hpess-logstash-codec-cef 0.1.5 → 0.1.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.gitignore +2 -0
- data/README.md +11 -2
- data/docker-compose.yml +5 -0
- data/lib/logstash/codecs/cef.rb +5 -14
- data/logstash-codec-cef.gemspec +1 -1
- data/spec/codecs/cef_spec.rb +58 -31
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 82aeade6d1d9b90d7989cd8a9e4d949c8a151d73
|
|
4
|
+
data.tar.gz: 9245659333045632c105bb6fd6a59d46a3a8df57
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 14621f3d0cea8d03006f81a4ce453a1adfc7e9e8cff23231090574b4be0da8215f297ab53be0765d1be6bdf123d0fd93ae59a7ca4ffccf537547d414969fca10
|
|
7
|
+
data.tar.gz: ed5045e928c7c15e08b59adaf5ad0f52df9841f8be3a88c3123f5fff77058943b8245ece880d7a7b5f01db923203ad4eb88f359715cc3d026c60befd349e3717
|
data/.gitignore
CHANGED
data/README.md
CHANGED
|
@@ -15,7 +15,16 @@ Logstash provides infrastructure to automatically generate documentation for thi
|
|
|
15
15
|
|
|
16
16
|
Need help? Try #logstash on freenode IRC or the logstash-users@googlegroups.com mailing list.
|
|
17
17
|
|
|
18
|
-
## Developing
|
|
18
|
+
## Developing with Docker
|
|
19
|
+
You can use a docker container with all of the requirements pre installed to save you installing the development environment on your host.
|
|
20
|
+
|
|
21
|
+
### 1. Starting the container
|
|
22
|
+
Simply type `docker-compose run devenv` and you'll be entered into the container. Then you'll need to do `jruby -S bundle install` to get all the dependencies down.
|
|
23
|
+
|
|
24
|
+
### 2. Running tests
|
|
25
|
+
Once you've done #1 above, you can run your tests with `jruby -S bundle exec rspec`
|
|
26
|
+
|
|
27
|
+
## Developing without Docker
|
|
19
28
|
|
|
20
29
|
### 1. Plugin Developement and Testing
|
|
21
30
|
|
|
@@ -83,4 +92,4 @@ Programming is not a required skill. Whatever you've seen about open source and
|
|
|
83
92
|
|
|
84
93
|
It is more important to the community that you are able to contribute.
|
|
85
94
|
|
|
86
|
-
For more information about contributing, see the [CONTRIBUTING](https://github.com/elasticsearch/logstash/blob/master/CONTRIBUTING.md) file.
|
|
95
|
+
For more information about contributing, see the [CONTRIBUTING](https://github.com/elasticsearch/logstash/blob/master/CONTRIBUTING.md) file.
|
data/docker-compose.yml
ADDED
data/lib/logstash/codecs/cef.rb
CHANGED
|
@@ -2,11 +2,7 @@ require "logstash/codecs/base"
|
|
|
2
2
|
|
|
3
3
|
class LogStash::Codecs::CEF < LogStash::Codecs::Base
|
|
4
4
|
config_name "cef"
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
# Specify if the Syslog header will be expected
|
|
8
5
|
config :syslog, :validate => :boolean, :default => false
|
|
9
|
-
|
|
10
6
|
config :signature, :validate => :string, :default => "Logstash"
|
|
11
7
|
config :name, :validate => :string, :default => "Logstash"
|
|
12
8
|
config :sev, :validate => :number, :default => 6
|
|
@@ -20,7 +16,6 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
|
|
|
20
16
|
|
|
21
17
|
public
|
|
22
18
|
def decode(data)
|
|
23
|
-
# Need to break out the headers, then return the headers as individual fields, and the extension to be processed by a filter (ie: KV)
|
|
24
19
|
# %{SYSLOGDATE} %{HOST} CEF:Version|Device Vendor|Device Product|Device Version|SignatureID|Name|Severity|Extension
|
|
25
20
|
event = LogStash::Event.new()
|
|
26
21
|
if @syslog
|
|
@@ -30,17 +25,13 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
|
|
|
30
25
|
else
|
|
31
26
|
# We don't have syslog headers, so we just need to remove CEF:
|
|
32
27
|
data.sub! /^CEF:/, ''
|
|
33
|
-
end
|
|
34
|
-
|
|
35
|
-
# Default any CEF unknown fields to unknown
|
|
36
|
-
data.gsub! '||', '|unknown|'
|
|
28
|
+
end
|
|
37
29
|
|
|
38
|
-
#
|
|
39
|
-
event['cef_version'], event['cef_vendor'], event['cef_product'], event['cef_device_version'], event['cef_sigid'], event['cef_name'], event['cef_severity'], event['message'] = data.
|
|
30
|
+
# Get the headers
|
|
31
|
+
event['cef_version'], event['cef_vendor'], event['cef_product'], event['cef_device_version'], event['cef_sigid'], event['cef_name'], event['cef_severity'], event['message'] = data.split /(?<!\\)[\|]/
|
|
40
32
|
|
|
41
|
-
# Strip any
|
|
42
|
-
message=event['message']
|
|
43
|
-
message=message.to_s.strip
|
|
33
|
+
# Strip any whitespace from the message
|
|
34
|
+
message=event['message'].to_s.strip
|
|
44
35
|
event['message']=message
|
|
45
36
|
|
|
46
37
|
# Now, try to break out the Extension Dictionary
|
data/logstash-codec-cef.gemspec
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
|
|
3
3
|
s.name = 'hpess-logstash-codec-cef'
|
|
4
|
-
s.version = '0.1.
|
|
4
|
+
s.version = '0.1.6'
|
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
|
6
6
|
s.summary = "CEF codec to parse CEF formated logs"
|
|
7
7
|
s.description = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
|
data/spec/codecs/cef_spec.rb
CHANGED
|
@@ -5,40 +5,67 @@ require "logstash/codecs/cef"
|
|
|
5
5
|
require "logstash/event"
|
|
6
6
|
|
|
7
7
|
describe LogStash::Codecs::CEF do
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
end
|
|
11
|
-
|
|
12
|
-
context "#encode" do
|
|
13
|
-
it "should assert all header fields are present"
|
|
14
|
-
end
|
|
15
|
-
|
|
16
|
-
context "#decode" do
|
|
17
|
-
let (:message) { "CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|src=10.0.0.192 dst=12.121.122.82 spt=1232" }
|
|
18
|
-
|
|
19
|
-
it "should parse the cef header" do
|
|
20
|
-
subject.decode(message) do |e|
|
|
21
|
-
insist { e.is_a?(LogStash::Event) }
|
|
22
|
-
insist { e["cef_version"] } == "0"
|
|
23
|
-
insist { e["cef_vendor"] } == "security"
|
|
24
|
-
insist { e["cef_product"] } == "threatmanager"
|
|
25
|
-
insist { e["cef_device_version"] } == "1.0"
|
|
26
|
-
insist { e["cef_sigid"] } == "100"
|
|
27
|
-
insist { e["cef_name"] } == "trojan successfully stopped"
|
|
28
|
-
insist { e["cef_severity"] } == "10"
|
|
29
|
-
insist { e["message"] } == "src=10.0.0.192 dst=12.121.122.82 spt=1232"
|
|
30
|
-
end
|
|
8
|
+
subject do
|
|
9
|
+
next LogStash::Codecs::CEF.new
|
|
31
10
|
end
|
|
32
11
|
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
insist { e["cef_ext_src"] } == "10.0.0.192"
|
|
36
|
-
insist { e["cef_ext_dst"] } == "12.121.122.82"
|
|
37
|
-
insist { e["cef_ext_spt"] } == "1232"
|
|
38
|
-
end
|
|
12
|
+
context "#encode" do
|
|
13
|
+
it "should assert all header fields are present"
|
|
39
14
|
end
|
|
40
15
|
|
|
41
|
-
|
|
42
|
-
|
|
16
|
+
context "#decode" do
|
|
17
|
+
let (:message) { "CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|src=10.0.0.192 dst=12.121.122.82 spt=1232" }
|
|
18
|
+
|
|
19
|
+
def validate(e)
|
|
20
|
+
insist { e.is_a?(LogStash::Event) }
|
|
21
|
+
insist { e["cef_version"] } == "0"
|
|
22
|
+
insist { e["cef_device_version"] } == "1.0"
|
|
23
|
+
insist { e["cef_sigid"] } == "100"
|
|
24
|
+
insist { e["cef_name"] } == "trojan successfully stopped"
|
|
25
|
+
insist { e["cef_severity"] } == "10"
|
|
26
|
+
insist { e["message"] } == "src=10.0.0.192 dst=12.121.122.82 spt=1232"
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
it "should parse the cef headers" do
|
|
30
|
+
subject.decode(message) do |e|
|
|
31
|
+
validate(e)
|
|
32
|
+
insist { e["cef_vendor"] } == "security"
|
|
33
|
+
insist { e["cef_product"] } == "threatmanager"
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
it "should parse the cef body" do
|
|
38
|
+
subject.decode(message) do |e|
|
|
39
|
+
insist { e["cef_ext_src"] } == "10.0.0.192"
|
|
40
|
+
insist { e["cef_ext_dst"] } == "12.121.122.82"
|
|
41
|
+
insist { e["cef_ext_spt"] } == "1232"
|
|
42
|
+
end
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
let (:missing_headers) { "CEF:0|||1.0|100|trojan successfully stopped|10|src=10.0.0.192 dst=12.121.122.82 spt=1232" }
|
|
46
|
+
it "should be OK with missing CEF headers (multiple pipes in sequence)" do
|
|
47
|
+
subject.decode(missing_headers) do |e|
|
|
48
|
+
validate(e)
|
|
49
|
+
insist { e["cef_vendor"] } == ""
|
|
50
|
+
insist { e["cef_product"] } == ""
|
|
51
|
+
end
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
let (:leading_whitespace) { "CEF:0|security|threatmaager|1.0|100|trojan successfully stopped|10| src=10.0.0.192 dst=12.121.122.82 spt=1232" }
|
|
55
|
+
it "should strip leading whitespace from the message" do
|
|
56
|
+
subject.decode(leading_whitespace) do |e|
|
|
57
|
+
validate(e)
|
|
58
|
+
end
|
|
59
|
+
end
|
|
60
|
+
|
|
61
|
+
|
|
62
|
+
let (:escaped_pipes) { 'CEF:0|||1.0|100|trojan successfully stopped|10|moo=this\|has an escaped pipe' }
|
|
63
|
+
it "should be OK with escaped pipes in the message" do
|
|
64
|
+
subject.decode(escaped_pipes) do |e|
|
|
65
|
+
insist { e["message"] } == 'moo=this\|has an escaped pipe'
|
|
66
|
+
end
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
end
|
|
43
70
|
|
|
44
71
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: hpess-logstash-codec-cef
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.6
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Elasticsearch
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2015-04-
|
|
11
|
+
date: 2015-04-06 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: logstash-core
|
|
@@ -58,6 +58,7 @@ files:
|
|
|
58
58
|
- LICENSE
|
|
59
59
|
- README.md
|
|
60
60
|
- Rakefile
|
|
61
|
+
- docker-compose.yml
|
|
61
62
|
- lib/logstash/codecs/cef.rb
|
|
62
63
|
- lib/logstash/version.rb
|
|
63
64
|
- logstash-codec-cef.gemspec
|