package org.graylog.integrations.inputs.paloalto;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.Lists;
import jakarta.validation.constraints.NotNull;
import java.io.IOException;
import java.io.StringReader;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.Nullable;
import org.apache.commons.csv.CSVFormat;
import org.apache.commons.csv.CSVParser;
import org.apache.commons.csv.CSVRecord;
import org.apache.commons.lang.StringUtils;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.joda.time.format.DateTimeFormat;
import org.joda.time.format.DateTimeFormatter;
import org.joda.time.format.ISODateTimeFormat;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/graylog/integrations/inputs/paloalto/PaloAltoParser.class */
public class PaloAltoParser {
    private static final Logger LOG = LoggerFactory.getLogger(PaloAltoParser.class);
    private static final DateTimeFormatter SYSLOG_TIMESTAMP_FORMATTER = DateTimeFormat.forPattern("MMM d HH:mm:ss YYYY").withLocale(Locale.US);
    private static final Pattern PANORAMA_SYSLOG_PARSER = Pattern.compile("<\\d+>[0-9] (.+?) (.+?)\\s[-]\\s[-]\\s[-]\\s[-]\\s(\\d,.*)");
    private static final Pattern STANDARD_SYSLOG_PARSER = Pattern.compile("<\\d+>([A-Z][a-z][a-z]\\s{1,2}\\d{1,2}\\s\\d{1,2}[:]\\d{1,2}[:]\\d{2})\\s(.+?)\\s(\\d,.*)");
    private static final Pattern STANDARD_SYSLOG_NO_HOST_PARSER = Pattern.compile("<\\d+>([A-Z][a-z][a-z]\\s{1,2}\\d{1,2}\\s\\d{1,2}[:]\\d{1,2}[:]\\d{2})\\s(\\d,.*)");
    private static final String SINGLE_SPACE = " ";
    private static final String DOUBLE_SPACE = "\\s{2}";

    @Nullable
    public PaloAltoMessageBase parse(@NotNull String str, DateTimeZone dateTimeZone) {
        String trim = StringUtils.trim(str);
        if (PANORAMA_SYSLOG_PARSER.matcher(trim).matches()) {
            LOG.trace("Message is in Panorama format [{}]", trim);
            Matcher matcher = PANORAMA_SYSLOG_PARSER.matcher(trim);
            if (!matcher.find()) {
                LOG.error("Cannot parse malformed Panorama message: {}", trim);
                return null;
            }
            String group = matcher.group(1);
            String group2 = matcher.group(2);
            return buildPaloAltoMessageBase(group.substring(group.length() - 6).matches(".*[Z+-].*") ? DateTime.parse(group) : DateTime.parse(group, ISODateTimeFormat.dateTimeParser().withZone(dateTimeZone)), matcher.group(3), group2);
        }
        if (STANDARD_SYSLOG_PARSER.matcher(trim).matches()) {
            LOG.trace("Message is in structured syslog format [{}]", trim);
            Matcher matcher2 = STANDARD_SYSLOG_PARSER.matcher(trim);
            if (matcher2.matches()) {
                return buildPaloAltoMessageBase(SYSLOG_TIMESTAMP_FORMATTER.withZone(dateTimeZone).parseDateTime(matcher2.group(1).replaceFirst(DOUBLE_SPACE, SINGLE_SPACE) + " " + DateTime.now(DateTimeZone.UTC).getYear()), matcher2.group(3), matcher2.group(2));
            }
            LOG.error("Cannot parse malformed Syslog message: {}", trim);
            return null;
        }
        if (!STANDARD_SYSLOG_NO_HOST_PARSER.matcher(trim).matches()) {
            LOG.error("Cannot parse malformed PAN message [unrecognized format]: {}", trim);
            return null;
        }
        LOG.trace("Message is in structured syslog (with no hostname) format [{}]", trim);
        Matcher matcher3 = STANDARD_SYSLOG_NO_HOST_PARSER.matcher(trim);
        if (matcher3.matches()) {
            return buildPaloAltoMessageBase(SYSLOG_TIMESTAMP_FORMATTER.parseDateTime(matcher3.group(1).replaceFirst(DOUBLE_SPACE, SINGLE_SPACE) + " " + DateTime.now(DateTimeZone.UTC).getYear()).withZone(dateTimeZone), matcher3.group(2), "");
        }
        LOG.error("Cannot parse malformed Syslog message: {}", trim);
        return null;
    }

    private PaloAltoMessageBase buildPaloAltoMessageBase(DateTime dateTime, String str, String str2) {
        ImmutableList<String> parseCSVFields = parseCSVFields(str);
        if (parseCSVFields == null) {
            return null;
        }
        return PaloAltoMessageBase.create(str2, dateTime, str, (String) parseCSVFields.get(3), parseCSVFields);
    }

    private ImmutableList<String> parseCSVFields(String str) {
        try {
            List records = new CSVParser(new StringReader(str), CSVFormat.DEFAULT).getRecords();
            if (records.size() == 1) {
                return ImmutableList.copyOf(Lists.newArrayList(((CSVRecord) records.get(0)).iterator()));
            }
            LOG.error("Cannot parse malformed/multiline Syslog message: {}", str);
            return null;
        } catch (IOException e) {
            LOG.error("Cannot parse CSV PAN message: {}", str, e);
            return null;
        }
    }
}
