Skill for parser creator

Author: Kawron

.cursor/skills/create-sc4s-parser/SKILL.md

@@ -0,0 +1,312 @@
+---
+name: create-sc4s-parser
+description: DEPRECATED DON'T USE IT!. Creates SC4S syslog-ng parsers using a TDD workflow. Use when the user wants to create a new parser, add support for a new log source or vendor, or says "create parser", "add parser", "new log source", or "new vendor support".
+---
+
+# SC4S Parser Creation (TDD Workflow)
+
+Create syslog-ng parsers for SC4S using test-driven development: write the test first, then the parser, then validate against the full test suite.
+
+## Prerequisites
+
+Before starting, gather from the user:
+
+1. **vendor** — vendor name (lowercase, e.g. `acme`)
+2. **product** — product name (lowercase, e.g. `firewall`)
+3. **sourcetype** — Splunk sourcetype (e.g. `acme:firewall`)
+4. **index** — target Splunk index (e.g. `netfw`, `netops`, `netauth`, `netproxy`, `epintel`)
+5. **sample_logs** — one or more raw syslog messages
+6. **parser_type** (optional) — `syslog` (default), `almost-syslog`, `cef`, `netsource`
+
+If any are missing, ask the user. Use the AskQuestion tool for structured input when available.
+
+## Workflow Checklist
+
+Copy this and track progress:
+
+```
+Parser: {vendor}_{product}
+- [ ] Step 1: Analyze sample logs
+- [ ] Step 2: Review existing parsers for conflicts
+- [ ] Step 3: Create parser .conf for lite package and main package
+- [ ] Step 4: Create addon_metadata.yaml (if new vendor)
+- [ ] Step 5: Create unit test
+- [ ] Step 6: Run the parser test
+- [ ] Step 7: Run regression tests
+```
+
+---
+
+## Step 1: Analyze Sample Logs
+
+Examine the raw sample logs to determine:
+
+1. **Syslog format**:
+   - RFC3164: `<PRI>TIMESTAMP HOSTNAME PROGRAM: MESSAGE`
+   - RFC5424: `<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SDATA MESSAGE`
+   - CEF: `<PRI>TIMESTAMP HOSTNAME CEF:0|<Device Vendor>|<Device Product>|<Device Version>|<Signature ID>|<Name>|<Severity>|<Extension fields>`
+
+2. **Identifying features** (what makes this log unique):
+   - PROGRAM field (e.g. `swlogd`, `CISE_`, `%ASA-`)
+   - Message content patterns (e.g. `devid=FG`, `1,TIMESTAMP,SERIAL,TRAFFIC,`)
+   - Structured data fields
+
+3. **Filter strategy** — choose the narrowest filter:
+   - If the log is in CEF format: use `<Device Vendor>` and `<Device Product>` fields
+   - If the log has a unique PROGRAM: use `program()` filter with `sc4s-syslog-pgm` topic
+   - If PROGRAM is empty but message has unique prefix/pattern: use `message()` filter with `sc4s-syslog` topic
+   - If identification requires a dedicated port: use `sc4s-network-source` topic
+
+4. **Template selection**:
+   - `t_hdr_msg` — most common, includes MSGHDR + MESSAGE
+   - `t_msg_only` — message only (no header), used for CSV formats like Palo Alto
+   - `t_5424_hdr_sdata_compact` — RFC5424 with structured data
+   - `t_hdr_sdata_msg` — header + SDATA + message (Juniper)
+   - `t_kv_values` — key-value formatted output
+   - `t_json_values` — JSON formatted extracted values
+
+
+For full template and parser pattern reference, see [parser-reference.md](parser-reference.md).
+
+## Step 2: Review Existing Parsers for Conflicts
+
+Before writing the filter, check that no existing parser uses a filter that would match these logs:
+
+1. Search for similar `program()` filters in `package/lite/etc/addons/`:
+   ```
+   grep -r "program(" package/lite/etc/addons/ --include="*.conf"
+   ```
+
+2. Search for similar `message()` patterns:
+   ```
+   grep -r "message(" package/lite/etc/addons/ --include="*.conf"
+   ```
+
+3. If there IS a conflict, narrow your filter or discuss with the user.
+
+## Step 3: Create Parser Configuration
+
+For main package create `package/etc/conf.d/conflib/{parser_type}/app-{parser_type}-{vendor}_{prodict}.conf`. 
+
+For lite package create `package/lite/etc/addons/{vendor}/app-{parser_type}-{vendor}_{product}.conf`.
+
+**Parser file template (simple case with PROGRAM filter):**
+
+```
+block parser app-{parser_type}-{vendor}_{product}() {
+    channel {
+        rewrite {
+            r_set_splunk_dest_default(
+                index('{INDEX}')
+                sourcetype('{SOURCETYPE}')
+                vendor("{VENDOR}")
+                product("{PRODUCT}")
+                template('{TEMPLATE}')
+            );
+        };
+    };
+};
+application app-{parser_type}-{vendor}_{product}[sc4s-syslog-pgm] {
+    filter {
+        program('{PROGRAM_MATCH}' type(string) flags(prefix));
+    };
+    parser { app-{parser_type}-{vendor}_{product}(); };
+};
+```
+
+**Parser file template (message-based filter, no PROGRAM):**
+
+```
+block parser app-{parser_type}-{vendor}_{product}() {
+    channel {
+        rewrite {
+            r_set_splunk_dest_default(
+                index('{INDEX}')
+                sourcetype('{SOURCETYPE}')
+                vendor("{VENDOR}")
+                product("{PRODUCT}")
+                template('{TEMPLATE}')
+            );
+        };
+    };
+};
+application app-{parser_type}-{vendor}_{product}[sc4s-syslog] {
+    filter {
+        "{dollar}PROGRAM" eq ""
+        and message('{MESSAGE_PATTERN}');
+    };
+    parser { app-{parser_type}-{vendor}_{product}(); };
+};
+```
+
+**Important:**
+- Use `sc4s-syslog-pgm` topic when matching on PROGRAM field.
+- Use `sc4s-syslog` topic when matching on message content with empty PROGRAM.
+- Use `sc4s-network-source` topic for port-based identification.
+- Use `cef` topic for cef logs
+- For complex parsers with field extraction, see [parser-reference.md](parser-reference.md).
+
+## Step 4: Create addon_metadata.yaml (if new vendor)
+
+If the vendor directory doesn't exist yet, create `package/lite/etc/addons/{vendor}/addon_metadata.yaml`:
+
+```yaml
+---
+name: "{vendor}"
+```
+## Step 5: Create Unit Test
+
+Create `tests/test_{vendor}_{product}.py` following the test pattern.
+For the full test template, see [test-reference.md](test-reference.md).
+
+**Key rules for test creation:**
+
+1. **Templatize** the raw sample logs:
+   - Replace the PRI value with `{{ mark }}`
+   - Replace the BSD timestamp with `{{ bsd }}`
+   - Replace the hostname with `{{ host }}`
+   - Keep the message body as-is from the sample
+
+2. **Imports** — always use:
+   ```python
+   from jinja2 import Environment, select_autoescape
+   from .sendmessage import sendsingle
+   from .splunkutils import splunk_single
+   from .timeutils import time_operations
+   import datetime
+   import pytest
+   import shortuuid
+   ```
+
+3. **Test marker** — use `@pytest.mark.addons("{vendor_addon_dir}")` where `{vendor_addon_dir}` matches the addon directory name under `package/lite/etc/addons/`.
+
+4. **Search query** must include: `index`, `_time={{ epoch }}`, `sourcetype`, and `host`.
+
+5. **Assert** `result_count == 1` for each test event.
+
+6. **Multiple test functions** — create one test per log variant (different subtypes, formats, etc.)
+
+**Test file template (simple case):**
+
+```python
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+import shortuuid
+
+from jinja2 import Environment, select_autoescape
+from .sendmessage import sendsingle
+from .splunkutils import splunk_single
+from .timeutils import time_operations
+import datetime
+import pytest
+
+env = Environment(autoescape=select_autoescape(default_for_string=False))
+
+
+# Paste the original raw log as a comment above testdata
+# <134>Feb 18 09:37:41 myhost myprogram: some message content
+testdata = [
+    "{{ mark }}{{ bsd }} {{ host }} myprogram: some message content",
+]
+
+
+@pytest.mark.addons("{VENDOR_ADDON_DIR}")
+@pytest.mark.parametrize("event", testdata)
+def test_{vendor}_{product}(
+    record_property, get_host_key, setup_splunk, setup_sc4s, event
+):
+    host = get_host_key
+
+    dt = datetime.datetime.now()
+    _, bsd, _, _, _, _, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string(event + "\n")
+    message = mt.render(mark="<134>", bsd=bsd, host=host)
+
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string(
+        'search index={INDEX} _time={{ epoch }} sourcetype="{SOURCETYPE}" (host="{{ host }}" OR "{{ host }}")'
+    )
+    search = st.render(epoch=epoch, host=host)
+
+    result_count, _ = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", result_count)
+    record_property("message", message)
+
+    assert result_count == 1
+```
+
+Replace `{VENDOR_ADDON_DIR}`, `{INDEX}`, `{SOURCETYPE}`, `{vendor}`, `{product}` with actual values.
+
+## Step 6: Run the Parser Test
+
+Run only the new test to verify the parser catches the sample logs:
+
+```bash
+poetry run pytest tests/test_{vendor}_{product}.py -v --tb=long \
+  -k "test_{vendor}_{product}" \
+  --splunk_type=external \
+  --sc4s_host=<SC4S_HOST> \
+  --splunk_host=<SPLUNK_HOST>
+```
+
+**If the test fails:**
+1. Read the error output carefully
+2. Common issues:
+   - Filter too narrow → broaden the `program()` or `message()` match
+   - Wrong application topic → switch between `sc4s-syslog-pgm` and `sc4s-syslog`
+   - Wrong template → try `t_hdr_msg`, `t_msg_only`, or `t_legacy_hdr_msg`
+   - Timestamp parsing issues → check if a custom `date-parser` is needed
+3. Fix the parser and re-run until the test passes
+
+## Step 7: Run Regression Tests
+
+Run the full test suite to ensure no existing parsers are broken:
+
+```bash
+poetry run pytest tests/ -v --tb=long -n 14 \
+  -k "not lite and not name_cache" \
+  --splunk_type=external \
+  --sc4s_host=<SC4S_HOST> \
+  --splunk_host=<SPLUNK_HOST>
+```
+
+**If an existing test fails:**
+- Your new parser's filter is too broad — it's matching logs from another vendor
+- Tighten the filter condition (add more specificity to `program()` or `message()` match)
+- Re-run until all tests pass
+
+---
+
+## Decision Guide: Application Topic
+
+| Scenario | Topic | Example |
+|----------|-------|---------|
+| Log has a unique PROGRAM field | `sc4s-syslog-pgm` | `program('swlogd' type(string) flags(prefix))` |
+| PROGRAM is empty, message has pattern | `sc4s-syslog` | `message('^1,[^,]+,[^,]+,[A-Z]+\,')` |
+| Must use a dedicated port | `sc4s-network-source` | Port-based identification |
+| Log is RFC5424 with SDATA | `sc4s-syslog` | `match('\[vendor@' value("SDATA"))` |
+| Log is malformed / non-standard | `sc4s-almost-syslog` | Timestamp or header issues |
+
+## Decision Guide: Filter Type
+
+| Filter | When to use | Syntax |
+|--------|-------------|--------|
+| `program()` | PROGRAM field present and unique | `program('name' type(string) flags(prefix))` |
+| `message()` | Match on message content | `message('pattern' type(string) flags(prefix\|substring))` or regex |
+| `match()` | Match on a specific field | `match('value' value('.field.name'))` |
+| Combined | Multiple conditions needed | `program('X') or message('Y')` |
+
+## Additional Resources
+
+- For parser patterns with field extraction (CSV, KV, regex): [parser-reference.md](parser-reference.md)
+- For advanced test patterns (RFC5424, framed, multi-variant): [test-reference.md](test-reference.md)

.cursor/skills/create-sc4s-parser/cef-refrence.md

@@ -0,0 +1,44 @@
+CEF (Common Event Format)
+
+A CEF-formatted syslog message typically looks like this:
+```
+<PRI>TIMESTAMP HOSTNAME CEF:0|<Device Vendor>|<Device Product>|<Device Version>|<Signature ID>|<Name>|<Severity>|<Extension fields>
+```
+
+**Fields:**
+- `CEF:0` — Literal, indicating CEF version 0
+- `<Device Vendor>` — Name of the vendor, e.g., `Guardicore`
+- `<Device Product>` — Product name, e.g., `Centra`
+- `<Device Version>` — Product version, e.g., `51`
+- `<Signature ID>` — Unique event identifier, e.g., `Network Log`
+- `<Name>` — Short description/name for the event, e.g., `Network Log`
+- `<Severity>` — Event severity, string or number, e.g., `None`
+- `<Extension fields>` — Key-value pairs (space-separated), e.g., `id=157d593c act=Allowed src=10.1.2.3 ...`
+
+**Sample Raw CEF Message:**
+```
+<14>2023-02-20T22:01:00Z myhost CEF:0|Guardicore|Centra|51|Network Log|Network Log|None|id=157d593c act=Allowed src=10.1.1.1 dst=10.2.2.2 proto=TCP cs1Label=connection_type cs1=SUCCESSFUL
+```
+
+- `<14>` — PRI value (syslog priority)
+- `2023-02-20T22:01:00Z` — RFC3339 timestamp
+- `myhost` — Hostname
+- `CEF:0|...` — CEF header and fields
+
+**Common extension fields include:**
+- `id` (event ID), `act` (action), `cnt` (count), `src` (source address), `dst` (destination address), `dpt` (destination port), etc.
+
+For parser development, use the [parser-reference.md](parser-reference.md) for appropriate filters and templates. CEF logs usually require a `[cef]` topic in the application block, and filtering based on `.metadata.cef.device_vendor` and `.metadata.cef.device_product`.
+
+Example minimal application block for Guardicore Centra:
+```
+application app-cef-guardicore_centra[cef] {
+    filter {
+        match("Guardicore" value(".metadata.cef.device_vendor"))
+        and match("Centra" value(".metadata.cef.device_product"));
+    };
+    parser { app-cef-guardicore_centra(); };
+};
+```
+
+See also: [CEF reference documentation](https://community.microfocus.com/cyberres/pdf/cef.pdf) for full field definitions and best practices.