package org.graylog.plugins.cef.codec;

import com.github.jcustenborder.cef.CEFParser;
import com.github.jcustenborder.cef.CEFParserFactory;
import com.google.common.base.Strings;
import com.google.common.primitives.Ints;
import com.google.inject.assistedinject.Assisted;
import com.google.inject.assistedinject.AssistedInject;
import java.net.InetSocketAddress;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.graylog.plugins.cef.parser.CEFMapping;
import org.graylog.plugins.cef.parser.MappedMessage;
import org.graylog.plugins.pipelineprocessor.functions.syslog.SyslogUtils;
import org.graylog2.configuration.HttpConfiguration;
import org.graylog2.plugin.Message;
import org.graylog2.plugin.ResolvableInetSocketAddress;
import org.graylog2.plugin.configuration.Configuration;
import org.graylog2.plugin.configuration.ConfigurationRequest;
import org.graylog2.plugin.configuration.fields.BooleanField;
import org.graylog2.plugin.configuration.fields.ConfigurationField;
import org.graylog2.plugin.configuration.fields.TextField;
import org.graylog2.plugin.inputs.annotations.ConfigClass;
import org.graylog2.plugin.inputs.annotations.FactoryClass;
import org.graylog2.plugin.inputs.codecs.AbstractCodec;
import org.graylog2.plugin.inputs.codecs.Codec;
import org.graylog2.plugin.inputs.codecs.CodecAggregator;
import org.graylog2.plugin.journal.RawMessage;
import org.graylog2.shared.SuppressForbidden;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

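/**
 * Codec that turns raw CEF (Common Event Format) payloads into Graylog {@link Message}s.
 *
 * <p>A payload may optionally start with a syslog-style {@code <PRI>} prefix. When it does, the
 * priority is split into {@code level} and {@code facility} fields and the remainder of the line
 * is handed to the CEF parser; otherwise the whole payload is parsed as CEF.
 *
 * <p>Security note: every field produced here, including the message {@code source}, is derived
 * from the payload whenever the payload supplies it. Treat these values as sender-controlled
 * when they are used for attribution, alerting or access decisions.
 */
@SuppressForbidden("Intentionally use system default timezone")
public class CEFCodec extends AbstractCodec {
    public static final String NAME = "CEF";

    private static final String CK_TIMEZONE = "timezone";
    private static final String CK_LOCALE = "locale";
    private static final String CK_USE_FULL_NAMES = "use_full_names";

    // NOTE(review): an HTTP path constant is used as the default locale tag. This looks like a
    // decompiler substitution for an inlined string literal (presumably the empty string);
    // confirm against the original source before replacing it.
    private static final String DEFAULT_LOCALE_TAG = HttpConfiguration.PATH_WEB;

    private static final Logger LOG = LoggerFactory.getLogger(CEFCodec.class);

    // Optional syslog priority prefix, e.g. "<134>CEF:0|...". Without DOTALL/MULTILINE flags a
    // payload containing a line break does not match and is parsed as plain CEF instead.
    private static final Pattern SYSLOG_PREFIX = Pattern.compile("^<(?<pri>\\d+)>(?<msg>.*)$");

    private static final DateTimeZone DEFAULT_TIMEZONE = DateTimeZone.getDefault();

    private final DateTimeZone timezone;
    private final Locale locale;
    private final boolean useFullNames;
    private final CEFParser parser;

    /** Describes the configuration fields (timezone, locale, full field names) of this codec. */
    @ConfigClass
    public static class Config implements Codec.Config {
        /**
         * Builds the configuration form for this codec.
         *
         * @return request holding the timezone, locale and "use full names" fields
         */
        @Override
        public ConfigurationRequest getRequestedConfiguration() {
            ConfigurationRequest request = new ConfigurationRequest();
            request.addField(new TextField(CEFCodec.CK_TIMEZONE, "Timezone", CEFCodec.DEFAULT_TIMEZONE.getID(), "Timezone of the timestamps in CEF messages. Set this to the local timezone if in doubt. Format example: \"+01:00\" or \"America/Chicago\"", ConfigurationField.Optional.NOT_OPTIONAL));
            request.addField(new TextField(CEFCodec.CK_LOCALE, "Locale", CEFCodec.DEFAULT_LOCALE_TAG, "Locale to use for parsing the timestamps of CEF messages. Set this to english if in doubt. Format example: \"en\" or \"en_US\"", ConfigurationField.Optional.OPTIONAL));
            request.addField(new BooleanField(CEFCodec.CK_USE_FULL_NAMES, "Use full field names", false, "Use full field names in CEF messages (as defined in the CEF specification)"));
            return request;
        }

        /** Intentionally a no-op: this codec does not override any default values. */
        @Override
        public void overrideDefaultValues(@Nonnull ConfigurationRequest configurationRequest) {
        }
    }

    /** Assisted-inject factory for {@link CEFCodec} instances. */
    @FactoryClass
    public interface Factory extends Codec.Factory<CEFCodec> {
        @Override
        CEFCodec create(Configuration configuration);

        @Override
        Config getConfig();
    }

    /**
     * Creates a codec from the input configuration.
     *
     * <p>An unusable timezone ID is logged and replaced by the system default timezone rather
     * than failing the input. The locale value is accepted in both the {@code en-US} and the
     * {@code en_US} spelling.
     *
     * @param configuration codec configuration; read for the timezone, locale and
     *     "use full names" settings
     */
    @AssistedInject
    public CEFCodec(@Assisted Configuration configuration) {
        super(configuration);
        this.parser = CEFParserFactory.create();
        this.timezone = resolveTimezone(configuration);
        this.locale = Locale.forLanguageTag(
                normalizeLanguageTag(configuration.getString(CK_LOCALE, DEFAULT_LOCALE_TAG)));
        this.useFullNames = configuration.getBoolean(CK_USE_FULL_NAMES);
    }

    /** Reads the configured timezone, falling back to the system default when it is unusable. */
    private static DateTimeZone resolveTimezone(Configuration configuration) {
        try {
            return DateTimeZone.forID(configuration.getString(CK_TIMEZONE));
        } catch (Exception e) {
            LOG.warn("Could not configure CEF input timezone. Falling back to local default. Please check the error message:", e);
            return DEFAULT_TIMEZONE;
        }
    }

    /**
     * Converts the underscore spelling advertised in the configuration help ("en_US") into the
     * hyphenated form that {@link Locale#forLanguageTag(String)} understands. Without this,
     * "en_US" is an ill-formed tag and silently yields the root locale.
     */
    private static String normalizeLanguageTag(String tag) {
        return tag == null ? "" : tag.replace('_', '-');
    }

    /**
     * Decodes a raw payload, handling an optional syslog {@code <PRI>} prefix.
     *
     * @param rawMessage raw message whose payload is decoded with the codec's charset
     * @return the decoded message; syslog-derived {@code level} and {@code facility} fields are
     *     added last when a numeric priority prefix was present
     * @throws RuntimeException if the CEF part cannot be parsed (see {@link #decodeCEF})
     */
    @Override
    @Nullable
    public Message decode(@Nonnull RawMessage rawMessage) {
        final String payload = new String(rawMessage.getPayload(), this.charset);
        final Matcher prefix = SYSLOG_PREFIX.matcher(payload);
        if (!prefix.find()) {
            return decodeCEF(rawMessage, payload);
        }

        final Map<String, Object> syslogFields = new HashMap<>();
        // tryParse yields null for digit runs that do not fit an int; the prefix is then dropped
        // without adding level/facility.
        // NOTE(review): the priority is not range-checked here (RFC 5424 PRIVAL is 0-191);
        // confirm SyslogUtils copes with larger values.
        final Integer priority = Ints.tryParse(prefix.group("pri"));
        if (priority != null) {
            final int facility = SyslogUtils.facilityFromPriority(priority);
            syslogFields.put(Message.FIELD_LEVEL, SyslogUtils.levelFromPriority(priority));
            syslogFields.put("facility", SyslogUtils.facilityToString(facility));
        }

        final Message message = decodeCEF(rawMessage, prefix.group("msg"));
        message.addFields(syslogFields);
        return message;
    }

    @Override
    public String getName() {
        return NAME;
    }

    /**
     * Parses a CEF string and maps it onto a Graylog message.
     *
     * @param rawMessage raw message, used only to derive a fallback source
     * @param str CEF text without any syslog priority prefix
     * @return message carrying the mapped extensions plus the CEF header fields
     * @throws RuntimeException wrapping any failure raised while parsing or mapping
     */
    protected Message decodeCEF(@Nonnull RawMessage rawMessage, String str) {
        try {
            final MappedMessage cef = new MappedMessage(
                    this.parser.parse(str, this.timezone.toTimeZone(), this.locale), this.useFullNames);
            final Message message = new Message(
                    buildMessageSummary(cef), decideSource(cef, rawMessage), new DateTime(cef.timestamp()));
            message.addFields(cef.mappedExtensions());
            // Header fields are added after the extensions, so they are written last.
            message.addField("device_vendor", cef.deviceVendor());
            message.addField("device_product", cef.deviceProduct());
            message.addField("device_version", cef.deviceVersion());
            message.addField("event_class_id", cef.deviceEventClassId());
            message.addField("name", cef.name());
            message.addField("severity", cef.severity());
            return message;
        } catch (Exception e) {
            // The payload itself is deliberately not put into the exception message.
            throw new RuntimeException("Could not decode CEF message.", e);
        }
    }

    /**
     * Builds the short message text in the form {@code product: [eventClassId, severity] name}.
     *
     * @param message parsed CEF message
     * @return summary string
     */
    protected String buildMessageSummary(com.github.jcustenborder.cef.Message message) {
        return message.deviceProduct() + ": [" + message.deviceEventClassId() + ", " + message.severity() + "] " + message.name();
    }

    /**
     * Chooses the value of the message source.
     *
     * <p>Order of preference: the {@code dvc} extension (full name first, then key name), the
     * host of the parsed message, the remote address of the raw message, and finally the
     * literal {@code "unknown"}.
     *
     * <p>The first two candidates come from the parsed payload and are therefore chosen by the
     * sender; only the remote-address fallback reflects the transport peer. Do not rely on the
     * resulting source as an authenticated origin.
     *
     * @param mappedMessage parsed and mapped CEF message
     * @param rawMessage raw message providing the remote address fallback
     * @return the chosen source, never {@code null}
     */
    protected String decideSource(MappedMessage mappedMessage, RawMessage rawMessage) {
        final Map<String, Object> extensions = mappedMessage.mappedExtensions();
        if (extensions != null && !extensions.isEmpty()) {
            // NOTE(review): the cast assumes the mapped dvc value is a String; a different type
            // would raise ClassCastException (surfaced by decodeCEF as a decode failure).
            final String deviceAddress = (String) extensions.getOrDefault(
                    CEFMapping.dvc.getFullName(), extensions.get(CEFMapping.dvc.getKeyName()));
            if (!Strings.isNullOrEmpty(deviceAddress)) {
                return deviceAddress;
            }
        }

        if (!Strings.isNullOrEmpty(mappedMessage.host())) {
            return mappedMessage.host();
        }

        final ResolvableInetSocketAddress remoteAddress = rawMessage.getRemoteAddress();
        final InetSocketAddress socketAddress = remoteAddress == null ? null : remoteAddress.getInetSocketAddress();
        if (socketAddress == null) {
            return "unknown";
        }
        if (socketAddress.getAddress() == null) {
            // Unresolved socket address: getAddress() is null, so fall back to the host string
            // instead of failing the whole decode with a NullPointerException.
            return socketAddress.getHostString();
        }
        // InetAddress.toString() renders "hostname/literal-ip" (or "/literal-ip" when no host
        // name is known); the format is kept as-is for compatibility with existing data.
        return socketAddress.getAddress().toString();
    }

    /** This codec does not aggregate messages. */
    @Override
    @Nullable
    public CodecAggregator getAggregator() {
        return null;
    }

    @Override
    @Nonnull
    public Configuration getConfiguration() {
        return this.configuration;
    }
}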
