Version 4.0.8 compatible with Graylog 4.x

Author: huksley

pom.xml

@@ -10,7 +10,7 @@
 
     <groupId>com.wizecore.graylog2</groupId>
     <artifactId>graylog-output-syslog</artifactId>
-    <version>3.3.2</version>
+    <version>4.0.8</version>
     <packaging>jar</packaging>
 
     <name>graylog-output-syslog</name>
@@ -23,7 +23,7 @@
         <maven.install.skip>true</maven.install.skip>
         <maven.deploy.skip>true</maven.deploy.skip>
         <maven.site.skip>true</maven.site.skip>
-        <graylog2.version>3.3.0</graylog2.version>
+        <graylog2.version>4.0.8</graylog2.version>
         <graylog2.syslog4j.version>0.9.60</graylog2.syslog4j.version>
         <graylog2.plugin-dir>/usr/share/graylog-server/plugin</graylog2.plugin-dir>
     </properties>

run-graylog

@@ -1,23 +1,27 @@
 #!/bin/bash
 HERE=$PWD
-GL=~/Downloads/graylog-3.3.1
+GL=~/Downloads/graylog-4.0.8
 TT=$GL/tmp
 mkdir -p $TT
-#sudo umount $TT
-#sudo mount -o bind,noexec $TT $TT
-#export JAVA_OPTS="-Djava.io.tmpdir=$TT"
-#rm -Rf $GL/data
+sudo umount $TT
+sudo mount -o bind,noexec $TT $TT
+export JAVA_OPTS="-Djava.io.tmpdir=$TT"
+rm -Rf $GL/data
 mkdir -p $GL/data
 mvn package -DskipTests
-cp target/graylog-output-syslog-3.3.1.jar $GL/plugin
+cp target/graylog-output-syslog-4.0.8.jar $GL/plugin
 export GRAYLOG_CONF=$GL/graylog.conf
-#docker rm -f elastic
-#docker run --name elastic -p 9200:9200 -d elasticsearch:5
-#docker rm -f mongo
-#docker run --name mongo -p 27017:27017 -d mongo:3.6
-#docker start elastic
-#docker start mongo
-sleep 5
+sudo sysctl -w vm.max_map_count=262144
+
+docker rm -f elastic
+docker run --name elastic -p 9200:9200 -e "discovery.type=single-node" \
+    -e "cluster.routing.allocation.disk.threshold_enabled=false" \
+    -d elasticsearch:7.10.1
+docker rm -f mongo
+docker run --name mongo -p 27017:27017 -d mongo:3.6
+docker start elastic
+docker start mongo
+sleep 10
 $GL/bin/graylogctl run
 
 ## Run two consoles additionally:

src/main/java/com/wizecore/graylog2/plugin/CEFSender.java

@@ -1,147 +1,147 @@
-package com.wizecore.graylog2.plugin;
-
-import java.util.Map;
-
-import org.graylog2.plugin.Message;
-import org.graylog2.syslog4j.SyslogConstants;
-import org.graylog2.syslog4j.SyslogIF;
-
-/**
- * Using CEF format
- */
-
-/*
- * http://blog.rootshell.be/2011/05/11/ossec-speaks-arcsight/
- * 
- * 
- * CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
-
-CEF:0|ArcSight|Logger|5.0.0.5355.2|sensor:115|Logger Internal Event|1|\
-cat=/Monitor/Sensor/Fan5 cs2=Current Value cnt=1 dvc=10.0.0.1 cs3=Ok \
-cs1=null type=0 cs1Label=unit rt=1305034099211 cs3Label=Status cn1Label=value \
-cs2Label=timeframe
- */
-public class CEFSender implements MessageSender {
-
-	@Override
-	public void send(SyslogIF syslog, int level, Message msg) {
-		StringBuilder out = new StringBuilder();
-		
-		// Header:
-		// CEF:Version|Device Vendor|Device Product|Device Version|
-		out.append("CEF:0|Graylog|graylog-output-syslog:cefsender|2.3.1|");
-		
-		// Device Event Class ID
-		out.append("log:1");
-		out.append("|");
-
-		Map<String, Object> fields = msg.getFields();
-		Object fv = fields.get("act");
-		
-		// Name
-		String str = fv != null ? fv.toString() : null;
-		if (str == null) {
-			fv = fields.get("short_message");
-			str = fv != null ? fv.toString() : null;
-		}
-		if (str == null) {
-			str = msg.getId();
-		}
-		str = escape(str, false);
-		out.append(str);
-		
-		// Severity
-		// The valid integer values are 0-3=Low, 4-6=Medium, 7-8=High, and 9-10=Very-High.
-		int cefLevel = 0;
-		/** see {@link org.graylog2.syslog4j.SyslogConstants#LEVEL_INFO} */
-		switch (level) {
-			case (SyslogConstants.LEVEL_DEBUG):
-				cefLevel = 1;
-				break;
-			case (SyslogConstants.LEVEL_NOTICE):
-				cefLevel = 2;
-				break;
-			case (SyslogConstants.LEVEL_INFO):
-				cefLevel = 3;
-				break;
-			case (SyslogConstants.LEVEL_WARN):
-				cefLevel = 6;
-				break;
-			case (SyslogConstants.LEVEL_ERROR):
-				cefLevel = 7;
-				break;
-			case (SyslogConstants.LEVEL_CRITICAL):
-				cefLevel = 8;
-				break;
-			case (SyslogConstants.LEVEL_ALERT):
-				cefLevel = 9;
-				break;
-			case (SyslogConstants.LEVEL_EMERGENCY):
-				cefLevel = 10;
-				break;
-			default:
-				// FIXME: Unknown level
-				cefLevel = 10;
-				break;
-		}
-		out.append("|").append(cefLevel) .append("|"); 
-		
-		// Extension
-		boolean have = false;
-		boolean haveExternalId = false;
-		boolean haveMsg = false;
+package com.wizecore.graylog2.plugin;
+
+import java.util.Map;
+
+import org.graylog2.plugin.Message;
+import org.graylog2.syslog4j.SyslogConstants;
+import org.graylog2.syslog4j.SyslogIF;
+
+/**
+ * Using CEF format
+ */
+
+/*
+ * http://blog.rootshell.be/2011/05/11/ossec-speaks-arcsight/
+ * 
+ * 
+ * CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
+
+CEF:0|ArcSight|Logger|5.0.0.5355.2|sensor:115|Logger Internal Event|1|\
+cat=/Monitor/Sensor/Fan5 cs2=Current Value cnt=1 dvc=10.0.0.1 cs3=Ok \
+cs1=null type=0 cs1Label=unit rt=1305034099211 cs3Label=Status cn1Label=value \
+cs2Label=timeframe
+ */
+public class CEFSender implements MessageSender {
+
+	@Override
+	public void send(SyslogIF syslog, int level, Message msg) {
+		StringBuilder out = new StringBuilder();
+		
+		// Header:
+		// CEF:Version|Device Vendor|Device Product|Device Version|
+		out.append("CEF:0|Graylog|graylog-output-syslog:cefsender|2.3.1|");
+		
+		// Device Event Class ID
+		out.append("log:1");
+		out.append("|");
+
+		Map<String, Object> fields = msg.getFields();
+		Object fv = fields.get("act");
+		
+		// Name
+		String str = fv != null ? fv.toString() : null;
+		if (str == null) {
+			fv = fields.get("short_message");
+			str = fv != null ? fv.toString() : null;
+		}
+		if (str == null) {
+			str = msg.getId();
+		}
+		str = escape(str, false);
+		out.append(str);
+		
+		// Severity
+		// The valid integer values are 0-3=Low, 4-6=Medium, 7-8=High, and 9-10=Very-High.
+		int cefLevel = 0;
+		/** see {@link org.graylog2.syslog4j.SyslogConstants#LEVEL_INFO} */
+		switch (level) {
+			case (SyslogConstants.LEVEL_DEBUG):
+				cefLevel = 1;
+				break;
+			case (SyslogConstants.LEVEL_NOTICE):
+				cefLevel = 2;
+				break;
+			case (SyslogConstants.LEVEL_INFO):
+				cefLevel = 3;
+				break;
+			case (SyslogConstants.LEVEL_WARN):
+				cefLevel = 6;
+				break;
+			case (SyslogConstants.LEVEL_ERROR):
+				cefLevel = 7;
+				break;
+			case (SyslogConstants.LEVEL_CRITICAL):
+				cefLevel = 8;
+				break;
+			case (SyslogConstants.LEVEL_ALERT):
+				cefLevel = 9;
+				break;
+			case (SyslogConstants.LEVEL_EMERGENCY):
+				cefLevel = 10;
+				break;
+			default:
+				// FIXME: Unknown level
+				cefLevel = 10;
+				break;
+		}
+		out.append("|").append(cefLevel) .append("|"); 
+		
+		// Extension
+		boolean have = false;
+		boolean haveExternalId = false;
+		boolean haveMsg = false;
 		boolean haveStart = false;
-		for (String k: fields.keySet()) {
-			Object v = fields.get(k);
-			if (!k.equals("message") && !k.equals("full_message") && !k.equals("short_message")) {
+		for (String k: fields.keySet()) {
+			Object v = fields.get(k);
+			if (!k.equals("message") && !k.equals("full_message") && !k.equals("short_message")) {
     			String s = v != null ? v.toString() : "null";
-				s = escape(s, true);
-				if (have) {
-					out.append(" ");
+				s = escape(s, true);
+				if (have) {
+					out.append(" ");
+				}
+				out.append(k).append('=').append(s);
+				have = true;
+				
+				if (!haveExternalId && k.equals("externalId")) {
+					haveExternalId = true;
+				}
+				
+				if (!haveMsg && k.equals("msg")) {
+					haveMsg = true;
 				}
-				out.append(k).append('=').append(s);
-				have = true;
-				
-				if (!haveExternalId && k.equals("externalId")) {
-					haveExternalId = true;
-				}
-				
-				if (!haveMsg && k.equals("msg")) {
-					haveMsg = true;
-				}
-				
-				if (!haveStart && k.equals("start")) {
-					haveStart = true;
-				}
-			}
-		}
-		
-		if (!haveStart) {
-			out.append(" start=").append(msg.getTimestamp().getMillis());
-		}
-		
-		if (!haveMsg) {
-			out.append(" msg=").append(escape(msg.getMessage(), true));
-		}
-		
-		if (!haveExternalId) {
-			out.append(" externalId=").append(msg.getId());
+				
+				if (!haveStart && k.equals("start")) {
+					haveStart = true;
+				}
+			}
+		}
+		
+		if (!haveStart) {
+			out.append(" start=").append(msg.getTimestamp().getMillis());
+		}
+		
+		if (!haveMsg) {
+			out.append(" msg=").append(escape(msg.getMessage(), true));
 		}
 
-		syslog.log(level, out.toString());
-	}
-
-	public String escape(String s, boolean extension) {
-		s = s.replace("\\", "\\\\");
+		if (!haveExternalId) {
+			out.append(" externalId=").append(msg.getId());
+		}
+		
+		syslog.log(level, out.toString());
+	}
+
+	public String escape(String s, boolean extension) {
+		s = s.replace("\\", "\\\\");
 		if (extension) {
 			s = s.replace("=", "\\=");
 			s = s.replace("\r", "");
-			s = s.replace("\n", "\\n");
-		} else {
-			s = s.replace("|", "\\|");
-			s = s.replace("\r", "");
-			s = s.replace("\n", "");
-		}
-		return s;
-	}
-}
+			s = s.replace("\n", "\\n");
+		} else {
+			s = s.replace("|", "\\|");
+			s = s.replace("\r", "");
+			s = s.replace("\n", "");
+		}
+		return s;
+	}
+}