9 releases
| 0.1.0 | Aug 3, 2023 |
|---|---|
| 0.0.8 | Apr 24, 2022 |
| 0.0.7 | Mar 26, 2022 |
| 0.0.6 | Jan 21, 2022 |
| 0.0.3 | Mar 28, 2021 |
#2202 in Parser implementations
44 downloads per month
30KB
635 lines
µSIEM Parser
Basic Parser component that supports multiple different sources and log formats
Usage
// Create component and register parsers
let mut parser_component = BasicParserComponent::new();
parser_component.add_parser(Box::from(parser1));
parser_component.add_parser(Box::from(parser2));
// Send the component to the kernel to be managed
kernel.add_component(parser_component);
How to build parsers
There are some examples in the µSIEM library used for testing.
#[derive(Clone)]
pub struct DummyParserText {
schema : FieldSchema
}
impl DummyParserText {
pub fn new() -> Self {
Self {
schema : FieldSchema::new()
}
}
}
impl LogParser for DummyParserText {
fn parse_log(
&self,
mut log: SiemLog,
_datasets: &DatasetHolder,
) -> Result<SiemLog, LogParsingError> {
if !log.message().contains("DUMMY") {
return Err(LogParsingError::NoValidParser(log));
}
log.add_field("parser", SiemField::from_str("DummyParserText"));
Ok(log)
}
fn name(&self) -> &'static str {
"DummyParserText"
}
fn description(&self) -> &'static str {
"This is a dummy that parsers if contains DUMMY in text"
}
fn schema(&self) -> & FieldSchema {
&self.schema
}
fn generator(&self) -> Box<dyn LogGenerator> {
return Box::new(DummyLogGenerator {});
}
}
let parser1 = DummyParserText::new();
parser_component.add_parser(Box::from(parser1));
Dependencies
~5.5–7.5MB
~122K SLoC