Refactor to support all Syslog variants

- Move all Syslog variants into their own files, with root elements to
  support parsing only a single variant
- Modify the Syslog root so it supports all variants instead of just
  RFC5424
- Copy Solarwinds tests to Sylog tests with modifications to remove
  Solarwinds specific parts to ensure the Syslog element supports all
  variants
- Removes portability. PriorityValue is now referenced from multiple
  schemas so it is difficult to have a single "portable" schema.
  Instead, instructions and documentation are added to describe how make
  the schema portable.
- Resolve all XSAT findings

src/main/resources/com/owlcyberdefense/syslog/xsd/syslog-cisco.dfdl.xsd

@@ -0,0 +1,133 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+Copyright (c) 2017-2023 Owl Cyber Defense. All rights reserved.
+
+Developed by: Owl Cyber Defense (formerly Tresys Technology) LLC
+              http://www.owlcyberdefense.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal with
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+    this list of conditions and the following disclaimers.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimers in the
+    documentation and/or other materials provided with the distribution.
+
+ 3. Neither the names of Owl Cyber Defense, nor the names of its contributors
+    may be used to endorse or promote products derived from this Software
+    without specific prior written permission.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+CONTRIBUTORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS WITH THE
+SOFTWARE.
+-->
+
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns:dfdl="http://www.ogf.org/dfdl/dfdl-1.0/"
+           xmlns:sl="urn:syslog"
+           targetNamespace="urn:syslog">
+
+  <xs:include schemaLocation="common.dfdl.xsd"/>
+
+  <xs:annotation>
+    <xs:appinfo source="http://www.ogf.org/dfdl/">
+      <dfdl:format ref="sl:common"/>
+    </xs:appinfo>
+  </xs:annotation>
+
+  <xs:element name="SyslogCisco">
+    <xs:annotation>
+      <xs:documentation>
+        Defines a single syslog message of the Cisco format, including the
+        facility and severity. This should be used as the root element if the
+        goal is to only support Cisco messages.
+      </xs:documentation>
+    </xs:annotation>
+    <xs:complexType>
+      <xs:sequence>
+        <xs:group ref="sl:PriorityValue" />
+        <xs:group ref="sl:Cisco" />
+      </xs:sequence>
+    </xs:complexType>
+  </xs:element>
+
+  <xs:complexType name="Cisco">
+    <xs:annotation>
+      <xs:documentation>
+        Defines a type containing the content of a Cisco syslog message,
+        excluding the facility and severity. This should be used when the
+        faciliy/severity are already parsed.
+      </xs:documentation>
+    </xs:annotation>
+    <xs:sequence>
+      <xs:group ref="sl:Cisco" />
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:group name="Cisco">
+    <xs:annotation>
+      <xs:documentation>
+        Defines all content of a Cisco syslog message that appears immediately
+        affter the severify/facility part of a syslog message.
+      </xs:documentation>
+    </xs:annotation>
+    <xs:sequence>
+      <xs:element name="Header">
+        <xs:complexType>
+          <xs:sequence dfdl:separator="%SP;" dfdl:separatorPosition="postfix">
+            <xs:element name="SequenceNumber" type="xs:int" dfdl:textNumberPattern="0" dfdl:terminator=":" />
+            <xs:element name="TimestampMonth" type="sl:month3" />
+            <xs:element name="TimestampDay" dfdl:lengthKind="explicit" dfdl:length="2" dfdl:textNumberPattern="* 00">
+              <xs:simpleType>
+                <xs:restriction base="xs:int">
+                  <xs:minInclusive value="1" />
+                  <xs:maxInclusive value="31" />
+                </xs:restriction>
+              </xs:simpleType>
+            </xs:element>
+            <xs:element name="TimestampTime" type="xs:time" dfdl:calendarPattern="HH:mm:ss" dfdl:lengthKind="explicit" dfdl:length="8" dfdl:terminator=":" />
+            <xs:sequence dfdl:initiator="%%" dfdl:separator="-" dfdl:terminator=":">
+              <xs:element name="Facility">
+                <xs:simpleType>
+                  <xs:restriction base="xs:string">
+                    <xs:minLength value="1" />
+                    <xs:maxLength value="32" />
+                  </xs:restriction>
+                </xs:simpleType>
+              </xs:element>
+              <xs:element name="Severity" dfdl:textNumberPattern="0">
+                <xs:simpleType>
+                  <xs:restriction base="xs:int">
+                    <xs:minInclusive value="0" />
+                    <xs:maxInclusive value="7" />
+                  </xs:restriction>
+                </xs:simpleType>
+              </xs:element>
+              <xs:element name="Mnemonic">
+                <xs:simpleType>
+                  <xs:restriction base="xs:string">
+                    <xs:minLength value="1" />
+                    <xs:maxLength value="32" />
+                  </xs:restriction>
+                </xs:simpleType>
+              </xs:element>
+            </xs:sequence>
+          </xs:sequence>
+        </xs:complexType>
+      </xs:element>
+      <xs:element name="Message" type="sl:msgStr" dfdl:encoding="UTF-8" />
+    </xs:sequence>
+  </xs:group>
+
+</xs:schema>

src/main/resources/com/owlcyberdefense/syslog/xsd/syslog-esxi.dfdl.xsd

@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+Copyright (c) 2017-2023 Owl Cyber Defense. All rights reserved.
+
+Developed by: Owl Cyber Defense (formerly Tresys Technology) LLC
+              http://www.owlcyberdefense.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal with
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+    this list of conditions and the following disclaimers.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimers in the
+    documentation and/or other materials provided with the distribution.
+
+ 3. Neither the names of Owl Cyber Defense, nor the names of its contributors
+    may be used to endorse or promote products derived from this Software
+    without specific prior written permission.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+CONTRIBUTORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS WITH THE
+SOFTWARE.
+-->
+
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns:dfdl="http://www.ogf.org/dfdl/dfdl-1.0/"
+           xmlns:sl="urn:syslog"
+           targetNamespace="urn:syslog">
+
+  <xs:include schemaLocation="common.dfdl.xsd"/>
+
+  <xs:annotation>
+    <xs:appinfo source="http://www.ogf.org/dfdl/">
+      <dfdl:format ref="sl:common"/>
+    </xs:appinfo>
+  </xs:annotation>
+
+  <xs:element name="SyslogESXi">
+    <xs:annotation>
+      <xs:documentation>
+        Defines a single syslog message of the ESXi format, including the
+        facility and severity. This should be used as the root element if the
+        goal is to only support ESXi messages.
+      </xs:documentation>
+    </xs:annotation>
+    <xs:complexType>
+      <xs:sequence>
+        <xs:group ref="sl:PriorityValue" />
+        <xs:group ref="sl:ESXi" />
+      </xs:sequence>
+    </xs:complexType>
+  </xs:element>
+
+  <xs:complexType name="ESXi">
+    <xs:annotation>
+      <xs:documentation>
+        Defines a type containing the content of a ESXi syslog message,
+        excluding the facility and severity. This should be used when the
+        faciliy/severity are already parsed.
+      </xs:documentation>
+    </xs:annotation>
+    <xs:sequence>
+      <xs:group ref="sl:ESXi" />
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:group name="ESXi">
+    <xs:annotation>
+      <xs:documentation>
+        Defines all content of a ESXi syslog message that appears immediately
+        affter the severify/facility part of a syslog message.
+      </xs:documentation>
+    </xs:annotation>
+    <xs:sequence>
+      <xs:element name="Header">
+        <xs:complexType>
+          <xs:sequence>
+            <xs:sequence dfdl:separator="%SP;" dfdl:separatorPosition="postfix">
+              <xs:choice>
+                <xs:element name="Timestamp" type="xs:dateTime" dfdl:calendarPattern="yyyy-MM-dd'T'HH:mm:ssXXX" />
+                <xs:element name="TimestampNano" type="xs:dateTime" dfdl:calendarPattern="yyyy-MM-dd'T'HH:mm:ss.SSSXXX" />
+              </xs:choice>
+              <xs:element name="Hostname">
+                <xs:simpleType>
+                  <xs:restriction base="xs:string">
+                    <xs:minLength value="1" />
+                    <xs:maxLength value="255" />
+                  </xs:restriction>
+                </xs:simpleType>
+              </xs:element>
+              <xs:element name="AppName" dfdl:terminator=":">
+                <xs:simpleType>
+                  <xs:restriction base="xs:string">
+                    <xs:minLength value="1" />
+                    <xs:maxLength value="48" />
+                    <xs:pattern value="[!-~]{1,48}" />
+                  </xs:restriction>
+                </xs:simpleType>
+              </xs:element>
+            </xs:sequence>
+          </xs:sequence>
+        </xs:complexType>
+      </xs:element>
+      <xs:element name="Message" type="sl:msgStr" dfdl:encoding="UTF-8" />
+    </xs:sequence>
+  </xs:group>
+
+</xs:schema>

src/main/resources/com/owlcyberdefense/syslog/xsd/syslog-rfc3164.dfdl.xsd

@@ -0,0 +1,114 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+Copyright (c) 2017-2023 Owl Cyber Defense. All rights reserved.
+
+Developed by: Owl Cyber Defense (formerly Tresys Technology) LLC
+              http://www.owlcyberdefense.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal with
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+    this list of conditions and the following disclaimers.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimers in the
+    documentation and/or other materials provided with the distribution.
+
+ 3. Neither the names of Owl Cyber Defense, nor the names of its contributors
+    may be used to endorse or promote products derived from this Software
+    without specific prior written permission.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+CONTRIBUTORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS WITH THE
+SOFTWARE.
+-->
+
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns:dfdl="http://www.ogf.org/dfdl/dfdl-1.0/"
+           xmlns:sl="urn:syslog"
+           targetNamespace="urn:syslog">
+
+  <xs:include schemaLocation="common.dfdl.xsd"/>
+
+  <xs:annotation>
+    <xs:appinfo source="http://www.ogf.org/dfdl/">
+      <dfdl:format ref="sl:common"/>
+    </xs:appinfo>
+  </xs:annotation>
+
+  <xs:element name="SyslogRFC3164">
+    <xs:annotation>
+      <xs:documentation>
+        Defines a single syslog message of the RFC3164 format, including the
+        facility and severity. This should be used as the root element if the
+        goal is to only support RFC3164 messages.
+      </xs:documentation>
+    </xs:annotation>
+    <xs:complexType>
+      <xs:sequence>
+        <xs:group ref="sl:PriorityValue" />
+        <xs:group ref="sl:RFC3164" />
+      </xs:sequence>
+    </xs:complexType>
+  </xs:element>
+
+  <xs:complexType name="RFC3164">
+    <xs:annotation>
+      <xs:documentation>
+        Defines a type containing the content of a RFC3164 syslog message,
+        excluding the facility and severity. This should be used when the
+        faciliy/severity are already parsed.
+      </xs:documentation>
+    </xs:annotation>
+    <xs:sequence>
+      <xs:group ref="sl:RFC3164" />
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:group name="RFC3164">
+    <xs:annotation>
+      <xs:documentation>
+        Defines all content of a RFC3164 syslog message that appears immediately
+        affter the severify/facility part of a syslog message.
+      </xs:documentation>
+    </xs:annotation>
+    <xs:sequence>
+      <xs:element name="Header">
+        <xs:complexType>
+          <xs:sequence dfdl:separator="%SP;" dfdl:separatorPosition="postfix">
+            <xs:element name="TimestampMonth" type="sl:month3" />
+            <xs:element name="TimestampDay" dfdl:lengthKind="explicit" dfdl:length="2" dfdl:textNumberPattern="* 00">
+              <xs:simpleType>
+                <xs:restriction base="xs:int">
+                  <xs:minInclusive value="1" />
+                  <xs:maxInclusive value="31" />
+                </xs:restriction>
+              </xs:simpleType>
+            </xs:element>
+            <xs:element name="TimestampTime" type="xs:time" dfdl:calendarPattern="HH:mm:ss" dfdl:lengthKind="explicit" dfdl:length="8" />
+            <xs:element name="Hostname">
+              <xs:simpleType>
+                <xs:restriction base="xs:string">
+                  <xs:minLength value="1" />
+                  <xs:maxLength value="255" />
+                </xs:restriction>
+              </xs:simpleType>
+            </xs:element>
+          </xs:sequence>
+        </xs:complexType>
+      </xs:element>
+      <xs:element name="Message" type="sl:msgStr" dfdl:encoding="UTF-8" />
+    </xs:sequence>
+  </xs:group>
+
+</xs:schema>