parse_linux_authorization.rs1use super::parse_syslog::ParseSyslogFn;
2use crate::compiler::prelude::*;
3use chrono::{Datelike, Utc};
4use std::sync::LazyLock;
/// Worked example rendered in the docs for `parse_linux_authorization`.
///
/// The sample log line carries no year, and the function resolves the year
/// from the current date (see the notice on the `Function` impl), so the
/// expected JSON has to be rendered at runtime rather than written as a
/// literal. It is leaked to obtain the `'static` string that `Example` holds.
static EXAMPLES: LazyLock<Vec<Example>> = LazyLock::new(|| {
    // Same clock the parser consults, so the expected timestamp matches.
    let current_year = Utc::now().year();
    let rendered = format!(
        indoc! {r#"{{
            "appname": "sshd",
            "hostname": "localhost",
            "message": "Accepted publickey for eng from 10.1.1.1 port 8888 ssh2: RSA SHA256:foobar",
            "procid": 1111,
            "timestamp": "{year}-03-23T01:49:58Z"
        }}"#},
        year = current_year
    );
    // Leaked on purpose: `LazyLock` runs this closure once per process and the
    // example needs to live for the whole program.
    let expected = Box::leak(rendered.into_boxed_str());
    vec![example! {
        title: "Parse Linux authorization event",
        source: indoc! {"
            parse_linux_authorization!(
                s'Mar 23 01:49:58 localhost sshd[1111]: Accepted publickey for eng from 10.1.1.1 port 8888 ssh2: RSA SHA256:foobar'
            )
        "},
        result: Ok(expected),
    }]
});
/// Marker type for the VRL stdlib function `parse_linux_authorization`.
///
/// Zero-sized; all behaviour lives in its `Function` impl, which delegates the
/// actual parsing to the generic syslog parser.
#[derive(Debug, Clone, Copy)]
pub struct ParseLinuxAuthorization;
/// `Function` plumbing for `parse_linux_authorization`.
///
/// There is no authorization-specific parsing here: `compile` hands the
/// `value` argument straight to `ParseSyslogFn`, so the runtime behaviour,
/// the failure reason and the year-inference caveat are those of the generic
/// syslog parser. The remaining methods only feed the function reference.
impl Function for ParseLinuxAuthorization {
    /// Name under which the function is registered in VRL.
    fn identifier(&self) -> &'static str {
        "parse_linux_authorization"
    }

    /// Section of the function reference this entry is listed under.
    fn category(&self) -> &'static str {
        Category::Parse.as_ref()
    }

    /// User-facing description shown in the function reference.
    fn usage(&self) -> &'static str {
        "Parses Linux authorization logs usually found under either `/var/log/auth.log` (for Debian-based systems) or `/var/log/secure` (for RedHat-based systems) according to [Syslog](https://en.wikipedia.org/wiki/Syslog) format."
    }

    /// The single, mandatory `value` argument: the raw log line as bytes.
    fn parameters(&self) -> &'static [Parameter] {
        const PARAMS: &[Parameter] = &[Parameter::required(
            "value",
            kind::BYTES,
            "The text containing the message to parse.",
        )];
        PARAMS
    }

    /// Declared return kind: the extracted fields as an object.
    fn return_kind(&self) -> u16 {
        kind::OBJECT
    }

    /// Failure reasons listed in the docs for the fallible form of the call.
    fn internal_failure_reasons(&self) -> &'static [&'static str] {
        &["`value` is not a properly formatted Syslog message."]
    }

    /// Caveat published alongside the function.
    ///
    /// Because the year is derived from the date at parse time, timestamps
    /// in messages that omit the year are only trustworthy for recent input;
    /// replaying an archive older than a year will stamp it with the wrong
    /// year. NOTE(review): this follows from the notice text below; confirm
    /// against `ParseSyslogFn` before relying on it in forensic pipelines.
    fn notices(&self) -> &'static [&'static str] {
        &[indoc! {"
            The function resolves the year for messages that don't include it. If the current month
            is January, and the message is for December, it will take the previous year. Otherwise,
            take the current year.
        "}]
    }

    /// Worked example for the docs; built lazily since its expected output
    /// depends on the current year.
    fn examples(&self) -> &'static [Example] {
        EXAMPLES.as_slice()
    }

    /// Resolve the `value` argument and wrap it in the shared syslog
    /// expression. Type state and compile context are not consulted.
    fn compile(
        &self,
        _state: &state::TypeState,
        _ctx: &mut FunctionCompileContext,
        arguments: ArgumentList,
    ) -> Compiled {
        Ok(ParseSyslogFn {
            value: arguments.required("value"),
        }
        .as_expr())
    }
}