feat: skill for parser creator

[Kawron]

This is a draft of an AI agent skill (using agentskills specification: https://agentskills.io/home) for SC4S. This agent can be used to create parsers. For now it supports RFC5424 RFC3164 and CEF formats. It can correctly match and parse logs. It also creates and runs unit tests. To use unit test you need docker compose installed.

Example on how to start conversation:

(USER) Create a parser for new sourcetype
(BOT) To create an SC4S parser, I need these details:

Vendor – vendor name in lowercase (e.g. acme)
Product – product name in lowercase (e.g. firewall)
Sourcetype – Splunk sourcetype, usually vendor:product (e.g. acme:firewall)
Index – Splunk index (e.g. netfw, netops)
Sample logs – one or more raw syslog messages (exact lines as sent by the device/app)
Reply with those five items and I’ll create the parser (and tests) for both the main and lite packages.

(USER)
vendor: jatp
product: cortex
sourcetype: jatp:cortex
index: netfw
log:
Dec 6 16:52:22 IP Dec 06 16:51:38 hostname
CEF:0|JATP|Cortex|3.6.0.1444|email|Phishing|8|externalId=1504
eventId=14067 lastActivityTime=2016-12-06 23:51:38+00 src=kwrona dst=kwrona
src_hostname=kwrona dst_hostname=kwrona src_username=kwrona dst_username=
mailto:src_email_id=src@abc.comdst_email_id={mailto:test@abc.com} startTime=2016-12- 06 23:51:38+00 url=http://greatfilesarey.asia/QA/files_to_pcaps/74280968a4917da52b5555351eeda969.bin
fileHash=bce00351cfc559afec5beb90ea387b03788e4af5 fileType=PE32
executable (GUI) Intel 80386, for MS Windows

---

If you find any errors, bugs, mistakes or examples of wrong parsers, please let me know. It will help me develop this project further

[ajasnosz]

if we go the route of not specifying the name maybe here we also should change it

[Kawron]

done