# Flume OPSEC source
Flume source that uses the native [fw1-loggrabber](https://github.com/certego/fw1-loggrabber) utility to get logs from CheckPoint using the LEA API.
The Log Grabber subprocess is spawned by the Flume source and its STDOUT is piped to an in-memory queue.
The in-memory queue is then polled by Flume when the process() method is called.
This source produces events whose body is a byte array representing a UTF-8 JSON string.
For example, assume CheckPoint sends the following message:
<pre><code>time=17Apr2015 8:10:16|action=accept|orig=localhost|i/f_dir=inbound|i/f_name=Exp2-1.715
</code></pre>
This source will then produce the following JSON:
<pre><code>{time:"17Apr2015 8:10:16",action:"accept",orig:"localhost",i/f_dir:"inbound",i/f_name:"Exp2-1.715"}
</code></pre>
If the input line is null or empty, an empty JSON object is returned.
If one of the fields of the input line is not in the form `key=value`, the output JSON will have a field whose name is the received field and whose value is empty. Example:
<pre><code>time=17Apr2015 8:10:16|action|orig=localhost
</code></pre>
The resulting JSON will be:
<pre><code>{time:"17Apr2015 8:10:16",action:"",orig:"localhost"}
</code></pre>
**Important**: this source assumes `fw1-loggrabber` produces messages whose fields are separated by the pipe char (`|`).
This source correctly parses messages where a field value contains an escaped pipe char `\|`.
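As an added illustration (not code from this project), the parsing rules above can be implemented as follows. It assumes an escaped pipe `\|` is unescaped to a literal `|` in the value, and it emits standard JSON with quoted keys, which differs only cosmetically from the unquoted keys shown above.

```python
import json
from typing import Dict, List, Optional

# Field separator; must match RECORD_SEPARATOR in fw1-loggrabber.conf.
RECORD_SEPARATOR = "|"


def split_fields(line: str) -> List[str]:
    """Split a loggrabber line on unescaped '|'. A backslash-escaped pipe
    ('\\|') stays in the current field and is unescaped to a literal '|'
    (an assumption; the README only says such values parse correctly)."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] == RECORD_SEPARATOR:
            buf.append(RECORD_SEPARATOR)  # consume the escape, keep the pipe
            i += 2
            continue
        if ch == RECORD_SEPARATOR:
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf))
    return fields


def parse_record(line: Optional[str]) -> Dict[str, str]:
    """README rules: null/empty line -> {}, a field without '=' -> empty value."""
    if not line:
        return {}
    record: Dict[str, str] = {}
    for field in split_fields(line):
        # Split on the first '=' only, so a value may itself contain '='.
        key, sep, value = field.partition("=")
        record[key] = value if sep else ""
    return record


def to_event_body(line: Optional[str]) -> bytes:
    """UTF-8 bytes of the JSON object, i.e. what the Flume event body carries.
    json.dumps quotes keys and escapes quotes/newlines inside values, so a
    hostile log value cannot break the JSON structure for downstream consumers."""
    return json.dumps(parse_record(line), ensure_ascii=False).encode("utf-8")
```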
If the `fw1-loggrabber` process dies, the source tries to flush the in-memory queue to the channel processor before dying.
## Configuration
You need to configure the property `loggrabber.config.path` in the Flume context to point to an existing folder containing both `lea.conf` and `fw1-loggrabber.conf` (the config file names are not configurable).
### Example configuration
Flume context source configuration:
<pre><code>agent.sources = opsec
agent.channels = memoryChannel
agent.sinks = loggerSink
agent.sources.opsec.type = <b>com.keedio.flume.source.OpsecSource</b>
agent.sources.opsec.<b>loggrabber.config.path</b>=<b>/path/to/fw1-loggrabber/conf/dir/</b>
agent.sources.opsec.channels = memoryChannel
agent.sinks.loggerSink.type = logger
agent.sinks.loggerSink.channel = memoryChannel
agent.channels.memoryChannel.type = memory
agent.channels.memoryChannel.capacity = 10000
</code></pre>
Example LEA configuration `lea.conf`:
<pre><code>## LEA Config Section
lea_server auth_type sslca
lea_server ip 22.15.237.33
lea_server auth_port 18184
opsec_sic_name "CN=my_app_name,O=IDENTIFIER..xxxxxx" # full OPSEC sic name as provided by opsec_pull_cert
opsec_sslca_file /path/to/opsec.p12 # cert file as provided by opsec_pull_cert
lea_server opsec_entity_sic_name "CN=cp_mgmt,O=IDENTIFIER..xxxxxx"
</code></pre>
Example `fw1-loggrabber.conf`:
<pre><code># DEBUG_LEVEL=<debuglevel>
DEBUG_LEVEL="0" <b># DO NOT CHANGE THIS</b>
# FW1_LOGFILE=<Name of FW1-Logfilename>
FW1_LOGFILE="fw.log"
# FW1_OUTPUT=<files|logs>
FW1_OUTPUT="logs"
# FW1_TYPE=<ng|2000>
FW1_TYPE="ng"
# FW1_MODE=<audit|normal>
FW1_MODE="normal"
# ONLINE_MODE=<yes|no>
ONLINE_MODE="yes"
# RESOLVE_MODE=<yes|no>
RESOLVE_MODE="yes"
# RECORD_SEPARATOR=<char>
RECORD_SEPARATOR="|" <b># DO NOT CHANGE THIS</b>
# LOGGING_CONFIGURATION=<screen|file|syslog>
LOGGING_CONFIGURATION=screen <b># DO NOT CHANGE THIS</b>
</code></pre>
**Important:** it's mandatory to set `LOGGING_CONFIGURATION=screen` and `DEBUG_LEVEL="0"` since the OPSEC source will parse log messages from STDOUT.