * make it CIM-compliant.. It is required for all events dealing with
+ * endpoint protection (Authentication, change analysis, malware, system
+ * center, and update). Note: Do not confuse this with the event source or
+ * sourcetype fields.
+ */
+ public void setAuthSrc(String authSrc) {
+ addField(AUTH_SRC, authSrc);
+ }
+ public static String AUTH_SRC = "src";
+
+ /**
+ * In privilege escalation events, src_user represents the user who
+ * initiated the privilege escalation.
+ */
+ public void setAuthSrcUser(String authSrcUser) {
+ addField(AUTH_SRC_USER, authSrcUser);
+ }
+ public static String AUTH_SRC_USER = "src_user";
+
+ /**
+ * The name of the user involved in the event, or who initiated the event.
+ * For authentication privilege escalation events this should represent the
+ * user targeted by the escalation.
+ */
+ public void setAuthUser(String authUser) {
+ addField(AUTH_USER, authUser);
+ }
+ public static String AUTH_USER = "user";
+
+ // ----------------------------------
+ // Change analysis - Endpoint protection
+ // ----------------------------------
+
+ /**
+ * The action performed on the resource.
+ */
+ public void setChangeEndpointProtectionAction(
+ String changeEndpointProtectionAction) {
+ addField(CHANGE_ENDPOINT_PROTECTION_ACTION,
+ changeEndpointProtectionAction);
+ }
+ public static String CHANGE_ENDPOINT_PROTECTION_ACTION = "action";
+
+ /**
+ * The type of change discovered in the change analysis event.
+ */
+ public void setChangeEndpointProtectionChangeType(
+ String changeEndpointProtectionChangeType) {
+ addField(CHANGE_ENDPOINT_PROTECTION_CHANGE_TYPE,
+ changeEndpointProtectionChangeType);
+ }
+ public static String CHANGE_ENDPOINT_PROTECTION_CHANGE_TYPE = "change_type";
+
+ /**
+ * The host that was affected by the change. If your field is named
+ * dest_host,dest_ip,dest_ipv6, or dest_nt_host you can alias it as dest to
+ * make it CIM-compliant.
+ */
+ public void setChangeEndpointProtectionDest(
+ String changeEndpointProtectionDest) {
+ addField(CHANGE_ENDPOINT_PROTECTION_DEST, changeEndpointProtectionDest);
+ }
+ public static String CHANGE_ENDPOINT_PROTECTION_DEST = "dest";
+
+ /**
+ * The hash signature of the modified resource.
+ */
+ public void setChangeEndpointProtectionHash(
+ String changeEndpointProtectionHash) {
+ addField(CHANGE_ENDPOINT_PROTECTION_HASH, changeEndpointProtectionHash);
+ }
+ public static String CHANGE_ENDPOINT_PROTECTION_HASH = "hash";
+
+ /**
+ * The group ID of the modified resource.
+ */
+ public void setChangeEndpointProtectionGid(long changeEndpointProtectionGid) {
+ addField(CHANGE_ENDPOINT_PROTECTION_GID, changeEndpointProtectionGid);
+ }
+ public static String CHANGE_ENDPOINT_PROTECTION_GID = "gid";
+
+ /**
+ * Indicates whether or not the modified resource is a directory.
+ */
+ public void setChangeEndpointProtectionIsdr(
+ boolean changeEndpointProtectionIsdr) {
+ addField(CHANGE_ENDPOINT_PROTECTION_ISDR, changeEndpointProtectionIsdr);
+ }
+ public static String CHANGE_ENDPOINT_PROTECTION_ISDR = "isdr";
+
+ /**
+ * The permissions mode of the modified resource.
+ */
+ public void setChangeEndpointProtectionMode(
+ long changeEndpointProtectionMode) {
+ addField(CHANGE_ENDPOINT_PROTECTION_MODE, changeEndpointProtectionMode);
+ }
+ public static String CHANGE_ENDPOINT_PROTECTION_MODE = "mode";
+
+ /**
+ * The modification time of the modified resource.
+ */
+ public void setChangeEndpointProtectionModtime(
+ String changeEndpointProtectionModtime) {
+ addField(CHANGE_ENDPOINT_PROTECTION_MODTIME,
+ changeEndpointProtectionModtime);
+ }
+ public static String CHANGE_ENDPOINT_PROTECTION_MODTIME = "modtime";
+
+ /**
+ * The file path of the modified resource.
+ */
+ public void setChangeEndpointProtectionPath(
+ String changeEndpointProtectionPath) {
+ addField(CHANGE_ENDPOINT_PROTECTION_PATH, changeEndpointProtectionPath);
+ }
+ public static String CHANGE_ENDPOINT_PROTECTION_PATH = "path";
+
+ /**
+ * The size of the modified resource.
+ */
+ public void setChangeEndpointProtectionSize(
+ long changeEndpointProtectionSize) {
+ addField(CHANGE_ENDPOINT_PROTECTION_SIZE, changeEndpointProtectionSize);
+ }
+ public static String CHANGE_ENDPOINT_PROTECTION_SIZE = "size";
+
+ /**
+ * The user ID of the modified resource.
+ */
+ public void setChangeEndpointProtectionUid(long changeEndpointProtectionUid) {
+ addField(CHANGE_ENDPOINT_PROTECTION_UID, changeEndpointProtectionUid);
+ }
+ public static String CHANGE_ENDPOINT_PROTECTION_UID = "uid";
+
+ // ----------------------------------
+ // Change analysis - Network protection
+ // ----------------------------------
+
+ /**
+ * The type of change observed.
+ */ + public void setChangeNetworkProtectionAction( + String changeNetworkProtectionAction) { + addField(CHANGE_NETWORK_PROTECTION_ACTION, changeNetworkProtectionAction); + } + public static String CHANGE_NETWORK_PROTECTION_ACTION = "action"; + + /** + * The command that initiated the change. + */ + public void setChangeNetworkProtectionCommand( + String changeNetworkProtectionCommand) { + addField(CHANGE_NETWORK_PROTECTION_COMMAND, + changeNetworkProtectionCommand); + } + public static String CHANGE_NETWORK_PROTECTION_COMMAND = "command"; + + /** + * The device that is directly affected by the change. + */ + public void setChangeNetworkProtectionDvc(String changeNetworkProtectionDvc) { + addField(CHANGE_NETWORK_PROTECTION_DVC, changeNetworkProtectionDvc); + } + public static String CHANGE_NETWORK_PROTECTION_DVC = "dvc"; + + /** + * The user that initiated the change. + */ + public void setChangeNetworkProtectionUser( + String changeNetworkProtectionUser) { + addField(CHANGE_NETWORK_PROTECTION_USER, changeNetworkProtectionUser); + } + public static String CHANGE_NETWORK_PROTECTION_USER = "user"; + + // ---------------------------------- + // Common event fields + // ---------------------------------- + + /** + * A device-specific classification provided as part of the event. + */ + public void setCommonCategory(String commonCategory) { + addField(COMMON_CATEGORY, commonCategory); + } + public static String COMMON_CATEGORY = "category"; + + /** + * A device-specific classification provided as part of the event. + */ + public void setCommonCount(String commonCount) { + addField(COMMON_COUNT, commonCount); + } + public static String COMMON_COUNT = "count"; + + /** + * The free-form description of a particular event. + */ + public void setCommonDesc(String commonDesc) { + addField(COMMON_DESC, commonDesc); + } + public static String COMMON_DESC = "desc"; + + /** + * The name of a given DHCP pool on a DHCP server. 
+ */ + public void setCommonDhcpPool(String commonDhcpPool) { + addField(COMMON_DHCP_POOL, commonDhcpPool); + } + public static String COMMON_DHCP_POOL = "dhcp_pool"; + + /** + * The amount of time the event lasted. + */ + public void setCommonDuration(long commonDuration) { + addField(COMMON_DURATION, commonDuration); + } + public static String COMMON_DURATION = "duration"; + + /** + * The fully qualified domain name of the device transmitting or recording + * the log record. + */ + public void setCommonDvcHost(String commonDvcHost) { + addField(COMMON_DVC_HOST, commonDvcHost); + } + public static String COMMON_DVC_HOST = "dvc_host"; + + /** + * The IPv4 address of the device reporting the event. + */ + public void setCommonDvcIp(String commonDvcIp) { + addField(COMMON_DVC_IP, commonDvcIp); + } + public static String COMMON_DVC_IP = "dvc_ip"; + + /** + * The IPv6 address of the device reporting the event. + */ + public void setCommonDvcIp6(String commonDvcIp6) { + addField(COMMON_DVC_IP6, commonDvcIp6); + } + public static String COMMON_DVC_IP6 = "dvc_ip6"; + + /** + * The free-form description of the device's physical location. + */ + public void setCommonDvcLocation(String commonDvcLocation) { + addField(COMMON_DVC_LOCATION, commonDvcLocation); + } + public static String COMMON_DVC_LOCATION = "dvc_location"; + + /** + * The MAC (layer 2) address of the device reporting the event. + */ + public void setCommonDvcMac(String commonDvcMac) { + addField(COMMON_DVC_MAC, commonDvcMac); + } + public static String COMMON_DVC_MAC = "dvc_mac"; + + /** + * The Windows NT domain of the device recording or transmitting the event. + */ + public void setCommonDvcNtDomain(String commonDvcNtDomain) { + addField(COMMON_DVC_NT_DOMAIN, commonDvcNtDomain); + } + public static String COMMON_DVC_NT_DOMAIN = "dvc_nt_domain"; + + /** + * The Windows NT host name of the device recording or transmitting the + * event. 
+ */ + public void setCommonDvcNtHost(String commonDvcNtHost) { + addField(COMMON_DVC_NT_HOST, commonDvcNtHost); + } + public static String COMMON_DVC_NT_HOST = "dvc_nt_host"; + + /** + * Time at which the device recorded the event. + */ + public void setCommonDvcTime(long commonDvcTime) { + addField(COMMON_DVC_TIME, commonDvcTime); + } + public static String COMMON_DVC_TIME = "dvc_time"; + + /** + * The event's specified end time. + */ + public void setCommonEndTime(long commonEndTime) { + addField(COMMON_END_TIME, commonEndTime); + } + public static String COMMON_END_TIME = "end_time"; + + /** + * A unique identifier that identifies the event. This is unique to the + * reporting device. + */ + public void setCommonEventId(long commonEventId) { + addField(COMMON_EVENT_ID, commonEventId); + } + public static String COMMON_EVENT_ID = "event_id"; + + /** + * The length of the datagram, event, message, or packet. + */ + public void setCommonLength(long commonLength) { + addField(COMMON_LENGTH, commonLength); + } + public static String COMMON_LENGTH = "length"; + + /** + * The log-level that was set on the device and recorded in the event. + */ + public void setCommonLogLevel(String commonLogLevel) { + addField(COMMON_LOG_LEVEL, commonLogLevel); + } + public static String COMMON_LOG_LEVEL = "log_level"; + + /** + * The name of the event as reported by the device. The name should not + * contain information that's already being parsed into other fields from + * the event, such as IP addresses. + */ + public void setCommonName(String commonName) { + addField(COMMON_NAME, commonName); + } + public static String COMMON_NAME = "name"; + + /** + * An integer assigned by the device operating system to the process + * creating the record. 
+ */ + public void setCommonPid(long commonPid) { + addField(COMMON_PID, commonPid); + } + public static String COMMON_PID = "pid"; + + /** + * An environment-specific assessment of the event's importance, based on + * elements such as event severity, business function of the affected + * system, or other locally defined variables. + */ + public void setCommonPriority(long commonPriority) { + addField(COMMON_PRIORITY, commonPriority); + } + public static String COMMON_PRIORITY = "priority"; + + /** + * The product that generated the event. + */ + public void setCommonProduct(String commonProduct) { + addField(COMMON_PRODUCT, commonProduct); + } + public static String COMMON_PRODUCT = "product"; + + /** + * The version of the product that generated the event. + */ + public void setCommonProductVersion(long commonProductVersion) { + addField(COMMON_PRODUCT_VERSION, commonProductVersion); + } + public static String COMMON_PRODUCT_VERSION = "product_version"; + + /** + * The result root cause, such as connection refused, timeout, crash, and so + * on. + */ + public void setCommonReason(String commonReason) { + addField(COMMON_REASON, commonReason); + } + public static String COMMON_REASON = "reason"; + + /** + * The action result. Often is a binary choice: succeeded and failed, + * allowed and denied, and so on. + */ + public void setCommonResult(String commonResult) { + addField(COMMON_RESULT, commonResult); + } + public static String COMMON_RESULT = "result"; + + /** + * The severity (or priority) of an event as reported by the originating + * device. + */ + public void setCommonSeverity(String commonSeverity) { + addField(COMMON_SEVERITY, commonSeverity); + } + public static String COMMON_SEVERITY = "severity"; + + /** + * The event's specified start time. + */ + public void setCommonStartTime(long commonStartTime) { + addField(COMMON_START_TIME, commonStartTime); + } + public static String COMMON_START_TIME = "start_time"; + + /** + * The transaction identifier. 
+ */ + public void setCommonTransactionId(String commonTransactionId) { + addField(COMMON_TRANSACTION_ID, commonTransactionId); + } + public static String COMMON_TRANSACTION_ID = "transaction_id"; + + /** + * A uniform record locator (a web address, in other words) included in a + * record. + */ + public void setCommonUrl(String commonUrl) { + addField(COMMON_URL, commonUrl); + } + public static String COMMON_URL = "url"; + + /** + * The vendor who made the product that generated the event. + */ + public void setCommonVendor(String commonVendor) { + addField(COMMON_VENDOR, commonVendor); + } + public static String COMMON_VENDOR = "vendor"; + + // ---------------------------------- + // DNS protocol + // ---------------------------------- + + /** + * The DNS domain that has been queried. + */ + public void setDnsDestDomain(String dnsDestDomain) { + addField(DNS_DEST_DOMAIN, dnsDestDomain); + } + public static String DNS_DEST_DOMAIN = "dest_domain"; + + /** + * The remote DNS resource record being acted upon. + */ + public void setDnsDestRecord(String dnsDestRecord) { + addField(DNS_DEST_RECORD, dnsDestRecord); + } + public static String DNS_DEST_RECORD = "dest_record"; + + /** + * The DNS zone that is being received by the slave as part of a zone + * transfer. + */ + public void setDnsDestZone(String dnsDestZone) { + addField(DNS_DEST_ZONE, dnsDestZone); + } + public static String DNS_DEST_ZONE = "dest_zone"; + + /** + * The DNS resource record class. + */ + public void setDnsRecordClass(String dnsRecordClass) { + addField(DNS_RECORD_CLASS, dnsRecordClass); + } + public static String DNS_RECORD_CLASS = "record_class"; + + /** + * The DNS resource record type. + * + * @see see + * this Wikipedia article on DNS record types + */ + public void setDnsRecordType(String dnsRecordType) { + addField(DNS_RECORD_TYPE, dnsRecordType); + } + public static String DNS_RECORD_TYPE = "record_type"; + + /** + * The local DNS domain that is being queried. 
+ */ + public void setDnsSrcDomain(String dnsSrcDomain) { + addField(DNS_SRC_DOMAIN, dnsSrcDomain); + } + public static String DNS_SRC_DOMAIN = "src_domain"; + + /** + * The local DNS resource record being acted upon. + */ + public void setDnsSrcRecord(String dnsSrcRecord) { + addField(DNS_SRC_RECORD, dnsSrcRecord); + } + public static String DNS_SRC_RECORD = "src_record"; + + /** + * The DNS zone that is being transferred by the master as part of a zone + * transfer. + */ + public void setDnsSrcZone(String dnsSrcZone) { + addField(DNS_SRC_ZONE, dnsSrcZone); + } + public static String DNS_SRC_ZONE = "src_zone"; + + // ---------------------------------- + // Email tracking + // ---------------------------------- + + /** + * The person to whom an email is sent. + */ + public void setEmailRecipient(String emailRecipient) { + addField(EMAIL_RECIPIENT, emailRecipient); + } + public static String EMAIL_RECIPIENT = "recipient"; + + /** + * The person responsible for sending an email. + */ + public void setEmailSender(String emailSender) { + addField(EMAIL_SENDER, emailSender); + } + public static String EMAIL_SENDER = "sender"; + + /** + * The email subject line. + */ + public void setEmailSubject(String emailSubject) { + addField(EMAIL_SUBJECT, emailSubject); + } + public static String EMAIL_SUBJECT = "subject"; + + // ---------------------------------- + // File management + // ---------------------------------- + + /** + * The time the file (the object of the event) was accessed. + */ + public void setFileAccessTime(long fileAccessTime) { + addField(FILE_ACCESS_TIME, fileAccessTime); + } + public static String FILE_ACCESS_TIME = "file_access_time"; + + /** + * The time the file (the object of the event) was created. 
+ */ + public void setFileCreateTime(long fileCreateTime) { + addField(FILE_CREATE_TIME, fileCreateTime); + } + public static String FILE_CREATE_TIME = "file_create_time"; + + /** + * A cryptographic identifier assigned to the file object affected by the + * event. + */ + public void setFileHash(String fileHash) { + addField(FILE_HASH, fileHash); + } + public static String FILE_HASH = "file_hash"; + + /** + * The time the file (the object of the event) was altered. + */ + public void setFileModifyTime(long fileModifyTime) { + addField(FILE_MODIFY_TIME, fileModifyTime); + } + public static String FILE_MODIFY_TIME = "file_modify_time"; + + /** + * The name of the file that is the object of the event (without location + * information related to local file or directory structure). + */ + public void setFileName(String fileName) { + addField(FILE_NAME, fileName); + } + public static String FILE_NAME = "file_name"; + + /** + * The location of the file that is the object of the event, in terms of + * local file and directory structure. + */ + public void setFilePath(String filePath) { + addField(FILE_PATH, filePath); + } + public static String FILE_PATH = "file_path"; + + /** + * Access controls associated with the file affected by the event. + */ + public void setFilePermission(String filePermission) { + addField(FILE_PERMISSION, filePermission); + } + public static String FILE_PERMISSION = "file_permission"; + + /** + * The size of the file that is the object of the event. Indicate whether + * Bytes, KB, MB, GB. + */ + public void setFileSize(long fileSize) { + addField(FILE_SIZE, fileSize); + } + public static String FILE_SIZE = "file_size"; + + // ---------------------------------- + // Intrusion detection + // ---------------------------------- + + /** + * The category of the triggered signature. 
+ */ + public void setIntrusionDetectionCategory(String intrusionDetectionCategory) { + addField(INTRUSION_DETECTION_CATEGORY, intrusionDetectionCategory); + } + public static String INTRUSION_DETECTION_CATEGORY = "category"; + + /** + * The destination of the attack detected by the intrusion detection system + * (IDS). If your field is named dest_host, dest_ip, dest_ipv6, or + * dest_nt_host you can alias it as dest to make it CIM-compliant. + */ + public void setIntrusionDetectionDest(String intrusionDetectionDest) { + addField(INTRUSION_DETECTION_DEST, intrusionDetectionDest); + } + public static String INTRUSION_DETECTION_DEST = "dest"; + + /** + * The device that detected the intrusion event. + */ + public void setIntrusionDetectionDvc(String intrusionDetectionDvc) { + addField(INTRUSION_DETECTION_DVC, intrusionDetectionDvc); + } + public static String INTRUSION_DETECTION_DVC = "dvc"; + + /** + * The type of IDS that generated the event. + */ + public void setIntrusionDetectionIdsType(String intrusionDetectionIdsType) { + addField(INTRUSION_DETECTION_IDS_TYPE, intrusionDetectionIdsType); + } + public static String INTRUSION_DETECTION_IDS_TYPE = "ids_type"; + + /** + * The product name of the vendor technology generating network protection + * data, such as IDP, Providentia, and ASA. + * + * Note: Required for all events dealing with network protection (Change + * analysis, proxy, malware, intrusion detection, packet filtering, and + * vulnerability). + */ + public void setIntrusionDetectionProduct(String intrusionDetectionProduct) { + addField(INTRUSION_DETECTION_PRODUCT, intrusionDetectionProduct); + } + public static String INTRUSION_DETECTION_PRODUCT = "product"; + + /** + * The severity of the network protection event (such as critical, high, + * medium, low, or informational). + * + * Note: This field is a string. Please use a severity_id field for severity + * ID fields that are integer data types. 
+ */ + public void setIntrusionDetectionSeverity(String intrusionDetectionSeverity) { + addField(INTRUSION_DETECTION_SEVERITY, intrusionDetectionSeverity); + } + public static String INTRUSION_DETECTION_SEVERITY = "severity"; + + /** + * The name of the intrusion detected on the client (the src), such as + * PlugAndPlay_BO and JavaScript_Obfuscation_Fre. + */ + public void setIntrusionDetectionSignature( + String intrusionDetectionSignature) { + addField(INTRUSION_DETECTION_SIGNATURE, intrusionDetectionSignature); + } + public static String INTRUSION_DETECTION_SIGNATURE = "signature"; + + /** + * The source involved in the attack detected by the IDS. If your field is + * named src_host, src_ip, src_ipv6, or src_nt_host you can alias it as src + * to make it CIM-compliant. + */ + public void setIntrusionDetectionSrc(String intrusionDetectionSrc) { + addField(INTRUSION_DETECTION_SRC, intrusionDetectionSrc); + } + public static String INTRUSION_DETECTION_SRC = "src"; + + /** + * The user involved with the intrusion detection event. + */ + public void setIntrusionDetectionUser(String intrusionDetectionUser) { + addField(INTRUSION_DETECTION_USER, intrusionDetectionUser); + } + public static String INTRUSION_DETECTION_USER = "user"; + + /** + * The vendor technology used to generate network protection data, such as + * IDP, Providentia, and ASA. + * + * Note: Required for all events dealing with network protection (Change + * analysis, proxy, malware, intrusion detection, packet filtering, and + * vulnerability). 
+ */ + public void setIntrusionDetectionVendor(String intrusionDetectionVendor) { + addField(INTRUSION_DETECTION_VENDOR, intrusionDetectionVendor); + } + public static String INTRUSION_DETECTION_VENDOR = "vendor"; + + + // ---------------------------------- + // Malware - Endpoint protection + // ---------------------------------- + + /** + * The outcome of the infection + */ + public void setMalwareEndpointProtectionAction( + String malwareEndpointProtectionAction) { + addField(MALWARE_ENDPOINT_PROTECTION_ACTION, + malwareEndpointProtectionAction); + } + public static String MALWARE_ENDPOINT_PROTECTION_ACTION = "action"; + + /** + * The NT domain of the destination (the dest_bestmatch). + */ + public void setMalwareEndpointProtectionDestNtDomain( + String malwareEndpointProtectionDestNtDomain) { + addField(MALWARE_ENDPOINT_PROTECTION_DEST_NT_DOMAIN, + malwareEndpointProtectionDestNtDomain); + } + public static String MALWARE_ENDPOINT_PROTECTION_DEST_NT_DOMAIN = "dest_nt_domain"; + + /** + * The cryptographic hash of the file associated with the malware event + * (such as the malicious or infected file). + */ + public void setMalwareEndpointProtectionFileHash( + String malwareEndpointProtectionFileHash) { + addField(MALWARE_ENDPOINT_PROTECTION_FILE_HASH, + malwareEndpointProtectionFileHash); + } + public static String MALWARE_ENDPOINT_PROTECTION_FILE_HASH = "file_hash"; + + /** + * The name of the file involved in the malware event (such as the infected + * or malicious file). + */ + public void setMalwareEndpointProtectionFileName( + String malwareEndpointProtectionFileName) { + addField(MALWARE_ENDPOINT_PROTECTION_FILE_NAME, + malwareEndpointProtectionFileName); + } + public static String MALWARE_ENDPOINT_PROTECTION_FILE_NAME = "file_name"; + + /** + * The path of the file involved in the malware event (such as the infected + * or malicious file). 
+ */ + public void setMalwareEndpointProtectionFilePath( + String malwareEndpointProtectionFilePath) { + addField(MALWARE_ENDPOINT_PROTECTION_FILE_PATH, + malwareEndpointProtectionFilePath); + } + public static String MALWARE_ENDPOINT_PROTECTION_FILE_PATH = "file_path"; + + /** + * The product name of the vendor technology (the vendor field) that is + * generating malware data (such as Antivirus or EPO). + */ + public void setMalwareEndpointProtectionProduct( + String malwareEndpointProtectionProduct) { + addField(MALWARE_ENDPOINT_PROTECTION_PRODUCT, + malwareEndpointProtectionProduct); + } + public static String MALWARE_ENDPOINT_PROTECTION_PRODUCT = "product"; + + /** + * The product version number of the vendor technology installed on the + * client (such as 10.4.3 or 11.0.2). + */ + public void setMalwareEndpointProtectionProductVersion( + String malwareEndpointProtectionProductVersion) { + addField(MALWARE_ENDPOINT_PROTECTION_PRODUCT_VERSION, + malwareEndpointProtectionProductVersion); + } + public static String MALWARE_ENDPOINT_PROTECTION_PRODUCT_VERSION = "product_version"; + + /** + * The name of the malware infection detected on the client (the src), such + * as Trojan.Vundo,Spyware.Gaobot,W32.Nimbda). + * + * Note: This field is a string. Please use a signature_id field for + * signature ID fields that are integer data types. 
+ */ + public void setMalwareEndpointProtectionSignature( + String malwareEndpointProtectionSignature) { + addField(MALWARE_ENDPOINT_PROTECTION_SIGNATURE, + malwareEndpointProtectionSignature); + } + public static String MALWARE_ENDPOINT_PROTECTION_SIGNATURE = "signature"; + + /** + * The current signature definition set running on the client, such as + * 11hsvx) + */ + public void setMalwareEndpointProtectionSignatureVersion( + String malwareEndpointProtectionSignatureVersion) { + addField(MALWARE_ENDPOINT_PROTECTION_SIGNATURE_VERSION, + malwareEndpointProtectionSignatureVersion); + } + public static String MALWARE_ENDPOINT_PROTECTION_SIGNATURE_VERSION = "signature_version"; + + /** + * The target affected or infected by the malware. If your field is named + * dest_host, dest_ip, dest_ipv6, or dest_nt_host you can alias it as dest + * to make it CIM-compliant. + */ + public void setMalwareEndpointProtectionDest( + String malwareEndpointProtectionDest) { + addField(MALWARE_ENDPOINT_PROTECTION_DEST, malwareEndpointProtectionDest); + } + public static String MALWARE_ENDPOINT_PROTECTION_DEST = "dest"; + + /** + * The NT domain of the source (the src). + */ + public void setMalwareEndpointProtectionSrcNtDomain( + String malwareEndpointProtectionSrcNtDomain) { + addField(MALWARE_ENDPOINT_PROTECTION_SRC_NT_DOMAIN, + malwareEndpointProtectionSrcNtDomain); + } + public static String MALWARE_ENDPOINT_PROTECTION_SRC_NT_DOMAIN = "src_nt_domain"; + + /** + * The name of the user involved in the malware event. + */ + public void setMalwareEndpointProtectionUser( + String malwareEndpointProtectionUser) { + addField(MALWARE_ENDPOINT_PROTECTION_USER, malwareEndpointProtectionUser); + } + public static String MALWARE_ENDPOINT_PROTECTION_USER = "user"; + + /** + * The name of the vendor technology generating malware data, such as + * Symantec or McAfee. 
+ */ + public void setMalwareEndpointProtectionVendor( + String malwareEndpointProtectionVendor) { + addField(MALWARE_ENDPOINT_PROTECTION_VENDOR, + malwareEndpointProtectionVendor); + } + public static String MALWARE_ENDPOINT_PROTECTION_VENDOR = "vendor"; + + // ---------------------------------- + // Malware - Network protection + // ---------------------------------- + + /** + * The product name of the vendor technology generating network protection + * data, such as IDP, Proventia, and ASA. + * + * Note: Required for all events dealing with network protection (Change + * analysis, proxy, malware, intrusion detection, packet filtering, and + * vulnerability). + */ + public void setMalwareNetworkProtectionProduct( + String malwareNetworkProtectionProduct) { + addField(MALWARE_NETWORK_PROTECTION_PRODUCT, + malwareNetworkProtectionProduct); + } + public static String MALWARE_NETWORK_PROTECTION_PRODUCT = "product"; + + /** + * The severity of the network protection event (such as critical, high, + * medium, low, or informational). + * + * Note: This field is a string. Please use a severity_id field for severity + * ID fields that are integer data types. + */ + public void setMalwareNetworkProtectionSeverity( + String malwareNetworkProtectionSeverity) { + addField(MALWARE_NETWORK_PROTECTION_SEVERITY, + malwareNetworkProtectionSeverity); + } + public static String MALWARE_NETWORK_PROTECTION_SEVERITY = "severity"; + + /** + * The vendor technology used to generate network protection data, such as + * IDP, Proventia, and ASA. + * + * Note: Required for all events dealing with network protection (Change + * analysis, proxy, malware, intrusion detection, packet filtering, and + * vulnerability). 
+ */ + public void setMalwareNetworkProtectionVendor( + String malwareNetworkProtectionVendor) { + addField(MALWARE_NETWORK_PROTECTION_VENDOR, + malwareNetworkProtectionVendor); + } + public static String MALWARE_NETWORK_PROTECTION_VENDOR = "vendor"; + + + // ---------------------------------- + // Network traffic - ESS + // ---------------------------------- + + /** + * The action of the network traffic. + */ + public void setNetworkTrafficEssAction(String networkTrafficEssAction) { + addField(NETWORK_TRAFFIC_ESS_ACTION, networkTrafficEssAction); + } + public static String NETWORK_TRAFFIC_ESS_ACTION = "action"; + + /** + * The destination port of the network traffic. + */ + public void setNetworkTrafficEssDestPort(int networkTrafficEssDestPort) { + addField(NETWORK_TRAFFIC_ESS_DEST_PORT, networkTrafficEssDestPort); + } + public static String NETWORK_TRAFFIC_ESS_DEST_PORT = "dest_port"; + + /** + * The product name of the vendor technology generating NetworkProtection + * data, such as IDP, Proventia, and ASA. + * + * Note: Required for all events dealing with network protection (Change + * analysis, proxy, malware, intrusion detection, packet filtering, and + * vulnerability). + */ + public void setNetworkTrafficEssProduct(String networkTrafficEssProduct) { + addField(NETWORK_TRAFFIC_ESS_PRODUCT, networkTrafficEssProduct); + } + public static String NETWORK_TRAFFIC_ESS_PRODUCT = "product"; + + /** + * The source port of the network traffic. + */ + public void setNetworkTrafficEssSrcPort(int networkTrafficEssSrcPort) { + addField(NETWORK_TRAFFIC_ESS_SRC_PORT, networkTrafficEssSrcPort); + } + public static String NETWORK_TRAFFIC_ESS_SRC_PORT = "src_port"; + + /** + * The vendor technology used to generate NetworkProtection data, such as + * IDP, Proventia, and ASA. + * + * Note: Required for all events dealing with network protection (Change + * analysis, proxy, malware, intrusion detection, packet filtering, and + * vulnerability). 
+ */ + public void setNetworkTrafficEssVendor(String networkTrafficEssVendor) { + addField(NETWORK_TRAFFIC_ESS_VENDOR, networkTrafficEssVendor); + } + public static String NETWORK_TRAFFIC_ESS_VENDOR = "vendor"; + + // ---------------------------------- + // Network traffic - Generic + // ---------------------------------- + + /** + * The ISO layer 7 (application layer) protocol, such as HTTP, HTTPS, SSH, + * and IMAP. + */ + public void setNetworkTrafficGenericAppLayer( + String networkTrafficGenericAppLayer) { + addField(NETWORK_TRAFFIC_GENERIC_APP_LAYER, + networkTrafficGenericAppLayer); + } + public static String NETWORK_TRAFFIC_GENERIC_APP_LAYER = "app_layer"; + /** + * How many bytes this device/interface received. + */ + public void setNetworkTrafficGenericBytesIn( + long networkTrafficGenericBytesIn) { + addField(NETWORK_TRAFFIC_GENERIC_BYTES_IN, networkTrafficGenericBytesIn); + } + public static String NETWORK_TRAFFIC_GENERIC_BYTES_IN = "bytes_in"; + + + /** + * How many bytes this device/interface transmitted. + */ + public void setNetworkTrafficGenericBytesOut( + long networkTrafficGenericBytesOut) { + addField(NETWORK_TRAFFIC_GENERIC_BYTES_OUT, + networkTrafficGenericBytesOut); + } + public static String NETWORK_TRAFFIC_GENERIC_BYTES_OUT = "bytes_out"; + + /** + * 802.11 channel number used by a wireless network. + */ + public void setNetworkTrafficGenericChannel( + String networkTrafficGenericChannel) { + addField(NETWORK_TRAFFIC_GENERIC_CHANNEL, networkTrafficGenericChannel); + } + public static String NETWORK_TRAFFIC_GENERIC_CHANNEL = "channel"; + + /** + * The Common Vulnerabilities and Exposures (CVE) reference value. + */ + public void setNetworkTrafficGenericCve(String networkTrafficGenericCve) { + addField(NETWORK_TRAFFIC_GENERIC_CVE, networkTrafficGenericCve); + } + public static String NETWORK_TRAFFIC_GENERIC_CVE = "cve"; + + /** + * The destination application being targeted. 
+ */ + public void setNetworkTrafficGenericDestApp( + String networkTrafficGenericDestApp) { + addField(NETWORK_TRAFFIC_GENERIC_DEST_APP, networkTrafficGenericDestApp); + } + public static String NETWORK_TRAFFIC_GENERIC_DEST_APP = "dest_app"; + + /** + * The destination command and control service channel. + */ + public void setNetworkTrafficGenericDestCncChannel( + String networkTrafficGenericDestCncChannel) { + addField(NETWORK_TRAFFIC_GENERIC_DEST_CNC_CHANNEL, + networkTrafficGenericDestCncChannel); + } + public static String NETWORK_TRAFFIC_GENERIC_DEST_CNC_CHANNEL = "dest_cnc_channel"; + + /** + * The destination command and control service name. + */ + public void setNetworkTrafficGenericDestCncName( + String networkTrafficGenericDestCncName) { + addField(NETWORK_TRAFFIC_GENERIC_DEST_CNC_NAME, + networkTrafficGenericDestCncName); + } + public static String NETWORK_TRAFFIC_GENERIC_DEST_CNC_NAME = "dest_cnc_name"; + + /** + * The destination command and control service port. + */ + public void setNetworkTrafficGenericDestCncPort( + String networkTrafficGenericDestCncPort) { + addField(NETWORK_TRAFFIC_GENERIC_DEST_CNC_PORT, + networkTrafficGenericDestCncPort); + } + public static String NETWORK_TRAFFIC_GENERIC_DEST_CNC_PORT = "dest_cnc_port"; + + /** + * The country associated with a packet's recipient. + */ + public void setNetworkTrafficGenericDestCountry( + String networkTrafficGenericDestCountry) { + addField(NETWORK_TRAFFIC_GENERIC_DEST_COUNTRY, + networkTrafficGenericDestCountry); + } + public static String NETWORK_TRAFFIC_GENERIC_DEST_COUNTRY = "dest_country"; + + /** + * The fully qualified host name of a packet's recipient. For HTTP sessions, + * this is the host header. 
+ */ + public void setNetworkTrafficGenericDestHost( + String networkTrafficGenericDestHost) { + addField(NETWORK_TRAFFIC_GENERIC_DEST_HOST, + networkTrafficGenericDestHost); + } + public static String NETWORK_TRAFFIC_GENERIC_DEST_HOST = "dest_host"; + + /** + * The interface that is listening remotely or receiving packets locally. + */ + public void setNetworkTrafficGenericDestInt( + String networkTrafficGenericDestInt) { + addField(NETWORK_TRAFFIC_GENERIC_DEST_INT, networkTrafficGenericDestInt); + } + public static String NETWORK_TRAFFIC_GENERIC_DEST_INT = "dest_int"; + + /** + * The IPv4 address of a packet's recipient. + */ + public void setNetworkTrafficGenericDestIp( + String networkTrafficGenericDestIp) { + addField(NETWORK_TRAFFIC_GENERIC_DEST_IP, networkTrafficGenericDestIp); + } + public static String NETWORK_TRAFFIC_GENERIC_DEST_IP = "dest_ip"; + + /** + * The IPv6 address of a packet's recipient. + */ + public void setNetworkTrafficGenericDestIpv6( + String networkTrafficGenericDestIpv6) { + addField(NETWORK_TRAFFIC_GENERIC_DEST_IPV6, + networkTrafficGenericDestIpv6); + } + public static String NETWORK_TRAFFIC_GENERIC_DEST_IPV6 = "dest_ipv6"; + + /** + * The (physical) latitude of a packet's destination. + */ + public void setNetworkTrafficGenericDestLat(int networkTrafficGenericDestLat) { + addField(NETWORK_TRAFFIC_GENERIC_DEST_LAT, networkTrafficGenericDestLat); + } + public static String NETWORK_TRAFFIC_GENERIC_DEST_LAT = "dest_lat"; + + /** + * The (physical) longitude of a packet's destination. + */ + public void setNetworkTrafficGenericDestLong( + int networkTrafficGenericDestLong) { + addField(NETWORK_TRAFFIC_GENERIC_DEST_LONG, + networkTrafficGenericDestLong); + } + public static String NETWORK_TRAFFIC_GENERIC_DEST_LONG = "dest_long"; + + /** + * The destination TCP/IP layer 2 Media Access Control (MAC) address of a + * packet's destination. 
+ */ + public void setNetworkTrafficGenericDestMac( + String networkTrafficGenericDestMac) { + addField(NETWORK_TRAFFIC_GENERIC_DEST_MAC, networkTrafficGenericDestMac); + } + public static String NETWORK_TRAFFIC_GENERIC_DEST_MAC = "dest_mac"; + + /** + * The Windows NT domain containing a packet's destination. + */ + public void setNetworkTrafficGenericDestNtDomain( + String networkTrafficGenericDestNtDomain) { + addField(NETWORK_TRAFFIC_GENERIC_DEST_NT_DOMAIN, + networkTrafficGenericDestNtDomain); + } + public static String NETWORK_TRAFFIC_GENERIC_DEST_NT_DOMAIN = "dest_nt_domain"; + + /** + * The Windows NT host name of a packet's destination. + */ + public void setNetworkTrafficGenericDestNtHost( + String networkTrafficGenericDestNtHost) { + addField(NETWORK_TRAFFIC_GENERIC_DEST_NT_HOST, + networkTrafficGenericDestNtHost); + } + public static String NETWORK_TRAFFIC_GENERIC_DEST_NT_HOST = "dest_nt_host"; + + /** + * TCP/IP port to which a packet is being sent. + */ + public void setNetworkTrafficGenericDestPort( + int networkTrafficGenericDestPort) { + addField(NETWORK_TRAFFIC_GENERIC_DEST_PORT, + networkTrafficGenericDestPort); + } + public static String NETWORK_TRAFFIC_GENERIC_DEST_PORT = "dest_port"; + + /** + * The NATed IPv4 address to which a packet has been sent. + */ + public void setNetworkTrafficGenericDestTranslatedIp( + String networkTrafficGenericDestTranslatedIp) { + addField(NETWORK_TRAFFIC_GENERIC_DEST_TRANSLATED_IP, + networkTrafficGenericDestTranslatedIp); + } + public static String NETWORK_TRAFFIC_GENERIC_DEST_TRANSLATED_IP = "dest_translated_ip"; + + /** + * The NATed port to which a packet has been sent. 
+ */
+ public void setNetworkTrafficGenericDestTranslatedPort(
+ int networkTrafficGenericDestTranslatedPort) {
+ addField(NETWORK_TRAFFIC_GENERIC_DEST_TRANSLATED_PORT,
+ networkTrafficGenericDestTranslatedPort);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_DEST_TRANSLATED_PORT = "dest_translated_port";
+
+ /**
+ * The numbered Internet Protocol version.
+ */
+ public void setNetworkTrafficGenericIpVersion(
+ int networkTrafficGenericIpVersion) {
+ addField(NETWORK_TRAFFIC_GENERIC_IP_VERSION,
+ networkTrafficGenericIpVersion);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_IP_VERSION = "ip_version";
+
+ /**
+ * The network interface through which a packet was transmitted.
+ */
+ public void setNetworkTrafficGenericOutboundInterface(
+ String networkTrafficGenericOutboundInterface) {
+ addField(NETWORK_TRAFFIC_GENERIC_OUTBOUND_INTERFACE,
+ networkTrafficGenericOutboundInterface);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_OUTBOUND_INTERFACE = "outbound_interface";
+
+ /**
+ * How many packets this device/interface received.
+ */
+ public void setNetworkTrafficGenericPacketsIn(
+ long networkTrafficGenericPacketsIn) {
+ addField(NETWORK_TRAFFIC_GENERIC_PACKETS_IN,
+ networkTrafficGenericPacketsIn);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_PACKETS_IN = "packets_in";
+
+ /**
+ * How many packets this device/interface transmitted.
+ */
+ public void setNetworkTrafficGenericPacketsOut(
+ long networkTrafficGenericPacketsOut) {
+ addField(NETWORK_TRAFFIC_GENERIC_PACKETS_OUT,
+ networkTrafficGenericPacketsOut);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_PACKETS_OUT = "packets_out";
+
+ /**
+ * The OSI layer 3 (Network Layer) protocol, such as IPv4/IPv6, ICMP, IPsec,
+ * IGMP or RIP.
+ */
+ public void setNetworkTrafficGenericProto(String networkTrafficGenericProto) {
+ addField(NETWORK_TRAFFIC_GENERIC_PROTO, networkTrafficGenericProto);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_PROTO = "proto";
+
+ /**
+ * The session identifier. Multiple transactions build a session.
+ */
+ public void setNetworkTrafficGenericSessionId(
+ String networkTrafficGenericSessionId) {
+ addField(NETWORK_TRAFFIC_GENERIC_SESSION_ID,
+ networkTrafficGenericSessionId);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_SESSION_ID = "session_id";
+
+ /**
+ * The 802.11 service set identifier (ssid) assigned to a wireless session.
+ */
+ public void setNetworkTrafficGenericSsid(String networkTrafficGenericSsid) {
+ addField(NETWORK_TRAFFIC_GENERIC_SSID, networkTrafficGenericSsid);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_SSID = "ssid";
+
+ /**
+ * The country from which the packet was sent.
+ */
+ public void setNetworkTrafficGenericSrcCountry(
+ String networkTrafficGenericSrcCountry) {
+ addField(NETWORK_TRAFFIC_GENERIC_SRC_COUNTRY,
+ networkTrafficGenericSrcCountry);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_SRC_COUNTRY = "src_country";
+
+ /**
+ * The fully qualified host name of the system that transmitted the packet.
+ * For Web logs, this is the HTTP client.
+ */
+ public void setNetworkTrafficGenericSrcHost(
+ String networkTrafficGenericSrcHost) {
+ addField(NETWORK_TRAFFIC_GENERIC_SRC_HOST, networkTrafficGenericSrcHost);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_SRC_HOST = "src_host";
+
+ /**
+ * The interface that is listening locally or sending packets remotely.
+ */
+ public void setNetworkTrafficGenericSrcInt(
+ String networkTrafficGenericSrcInt) {
+ addField(NETWORK_TRAFFIC_GENERIC_SRC_INT, networkTrafficGenericSrcInt);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_SRC_INT = "src_int";
+
+ /**
+ * The IPv4 address of the packet's source. For Web logs, this is the http
+ * client.
+ */
+ public void setNetworkTrafficGenericSrcIp(String networkTrafficGenericSrcIp) {
+ addField(NETWORK_TRAFFIC_GENERIC_SRC_IP, networkTrafficGenericSrcIp);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_SRC_IP = "src_ip";
+
+ /**
+ * The IPv6 address of the packet's source.
+ */
+ public void setNetworkTrafficGenericSrcIpv6(
+ String networkTrafficGenericSrcIpv6) {
+ addField(NETWORK_TRAFFIC_GENERIC_SRC_IPV6, networkTrafficGenericSrcIpv6);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_SRC_IPV6 = "src_ipv6";
+
+ /**
+ * The (physical) latitude of the packet's source.
+ */
+ public void setNetworkTrafficGenericSrcLat(int networkTrafficGenericSrcLat) {
+ addField(NETWORK_TRAFFIC_GENERIC_SRC_LAT, networkTrafficGenericSrcLat);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_SRC_LAT = "src_lat";
+
+ /**
+ * The (physical) longitude of the packet's source.
+ */
+ public void setNetworkTrafficGenericSrcLong(int networkTrafficGenericSrcLong) {
+ addField(NETWORK_TRAFFIC_GENERIC_SRC_LONG, networkTrafficGenericSrcLong);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_SRC_LONG = "src_long";
+
+ /**
+ * The Media Access Control (MAC) address from which a packet was
+ * transmitted.
+ */
+ public void setNetworkTrafficGenericSrcMac(
+ String networkTrafficGenericSrcMac) {
+ addField(NETWORK_TRAFFIC_GENERIC_SRC_MAC, networkTrafficGenericSrcMac);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_SRC_MAC = "src_mac";
+
+ /**
+ * The Windows NT domain containing the machines that generated the event.
+ */
+ public void setNetworkTrafficGenericSrcNtDomain(
+ String networkTrafficGenericSrcNtDomain) {
+ addField(NETWORK_TRAFFIC_GENERIC_SRC_NT_DOMAIN,
+ networkTrafficGenericSrcNtDomain);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_SRC_NT_DOMAIN = "src_nt_domain";
+
+ /**
+ * The Windows NT hostname of the system that generated the event.
+ */
+ public void setNetworkTrafficGenericSrcNtHost(
+ String networkTrafficGenericSrcNtHost) {
+ addField(NETWORK_TRAFFIC_GENERIC_SRC_NT_HOST,
+ networkTrafficGenericSrcNtHost);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_SRC_NT_HOST = "src_nt_host";
+
+ /**
+ * The network port from which a packet originated.
+ */
+ public void setNetworkTrafficGenericSrcPort(int networkTrafficGenericSrcPort) {
+ addField(NETWORK_TRAFFIC_GENERIC_SRC_PORT, networkTrafficGenericSrcPort);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_SRC_PORT = "src_port";
+
+ /**
+ * The NATed IPv4 address from which a packet has been sent.
+ */
+ public void setNetworkTrafficGenericSrcTranslatedIp(
+ String networkTrafficGenericSrcTranslatedIp) {
+ addField(NETWORK_TRAFFIC_GENERIC_SRC_TRANSLATED_IP,
+ networkTrafficGenericSrcTranslatedIp);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_SRC_TRANSLATED_IP = "src_translated_ip";
+
+ /**
+ * The NATed network port from which a packet has been sent.
+ */
+ public void setNetworkTrafficGenericSrcTranslatedPort(
+ int networkTrafficGenericSrcTranslatedPort) {
+ addField(NETWORK_TRAFFIC_GENERIC_SRC_TRANSLATED_PORT,
+ networkTrafficGenericSrcTranslatedPort);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_SRC_TRANSLATED_PORT = "src_translated_port";
+
+ /**
+ * The application, process, or OS subsystem that generated the event.
+ */
+ public void setNetworkTrafficGenericSyslogId(
+ String networkTrafficGenericSyslogId) {
+ addField(NETWORK_TRAFFIC_GENERIC_SYSLOG_ID,
+ networkTrafficGenericSyslogId);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_SYSLOG_ID = "syslog_id";
+
+ /**
+ * The criticality of an event, as recorded by UNIX syslog.
+ */
+ public void setNetworkTrafficGenericSyslogPriority(
+ String networkTrafficGenericSyslogPriority) {
+ addField(NETWORK_TRAFFIC_GENERIC_SYSLOG_PRIORITY,
+ networkTrafficGenericSyslogPriority);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_SYSLOG_PRIORITY = "syslog_priority";
+
+ /**
+ * The TCP flag(s) specified in the event.
+ */
+ public void setNetworkTrafficGenericTcpFlag(
+ String networkTrafficGenericTcpFlag) {
+ addField(NETWORK_TRAFFIC_GENERIC_TCP_FLAG, networkTrafficGenericTcpFlag);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_TCP_FLAG = "tcp_flag";
+
+ /**
+ * The hex bit that specifies TCP 'type of service'
+ *
+ * @see Type of
+ * Service
+ */
+ public void setNetworkTrafficGenericTos(String networkTrafficGenericTos) {
+ addField(NETWORK_TRAFFIC_GENERIC_TOS, networkTrafficGenericTos);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_TOS = "tos";
+
+ /**
+ * The transport protocol.
+ */
+ public void setNetworkTrafficGenericTransport(
+ String networkTrafficGenericTransport) {
+ addField(NETWORK_TRAFFIC_GENERIC_TRANSPORT,
+ networkTrafficGenericTransport);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_TRANSPORT = "transport";
+
+ /**
+ * The "time to live" of a packet or datagram.
+ */
+ public void setNetworkTrafficGenericTtl(int networkTrafficGenericTtl) {
+ addField(NETWORK_TRAFFIC_GENERIC_TTL, networkTrafficGenericTtl);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_TTL = "ttl";
+
+ /**
+ * The numeric identifier assigned to the virtual local area network (VLAN)
+ * specified in the record.
+ */
+ public void setNetworkTrafficGenericVlanId(long networkTrafficGenericVlanId) {
+ addField(NETWORK_TRAFFIC_GENERIC_VLAN_ID, networkTrafficGenericVlanId);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_VLAN_ID = "vlan_id";
+
+ /**
+ * The name assigned to the virtual local area network (VLAN) specified in
+ * the record.
+ */
+ public void setNetworkTrafficGenericVlanName(
+ String networkTrafficGenericVlanName) {
+ addField(NETWORK_TRAFFIC_GENERIC_VLAN_NAME,
+ networkTrafficGenericVlanName);
+ }
+ public static String NETWORK_TRAFFIC_GENERIC_VLAN_NAME = "vlan_name";
+
+
+ // ----------------------------------
+ // Packet filtering
+ // ----------------------------------
+
+ /**
+ * The action the filtering device (the dvc_bestmatch field) performed on
+ * the communication.
+ */
+ public void setPacketFilteringAction(String packetFilteringAction) {
+ addField(PACKET_FILTERING_ACTION, packetFilteringAction);
+ }
+ public static String PACKET_FILTERING_ACTION = "action";
+
+ /**
+ * The IP port of the packet's destination, such as 22.
+ */
+ public void setPacketFilteringDestPort(int packetFilteringDestPort) {
+ addField(PACKET_FILTERING_DEST_PORT, packetFilteringDestPort);
+ }
+ public static String PACKET_FILTERING_DEST_PORT = "dest_port";
+
+ /**
+ * The direction the packet is traveling.
+ */
+ public void setPacketFilteringDirection(String packetFilteringDirection) {
+ addField(PACKET_FILTERING_DIRECTION, packetFilteringDirection);
+ }
+ public static String PACKET_FILTERING_DIRECTION = "direction";
+
+ /**
+ * The name of the packet filtering device. If your field is named dvc_host,
+ * dvc_ip, or dvc_nt_host you can alias it as dvc to make it CIM-compliant.
+ */
+ public void setPacketFilteringDvc(String packetFilteringDvc) {
+ addField(PACKET_FILTERING_DVC, packetFilteringDvc);
+ }
+ public static String PACKET_FILTERING_DVC = "dvc";
+
+ /**
+ * The rule which took action on the packet, such as 143.
+ */
+ public void setPacketFilteringRule(String packetFilteringRule) {
+ addField(PACKET_FILTERING_RULE, packetFilteringRule);
+ }
+ public static String PACKET_FILTERING_RULE = "rule";
+
+ /**
+ * The IP port of the packet's source, such as 34541.
+ */
+ public void setPacketFilteringSvcPort(int packetFilteringSvcPort) {
+ addField(PACKET_FILTERING_SVC_PORT, packetFilteringSvcPort);
+ }
+ public static String PACKET_FILTERING_SVC_PORT = "svc_port";
+
+
+ // ----------------------------------
+ // Proxy
+ // ----------------------------------
+
+ /**
+ * The action taken by the proxy.
+ */
+ public void setProxyAction(String proxyAction) {
+ addField(PROXY_ACTION, proxyAction);
+ }
+ public static String PROXY_ACTION = "action";
+
+ /**
+ * The destination of the network traffic (the remote host).
+ */
+ public void setProxyDest(String proxyDest) {
+ addField(PROXY_DEST, proxyDest);
+ }
+ public static String PROXY_DEST = "dest";
+
+ /**
+ * The content-type of the requested HTTP resource.
+ */
+ public void setProxyHttpContentType(String proxyHttpContentType) {
+ addField(PROXY_HTTP_CONTENT_TYPE, proxyHttpContentType);
+ }
+ public static String PROXY_HTTP_CONTENT_TYPE = "http_content_type";
+
+ /**
+ * The HTTP method used to request the resource.
+ */
+ public void setProxyHttpMethod(String proxyHttpMethod) {
+ addField(PROXY_HTTP_METHOD, proxyHttpMethod);
+ }
+ public static String PROXY_HTTP_METHOD = "http_method";
+
+ /**
+ * The HTTP referrer used to request the HTTP resource.
+ */
+ public void setProxyHttpRefer(String proxyHttpRefer) {
+ addField(PROXY_HTTP_REFER, proxyHttpRefer);
+ }
+ public static String PROXY_HTTP_REFER = "http_refer";
+
+ /**
+ * The HTTP response code.
+ */
+ public void setProxyHttpResponse(int proxyHttpResponse) {
+ addField(PROXY_HTTP_RESPONSE, proxyHttpResponse);
+ }
+ public static String PROXY_HTTP_RESPONSE = "http_response";
+
+ /**
+ * The user agent used to request the HTTP resource.
+ */
+ public void setProxyHttpUserAgent(String proxyHttpUserAgent) {
+ addField(PROXY_HTTP_USER_AGENT, proxyHttpUserAgent);
+ }
+ public static String PROXY_HTTP_USER_AGENT = "http_user_agent";
+
+ /**
+ * The product name of the vendor technology generating Network Protection
+ * data, such as IDP, Providentia, and ASA.
+ */
+ public void setProxyProduct(String proxyProduct) {
+ addField(PROXY_PRODUCT, proxyProduct);
+ }
+ public static String PROXY_PRODUCT = "product";
+
+ /**
+ * The source of the network traffic (the client requesting the connection).
+ */
+ public void setProxySrc(String proxySrc) {
+ addField(PROXY_SRC, proxySrc);
+ }
+ public static String PROXY_SRC = "src";
+
+ /**
+ * The HTTP response code indicating the status of the proxy request.
+ */
+ public void setProxyStatus(int proxyStatus) {
+ addField(PROXY_STATUS, proxyStatus);
+ }
+ public static String PROXY_STATUS = "status";
+
+ /**
+ * The user that requested the HTTP resource.
+ */
+ public void setProxyUser(String proxyUser) {
+ addField(PROXY_USER, proxyUser);
+ }
+ public static String PROXY_USER = "user";
+
+ /**
+ * The URL of the requested HTTP resource.
+ */
+ public void setProxyUrl(String proxyUrl) {
+ addField(PROXY_URL, proxyUrl);
+ }
+ public static String PROXY_URL = "url";
+
+ /**
+ * The vendor technology generating Network Protection data, such as IDP,
+ * Providentia, and ASA.
+ */
+ public void setProxyVendor(String proxyVendor) {
+ addField(PROXY_VENDOR, proxyVendor);
+ }
+ public static String PROXY_VENDOR = "vendor";
+
+
+ // ----------------------------------
+ // System center
+ // ----------------------------------
+
+ /**
+ * The running application or service on the system (the src field), such as
+ * explorer.exe or sshd.
+ */
+ public void setSystemCenterApp(String systemCenterApp) {
+ addField(SYSTEM_CENTER_APP, systemCenterApp);
+ }
+ public static String SYSTEM_CENTER_APP = "app";
+
+ /**
+ * The amount of disk space available per drive or mount (the mount field)
+ * on the system (the src field).
+ */
+ public void setSystemCenterFreembytes(long systemCenterFreembytes) {
+ addField(SYSTEM_CENTER_FREEMBYTES, systemCenterFreembytes);
+ }
+ public static String SYSTEM_CENTER_FREEMBYTES = "FreeMBytes";
+
+ /**
+ * The version of operating system installed on the host (the src field),
+ * such as 6.0.1.4 or 2.6.27.30-170.2.82.fc10.x86_64.
+ */
+ public void setSystemCenterKernelRelease(String systemCenterKernelRelease) {
+ addField(SYSTEM_CENTER_KERNEL_RELEASE, systemCenterKernelRelease);
+ }
+ public static String SYSTEM_CENTER_KERNEL_RELEASE = "kernel_release";
+
+ /**
+ * Human-readable version of the SystemUptime value.
+ */
+ public void setSystemCenterLabel(String systemCenterLabel) {
+ addField(SYSTEM_CENTER_LABEL, systemCenterLabel);
+ }
+ public static String SYSTEM_CENTER_LABEL = "label";
+
+ /**
+ * The drive or mount reporting available disk space (the FreeMBytes field)
+ * on the system (the src field).
+ */
+ public void setSystemCenterMount(String systemCenterMount) {
+ addField(SYSTEM_CENTER_MOUNT, systemCenterMount);
+ }
+ public static String SYSTEM_CENTER_MOUNT = "mount";
+
+ /**
+ * The name of the operating system installed on the host (the src), such as
+ * Microsoft Windows Server 2003 or GNU/Linux).
+ */
+ public void setSystemCenterOs(String systemCenterOs) {
+ addField(SYSTEM_CENTER_OS, systemCenterOs);
+ }
+ public static String SYSTEM_CENTER_OS = "os";
+
+ /**
+ * The percentage of processor utilization.
+ */
+ public void setSystemCenterPercentprocessortime(
+ int systemCenterPercentprocessortime) {
+ addField(SYSTEM_CENTER_PERCENTPROCESSORTIME,
+ systemCenterPercentprocessortime);
+ }
+ public static String SYSTEM_CENTER_PERCENTPROCESSORTIME = "PercentProcessorTime";
+
+ /**
+ * The setlocaldefs setting from the SE Linux configuration.
+ */
+ public void setSystemCenterSetlocaldefs(int systemCenterSetlocaldefs) {
+ addField(SYSTEM_CENTER_SETLOCALDEFS, systemCenterSetlocaldefs);
+ }
+ public static String SYSTEM_CENTER_SETLOCALDEFS = "setlocaldefs";
+
+ /**
+ * Values from the SE Linux configuration file.
+ */
+ public void setSystemCenterSelinux(String systemCenterSelinux) {
+ addField(SYSTEM_CENTER_SELINUX, systemCenterSelinux);
+ }
+ public static String SYSTEM_CENTER_SELINUX = "selinux";
+
+ /**
+ * The SE Linux type (such as targeted).
+ */
+ public void setSystemCenterSelinuxtype(String systemCenterSelinuxtype) {
+ addField(SYSTEM_CENTER_SELINUXTYPE, systemCenterSelinuxtype);
+ }
+ public static String SYSTEM_CENTER_SELINUXTYPE = "selinuxtype";
+
+ /**
+ * The shell provided to the User Account (the user field) upon logging into
+ * the system (the src field).
+ */
+ public void setSystemCenterShell(String systemCenterShell) {
+ addField(SYSTEM_CENTER_SHELL, systemCenterShell);
+ }
+ public static String SYSTEM_CENTER_SHELL = "shell";
+
+ /**
+ * The TCP/UDP source port on the system (the src field).
+ */
+ public void setSystemCenterSrcPort(int systemCenterSrcPort) {
+ addField(SYSTEM_CENTER_SRC_PORT, systemCenterSrcPort);
+ }
+ public static String SYSTEM_CENTER_SRC_PORT = "src_port";
+
+ /**
+ * The sshd protocol version.
+ */
+ public void setSystemCenterSshdProtocol(String systemCenterSshdProtocol) {
+ addField(SYSTEM_CENTER_SSHD_PROTOCOL, systemCenterSshdProtocol);
+ }
+ public static String SYSTEM_CENTER_SSHD_PROTOCOL = "sshd_protocol";
+
+ /**
+ * The start mode of the given service.
+ */
+ public void setSystemCenterStartmode(String systemCenterStartmode) {
+ addField(SYSTEM_CENTER_STARTMODE, systemCenterStartmode);
+ }
+ public static String SYSTEM_CENTER_STARTMODE = "Startmode";
+
+ /**
+ * The number of seconds since the system (the src) has been "up."
+ */
+ public void setSystemCenterSystemuptime(long systemCenterSystemuptime) {
+ addField(SYSTEM_CENTER_SYSTEMUPTIME, systemCenterSystemuptime);
+ }
+ public static String SYSTEM_CENTER_SYSTEMUPTIME = "SystemUptime";
+
+ /**
+ * The total amount of available memory on the system (the src).
+ */
+ public void setSystemCenterTotalmbytes(long systemCenterTotalmbytes) {
+ addField(SYSTEM_CENTER_TOTALMBYTES, systemCenterTotalmbytes);
+ }
+ public static String SYSTEM_CENTER_TOTALMBYTES = "TotalMBytes";
+
+ /**
+ * The amount of used memory on the system (the src).
+ */
+ public void setSystemCenterUsedmbytes(long systemCenterUsedmbytes) {
+ addField(SYSTEM_CENTER_USEDMBYTES, systemCenterUsedmbytes);
+ }
+ public static String SYSTEM_CENTER_USEDMBYTES = "UsedMBytes";
+
+ /**
+ * The User Account present on the system (the src).
+ */
+ public void setSystemCenterUser(String systemCenterUser) {
+ addField(SYSTEM_CENTER_USER, systemCenterUser);
+ }
+ public static String SYSTEM_CENTER_USER = "user";
+
+ /**
+ * The number of updates the system (the src) is missing.
+ */
+ public void setSystemCenterUpdates(long systemCenterUpdates) {
+ addField(SYSTEM_CENTER_UPDATES, systemCenterUpdates);
+ }
+ public static String SYSTEM_CENTER_UPDATES = "updates";
+
+
+ // ----------------------------------
+ // Traffic
+ // ----------------------------------
+
+ /**
+ * The destination of the network traffic. If your field is named dest_host,
+ * dest_ip, dest_ipv6, or dest_nt_host you can alias it as dest to make it
+ * CIM-compliant.
+ */
+ public void setTrafficDest(String trafficDest) {
+ addField(TRAFFIC_DEST, trafficDest);
+ }
+ public static String TRAFFIC_DEST = "dest";
+
+ /**
+ * The name of the packet filtering device. If your field is named dvc_host,
+ * dvc_ip, or dvc_nt_host you can alias it as dvc to make it CIM-compliant.
+ */
+ public void setTrafficDvc(String trafficDvc) {
+ addField(TRAFFIC_DVC, trafficDvc);
+ }
+ public static String TRAFFIC_DVC = "dvc";
+
+ /**
+ * The source of the network traffic. If your field is named src_host,
+ * src_ip, src_ipv6, or src_nt_host you can alias it as src to make it
+ * CIM-compliant.
+ */
+ public void setTrafficSrc(String trafficSrc) {
+ addField(TRAFFIC_SRC, trafficSrc);
+ }
+ public static String TRAFFIC_SRC = "src";
+
+
+ // ----------------------------------
+ // Update
+ // ----------------------------------
+
+ /**
+ * The name of the installed update.
+ */
+ public void setUpdatePackage(String updatePackage) {
+ addField(UPDATE_PACKAGE, updatePackage);
+ }
+ public static String UPDATE_PACKAGE = "package";
+
+
+ // ----------------------------------
+ // User information updates
+ // ----------------------------------
+
+ /**
+ * A user that has been affected by a change. For example, user fflanda
+ * changed the name of user rhallen, so affected_user=rhallen.
+ */
+ public void setUserInfoUpdatesAffectedUser(
+ String userInfoUpdatesAffectedUser) {
+ addField(USER_INFO_UPDATES_AFFECTED_USER, userInfoUpdatesAffectedUser);
+ }
+ public static String USER_INFO_UPDATES_AFFECTED_USER = "affected_user";
+
+ /**
+ * The user group affected by a change.
+ */
+ public void setUserInfoUpdatesAffectedUserGroup(
+ String userInfoUpdatesAffectedUserGroup) {
+ addField(USER_INFO_UPDATES_AFFECTED_USER_GROUP,
+ userInfoUpdatesAffectedUserGroup);
+ }
+ public static String USER_INFO_UPDATES_AFFECTED_USER_GROUP = "affected_user_group";
+
+ /**
+ * The identifier of the user group affected by a change.
+ */
+ public void setUserInfoUpdatesAffectedUserGroupId(
+ int userInfoUpdatesAffectedUserGroupId) {
+ addField(USER_INFO_UPDATES_AFFECTED_USER_GROUP_ID,
+ userInfoUpdatesAffectedUserGroupId);
+ }
+ public static String USER_INFO_UPDATES_AFFECTED_USER_GROUP_ID = "affected_user_group_id";
+
+ /**
+ * The identifier of the user affected by a change.
+ */
+ public void setUserInfoUpdatesAffectedUserId(
+ int userInfoUpdatesAffectedUserId) {
+ addField(USER_INFO_UPDATES_AFFECTED_USER_ID,
+ userInfoUpdatesAffectedUserId);
+ }
+ public static String USER_INFO_UPDATES_AFFECTED_USER_ID = "affected_user_id";
+
+ /**
+ * The security context associated with the user affected by a change.
+ */
+ public void setUserInfoUpdatesAffectedUserPrivilege(
+ String userInfoUpdatesAffectedUserPrivilege) {
+ addField(USER_INFO_UPDATES_AFFECTED_USER_PRIVILEGE,
+ userInfoUpdatesAffectedUserPrivilege);
+ }
+ public static String USER_INFO_UPDATES_AFFECTED_USER_PRIVILEGE = "affected_user_privilege";
+
+ /**
+ * The name of the user affected by the recorded event.
+ */
+ public void setUserInfoUpdatesUser(String userInfoUpdatesUser) {
+ addField(USER_INFO_UPDATES_USER, userInfoUpdatesUser);
+ }
+ public static String USER_INFO_UPDATES_USER = "user";
+
+ /**
+ * A user group that is the object of an event, expressed in human-readable
+ * terms.
+ */
+ public void setUserInfoUpdatesUserGroup(String userInfoUpdatesUserGroup) {
+ addField(USER_INFO_UPDATES_USER_GROUP, userInfoUpdatesUserGroup);
+ }
+ public static String USER_INFO_UPDATES_USER_GROUP = "user_group";
+
+ /**
+ * The numeric identifier assigned to the user group event object.
+ */
+ public void setUserInfoUpdatesUserGroupId(int userInfoUpdatesUserGroupId) {
+ addField(USER_INFO_UPDATES_USER_GROUP_ID, userInfoUpdatesUserGroupId);
+ }
+ public static String USER_INFO_UPDATES_USER_GROUP_ID = "user_group_id";
+
+ /**
+ * The system-assigned identifier for the user affected by an event.
+ */
+ public void setUserInfoUpdatesUserId(int userInfoUpdatesUserId) {
+ addField(USER_INFO_UPDATES_USER_ID, userInfoUpdatesUserId);
+ }
+ public static String USER_INFO_UPDATES_USER_ID = "user_id";
+
+ /**
+ * The security context associated with the object of an event (the affected
+ * user).
+ */
+ public void setUserInfoUpdatesUserPrivilege(
+ String userInfoUpdatesUserPrivilege) {
+ addField(USER_INFO_UPDATES_USER_PRIVILEGE, userInfoUpdatesUserPrivilege);
+ }
+ public static String USER_INFO_UPDATES_USER_PRIVILEGE = "user_privilege";
+
+ /**
+ * The name of the user that is the subject of an event--the user executing
+ * the action, in other words.
+ */
+ public void setUserInfoUpdatesUserSubject(String userInfoUpdatesUserSubject) {
+ addField(USER_INFO_UPDATES_USER_SUBJECT, userInfoUpdatesUserSubject);
+ }
+ public static String USER_INFO_UPDATES_USER_SUBJECT = "user_subject";
+
+ /**
+ * The ID number of the user that is the subject of an event.
+ */
+ public void setUserInfoUpdatesUserSubjectId(int userInfoUpdatesUserSubjectId) {
+ addField(USER_INFO_UPDATES_USER_SUBJECT_ID, userInfoUpdatesUserSubjectId);
+ }
+ public static String USER_INFO_UPDATES_USER_SUBJECT_ID = "user_subject_id";
+
+ /**
+ * The security context associated with the subject of an event (the user
+ * causing a change).
+ */
+ public void setUserInfoUpdatesUserSubjectPrivilege(
+ String userInfoUpdatesUserSubjectPrivilege) {
+ addField(USER_INFO_UPDATES_USER_SUBJECT_PRIVILEGE,
+ userInfoUpdatesUserSubjectPrivilege);
+ }
+ public static String USER_INFO_UPDATES_USER_SUBJECT_PRIVILEGE = "user_subject_privilege";
+
+
+ // ----------------------------------
+ // Vulnerability
+ // ----------------------------------
+
+ /**
+ * The category of the discovered vulnerability.
+ */
+ public void setVulnerabilityCategory(String vulnerabilityCategory) {
+ addField(VULNERABILITY_CATEGORY, vulnerabilityCategory);
+ }
+ public static String VULNERABILITY_CATEGORY = "category";
+
+ /**
+ * The host with the discovered vulnerability. If your field is named
+ * dest_host, dest_ip, dest_ipv6, or dest_nt_host you can alias it as dest
+ * to make it CIM-compliant.
+ */
+ public void setVulnerabilityDest(String vulnerabilityDest) {
+ addField(VULNERABILITY_DEST, vulnerabilityDest);
+ }
+ public static String VULNERABILITY_DEST = "dest";
+
+ /**
+ * The operating system of the host containing the vulnerability detected on
+ * the client (the src field), such as SuSE Security Update, or cups
+ * security update.
+ */
+ public void setVulnerabilityOs(String vulnerabilityOs) {
+ addField(VULNERABILITY_OS, vulnerabilityOs);
+ }
+ public static String VULNERABILITY_OS = "os";
+
+ /**
+ * The severity of the discovered vulnerability.
+ */
+ public void setVulnerabilitySeverity(String vulnerabilitySeverity) {
+ addField(VULNERABILITY_SEVERITY, vulnerabilitySeverity);
+ }
+ public static String VULNERABILITY_SEVERITY = "severity";
+
+ /**
+ * The name of the vulnerability detected on the client (the src field),
+ * such as SuSE Security Update, or cups security update.
+ */
+ public void setVulnerabilitySignature(String vulnerabilitySignature) {
+ addField(VULNERABILITY_SIGNATURE, vulnerabilitySignature);
+ }
+ public static String VULNERABILITY_SIGNATURE = "signature";
+
+
+ // ----------------------------------
+ // Windows administration
+ // ----------------------------------
+
+ /**
+ * The object name (associated only with Windows).
+ */
+ public void setWindowsAdminObjectName(String windowsAdminObjectName) {
+ addField(WINDOWS_ADMIN_OBJECT_NAME, windowsAdminObjectName);
+ }
+ public static String WINDOWS_ADMIN_OBJECT_NAME = "object_name";
+
+ /**
+ * The object type (associated only with Windows).
+ */
+ public void setWindowsAdminObjectType(String windowsAdminObjectType) {
+ addField(WINDOWS_ADMIN_OBJECT_TYPE, windowsAdminObjectType);
+ }
+ public static String WINDOWS_ADMIN_OBJECT_TYPE = "object_type";
+
+ /**
+ * The object handle (associated only with Windows).
+ */
+ public void setWindowsAdminObjectHandle(String windowsAdminObjectHandle) {
+ addField(WINDOWS_ADMIN_OBJECT_HANDLE, windowsAdminObjectHandle);
+ }
+ public static String WINDOWS_ADMIN_OBJECT_HANDLE = "object_handle";
+}
diff --git a/src/test/java/Util.java b/src/test/java/Util.java
index 82827fd1..603897d3 100644
--- a/src/test/java/Util.java
+++ b/src/test/java/Util.java
@@ -34,11 +34,11 @@ public static class StringContainer {
 /**
 * Asynchronously read a line from a TCP port or time out.
 *
- * This method immediately returns a StringContainer object with its value set to null.
- * It then listens on TCP port port. If a line arrives on that port within timeoutInMs
+ * This method immediately returns a StringContainer object with its value set to null.
+ * It then listens on TCP port port. If a line arrives on that port within timeoutInMs
 * milliseconds, its sets that line (minus the terminating newline) as the value of the returned
 * StringContainer and calls notifyAll on the StringContainer. If no line as arrived after the timeout
- * expires, it calls notifyAll but leaves the value null.
+ * expires, it calls notifyAll but leaves the value null.
 *
 * A user of the method should call it something like this:
 *
From dccb33d12e73c32fb120259ca260192ebea5de8f Mon Sep 17 00:00:00 2001 From: David Poncelow Date: Thu, 9 Jan 2020 13:24:14 -0800 Subject: [PATCH 25/26] add changelog entry for v1.8 --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 349fc689..5206d386 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Splunk Logging for Java Changelog
 
+## Version 1.8.0
+
+* Update JSON serialization- message property should not be encoded as a string
+* Changed underlying HTTP client to OkHttp. This change should decrease memory
+ usage and increase performance.
+* Updated Gradle build plugins to latest versions
+
 ## Version 1.7.3
 
 * Update Log4j dependency version to 2.10.0 [#114](https://github.com/splunk/splunk-library-javalogging/pull/114).
From 5cff2199083a831a658c7e7dca67417e658f2404 Mon Sep 17 00:00:00 2001 From: David Poncelow Date: Thu, 16 Jan 2020 15:03:09 -0800 Subject: [PATCH 26/26] release 1.8.0 --- README.md | 7 ++++--- pom.xml | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index b601ffc3..3ec6069a 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # Splunk Logging for Java
 
-#### Version 1.7.3
+#### Version 1.8.0
 
 Splunk logging for Java enables you to log events to HTTP Event Collector or to a TCP input on a Splunk Enterprise instance within your Java applications. You can use three major Java logging frameworks: [Logback](http://logback.qos.ch), [Log4j 2](http://logging.apache.org/log4j/2.x/), and [java.util.logging](https://docs.oracle.com/javase/7/docs/api/java/util/logging/package-summary.html). Splunk logging for Java is also enabled for [Simple Logging Facade for Java (SLF4J)](http://www.slf4j.org).
 
@@ -28,7 +28,7 @@ Splunk and system requirements, see [Installing & Running Splunk](http://dev.spl
 
 #### Java
 
-You'll need Java version 7 or higher, from [OpenJDK](https://openjdk.java.net) or [Oracle](https://www.oracle.com/technetwork/java).
+You'll need Java version 8 or higher, from [OpenJDK](https://openjdk.java.net) or [Oracle](https://www.oracle.com/technetwork/java).
 
 ## Documentation and resources
 
@@ -36,7 +36,8 @@ You'll need Java version 7 or higher, from [OpenJDK](https://openjdk.java.net) o [Overview of Splunk logging for Java](http://dev.splunk.com/goto/sdk-slj). * For reference documentation, see the - [Splunk logging for Java API reference](https://docs.splunk.com/DocumentationStatic/JavaLogging/1.6.2/index.html). + [Splunk logging for Java API reference](https://docs.splunk.com + /DocumentationStatic/JavaLogging/1.8.0/index.html). * For all things developer with Splunk, see the [Splunk Developer Portal](http://dev.splunk.com). diff --git a/pom.xml b/pom.xml index c4095b51..a5103c1c 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.splunk.logging splunk-library-javalogging - 1.8.0-SNAPSHOT + 1.8.0 jar Splunk Logging for Java