Rsyslog lognormalizer date field parse failure - syslog

I am trying to use lognorm/lognormalizer to test my .rb file to use with rsyslog mmnormalize module. My log file looks like this:
2017-08-19T17:00:12.52Z,john,26,engineer
2017-08-19T17:00:12.59Z,susan,28,doctor
My rb file is as follows:
version=2
rule=:%date:date-rfc3164%,%name:word%,%age:number%,%job:word%
When running lognormalizer:
head -2 /home/debian/olas/test.log | /usr/lib/x86_64-linux-gnu/lognorm/lognormalizer -r /home/debian/olas/rule.rb -e json
I get:
{ "originalmsg": "2017-08-19T17:00:12.52Z,john,26,engineer", "unparsed-data": "2017-08-19T17:00:12.52Z,john,26,engineer" }
{ "originalmsg": "2017-08-19T17:00:13.56Z,susan,28,doctor", "unparsed-data": "2017-08-19T17:00:13.56Z,susan,28,doctor" }
This means the rb script is not correct. Does anyone know what I am doing wrong? The date field, I guess, is not correctly configured; should I insert any other module? I can't find anything on the web. Thank you

You can use this rule:
version=2
rule=:%date:char-to{"extradata":","}%,%name:char-to{"extradata":","}%,%age:number{"format":"number"}%,%job:rest%
which produces the following output using Lognormalizer (pretty printed):
{
"job": "engineer",
"age": 26,
"name": "john",
"date": "2017-08-19T17:00:12.52Z"
},
{
"job": "doctor",
"age": 28,
"name": "susan",
"date": "2017-08-19T17:00:12.59Z"
}
Test command:
lognormalizer -P -H -r my.rule < mylog.log
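To see why the original rule fails on these lines and the suggested rule succeeds, here is an added illustration (not liblognorm's own code): a small emulation of how a v2 rule is applied, limited to the parsers used in this thread. The regexes for date-rfc3164, word, number and rest are approximations of the real parsers, and the two sample lines are the question's own log.

```python
import json, re

# Added emulation of liblognorm v2 rule matching, restricted to the parsers
# this thread uses. Not liblognorm's code; the parser regexes are approximations.
LINES = [
    "2017-08-19T17:00:12.52Z,john,26,engineer",
    "2017-08-19T17:00:12.59Z,susan,28,doctor",
]
BAD_RULE = "rule=:%date:date-rfc3164%,%name:word%,%age:number%,%job:word%"
GOOD_RULE = ('rule=:%date:char-to{"extradata":","}%,%name:char-to{"extradata":","}%,'
             '%age:number{"format":"number"}%,%job:rest%')

# RFC 3164 dates look like "Aug 19 17:00:12", so an ISO 8601 stamp never matches.
PARSERS = {
    "date-rfc3164": re.compile(r"[A-Z][a-z]{2} [ 0-9]\d \d\d:\d\d:\d\d"),
    "word": re.compile(r"\S+"),      # runs up to the next whitespace
    "number": re.compile(r"\d+"),
    "rest": re.compile(r".*"),
}
FIELD = re.compile(r"%(\w+):([\w-]+)(\{.*?\})?%")

def compile_rule(rule):
    """Split a 'rule=:' line into literal text and %field:parser{opts}% parts."""
    body, parts, pos = rule.split("rule=:", 1)[1], [], 0
    for m in FIELD.finditer(body):
        parts.append(("lit", body[pos:m.start()]))
        parts.append(("field", m.group(1), m.group(2), json.loads(m.group(3) or "{}")))
        pos = m.end()
    parts.append(("lit", body[pos:]))
    return parts

def normalize(line, parts):
    """Match one line; on failure report the unmatched remainder like lognormalizer."""
    out, pos = {}, 0
    for part in parts:
        if part[0] == "lit":
            if not line.startswith(part[1], pos):
                return {"originalmsg": line, "unparsed-data": line[pos:]}
            pos += len(part[1])
            continue
        _, name, parser, opts = part
        if parser == "char-to":      # read up to, but not including, the delimiter
            end = line.find(opts["extradata"], pos)
            value = line[pos:end] if end >= 0 else None
        else:
            m = PARSERS[parser].match(line, pos)
            value = m.group(0) if m else None
        if value is None:
            return {"originalmsg": line, "unparsed-data": line[pos:]}
        out[name] = int(value) if parser == "number" and opts.get("format") == "number" else value
        pos += len(value)
    return out
```

Running `normalize(LINES[0], compile_rule(BAD_RULE))` returns the whole line as unparsed-data because the date parser fails at offset 0, which is exactly the output in the question; the same call with GOOD_RULE returns the four fields with age as a number.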

Related

How to use jq package to parse name and id from json?

I have an output that I am getting in this format:
[
{
"_class": "hudson.model.FreeStyleProject",
"name": "my-name",
"id": "123"
},
{
"_class": "hudson.model.FreeStyleProject",
"name": "my-name2",
"id": "456"
},
{
"_class": "hudson.model.FreeStyleProject",
"name": "my-name3",
"id": "789"
}
]
How can I parse the name and id using jq?
I tried to use [].name
but I get curl: (23) Failed writing body (320 != 1338)
Any help will be appreciated. Thank you.
You failed to mention the relevant error:
jq: error (at <stdin>:17): Cannot index array with string "name"
The program should be
.[].name
Because you provided an incorrect program to jq, it exited earlier than it normally would. This caused the pipe between curl and jq to close, which caused curl to become unable to write to the pipe, which caused curl to emit the error message you did provide.
Demo
https://jqplay.org/s/nolGbk3sD1
Use filter
.[] | .name, .id

Re-create openstack artifacts from previous command output?

Is there an easy way to convert OpenStack show command outputs into openstack commands?
The goal is to rebuild an OpenStack environment after a complete wipe.
(For example: openstack network show myNet > out.txt,
then somehow generate the OpenStack CLI command with the appropriate fields to re-create this same exact network, based on out.txt?)
Thanks!
You can write the output of the show commands as a JSON-formatted string into a file, so you can easily read the information from the output with a Python script to create and execute your desired commands.
To print the output of an openstack command as JSON, add -f json at the end of your command.
Example:
openstack server show cirros -f json
{
"OS-DCF:diskConfig": "MANUAL",
"OS-EXT-AZ:availability_zone": "nova",
"OS-EXT-SRV-ATTR:host": "test-system",
"OS-EXT-SRV-ATTR:hypervisor_hostname": "test-system",
"OS-EXT-SRV-ATTR:instance_name": "instance-00000001",
"OS-EXT-STS:power_state": "Shutdown",
"OS-EXT-STS:task_state": null,
"OS-EXT-STS:vm_state": "stopped",
"OS-SRV-USG:launched_at": "2020-07-22T08:41:06.000000",
"OS-SRV-USG:terminated_at": null,
"accessIPv4": "",
"accessIPv6": "",
"addresses": "test-network=192.168.62.207",
"config_drive": "",
"created": "2020-07-22T08:40:46Z",
"flavor": "f1 (273a2179-ac85-4c54-a40a-2c0121b338ff)",
"id": "6d302fcf-4de3-45a5-93c0-eb95650e5952",
"image": "cirros (86dded1f-8e0f-4342-906e-8ff9fbd854e2)",
"name": "cirros",
"project_id": "cbba4b1f3cb4460ca63e8ddb87c9b5fb",
"properties": "",
"security_groups": "name='default'",
"status": "SHUTOFF",
"updated": "2020-08-17T13:26:55Z",
"user_id": "b6505d6801e84fb98d77d2461f9719c2",
"volumes_attached": ""
}
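As an added illustration of the script the answer has in mind (not code from the answer), the following turns the `-f json` show output above into an `openstack server create` command. Only the fields present in the sample are mapped, the sample is embedded so it runs offline, and the "net=ip; net2=ip" form of the addresses field and the "name='x'" form of security_groups are assumed from the sample.

```python
import json, re, shlex

# Constructed from the answer's sample `openstack server show cirros -f json`
# output; only the fields needed for the create command are kept.
SHOW_OUTPUT = """{
  "addresses": "test-network=192.168.62.207",
  "flavor": "f1 (273a2179-ac85-4c54-a40a-2c0121b338ff)",
  "image": "cirros (86dded1f-8e0f-4342-906e-8ff9fbd854e2)",
  "name": "cirros",
  "security_groups": "name='default'",
  "status": "SHUTOFF"
}"""

NAME_ID = re.compile(r"^(.*?) \(([0-9a-f-]{36})\)$")   # "f1 (<uuid>)"

def name_of(field):
    """Return the human name from a 'name (uuid)' field, or the raw value."""
    m = NAME_ID.match(field)
    return m.group(1) if m else field

def parse_addresses(value):
    """Assumed format 'net1=ip1, ip2; net2=ip3' -> ['net1', 'net2']."""
    return [part.split("=", 1)[0].strip() for part in value.split(";") if "=" in part]

def parse_security_groups(value):
    """Assumed format \"name='a', name='b'\" -> ['a', 'b']."""
    return re.findall(r"name='([^']*)'", value)

def recreate_command(show_json):
    """Build an `openstack server create` command line from show output.

    Every argument goes through shlex.quote: the names come from the cloud,
    not from the operator, and the result is meant to be pasted into a shell.
    """
    s = json.loads(show_json)
    argv = ["openstack", "server", "create",
            "--flavor", name_of(s["flavor"]),
            "--image", name_of(s["image"])]
    for net in parse_addresses(s["addresses"]):
        argv += ["--network", net]
    for sg in parse_security_groups(s["security_groups"]):
        argv += ["--security-group", sg]
    argv.append(s["name"])
    return " ".join(shlex.quote(a) for a in argv)

if __name__ == "__main__":
    print(recreate_command(SHOW_OUTPUT))
```

The fixed IP from the addresses field is deliberately not reused; re-creating it would need a port or a `--nic` option that the sample does not show.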

Stopping a user from editing system indices

The below is the code I use to give a certain set of users access to any indices that start with "custom-". But I want the users to be able to do whatever they want to ANY index (so "*"), EXCEPT for the system indices (which start with "."). Is there a way I can do this with the below code, perhaps with a regex? I tried "names": [ "a-zA-Z0-9" ]," but that didn't work.
curl -XPUT https://elasticsearch1:9200/_xpack/security/role/custom-users -u elastic -k -v -H "Content-Type: application/json" -d '
{
"indices": [{
"names": [ "custom-*" ],
"privileges": ["all"]
}],
"metadata": {
"version" : 1
}
}
'
This worked:
{ "names": ["#&~(^..+)"], "privileges": ["all"] }

Transforming json to table using JQ gives "Cannot index string error"

Output of the following command
jq '.data[] | select(.vulnerable_configuration_cpe_2_2 | contains(["2.4.38"]))' search1.json
gives me
{
"Modified": "2019-06-11T17:29:00.647000",
"Published": "2019-06-11T17:29:00.630000",
"cvss": "5.0",
"cwe": "CWE-399",
"id": "CVE-2019-0220",
"last-modified": "2019-06-25T06:15:10.627000",
"reason": "Text search",
"references": [
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00051.html"
],
"summary": "A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them.",
"vulnerable_configuration": [
"cpe:2.3:a:apache:http_server:2.4.0",
"cpe:2.3:a:apache:http_server:2.4.1",
"cpe:2.3:a:apache:http_server:2.4.2",
"cpe:2.3:a:apache:http_server:2.4.3",
"cpe:2.3:a:apache:http_server:2.4.4",
"cpe:2.3:a:apache:http_server:2.4.6",
"cpe:2.3:a:apache:http_server:2.4.7",
"cpe:2.3:a:apache:http_server:2.4.8",
"cpe:2.3:a:apache:http_server:2.4.9",
"cpe:2.3:a:apache:http_server:2.4.10",
"cpe:2.3:a:apache:http_server:2.4.12",
"cpe:2.3:a:apache:http_server:2.4.14",
"cpe:2.3:a:apache:http_server:2.4.16",
"cpe:2.3:a:apache:http_server:2.4.17",
"cpe:2.3:a:apache:http_server:2.4.18",
"cpe:2.3:a:apache:http_server:2.4.19",
"cpe:2.3:a:apache:http_server:2.4.20",
"cpe:2.3:a:apache:http_server:2.4.21",
"cpe:2.3:a:apache:http_server:2.4.22",
"cpe:2.3:a:apache:http_server:2.4.23",
"cpe:2.3:a:apache:http_server:2.4.24",
"cpe:2.3:a:apache:http_server:2.4.25",
"cpe:2.3:a:apache:http_server:2.4.26",
"cpe:2.3:a:apache:http_server:2.4.27",
"cpe:2.3:a:apache:http_server:2.4.28",
"cpe:2.3:a:apache:http_server:2.4.29",
"cpe:2.3:a:apache:http_server:2.4.30",
"cpe:2.3:a:apache:http_server:2.4.32",
"cpe:2.3:a:apache:http_server:2.4.33",
"cpe:2.3:a:apache:http_server:2.4.34",
"cpe:2.3:a:apache:http_server:2.4.35",
"cpe:2.3:a:apache:http_server:2.4.36",
"cpe:2.3:a:apache:http_server:2.4.37",
"cpe:2.3:a:apache:http_server:2.4.38",
"cpe:2.3:o:opensuse:leap:15.0",
"cpe:2.3:o:opensuse:leap:42.3",
"cpe:2.3:o:debian:debian_linux:8.0",
"cpe:2.3:o:debian:debian_linux:9.0",
"cpe:2.3:o:fedoraproject:fedora:28",
"cpe:2.3:o:fedoraproject:fedora:29",
"cpe:2.3:o:fedoraproject:fedora:30",
"cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts",
"cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts",
"cpe:2.3:o:canonical:ubuntu_linux:18.04:-:-:-:lts",
"cpe:2.3:o:canonical:ubuntu_linux:18.10"
],
"vulnerable_configuration_cpe_2_2": [
"cpe:/a:apache:http_server:2.4.0",
"cpe:/a:apache:http_server:2.4.1",
"cpe:/a:apache:http_server:2.4.2",
"cpe:/a:apache:http_server:2.4.3",
"cpe:/a:apache:http_server:2.4.4",
"cpe:/a:apache:http_server:2.4.6",
"cpe:/a:apache:http_server:2.4.7",
"cpe:/a:apache:http_server:2.4.8",
"cpe:/a:apache:http_server:2.4.9",
"cpe:/a:apache:http_server:2.4.10",
"cpe:/a:apache:http_server:2.4.12",
"cpe:/a:apache:http_server:2.4.14",
"cpe:/a:apache:http_server:2.4.16",
"cpe:/a:apache:http_server:2.4.17",
"cpe:/a:apache:http_server:2.4.18",
"cpe:/a:apache:http_server:2.4.19",
"cpe:/a:apache:http_server:2.4.20",
"cpe:/a:apache:http_server:2.4.21",
"cpe:/a:apache:http_server:2.4.22",
"cpe:/a:apache:http_server:2.4.23",
"cpe:/a:apache:http_server:2.4.24",
"cpe:/a:apache:http_server:2.4.25",
"cpe:/a:apache:http_server:2.4.26",
"cpe:/a:apache:http_server:2.4.27",
"cpe:/a:apache:http_server:2.4.28",
"cpe:/a:apache:http_server:2.4.29",
"cpe:/a:apache:http_server:2.4.30",
"cpe:/a:apache:http_server:2.4.32",
"cpe:/a:apache:http_server:2.4.33",
"cpe:/a:apache:http_server:2.4.34",
"cpe:/a:apache:http_server:2.4.35",
"cpe:/a:apache:http_server:2.4.36",
"cpe:/a:apache:http_server:2.4.37",
"cpe:/a:apache:http_server:2.4.38",
"cpe:/o:opensuse:leap:15.0",
"cpe:/o:opensuse:leap:42.3",
"cpe:/o:debian:debian_linux:8.0",
"cpe:/o:debian:debian_linux:9.0",
"cpe:/o:fedoraproject:fedora:28",
"cpe:/o:fedoraproject:fedora:29",
"cpe:/o:fedoraproject:fedora:30",
"cpe:/o:canonical:ubuntu_linux:14.04::~~lts~~~",
"cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~",
"cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~",
"cpe:/o:canonical:ubuntu_linux:18.10"
]
}
{
"Modified": "2019-04-08T17:29:00.860000",
"Published": "2019-04-08T17:29:00.843000",
"cvss": "6.0",
"cwe": "CWE-362",
"id": "CVE-2019-0217",
"last-modified": "2019-05-13T23:29:03.847000",
"reason": "Text search",
"references": [
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00051.html"
],
"summary": "In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.",
"vulnerable_configuration": [
"cpe:2.3:a:apache:http_server:2.4.38",
"cpe:2.3:o:debian:debian_linux:8.0",
"cpe:2.3:o:debian:debian_linux:9.0",
"cpe:2.3:o:fedoraproject:fedora:29",
"cpe:2.3:o:fedoraproject:fedora:30",
"cpe:2.3:o:canonical:ubuntu_linux:12.04:-:-:-:esm",
"cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts",
"cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts",
"cpe:2.3:o:canonical:ubuntu_linux:18.04:-:-:-:lts",
"cpe:2.3:o:canonical:ubuntu_linux:18.10",
"cpe:2.3:o:redhat:enterprise_linux:7.0",
"cpe:2.3:o:opensuse:leap:15.0",
"cpe:2.3:o:opensuse:leap:42.3"
],
"vulnerable_configuration_cpe_2_2": [
"cpe:/a:apache:http_server:2.4.38",
"cpe:/o:debian:debian_linux:8.0",
"cpe:/o:debian:debian_linux:9.0",
"cpe:/o:fedoraproject:fedora:29",
"cpe:/o:fedoraproject:fedora:30",
"cpe:/o:canonical:ubuntu_linux:12.04::~~esm~~~",
"cpe:/o:canonical:ubuntu_linux:14.04::~~lts~~~",
"cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~",
"cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~",
"cpe:/o:canonical:ubuntu_linux:18.10",
"cpe:/o:redhat:enterprise_linux:7.0",
"cpe:/o:opensuse:leap:15.0",
"cpe:/o:opensuse:leap:42.3"
]
}
I just want to display all the possible fields in a simple table on the command line but I am not able to achieve it.
I tried the following command
echo $(jq '.data[] | select(.vulnerable_configuration_cpe_2_2 | contains(["2.4.38"]))' search1.json) | jq -r '.[] | "\(.summary)"'
but it gives me the error
jq: error (at <stdin>:1): Cannot index string with string "summary"
I have already researched this and tried modifying the command, but it sometimes gives me a compilation error. I am sure I am making a very stupid mistake somewhere.
Expected Output
ID CWE CVSS Summary
xyz xyz xyz xyzxyzxyz
I figured it out myself
The correct command is
echo $(jq '.data[] | select(.vulnerable_configuration_cpe_2_2 | contains(["2.4.38"]))' search1.json) | jq -r '. | "\(.summary)"'
After jq -r there should be a . and not .[]

Jfrog artifactory cli

I am trying to pass two ${key} values in a file spec. Is there any way I can call these two ${key} values through a jfrog cli command?
E.g., I have tried the following command
sh "./jfrog rt s --spec compare.spec --spec-vars currentBuild=${currentBuild.number};previousBuild=${currentBuild.previousBuild.number}"
But it is displaying output only for one value.
The command is missing quotes surrounding the spec-vars. So, for example, with a spec file like
{
"files": [
{
"pattern": "${pat}/",
"target": "${tgt}/"
}
]
}
I need to run the command as
jfrog rt dl --spec otherspec --spec-vars "pat=generic-local;tgt=local"
To make sure that I download the files from the "generic-local" repository to a folder called "local"
If you execute the command with JFROG_CLI_LOG_LEVEL=DEBUG, the output will display both the spec file you provided as well as the resolved file:
$ JFROG_CLI_LOG_LEVEL=DEBUG jfrog rt dl --spec otherspec --spec-vars "pat=generic-local;tgt=local"
[Debug] Replacing variables in the provided File Spec:
{
"files": [
{
"pattern": "${pat}/",
"target": "${tgt}/"
}
]
}
[Debug] Replacing '${pat}' with 'generic-local'
[Debug] Replacing '${tgt}' with 'local'
[Debug] The reformatted File Spec is:
{
"files": [
{
"pattern": "generic-local/",
"target": "local/"
}
]
}
[Info] Searching items to download...