package org.graylog.integrations.inputs.paloalto9;

import com.google.common.collect.ImmutableMap;
import java.nio.charset.StandardCharsets;
import java.util.List;
import org.graylog.integrations.inputs.paloalto.PaloAltoParser;
import org.graylog2.plugin.Message;
import org.graylog2.plugin.configuration.Configuration;
import org.graylog2.plugin.journal.RawMessage;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/graylog/integrations/inputs/paloalto9/PaloAlto9xTemplatesTest.class */
public class PaloAlto9xTemplatesTest {
    // Syslog header (priority <14>, version 1, timestamp, sender, empty structured fields) that
    // precedes every sample payload. NOTE(review): the test methods visible in this file repeat
    // this literal inline rather than referencing the constant.
    private static final String SYSLOG_PREFIX = "<14>1 2020-06-02T14:01:00.000Z PYTHON_TEST_SENDER - - - - ";
    // Zone id handed to the codec as its "timezone" setting in setUp().
    private static final String TIMEZONE_STRING = "America/Phoenix";
    // Same zone as a Joda object; expected timestamps are normalised to it before comparison.
    private static final DateTimeZone TIMEZONE = DateTimeZone.forID(TIMEZONE_STRING);
    // Codec instance exercised by the tests (presumably "class under test"); rebuilt by setUp()
    // before each test.
    PaloAlto9xCodec cut;

    /**
     * Builds a fresh codec before each test.
     *
     * <p>The codec is configured to keep the complete raw message ("store_full_message") and to
     * interpret device timestamps in {@link #TIMEZONE_STRING}; the tests assert on both settings.
     */
    @Before
    public void setUp() {
        ImmutableMap<String, Object> settings =
                ImmutableMap.of("store_full_message", true, "timezone", TIMEZONE_STRING);
        Configuration configuration = new Configuration(settings);
        cut = new PaloAlto9xCodec(configuration, new PaloAltoParser(), new PaloAlto9xParser());
    }

    /**
     * Decodes a sample CONFIG (configuration audit) log line and checks each extracted field.
     *
     * <p>The fixture covers the fields that make up a change-audit trail: who made the change
     * ({@code user_name}), from where ({@code source_reference}), what was run
     * ({@code user_command}, {@code user_command_path}), the outcome, and the after-change detail.
     * Device timestamps in the payload carry no zone; the expected values use the -07:00 offset of
     * the zone the codec is configured with.
     */
    @Test
    public void verifyConfigurationMessageParsing() {
        String payload = "1,2020/05/26 04:11:09,007000000018919,CONFIG,0,0,2020/05/26 04:11:09,86.181.133.251,,multi-clone,aduncan@paloaltonetworks.com,Web,Succeeded,vsys  vsys1 profiles virus,,default-1  { decoder { http  { action default; wildfire-action default; } http2  { action default; wildfire-action default; } smtp  { action default; wildfire-action default; } imap  { action default; wildfire-action default; } pop3  { action default; wildfire-action default; } ftp  { action default; wildfire-action default; } smb  { action default; wildfire-action default; } } } ,5481,0x8000000000000000,0,0,0,0,,uk1,0,";
        String rawLog = "<14>1 2020-06-02T14:01:00.000Z PYTHON_TEST_SENDER - - - - " + payload;

        Message parsed = cut.decode(new RawMessage(rawLog.getBytes(StandardCharsets.UTF_8)));
        MatcherAssert.assertThat(parsed, CoreMatchers.notNullValue());

        // full_message keeps the syslog header; message holds only the comma-separated payload.
        MatcherAssert.assertThat(parsed.getField("full_message"), CoreMatchers.is(rawLog));
        MatcherAssert.assertThat(parsed.getField("message"), CoreMatchers.is(payload));
        MatcherAssert.assertThat(parsed.getField("event_source_product"), CoreMatchers.is("PAN"));

        // Both date columns of the fixture hold the same instant.
        DateTime expectedTime = DateTime.parse("2020-05-26T04:11:09-07:00").withZone(TIMEZONE);
        MatcherAssert.assertThat(parsed.getField("event_created"), CoreMatchers.is(expectedTime));
        MatcherAssert.assertThat(parsed.getField("host_id"), CoreMatchers.is("007000000018919"));
        MatcherAssert.assertThat(parsed.getField("event_log_name"), CoreMatchers.is("CONFIG"));
        MatcherAssert.assertThat(parsed.getField("pan_log_subtype"), CoreMatchers.is("0"));
        MatcherAssert.assertThat(parsed.getField("timestamp"), CoreMatchers.is(expectedTime));
        MatcherAssert.assertThat(parsed.getField("source_reference"), CoreMatchers.is("86.181.133.251"));
        // Empty columns are expected to come back as null, not as empty strings.
        MatcherAssert.assertThat(parsed.getField("host_virtfw_id"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("user_command"), CoreMatchers.is("multi-clone"));
        MatcherAssert.assertThat(parsed.getField("user_name"), CoreMatchers.is("aduncan@paloaltonetworks.com"));
        MatcherAssert.assertThat(parsed.getField("vendor_signin_protocol"), CoreMatchers.is("Web"));
        MatcherAssert.assertThat(parsed.getField("vendor_event_outcome"), CoreMatchers.is("Succeeded"));
        MatcherAssert.assertThat(parsed.getField("user_command_path"), CoreMatchers.is("vsys  vsys1 profiles virus"));
        MatcherAssert.assertThat(parsed.getField("pan_before_change_detail"), CoreMatchers.nullValue());
        // The raw column ends with a space before the next comma; the expected value does not,
        // so the stored detail is the column without its trailing whitespace.
        MatcherAssert.assertThat(parsed.getField("pan_after_change_detail"), CoreMatchers.is("default-1  { decoder { http  { action default; wildfire-action default; } http2  { action default; wildfire-action default; } smtp  { action default; wildfire-action default; } imap  { action default; wildfire-action default; } pop3  { action default; wildfire-action default; } ftp  { action default; wildfire-action default; } smb  { action default; wildfire-action default; } } }"));
        MatcherAssert.assertThat(parsed.getField("event_uid"), CoreMatchers.is("5481"));
        MatcherAssert.assertThat(parsed.getField("pan_log_panorama"), CoreMatchers.is("0x8000000000000000"));
        // Device-group levels are expected as longs, unlike the string-typed ids above.
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_1"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_2"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_3"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_4"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("host_virtfw_hostname"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("host_hostname"), CoreMatchers.is("uk1"));
    }

    /**
     * Decodes a sample CORRELATION log line and checks each extracted field.
     *
     * <p>The fixture is a "compromised-host" correlation event. The assertions pin the fields an
     * analyst pivots on when triaging such an event: the affected address ({@code source_ip}), the
     * account ({@code user_name}), the category and severity, the matched correlation object and
     * the free-text evidence.
     */
    @Test
    public void verifyCorrelationMessageParsing() {
        String payload = "1,2020/05/31 17:19:44,0007SE00209,CORRELATION,,,2020/05/31 17:19:44,10.154.8.125,pancademo\\david.mccoy,,compromised-host,medium,31,40,0,0,,uk1rama,,beacon-heuristics,6005,\"Host has made use of Internet Relay Chat (IRC), a protocol popular with command-and-control activity.\"";
        String rawLog = "<14>1 2020-06-02T14:01:00.000Z PYTHON_TEST_SENDER - - - - " + payload;

        Message parsed = cut.decode(new RawMessage(rawLog.getBytes(StandardCharsets.UTF_8)));
        MatcherAssert.assertThat(parsed, CoreMatchers.notNullValue());

        // full_message keeps the syslog header; message holds only the comma-separated payload.
        MatcherAssert.assertThat(parsed.getField("full_message"), CoreMatchers.is(rawLog));
        MatcherAssert.assertThat(parsed.getField("message"), CoreMatchers.is(payload));
        MatcherAssert.assertThat(parsed.getField("event_source_product"), CoreMatchers.is("PAN"));

        // Both date columns of the fixture hold the same instant.
        DateTime expectedTime = DateTime.parse("2020-05-31T17:19:44-07:00").withZone(TIMEZONE);
        MatcherAssert.assertThat(parsed.getField("event_created"), CoreMatchers.is(expectedTime));
        MatcherAssert.assertThat(parsed.getField("host_id"), CoreMatchers.is("0007SE00209"));
        MatcherAssert.assertThat(parsed.getField("event_log_name"), CoreMatchers.is("CORRELATION"));
        // The subtype column is empty in this fixture.
        MatcherAssert.assertThat(parsed.getField("pan_log_subtype"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("timestamp"), CoreMatchers.is(expectedTime));
        MatcherAssert.assertThat(parsed.getField("source_ip"), CoreMatchers.is("10.154.8.125"));
        // The DOMAIN\\user form must survive with its single backslash intact.
        MatcherAssert.assertThat(parsed.getField("user_name"), CoreMatchers.is("pancademo\\david.mccoy"));
        MatcherAssert.assertThat(parsed.getField("host_virtfw_id"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("threat_category"), CoreMatchers.is("compromised-host"));
        MatcherAssert.assertThat(parsed.getField("event_severity"), CoreMatchers.is("medium"));
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_1"), CoreMatchers.is(31L));
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_2"), CoreMatchers.is(40L));
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_3"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_4"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("host_virtfw_hostname"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("host_hostname"), CoreMatchers.is("uk1rama"));
        MatcherAssert.assertThat(parsed.getField("host_virtfw_uid"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("pan_objectname"), CoreMatchers.is("beacon-heuristics"));
        MatcherAssert.assertThat(parsed.getField("pan_object_id"), CoreMatchers.is("6005"));
        // The evidence column is quoted and contains a comma; it must come back as one value
        // with the surrounding quotes removed.
        MatcherAssert.assertThat(parsed.getField("pan_evidence"), CoreMatchers.is("Host has made use of Internet Relay Chat (IRC), a protocol popular with command-and-control activity."));
    }

    /**
     * Decodes a sample GLOBALPROTECT log line in the layout where the sequence number and the
     * flags value come directly before the log-type column, and checks each extracted field.
     *
     * <p>The fixture is a successful "portal-prelogin" event; most identity columns (auth method,
     * user, source hostname) are empty and are expected to decode to null.
     */
    @Test
    public void verifyGlobalProtectMessageParsing() {
        String payload = "1,2020/04/01 10:49:35,015351000040055,11,0x0,GLOBALPROTECT,0,2305,2020/04/01 10:49:35,vsys1,portal-prelogin,before-login,,,,192.168.0.0-192.168.255.255,,192.168.45.33,0.0.0.0,0.0.0.0,0.0.0.0,2c2ec970-de09-444c-b84f-2c0be75e13cd,,Browser,Windows,\"Microsoft Windows 7  Service Pack 1, 64-bit\",1,,,\"\",success,,0,,0,gp-portal";
        String rawLog = "<14>1 2020-06-02T14:01:00.000Z PYTHON_TEST_SENDER - - - - " + payload;

        Message parsed = cut.decode(new RawMessage(rawLog.getBytes(StandardCharsets.UTF_8)));
        MatcherAssert.assertThat(parsed, CoreMatchers.notNullValue());

        // full_message keeps the syslog header; message holds only the comma-separated payload.
        MatcherAssert.assertThat(parsed.getField("full_message"), CoreMatchers.is(rawLog));
        MatcherAssert.assertThat(parsed.getField("message"), CoreMatchers.is(payload));
        MatcherAssert.assertThat(parsed.getField("event_source_product"), CoreMatchers.is("PAN"));

        // Both date columns of the fixture hold the same instant.
        DateTime expectedTime = DateTime.parse("2020-04-01T10:49:35-07:00").withZone(TIMEZONE);
        MatcherAssert.assertThat(parsed.getField("event_received_time"), CoreMatchers.is(expectedTime));
        MatcherAssert.assertThat(parsed.getField("host_id"), CoreMatchers.is("015351000040055"));
        MatcherAssert.assertThat(parsed.getField("event_uid"), CoreMatchers.is("11"));
        MatcherAssert.assertThat(parsed.getField("pan_log_panorama"), CoreMatchers.is("0x0"));
        MatcherAssert.assertThat(parsed.getField("event_log_name"), CoreMatchers.is("GLOBALPROTECT"));
        MatcherAssert.assertThat(parsed.getField("timestamp"), CoreMatchers.is(expectedTime));
        MatcherAssert.assertThat(parsed.getField("host_virtfw_id"), CoreMatchers.is("vsys1"));
        MatcherAssert.assertThat(parsed.getField("pan_event_name"), CoreMatchers.is("portal-prelogin"));
        MatcherAssert.assertThat(parsed.getField("pan_tunnel_stage"), CoreMatchers.is("before-login"));
        MatcherAssert.assertThat(parsed.getField("pan_auth_method"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("network_tunnel_type"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("source_user"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("pan_source_region"), CoreMatchers.is("192.168.0.0-192.168.255.255"));
        MatcherAssert.assertThat(parsed.getField("source_hostname"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("vendor_public_ip"), CoreMatchers.is("192.168.45.33"));
        // The fixture carries the literal "0.0.0.0" in the remaining address columns, including
        // the two IPv6 ones; the codec is expected to pass the text through unchanged.
        MatcherAssert.assertThat(parsed.getField("vendor_public_ipv6"), CoreMatchers.is("0.0.0.0"));
        MatcherAssert.assertThat(parsed.getField("vendor_private_ip"), CoreMatchers.is("0.0.0.0"));
        MatcherAssert.assertThat(parsed.getField("vendor_private_ipv6"), CoreMatchers.is("0.0.0.0"));
        MatcherAssert.assertThat(parsed.getField("pan_gp_hostid"), CoreMatchers.is("2c2ec970-de09-444c-b84f-2c0be75e13cd"));
        MatcherAssert.assertThat(parsed.getField("pan_gp_client_version"), CoreMatchers.is("Browser"));
        MatcherAssert.assertThat(parsed.getField("host_type"), CoreMatchers.is("Windows"));
        // Quoted column containing a comma: must stay one value, quotes stripped.
        MatcherAssert.assertThat(parsed.getField("host_type_version"), CoreMatchers.is("Microsoft Windows 7  Service Pack 1, 64-bit"));
        MatcherAssert.assertThat(parsed.getField("event_repeat_count"), CoreMatchers.is(1L));
        MatcherAssert.assertThat(parsed.getField("pan_gp_reason"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("pan_gp_error"), CoreMatchers.nullValue());
        // This column is an empty quoted string ("") in the fixture and is expected as null.
        MatcherAssert.assertThat(parsed.getField("pan_gp_error_extended"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("vendor_event_action"), CoreMatchers.is("success"));
        MatcherAssert.assertThat(parsed.getField("pan_gp_location_name"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("network_tunnel_duration"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("pan_gp_connect_method"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("pan_gp_error_code"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("pan_gp_hostname"), CoreMatchers.is("gp-portal"));
    }

    /**
     * Decodes a sample GLOBALPROTECT log line in the alternative layout where the log-type column
     * is the fourth column and the sequence number and flags value trail the line, and checks each
     * extracted field. (The "913" in the name presumably refers to the PAN-OS release that uses
     * this layout; confirm against the codec.)
     *
     * <p>Several values that the other GlobalProtect test expects under vendor-specific names are
     * expected here under different field names ({@code source_os_name}, {@code source_os_version},
     * {@code vendor_event_outcome}, {@code event_error_code}, {@code destination_hostname}), so
     * searches and detections written against one naming will not match events in the other.
     */
    @Test
    public void verifyGlobalProtect913MessageParsing() {
        String payload = "1,2020/04/01 10:49:35,015351000040055,GLOBALPROTECT,0,2305,2020/04/01 10:49:35,vsys1,portal-prelogin,before-login,,,,192.168.0.0-192.168.255.255,,192.168.45.33,0.0.0.0,0.0.0.0,0.0.0.0,2c2ec970-de09-444c-b84f-2c0be75e13cd,,Browser,Windows,\"Microsoft Windows 7  Service Pack 1, 64-bit\",1,,,\"\",success,,0,,0,gp-portal,11,0x0";
        String rawLog = "<14>1 2020-06-02T14:01:00.000Z PYTHON_TEST_SENDER - - - - " + payload;

        Message parsed = cut.decode(new RawMessage(rawLog.getBytes(StandardCharsets.UTF_8)));
        MatcherAssert.assertThat(parsed, CoreMatchers.notNullValue());

        // full_message keeps the syslog header; message holds only the comma-separated payload.
        MatcherAssert.assertThat(parsed.getField("full_message"), CoreMatchers.is(rawLog));
        MatcherAssert.assertThat(parsed.getField("message"), CoreMatchers.is(payload));
        MatcherAssert.assertThat(parsed.getField("event_source_product"), CoreMatchers.is("PAN"));

        // Both date columns of the fixture hold the same instant.
        DateTime expectedTime = DateTime.parse("2020-04-01T10:49:35-07:00").withZone(TIMEZONE);
        MatcherAssert.assertThat(parsed.getField("event_received_time"), CoreMatchers.is(expectedTime));
        MatcherAssert.assertThat(parsed.getField("host_id"), CoreMatchers.is("015351000040055"));
        MatcherAssert.assertThat(parsed.getField("event_log_name"), CoreMatchers.is("GLOBALPROTECT"));
        MatcherAssert.assertThat(parsed.getField("timestamp"), CoreMatchers.is(expectedTime));
        MatcherAssert.assertThat(parsed.getField("host_virtfw_id"), CoreMatchers.is("vsys1"));
        MatcherAssert.assertThat(parsed.getField("pan_event_name"), CoreMatchers.is("portal-prelogin"));
        MatcherAssert.assertThat(parsed.getField("pan_tunnel_stage"), CoreMatchers.is("before-login"));
        MatcherAssert.assertThat(parsed.getField("pan_auth_method"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("network_tunnel_type"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("user_name"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("pan_source_region"), CoreMatchers.is("192.168.0.0-192.168.255.255"));
        MatcherAssert.assertThat(parsed.getField("source_hostname"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("vendor_public_ip"), CoreMatchers.is("192.168.45.33"));
        // The fixture carries the literal "0.0.0.0" in the remaining address columns, including
        // the two IPv6 ones; the codec is expected to pass the text through unchanged.
        MatcherAssert.assertThat(parsed.getField("vendor_public_ipv6"), CoreMatchers.is("0.0.0.0"));
        MatcherAssert.assertThat(parsed.getField("vendor_private_ip"), CoreMatchers.is("0.0.0.0"));
        MatcherAssert.assertThat(parsed.getField("vendor_private_ipv6"), CoreMatchers.is("0.0.0.0"));
        MatcherAssert.assertThat(parsed.getField("pan_gp_hostid"), CoreMatchers.is("2c2ec970-de09-444c-b84f-2c0be75e13cd"));
        MatcherAssert.assertThat(parsed.getField("source_id"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("pan_gp_client_version"), CoreMatchers.is("Browser"));
        MatcherAssert.assertThat(parsed.getField("source_os_name"), CoreMatchers.is("Windows"));
        // Quoted column containing a comma: must stay one value, quotes stripped.
        MatcherAssert.assertThat(parsed.getField("source_os_version"), CoreMatchers.is("Microsoft Windows 7  Service Pack 1, 64-bit"));
        MatcherAssert.assertThat(parsed.getField("event_repeat_count"), CoreMatchers.is(1L));
        MatcherAssert.assertThat(parsed.getField("pan_gp_reason"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("event_error_description"), CoreMatchers.nullValue());
        // This column is an empty quoted string ("") in the fixture and is expected as null.
        MatcherAssert.assertThat(parsed.getField("pan_gp_error_extended"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("vendor_event_outcome"), CoreMatchers.is("success"));
        MatcherAssert.assertThat(parsed.getField("pan_gp_location_name"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("network_tunnel_duration"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("pan_gp_connect_method"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("event_error_code"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("destination_hostname"), CoreMatchers.is("gp-portal"));
        MatcherAssert.assertThat(parsed.getField("event_uid"), CoreMatchers.is("11"));
        MatcherAssert.assertThat(parsed.getField("pan_log_panorama"), CoreMatchers.is("0x0"));
        // The fixture line ends after the flags value, so the fields below have no column at all
        // and are expected to be absent.
        MatcherAssert.assertThat(parsed.getField("pan_selection_type"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("application_response_time"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("pan_gateway_priority"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("pan_attempted_gateways"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("pan_gateway"), CoreMatchers.nullValue());
    }

    /**
     * Decodes a sample HIPMATCH log line and checks each extracted field.
     *
     * <p>NOTE(review): the last columns of the fixture are template placeholder text ("hostId",
     * "MAC Address", "YYYY-MM-DDThh:ss:sssTZD") and the column asserted as {@code pan_gp_hostid}
     * holds a MAC-formatted value. The test therefore pins the positional column-to-field mapping
     * only; it does not show that these fields receive well-formed values from a real device.
     */
    @Test
    public void verifyHipMatchMessageParsing() {
        String payload = "0,2020/03/18 04:03:19,,HIPMATCH,0,0,2020/03/18 04:02:55,user1@prismaissase.com,vsys1,DFWMACW12KG8WL,Mac,172.1.19.3,test-Object,1,object,0,0,28,0x8600000000000000,15,18,0,0,,GP cloud service,1,0.0.0.0,4c:32:75:9a:5f:ed,hostId,MAC Address,YYYY-MM-DDThh:ss:sssTZD";
        String rawLog = "<14>1 2020-06-02T14:01:00.000Z PYTHON_TEST_SENDER - - - - " + payload;

        Message parsed = cut.decode(new RawMessage(rawLog.getBytes(StandardCharsets.UTF_8)));
        MatcherAssert.assertThat(parsed, CoreMatchers.notNullValue());

        // full_message keeps the syslog header; message holds only the comma-separated payload.
        MatcherAssert.assertThat(parsed.getField("full_message"), CoreMatchers.is(rawLog));
        MatcherAssert.assertThat(parsed.getField("message"), CoreMatchers.is(payload));
        MatcherAssert.assertThat(parsed.getField("event_source_product"), CoreMatchers.is("PAN"));

        // This fixture is the one in view whose two date columns differ: event_created follows
        // the first (04:03:19) and timestamp the second (04:02:55).
        DateTime expectedCreated = DateTime.parse("2020-03-18T04:03:19-07:00").withZone(TIMEZONE);
        MatcherAssert.assertThat(parsed.getField("event_created"), CoreMatchers.is(expectedCreated));
        // The serial-number column is empty in this fixture.
        MatcherAssert.assertThat(parsed.getField("event_observer_uid"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("event_log_name"), CoreMatchers.is("HIPMATCH"));
        MatcherAssert.assertThat(parsed.getField("pan_log_subtype"), CoreMatchers.is("0"));
        DateTime expectedTimestamp = DateTime.parse("2020-03-18T04:02:55-07:00").withZone(TIMEZONE);
        MatcherAssert.assertThat(parsed.getField("timestamp"), CoreMatchers.is(expectedTimestamp));
        MatcherAssert.assertThat(parsed.getField("user_name"), CoreMatchers.is("user1@prismaissase.com"));
        MatcherAssert.assertThat(parsed.getField("host_virtfw_id"), CoreMatchers.is("vsys1"));
        MatcherAssert.assertThat(parsed.getField("host_hostname"), CoreMatchers.is("DFWMACW12KG8WL"));
        MatcherAssert.assertThat(parsed.getField("host_type"), CoreMatchers.is("Mac"));
        MatcherAssert.assertThat(parsed.getField("host_ip"), CoreMatchers.is("172.1.19.3"));
        MatcherAssert.assertThat(parsed.getField("pan_hip"), CoreMatchers.is("test-Object"));
        MatcherAssert.assertThat(parsed.getField("event_repeat_count"), CoreMatchers.is(1L));
        MatcherAssert.assertThat(parsed.getField("pan_hip_type"), CoreMatchers.is("object"));
        MatcherAssert.assertThat(parsed.getField("event_uid"), CoreMatchers.is("28"));
        MatcherAssert.assertThat(parsed.getField("pan_log_panorama"), CoreMatchers.is("0x8600000000000000"));
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_1"), CoreMatchers.is(15L));
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_2"), CoreMatchers.is(18L));
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_3"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_4"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("host_virtfw_hostname"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("event_observer_hostname"), CoreMatchers.is("GP cloud service"));
        MatcherAssert.assertThat(parsed.getField("host_virtfw_uid"), CoreMatchers.is("1"));
        MatcherAssert.assertThat(parsed.getField("host_ipv6"), CoreMatchers.is("0.0.0.0"));
        // Placeholder-valued tail columns; see the note in the method comment.
        MatcherAssert.assertThat(parsed.getField("pan_gp_hostid"), CoreMatchers.is("4c:32:75:9a:5f:ed"));
        MatcherAssert.assertThat(parsed.getField("host_id"), CoreMatchers.is("hostId"));
        MatcherAssert.assertThat(parsed.getField("source_mac"), CoreMatchers.is("MAC Address"));
        MatcherAssert.assertThat(parsed.getField("pan_high_res_time"), CoreMatchers.is("YYYY-MM-DDThh:ss:sssTZD"));
    }

    /**
     * Decodes a sample SYSTEM log line and checks each extracted field.
     *
     * <p>The description column of the fixture is quoted free text that itself contains commas.
     * The fields asserted after it (sequence number, flags, device-group levels, hostname) would
     * all shift if the description were split on those commas, so they double as a check on
     * quoted-field handling.
     */
    @Test
    public void verifySystemMessageParsing() {
        String payload = "1,2020/03/19 10:12:57,007000016479,SYSTEM,general,0,2020/03/19 10:12:57,,general,,0,0,general,informational,\"Failed to connect to address: (null) port: 3978, conn id: triallr-(null)-2-192.168.1.232\",21682381,0x8000000000000000,0,0,0,0,,sg2,YYYY-MM-DDThh:ss:sssTZD";
        String rawLog = "<14>1 2020-06-02T14:01:00.000Z PYTHON_TEST_SENDER - - - - " + payload;

        Message parsed = cut.decode(new RawMessage(rawLog.getBytes(StandardCharsets.UTF_8)));
        MatcherAssert.assertThat(parsed, CoreMatchers.notNullValue());

        // full_message keeps the syslog header; message holds only the comma-separated payload.
        MatcherAssert.assertThat(parsed.getField("full_message"), CoreMatchers.is(rawLog));
        MatcherAssert.assertThat(parsed.getField("message"), CoreMatchers.is(payload));
        MatcherAssert.assertThat(parsed.getField("event_source_product"), CoreMatchers.is("PAN"));

        // Both date columns of the fixture hold the same instant.
        DateTime expectedTime = DateTime.parse("2020-03-19T10:12:57-07:00").withZone(TIMEZONE);
        MatcherAssert.assertThat(parsed.getField("event_created"), CoreMatchers.is(expectedTime));
        MatcherAssert.assertThat(parsed.getField("host_id"), CoreMatchers.is("007000016479"));
        MatcherAssert.assertThat(parsed.getField("event_log_name"), CoreMatchers.is("SYSTEM"));
        MatcherAssert.assertThat(parsed.getField("pan_log_subtype"), CoreMatchers.is("general"));
        MatcherAssert.assertThat(parsed.getField("timestamp"), CoreMatchers.is(expectedTime));
        MatcherAssert.assertThat(parsed.getField("host_virtfw_id"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("pan_event_name"), CoreMatchers.is("general"));
        MatcherAssert.assertThat(parsed.getField("pan_event_object"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("pan_module"), CoreMatchers.is("general"));
        MatcherAssert.assertThat(parsed.getField("event_severity"), CoreMatchers.is("informational"));
        // Expected as a single value with the surrounding quotes removed and the inner comma kept.
        MatcherAssert.assertThat(parsed.getField("vendor_event_description"), CoreMatchers.is("Failed to connect to address: (null) port: 3978, conn id: triallr-(null)-2-192.168.1.232"));
        MatcherAssert.assertThat(parsed.getField("event_uid"), CoreMatchers.is("21682381"));
        MatcherAssert.assertThat(parsed.getField("pan_log_panorama"), CoreMatchers.is("0x8000000000000000"));
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_1"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_2"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_3"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_4"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("host_virtfw_hostname"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("host_hostname"), CoreMatchers.is("sg2"));
        // The fixture holds the format template text here, not a real timestamp; it is expected
        // to be stored verbatim as a string.
        MatcherAssert.assertThat(parsed.getField("pan_high_res_time"), CoreMatchers.is("YYYY-MM-DDThh:ss:sssTZD"));
    }

    @Test
    public void verifyThreatMessageParsing() {
        String str = "<14>1 2020-06-02T14:01:00.000Z PYTHON_TEST_SENDER - - - - " + "1,2020/05/19 07:37:27,007200002536,THREAT,spyware,2305,2020/05/19 07:37:27,10.154.229.167,190.253.254.254,,,General Business Apps,pancademo\\andy.miller,,unknown-udp,vsys1,L3-TAP,L3-TAP,ethernet1/2,ethernet1/2,,2020/05/19 07:37:27,70860,1,1111,16471,0,0,0x80002000,udp,drop,\"\",ZeroAccess.Gen Command and Control Traffic(13235),any,critical,client-to-server,6241468001,0x2000000000000000,10.0.0.0-10.255.255.255,Colombia,0,,1206236073597030482,,,0,,,,,,,,0,31,12,0,0,,us1,,,,,0,,0,,N/A,botnet,AppThreat-8270-6076,0x0,0,4294967295,,,f0724261-cf8b-479b-8208-fd3c7ac3af0b,0,";
        Message decode = this.cut.decode(new RawMessage(str.getBytes(StandardCharsets.UTF_8)));
        MatcherAssert.assertThat(decode, CoreMatchers.notNullValue());
        MatcherAssert.assertThat(decode.getField("full_message"), CoreMatchers.is(str));
        MatcherAssert.assertThat(decode.getField("message"), CoreMatchers.is("1,2020/05/19 07:37:27,007200002536,THREAT,spyware,2305,2020/05/19 07:37:27,10.154.229.167,190.253.254.254,,,General Business Apps,pancademo\\andy.miller,,unknown-udp,vsys1,L3-TAP,L3-TAP,ethernet1/2,ethernet1/2,,2020/05/19 07:37:27,70860,1,1111,16471,0,0,0x80002000,udp,drop,\"\",ZeroAccess.Gen Command and Control Traffic(13235),any,critical,client-to-server,6241468001,0x2000000000000000,10.0.0.0-10.255.255.255,Colombia,0,,1206236073597030482,,,0,,,,,,,,0,31,12,0,0,,us1,,,,,0,,0,,N/A,botnet,AppThreat-8270-6076,0x0,0,4294967295,,,f0724261-cf8b-479b-8208-fd3c7ac3af0b,0,"));
        MatcherAssert.assertThat(decode.getField("event_source_product"), CoreMatchers.is("PAN"));
        MatcherAssert.assertThat(decode.getField("event_received_time"), CoreMatchers.is(DateTime.parse("2020-05-19T07:37:27-07:00").withZone(TIMEZONE)));
        MatcherAssert.assertThat(decode.getField("event_observer_id"), CoreMatchers.is("007200002536"));
        MatcherAssert.assertThat(decode.getField("event_log_name"), CoreMatchers.is("THREAT"));
        MatcherAssert.assertThat(decode.getField("pan_log_subtype"), CoreMatchers.is("spyware"));
        MatcherAssert.assertThat(decode.getField("timestamp"), CoreMatchers.is(DateTime.parse("2020-05-19T07:37:27-07:00").withZone(TIMEZONE)));
        MatcherAssert.assertThat(decode.getField("source_ip"), CoreMatchers.is("10.154.229.167"));
        MatcherAssert.assertThat(decode.getField("destination_ip"), CoreMatchers.is("190.253.254.254"));
        MatcherAssert.assertThat(decode.getField("source_nat_ip"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("destination_nat_ip"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("rule_name"), CoreMatchers.is("General Business Apps"));
        MatcherAssert.assertThat(decode.getField("source_user_name"), CoreMatchers.is("pancademo\\andy.miller"));
        MatcherAssert.assertThat(decode.getField("destination_user_name"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("application_name"), CoreMatchers.is("unknown-udp"));
        MatcherAssert.assertThat(decode.getField("host_virtfw_id"), CoreMatchers.is("vsys1"));
        MatcherAssert.assertThat(decode.getField("source_zone"), CoreMatchers.is("L3-TAP"));
        MatcherAssert.assertThat(decode.getField("destination_zone"), CoreMatchers.is("L3-TAP"));
        MatcherAssert.assertThat(decode.getField("network_interface_in"), CoreMatchers.is("ethernet1/2"));
        MatcherAssert.assertThat(decode.getField("network_interface_out"), CoreMatchers.is("ethernet1/2"));
        MatcherAssert.assertThat(decode.getField("pan_log_action"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("session_id"), CoreMatchers.is(70860L));
        MatcherAssert.assertThat(decode.getField("event_repeat_count"), CoreMatchers.is(1L));
        MatcherAssert.assertThat(decode.getField("source_port"), CoreMatchers.is(1111L));
        MatcherAssert.assertThat(decode.getField("destination_port"), CoreMatchers.is(16471L));
        MatcherAssert.assertThat(decode.getField("source_nat_port"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(decode.getField("destination_nat_port"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(decode.getField("pan_flags"), CoreMatchers.is("0x80002000"));
        MatcherAssert.assertThat(decode.getField("network_transport"), CoreMatchers.is("udp"));
        MatcherAssert.assertThat(decode.getField("vendor_event_action"), CoreMatchers.is("drop"));
        MatcherAssert.assertThat(decode.getField("alert_indicator"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("alert_signature"), CoreMatchers.is("ZeroAccess.Gen Command and Control Traffic(13235)"));
        MatcherAssert.assertThat(decode.getField("alert_category"), CoreMatchers.notNullValue());
        List list = (List) decode.getField("alert_category");
        MatcherAssert.assertThat(Integer.valueOf(list.size()), CoreMatchers.is(2));
        MatcherAssert.assertThat(list, CoreMatchers.hasItems(new String[]{"any", "botnet"}));
        MatcherAssert.assertThat(decode.getField("vendor_alert_severity"), CoreMatchers.is("critical"));
        MatcherAssert.assertThat(decode.getField("pan_alert_direction"), CoreMatchers.is("client-to-server"));
        MatcherAssert.assertThat(decode.getField("event_uid"), CoreMatchers.is("6241468001"));
        MatcherAssert.assertThat(decode.getField("pan_log_panorama"), CoreMatchers.is("0x2000000000000000"));
        MatcherAssert.assertThat(decode.getField("source_location_name"), CoreMatchers.is("10.0.0.0-10.255.255.255"));
        MatcherAssert.assertThat(decode.getField("destination_location_name"), CoreMatchers.is("Colombia"));
        MatcherAssert.assertThat(decode.getField("http_content_type"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("pan_pcap_id"), CoreMatchers.is("1206236073597030482"));
        MatcherAssert.assertThat(decode.getField("pan_wildfire_hash"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("pan_cloud_hostname"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("pan_url_index"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(decode.getField("http_user_agent_name"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("file_type"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("http_xff"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("http_referrer"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("source_user_email"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("email_subject"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("target_user_email"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("pan_wildfire_report_id"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(decode.getField("pan_dev_group_level_1"), CoreMatchers.is(31L));
        MatcherAssert.assertThat(decode.getField("pan_dev_group_level_2"), CoreMatchers.is(12L));
        MatcherAssert.assertThat(decode.getField("pan_dev_group_level_3"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(decode.getField("pan_dev_group_level_4"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(decode.getField("host_virtfw_hostname"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("event_observer_hostname"), CoreMatchers.is("us1"));
        MatcherAssert.assertThat(decode.getField("source_vsys_uuid"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("destination_vsys_uuid"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("http_method"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("pan_tunnel_id"), CoreMatchers.is("0"));
        MatcherAssert.assertThat(decode.getField("pan_monitor_tag"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(decode.getField("pan_parent_session_id"), CoreMatchers.is("0"));
        MatcherAssert.assertThat(decode.getField("pan_parent_start_time"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("network_tunnel_type"), CoreMatchers.is("N/A"));
        MatcherAssert.assertThat(decode.getField("alert_definitions_version"), CoreMatchers.is("AppThreat-8270-6076"));
        MatcherAssert.assertThat(decode.getField("pan_assoc_id"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(decode.getField("pan_ppid"), CoreMatchers.is(4294967295L));
        MatcherAssert.assertThat(decode.getField("http_headers"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("http_uri_category"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("policy_uid"), CoreMatchers.is("f0724261-cf8b-479b-8208-fd3c7ac3af0b"));
        MatcherAssert.assertThat(decode.getField("pan_http2"), CoreMatchers.is("0"));
        MatcherAssert.assertThat(decode.getField("pan_dynusergroup_name"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("http_xff"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("source_category"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("pan_source_profile"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("source_device_model"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("source_device_vendor"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("source_os_name"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("source_os_version"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("source_hostname"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("source_mac"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("destination_category"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("pan_destination_profile"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("destination_device_model"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("destination_device_vendor"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("destination_os_name"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("destination_os_version"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("destination_hostname"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("destination_mac"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("container_id"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("container_namespace"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("container_name"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("pan_src_edl"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("pan_dst_edl"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("pan_host_id"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("pan_host_sn"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("pan_domain_edl"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("pan_src_dag"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("pan_dst_dag"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("pan_partial_hash"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("pan_high_res_time"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("vendor_event_outcome_reason"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("pan_event_justification"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(decode.getField("pan_nsdsai_sst"), CoreMatchers.nullValue());
    }

    /**
     * Decodes a THREAT record in which the value {@code FOO} appears twice and checks that
     * {@code http_xff} is returned as the single string {@code "FOO"}.
     *
     * <p>Compare with {@code verifyThreatMessageParsing_withDifferentXFF}, where the same field is a
     * list: consumers of {@code http_xff} have to cope with both shapes. X-Forwarded-For is a
     * request header set by the sender, so the value should be treated as unverified.
     */
    @Test
    public void verifyThreatMessageParsing_withRepeatedSameXFF() {
        // PAN CSV payload without the syslog header; "message" is expected to equal exactly this.
        final String payload = "1,2020/05/19 07:37:27,007200002536,THREAT,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,FOO,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,FOO,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,";
        final String rawLine = "<14>1 2020-06-02T14:01:00.000Z PYTHON_TEST_SENDER - - - - " + payload;

        final Message parsed = this.cut.decode(new RawMessage(rawLine.getBytes(StandardCharsets.UTF_8)));

        MatcherAssert.assertThat(parsed, CoreMatchers.notNullValue());
        // full_message keeps the syslog header, message does not.
        MatcherAssert.assertThat(parsed.getField("full_message"), CoreMatchers.is(rawLine));
        MatcherAssert.assertThat(parsed.getField("message"), CoreMatchers.is(payload));
        MatcherAssert.assertThat(parsed.getField("event_source_product"), CoreMatchers.is("PAN"));
        // Two identical values are reported once, as a plain string.
        MatcherAssert.assertThat(parsed.getField("http_xff"), CoreMatchers.is("FOO"));
    }

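    /**
     * Decodes a THREAT record carrying two different values ({@code FOO} and {@code BAR}) and
     * checks that {@code http_xff} is returned as a list holding both.
     *
     * <p>Compare with {@code verifyThreatMessageParsing_withRepeatedSameXFF}, where the field is a
     * plain string: consumers of {@code http_xff} have to cope with both shapes. X-Forwarded-For is
     * a request header set by the sender, so the values should be treated as unverified.
     */
    @Test
    public void verifyThreatMessageParsing_withDifferentXFF() {
        // PAN CSV payload without the syslog header; "message" is expected to equal exactly this.
        final String payload = "1,2020/05/19 07:37:27,007200002536,THREAT,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,FOO,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,BAR,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,";
        final String rawLine = "<14>1 2020-06-02T14:01:00.000Z PYTHON_TEST_SENDER - - - - " + payload;

        final Message parsed = this.cut.decode(new RawMessage(rawLine.getBytes(StandardCharsets.UTF_8)));

        MatcherAssert.assertThat(parsed, CoreMatchers.notNullValue());
        // full_message keeps the syslog header, message does not.
        MatcherAssert.assertThat(parsed.getField("full_message"), CoreMatchers.is(rawLine));
        MatcherAssert.assertThat(parsed.getField("message"), CoreMatchers.is(payload));
        MatcherAssert.assertThat(parsed.getField("event_source_product"), CoreMatchers.is("PAN"));

        final Object xffField = parsed.getField("http_xff");
        MatcherAssert.assertThat(xffField, CoreMatchers.notNullValue());
        // Check the shape first so a scalar result fails as an assertion, not a ClassCastException.
        MatcherAssert.assertThat(xffField, CoreMatchers.instanceOf(List.class));
        @SuppressWarnings("unchecked") // elements are compared against String values just below
        final List<String> forwardedFor = (List<String>) xffField;
        MatcherAssert.assertThat(forwardedFor.size(), CoreMatchers.is(2));
        MatcherAssert.assertThat(forwardedFor, CoreMatchers.hasItems("FOO", "BAR"));
    }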

    /**
     * Decodes a complete TRAFFIC "end" record and checks every field the codec is expected to
     * populate, plus the fields expected to stay unset.
     *
     * <p>The timestamps in the record carry no UTC offset. The expected values are built with a
     * {@code -07:00} offset and the class's {@code TIMEZONE}, so the event times depend on the
     * timezone the codec was configured with; a wrong setting shifts all of them.
     */
    @Test
    public void verifyTrafficMessageParsing() {
        // PAN CSV payload without the syslog header; "message" is expected to equal exactly this.
        final String payload = "1,2020/05/19 07:34:54,007200002536,TRAFFIC,end,2305,2020/05/19 07:34:54,10.154.172.134,151.151.88.132,,,IT Sanctioned SaaS Apps-443,pancademo\\steven.reid,,ssl,vsys1,L3-TAP,L3-TAP,ethernet1/2,ethernet1/2,,2020/05/19 07:34:54,33903,1,57090,443,0,0,0x6c,tcp,allow,6802,3876,2926,26,2020/05/19 07:32:48,97,financial-services,0,18621234943,0x0,10.0.0.0-10.255.255.255,United States,0,17,9,tcp-rst-from-server,31,12,0,0,,us1,from-policy,,,0,,0,,N/A,0,0,0,0,30468339-a760-46b2-b80b-ee873e6d11e4,0,0,,,,,,,";
        final String rawLine = "<14>1 2020-06-02T14:01:00.000Z PYTHON_TEST_SENDER - - - - " + payload;
        final DateTime loggedAt = DateTime.parse("2020-05-19T07:34:54-07:00").withZone(TIMEZONE);
        final DateTime sessionStart = DateTime.parse("2020-05-19T07:32:48-07:00").withZone(TIMEZONE);

        final Message parsed = this.cut.decode(new RawMessage(rawLine.getBytes(StandardCharsets.UTF_8)));

        MatcherAssert.assertThat(parsed, CoreMatchers.notNullValue());
        // full_message keeps the syslog header, message does not.
        MatcherAssert.assertThat(parsed.getField("full_message"), CoreMatchers.is(rawLine));
        MatcherAssert.assertThat(parsed.getField("message"), CoreMatchers.is(payload));

        // Record header.
        MatcherAssert.assertThat(parsed.getField("event_source_product"), CoreMatchers.is("PAN"));
        MatcherAssert.assertThat(parsed.getField("event_received_time"), CoreMatchers.is(loggedAt));
        // NOTE(review): the device serial is event_observer_id here but event_observer_uid in
        // verifyUserIdMessageParsing -- confirm the differing field names are intended.
        MatcherAssert.assertThat(parsed.getField("event_observer_id"), CoreMatchers.is("007200002536"));
        MatcherAssert.assertThat(parsed.getField("event_log_name"), CoreMatchers.is("TRAFFIC"));
        MatcherAssert.assertThat(parsed.getField("pan_log_subtype"), CoreMatchers.is("end"));
        MatcherAssert.assertThat(parsed.getField("timestamp"), CoreMatchers.is(loggedAt));

        // Endpoints, rule and user.
        MatcherAssert.assertThat(parsed.getField("source_ip"), CoreMatchers.is("10.154.172.134"));
        MatcherAssert.assertThat(parsed.getField("destination_ip"), CoreMatchers.is("151.151.88.132"));
        MatcherAssert.assertThat(parsed.getField("source_nat_ip"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("destination_nat_ip"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("rule_name"), CoreMatchers.is("IT Sanctioned SaaS Apps-443"));
        MatcherAssert.assertThat(parsed.getField("source_user_name"), CoreMatchers.is("pancademo\\steven.reid"));
        MatcherAssert.assertThat(parsed.getField("destination_user_name"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("application_name"), CoreMatchers.is("ssl"));
        MatcherAssert.assertThat(parsed.getField("host_virtfw_id"), CoreMatchers.is("vsys1"));
        MatcherAssert.assertThat(parsed.getField("source_zone"), CoreMatchers.is("L3-TAP"));
        MatcherAssert.assertThat(parsed.getField("destination_zone"), CoreMatchers.is("L3-TAP"));
        MatcherAssert.assertThat(parsed.getField("network_interface_in"), CoreMatchers.is("ethernet1/2"));
        MatcherAssert.assertThat(parsed.getField("network_interface_out"), CoreMatchers.is("ethernet1/2"));
        MatcherAssert.assertThat(parsed.getField("pan_log_action"), CoreMatchers.nullValue());

        // Session, ports and counters (numeric fields are expected as Long).
        MatcherAssert.assertThat(parsed.getField("session_id"), CoreMatchers.is(33903L));
        MatcherAssert.assertThat(parsed.getField("event_repeat_count"), CoreMatchers.is(1L));
        MatcherAssert.assertThat(parsed.getField("source_port"), CoreMatchers.is(57090L));
        MatcherAssert.assertThat(parsed.getField("destination_port"), CoreMatchers.is(443L));
        MatcherAssert.assertThat(parsed.getField("source_nat_port"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("destination_nat_port"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("pan_flags"), CoreMatchers.is("0x6c"));
        MatcherAssert.assertThat(parsed.getField("network_transport"), CoreMatchers.is("tcp"));
        MatcherAssert.assertThat(parsed.getField("vendor_event_action"), CoreMatchers.is("allow"));
        MatcherAssert.assertThat(parsed.getField("network_bytes"), CoreMatchers.is(6802L));
        MatcherAssert.assertThat(parsed.getField("source_bytes_sent"), CoreMatchers.is(3876L));
        MatcherAssert.assertThat(parsed.getField("destination_bytes_sent"), CoreMatchers.is(2926L));
        MatcherAssert.assertThat(parsed.getField("network_packets"), CoreMatchers.is(26L));
        MatcherAssert.assertThat(parsed.getField("event_start"), CoreMatchers.is(sessionStart));
        MatcherAssert.assertThat(parsed.getField("event_duration"), CoreMatchers.is(97L));
        MatcherAssert.assertThat(parsed.getField("http_uri_category"), CoreMatchers.is("financial-services"));
        MatcherAssert.assertThat(parsed.getField("event_uid"), CoreMatchers.is("18621234943"));
        MatcherAssert.assertThat(parsed.getField("pan_log_panorama"), CoreMatchers.is("0x0"));
        MatcherAssert.assertThat(parsed.getField("source_location_name"), CoreMatchers.is("10.0.0.0-10.255.255.255"));
        MatcherAssert.assertThat(parsed.getField("destination_location_name"), CoreMatchers.is("United States"));
        MatcherAssert.assertThat(parsed.getField("source_packets_sent"), CoreMatchers.is(17L));
        MatcherAssert.assertThat(parsed.getField("destination_packets_sent"), CoreMatchers.is(9L));
        MatcherAssert.assertThat(parsed.getField("pan_session_end_reason"), CoreMatchers.is("tcp-rst-from-server"));

        // Device group hierarchy and observer.
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_1"), CoreMatchers.is(31L));
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_2"), CoreMatchers.is(12L));
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_3"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_4"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("host_virtfw_hostname"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("event_observer_hostname"), CoreMatchers.is("us1"));
        MatcherAssert.assertThat(parsed.getField("vendor_event_description"), CoreMatchers.is("from-policy"));
        MatcherAssert.assertThat(parsed.getField("source_vsys_uuid"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("destination_vsys_uuid"), CoreMatchers.nullValue());

        // Tunnel, SCTP and policy details.
        MatcherAssert.assertThat(parsed.getField("pan_tunnel_id"), CoreMatchers.is("0"));
        MatcherAssert.assertThat(parsed.getField("pan_monitor_tag"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("pan_parent_session_id"), CoreMatchers.is("0"));
        MatcherAssert.assertThat(parsed.getField("pan_parent_start_time"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("network_tunnel_type"), CoreMatchers.is("N/A"));
        MatcherAssert.assertThat(parsed.getField("pan_assoc_id"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("pan_sctp_chunks_sum"), CoreMatchers.is("0"));
        MatcherAssert.assertThat(parsed.getField("pan_sctp_chunks_tx"), CoreMatchers.is("0"));
        MatcherAssert.assertThat(parsed.getField("pan_sctp_chunks_rx"), CoreMatchers.is("0"));
        MatcherAssert.assertThat(parsed.getField("policy_uid"), CoreMatchers.is("30468339-a760-46b2-b80b-ee873e6d11e4"));
        MatcherAssert.assertThat(parsed.getField("pan_http2"), CoreMatchers.is("0"));
        MatcherAssert.assertThat(parsed.getField("pan_link_changes"), CoreMatchers.is(0L));

        // Everything below must be absent from the decoded message for this sample.
        final String[] expectedAbsent = {
            "pan_sdwan_policyid",
            "pan_link_switches",
            "pan_sdwan_cluster",
            "pan_sdwan_device_type",
            "pan_sdwan_cluster_type",
            "pan_sdwan_site_name",
            "pan_dynusergroup_name",
            "http_xff",
            "source_category",
            "pan_source_profile",
            "source_device_model",
            "source_device_vendor",
            "source_os_name",
            "source_os_version",
            "source_hostname",
            "source_mac",
            "destination_category",
            "pan_destination_profile",
            "destination_device_model",
            "destination_device_vendor",
            "destination_os_name",
            "destination_os_version",
            "destination_hostname",
            "destination_mac",
            "container_id",
            "container_namespace",
            "container_name",
            "pan_src_edl",
            "pan_dst_edl",
            "pan_host_id",
            "pan_host_sn",
            "pan_src_dag",
            "pan_dst_dag",
            "pan_session_owner",
            "pan_high_res_time",
            "pan_nsdsai_sst",
            "pan_nsdsai_sd",
        };
        for (final String fieldName : expectedAbsent) {
            // The field name is passed as the reason so a failure says which field was set.
            MatcherAssert.assertThat(fieldName, parsed.getField(fieldName), CoreMatchers.nullValue());
        }
    }

    /**
     * Decodes a USERID "login" record (GlobalProtect VPN client data source) and checks the
     * populated fields and the fields expected to stay unset.
     *
     * <p>The timestamps in the record carry no UTC offset. The expected values are built with a
     * {@code -07:00} offset and the class's {@code TIMEZONE}.
     */
    @Test
    public void verifyUserIdMessageParsing() {
        // PAN CSV payload without the syslog header; "message" is expected to equal exactly this.
        final String payload = "1,2021/01/20 08:55:02,012801190281,USERID,login,2304,2021/01/20 08:55:02,vsys1,172.16.100.1,graylog-user1,,0,1,2592000,0,0,vpn-client,globalprotect,1,0x0,0,0,0,0,,PA-220,1,,2021/01/20 08:55:02,1,0x0,graylog-user1";
        final String rawLine = "<14>1 2020-06-02T14:01:00.000Z PYTHON_TEST_SENDER - - - - " + payload;
        // The sample uses the same instant for receive time, generated time and factor completion.
        final DateTime eventTime = DateTime.parse("2021-01-20T08:55:02-07:00").withZone(TIMEZONE);

        final Message parsed = this.cut.decode(new RawMessage(rawLine.getBytes(StandardCharsets.UTF_8)));

        MatcherAssert.assertThat(parsed, CoreMatchers.notNullValue());
        // full_message keeps the syslog header, message does not.
        MatcherAssert.assertThat(parsed.getField("full_message"), CoreMatchers.is(rawLine));
        MatcherAssert.assertThat(parsed.getField("message"), CoreMatchers.is(payload));

        // Record header.
        MatcherAssert.assertThat(parsed.getField("event_source_product"), CoreMatchers.is("PAN"));
        MatcherAssert.assertThat(parsed.getField("event_created"), CoreMatchers.is(eventTime));
        // NOTE(review): the device serial is event_observer_uid here but event_observer_id in
        // verifyTrafficMessageParsing -- confirm the differing field names are intended.
        MatcherAssert.assertThat(parsed.getField("event_observer_uid"), CoreMatchers.is("012801190281"));
        MatcherAssert.assertThat(parsed.getField("event_log_name"), CoreMatchers.is("USERID"));
        MatcherAssert.assertThat(parsed.getField("pan_log_subtype"), CoreMatchers.is("login"));
        MatcherAssert.assertThat(parsed.getField("timestamp"), CoreMatchers.is(eventTime));

        // Who logged in, from where, and via which data source.
        MatcherAssert.assertThat(parsed.getField("host_virtfw_id"), CoreMatchers.is("vsys1"));
        MatcherAssert.assertThat(parsed.getField("source_ip"), CoreMatchers.is("172.16.100.1"));
        // NOTE(review): the user is source_user here but source_user_name in the TRAFFIC test.
        MatcherAssert.assertThat(parsed.getField("source_user"), CoreMatchers.is("graylog-user1"));
        MatcherAssert.assertThat(parsed.getField("pan_datasource_name"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("pan_event_name"), CoreMatchers.is("0"));
        MatcherAssert.assertThat(parsed.getField("event_repeat_count"), CoreMatchers.is(1L));
        MatcherAssert.assertThat(parsed.getField("pan_timeout"), CoreMatchers.is(2592000L));
        MatcherAssert.assertThat(parsed.getField("source_port"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("destination_port"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("pan_datasource"), CoreMatchers.is("vpn-client"));
        MatcherAssert.assertThat(parsed.getField("pan_datasource_type"), CoreMatchers.is("globalprotect"));
        MatcherAssert.assertThat(parsed.getField("event_uid"), CoreMatchers.is("1"));
        MatcherAssert.assertThat(parsed.getField("pan_log_panorama"), CoreMatchers.is("0x0"));

        // Device group hierarchy and observer.
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_1"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_2"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_3"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("pan_dev_group_level_4"), CoreMatchers.is(0L));
        MatcherAssert.assertThat(parsed.getField("host_virtfw_hostname"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("event_observer_hostname"), CoreMatchers.is("PA-220"));
        MatcherAssert.assertThat(parsed.getField("host_virtfw_uid"), CoreMatchers.is("1"));

        // Authentication factor details.
        MatcherAssert.assertThat(parsed.getField("pan_factor_type"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("pan_factor_completion_time"), CoreMatchers.is(eventTime));
        MatcherAssert.assertThat(parsed.getField("pan_factor_number"), CoreMatchers.is(1L));

        // NOTE(review): the payload ends with "0x0,graylog-user1", yet pan_user_group_flags and
        // pan_source_user are expected to be unset -- confirm the trailing columns are mapped as
        // intended, since an unmapped user column would be missing from searches.
        MatcherAssert.assertThat(parsed.getField("pan_user_group_flags"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("pan_source_user"), CoreMatchers.nullValue());
        MatcherAssert.assertThat(parsed.getField("pan_high_res_time"), CoreMatchers.nullValue());
    }
}
