RubyGems - hpess-logstash-codec-cef - Versions diffs - 0.2.1 → 0.2.2 - Mend

hpess-logstash-codec-cef 0.2.1 → 0.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 81a21440a62cb5391b36db282d926053bba698cb
-  data.tar.gz: 6186ee0d447ca21d76e74312b31ff7105be48b8e
+  metadata.gz: 98b63ea410dc61a1a5ca4db98d63a486b48943e6
+  data.tar.gz: 0c6547cb59f0cb22ec04dd79e8709a78649eca3b
 SHA512:
-  metadata.gz: 64823415d3340bff3627b6bd7ee5fd1acc4c5fa0b3baa31b397697d1f976c0f8975c0a6d89d0100060339ce0ff044df6b7155f37ef4bcd1c87d40d0612f0fff0
-  data.tar.gz: 2d308146c252b6ae4decd9a0318a39c6191e7f096f43610551c409633137726082df60df65b9d04210b346fd8a134608da96939a7b1bccd7f2e3d2985458c7c5
+  metadata.gz: 7636b4a371ffcaf5714ec62b441d25ef0f70d87cf838e3551bd4fb1c70fcdfa873ce63fd100cb7cfb30b92f99cc417125bad25e2446668ba0122f8c53cb0bc4b
+  data.tar.gz: 5e171d9917c7c9c6e71524ceafdd4756d43787acaecff7e2468c14b96a77bc467bdb8d64e3c6fd59eae992aa163ceb95a8543e3f4653a01e15d1250fb8f4e82d

data/lib/logstash/codecs/cef.rb CHANGED Viewed

@@ -1,69 +1,80 @@
 require "logstash/codecs/base"
 class LogStash::Codecs::CEF < LogStash::Codecs::Base
-  config_name "cef"
-  config :signature, :validate => :string, :default => "Logstash"
-  config :name, :validate => :string, :default => "Logstash"
-  config :sev, :validate => :number, :default => 6
-  config :fields, :validate => :array
-  public
-  def initialize(params={})
-    super(params)
-  end
-  public
-  def decode(data)
-    # %{SYSLOGDATE} %{HOST} CEF:Version|Device Vendor|Device Product|Device Version|SignatureID|Name|Severity|Extension
-    event = LogStash::Event.new()
-    event['syslog'], data = data.split('CEF:', 2) if not data.index('CEF:') == 0
-    data.sub! /^CEF:/, ''
-    event['cef_version'], event['cef_vendor'], event['cef_product'], event['cef_device_version'], event['cef_sigid'], event['cef_name'], event['cef_severity'], message = data.split /(?<!\\)[\|]/
-    # Strip any whitespace from the message
-    message = message.to_s.strip
-    # Now parse the key value pairs into it
-    extensions = {}
-    if message.length != 0 and message.include? "="
-      message = message.split(/ ([\w\.]+)=/)
-      key, value = message.shift.split('=', 2)
-      extensions[key] = value
-      Hash[*message].each{|k, v|
-        extensions[k] = v
-      }
-      # And save the new has as the extensions
-      event['cef_ext'] = extensions
+    config_name "cef"
+    config :signature, :validate => :string, :default => "Logstash"
+    config :name, :validate => :string, :default => "Logstash"
+    config :sev, :validate => :number, :default => 6
+    config :fields, :validate => :array
+    public
+    def initialize(params={})
+        super(params)
+    end
+    public
+    def decode(data)
+        # Strip any quotations at the start and end, flex connectors seem to send this
+        if data[0] == "\""
+            data = data[0..-2]
+            data.slice!(0)
+        end
+        # Split by the pipes
+        event['cef_version'], event['cef_vendor'], event['cef_product'], event['cef_device_version'], event['cef_sigid'], event['cef_name'], event['cef_severity'], message = data.split /(?<!\\)[\|]/
+        # Try and parse out the syslog header if there is one
+        if event['cef_version'].include? ' '
+            event['syslog'], event['cef_version'] = event['cef_version'].split(' ')
+        end
+        # Get rid of the CEF bit in the version
+        event['cef_version'].sub! /^CEF:/, ''
+        # Strip any whitespace from the message
+        message = message.to_s.strip
+        # Now parse the key value pairs into it
+        extensions = {}
+        if message.length != 0 and message.include? "="
+            message = message.split(/ ([\w\.]+)=/)
+            key, value = message.shift.split('=', 2)
+            extensions[key] = value
+            Hash[*message].each{|k, v|
+                extensions[k] = v
+            }
+            # And save the new has as the extensions
+            event['cef_ext'] = extensions
+        end
+        yield event
+    end
+    public
+    def encode(data)
+        # "CEF:0|Elasticsearch|Logstash|1.0|Signature|Name|Sev|"
+        # TODO: Need to check that fields are set!
+        # Signature, Name, and Sev should be set in the config, with ref to fields
+        # Should also probably set the fields sent
+        header = ["CEF:0", "Elasticsearch", "Logstash", "1.0", @signature, @name, @sev].join("|")
+        values = @fields.map {|name| get_value(name, data)}.join(" ")
+        # values = values.map {|k,v| "#{k}=#{v}"}.join(" ")
+        @on_event.call(header + " " + values + "\n")
     end
-    yield event
-  end
-  public
-  def encode(data)
-    # "CEF:0|Elasticsearch|Logstash|1.0|Signature|Name|Sev|"
-    # TODO: Need to check that fields are set!
-    # Signature, Name, and Sev should be set in the config, with ref to fields
-    # Should also probably set the fields sent
-    header = ["CEF:0", "Elasticsearch", "Logstash", "1.0", @signature, @name, @sev].join("|")
-    values = @fields.map {|name| get_value(name, data)}.join(" ")
-    # values = values.map {|k,v| "#{k}=#{v}"}.join(" ")
-    @on_event.call(header + " " + values + "\n")
-  end
-  private
-  def get_value(name, event)
-    val = event[name]
-    case val
-    when Hash
-      return name + "=" + val.to_json
-    else
-      return name + "=" + val
+    private
+    def get_value(name, event)
+        val = event[name]
+        case val
+        when Hash
+            return name + "=" + val.to_json
+        else
+            return name + "=" + val
+        end
     end
-  end
 end

data/logstash-codec-cef.gemspec CHANGED Viewed

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
   s.name            = 'hpess-logstash-codec-cef'
-  s.version         = '0.2.1'
+  s.version         = '0.2.2'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "CEF codec to parse CEF formated logs"
   s.description     = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hpess-logstash-codec-cef
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.2.2
 platform: ruby
 authors:
 - Elasticsearch
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-04-06 00:00:00.000000000 Z
+date: 2015-04-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logstash-core