nsyslog-parser - npm Package Compare versions

Comparing version 0.8.7 to 0.8.8

.git/hooks/README.sample

47

cef.js

@@ -53,30 +53,31 @@ const FRX = /[a-zA-Z][a-zA-Z0-9]+=/;

function splitFields(txt) {
var tokens = [], map = {};
var res = null;
function splitFields(msg) {
let tokens = msg.split(" ");
let map = {};
do {
res = FRX.exec(txt);
if(res) {
var tok = res[0];
var idx = res.index;
if(tokens.length) {
tokens[tokens.length-1] += txt.substring(0,idx);
let token = null;
while(tokens.length) {
if(!token) {
token = tokens.shift();
if(token.indexOf('=')>=0) {
let kv = token.split("=");
token = kv[0];
map[token] = kv[1];
}
tokens.push(tok);
txt = txt.substring(idx+tok.length);
else {
map[token] = "";
}
}
else if(txt.length && tokens.length) {
tokens[tokens.length-1] += txt;
txt = "";
else {
let val = tokens.shift();
if(val.indexOf('=')<0) {
map[token] += ` ${val}`;
}
else {
token = null;
tokens.unshift(val);
}
}
}while(res && txt.length);
}
tokens.map(t=>t.trim()).map(t=>{
t = t.split("=");
return {k:t.shift(), v:t.join("=")}
}).forEach(t=>{
map[t.k] = t.v;
});
return map;
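Review bot: The new key/value split truncates any value that itself contains `=`, because `let kv = token.split("="); token = kv[0]; map[token] = kv[1];` keeps only the segment between the first and second `=`, whereas the removed code reassembled the remainder with `t.join("=")`; the same three lines appear in the transpiled copy in the second hunk. Split on the first separator only: `let kv = token.split("="); token = kv.shift(); map[token] = kv.join("=");`. Since the map's keys come straight from message content, `let map = Object.create(null);` would also keep a field named like an `Object.prototype` member (for example `hasOwnProperty`) from shadowing that member on the returned object, which a consumer calling it on the result would otherwise hit as a TypeError. The function's closing brace lies in the following hunk, outside this one.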

@@ -83,0 +84,0 @@ }

@@ -67,32 +67,28 @@ "use strict";

function splitFields(txt) {
var tokens = [],
map = {};
var res = null;
function splitFields(msg) {
var tokens = msg.split(" ");
var map = {};
do {
res = FRX.exec(txt);
if (res) {
var tok = res[0];
var idx = res.index;
if (tokens.length) {
tokens[tokens.length - 1] += txt.substring(0, idx);
var token = null;
while (tokens.length) {
if (!token) {
token = tokens.shift();
if (token.indexOf('=') >= 0) {
var kv = token.split("=");
token = kv[0];
map[token] = kv[1];
} else {
map[token] = "";
}
tokens.push(tok);
txt = txt.substring(idx + tok.length);
} else if (txt.length && tokens.length) {
tokens[tokens.length - 1] += txt;
txt = "";
} else {
var val = tokens.shift();
if (val.indexOf('=') < 0) {
map[token] += " " + val;
} else {
token = null;
tokens.unshift(val);
}
}
} while (res && txt.length);
}
tokens.map(function (t) {
return t.trim();
}).map(function (t) {
t = t.split("=");
return { k: t.shift(), v: t.join("=") };
}).forEach(function (t) {
map[t.k] = t.v;
});
return map;

@@ -99,0 +95,0 @@ }

@@ -1,3 +0,3 @@

/*! nsyslog-parser 2018-09-26 */
/*! nsyslog-parser 2019-04-11 */
"use strict";!function r(s,n,o){function c(i,e){if(!n[i]){if(!s[i]){var t="function"==typeof require&&require;if(!e&&t)return t(i,!0);if(d)return d(i,!0);var a=new Error("Cannot find module '"+i+"'");throw a.code="MODULE_NOT_FOUND",a}var l=n[i]={exports:{}};s[i][0].call(l.exports,function(e){return c(s[i][1][e]||e)},l,l.exports,r,s,n,o)}return n[i].exports}for(var d="function"==typeof require&&require,e=0;e<o.length;e++)c(o[e]);return c}({1:[function(e,i,t){var a,l;a=window,l=e("./parser.js"),a.NSyslog=a.NSyslog||{},a.NSyslog.parse=l},{"./parser.js":3}],2:[function(e,i,t){var n=/[a-zA-Z][a-zA-Z0-9]+=/,o=["version","deviceVendor","deviceProduct","deviceVersion","deviceEventClassID","name","severity","extension"];i.exports={parse:function(e){var t,a,i,l,r,s=(t=[],i=!(a={}),l=7,r="",e.split("").forEach(function(e){l?"|"==e?i?(i=!1,r+=e):(t.push(r),r="",l--):"\\"==e?(r+=e,i=!i):(i=!1,r+=e):r+=e}),r.length&&t.push(r),o.forEach(function(e,i){return a[e]=t[i]}),a);return{headers:s,fields:function(e){var i=[],t={},a=null;do{if(a=n.exec(e)){var l=a[0],r=a.index;i.length&&(i[i.length-1]+=e.substring(0,r)),i.push(l),e=e.substring(r+l.length)}else e.length&&i.length&&(i[i.length-1]+=e,e="")}while(a&&e.length);return i.map(function(e){return e.trim()}).map(function(e){return{k:(e=e.split("=")).shift(),v:e.join("=")}}).forEach(function(e){t[e.k]=e.v}),t}(s.extension||"")}}}},{}],3:[function(e,i,t){var N=e("./pri.js"),E=e("./cef.js"),x={pri:/^<\d+>/,prinmr:/^\d+ /,prival:/<(\d+)>/,month:/^[A-Za-z][a-z]{2} /,day:/^\d{1,2} /,time:/^\d+:\d+:\d+ /,ts:/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\S+ /,invalid:/[^a-zA-Z0-9\.\$\-_#%\/\[\]\(\)]/,sdata:/\[(\S+)( [^\=]+\=\"[^\"]+\")+\]/g,cef:/^CEF:\d+/},w={cef:!0,fields:!0,pid:!0};function j(e){do{var i=e.shift();if(void 0===i)return i;i=i.trim()}while(!i);return i}function D(e,i){if(e.host)if(e.appName)if(e.pid){if(e.messageid)return!!e.structuredData||(e.structuredData=i.trim(),!1);e.messageid=i.trim()}else e.pid=i.trim();else e.appName=i.trim();else 
e.host=i.trim()}i.exports=function(e,i){try{return function(e,i){i=i||w;var t=e.match(x.pri),r={originalMessage:e};if(t){r.pri=t[0],r.prival=parseInt(r.pri.match(x.prival)[1]);var a=N.get(r.prival);r.facilityval=a.facility,r.levelval=a.level,r.facility=N.FACILITY[a.facility].id,r.level=N.LEVEL[a.level].id}else r.pri="",r.prival=NaN;for(var l=e.substring(r.pri.length).split(" "),s=!1;e.length&&!s;){if((u=j(l)+" ").match(x.prinmr))r.version=parseInt(u),r.type="RFC5424",(u=j(l)+" ").match(x.ts)&&(r.ts=new Date(Date.parse(u.match(x.ts)[0].trim())));else if(u.match(x.month)){r.type="BSD";var n=u.trim(),o=j(l),c=j(l),d=(new Date).getYear()+1900;r.ts=new Date(Date.parse(d+" "+n+" "+o+" "+c))}else r.type="UNKNOWN",l.unshift(u.trim());s=!0}if(r.ts||(r.ts=new Date),r.type){var f=function(e){l.unshift(e),r.message=l.join(" "),s=!0};for(s=!1;e.length&&!s;){var u;if(u=j(l))if(u.endsWith(":")){var p=u.replace(/:$/,"").trim();p.match(x.invalid)?f(u):(D(r,p),r.message=l.join(" "),s=!0)}else if(l.length)if(u.match(x.invalid))f(u);else{var m=D(r,u.replace(/: $/,"").trim());!0===m?(l.unshift(u),r.message=l.join(" "),s=!0):!1===m&&(r.message=l.join(" "),s=!0)}else f(u);else s=!0}}else r.message=l.join(" ");if(r.chain=(r.host||"").split("/"),r.host=r.chain.pop(),"RFC5424"==r.type){var g=r.message.match(x.sdata)||[],h=0;r.structuredData=g.map(function(e){var a={},l=null;return h=r.message.indexOf(e)+e.length+1,e.replace(/(^\[)|(\]$)/g,"").split(" ").forEach(function(e,i){if(e.trim())if(0==i)a.$id=e;else{var t=e.split("=");t[0]&&t[1]&&'"'!=t[1]?(l=t.shift(),a[l]=t.join("=").replace(/\"/g,"")):t[0]&&void 0===t[1]?a[l]+=" "+(t[0]||"").replace(/\"/g,""):!t[0]||t[1].length&&'"'!=t[1]||(a[l]+=" "+(t[0]||"").replace(/\"/g,"")+"=")}}),a}),r.message=r.message.substring(h)}if(!1!==i.cef&&x.cef.test(r.message)){r.type="CEF";var y=E.parse(r.message);r.cef=y.headers,r.fields=y.fields}else if(!1!==i.fields&&"UNKNOWN"!=r.type){var v=[];r.message.split(",").forEach(function(e){var 
i=e.split("=");2==i.length&&(v[i[0]]=i[1])}),r.fields=v}if(r.header=e.substring(0,e.length-r.message.length),i.pid&&r.appName&&r.appName.endsWith("]")){var b=r.appName.indexOf("[");0<=b&&(r.pid=r.appName.substring(b+1,r.appName.length-1),r.appName=r.appName.substring(0,b))}return r}(e,i)}catch(e){return{err:e}}}},{"./cef.js":2,"./pri.js":4}],4:[function(e,i,t){var a=[{id:"kern",label:"kernel messages"},{id:"user",label:"user-level messages"},{id:"mail",label:"mail system"},{id:"daemon",label:"system daemons"},{id:"auth",label:"security/authorization messages"},{id:"syslog",label:"messages generated internally by syslogd"},{id:"lpr",label:"line printer subsystem"},{id:"news",label:"network news subsystem"},{id:"uucp",label:"UUCP subsystem"},{id:"cron",label:"clock daemon"},{id:"authpriv",label:"security/authorization messages"},{id:"ftp",label:"FTP daemon"},{id:"ntp",label:"NTP subsystem"},{id:"security",label:"log audit"},{id:"console",label:"log alert"},{id:"solaris-cron",label:"clock daemon"},{id:"local0",label:"locally used facility 0"},{id:"local1",label:"locally used facility 0"},{id:"local2",label:"locally used facility 0"},{id:"local3",label:"locally used facility 0"},{id:"local4",label:"locally used facility 0"},{id:"local5",label:"locally used facility 0"},{id:"local6",label:"locally used facility 0"},{id:"local7",label:"locally used facility 0"}],l=[{id:"emerg",label:"system is unusable"},{id:"alert",label:"action must be taken immediately"},{id:"crit",label:"critical conditions"},{id:"error",label:"error conditions"},{id:"warn",label:"warning conditions"},{id:"notice",label:"normal but significant condition"},{id:"info",label:"informational messages"},{id:"debug",label:"debug-level messages"}],r=[],s=[];a.forEach(function(e,i){return r[e.id]=i}),l.forEach(function(e,i){return s[e.id]=i}),i.exports.LEVEL=l,i.exports.FACILITY=a,i.exports.LEVELS=s,i.exports.FACILITIES=r,i.exports.get=function(e,i){return"number"==typeof e&&void 
0===i?{level:7&e,facility:e>>3}:"number"==typeof e&&"number"==typeof i?8*e+i:"string"==typeof e&&"number"==typeof i?8*(r[e]||0)+i:"number"==typeof e&&"string"==typeof i?8*e+(s[i]||0):"string"==typeof e&&"string"==typeof i?8*(r[e]||0)+(s[i]||0):{level:0,facility:0}}},{}]},{},[1]);
"use strict";!function s(r,n,o){function c(i,e){if(!n[i]){if(!r[i]){var a="function"==typeof require&&require;if(!e&&a)return a(i,!0);if(d)return d(i,!0);var t=new Error("Cannot find module '"+i+"'");throw t.code="MODULE_NOT_FOUND",t}var l=n[i]={exports:{}};r[i][0].call(l.exports,function(e){return c(r[i][1][e]||e)},l,l.exports,s,r,n,o)}return n[i].exports}for(var d="function"==typeof require&&require,e=0;e<o.length;e++)c(o[e]);return c}({1:[function(e,i,a){var t,l;t=window,l=e("./parser.js"),t.NSyslog=t.NSyslog||{},t.NSyslog.parse=l},{"./parser.js":3}],2:[function(e,i,a){var n=["version","deviceVendor","deviceProduct","deviceVersion","deviceEventClassID","name","severity","extension"];i.exports={parse:function(e){var a,t,i,l,s,r=(a=[],i=!(t={}),l=7,s="",e.split("").forEach(function(e){l?"|"==e?i?(i=!1,s+=e):(a.push(s),s="",l--):"\\"==e?(s+=e,i=!i):(i=!1,s+=e):s+=e}),s.length&&a.push(s),n.forEach(function(e,i){return t[e]=a[i]}),t);return{headers:r,fields:function(e){for(var i=e.split(" "),a={},t=null;i.length;)if(t){var l=i.shift();l.indexOf("=")<0?a[t]+=" "+l:(t=null,i.unshift(l))}else if(0<=(t=i.shift()).indexOf("=")){var s=t.split("=");a[t=s[0]]=s[1]}else a[t]="";return a}(r.extension||"")}}}},{}],3:[function(e,i,a){var N=e("./pri.js"),E=e("./cef.js"),x={pri:/^<\d+>/,prinmr:/^\d+ /,prival:/<(\d+)>/,month:/^[A-Za-z][a-z]{2} /,day:/^\d{1,2} /,time:/^\d+:\d+:\d+ /,ts:/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\S+ /,invalid:/[^a-zA-Z0-9\.\$\-_#%\/\[\]\(\)]/,sdata:/\[(\S+)( [^\=]+\=\"[^\"]+\")+\]/g,cef:/^CEF:\d+/},w={cef:!0,fields:!0,pid:!0};function D(e){do{var i=e.shift();if(void 0===i)return i;i=i.trim()}while(!i);return i}function j(e,i){if(e.host)if(e.appName)if(e.pid){if(e.messageid)return!!e.structuredData||(e.structuredData=i.trim(),!1);e.messageid=i.trim()}else e.pid=i.trim();else e.appName=i.trim();else e.host=i.trim()}i.exports=function(e,i){try{return function(e,i){i=i||w;var 
a=e.match(x.pri),s={originalMessage:e};if(a){s.pri=a[0],s.prival=parseInt(s.pri.match(x.prival)[1]);var t=N.get(s.prival);s.facilityval=t.facility,s.levelval=t.level,s.facility=N.FACILITY[t.facility].id,s.level=N.LEVEL[t.level].id}else s.pri="",s.prival=NaN;for(var l=e.substring(s.pri.length).split(" "),r=!1;e.length&&!r;){if((u=D(l)+" ").match(x.prinmr))s.version=parseInt(u),s.type="RFC5424",(u=D(l)+" ").match(x.ts)&&(s.ts=new Date(Date.parse(u.match(x.ts)[0].trim())));else if(u.match(x.month)){s.type="BSD";var n=u.trim(),o=D(l),c=D(l),d=(new Date).getYear()+1900;s.ts=new Date(Date.parse(d+" "+n+" "+o+" "+c))}else s.type="UNKNOWN",l.unshift(u.trim());r=!0}if(s.ts||(s.ts=new Date),s.type){var f=function(e){l.unshift(e),s.message=l.join(" "),r=!0};for(r=!1;e.length&&!r;){var u;if(u=D(l))if(u.endsWith(":")){var p=u.replace(/:$/,"").trim();p.match(x.invalid)?f(u):(j(s,p),s.message=l.join(" "),r=!0)}else if(l.length)if(u.match(x.invalid))f(u);else{var m=j(s,u.replace(/: $/,"").trim());!0===m?(l.unshift(u),s.message=l.join(" "),r=!0):!1===m&&(s.message=l.join(" "),r=!0)}else f(u);else r=!0}}else s.message=l.join(" ");if(s.chain=(s.host||"").split("/"),s.host=s.chain.pop(),"RFC5424"==s.type){var g=s.message.match(x.sdata)||[],y=0;s.structuredData=g.map(function(e){var t={},l=null;return y=s.message.indexOf(e)+e.length+1,e.replace(/(^\[)|(\]$)/g,"").split(" ").forEach(function(e,i){if(e.trim())if(0==i)t.$id=e;else{var a=e.split("=");a[0]&&a[1]&&'"'!=a[1]?(l=a.shift(),t[l]=a.join("=").replace(/\"/g,"")):a[0]&&void 0===a[1]?t[l]+=" "+(a[0]||"").replace(/\"/g,""):!a[0]||a[1].length&&'"'!=a[1]||(t[l]+=" "+(a[0]||"").replace(/\"/g,"")+"=")}}),t}),s.message=s.message.substring(y)}if(!1!==i.cef&&x.cef.test(s.message)){s.type="CEF";var h=E.parse(s.message);s.cef=h.headers,s.fields=h.fields}else if(!1!==i.fields&&"UNKNOWN"!=s.type){var v=[];s.message.split(",").forEach(function(e){var 
i=e.split("=");2==i.length&&(v[i[0]]=i[1])}),s.fields=v}if(s.header=e.substring(0,e.length-s.message.length),i.pid&&s.appName&&s.appName.endsWith("]")){var b=s.appName.indexOf("[");0<=b&&(s.pid=s.appName.substring(b+1,s.appName.length-1),s.appName=s.appName.substring(0,b))}return s}(e,i)}catch(e){return{err:e}}}},{"./cef.js":2,"./pri.js":4}],4:[function(e,i,a){var t=[{id:"kern",label:"kernel messages"},{id:"user",label:"user-level messages"},{id:"mail",label:"mail system"},{id:"daemon",label:"system daemons"},{id:"auth",label:"security/authorization messages"},{id:"syslog",label:"messages generated internally by syslogd"},{id:"lpr",label:"line printer subsystem"},{id:"news",label:"network news subsystem"},{id:"uucp",label:"UUCP subsystem"},{id:"cron",label:"clock daemon"},{id:"authpriv",label:"security/authorization messages"},{id:"ftp",label:"FTP daemon"},{id:"ntp",label:"NTP subsystem"},{id:"security",label:"log audit"},{id:"console",label:"log alert"},{id:"solaris-cron",label:"clock daemon"},{id:"local0",label:"locally used facility 0"},{id:"local1",label:"locally used facility 0"},{id:"local2",label:"locally used facility 0"},{id:"local3",label:"locally used facility 0"},{id:"local4",label:"locally used facility 0"},{id:"local5",label:"locally used facility 0"},{id:"local6",label:"locally used facility 0"},{id:"local7",label:"locally used facility 0"}],l=[{id:"emerg",label:"system is unusable"},{id:"alert",label:"action must be taken immediately"},{id:"crit",label:"critical conditions"},{id:"error",label:"error conditions"},{id:"warn",label:"warning conditions"},{id:"notice",label:"normal but significant condition"},{id:"info",label:"informational messages"},{id:"debug",label:"debug-level messages"}],s=[],r=[];t.forEach(function(e,i){return s[e.id]=i}),l.forEach(function(e,i){return r[e.id]=i}),i.exports.LEVEL=l,i.exports.FACILITY=t,i.exports.LEVELS=r,i.exports.FACILITIES=s,i.exports.get=function(e,i){return"number"==typeof e&&void 
0===i?{level:7&e,facility:e>>3}:"number"==typeof e&&"number"==typeof i?8*e+i:"string"==typeof e&&"number"==typeof i?8*(s[e]||0)+i:"number"==typeof e&&"string"==typeof i?8*e+(r[i]||0):"string"==typeof e&&"string"==typeof i?8*(s[e]||0)+(r[i]||0):{level:0,facility:0}}},{}]},{},[1]);
{
"name": "nsyslog-parser",
"version": "0.8.7",
"version": "0.8.8",
"description": "Syslog Parser. Accepts RFC 3164 (BSD), RFC 5424 and CEF formats",

@@ -5,0 +5,0 @@ "author": "David Gómez Matarrodona <solzimer@gmail.com>",

module.exports = [
"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",

@@ -14,3 +14,3 @@ "<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8",

'Jun 15 17:13:50 192.168.17.72 MSWinEventLog 1 ||||MsiInstaller||11707||0||Información||Ninguna||||Clásico||2010/06/15 17:13:50||381||||||0||0||0||0|| ||Application||WIN-ZARKLN8SUVH||Administrador||Producto: Microsoft .NET Framework 3.5 -- La instalación se completó correctamente.;(NULL);(NULL);;||Producto: Microsoft .NET Framework 3.5 -- La instalación se completó correctamente.',
'<13>May 9 16:56:32 192.168.110.12 MSWinEventLog 1 ||{54849625-5478-4994-A5BA-3E3B0328C30D}||Microsoft-Windows-Security-Auditing||4634||0||Informaci�n||||Informaci�n||Auditor�a correcta||2017-05-09 16:56:32||267119563||||||492||384||0||0|| ||Security||GICA-DC-02.grupoica.local||||S-1-5-21-1549636476-3519663633-904275800-7216;GVDI-SEV-010$;GRUPOICA;1C5B0D9Fh;3||Se cerr� sesi�n en una cuenta. Sujeto: \tId. de seguridad:\t\tS-1-5-21-1549636476-3519663633-904275800-7216 \tNombre de cuenta:\t\tGVDI-SEV-010$ \tDominio de cuenta:\t\tGRUPOICA \tId. de inicio de sesi�n:\t\t0x1c5b0d9f Tipo de inicio de sesi�n:\t\t\t3 Este evento se genera cuando se destruye una sesi�n de inicio. Puede estar correlacionado de manera positiva con un evento de inicio de sesi�n mediante el valor Id. de inicio de sesi�n. Los id. de inicio de sesi�n s�lo son �nicos entre reinicios en el mismo equipo.\n',
'<13>May 9 16:56:32 192.168.110.12 MSWinEventLog 1 ||{54849625-5478-4994-A5BA-3E3B0328C30D}||Microsoft-Windows-Security-Auditing||4634||0||Informaci�n||||Informaci�n||Auditor�a correcta||2017-05-09 16:56:32||267119563||||||492||384||0||0|| ||Security||GICA-DC-02.acmeco.local||||S-1-5-21-1549636476-3519663633-904275800-7216;GVDI-SEV-010$;acmeco;1C5B0D9Fh;3||Se cerr� sesi�n en una cuenta. Sujeto: \tId. de seguridad:\t\tS-1-5-21-1549636476-3519663633-904275800-7216 \tNombre de cuenta:\t\tGVDI-SEV-010$ \tDominio de cuenta:\t\tacmeco \tId. de inicio de sesi�n:\t\t0x1c5b0d9f Tipo de inicio de sesi�n:\t\t\t3 Este evento se genera cuando se destruye una sesi�n de inicio. Puede estar correlacionado de manera positiva con un evento de inicio de sesi�n mediante el valor Id. de inicio de sesi�n. Los id. de inicio de sesi�n s�lo son �nicos entre reinicios en el mismo equipo.\n',
'<7>1 2017-05-11T14:45:31.995+02:00 logica5p storm1 - - - 192.168.120.172 - - [04/Nov/2015:15:11:33 +0100] "GET /localclassifieds//classifieds/Site_Admin/admin.php HTTP/1.1" 404 1137 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 7.0.2)"',

@@ -21,4 +21,4 @@ 'May 06 10:05:03 CCLogTap::profileRemoved, Owner: com.apple.iokit.IO80211Family, Name: IO80211AWDLPeerManager',

"<20>Jun 15 12:33:52 Syslog_LogICAV: Warning: Received an invalid DNS Response: rcode=ServFail data=\"'F\\\\x15\\\\x81\\\\x82\\\\x00\\\\x01\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x06health\\\\x03gov\\\\x02bh\\\\x00\\\\x00\\\\x0f\\\\x00\\\\x01'\" to IP 172.22.204.220 looking up health.gov.bh",
"<13>Jul 14 10:10:39 172.22.208.24 MSWinEventLog 1 ||{54849625-5478-4994-A5BA-3E3B0328C30D}||Microsoft-Windows-Security-Auditing||4634||0||Information||||Info||Audit Success||2017-07-14 10:10:39||1123805||||||612||2192||0||0|| ||Security||madcpvflexaprtl.indra.es||||S-1-5-21-1506503333-1133455874-5522801-237819;usrnnmi;INDRA;E8CB665h;3||An account was logged off. Subject: \tSecurity ID:\t\tS-1-5-21-1506503333-1133455874-5522801-237819 \tAccount Name:\t\tusrnnmi \tAccount Domain:\t\tINDRA \tLogon ID:\t\t0xE8CB665 Logon Type:\t\t\t3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\n",
"Sep 14 00:41:58 MADARRBCKOC MSWinEventLog 1 ||{54849625-5478-4994-A5BA-3E3B0328C30D}||Microsoft-Windows-Security-Auditing||4672||0||Information||||Info||Audit Success||2017-09-14 00:41:58||154144||||||568||4612||0||0|| ||Security||madarrbckoc.indra.es||||S-1-5-18;MADARRBCKOC$;INDRA;309CE194h;SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege||Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: MADARRBCKOC$ Account Domain: INDRA Logon ID: 0x309ce194 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege",
"<13>Jul 14 10:10:39 172.22.208.24 MSWinEventLog 1 ||{54849625-5478-4994-A5BA-3E3B0328C30D}||Microsoft-Windows-Security-Auditing||4634||0||Information||||Info||Audit Success||2017-07-14 10:10:39||1123805||||||612||2192||0||0|| ||Security||madcpvflexaprtl.acme.es||||S-1-5-21-1506503333-1133455874-5522801-237819;usrnnmi;acme;E8CB665h;3||An account was logged off. Subject: \tSecurity ID:\t\tS-1-5-21-1506503333-1133455874-5522801-237819 \tAccount Name:\t\tusrnnmi \tAccount Domain:\t\tacme \tLogon ID:\t\t0xE8CB665 Logon Type:\t\t\t3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\n",
"Sep 14 00:41:58 MADARRBCKOC MSWinEventLog 1 ||{54849625-5478-4994-A5BA-3E3B0328C30D}||Microsoft-Windows-Security-Auditing||4672||0||Information||||Info||Audit Success||2017-09-14 00:41:58||154144||||||568||4612||0||0|| ||Security||madarrbckoc.acme.es||||S-1-5-18;MADARRBCKOC$;acme;309CE194h;SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege||Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: MADARRBCKOC$ Account Domain: acme Logon ID: 0x309ce194 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege",
'CEF:0|security|threatmanager|1.0|100|detected a \\| in message|10|src=10.0.0.1 act=blocked a | dst=1.1.1.1',

@@ -53,2 +53,3 @@ 'Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected a \\ in packet|10|src=10.0.0.1 act=blocked a \\ dst=1.1.1.1',

'<30>s2413-XXX.aviacion.fomento.es Instancia3[22469]: INFO 17:33:22,521 INFO [stdout] (http--0.0.0.0-8083-299) 2018-09-25 17:33:22,521 INFO - es.XXX.dcta.core.ws.consultas.DctaCoreConsultasPortImpl - Finishing operation obtenerConsentimientos | usuario= sed1 count= 2\n',
'<166>Nov 6 13:07:13 MADCPVDS1 CEF:0|Trend Micro|Deep Security Manager|11.0.249|720|Policy Sent|3|src=172.22.225.30 suser=System target=Colbog7mtt msg=The policy (fingerprint 6B:20:C9:33:9C:C9:5D:AD:2C:51:94:67:17:53:E7:68:95:B9:2B:A1) was successfully sent to the agent. TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 '
];

