usiem-basic-parser

Crate: usiem-basic-parser
Version: 0.1.0
Created: 2021-03-28 15:03:40 UTC
Updated: 2023-08-03 20:38:36 UTC
Description: uSIEM parser component that allows using multiple and different parsers
Repository: https://github.com/u-siem/usiem-basic-parser
Crate id: 374690
Size: 31,349
Author: Samuel Garcés Marín (SecSamDev)


README

µSIEM Parser


Basic parser component that supports multiple different log sources and log formats.

Usage

// parser1 and parser2 are values implementing the µSIEM LogParser trait
// (see "How to build parsers" below).
// Create the component and register the parsers
let mut parser_component = BasicParserComponent::new();
parser_component.add_parser(Box::from(parser1));
parser_component.add_parser(Box::from(parser2));

// Hand the component to the kernel, which manages it from here on
kernel.add_component(parser_component);

How to build parsers

The µSIEM library contains some example parsers that it uses for testing; the one below is one of them.

// The types used here (SiemLog, SiemField, FieldSchema, DatasetHolder,
// LogParser, LogParsingError, LogGenerator) come from the µSIEM library.
// DummyLogGenerator is the matching test log generator; it is not shown here.
#[derive(Clone)]
pub struct DummyParserText {
    schema: FieldSchema,
}

impl DummyParserText {
    pub fn new() -> Self {
        Self {
            schema: FieldSchema::new(),
        }
    }
}

impl LogParser for DummyParserText {
    fn parse_log(
        &self,
        mut log: SiemLog,
        _datasets: &DatasetHolder,
    ) -> Result<SiemLog, LogParsingError> {
        // Not this parser's format: hand the log back untouched so the
        // component can offer it to the next registered parser.
        if !log.message().contains("DUMMY") {
            return Err(LogParsingError::NoValidParser(log));
        }
        // Tag the event with the parser that handled it
        log.add_field("parser", SiemField::from_str("DummyParserText"));
        Ok(log)
    }
    fn name(&self) -> &'static str {
        "DummyParserText"
    }
    fn description(&self) -> &'static str {
        "This is a dummy parser that matches if the text contains DUMMY"
    }
    fn schema(&self) -> &FieldSchema {
        &self.schema
    }
    fn generator(&self) -> Box<dyn LogGenerator> {
        Box::new(DummyLogGenerator {})
    }
}

let parser1 = DummyParserText::new();
parser_component.add_parser(Box::from(parser1));
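To show how such parsers plug into the component, here is an added, self-contained model of the parser chain; it is not the crate's code. The type names mirror the README but are local stand-ins for the µSIEM types, and the try-each-parser-in-order loop is an assumption drawn from the crate's description, not copied from its source.

```rust
use std::collections::BTreeMap;
/// Local stand-in for usiem's SiemLog: the raw message plus extracted fields.
#[derive(Debug)]
pub struct SiemLog { pub message: String, pub fields: BTreeMap<String, String> }
impl SiemLog {
    pub fn new(message: &str) -> Self {
        Self { message: message.to_string(), fields: BTreeMap::new() }
    }
    pub fn add_field(&mut self, key: &str, value: &str) {
        self.fields.insert(key.to_string(), value.to_string());
    }
}

#[derive(Debug)]
pub enum LogParsingError {
    /// Not this parser's format: the log goes back untouched for the next parser.
    NoValidParser(SiemLog),
}
pub trait LogParser {
    fn parse_log(&self, log: SiemLog) -> Result<SiemLog, LogParsingError>;
}

/// Parser that claims any message containing its marker, like DummyParserText.
pub struct MarkerParser { pub marker: &'static str, pub name: &'static str }
impl LogParser for MarkerParser {
    fn parse_log(&self, mut log: SiemLog) -> Result<SiemLog, LogParsingError> {
        if !log.message.contains(self.marker) {
            return Err(LogParsingError::NoValidParser(log));
        }
        log.add_field("parser", self.name);
        Ok(log)
    }
}

/// Assumed dispatch model of BasicParserComponent (not the crate's source).
pub struct BasicParserComponent { parsers: Vec<Box<dyn LogParser>> }
impl BasicParserComponent {
    pub fn new() -> Self { Self { parsers: Vec::new() } }
    pub fn add_parser(&mut self, parser: Box<dyn LogParser>) { self.parsers.push(parser); }
    /// Offer the log to each parser in registration order: NoValidParser hands
    /// it on to the next parser; any other answer is final.
    pub fn parse(&self, mut log: SiemLog) -> Result<SiemLog, LogParsingError> {
        for parser in &self.parsers {
            match parser.parse_log(log) {
                Err(LogParsingError::NoValidParser(unparsed)) => log = unparsed,
                decided => return decided,
            }
        }
        Err(LogParsingError::NoValidParser(log))
    }
}
```

A log that no registered parser claims comes back unchanged inside NoValidParser, so the caller can route it to a fallback or count it as unparsed.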
