add syslog parsers to support iso8601 date format

normalizers/common_tagTypes.xml

@@ -68,6 +68,13 @@
         </description>
         <regexp>[A-Z][a-z]{2} [ 0-9]\d \d{2}:\d{2}:\d{2}</regexp>
     </tagType>
+    <tagType name="syslogDateISO" type="datetime">
+        <description>
+            <localized_desc language="en">Expression matching syslog dates.</localized_desc>
+            <localized_desc language="fr">Date au format syslog.</localized_desc>
+        </description>
+        <regexp>(?:\d{4}\-\d\d\-\d\d(:?[tT][\d:\.]*)?)(?:[zZ]|(?:[+\-])(:?\d\d):?(:?\d\d))?</regexp>
+    </tagType>
     <tagType name="URL" type="basestring">
         <description>
             <localized_desc language="en">Matches an URL.</localized_desc>

normalizers/syslog.xml

@@ -79,6 +79,10 @@ log["severity"] = "%s" % SEVERITIES[severity]
 log["facility_code"] = "%d" % facility
 log["severity_code"] = "%d" % severity
   </callback>
+  <callback name="iso_to_utc">
+utc_date = extras.iso_to_utc(value)
+log['date'] = utc_date
+  </callback>
  </callbacks>
  <patterns>
   <pattern name="syslog-001">
@@ -257,6 +261,125 @@ log["severity_code"] = "%d" % severity
     </example>
    </examples>
   </pattern>
+  <pattern name="syslog-004-iso-timestamp">
+   <description>
+    <localized_desc language="en">A syslog line with optional priority (if sent through network), source, program and optional PID. Using iso timestamp</localized_desc>
+    <localized_desc language="fr">Une ligne de log encapsulée par syslog comprenant une priorité optionnelle (présente si les logs transitent via le réseau), une source, un programme et un PID (optionnel). Utilise l'horodatage iso</localized_desc>
+   </description>
+   <text>(?:&lt;PRIORITY&gt;)?DATE SOURCE PROGRAM(?:\[PID\])?: BODY</text>
+   <tags>
+    <tag name="__priority" tagType="syslogPriority"><!-- tags starting with double underscores will not appear in the final wallixlog.-->
+     <description>
+      <localized_desc language="en">the log's priority</localized_desc>
+      <localized_desc language="fr">la priorité du log, égale à 8 x facilité + gravité</localized_desc>
+     </description>
+     <substitute>PRIORITY</substitute>
+     <callbacks>
+      <callback>decode_priority</callback>
+     </callbacks>
+    </tag>
+    <tag name="date" tagType="syslogDateISO">
+     <description>
+     <localized_desc language="en">the log's date and time</localized_desc>
+     <localized_desc language="fr">l'horodatage du log par le démon syslog</localized_desc></description>
+     <substitute>DATE</substitute>
+     <callbacks>
+      <callback>iso_to_utc</callback>
+     </callbacks>
+    </tag>
+    <tag name="source" tagType="syslogSource">
+     <description>
+     <localized_desc language="en">the log's source</localized_desc>
+     <localized_desc language="fr">l'équipement d'origine de l'événement</localized_desc></description>
+     <substitute>SOURCE</substitute>
+    </tag>
+    <tag name="program" tagType="syslogProgram">
+     <description>
+     <localized_desc language="en">the log's program</localized_desc>
+     <localized_desc language="fr">le programme à l'origine de l'événement</localized_desc>
+     </description>
+     <substitute>PROGRAM</substitute>
+    </tag>
+    <tag name="pid" tagType="Integer">
+     <description>
+     <localized_desc language="en">the program's process ID</localized_desc>
+     <localized_desc language="fr">le PID du programme</localized_desc>
+     </description>
+     <substitute>PID</substitute>
+    </tag>
+    <tag name="body" tagType="Anything">
+     <description>
+     <localized_desc language="en">the actual event message</localized_desc>
+     <localized_desc language="fr">le message décrivant l'événement</localized_desc>
+     </description>
+     <substitute>BODY</substitute>
+    </tag>
+   </tags>
+   <examples>
+    <example>
+     <text>&lt;29&gt;Jul 18 08:55:35 naruto dhclient[2218]: bound to 10.10.4.11 -- renewal in 2792 seconds.</text>
+     <expectedTags>
+      <expectedTag name="facility">daemon</expectedTag>
+      <expectedTag name="severity">notice</expectedTag>
+      <expectedTag name="source">naruto</expectedTag>
+      <expectedTag name="program">dhclient</expectedTag>
+      <expectedTag name="pid">2218</expectedTag>
+      <expectedTag name="body">bound to 10.10.4.11 -- renewal in 2792 seconds.</expectedTag>
+     </expectedTags>
+    </example>
+   </examples>
+  </pattern>
+  <pattern name="syslog-005-iso-timestamp">
+   <description>
+    <localized_desc language="en">A syslog line with optional priority (if sent through network), source, and no information about program and PID. Using iso timestamp</localized_desc>
+    <localized_desc language="fr">Une ligne de log encapsulée par syslog comprenant une priorité optionnelle (présente si les logs transitent via le réseau), une source, et pas d'information sur le programme. Utilise l'horodatage iso</localized_desc>
+   </description>
+   <text>(?:&lt;PRIORITY&gt;)?DATE SOURCE BODY</text>
+   <tags>
+    <tag name="__priority" tagType="syslogPriority">
+     <description>
+      <localized_desc language="en">the log's priority</localized_desc>
+      <localized_desc language="fr">la priorité du log, égale à 8 x facilité + gravité</localized_desc>
+     </description>
+     <substitute>PRIORITY</substitute>
+     <callbacks>
+      <callback>decode_priority</callback>
+     </callbacks>
+    </tag>
+    <tag name="date" tagType="syslogDateISO">
+     <description>
+     <localized_desc language="en">the log's date and time</localized_desc>
+     <localized_desc language="fr">l'horodatage du log par le démon syslog</localized_desc></description>
+     <substitute>DATE</substitute>
+     <callbacks>
+      <callback>iso_to_utc</callback>
+     </callbacks>
+    </tag>
+    <tag name="source" tagType="syslogSource">
+     <description>
+     <localized_desc language="en">the log's source</localized_desc>
+     <localized_desc language="fr">l'équipement d'origine de l'événement</localized_desc></description>
+     <substitute>SOURCE</substitute>
+    </tag>
+    <tag name="body" tagType="Anything">
+     <description>
+     <localized_desc language="en">the actual event message</localized_desc>
+     <localized_desc language="fr">le message décrivant l'événement</localized_desc>
+     </description>
+     <substitute>BODY</substitute>
+    </tag>
+   </tags>
+   <examples>
+    <example>
+     <text>&lt;29&gt;2013-11-05T11:09:02+01:00 naruto bound to 10.10.4.11 -- renewal in 2792 seconds.</text>
+     <expectedTags>
+      <expectedTag name="facility">daemon</expectedTag>
+      <expectedTag name="severity">notice</expectedTag>
+      <expectedTag name="source">naruto</expectedTag>
+      <expectedTag name="body">bound to 10.10.4.11 -- renewal in 2792 seconds.</expectedTag>
+     </expectedTags>
+    </example>
+   </examples>
+  </pattern>
  </patterns>
-</normalizer>
-
+</normalizer>

tests/test_log_samples.py

@@ -1263,7 +1263,15 @@ def test_eventlogW8EN(self):
                  'status': 'failure',
                  })               
 
-
+    def test_wabObjects(self):
+        """Testing WAB objects logs"""
+        self.aS(u"""<14>Jul 11 11:49:21 wab2-3-1-4 wabengine: [-] Group 'foo' has just been saved by admin""",
+                { 'wab_object_type': 'Group',
+                  'wab_object_content': 'foo',
+                  'wab_object_action': 'save',
+                  'by_user': 'admin',
+
+                 })
 
 
 if __name__ == "__main__":

tests/test_normalizer.py

@@ -173,6 +173,9 @@ def test_normalize_samples_036_eventlogW2008(self):
         self.normalize_samples('eventlog_security_audit_windows2008_fr_2.xml', 'EventLog-Security-Windows2008[FR]_2', 0.99)
         self.normalize_samples('eventlog_security_audit_windows2008_en_3.xml', 'EventLog-Security-Windows2008[EN]_3', 0.99)
         self.normalize_samples('eventlog_security_audit_windows2008_fr_3.xml', 'EventLog-Security-Windows2008[FR]_3', 0.99)
+
+    def test_normalize_samples_037_wabObject(self):
+        self.normalize_samples('wabObjects.xml', 'wabObject', 0.99)
 
 class TestCSVPattern(unittest.TestCase):
     """Test CSVPattern behaviour"""