hpess-logstash-codec-cef 0.1.5 → 0.1.6
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitignore +2 -0
- data/README.md +11 -2
- data/docker-compose.yml +5 -0
- data/lib/logstash/codecs/cef.rb +5 -14
- data/logstash-codec-cef.gemspec +1 -1
- data/spec/codecs/cef_spec.rb +58 -31
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 82aeade6d1d9b90d7989cd8a9e4d949c8a151d73
|
|
4
|
+
data.tar.gz: 9245659333045632c105bb6fd6a59d46a3a8df57
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 14621f3d0cea8d03006f81a4ce453a1adfc7e9e8cff23231090574b4be0da8215f297ab53be0765d1be6bdf123d0fd93ae59a7ca4ffccf537547d414969fca10
|
|
7
|
+
data.tar.gz: ed5045e928c7c15e08b59adaf5ad0f52df9841f8be3a88c3123f5fff77058943b8245ece880d7a7b5f01db923203ad4eb88f359715cc3d026c60befd349e3717
|
data/.gitignore
CHANGED
data/README.md
CHANGED
|
@@ -15,7 +15,16 @@ Logstash provides infrastructure to automatically generate documentation for thi
|
|
|
15
15
|
|
|
16
16
|
Need help? Try #logstash on freenode IRC or the logstash-users@googlegroups.com mailing list.
|
|
17
17
|
|
|
18
|
-
## Developing
|
|
18
|
+
## Developing with Docker
|
|
19
|
+
You can use a docker container with all of the requirements pre installed to save you installing the development environment on your host.
|
|
20
|
+
|
|
21
|
+
### 1. Starting the container
|
|
22
|
+
Simply type `docker-compose run devenv` and you'll be entered into the container. Then you'll need to do `jruby -S bundle install` to get all the dependencies down.
|
|
23
|
+
|
|
24
|
+
### 2. Running tests
|
|
25
|
+
Once you've done #1 above, you can run your tests with `jruby -S bundle exec rspec`
|
|
26
|
+
|
|
27
|
+
## Developing without Docker
|
|
19
28
|
|
|
20
29
|
### 1. Plugin Developement and Testing
|
|
21
30
|
|
|
@@ -83,4 +92,4 @@ Programming is not a required skill. Whatever you've seen about open source and
|
|
|
83
92
|
|
|
84
93
|
It is more important to the community that you are able to contribute.
|
|
85
94
|
|
|
86
|
-
For more information about contributing, see the [CONTRIBUTING](https://github.com/elasticsearch/logstash/blob/master/CONTRIBUTING.md) file.
|
|
95
|
+
For more information about contributing, see the [CONTRIBUTING](https://github.com/elasticsearch/logstash/blob/master/CONTRIBUTING.md) file.
|
data/docker-compose.yml
ADDED
data/lib/logstash/codecs/cef.rb
CHANGED
|
@@ -2,11 +2,7 @@ require "logstash/codecs/base"
|
|
|
2
2
|
|
|
3
3
|
class LogStash::Codecs::CEF < LogStash::Codecs::Base
|
|
4
4
|
config_name "cef"
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
# Specify if the Syslog header will be expected
|
|
8
5
|
config :syslog, :validate => :boolean, :default => false
|
|
9
|
-
|
|
10
6
|
config :signature, :validate => :string, :default => "Logstash"
|
|
11
7
|
config :name, :validate => :string, :default => "Logstash"
|
|
12
8
|
config :sev, :validate => :number, :default => 6
|
|
@@ -20,7 +16,6 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
|
|
|
20
16
|
|
|
21
17
|
public
|
|
22
18
|
def decode(data)
|
|
23
|
-
# Need to break out the headers, then return the headers as individual fields, and the extension to be processed by a filter (ie: KV)
|
|
24
19
|
# %{SYSLOGDATE} %{HOST} CEF:Version|Device Vendor|Device Product|Device Version|SignatureID|Name|Severity|Extension
|
|
25
20
|
event = LogStash::Event.new()
|
|
26
21
|
if @syslog
|
|
@@ -30,17 +25,13 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
|
|
|
30
25
|
else
|
|
31
26
|
# We don't have syslog headers, so we just need to remove CEF:
|
|
32
27
|
data.sub! /^CEF:/, ''
|
|
33
|
-
end
|
|
34
|
-
|
|
35
|
-
# Default any CEF unknown fields to unknown
|
|
36
|
-
data.gsub! '||', '|unknown|'
|
|
28
|
+
end
|
|
37
29
|
|
|
38
|
-
#
|
|
39
|
-
event['cef_version'], event['cef_vendor'], event['cef_product'], event['cef_device_version'], event['cef_sigid'], event['cef_name'], event['cef_severity'], event['message'] = data.
|
|
30
|
+
# Get the headers
|
|
31
|
+
event['cef_version'], event['cef_vendor'], event['cef_product'], event['cef_device_version'], event['cef_sigid'], event['cef_name'], event['cef_severity'], event['message'] = data.split /(?<!\\)[\|]/
|
|
40
32
|
|
|
41
|
-
# Strip any
|
|
42
|
-
message=event['message']
|
|
43
|
-
message=message.to_s.strip
|
|
33
|
+
# Strip any whitespace from the message
|
|
34
|
+
message=event['message'].to_s.strip
|
|
44
35
|
event['message']=message
|
|
45
36
|
|
|
46
37
|
# Now, try to break out the Extension Dictionary
|
data/logstash-codec-cef.gemspec
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
|
|
3
3
|
s.name = 'hpess-logstash-codec-cef'
|
|
4
|
-
s.version = '0.1.
|
|
4
|
+
s.version = '0.1.6'
|
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
|
6
6
|
s.summary = "CEF codec to parse CEF formated logs"
|
|
7
7
|
s.description = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
|
data/spec/codecs/cef_spec.rb
CHANGED
|
@@ -5,40 +5,67 @@ require "logstash/codecs/cef"
|
|
|
5
5
|
require "logstash/event"
|
|
6
6
|
|
|
7
7
|
describe LogStash::Codecs::CEF do
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
end
|
|
11
|
-
|
|
12
|
-
context "#encode" do
|
|
13
|
-
it "should assert all header fields are present"
|
|
14
|
-
end
|
|
15
|
-
|
|
16
|
-
context "#decode" do
|
|
17
|
-
let (:message) { "CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|src=10.0.0.192 dst=12.121.122.82 spt=1232" }
|
|
18
|
-
|
|
19
|
-
it "should parse the cef header" do
|
|
20
|
-
subject.decode(message) do |e|
|
|
21
|
-
insist { e.is_a?(LogStash::Event) }
|
|
22
|
-
insist { e["cef_version"] } == "0"
|
|
23
|
-
insist { e["cef_vendor"] } == "security"
|
|
24
|
-
insist { e["cef_product"] } == "threatmanager"
|
|
25
|
-
insist { e["cef_device_version"] } == "1.0"
|
|
26
|
-
insist { e["cef_sigid"] } == "100"
|
|
27
|
-
insist { e["cef_name"] } == "trojan successfully stopped"
|
|
28
|
-
insist { e["cef_severity"] } == "10"
|
|
29
|
-
insist { e["message"] } == "src=10.0.0.192 dst=12.121.122.82 spt=1232"
|
|
30
|
-
end
|
|
8
|
+
subject do
|
|
9
|
+
next LogStash::Codecs::CEF.new
|
|
31
10
|
end
|
|
32
11
|
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
insist { e["cef_ext_src"] } == "10.0.0.192"
|
|
36
|
-
insist { e["cef_ext_dst"] } == "12.121.122.82"
|
|
37
|
-
insist { e["cef_ext_spt"] } == "1232"
|
|
38
|
-
end
|
|
12
|
+
context "#encode" do
|
|
13
|
+
it "should assert all header fields are present"
|
|
39
14
|
end
|
|
40
15
|
|
|
41
|
-
|
|
42
|
-
|
|
16
|
+
context "#decode" do
|
|
17
|
+
let (:message) { "CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|src=10.0.0.192 dst=12.121.122.82 spt=1232" }
|
|
18
|
+
|
|
19
|
+
def validate(e)
|
|
20
|
+
insist { e.is_a?(LogStash::Event) }
|
|
21
|
+
insist { e["cef_version"] } == "0"
|
|
22
|
+
insist { e["cef_device_version"] } == "1.0"
|
|
23
|
+
insist { e["cef_sigid"] } == "100"
|
|
24
|
+
insist { e["cef_name"] } == "trojan successfully stopped"
|
|
25
|
+
insist { e["cef_severity"] } == "10"
|
|
26
|
+
insist { e["message"] } == "src=10.0.0.192 dst=12.121.122.82 spt=1232"
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
it "should parse the cef headers" do
|
|
30
|
+
subject.decode(message) do |e|
|
|
31
|
+
validate(e)
|
|
32
|
+
insist { e["cef_vendor"] } == "security"
|
|
33
|
+
insist { e["cef_product"] } == "threatmanager"
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
it "should parse the cef body" do
|
|
38
|
+
subject.decode(message) do |e|
|
|
39
|
+
insist { e["cef_ext_src"] } == "10.0.0.192"
|
|
40
|
+
insist { e["cef_ext_dst"] } == "12.121.122.82"
|
|
41
|
+
insist { e["cef_ext_spt"] } == "1232"
|
|
42
|
+
end
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
let (:missing_headers) { "CEF:0|||1.0|100|trojan successfully stopped|10|src=10.0.0.192 dst=12.121.122.82 spt=1232" }
|
|
46
|
+
it "should be OK with missing CEF headers (multiple pipes in sequence)" do
|
|
47
|
+
subject.decode(missing_headers) do |e|
|
|
48
|
+
validate(e)
|
|
49
|
+
insist { e["cef_vendor"] } == ""
|
|
50
|
+
insist { e["cef_product"] } == ""
|
|
51
|
+
end
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
let (:leading_whitespace) { "CEF:0|security|threatmaager|1.0|100|trojan successfully stopped|10| src=10.0.0.192 dst=12.121.122.82 spt=1232" }
|
|
55
|
+
it "should strip leading whitespace from the message" do
|
|
56
|
+
subject.decode(leading_whitespace) do |e|
|
|
57
|
+
validate(e)
|
|
58
|
+
end
|
|
59
|
+
end
|
|
60
|
+
|
|
61
|
+
|
|
62
|
+
let (:escaped_pipes) { 'CEF:0|||1.0|100|trojan successfully stopped|10|moo=this\|has an escaped pipe' }
|
|
63
|
+
it "should be OK with escaped pipes in the message" do
|
|
64
|
+
subject.decode(escaped_pipes) do |e|
|
|
65
|
+
insist { e["message"] } == 'moo=this\|has an escaped pipe'
|
|
66
|
+
end
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
end
|
|
43
70
|
|
|
44
71
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: hpess-logstash-codec-cef
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.6
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Elasticsearch
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2015-04-
|
|
11
|
+
date: 2015-04-06 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: logstash-core
|
|
@@ -58,6 +58,7 @@ files:
|
|
|
58
58
|
- LICENSE
|
|
59
59
|
- README.md
|
|
60
60
|
- Rakefile
|
|
61
|
+
- docker-compose.yml
|
|
61
62
|
- lib/logstash/codecs/cef.rb
|
|
62
63
|
- lib/logstash/version.rb
|
|
63
64
|
- logstash-codec-cef.gemspec
|