From 2b446dd9b0284b3dcaee08e26763926f09f46c72 Mon Sep 17 00:00:00 2001 From: Karl-Johan Karlsson Date: Fri, 18 Sep 2020 10:24:43 +0200 Subject: [PATCH 1/2] Add basic Syslog UDP collector bot Extremely basic, probably too slow, but simple and working Syslog collector over UDP. --- intelmq/bots/BOTS | 11 ++++ intelmq/bots/collectors/syslog/__init__.py | 0 intelmq/bots/collectors/syslog/collector.py | 65 +++++++++++++++++++++ 3 files changed, 76 insertions(+) create mode 100644 intelmq/bots/collectors/syslog/__init__.py create mode 100644 intelmq/bots/collectors/syslog/collector.py diff --git a/intelmq/bots/BOTS b/intelmq/bots/BOTS index 31f959412f..9b4ca43fb7 100644 --- a/intelmq/bots/BOTS +++ b/intelmq/bots/BOTS @@ -178,6 +178,17 @@ "rsync_path": "" } }, + "Syslog": { + "description": "Receive Syslog messages.", + "module": "intelmq.bots.collectors.syslog.collector", + "parameters": { + "ip": "0.0.0.0", + "name": "Syslog", + "port": 514, + "protocol": "udp", + "provider": "Syslog" + } + }, "TCP": { "description": "Receive events by opening a TCP port (ex: from TCP Output of another IntelMQ instance).", "module": "intelmq.bots.collectors.tcp.collector", diff --git a/intelmq/bots/collectors/syslog/__init__.py b/intelmq/bots/collectors/syslog/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/intelmq/bots/collectors/syslog/collector.py b/intelmq/bots/collectors/syslog/collector.py new file mode 100644 index 0000000000..50553f0543 --- /dev/null +++ b/intelmq/bots/collectors/syslog/collector.py 
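Review bot: The new `Syslog` entry defaults `ip` to `0.0.0.0` and `port` to `514`, so an operator who accepts the defaults gets a listener bound on every interface on a privileged port, which needs root or CAP_NET_BIND_SERVICE and accepts datagrams from any host. Nothing in the collector authenticates senders, so a loopback or explicit-interface default such as `"ip": "127.0.0.1"` is the safer starting point, and an unprivileged default port would avoid running the bot with elevated rights. The description could also state that the port must be reachable only from the intended syslog sources.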
@@ -0,0 +1,65 @@ +# -*- coding: utf-8 -*- +"""Import Syslog messages + +SPDX-FileCopyrightText: 2020 Linköping University +SPDX-License-Identifier: AGPL-3.0-or-later + +One IntelMQ event per Syslog line. Multi-line Syslog messages are not +supported. + +Parameters: + + ip: string, optional, bind IP (or wildcard, if not set) + + name: string, optional, feed name, default "Syslog" + + port: integer, optional, listen port, default 514 + + protocol: string, optional, default "udp". Only UDP is implemented + currently. + + provider: string, optional, feed provider name, default "Syslog" + +""" + +from intelmq.lib.bot import CollectorBot +from intelmq.lib.exceptions import ConfigurationError + +import socketserver + + +class SyslogCollectorBot(CollectorBot): + + def init(self): + self.ip = getattr(self.parameters, 'ip', '0.0.0.0') + self.name = getattr(self.parameters, 'name', 'Syslog') + self.port = int(getattr(self.parameters, 'port', 514)) + self.protocol = getattr(self.parameters, 'protocol', 'udp').lower() + if self.protocol not in ['udp']: + raise ConfigurationError('Listen port', + 'Invalid protocol %s' % self.protocol) + self.provider = getattr(self.parameters, 'provider', 'Syslog') + + if self.protocol == 'udp': + self.server = socketserver.UDPServer((self.ip, self.port), SyslogUDP) + self.server.logger = self.logger + self.server.send_message = self.send_message + self.server.new_report = self.new_report + self.logger.info("Listening on %s:%d/%s", + self.ip, self.port, self.protocol) + + def process(self): + self.server.serve_forever() + + +class SyslogUDP(socketserver.BaseRequestHandler): + def handle(self): + line = self.request[0].strip() + self.server.logger.debug("Received event from %s", self.client_address) + report = self.server.new_report() + report.add('raw', line) + self.server.send_message(report) + self.finish() + + +BOT = SyslogCollectorBot From 737cb1e10ed9afd8e30c20dd3e1822ba234e698a Mon Sep 17 00:00:00 2001 
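Review bot: `process()` calls `self.server.serve_forever()`, which never returns, so after the first call the framework's process loop never regains control and the socket is never closed; the one-datagram form `self.server.handle_request()` in `process()` would hand control back to the bot loop after each packet, and `self.server.server_close()` belongs in whatever shutdown hook `CollectorBot` provides (not visible here). In `SyslogUDP.handle`, the trailing `self.finish()` is redundant because `BaseRequestHandler.__init__` already calls `finish()` once `handle()` returns, so it runs twice. Every received datagram becomes an event with no check on the sender and the source address is logged only at debug level; a comment on `handle` such as `# UDP sender address is unauthenticated; restrict reachability via ip/firewall` would make the trust boundary explicit to operators.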
From: Karl-Johan Karlsson Date: Tue, 20 Oct 2020 16:33:59 +0200 Subject: [PATCH 2/2] Rename Syslog collector to UDP The bot really doesn't care about the Syslog data format, just that it can receive text in UDP packets. Handling Syslog is the job of a later parser bot. --- intelmq/bots/BOTS | 11 +++--- .../collectors/{syslog => udp}/__init__.py | 0 .../collectors/{syslog => udp}/collector.py | 34 ++++++++----------- 3 files changed, 19 insertions(+), 26 deletions(-) rename intelmq/bots/collectors/{syslog => udp}/__init__.py (100%) rename intelmq/bots/collectors/{syslog => udp}/collector.py (51%) diff --git a/intelmq/bots/BOTS b/intelmq/bots/BOTS index 9b4ca43fb7..79488c8f96 100644 --- a/intelmq/bots/BOTS +++ b/intelmq/bots/BOTS @@ -178,15 +178,14 @@ "rsync_path": "" } }, - "Syslog": { - "description": "Receive Syslog messages.", - "module": "intelmq.bots.collectors.syslog.collector", + "UDP": { + "description": "Receive UDP messages.", + "module": "intelmq.bots.collectors.udp.collector", "parameters": { "ip": "0.0.0.0", - "name": "Syslog", + "name": "UDP", "port": 514, - "protocol": "udp", - "provider": "Syslog" + "provider": "UDP" } }, "TCP": { diff --git a/intelmq/bots/collectors/syslog/__init__.py b/intelmq/bots/collectors/udp/__init__.py similarity index 100% rename from intelmq/bots/collectors/syslog/__init__.py rename to intelmq/bots/collectors/udp/__init__.py diff --git a/intelmq/bots/collectors/syslog/collector.py b/intelmq/bots/collectors/udp/collector.py similarity index 51% rename from intelmq/bots/collectors/syslog/collector.py rename to intelmq/bots/collectors/udp/collector.py index 50553f0543..b85a66810d 100644 --- a/intelmq/bots/collectors/syslog/collector.py +++ b/intelmq/bots/collectors/udp/collector.py 
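Review bot: The renamed `UDP` entry keeps its position before `TCP`, which no longer fits the alphabetical order the neighbouring entries appear to follow; if BOTS is kept sorted, the block should move after `TCP`. The defaults `"ip": "0.0.0.0"` and `"port": 514` survive the rename, so the collector still binds all interfaces on a privileged port by default while accepting datagrams from any sender; a loopback or explicit-interface default would be safer.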
@@ -1,24 +1,20 @@ # -*- coding: utf-8 -*- -"""Import Syslog messages +"""Receive UDP messages SPDX-FileCopyrightText: 2020 Linköping University SPDX-License-Identifier: AGPL-3.0-or-later -One IntelMQ event per Syslog line. Multi-line Syslog messages are not -supported. +Creates one IntelMQ event per UDP packet. Parameters: ip: string, optional, bind IP (or wildcard, if not set) - name: string, optional, feed name, default "Syslog" + name: string, optional, feed name, default "UDP" - port: integer, optional, listen port, default 514 + port: integer, listen port - protocol: string, optional, default "udp". Only UDP is implemented - currently. - - provider: string, optional, feed provider name, default "Syslog" + provider: string, optional, feed provider name, default "UDP" """ @@ -28,20 +24,18 @@ import socketserver -class SyslogCollectorBot(CollectorBot): +class UDPCollectorBot(CollectorBot): def init(self): self.ip = getattr(self.parameters, 'ip', '0.0.0.0') - self.name = getattr(self.parameters, 'name', 'Syslog') - self.port = int(getattr(self.parameters, 'port', 514)) - self.protocol = getattr(self.parameters, 'protocol', 'udp').lower() - if self.protocol not in ['udp']: + self.name = getattr(self.parameters, 'name', 'UDP') + self.port = int(getattr(self.parameters, 'port', 0)) + if self.port == 0: raise ConfigurationError('Listen port', - 'Invalid protocol %s' % self.protocol) - self.provider = getattr(self.parameters, 'provider', 'Syslog') + 'No port specified') + self.provider = getattr(self.parameters, 'provider', 'UDP') - if self.protocol == 'udp': - self.server = socketserver.UDPServer((self.ip, self.port), SyslogUDP) + self.server = socketserver.UDPServer((self.ip, self.port), UDPServer) self.server.logger = self.logger self.server.send_message = self.send_message self.server.new_report = self.new_report 
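Review bot: The `port` line in the docstring drops its old default but does not say the parameter is now required, although the rewritten `init` raises `ConfigurationError` when it is missing or 0; `port: integer, required, listen port (missing or 0 raises ConfigurationError)` would match the code. The `ip` line's "wildcard, if not set" wording is worth keeping, since it tells operators the bot listens on all interfaces unless restricted.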
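Review bot: The check `if self.port == 0` only catches a missing value; a negative port or one above 65535 passes and fails later in the socket bind rather than as a configuration error, and a non-numeric value raises `ValueError` from `int()` before the check runs. `if not 0 < self.port < 65536: raise ConfigurationError('Listen port', 'Invalid port %d' % self.port)` would cover the range, and the `int()` call can report a non-numeric value the same way. The `'0.0.0.0'` default for `ip` means the listener accepts datagrams from any host on any interface with nothing authenticating the sender; a comment on that line, e.g. `# Wildcard bind: sender is unauthenticated, restrict reachability at network level`, would document the trust boundary. `init` continues past the end of the hunk.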
@@ -52,7 +46,7 @@ def process(self): self.server.serve_forever() -class SyslogUDP(socketserver.BaseRequestHandler): +class UDPServer(socketserver.BaseRequestHandler): def handle(self): line = self.request[0].strip() self.server.logger.debug("Received event from %s", self.client_address) @@ -62,4 +56,4 @@ def handle(self): self.finish() -BOT = SyslogCollectorBot +BOT = UDPServer
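Review bot: Naming the request handler `UDPServer` is misleading, since it subclasses `socketserver.BaseRequestHandler` and is passed as the handler argument to `socketserver.UDPServer` in `init`; the two names differ only by module prefix. A handler-style name such as `class UDPRequestHandler(socketserver.BaseRequestHandler):` (with the matching argument in `init`) reads correctly and makes it harder to confuse the handler with the bot class elsewhere in the module. `handle` continues past the end of the hunk.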
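Review bot: `BOT = UDPServer` binds the module's entry point to the request-handler class rather than the collector, so the framework would instantiate a `BaseRequestHandler` subclass instead of `UDPCollectorBot`; the line should read `BOT = UDPCollectorBot`. The removed value `SyslogCollectorBot` was the bot class, so this looks like a rename slip rather than an intended change.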