Merge pull request #1604 from shane-lawrence/pmsnare-update

Update pmsnare: allow different tab escapes
2025-12-20 10:50:41 +01:00 · 2017-06-09 14:46:25 +02:00 · 2017-06-09 14:46:25 +02:00 · a6c465c969
commit a6c465c969
parent 202760c1de ed5ea46a65
15 changed files with 808 additions and 98 deletions
--- a/contrib/pmsnare/pmsnare.c
+++ b/contrib/pmsnare/pmsnare.c
@ -10,10 +10,13 @@
 *
 * hostname<tab>tag<tab>otherstuff
 *
+ * The tabs can be represented in different ways. This module will auto-detect the tab representation based on
+ * the global config settings, but they can be overridden for each instance in the config file if needed.
+ *
 * ToDo, take advantage of items in the message itself to set more friendly information
 * where the normal parser will find it by re-writing more of the message
 *
- * Intereting information includes:
+ * Interesting information includes:
 *
 * in the case of windows snare messages:
 *   the system hostname is field 12
@ -22,6 +25,7 @@
 * 
 * 
 * created 2010-12-13 by David Lang based on pmlastmsg
+ * Modified 2017-05-29 by Shane Lawrence.
 *
 * This file is part of rsyslog.
 *
@ -59,6 +63,7 @@
 MODULE_TYPE_PARSER
 MODULE_TYPE_NOKEEP
 PARSER_NAME("rsyslog.snare")
+MODULE_CNFNAME("pmsnare")

 /* internal structures
 */
@ -72,6 +77,120 @@ DEFobjCurrIf(datetime)
 /* static data */
 static int bParseHOSTNAMEandTAG;	/* cache for the equally-named global param - performance enhancement */

+/* Keep a list of parser instances so we can apply global settings after config is loaded. */
+typedef struct modInstances_s {
+	instanceConf_t *root;
+	instanceConf_t *tail;	
+} modInstances_t;
+static modInstances_t *modInstances = NULL;
+
+struct modConfData_s {
+	rsconf_t *pConf;	/* our overall config object */
+};
+static modConfData_t *modConf = NULL;
+
+/* Per-instance config settings. */
+static struct cnfparamdescr parserpdescr[] = {
+	{ "parser.controlcharacterescapeprefix", eCmdHdlrGetChar, 0 },
+	{ "parser.escapecontrolcharactersonreceive", eCmdHdlrBinary, 0 },
+	{ "parser.escapecontrolcharactertab", eCmdHdlrBinary, 0},
+	{ "parser.escapecontrolcharacterscstyle", eCmdHdlrBinary, 0 }
+};
+static struct cnfparamblk parserpblk = {
+	CNFPARAMBLK_VERSION,
+	sizeof(parserpdescr)/sizeof(struct cnfparamdescr),
+	parserpdescr
+};
+struct instanceConf_s {
+	int bEscapeCCOnRcv;
+	int bEscapeTab;
+	int bParserEscapeCCCStyle;
+	uchar cCCEscapeChar;
+	int tabLength;
+	char tabRepresentation[5];
+	struct instanceConf_s *next;
+};
+
+/* Creates the instance and adds it to the list of instances. */
+static rsRetVal createInstance(instanceConf_t **pinst) {
+	instanceConf_t *inst;
+	DEFiRet;
+	CHKmalloc(inst = MALLOC(sizeof(instanceConf_t)));
+	inst->next = NULL;
+	*pinst = inst;
+	
+	/*  Add to list of instances. */
+	if(modInstances == NULL) {
+		CHKmalloc(modInstances = MALLOC(sizeof(modInstances_t)));
+		modInstances->tail = modInstances->root = NULL;
+	}
+	if (modInstances->tail == NULL) {
+		modInstances->tail = modInstances->root = inst;
+	} else {
+		modInstances->tail->next = inst;
+		modInstances->tail = inst;
+	}
+
+	finalize_it:
+	RETiRet;
+}
+
+BEGINnewParserInst
+	struct cnfparamvals *pvals = NULL;
+	int i;
+CODESTARTnewParserInst
+	DBGPRINTF("newParserInst (pmsnare)\n");
+	inst = NULL;
+	CHKiRet(createInstance(&inst));
+
+	/* Mark these as unset so we know if they should be overridden later. */
+	inst->bEscapeCCOnRcv = -1;
+	inst->bEscapeTab = -1;
+	inst->bParserEscapeCCCStyle = -1;
+	inst->cCCEscapeChar = '\0';
+
+	/* If using the old config, just use global settings for each instance. */
+	if (lst == NULL)
+		FINALIZE;
+	
+	/* If using the new config, process module settings for this instance. */
+	if((pvals = nvlstGetParams(lst, &parserpblk, NULL)) == NULL) {
+		ABORT_FINALIZE(RS_RET_MISSING_CNFPARAMS);
+	}
+
+	if(Debug) {
+		dbgprintf("pmsnare: parser param blk:\n");
+		cnfparamsPrint(&parserpblk, pvals);
+	}
+
+	for(i = 0 ; i < parserpblk.nParams ; ++i) {
+		if(!pvals[i].bUsed)
+			continue;
+		if(!strcmp(parserpblk.descr[i].name, "parser.escapecontrolcharactersonreceive")) {
+			inst->bEscapeCCOnRcv = pvals[i].val.d.n;
+		} else if(!strcmp(parserpblk.descr[i].name, "parser.escapecontrolcharactertab")) {
+			inst->bEscapeTab = pvals[i].val.d.n;
+		} else if(!strcmp(parserpblk.descr[i].name, "parser.escapecontrolcharacterscstyle")) {
+			inst->bParserEscapeCCCStyle = pvals[i].val.d.n;
+		} else if(!strcmp(parserpblk.descr[i].name, "parser.controlcharacterescapeprefix")) {
+			inst->cCCEscapeChar = (uchar) *es_str2cstr(pvals[i].val.d.estr, NULL);
+		} else {
+			dbgprintf("pmsnare: program error, non-handled param '%s'\n", parserpblk.descr[i].name);
+		}
+	}
+	
+finalize_it:
+CODE_STD_FINALIZERnewParserInst
+	if(lst != NULL)
+		cnfparamvalsDestruct(pvals, &parserpblk);
+	if(iRet != RS_RET_OK)
+		free(inst);
+ENDnewParserInst
+
+BEGINfreeParserInst
+CODESTARTfreeParserInst
+	dbgprintf("pmsnare: free parser instance %p\n", pInst);
+ENDfreeParserInst

 BEGINisCompatibleWithFeature
 CODESTARTisCompatibleWithFeature
@ -81,94 +200,164 @@ CODESTARTisCompatibleWithFeature
 		iRet = RS_RET_OK;
 ENDisCompatibleWithFeature

+/* Interface with the global config. */
+BEGINbeginCnfLoad
+CODESTARTbeginCnfLoad
+	modConf = pModConf;
+	pModConf->pConf = pConf;
+ENDbeginCnfLoad

-BEGINparse
+BEGINsetModCnf
+CODESTARTsetModCnf
+	/* Could use module-globals here, but not global globals. */
+	(void) lst;
+ENDsetModCnf
+
+BEGINendCnfLoad
+	instanceConf_t *inst;
+CODESTARTendCnfLoad
+	dbgprintf("pmsnare: Begin endCnfLoad\n");
+	/* Loop through each parser instance and apply global settings to any option that hasn't been overridden.
+	 * This can't be done any earlier because the config wasn't fully loaded until now. */
+	for(inst = modInstances->root; inst != NULL; inst = inst->next) {
+		if(inst->bEscapeCCOnRcv == -1)
+			inst->bEscapeCCOnRcv = glbl.GetParserEscapeControlCharactersOnReceive();
+		if(inst->bEscapeTab == -1)
+			inst->bEscapeTab = glbl.GetParserEscapeControlCharacterTab();
+		if(inst->bParserEscapeCCCStyle == -1)
+			inst->bParserEscapeCCCStyle = glbl.GetParserEscapeControlCharactersCStyle();
+		if(inst->cCCEscapeChar == '\0')
+			inst->cCCEscapeChar = glbl.GetParserControlCharacterEscapePrefix();
+
+		/* Determine tab representation. Possible options:
+		 *		"#011"	escape on, escapetabs on, no change to prefix (default)
+		 *		"?011"	prefix changed in config
+		 *		"\\t"	C style
+		 *		'\t' 	escape turned off
+		 */
+		if (inst->bEscapeCCOnRcv && inst->bEscapeTab) {
+			if (inst->bParserEscapeCCCStyle) {
+				strncpy(inst->tabRepresentation, "\\t", 5);
+			} else {
+				strncpy(inst->tabRepresentation, "#011", 5);
+				inst->tabRepresentation[0] = inst->cCCEscapeChar;
+			}
+		} else {
+			strncpy(inst->tabRepresentation, "\t", 5);
+		}
+		inst->tabLength=strlen(inst->tabRepresentation);
+		/* TODO: This debug message would be more useful if it told which Snare instance! */
+		dbgprintf("pmsnare: Snare parser will treat '%s' as tab.\n", inst->tabRepresentation);
+	}
+
+	assert(pModConf == modConf);
+ENDendCnfLoad
+
+BEGINcheckCnf
+CODESTARTcheckCnf
+ENDcheckCnf 
+
+BEGINactivateCnf
+CODESTARTactivateCnf
+ENDactivateCnf
+
+BEGINfreeCnf
+	instanceConf_t *inst, *del;	
+CODESTARTfreeCnf
+	for(inst = modInstances->root ; inst != NULL ; ) {
+		del = inst;
+		inst = inst->next;
+		free(del);
+	}
+	free(modInstances);
+ENDfreeCnf
+
+BEGINparse2
 	uchar *p2parse;
 	int lenMsg;
-	int snaremessage;
-	int tablength;
-
-CODESTARTparse
-	#define TabRepresentation "#011"
-	tablength=sizeof(TabRepresentation);
+	int snaremessage; /* 0 means not a snare message, otherwise it's the index of the tab after the tag  */
+	
+CODESTARTparse2
 	dbgprintf("Message will now be parsed by fix Snare parser.\n");
 	assert(pMsg != NULL);
 	assert(pMsg->pszRawMsg != NULL);

 	/* check if this message is of the type we handle in this (very limited) parser
-
-	 find out if we have a space separated or tab separated for the first item
-	 if tab separated see if the second word is one of our expected tags
-	  if so replace the tabs with spaces so that hostname and syslog tag are going to be parsed properly
-	   optionally replace the hostname at the beginning of the message with one from later in the message
-	  else, wrong message, abort
-	 else, assume that we have a valid timestamp, move over to the syslog tag
-	  if that is tab separated from the rest of the message and one of our expected tags
-	   if so, replace the tab with a space so that it will be parsed properly
-	    optionally replace the hostname at the beginning of the message withone from later in the message 
-
-	*/
+	 *
+	 * - Find out if the first separator is a tab.
+	 * - If it is, see if the second word is one of our expected tags.
+	 *   - If so, flag as Snare and replace the first tab with space so that hostname and syslog tag are going to be parsed properly
+	 *   - Else not a snare message, abort.
+	 * - Else assume valid 3164 timestamp, move over to the syslog tag.
+	 * - See if syslog header is followed by tab and one of our expected tags.
+	 *   - If so, flag as Snare.
+	 * - See if either type flagged as Snare.
+	 *   - If so, replace the tab with a space so that it will be parsed properly.
+	 */
+	 
 	snaremessage=0;
-	lenMsg = pMsg->iLenRawMsg - pMsg->offAfterPRI;
 	/* note: offAfterPRI is already the number of PRI chars (do not add one!) */
-	p2parse = pMsg->pszRawMsg + pMsg->offAfterPRI; /* point to start of text, after PRI */
+	lenMsg = pMsg->iLenRawMsg - pMsg->offAfterPRI;
+	/* point to start of text, after PRI */
+	p2parse = pMsg->pszRawMsg + pMsg->offAfterPRI;
 	dbgprintf("pmsnare: msg to look at: [%d]'%s'\n", lenMsg, p2parse);
 	if((unsigned) lenMsg < 30) {
 		/* too short, can not be "our" message */
-		dbgprintf("msg too short!\n");
+		dbgprintf("pmsnare: Message is too short to be Snare!\n");
 		ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);
 	}

-	while(lenMsg && *p2parse != ' ' && *p2parse != '\t' && *p2parse != '#') {
+	/* Find the first separator and check if it's a tab. */
+	while(lenMsg && *p2parse != ' ' && *p2parse != '\t' && *p2parse != pInst->tabRepresentation[0]) {
 		--lenMsg;
 		++p2parse;
 	}
-	dbgprintf("pmsnare: separator [%d]'%s'  msg after the first separator: [%d]'%s'\n", tablength,
-	TabRepresentation,lenMsg, p2parse);
-	if ((lenMsg > tablength) && (*p2parse == '\t' || strncasecmp((char*) p2parse, TabRepresentation ,
-	tablength-1) == 0)) {
-	//if ((lenMsg > tablength) && (*p2parse == '\t' || *p2parse == '#')) {
-	dbgprintf("pmsnare: tab separated message\n");
-		if(strncasecmp((char*) (p2parse + tablength - 1), "MSWinEventLog", 13) == 0) {
-			snaremessage=13; /* 0 means not a snare message, a number is how long the tag is */
+	if ((lenMsg > pInst->tabLength) && (strncasecmp((char *)p2parse, pInst->tabRepresentation, 
+			pInst->tabLength) == 0)) {
+		dbgprintf("pmsnare: tab separated message\n");
+		dbgprintf("pmsnare: tab [%d]'%s'	msg at the first separator: [%d]'%s'\n",
+			pInst->tabLength, pInst->tabRepresentation, lenMsg, p2parse);
+
+		/* Look for the Snare tag. */
+		if(strncasecmp((char*)(p2parse + pInst->tabLength), "MSWinEventLog", 13) == 0) {
+			dbgprintf("Found a non-syslog Windows Snare message.\n");
+			snaremessage = p2parse - pMsg->pszRawMsg + pInst->tabLength + 13;
 		}
-		if(strncasecmp((char*) (p2parse + tablength - 1), "LinuxKAudit", 11) == 0) {
-			snaremessage=11; /* 0 means not a snare message, a number is how long the tag is */
-		}
-		if(snaremessage) {
-			/* replace the tab with a space and if needed move the message portion up by the length of
-			TabRepresentation -2 characters to overwrite the extra : */
-			*p2parse = ' ';
-			lenMsg -=(tablength-2);
-			p2parse++;
-			lenMsg--;
-			memmove(p2parse, p2parse + (tablength-2), lenMsg);
-			*(p2parse + lenMsg) = '\n';
-			*(p2parse + lenMsg + 1)  = '\0';
-			pMsg->iLenRawMsg -=(tablength-2);
-			pMsg->iLenMSG -=(tablength-2);
-			p2parse += snaremessage;
-			lenMsg -= snaremessage;
-			*p2parse = ' ';
-			p2parse++;
-			lenMsg--;
-			lenMsg -=(tablength-2);
-			memmove(p2parse, p2parse + (tablength-2), lenMsg);
-			*(p2parse + lenMsg) = '\n';
-			*(p2parse + lenMsg + 1)  = '\0';
-			pMsg->iLenRawMsg -=(tablength-2);
-			pMsg->iLenMSG -=(tablength-2);
-			dbgprintf("found a Snare message with snare not set to send syslog messages\n");
+		else if(strncasecmp((char*) (p2parse + pInst->tabLength), "LinuxKAudit", 11) == 0) {
+			dbgprintf("Found a non-syslog Linux Snare message.\n");
+			snaremessage = p2parse - pMsg->pszRawMsg + pInst->tabLength + 11;
+		} else {
+			/* Tab-separated but no Snare tag-> can't be Snare! */
+			ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);
 		}
+		
+		/* This is a non-syslog Snare message. Example:
+		 * other.lab.home	MSWinEventLog	1	Security	606129	Wed May 17 02:25:10 2017
+		 */
+		 
+		/* Remove the tab between the hostname and Snare tag. */
+		*p2parse = ' ';
+		p2parse++;
+		lenMsg--;
+		lenMsg -= (pInst->tabLength-1); /* size of tab goes from tabLength to 1, so shorten the message by the difference */
+		memmove(p2parse, p2parse+(pInst->tabLength-1), lenMsg); /* move the message portion up to overwrite the tab */ 
+		*(p2parse + lenMsg)	= '\0';
+		pMsg->iLenRawMsg -= (pInst->tabLength-1);
+		pMsg->iLenMSG -= (pInst->tabLength-1);
+		snaremessage -= (pInst->tabLength-1);
 	} else {
+		/* The first separator is not a tab. Look for a syslog Snare message. Example:
+		 * <14>May 17 02:25:10 syslog.lab.home MSWinEventLog     1    Security  606129    Wed May 17 02:25:10 2017
+		 */
+
 		/* go back to the beginning of the message */
-		lenMsg = pMsg->iLenRawMsg - pMsg->offAfterPRI;
-		/* note: offAfterPRI is already the number of PRI chars (do not add one!) */
-		p2parse = pMsg->pszRawMsg + pMsg->offAfterPRI; /* point to start of text, after PRI */
-		/* skip over timestamp and space*/
-		lenMsg -=17;
-		p2parse +=17;
-		/* skip over what should be the hostname */
+		lenMsg = pMsg->iLenRawMsg - pMsg->offAfterPRI; /* offAfterPRI is already the number of PRI chars (do not add one!) */
+		p2parse = pMsg->pszRawMsg + pMsg->offAfterPRI;
+
+		/* skip over timestamp and space (15 chars + space). */
+		lenMsg -=16;
+		p2parse +=16;
+		/* skip over what should be the hostname and space */
 		while(lenMsg && *p2parse != ' ') {
 			--lenMsg;
 			++p2parse;
@ -177,36 +366,42 @@ CODESTARTparse
 			--lenMsg;
 			++p2parse;
 		}
-		dbgprintf("pmsnare: separator [%d]'%s'  msg after the timestamp and hostname: [%d]'%s'\n", tablength,
-		TabRepresentation,lenMsg, p2parse);
+		dbgprintf("pmsnare: tab [%d]'%s'	msg after the timestamp and hostname: [%d]'%s'\n",
+				pInst->tabLength,pInst->tabRepresentation,lenMsg, p2parse);
+
+		/* Look for the Snare tag. */
 		if(lenMsg > 13 && strncasecmp((char*) p2parse, "MSWinEventLog", 13) == 0) {
-			snaremessage=13; /* 0 means not a snare message, a number is how long the tag is */
+			dbgprintf("Found a syslog Windows Snare message.\n");
+			snaremessage = p2parse - pMsg->pszRawMsg + 13;
 		}
-		if(lenMsg > 11 && strncasecmp((char*) p2parse, "LinuxKAudit", 11) == 0) {
-			snaremessage=11; /* 0 means not a snare message, a number is how long the tag is */
+		else if(lenMsg > 11 && strncasecmp((char*) p2parse, "LinuxKAudit", 11) == 0) {
+			dbgprintf("pmsnare: Found a syslog Linux Snare message.\n");
+			snaremessage = p2parse - pMsg->pszRawMsg + 11;
 		}
-		if(snaremessage) {
-			p2parse += snaremessage;
-			lenMsg -= snaremessage;
-			*p2parse = ' ';
-			p2parse++;
-			lenMsg--;
-			lenMsg -=(tablength-2);
-			memmove(p2parse, p2parse + (tablength-2), lenMsg);
-			*(p2parse + lenMsg) = '\n';
-			*(p2parse + lenMsg + 1)  = '\0';
-			pMsg->iLenRawMsg -=(tablength-2);
-			pMsg->iLenMSG -=(tablength-2);
-			dbgprintf("found a Snare message with snare set to send syslog messages\n");
-		}
-		
 	}
-	DBGPRINTF("pmsnare: new message: [%d]'%s'\n", lenMsg, pMsg->pszRawMsg + pMsg->offAfterPRI);
+	
+	if(snaremessage) {
+		/* Skip to the end of the tag. */
+		p2parse = pMsg->pszRawMsg + snaremessage;
+		lenMsg = pMsg->iLenRawMsg - snaremessage;
+
+		/* Remove the tab after the tag. */
+		*p2parse = ' ';
+		p2parse++;
+		lenMsg--;
+		lenMsg -= (pInst->tabLength-1); /* size of tab goes from tabLength to 1, so shorten the message by the difference */
+		memmove(p2parse, p2parse+(pInst->tabLength-1), lenMsg); /* move the message portion up to overwrite the tab */ 
+		*(p2parse + lenMsg) = '\0';
+		pMsg->iLenRawMsg -= (pInst->tabLength-1);
+		pMsg->iLenMSG -= (pInst->tabLength-1);
+
+		DBGPRINTF("pmsnare: new message: [%d]'%s'\n", lenMsg, pMsg->pszRawMsg + pMsg->offAfterPRI);
+	}
+	
 	ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);

 finalize_it:
-ENDparse
-
+ENDparse2

 BEGINmodExit
 CODESTARTmodExit
@ -217,14 +412,15 @@ CODESTARTmodExit
 	objRelease(datetime, CORE_COMPONENT);
 ENDmodExit

-
 BEGINqueryEtryPt
 CODESTARTqueryEtryPt
-CODEqueryEtryPt_STD_PMOD_QUERIES
+CODEqueryEtryPt_STD_MOD_QUERIES
+CODEqueryEtryPt_STD_CONF2_QUERIES
+CODEqueryEtryPt_STD_CONF2_setModCnf_QUERIES
+CODEqueryEtryPt_STD_PMOD2_QUERIES
 CODEqueryEtryPt_IsCompatibleWithFeature_IF_OMOD_QUERIES
 ENDqueryEtryPt

-
 BEGINmodInit()
 CODESTARTmodInit
 	*ipIFVersProvided = CURR_MOD_IF_VERSION; /* we only support the current interface specification */
@ -235,10 +431,8 @@ CODEmodInit_QueryRegCFSLineHdlr
 	CHKiRet(objUse(datetime, CORE_COMPONENT));

 	DBGPRINTF("snare parser init called, compiled with version %s\n", VERSION);
- 	bParseHOSTNAMEandTAG = glbl.GetParseHOSTNAMEandTAG();
+	bParseHOSTNAMEandTAG = glbl.GetParseHOSTNAMEandTAG();
 	/* cache value, is set only during rsyslogd option processing */
-
-
 ENDmodInit

 /* vim:set ai:
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@ -594,6 +594,11 @@ TESTS += \
 	omruleset-queue.sh
 endif

+if ENABLE_PMSNARE
+TESTS += \
+	pmsnare.sh
+endif
+
 if ENABLE_EXTENDED_TESTS
 # random.sh is temporarily disabled as it needs some work
 # to rsyslog core to complete in reasonable time
@ -1529,8 +1534,21 @@ EXTRA_DIST= \
 	testsuites/sndrcv_tls_anon_sender.conf \
 	testsuites/sndrcv_tls_anon_rcvr.conf \
 	omtcl.sh \
-	omtcl.tcl
-
+	omtcl.tcl \
+	pmsnare.sh \
+	testsuites/pmsnare_default.conf \
+	testsuites/pmsnare_ccoff.conf \
+	testsuites/pmsnare_ccdefault.conf \
+	testsuites/pmsnare_cccstyle.conf \
+	testsuites/pmsnare_ccbackslash.conf \
+	testsuites/pmsnare_modoverride.conf \
+	testsuites/sample.pmsnare_default \
+	testsuites/sample.pmsnare_ccoff \
+	testsuites/sample.pmsnare_ccdefault \
+	testsuites/sample.pmsnare_cccstyle \
+	testsuites/sample.pmsnare_ccbackslash \
+	testsuites/sample.pmsnare_modoverride
+	
 ourtail_SOURCES = ourtail.c
 msleep_SOURCES = msleep.c
 omrelp_dflt_port_SOURCES = omrelp_dflt_port.c
@ -1579,4 +1597,3 @@ nettester_LDADD = $(SOL_LIBS)
 #rscript_CPPFLAGS =  -I$(top_srcdir) $(PTHREADS_CFLAGS) $(RSRT_CFLAGS)
 #rscript_LDADD = $(RSRT_LIBS) $(ZLIB_LIBS) $(PTHREADS_LIBS) $(SOL_LIBS)
 #rscript_LDFLAGS = -export-dynamic
-
--- a/tests/pmsnare.sh
+++ b/tests/pmsnare.sh
@ -0,0 +1,45 @@
+#!/bin/bash
+# pmsnare.sh
+# Performs parser testing for the pmsnare module.
+# It's based on rgerhards' parsertest.sh.
+
+echo TEST: \[pmsnare.sh\]: test snare parser module
+. $srcdir/diag.sh init
+
+# first we need to obtain the hostname as rsyslog sees it
+rm -f HOSTNAME
+. $srcdir/diag.sh startup gethostname.conf
+. $srcdir/diag.sh tcpflood -m1 -M "\"<128>\""
+./msleep 100
+. $srcdir/diag.sh shutdown-when-empty # shut down rsyslogd when done processing messages
+. $srcdir/diag.sh wait-shutdown	# we need to wait until rsyslogd is finished!
+
+# now start the real tests
+. $srcdir/diag.sh nettester pmsnare_default udp
+. $srcdir/diag.sh nettester pmsnare_default tcp
+. $srcdir/diag.sh nettester pmsnare_ccoff udp
+. $srcdir/diag.sh nettester pmsnare_ccoff tcp
+. $srcdir/diag.sh nettester pmsnare_ccdefault udp
+. $srcdir/diag.sh nettester pmsnare_ccdefault tcp
+. $srcdir/diag.sh nettester pmsnare_cccstyle udp
+. $srcdir/diag.sh nettester pmsnare_cccstyle tcp
+. $srcdir/diag.sh nettester pmsnare_ccbackslash udp
+. $srcdir/diag.sh nettester pmsnare_ccbackslash tcp
+. $srcdir/diag.sh nettester pmsnare_modoverride udp
+. $srcdir/diag.sh nettester pmsnare_modoverride tcp
+
+echo \[pmsnare.sh]: redoing tests in IPv4-only mode
+. $srcdir/diag.sh nettester pmsnare_default udp
+. $srcdir/diag.sh nettester pmsnare_default tcp
+. $srcdir/diag.sh nettester pmsnare_ccoff udp -4
+. $srcdir/diag.sh nettester pmsnare_ccoff tcp -4
+. $srcdir/diag.sh nettester pmsnare_ccdefault udp -4
+. $srcdir/diag.sh nettester pmsnare_ccdefault tcp -4
+. $srcdir/diag.sh nettester pmsnare_cccstyle udp -4
+. $srcdir/diag.sh nettester pmsnare_cccstyle tcp -4
+. $srcdir/diag.sh nettester pmsnare_ccbackslash udp -4
+. $srcdir/diag.sh nettester pmsnare_ccbackslash tcp -4
+. $srcdir/diag.sh nettester pmsnare_modoverride udp -4
+. $srcdir/diag.sh nettester pmsnare_modoverride tcp -4
+rm -f HOSTNAME
+. $srcdir/diag.sh exit
--- a/tests/testsuites/pmsnare_ccbackslash.conf
+++ b/tests/testsuites/pmsnare_ccbackslash.conf
@ -0,0 +1,24 @@
+# pmsnare_ccbackslash.conf
+# This tests events with the pmsnare module when control characters are escaped with a backslash prefix.
+# It's based on rgerhards' snare_ccdefault_udp.conf.
+# added 2017-05-19 Shane Lawrence
+$EscapeControlCharactersOnReceive on
+$ControlCharacterEscapePrefix \\
+
+$ModLoad ../plugins/omstdout/.libs/omstdout
+$ModLoad ../contrib/pmsnare/.libs/pmsnare
+
+$IncludeConfig nettest.input.conf	# This picks the to be tested input from the test driver!
+
+# Use the pmsnare parser, then  fall through to the default built-in modules.
+$RulesetParser rsyslog.snare
+$RulesetParser rsyslog.rfc5424
+$RulesetParser rsyslog.rfc3164
+
+$ErrorMessagesToStderr off
+
+# use a special format that we can easily check. We do NOT include a timestamp because
+# the malformed snare messages usually do not contain one (and we can not check against
+# the system time in our test cases).
+$template fmt,"%PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%\n"
+*.* :omstdout:;fmt
--- a/tests/testsuites/pmsnare_cccstyle.conf
+++ b/tests/testsuites/pmsnare_cccstyle.conf
@ -0,0 +1,24 @@
+# pmsnare_cccstyle.conf
+# This tests events with the pmsnare module when control characters use C-style escapes.
+# It's based on rgerhards' snare_ccdefault_udp.conf.
+# added 2017-05-19 Shane Lawrence
+$EscapeControlCharactersOnReceive on
+global(
+	parser.escapeControlCharactersCStyle="on"
+)
+$ModLoad ../plugins/omstdout/.libs/omstdout
+$ModLoad ../contrib/pmsnare/.libs/pmsnare
+$IncludeConfig nettest.input.conf	# This picks the to be tested input from the test driver!
+
+# Use the pmsnare parser, then  fall through to the default built-in modules.
+$RulesetParser rsyslog.snare
+$RulesetParser rsyslog.rfc5424
+$RulesetParser rsyslog.rfc3164
+
+$ErrorMessagesToStderr off
+
+# use a special format that we can easily check. We do NOT include a timestamp because
+# the malformed snare messages usually do not contain one (and we can not check against
+# the system time in our test cases).
+$template fmt,"%PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%\n"
+*.* :omstdout:;fmt
--- a/tests/testsuites/pmsnare_ccdefault.conf
+++ b/tests/testsuites/pmsnare_ccdefault.conf
@ -0,0 +1,20 @@
+# pmsnare_ccdefault.conf
+# This tests events with the pmsnare module when control characters are escaped according to default settings.
+# It's based on rgerhards' snare_ccdefault_udp.conf.
+# added 2017-05-19 Shane Lawrence
+$ModLoad ../plugins/omstdout/.libs/omstdout
+$ModLoad ../contrib/pmsnare/.libs/pmsnare
+$IncludeConfig nettest.input.conf	# This picks the to be tested input from the test driver!
+
+# Use the pmsnare parser, then  fall through to the default built-in modules.
+$RulesetParser rsyslog.snare
+$RulesetParser rsyslog.rfc5424
+$RulesetParser rsyslog.rfc3164
+
+$ErrorMessagesToStderr off
+
+# use a special format that we can easily check. We do NOT include a timestamp because
+# the malformed snare messages usually do not contain one (and we can not check against
+# the system time in our test cases).
+$template fmt,"%PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%\n"
+*.* :omstdout:;fmt
--- a/tests/testsuites/pmsnare_ccoff.conf
+++ b/tests/testsuites/pmsnare_ccoff.conf
@ -0,0 +1,21 @@
+# pmsnare_ccoff.conf
+# This tests events with the pmsnare module when control characters are not escaped.
+# It's based on rgerhards' snare_ccoff_udp.conf.
+# added 2017-05-19 Shane Lawrence
+$EscapeControlCharactersOnReceive off
+$ModLoad ../plugins/omstdout/.libs/omstdout
+$ModLoad ../contrib/pmsnare/.libs/pmsnare
+$IncludeConfig nettest.input.conf	# This picks the to be tested input from the test driver!
+
+# Use the pmsnare parser, then  fall through to the default built-in modules.
+$RulesetParser rsyslog.snare
+$RulesetParser rsyslog.rfc5424
+$RulesetParser rsyslog.rfc3164
+
+$ErrorMessagesToStderr off
+
+# use a special format that we can easily check. We do NOT include a timestamp because
+# the malformed snare messages usually do not contain one (and we can not check against
+# the system time in our test cases).
+$template fmt,"%PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%\n"
+*.* :omstdout:;fmt
--- a/tests/testsuites/pmsnare_default.conf
+++ b/tests/testsuites/pmsnare_default.conf
@ -0,0 +1,16 @@
+# pmsnare_default.conf
+# This tests events with the default parser so they can be compared to
+# events parsed by pmsnare.
+# It's based on rgerhards' snare_ccoff_udp.conf.
+# added 2017-05-19 Shane Lawrence
+
+$ModLoad ../plugins/omstdout/.libs/omstdout
+$IncludeConfig nettest.input.conf
+
+$ErrorMessagesToStderr off
+
+# use a special format that we can easily check. We do NOT include a timestamp because
+# the malformed snare messages usually do not contain one (and we can not check against
+# the system time in our test cases).
+$template fmt,"%PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%\n"
+*.* :omstdout:;fmt
--- a/tests/testsuites/pmsnare_modoverride.conf
+++ b/tests/testsuites/pmsnare_modoverride.conf
@ -0,0 +1,36 @@
+# pmsnare_modoverride.conf
+# This tests events with the pmsnare module to ensure global settings can be overridden. 
+# This feature is intended to accommodate cases where input was escaped elsewhere.
+# It's based on rgerhards' snare_ccoff_udp.conf.
+# added 2017-05-29 Shane Lawrence
+global(
+	parser.escapeControlCharactersOnReceive="off"
+	parser.escapeControlCharacterTab="off"
+	parser.escapeControlCharactersCStyle="on"
+	parser.controlCharacterEscapePrefix="#"
+)
+module(load="../plugins/omstdout/.libs/omstdout")
+module(load="../contrib/pmsnare/.libs/pmsnare")
+parser(
+	name="modoverride.snare"
+	type="pmsnare"
+	parser.escapeControlCharactersOnReceive="on"
+	parser.escapeControlCharacterTab="on"
+	parser.escapeControlCharactersCStyle="off"
+	parser.controlCharacterEscapePrefix="\\"
+)
+
+# Use the override parser, then  fall through to the default built-in modules.
+$RulesetParser modoverride.snare
+$RulesetParser rsyslog.rfc5424
+$RulesetParser rsyslog.rfc3164
+
+$IncludeConfig nettest.input.conf	# This picks the to be tested input from the test driver!
+
+$ErrorMessagesToStderr off
+
+# use a special format that we can easily check. We do NOT include a timestamp because
+# the malformed snare messages usually do not contain one (and we can not check against
+# the system time in our test cases).
+$template fmt,"%PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%\n"
+*.* :omstdout:;fmt
--- a/tests/testsuites/sample.pmsnare_ccbackslash
+++ b/tests/testsuites/sample.pmsnare_ccbackslash
@ -0,0 +1,52 @@
+# sample.pmsnare_ccbackslash
+# These are sample events from several source types, and their expected results with the pmsnare module when
+# control characters are escaped with a backslash prefix.
+#
+# Format for expect is:
+# %PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%
+#
+# Citrix NetScaler
+<14> 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 :  SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse    The authenti
+14,user,info,,, 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 :  SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse    The authenti
+#
+# Cisco IOS-XE
+<14>123456789: HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................
+14,user,info,123456789,123456789:, HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................
+#
+# Cisco ASA
+<14>May 21 2017 00:00:00: %ASA-4-102030: Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group "local_in" [0x0, 0x0]
+14,user,info,%ASA-4-102030,%ASA-4-102030:, Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group "local_in" [0x0, 0x0]
+<14>May 21 2017 00:00:00: %ASA-6-102030: SFR requested ASA to bypass further packet redirection and process TCP flow from vlan_1233:192.168.0.11/10469 to vlan_12323:192.168.0.11/443 locally
+14,user,info,%ASA-6-102030,%ASA-6-102030:, SFR requested ASA to bypass further packet redirection and process TCP flow from vlan_1233:192.168.0.11/10469 to vlan_12323:192.168.0.11/443 locally
+#
+# VMware
+<14>2017-05-21T00:00:01.123Z hostname.domain Hostd: verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
+14,user,info,Hostd,Hostd:, verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
+<14>2017-05-21T00:00:01.123Z hostname.domain Rhttpproxy: verbose rhttpproxy[479C1B70] [Originator@6876 sub=Proxy Req 69725] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x00000000] _serverNamespace = /vpxa _isRedirect = false _port = 0000000000
+14,user,info,Rhttpproxy,Rhttpproxy:, verbose rhttpproxy[479C1B70] [Originator@6876 sub=Proxy Req 69725] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x00000000] _serverNamespace = /vpxa _isRedirect = false _port = 0000000000
+#
+# Unix
+<14>May 21 12:00:01 hostname CROND[12393]: pam_unix(crond:session): session closed for user root................
+14,user,info,CROND,CROND[12393]:, pam_unix(crond:session): session closed for user root................
+<14>May 21 12:00:01 vnl992 snmpd[1199]: Connection from UDP: [192.168.0.11]:41763->[192.168.0.11]:161979 to vlan_12323:
+14,user,info,snmpd,snmpd[1199]:, Connection from UDP: [192.168.0.11]:41763->[192.168.0.11]:161979 to vlan_12323:
+#
+# NXLog Snare
+<14>May 21 12:00:01 hostname MSWinEventLog	1	N/A	113977	Sun May 21 12:00:01.123	N/A	nxlog	N/A	N/A	N/A	hostname	N/A		reconnecting to agent manager in 200 seconds	N/A
+14,user,info,MSWinEventLog,MSWinEventLog, 1\\011N/A\\011113977\\011Sun May 21 12:00:01.123\\011N/A\\011nxlog\\011N/A\\011N/A\\011N/A\\011hostname\\011N/A\\011\\011reconnecting to agent manager in 200 seconds\\011N/A
+#
+# Snare
+<14>May 21 12:00:01 hostname.domain MSWinEventLog	1	Security	00000000	Sun May 21 12:00:01.123	4624	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	Logon		An account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+14,user,info,MSWinEventLog,MSWinEventLog, 1\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0114624\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Success Audit\\011hostname.domain\\011Logon\\011\\011An account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+<14>May 21 12:00:01 hostname.domain MSWinEventLog	1	Security	00000000	Sun May 21 12:00:01.123	5061	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	System Integrity		Cryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0	-0000000000
+14,user,info,MSWinEventLog,MSWinEventLog, 1\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0115061\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Success Audit\\011hostname.domain\\011System Integrity\\011\\011Cryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0\\011-0000000000
+<14>May 21 12:00:01 hostname.domain MSWinEventLog	3	Security	00000000	Sun May 21 12:00:01.123	4771	Microsoft-Windows-Security-Auditing	N/A	N/A	Failure Audit	hostname.domain	Kerberos Authentication Service		Kerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.	-0000000000
+14,user,info,MSWinEventLog,MSWinEventLog, 3\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0114771\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Failure Audit\\011hostname.domain\\011Kerberos Authentication Service\\011\\011Kerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.\\011-0000000000
+#
+# Snare (no syslog header)
+hostname.domain	MSWinEventLog	1	Security	00000000	Sun May 21 12:00:01.123	4624	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	Logon		An account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+13,user,notice,MSWinEventLog,MSWinEventLog, 1\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0114624\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Success Audit\\011hostname.domain\\011Logon\\011\\011An account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+hostname.domain	MSWinEventLog	1	Security	00000000	Sun May 21 12:00:01.123	5061	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	System Integrity		Cryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0	-0000000000
+13,user,notice,MSWinEventLog,MSWinEventLog, 1\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0115061\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Success Audit\\011hostname.domain\\011System Integrity\\011\\011Cryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0\\011-0000000000
+hostname.domain	MSWinEventLog	3	Security	00000000	Sun May 21 12:00:01.123	4771	Microsoft-Windows-Security-Auditing	N/A	N/A	Failure Audit	hostname.domain	Kerberos Authentication Service		Kerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.	-0000000000
+13,user,notice,MSWinEventLog,MSWinEventLog, 3\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0114771\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Failure Audit\\011hostname.domain\\011Kerberos Authentication Service\\011\\011Kerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.\\011-0000000000
--- a/tests/testsuites/sample.pmsnare_cccstyle
+++ b/tests/testsuites/sample.pmsnare_cccstyle
@ -0,0 +1,52 @@
+# sample.pmsnare_cccstyle
+# These are sample events from several source types, and their expected results with the default parser.
+# The Snare messages are expected to be malformed because the tabs are not considered separators.
+#
+# Format for expect is:
+# %PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%
+#
+# Citrix NetScaler
+<14> 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 :  SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse    The authenti
+14,user,info,,, 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 :  SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse    The authenti
+#
+# Cisco IOS-XE
+<14>123456789: HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................
+14,user,info,123456789,123456789:, HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................
+#
+# Cisco ASA
+<14>May 21 2017 00:00:00: %ASA-4-102030: Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group "local_in" [0x0, 0x0]
+14,user,info,%ASA-4-102030,%ASA-4-102030:, Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group "local_in" [0x0, 0x0]
+<14>May 21 2017 00:00:00: %ASA-6-102030: SFR requested ASA to bypass further packet redirection and process TCP flow from vlan_1233:192.168.0.11/10469 to vlan_12323:192.168.0.11/443 locally
+14,user,info,%ASA-6-102030,%ASA-6-102030:, SFR requested ASA to bypass further packet redirection and process TCP flow from vlan_1233:192.168.0.11/10469 to vlan_12323:192.168.0.11/443 locally
+#
+# VMware
+<14>2017-05-21T00:00:01.123Z hostname.domain Hostd: verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
+14,user,info,Hostd,Hostd:, verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
+<14>2017-05-21T00:00:01.123Z hostname.domain Rhttpproxy: verbose rhttpproxy[479C1B70] [Originator@6876 sub=Proxy Req 69725] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x00000000] _serverNamespace = /vpxa _isRedirect = false _port = 0000000000
+14,user,info,Rhttpproxy,Rhttpproxy:, verbose rhttpproxy[479C1B70] [Originator@6876 sub=Proxy Req 69725] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x00000000] _serverNamespace = /vpxa _isRedirect = false _port = 0000000000
+#
+# Unix
+<14>May 21 12:00:01 hostname CROND[12393]: pam_unix(crond:session): session closed for user root................
+14,user,info,CROND,CROND[12393]:, pam_unix(crond:session): session closed for user root................
+<14>May 21 12:00:01 vnl992 snmpd[1199]: Connection from UDP: [192.168.0.11]:41763->[192.168.0.11]:161979 to vlan_12323:
+14,user,info,snmpd,snmpd[1199]:, Connection from UDP: [192.168.0.11]:41763->[192.168.0.11]:161979 to vlan_12323:
+#
+# NXLog Snare
+<14>May 21 12:00:01 hostname MSWinEventLog	1	N/A	113977	Sun May 21 12:00:01.123	N/A	nxlog	N/A	N/A	N/A	hostname	N/A		reconnecting to agent manager in 200 seconds	N/A
+14,user,info,MSWinEventLog,MSWinEventLog, 1\\tN/A\\t113977\\tSun May 21 12:00:01.123\\tN/A\\tnxlog\\tN/A\\tN/A\\tN/A\\thostname\\tN/A\\t\\treconnecting to agent manager in 200 seconds\\tN/A
+#
+# Snare
+<14>May 21 12:00:01 hostname.domain MSWinEventLog	1	Security	00000000	Sun May 21 12:00:01.123	4624	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	Logon		An account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+14,user,info,MSWinEventLog,MSWinEventLog, 1\\tSecurity\\t00000000\\tSun May 21 12:00:01.123\\t4624\\tMicrosoft-Windows-Security-Auditing\\tN/A\\tN/A\\tSuccess Audit\\thostname.domain\\tLogon\\t\\tAn account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+<14>May 21 12:00:01 hostname.domain MSWinEventLog	1	Security	00000000	Sun May 21 12:00:01.123	5061	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	System Integrity		Cryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0	-0000000000
+14,user,info,MSWinEventLog,MSWinEventLog, 1\\tSecurity\\t00000000\\tSun May 21 12:00:01.123\\t5061\\tMicrosoft-Windows-Security-Auditing\\tN/A\\tN/A\\tSuccess Audit\\thostname.domain\\tSystem Integrity\\t\\tCryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0\\t-0000000000
+<14>May 21 12:00:01 hostname.domain MSWinEventLog	3	Security	00000000	Sun May 21 12:00:01.123	4771	Microsoft-Windows-Security-Auditing	N/A	N/A	Failure Audit	hostname.domain	Kerberos Authentication Service		Kerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.	-0000000000
+14,user,info,MSWinEventLog,MSWinEventLog, 3\\tSecurity\\t00000000\\tSun May 21 12:00:01.123\\t4771\\tMicrosoft-Windows-Security-Auditing\\tN/A\\tN/A\\tFailure Audit\\thostname.domain\\tKerberos Authentication Service\\t\\tKerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.\\t-0000000000
+#
+# Snare (no syslog header)
+hostname.domain	MSWinEventLog	1	Security	00000000	Sun May 21 12:00:01.123	4624	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	Logon		An account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+13,user,notice,MSWinEventLog,MSWinEventLog, 1\\tSecurity\\t00000000\\tSun May 21 12:00:01.123\\t4624\\tMicrosoft-Windows-Security-Auditing\\tN/A\\tN/A\\tSuccess Audit\\thostname.domain\\tLogon\\t\\tAn account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+hostname.domain	MSWinEventLog	1	Security	00000000	Sun May 21 12:00:01.123	5061	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	System Integrity		Cryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0	-0000000000
+13,user,notice,MSWinEventLog,MSWinEventLog, 1\\tSecurity\\t00000000\\tSun May 21 12:00:01.123\\t5061\\tMicrosoft-Windows-Security-Auditing\\tN/A\\tN/A\\tSuccess Audit\\thostname.domain\\tSystem Integrity\\t\\tCryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0\\t-0000000000
+hostname.domain	MSWinEventLog	3	Security	00000000	Sun May 21 12:00:01.123	4771	Microsoft-Windows-Security-Auditing	N/A	N/A	Failure Audit	hostname.domain	Kerberos Authentication Service		Kerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.	-0000000000
+13,user,notice,MSWinEventLog,MSWinEventLog, 3\\tSecurity\\t00000000\\tSun May 21 12:00:01.123\\t4771\\tMicrosoft-Windows-Security-Auditing\\tN/A\\tN/A\\tFailure Audit\\thostname.domain\\tKerberos Authentication Service\\t\\tKerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.\\t-0000000000
--- a/tests/testsuites/sample.pmsnare_ccdefault
+++ b/tests/testsuites/sample.pmsnare_ccdefault
@ -0,0 +1,52 @@
+# sample.pmsnare_ccdefault
+# These are sample events from several source types, and their expected results with the default parser.
+# The Snare messages are expected to be malformed because the tabs are not considered separators.
+#
+# Format for expect is:
+# %PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%
+#
+# Citrix NetScaler
+<14> 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 :  SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse    The authenti
+14,user,info,,, 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 :  SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse    The authenti
+#
+# Cisco IOS-XE
+<14>123456789: HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................
+14,user,info,123456789,123456789:, HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................
+#
+# Cisco ASA
+<14>May 21 2017 00:00:00: %ASA-4-102030: Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group "local_in" [0x0, 0x0]
+14,user,info,%ASA-4-102030,%ASA-4-102030:, Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group "local_in" [0x0, 0x0]
+<14>May 21 2017 00:00:00: %ASA-6-102030: SFR requested ASA to bypass further packet redirection and process TCP flow from vlan_1233:192.168.0.11/10469 to vlan_12323:192.168.0.11/443 locally
+14,user,info,%ASA-6-102030,%ASA-6-102030:, SFR requested ASA to bypass further packet redirection and process TCP flow from vlan_1233:192.168.0.11/10469 to vlan_12323:192.168.0.11/443 locally
+#
+# VMware
+<14>2017-05-21T00:00:01.123Z hostname.domain Hostd: verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
+14,user,info,Hostd,Hostd:, verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
+<14>2017-05-21T00:00:01.123Z hostname.domain Rhttpproxy: verbose rhttpproxy[479C1B70] [Originator@6876 sub=Proxy Req 69725] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x00000000] _serverNamespace = /vpxa _isRedirect = false _port = 0000000000
+14,user,info,Rhttpproxy,Rhttpproxy:, verbose rhttpproxy[479C1B70] [Originator@6876 sub=Proxy Req 69725] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x00000000] _serverNamespace = /vpxa _isRedirect = false _port = 0000000000
+#
+# Unix
+<14>May 21 12:00:01 hostname CROND[12393]: pam_unix(crond:session): session closed for user root................
+14,user,info,CROND,CROND[12393]:, pam_unix(crond:session): session closed for user root................
+<14>May 21 12:00:01 vnl992 snmpd[1199]: Connection from UDP: [192.168.0.11]:41763->[192.168.0.11]:161979 to vlan_12323:
+14,user,info,snmpd,snmpd[1199]:, Connection from UDP: [192.168.0.11]:41763->[192.168.0.11]:161979 to vlan_12323:
+#
+# NXLog Snare
+<14>May 21 12:00:01 hostname MSWinEventLog	1	N/A	113977	Sun May 21 12:00:01.123	N/A	nxlog	N/A	N/A	N/A	hostname	N/A		reconnecting to agent manager in 200 seconds	N/A
+14,user,info,MSWinEventLog,MSWinEventLog, 1#011N/A#011113977#011Sun May 21 12:00:01.123#011N/A#011nxlog#011N/A#011N/A#011N/A#011hostname#011N/A#011#011reconnecting to agent manager in 200 seconds#011N/A
+#
+# Snare
+<14>May 21 12:00:01 hostname.domain MSWinEventLog	1	Security	00000000	Sun May 21 12:00:01.123	4624	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	Logon		An account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+14,user,info,MSWinEventLog,MSWinEventLog, 1#011Security#01100000000#011Sun May 21 12:00:01.123#0114624#011Microsoft-Windows-Security-Auditing#011N/A#011N/A#011Success Audit#011hostname.domain#011Logon#011#011An account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+<14>May 21 12:00:01 hostname.domain MSWinEventLog	1	Security	00000000	Sun May 21 12:00:01.123	5061	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	System Integrity		Cryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0	-0000000000
+14,user,info,MSWinEventLog,MSWinEventLog, 1#011Security#01100000000#011Sun May 21 12:00:01.123#0115061#011Microsoft-Windows-Security-Auditing#011N/A#011N/A#011Success Audit#011hostname.domain#011System Integrity#011#011Cryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0#011-0000000000
+<14>May 21 12:00:01 hostname.domain MSWinEventLog	3	Security	00000000	Sun May 21 12:00:01.123	4771	Microsoft-Windows-Security-Auditing	N/A	N/A	Failure Audit	hostname.domain	Kerberos Authentication Service		Kerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.	-0000000000
+14,user,info,MSWinEventLog,MSWinEventLog, 3#011Security#01100000000#011Sun May 21 12:00:01.123#0114771#011Microsoft-Windows-Security-Auditing#011N/A#011N/A#011Failure Audit#011hostname.domain#011Kerberos Authentication Service#011#011Kerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.#011-0000000000
+#
+# Snare (no syslog header)
+hostname.domain	MSWinEventLog	1	Security	00000000	Sun May 21 12:00:01.123	4624	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	Logon		An account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+13,user,notice,MSWinEventLog,MSWinEventLog, 1#011Security#01100000000#011Sun May 21 12:00:01.123#0114624#011Microsoft-Windows-Security-Auditing#011N/A#011N/A#011Success Audit#011hostname.domain#011Logon#011#011An account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+hostname.domain	MSWinEventLog	1	Security	00000000	Sun May 21 12:00:01.123	5061	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	System Integrity		Cryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0	-0000000000
+13,user,notice,MSWinEventLog,MSWinEventLog, 1#011Security#01100000000#011Sun May 21 12:00:01.123#0115061#011Microsoft-Windows-Security-Auditing#011N/A#011N/A#011Success Audit#011hostname.domain#011System Integrity#011#011Cryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0#011-0000000000
+hostname.domain	MSWinEventLog	3	Security	00000000	Sun May 21 12:00:01.123	4771	Microsoft-Windows-Security-Auditing	N/A	N/A	Failure Audit	hostname.domain	Kerberos Authentication Service		Kerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.	-0000000000
+13,user,notice,MSWinEventLog,MSWinEventLog, 3#011Security#01100000000#011Sun May 21 12:00:01.123#0114771#011Microsoft-Windows-Security-Auditing#011N/A#011N/A#011Failure Audit#011hostname.domain#011Kerberos Authentication Service#011#011Kerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.#011-0000000000
--- a/tests/testsuites/sample.pmsnare_ccoff
+++ b/tests/testsuites/sample.pmsnare_ccoff
@ -0,0 +1,52 @@
+# sample.pmsnare_ccoff
+# These are sample events from several source types, and their expected results with
+# the pmsnare module when control characters are not escaped.
+#
+# Format for expect is:
+# %PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%
+#
+# Citrix NetScaler
+<14> 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 :  SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse    The authenti
+14,user,info,,, 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 :  SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse    The authenti
+#
+# Cisco IOS-XE
+<14>123456789: HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................
+14,user,info,123456789,123456789:, HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................
+#
+# Cisco ASA
+<14>May 21 2017 00:00:00: %ASA-4-102030: Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group "local_in" [0x0, 0x0]
+14,user,info,%ASA-4-102030,%ASA-4-102030:, Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group "local_in" [0x0, 0x0]
+<14>May 21 2017 00:00:00: %ASA-6-102030: SFR requested ASA to bypass further packet redirection and process TCP flow from vlan_1233:192.168.0.11/10469 to vlan_12323:192.168.0.11/443 locally
+14,user,info,%ASA-6-102030,%ASA-6-102030:, SFR requested ASA to bypass further packet redirection and process TCP flow from vlan_1233:192.168.0.11/10469 to vlan_12323:192.168.0.11/443 locally
+#
+# VMware
+<14>2017-05-21T00:00:01.123Z hostname.domain Hostd: verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
+14,user,info,Hostd,Hostd:, verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
+<14>2017-05-21T00:00:01.123Z hostname.domain Rhttpproxy: verbose rhttpproxy[479C1B70] [Originator@6876 sub=Proxy Req 69725] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x00000000] _serverNamespace = /vpxa _isRedirect = false _port = 0000000000
+14,user,info,Rhttpproxy,Rhttpproxy:, verbose rhttpproxy[479C1B70] [Originator@6876 sub=Proxy Req 69725] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x00000000] _serverNamespace = /vpxa _isRedirect = false _port = 0000000000
+#
+# Unix
+<14>May 21 12:00:01 hostname CROND[12393]: pam_unix(crond:session): session closed for user root................
+14,user,info,CROND,CROND[12393]:, pam_unix(crond:session): session closed for user root................
+<14>May 21 12:00:01 vnl992 snmpd[1199]: Connection from UDP: [192.168.0.11]:41763->[192.168.0.11]:161979 to vlan_12323:
+14,user,info,snmpd,snmpd[1199]:, Connection from UDP: [192.168.0.11]:41763->[192.168.0.11]:161979 to vlan_12323:
+#
+# NXLog Snare
+<14>May 21 12:00:01 hostname MSWinEventLog	1	N/A	113977	Sun May 21 12:00:01.123	N/A	nxlog	N/A	N/A	N/A	hostname	N/A		reconnecting to agent manager in 200 seconds	N/A
+14,user,info,MSWinEventLog,MSWinEventLog, 1	N/A	113977	Sun May 21 12:00:01.123	N/A	nxlog	N/A	N/A	N/A	hostname	N/A		reconnecting to agent manager in 200 seconds	N/A
+#
+# Snare
+<14>May 21 12:00:01 hostname.domain MSWinEventLog	1	Security	00000000	Sun May 21 12:00:01.123	4624	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	Logon		An account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+14,user,info,MSWinEventLog,MSWinEventLog, 1	Security	00000000	Sun May 21 12:00:01.123	4624	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	Logon		An account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+<14>May 21 12:00:01 hostname.domain MSWinEventLog	1	Security	00000000	Sun May 21 12:00:01.123	5061	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	System Integrity		Cryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0	-0000000000
+14,user,info,MSWinEventLog,MSWinEventLog, 1	Security	00000000	Sun May 21 12:00:01.123	5061	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	System Integrity		Cryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0	-0000000000
+<14>May 21 12:00:01 hostname.domain MSWinEventLog	3	Security	00000000	Sun May 21 12:00:01.123	4771	Microsoft-Windows-Security-Auditing	N/A	N/A	Failure Audit	hostname.domain	Kerberos Authentication Service		Kerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.	-0000000000
+14,user,info,MSWinEventLog,MSWinEventLog, 3	Security	00000000	Sun May 21 12:00:01.123	4771	Microsoft-Windows-Security-Auditing	N/A	N/A	Failure Audit	hostname.domain	Kerberos Authentication Service		Kerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.	-0000000000
+#
+# Snare (no syslog header)
+hostname.domain	MSWinEventLog	1	Security	00000000	Sun May 21 12:00:01.123	4624	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	Logon		An account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+13,user,notice,MSWinEventLog,MSWinEventLog, 1	Security	00000000	Sun May 21 12:00:01.123	4624	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	Logon		An account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+hostname.domain	MSWinEventLog	1	Security	00000000	Sun May 21 12:00:01.123	5061	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	System Integrity		Cryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0	-0000000000
+13,user,notice,MSWinEventLog,MSWinEventLog, 1	Security	00000000	Sun May 21 12:00:01.123	5061	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	System Integrity		Cryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0	-0000000000
+hostname.domain	MSWinEventLog	3	Security	00000000	Sun May 21 12:00:01.123	4771	Microsoft-Windows-Security-Auditing	N/A	N/A	Failure Audit	hostname.domain	Kerberos Authentication Service		Kerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.	-0000000000
+13,user,notice,MSWinEventLog,MSWinEventLog, 3	Security	00000000	Sun May 21 12:00:01.123	4771	Microsoft-Windows-Security-Auditing	N/A	N/A	Failure Audit	hostname.domain	Kerberos Authentication Service		Kerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.	-0000000000
--- a/tests/testsuites/sample.pmsnare_default
+++ b/tests/testsuites/sample.pmsnare_default
@ -0,0 +1,52 @@
+# sample.pmsnare_default
+# These are sample events from several source types, and their expected results with the default parser.
+# The Snare messages are expected to be malformed because the tabs are not considered separators.
+#
+# Format for expect is:
+# %PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%
+#
+# Citrix NetScaler
+<14> 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 :  SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse    The authenti
+14,user,info,,, 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 :  SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse    The authenti
+#
+# Cisco IOS-XE
+<14>123456789: HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................
+14,user,info,123456789,123456789:, HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................
+#
+# Cisco ASA
+<14>May 21 2017 00:00:00: %ASA-4-102030: Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group "local_in" [0x0, 0x0]
+14,user,info,%ASA-4-102030,%ASA-4-102030:, Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group "local_in" [0x0, 0x0]
+<14>May 21 2017 00:00:00: %ASA-6-102030: SFR requested ASA to bypass further packet redirection and process TCP flow from vlan_1233:192.168.0.11/10469 to vlan_12323:192.168.0.11/443 locally
+14,user,info,%ASA-6-102030,%ASA-6-102030:, SFR requested ASA to bypass further packet redirection and process TCP flow from vlan_1233:192.168.0.11/10469 to vlan_12323:192.168.0.11/443 locally
+#
+# VMware
+<14>2017-05-21T00:00:01.123Z hostname.domain Hostd: verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
+14,user,info,Hostd,Hostd:, verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
+<14>2017-05-21T00:00:01.123Z hostname.domain Rhttpproxy: verbose rhttpproxy[479C1B70] [Originator@6876 sub=Proxy Req 69725] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x00000000] _serverNamespace = /vpxa _isRedirect = false _port = 0000000000
+14,user,info,Rhttpproxy,Rhttpproxy:, verbose rhttpproxy[479C1B70] [Originator@6876 sub=Proxy Req 69725] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x00000000] _serverNamespace = /vpxa _isRedirect = false _port = 0000000000
+#
+# Unix
+<14>May 21 12:00:01 hostname CROND[12393]: pam_unix(crond:session): session closed for user root................
+14,user,info,CROND,CROND[12393]:, pam_unix(crond:session): session closed for user root................
+<14>May 21 12:00:01 vnl992 snmpd[1199]: Connection from UDP: [192.168.0.11]:41763->[192.168.0.11]:161979 to vlan_12323:
+14,user,info,snmpd,snmpd[1199]:, Connection from UDP: [192.168.0.11]:41763->[192.168.0.11]:161979 to vlan_12323:
+#
+# NXLog Snare
+<14>May 21 12:00:01 hostname MSWinEventLog	1	N/A	113977	Sun May 21 12:00:01.123	N/A	nxlog	N/A	N/A	N/A	hostname	N/A		reconnecting to agent manager in 200 seconds	N/A
+14,user,info,MSWinEventLog#0111#011N,MSWinEventLog#0111#011N/A#011113977#011Sun, May 21 12:00:01.123#011N/A#011nxlog#011N/A#011N/A#011N/A#011hostname#011N/A#011#011reconnecting to agent manager in 200 seconds#011N/A
+#
+# Snare
+<14>May 21 12:00:01 hostname.domain MSWinEventLog	1	Security	00000000	Sun May 21 12:00:01.123	4624	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	Logon		An account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+14,user,info,MSWinEventLog#0111#011Security#01100000000#011Sun,MSWinEventLog#0111#011Security#01100000000#011Sun, May 21 12:00:01.123#0114624#011Microsoft-Windows-Security-Auditing#011N/A#011N/A#011Success Audit#011hostname.domain#011Logon#011#011An account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+<14>May 21 12:00:01 hostname.domain MSWinEventLog	1	Security	00000000	Sun May 21 12:00:01.123	5061	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	System Integrity		Cryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0	-0000000000
+14,user,info,MSWinEventLog#0111#011Security#01100000000#011Sun,MSWinEventLog#0111#011Security#01100000000#011Sun, May 21 12:00:01.123#0115061#011Microsoft-Windows-Security-Auditing#011N/A#011N/A#011Success Audit#011hostname.domain#011System Integrity#011#011Cryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0#011-0000000000
+<14>May 21 12:00:01 hostname.domain MSWinEventLog	3	Security	00000000	Sun May 21 12:00:01.123	4771	Microsoft-Windows-Security-Auditing	N/A	N/A	Failure Audit	hostname.domain	Kerberos Authentication Service		Kerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.	-0000000000
+14,user,info,MSWinEventLog#0113#011Security#01100000000#011Sun,MSWinEventLog#0113#011Security#01100000000#011Sun, May 21 12:00:01.123#0114771#011Microsoft-Windows-Security-Auditing#011N/A#011N/A#011Failure Audit#011hostname.domain#011Kerberos Authentication Service#011#011Kerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.#011-0000000000
+#
+# Snare (no syslog header)
+hostname.domain	MSWinEventLog	1	Security	00000000	Sun May 21 12:00:01.123	4624	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	Logon		An account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+13,user,notice,hostname.domain#011MSWinEventLog#0111#011Security#01100000000#011Sun,hostname.domain#011MSWinEventLog#0111#011Security#01100000000#011Sun, May 21 12:00:01.123#0114624#011Microsoft-Windows-Security-Auditing#011N/A#011N/A#011Success Audit#011hostname.domain#011Logon#011#011An account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+hostname.domain	MSWinEventLog	1	Security	00000000	Sun May 21 12:00:01.123	5061	Microsoft-Windows-Security-Auditing	N/A	N/A	Success Audit	hostname.domain	System Integrity		Cryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0	-0000000000
+13,user,notice,hostname.domain#011MSWinEventLog#0111#011Security#01100000000#011Sun,hostname.domain#011MSWinEventLog#0111#011Security#01100000000#011Sun, May 21 12:00:01.123#0115061#011Microsoft-Windows-Security-Auditing#011N/A#011N/A#011Success Audit#011hostname.domain#011System Integrity#011#011Cryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0#011-0000000000
+hostname.domain	MSWinEventLog	3	Security	00000000	Sun May 21 12:00:01.123	4771	Microsoft-Windows-Security-Auditing	N/A	N/A	Failure Audit	hostname.domain	Kerberos Authentication Service		Kerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.	-0000000000
+13,user,notice,hostname.domain#011MSWinEventLog#0113#011Security#01100000000#011Sun,hostname.domain#011MSWinEventLog#0113#011Security#01100000000#011Sun, May 21 12:00:01.123#0114771#011Microsoft-Windows-Security-Auditing#011N/A#011N/A#011Failure Audit#011hostname.domain#011Kerberos Authentication Service#011#011Kerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.#011-0000000000
--- a/tests/testsuites/sample.pmsnare_modoverride
+++ b/tests/testsuites/sample.pmsnare_modoverride
@ -0,0 +1,53 @@
+# sample.pmsnare_modoverride
+# These are sample events from several source types, and their expected results with the pmsnare module
+# when global settings are overridden. The input has been manipulated, as this feature is intended to 
+# accommodate cases where input was already escaped elsewhere.
+#
+# Format for expect is:
+# %PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%
+#
+# Citrix NetScaler
+<14> 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 :  SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse    The authenti
+14,user,info,,, 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 :  SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse    The authenti
+#
+# Cisco IOS-XE
+<14>123456789: HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................
+14,user,info,123456789,123456789:, HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................
+#
+# Cisco ASA
+<14>May 21 2017 00:00:00: %ASA-4-102030: Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group "local_in" [0x0, 0x0]
+14,user,info,%ASA-4-102030,%ASA-4-102030:, Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group "local_in" [0x0, 0x0]
+<14>May 21 2017 00:00:00: %ASA-6-102030: SFR requested ASA to bypass further packet redirection and process TCP flow from vlan_1233:192.168.0.11/10469 to vlan_12323:192.168.0.11/443 locally
+14,user,info,%ASA-6-102030,%ASA-6-102030:, SFR requested ASA to bypass further packet redirection and process TCP flow from vlan_1233:192.168.0.11/10469 to vlan_12323:192.168.0.11/443 locally
+#
+# VMware
+<14>2017-05-21T00:00:01.123Z hostname.domain Hostd: verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
+14,user,info,Hostd,Hostd:, verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
+<14>2017-05-21T00:00:01.123Z hostname.domain Rhttpproxy: verbose rhttpproxy[479C1B70] [Originator@6876 sub=Proxy Req 69725] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x00000000] _serverNamespace = /vpxa _isRedirect = false _port = 0000000000
+14,user,info,Rhttpproxy,Rhttpproxy:, verbose rhttpproxy[479C1B70] [Originator@6876 sub=Proxy Req 69725] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x00000000] _serverNamespace = /vpxa _isRedirect = false _port = 0000000000
+#
+# Unix
+<14>May 21 12:00:01 hostname CROND[12393]: pam_unix(crond:session): session closed for user root................
+14,user,info,CROND,CROND[12393]:, pam_unix(crond:session): session closed for user root................
+<14>May 21 12:00:01 vnl992 snmpd[1199]: Connection from UDP: [192.168.0.11]:41763->[192.168.0.11]:161979 to vlan_12323:
+14,user,info,snmpd,snmpd[1199]:, Connection from UDP: [192.168.0.11]:41763->[192.168.0.11]:161979 to vlan_12323:
+#
+# NXLog Snare
+<14>May 21 12:00:01 hostname MSWinEventLog\\0111\\011N/A\\011113977\\011Sun May 21 12:00:01.123\\011N/A\\011nxlog\\011N/A\\011N/A\\011N/A\\011hostname\\011N/A\\011\\011reconnecting to agent manager in 200 seconds\\011N/A
+14,user,info,MSWinEventLog,MSWinEventLog, 1\\011N/A\\011113977\\011Sun May 21 12:00:01.123\\011N/A\\011nxlog\\011N/A\\011N/A\\011N/A\\011hostname\\011N/A\\011\\011reconnecting to agent manager in 200 seconds\\011N/A
+#
+# Snare
+<14>May 21 12:00:01 hostname.domain MSWinEventLog\\0111\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0114624\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Success Audit\\011hostname.domain\\011Logon\\011\\011An account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+14,user,info,MSWinEventLog,MSWinEventLog, 1\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0114624\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Success Audit\\011hostname.domain\\011Logon\\011\\011An account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+<14>May 21 12:00:01 hostname.domain MSWinEventLog\\0111\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0115061\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Success Audit\\011hostname.domain\\011System Integrity\\011\\011Cryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0\\011-0000000000
+14,user,info,MSWinEventLog,MSWinEventLog, 1\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0115061\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Success Audit\\011hostname.domain\\011System Integrity\\011\\011Cryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0\\011-0000000000
+<14>May 21 12:00:01 hostname.domain MSWinEventLog\\0113\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0114771\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Failure Audit\\011hostname.domain\\011Kerberos Authentication Service\\011\\011Kerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.\\011-0000000000
+14,user,info,MSWinEventLog,MSWinEventLog, 3\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0114771\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Failure Audit\\011hostname.domain\\011Kerberos Authentication Service\\011\\011Kerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.\\011-0000000000
+#
+# Snare (no syslog header)
+hostname.domain\\011MSWinEventLog\\0111\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0114624\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Success Audit\\011hostname.domain\\011Logon\\011\\011An account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+13,user,notice,MSWinEventLog,MSWinEventLog, 1\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0114624\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Success Audit\\011hostname.domain\\011Logon\\011\\011An account was successfully logged on.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Logon Type:   3    New Logon:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000   Logon GUID:  0x000000000    Process Information:   Process ID:  0x000000000   Process Name:  first.last    Network Information:   Workstation Name:    Source Network Address: 192.168.0.11   Source Port:  51542    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
+hostname.domain\\011MSWinEventLog\\0111\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0115061\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Success Audit\\011hostname.domain\\011System Integrity\\011\\011Cryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0\\011-0000000000
+13,user,notice,MSWinEventLog,MSWinEventLog, 1\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0115061\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Success Audit\\011hostname.domain\\011System Integrity\\011\\011Cryptographic operation.    Subject:   Security ID:  0x000000000   Account Name:  first.last   Account Domain:  domain   Logon ID:  0x000000000    Cryptographic Parameters:   Provider Name: Microsoft Software Key Storage Provider   Algorithm Name: RSA   Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698   Key Type: Machine key.    Cryptographic Operation:   Operation: Open Key.   Return Code: 0x0\\011-0000000000
+hostname.domain\\011MSWinEventLog\\0113\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0114771\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Failure Audit\\011hostname.domain\\011Kerberos Authentication Service\\011\\011Kerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.\\011-0000000000
+13,user,notice,MSWinEventLog,MSWinEventLog, 3\\011Security\\01100000000\\011Sun May 21 12:00:01.123\\0114771\\011Microsoft-Windows-Security-Auditing\\011N/A\\011N/A\\011Failure Audit\\011hostname.domain\\011Kerberos Authentication Service\\011\\011Kerberos pre-authentication failed.    Account Information:   Security ID:  0x000000000   Account Name:  first.last    Service Information:   Service Name:  first.last    Network Information:   Client Address:  ::ffff:192.168.0.11   Client Port:  59355    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.\\011-0000000000