PoC for new Audiocodes filter #238

Open
@gedia

Hello all,

I'm uploading here an attempt at creating a more robust (for my use case) filter for audiocodes. The one available in the next branch doesn't seem to work with the Audiocodes SBC version I have access to (7.20A.256.721), and it wasn't reliable when I tweaked it a bit to overcome some obvious parsing issues.

Compared to the existing filter, this PoC:

  • Doesn't handle all cases yet (e.g. media reports)
  • Doesn't support autodiscovery of IPs (but it's trivial to add)
  • Has only been tested/developed for version 7.20A.256.721
  • Regexes may need to be adjusted for other versions
  • Uses older newline replacement of \n instead of \r\n (pre-commit b5af708)
  • Assumes no packet loss, messages arriving in order, but other than that the holding/merging/dissecting syslog messages logic seems more robust now

To anyone interested in working on this, here's the logic behind it. Syslog messages from Audiocodes SBC are expected to conform to the following structure:

____________________________
[S= xxxxxxxxxx](always) [SID= xxxxxxxxxx](optional) [BID= xxxxxxxxxx](optional) (N  xxxxxxxxxx)(optional) msg1

(N  xxxxxxxxxx) S= is unique to each syslog msg, may contain multiple N

(N  xxxxxxxxxx) Beginning of SIP message is indicated immediately after an N (instead of this text) and is indicated by a preamble similar to ` ---- Incoming SIP Message from IP:PORT to SIPInterface #0 (ALIAS) UDP TO(#0) ---- `
____________________________
[S= xxxxxxxxxx](always) [SID= xxxxxxxxxx](optional) [BID= xxxxxxxxxx](optional) (N  xxxxxxxxxx)(optional) msg2: SIP message preamble may be found in the first syslog line (this one, instead of this text as well). In this case, the N parameter is not optional.

(N  xxxxxxxxxx) Presence of a new N occurrence following the SIP message preamble in last N can be assumed to be a delimiter for the SIP message: this is a new syslog entry

(N  xxxxxxxxxx) ---- Incoming SIP Message from IP:PORT to SIPInterface #0 (ALIAS) UDP TO(#0) ---- preamble may be found at the end of a syslog message ([S= xxxxxxxxxx] entry). In this case the message itself will be carried in the next syslog msg.
____________________________
[S= xxxxxxxxxx](always) [SID= xxxxxxxxxx] same rules apply, until we find a new (N xxxxxxxxxx) entry, consider this a part of the SIP message preambled by the last ---- Incoming/Outgoing occurrence
____________________________
[S= xxxxxxxxxx](always) [SID= xxxxxxxxxx] still no N found, so this text may be part of the same SIP message introduced two syslog messages ago

(N  xxxxxxxxxx) ---- New N line, this is a new syslog entry. If it carries SIP, it should include the preamble.
____________________________

filter_app_audiocodes_new.txt
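
The hold-and-merge rules described in the post above, as an added example (this is not the attached filter or the project's code). The regexes, the `reassemble` function, the "to IP:PORT from" wording of the outgoing preamble and the sample lines are assumptions constructed for illustration; fragments are joined verbatim, and in-order delivery with no loss is assumed, as in the post.

```javascript
// Added example; the regexes are assumptions modelled on the layout in the post.
const HEADER = /^\s*\[S=\s*(\d+)\]\s*(?:\[SID=\s*([^\]]*)\]\s*)?(?:\[BID=\s*([^\]]*)\]\s*)?/;
const N_MARK = /\(N\s+\d+\)/;
// Assumed: outgoing preambles read "to IP:PORT from ..."; the post shows only the incoming form.
const PREAMBLE = /^\s*-{4}\s*(Incoming|Outgoing) SIP Message (?:from|to) ([\d.]+):(\d+)[^\n]*?-{4}\s*/;

// Takes syslog messages in arrival order, returns the reassembled SIP messages.
function reassemble(syslogMessages) {
  const out = [];
  let held = null; // SIP message still being collected, possibly across syslog messages
  const flush = () => {
    // Surrounding whitespace is trimmed; a preamble with no body is dropped.
    if (held && held.sip.trim()) out.push({ ...held, sip: held.sip.trim() });
    held = null;
  };
  for (const msg of syslogMessages) {
    const h = HEADER.exec(msg);
    if (!h) continue; // no [S=...] header: not an SBC syslog message
    const parts = msg.slice(h[0].length).split(N_MARK);
    // Text before the first (N ...) continues the SIP message held from earlier.
    if (held) held.sip += parts[0];
    for (const entry of parts.slice(1)) {
      flush(); // a new N delimits whatever SIP message was open
      const p = PREAMBLE.exec(entry);
      if (p) {
        held = { direction: p[1], ip: p[2], port: Number(p[3]),
                 sid: h[2] || null, sip: entry.slice(p[0].length) };
      }
    }
  }
  flush(); // end of input closes the last held message
  return out;
}

// Constructed sample: preamble at the end of S=101, body spread over S=102 and S=103,
// closed by a new N; S=104 carries preamble and body in one syslog message.
const SAMPLE = [
  "[S=101] [SID=abc:1:1] (N 5001) some log text (N 5002) ---- Incoming SIP Message from 192.0.2.10:5060 to SIPInterface #0 (ALIAS) UDP TO(#0) ---- ",
  "[S=102] [SID=abc:1:1] INVITE sip:bob@example.test SIP/2.0\nVia: SIP/2.0/UDP 192.0.2.10:5060\n",
  "[S=103] [SID=abc:1:1] Call-ID: c1@example.test\nCSeq: 1 INVITE\n\n (N 5003) unrelated entry",
  "[S=104] [SID=abc:1:1] (N 5004) ---- Outgoing SIP Message to 192.0.2.20:5060 from SIPInterface #0 (ALIAS) UDP TO(#0) ---- SIP/2.0 100 Trying\nCSeq: 1 INVITE\n\n",
];
console.log(reassemble(SAMPLE));
```

A literal `(N digits)` sequence inside a SIP body would be treated as a delimiter by this sketch, so a filter built on it should check that case against real traffic.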
