yteraoka/fluentd-plugin-fortigate-csv-parser.rb

## 75 changes: 75 additions & 0 deletions fluentd-plugin-fortigate-csv-parser.rb
@@ -0,0 +1,75 @@

    module Fluent
module Fluent

      class FortigateSyslogParseOutput < Output
  class FortigateSyslogParseOutput < Output

        Fluent::Plugin.register_output('forti_log_parser', self)
    Fluent::Plugin.register_output('forti_log_parser', self)


        config_param :remove_prefix,   :string, :default => nil
    config_param :remove_prefix,   :string, :default => nil

        config_param :add_prefix,      :string, :default => nil
    config_param :add_prefix,      :string, :default => nil

        config_param :message_key,     :string, :default => 'message'
    config_param :message_key,     :string, :default => 'message'

        config_param :keys,            :string, :default => nil
    config_param :keys,            :string, :default => nil

        config_param :remove_keys,     :string, :default => nil
    config_param :remove_keys,     :string, :default => nil


        def configure(conf)
    def configure(conf)

          super
      super


          if @remove_prefix
      if @remove_prefix

            @removed_prefix_string = @remove_prefix + '.'
        @removed_prefix_string = @remove_prefix + '.'

            @removed_length = @removed_prefix_string.length
        @removed_length = @removed_prefix_string.length

          end
      end

          if @add_prefix
      if @add_prefix

            @added_prefix_string = @add_prefix + '.'
        @added_prefix_string = @add_prefix + '.'

          end
      end


          if @keys
      if @keys

            if @remove_keys
        if @remove_keys

              raise ConfigError, "forti_log_parser: 'keys' and 'remove_keys' parameters are exclusive"
          raise ConfigError, "forti_log_parser: 'keys' and 'remove_keys' parameters are exclusive"

            end
        end

            @keys = Hash[@keys.split(',').map {|x| [x, 1] }]
        @keys = Hash[@keys.split(',').map {|x| [x, 1] }]

          end
      end

          if @remove_keys
      if @remove_keys

            @remove_keys = Hash[@remove_keys.split(',').map {|x| [x, 1] }]
        @remove_keys = Hash[@remove_keys.split(',').map {|x| [x, 1] }]

          end
      end

        end
    end


        def emit(tag, es, chain)
    def emit(tag, es, chain)

          _tag = tag.clone
      _tag = tag.clone


          if @remove_prefix and
      if @remove_prefix and

            ((tag.start_with?(@removed_prefix_string) && tag.length > @removed_length) || tag == @remove_prefix)
        ((tag.start_with?(@removed_prefix_string) && tag.length > @removed_length) || tag == @remove_prefix)

            tag = tag[@removed_length..-1] || ''
        tag = tag[@removed_length..-1] || ''

          end
      end


          if @add_prefix
      if @add_prefix

            tag = tag && tag.length > 0 ? @added_prefix_string + tag : @add_prefix
        tag = tag && tag.length > 0 ? @added_prefix_string + tag : @add_prefix

          end
      end


          es.each do |time, record|
      es.each do |time, record|

            time, record = parse(record)
        time, record = parse(record)

            Engine.emit(tag, time, record)
        Engine.emit(tag, time, record)

          end
      end


          chain.next
      chain.next

        end
    end


        def parse(record)
    def parse(record)

          message = record[@message_key]
      message = record[@message_key]

          record.delete(@message_key)
      record.delete(@message_key)

          data = message.split(/\s+/, 5).pop
      data = message.split(/\s+/, 5).pop

          data.gsub(/\G[^,=]+=(:?"[^"]*"|[^,]+)(:?,|$)/) { |kv|
      data.gsub(/\G[^,=]+=(:?"[^"]*"|[^,]+)(:?,|$)/) { |kv|

            (k, v) = kv.strip.split(/=/, 2)
        (k, v) = kv.strip.split(/=/, 2)

            if (k == 'date' or k == 'time' or
        if (k == 'date' or k == 'time' or

               (@keys and @keys.has_key?(k)) or
           (@keys and @keys.has_key?(k)) or

               (@remove_keys and not @remove_keys.has_key?(k)) or
           (@remove_keys and not @remove_keys.has_key?(k)) or

               (!@keys and !@remove_keys))
           (!@keys and !@remove_keys))

              record[k] = v.gsub(/,$/, '').gsub(/^"(.*)"$/, '\1')
          record[k] = v.gsub(/,$/, '').gsub(/^"(.*)"$/, '\1')

            end
        end

          }
      }


          time = Time.strptime(record["date"] + " " + record["time"], '%Y-%m-%d %H: %M:%S').to_i
      time = Time.strptime(record["date"] + " " + record["time"], '%Y-%m-%d %H: %M:%S').to_i


          record.delete("date")
      record.delete("date")

          record.delete("time")
      record.delete("time")


          [ time, record ]
      [ time, record ]

        end
    end

      end
  end

    end
end