fix: support date format with year for cisco asa (#604)

nandinivij · web-flow · commit 876cb806068e · 2022-04-19T09:04:35.000-07:00
* fix: support date format cisco asa
diff --git a/pytest_splunk_addon/standard_lib/requirement_tests/test_generator.py b/pytest_splunk_addon/standard_lib/requirement_tests/test_generator.py
@@ -103,8 +103,10 @@ def strip_syslog_header(self, raw_event):
         if regex_rfc5424:
             stripped_header = regex_rfc5424.group(3)
             return stripped_header
+        #    regex = r"([A-Z][a-z][a-z]\s{1,2}\d{1,2}\s\d{2}[:]\d{2}[:]\d{2})\s+([\w][\w\d\.@-]*)\s\w*:?(.*)$",
+        #   (?:\s\d{4})? Added to support cisco asa date format
         regex_rfc3164 = re.search(
-            r"([A-Z][a-z][a-z]\s{1,2}\d{1,2}\s\d{2}[:]\d{2}[:]\d{2})\s+([\w][\w\d\.@-]*)\s\w*:?(.*)$",
+            r"([A-Z][a-z][a-z]\s{1,2}\d{1,2}(?:\s\d{4})?\s\d{2}[:]\d{2}[:]\d{2})\s+([\w][\w\d\.@-]*)\s\w*:?(.*)$",
             raw_event,
         )
         if regex_rfc3164:
diff --git a/tests/unit/tests_standard_lib/test_requirement_tests/test_test_generator.py b/tests/unit/tests_standard_lib/test_requirement_tests/test_test_generator.py
@@ -191,6 +191,33 @@ def test_extract_params():
                 ),
             ],
         ),
+        (
+            ["requirement_cisco_asa.log"],
+            [True],
+            ["syslog"],
+            {
+                "event": [
+                    "Oct 06 2021 14:44:59 10.10.10.10 : %ASA-4-405001: Received ARP response collision from 1.1.1.1/0050.56b7.52b6 on interface outside with existing ARP entry 1.1.0.1/0011.56b7.7853"
+                ]
+            },
+            [["model_1:dataset_1"]],
+            ["event_name_1"],
+            [{"field1": "value1", "field2": "value2"}, {"field3": "value3"}],
+            [
+                (
+                    # test for cisco event ingestion and escaped event with removed header
+                    {
+                        "model_list": [("model_1", "dataset_1", "")],
+                        "escaped_event": " %ASA-4-405001: Received ARP response collision from 1.1.1.1/0050.56b7.52b6 on interface outside with existing ARP entry 1.1.0.1/0011.56b7.7853",
+                        "exceptions_dict": {"field3": "value3"},
+                        "Key_value_dict": {"field1": "value1", "field2": "value2"},
+                        "modinput_params": None,
+                        "transport_type": "syslog",
+                    },
+                    "model_1:dataset_1::fake_path/requirement_cisco_asa.log::event_no::1::event_name::event_name_1",
+                ),
+            ],
+        ),
     ],
 )
 def test_generate_cim_req_params(
