Add Nxlog format (#124)

cea-sec · Apr 30, 2024 · 2313e90 · 2313e90
1 parent dd21fd4
commit 2313e90
Show file tree

Hide file tree

Showing 11 changed files with 781 additions and 16 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -27,6 +27,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Add `locale` and `data_locale` subscriptions parameters
 - Add support for Proxy Protocol to allow openwec to be used behind a layer 4 load
 balancer whilst preserving the client IP address and port.
+- Add Nxlog format (#124)
 
 ### Changed
 

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/cli/src/skell.rs b/cli/src/skell.rs
@@ -136,6 +136,10 @@ fn get_outputs() -> String {
 # Outputs
 #
 
+# For each output, you must configure a driver and a format.
+# The format can be one of: "Raw", "JsonRaw", "Json", "Nxlog"
+# The driver can be one of: "Files", "Kafka", "Tcp", "Redis", "UnixDatagram"
+
 # Configure a Files output
 # [[outputs]]
 # driver = "Files"

diff --git a/common/src/models/config.rs b/common/src/models/config.rs
@@ -137,16 +137,16 @@ enum SubscriptionOutputFormat {
     Json,
     Raw,
     RawJson,
+    Nxlog
 }
 
 impl From<SubscriptionOutputFormat> for crate::subscription::SubscriptionOutputFormat {
     fn from(value: SubscriptionOutputFormat) -> Self {
         match value {
             SubscriptionOutputFormat::Json => crate::subscription::SubscriptionOutputFormat::Json,
             SubscriptionOutputFormat::Raw => crate::subscription::SubscriptionOutputFormat::Raw,
-            SubscriptionOutputFormat::RawJson => {
-                crate::subscription::SubscriptionOutputFormat::RawJson
-            }
+            SubscriptionOutputFormat::RawJson => crate::subscription::SubscriptionOutputFormat::RawJson,
+            SubscriptionOutputFormat::Nxlog => crate::subscription::SubscriptionOutputFormat::Nxlog
         }
     }
 }
@@ -382,7 +382,7 @@ port = 8080
 ## Redis output
 [[outputs]]
 driver = "Redis"
-format = "Json"
+format = "Nxlog"
 enabled = false
 
 [outputs.config]
@@ -456,7 +456,7 @@ path = "/tmp/openwec.socket"
                 true,
             ),
             crate::subscription::SubscriptionOutput::new(
-                crate::subscription::SubscriptionOutputFormat::Json,
+                crate::subscription::SubscriptionOutputFormat::Nxlog,
                 crate::subscription::SubscriptionOutputDriver::Redis(
                     crate::subscription::RedisConfiguration::new(
                         "localhost".to_string(),

diff --git a/common/src/models/export.rs b/common/src/models/export.rs
@@ -206,6 +206,7 @@ mod v1 {
         Json,
         Raw,
         RawJson,
+        Nxlog,
     }
 
     impl From<SubscriptionOutputFormat> for crate::subscription::SubscriptionOutputFormat {
@@ -215,9 +216,8 @@ mod v1 {
                     crate::subscription::SubscriptionOutputFormat::Json
                 }
                 SubscriptionOutputFormat::Raw => crate::subscription::SubscriptionOutputFormat::Raw,
-                SubscriptionOutputFormat::RawJson => {
-                    crate::subscription::SubscriptionOutputFormat::RawJson
-                }
+                SubscriptionOutputFormat::RawJson => crate::subscription::SubscriptionOutputFormat::RawJson,
+                SubscriptionOutputFormat::Nxlog => crate::subscription::SubscriptionOutputFormat::Nxlog,
             }
         }
     }
@@ -229,9 +229,8 @@ mod v1 {
                     SubscriptionOutputFormat::Json
                 }
                 crate::subscription::SubscriptionOutputFormat::Raw => SubscriptionOutputFormat::Raw,
-                crate::subscription::SubscriptionOutputFormat::RawJson => {
-                    SubscriptionOutputFormat::RawJson
-                }
+                crate::subscription::SubscriptionOutputFormat::RawJson => SubscriptionOutputFormat::RawJson,
+                crate::subscription::SubscriptionOutputFormat::Nxlog => SubscriptionOutputFormat::Nxlog,
             }
         }
     }

diff --git a/common/src/subscription.rs b/common/src/subscription.rs
@@ -217,6 +217,7 @@ pub enum SubscriptionOutputFormat {
     Json,
     Raw,
     RawJson,
+    Nxlog,
 }
 
 impl SubscriptionOutputFormat {
@@ -227,6 +228,7 @@ impl SubscriptionOutputFormat {
             SubscriptionOutputFormat::Raw => false,
             SubscriptionOutputFormat::RawJson => false,
             SubscriptionOutputFormat::Json => true,
+            SubscriptionOutputFormat::Nxlog => true,
         }
     }
 }

diff --git a/doc/formats.md b/doc/formats.md
@@ -245,11 +245,58 @@ processing_error_data := {
 }
 ```
 
+## Nxlog format
+
+This format mimics the output of the `im_msvistalog` module of Nxlog (see https://docs.nxlog.co/refman/current/im/msvistalog.html).
+
+Fields are documentated here:
+- https://docs.nxlog.co/refman/current/im/msvistalog.html#fields
+- https://docs.nxlog.co/refman/current/im/msvistalog_providers.html
+
+There are some differencies between the OpenWEC's Nxlog format and the original format:
+- Some fields are not present in OpenWEC's Nxlog format: `AccountName`, `AccountType`, `Domain`, `SourceModuleName`, `SourceModuleType`.
+- Some fields are only present if OpenWEC's subscription content format is set to `RenderedText`: `Category`, `Message`, `Opcode`.
+- Dates are formatted using RFC3389 format (instead of "Y-m-d H:M:S")
+- A field named `OpenWEC` is added with the following format:
+```json
+openwec_data := {
+    /* IP Address of the Windows client */
+    "IpAddress": string,
+    /* Time when the event was received by OpenWEC */
+    "TimeReceived": date,
+    /* Principal of the Windows client */
+    "Principal": string,
+    /* OpenWEC node that received the event.
+      Only present if server.node_name configuration setting is set */
+    "Node": string,
+    "Subscription": {
+        "Name": string,
+        "Version": string,
+        "Uuid": string,
+        "Uri": string,
+        /* Only if revision is set for this subscription */
+        "ServerRevision": string,
+        "ClientRevision": string
+    },
+    /* Only in case of error during event parsing or serializing */
+    "Error": {
+        "OriginalContent": string,
+        "Type": string,
+        "Message": string
+    }
+}
+```
+
+
 ## How to add a new format ?
 
-- Create a new dedicated module in `server::formats` with a structure that implements `OutputFormat`
 - Add a new variant to `common::subscription::SubscriptionOutputFormat`
-- Fix all the compiler errors about missing variant in matches :-)
 - Adapt import/export format in `common::models::export` (version don't need to be changed if only new variants are added)
 - Adapt config format in `common::models::config`
+
+- Create a new dedicated module in `server::formats` with a structure that implements `OutputFormat`
+
+- Fix all the compiler errors about missing variant in matches :-)
+- Add the new format in `cli::skell`
+
 - Add documentation in `doc/formats.md`
diff --git a/server/Cargo.toml b/server/Cargo.toml
@@ -50,3 +50,4 @@ socket2 = "0.5.6"
 http-body-util = "0.1"
 ppp = "2.2.0"
 tokio-rustls = "0.26.0"
+strum = { version = "0.26.1", features = ["derive"] }
diff --git a/server/src/formats/mod.rs b/server/src/formats/mod.rs
@@ -1,3 +1,4 @@
 pub mod json;
 pub mod raw;
-pub mod raw_json;
+pub mod raw_json;
+pub mod nxlog;