hpess-logstash-codec-cef 0.1.5 → 0.1.6

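--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 2aa574df0f3ca9ed883f4baf424f9e1813ab4042
-data.tar.gz: 1fa77dc3ea0a1bec0f49164484e00208bd952ee7
+metadata.gz: 82aeade6d1d9b90d7989cd8a9e4d949c8a151d73
+data.tar.gz: 9245659333045632c105bb6fd6a59d46a3a8df57
 SHA512:
-metadata.gz: 6f2fe997e0a0ef22f9e74c01e5899e3bf1faa156455e6ec0cb127e56208b5ebed0a38fa06895b9c155f521cdb1565d0e80e4c17ae00ce055fb5169f9d11cbf79
-data.tar.gz: 1bbe77325063c8804924e1bd49c7a7bccb5a9f819de417cd3be1842c87ab1d3eec09632f5b4becbc9a6b9d446f37e0b81b0b1a6eb0f026989be5514bd0ba9566
+metadata.gz: 14621f3d0cea8d03006f81a4ce453a1adfc7e9e8cff23231090574b4be0da8215f297ab53be0765d1be6bdf123d0fd93ae59a7ca4ffccf537547d414969fca10
+data.tar.gz: ed5045e928c7c15e08b59adaf5ad0f52df9841f8be3a88c3123f5fff77058943b8245ece880d7a7b5f01db923203ad4eb88f359715cc3d026c60befd349e3717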
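--- a/data/.gitignore
+++ b/data/.gitignore
@@ -3,3 +3,5 @@ vendor
 tools
 .VERSION.mk
 *.gem
+*.lock
+*.swp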
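--- a/data/README.md
+++ b/data/README.md
@@ -15,7 +15,16 @@ Logstash provides infrastructure to automatically generate documentation for thi
 
 Need help? Try #logstash on freenode IRC or the logstash-users@googlegroups.com mailing list.
 
-## Developing
+## Developing with Docker
+You can use a docker container with all of the requirements pre installed to save you installing the development environment on your host.
+
+### 1. Starting the container
+Simply type `docker-compose run devenv` and you'll be entered into the container. Then you'll need to do `jruby -S bundle install` to get all the dependencies down.
+
+### 2. Running tests
+Once you've done #1 above, you can run your tests with `jruby -S bundle exec rspec`
+
+## Developing without Docker
 
 ### 1. Plugin Developement and Testing
 
@@ -83,4 +92,4 @@ Programming is not a required skill. Whatever you've seen about open source and
 
 It is more important to the community that you are able to contribute.
 
-For more information about contributing, see the [CONTRIBUTING](https://github.com/elasticsearch/logstash/blob/master/CONTRIBUTING.md) file.
+For more information about contributing, see the [CONTRIBUTING](https://github.com/elasticsearch/logstash/blob/master/CONTRIBUTING.md) file.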
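--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,5 @@
+devenv:
+image: hpess/devenv-jruby:master
+entrypoint: /bin/bash
+volumes:
+- ./:/storage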
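Review bot: `image: hpess/devenv-jruby:master` references a mutable tag, so the development environment the README now points contributors at is not reproducible and silently changes whenever the upstream image is rebuilt. Pin it to an immutable reference such as a versioned tag or a digest, e.g. `image: hpess/devenv-jruby@sha256:<IMAGE_DIGEST>` with the placeholder replaced by the digest of the intended build. The bind mount `./:/storage` exposes the whole checkout to the container, which is expected for a dev container but is worth stating next to the `docker-compose run devenv` instruction in the README.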
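--- a/lib/logstash/codecs/cef.rb
+++ b/lib/logstash/codecs/cef.rb
@@ -2,11 +2,7 @@ require "logstash/codecs/base"
 
 class LogStash::Codecs::CEF < LogStash::Codecs::Base
 config_name "cef"
-
-
-# Specify if the Syslog header will be expected
 config :syslog, :validate => :boolean, :default => false
-
 config :signature, :validate => :string, :default => "Logstash"
 config :name, :validate => :string, :default => "Logstash"
 config :sev, :validate => :number, :default => 6
@@ -20,7 +16,6 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
 
 public
 def decode(data)
-# Need to break out the headers, then return the headers as individual fields, and the extension to be processed by a filter (ie: KV)
 # %{SYSLOGDATE} %{HOST} CEF:Version|Device Vendor|Device Product|Device Version|SignatureID|Name|Severity|Extension
 event = LogStash::Event.new()
 if @syslog
@@ -30,17 +25,13 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
 else
 # We don't have syslog headers, so we just need to remove CEF:
 data.sub! /^CEF:/, ''
-end #if @syslog
-
-# Default any CEF unknown fields to unknown
-data.gsub! '||', '|unknown|'
+end
 
-# Now, break out the rest of the headers
-event['cef_version'], event['cef_vendor'], event['cef_product'], event['cef_device_version'], event['cef_sigid'], event['cef_name'], event['cef_severity'], event['message'] = data.scan /(?:[^\|\\]|\\.)+/
+# Get the headers
+event['cef_version'], event['cef_vendor'], event['cef_product'], event['cef_device_version'], event['cef_sigid'], event['cef_name'], event['cef_severity'], event['message'] = data.split /(?<!\\)[\|]/
 
-# Strip any leading or trailing spaces
-message=event['message']
-message=message.to_s.strip
+# Strip any whitespace from the message
+message=event['message'].to_s.strip
 event['message']=message
 
 # Now, try to break out the Extension Dictionary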
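Review bot: The new `data.split /(?<!\\)[\|]/` on the `event['cef_version'], … = …` line has no field limit, so any unescaped `|` inside the extension (which the CEF format does not require producers to escape, unlike the header) starts a ninth element that the multiple assignment silently drops, truncating `event['message']` at that pipe and losing extension key/value pairs before the KV step. Passing the field count as the limit keeps the rest of the line intact in the last field: `… = data.split(/(?<!\\)\|/, 8)`. The lookbehind also treats a pipe preceded by an escaped backslash (`\\|`, i.e. a literal backslash followed by a real delimiter) as escaped, which presumably is rare but deserves a spec example. The removed `# Specify if the Syslog header will be expected` comment above `config :syslog` in the first hunk was the only documentation of that option and is worth keeping; `decode` begins before the last hunk and continues after it.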
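--- a/logstash-codec-cef.gemspec
+++ b/logstash-codec-cef.gemspec
@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
 s.name = 'hpess-logstash-codec-cef'
-s.version = '0.1.5'
+s.version = '0.1.6'
 s.licenses = ['Apache License (2.0)']
 s.summary = "CEF codec to parse CEF formated logs"
 s.description = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"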
@@ -5,40 +5,67 @@ require "logstash/codecs/cef"
5
5
  require "logstash/event"
6
6
 
7
7
  describe LogStash::Codecs::CEF do
8
- subject do
9
- next LogStash::Codecs::CEF.new
10
- end
11
-
12
- context "#encode" do
13
- it "should assert all header fields are present"
14
- end
15
-
16
- context "#decode" do
17
- let (:message) { "CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|src=10.0.0.192 dst=12.121.122.82 spt=1232" }
18
-
19
- it "should parse the cef header" do
20
- subject.decode(message) do |e|
21
- insist { e.is_a?(LogStash::Event) }
22
- insist { e["cef_version"] } == "0"
23
- insist { e["cef_vendor"] } == "security"
24
- insist { e["cef_product"] } == "threatmanager"
25
- insist { e["cef_device_version"] } == "1.0"
26
- insist { e["cef_sigid"] } == "100"
27
- insist { e["cef_name"] } == "trojan successfully stopped"
28
- insist { e["cef_severity"] } == "10"
29
- insist { e["message"] } == "src=10.0.0.192 dst=12.121.122.82 spt=1232"
30
- end
8
+ subject do
9
+ next LogStash::Codecs::CEF.new
31
10
  end
32
11
 
33
- it "should parse the cef body" do
34
- subject.decode(message) do |e|
35
- insist { e["cef_ext_src"] } == "10.0.0.192"
36
- insist { e["cef_ext_dst"] } == "12.121.122.82"
37
- insist { e["cef_ext_spt"] } == "1232"
38
- end
12
+ context "#encode" do
13
+ it "should assert all header fields are present"
39
14
  end
40
15
 
41
- it "should handle values in the body that contain spaces"
42
- end
16
+ context "#decode" do
17
+ let (:message) { "CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|src=10.0.0.192 dst=12.121.122.82 spt=1232" }
18
+
19
+ def validate(e)
20
+ insist { e.is_a?(LogStash::Event) }
21
+ insist { e["cef_version"] } == "0"
22
+ insist { e["cef_device_version"] } == "1.0"
23
+ insist { e["cef_sigid"] } == "100"
24
+ insist { e["cef_name"] } == "trojan successfully stopped"
25
+ insist { e["cef_severity"] } == "10"
26
+ insist { e["message"] } == "src=10.0.0.192 dst=12.121.122.82 spt=1232"
27
+ end
28
+
29
+ it "should parse the cef headers" do
30
+ subject.decode(message) do |e|
31
+ validate(e)
32
+ insist { e["cef_vendor"] } == "security"
33
+ insist { e["cef_product"] } == "threatmanager"
34
+ end
35
+ end
36
+
37
+ it "should parse the cef body" do
38
+ subject.decode(message) do |e|
39
+ insist { e["cef_ext_src"] } == "10.0.0.192"
40
+ insist { e["cef_ext_dst"] } == "12.121.122.82"
41
+ insist { e["cef_ext_spt"] } == "1232"
42
+ end
43
+ end
44
+
45
+ let (:missing_headers) { "CEF:0|||1.0|100|trojan successfully stopped|10|src=10.0.0.192 dst=12.121.122.82 spt=1232" }
46
+ it "should be OK with missing CEF headers (multiple pipes in sequence)" do
47
+ subject.decode(missing_headers) do |e|
48
+ validate(e)
49
+ insist { e["cef_vendor"] } == ""
50
+ insist { e["cef_product"] } == ""
51
+ end
52
+ end
53
+
54
+ let (:leading_whitespace) { "CEF:0|security|threatmaager|1.0|100|trojan successfully stopped|10| src=10.0.0.192 dst=12.121.122.82 spt=1232" }
55
+ it "should strip leading whitespace from the message" do
56
+ subject.decode(leading_whitespace) do |e|
57
+ validate(e)
58
+ end
59
+ end
60
+
61
+
62
+ let (:escaped_pipes) { 'CEF:0|||1.0|100|trojan successfully stopped|10|moo=this\|has an escaped pipe' }
63
+ it "should be OK with escaped pipes in the message" do
64
+ subject.decode(escaped_pipes) do |e|
65
+ insist { e["message"] } == 'moo=this\|has an escaped pipe'
66
+ end
67
+ end
68
+
69
+ end
43
70
 
44
71
  end
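Review bot: The `it "should be OK with escaped pipes in the message"` example only asserts `e["message"]` and never calls `validate(e)`, so a regression that shifts the header fields while an escaped pipe is present would pass unnoticed; add `validate(e)` before the message assertion as the other examples do. There is also no example for an unescaped `|` inside the extension, which the codec's `data.split /(?<!\\)[\|]/` would currently cut off; a constructed fixture such as `let(:pipe_in_extension) { "CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|msg=a|b" }` with `insist { e["message"] } == "msg=a|b"` would pin the intended behaviour either way. The `leading_whitespace` fixture spells the product `threatmaager`, which only goes unnoticed because `validate` no longer checks `cef_product`; fix the fixture or move the `cef_vendor`/`cef_product` checks back into `validate` for the examples that use the full header. The enclosing `describe LogStash::Codecs::CEF` block begins before this hunk.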
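--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hpess-logstash-codec-cef
 version: !ruby/object:Gem::Version
-version: 0.1.5
+version: 0.1.6
 platform: ruby
 authors:
 - Elasticsearch
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-04-02 00:00:00.000000000 Z
+date: 2015-04-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: logstash-core
@@ -58,6 +58,7 @@ files:
 - LICENSE
 - README.md
 - Rakefile
+- docker-compose.yml
 - lib/logstash/codecs/cef.rb
 - lib/logstash/version.rb
 - logstash-codec-cef.gemspec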