Add more syslog sshd grammars

trink · trink · commit 273b1e9d48fa · 2017-10-25T14:59:37.000-07:00
diff --git a/syslog/CMakeLists.txt b/syslog/CMakeLists.txt
@@ -3,7 +3,7 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 cmake_minimum_required(VERSION 3.0)
-project(syslog VERSION 1.0.7 LANGUAGES C)
+project(syslog VERSION 1.0.8 LANGUAGES C)
 set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Syslog parsers and collectors")
 set(CPACK_DEBIAN_PACKAGE_DEPENDS "${PACKAGE_PREFIX}-lpeg (>= 1.0.5), ${PACKAGE_PREFIX}-socket (>= 3.0)")
 string(REGEX REPLACE "[()]" "" CPACK_RPM_PACKAGE_REQUIRES ${CPACK_DEBIAN_PACKAGE_DEPENDS})
diff --git a/syslog/modules/lpeg/linux/sshd.lua b/syslog/modules/lpeg/linux/sshd.lua
@@ -60,6 +60,17 @@ syslog_grammar = l.Ct(
           * l.Cg((l.P(1)-l.S" ")^0, "remote_user")
           * l.P(-1)
         )
+    + (
+            l.P"Connection from "
+            * l.Cg(ipv46, "remote_addr")
+            * l.P" port "
+            * l.Cg(l.digit^1 / tonumber, "remote_port")
+            * l.P" on "
+            * l.Cg(ipv46, "local_addr")
+            * l.P" port "
+            * l.Cg(l.digit^1 / tonumber, "local_port")
+          * l.P(-1)
+        )
     + (
             l.P"Connection closed by "
           * l.Cg(ipv46, "remote_addr")
@@ -106,6 +117,9 @@ syslog_grammar = l.Ct(
           * l.P": "
           * l.Cg(l.P(1)^1, "sshd_error")
         )
+    + (
+            l.Cg(l.P"Set " * l.P(1)^1, "set")
+        )
     )
 
 return M
diff --git a/syslog/tests/linux/sshd.lua b/syslog/tests/linux/sshd.lua
@@ -28,3 +28,13 @@ assert(fields.remote_addr.value == '10.2.3.4', fields.remote_addr)
 assert(fields.disconnect_reason == 11, fields.disconnect_reason)
 assert(fields.disconnect_msg == 'The user disconnected the application [preauth]', fields.disconnect_msg)
 
+log = "Connection from 121.18.238.123 port 60512 on 172.31.41.219 port 22"
+fields = grammar:match(log)
+assert(fields.remote_addr.value == '121.18.238.123', fields.remote_addr)
+assert(fields.remote_port == 60512, fields.remote_port)
+assert(fields.local_addr.value == '172.31.41.219', fields.local_addr)
+assert(fields.local_port == 22, fields.local_port)
+
+log = "Set /proc/self/oom_score_adj to 0"
+fields = grammar:match(log)
+assert(fields.set == log, fields.set)
