hpess-logstash-codec-cef 0.2.1 → 0.2.2

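--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 81a21440a62cb5391b36db282d926053bba698cb
- data.tar.gz: 6186ee0d447ca21d76e74312b31ff7105be48b8e
+ metadata.gz: 98b63ea410dc61a1a5ca4db98d63a486b48943e6
+ data.tar.gz: 0c6547cb59f0cb22ec04dd79e8709a78649eca3b
  SHA512:
- metadata.gz: 64823415d3340bff3627b6bd7ee5fd1acc4c5fa0b3baa31b397697d1f976c0f8975c0a6d89d0100060339ce0ff044df6b7155f37ef4bcd1c87d40d0612f0fff0
- data.tar.gz: 2d308146c252b6ae4decd9a0318a39c6191e7f096f43610551c409633137726082df60df65b9d04210b346fd8a134608da96939a7b1bccd7f2e3d2985458c7c5
+ metadata.gz: 7636b4a371ffcaf5714ec62b441d25ef0f70d87cf838e3551bd4fb1c70fcdfa873ce63fd100cb7cfb30b92f99cc417125bad25e2446668ba0122f8c53cb0bc4b
+ data.tar.gz: 5e171d9917c7c9c6e71524ceafdd4756d43787acaecff7e2468c14b96a77bc467bdb8d64e3c6fd59eae992aa163ceb95a8543e3f4653a01e15d1250fb8f4e82d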
@@ -1,69 +1,80 @@
1
1
  require "logstash/codecs/base"
2
2
 
3
3
  class LogStash::Codecs::CEF < LogStash::Codecs::Base
4
- config_name "cef"
5
- config :signature, :validate => :string, :default => "Logstash"
6
- config :name, :validate => :string, :default => "Logstash"
7
- config :sev, :validate => :number, :default => 6
8
-
9
- config :fields, :validate => :array
10
-
11
- public
12
- def initialize(params={})
13
- super(params)
14
- end
15
-
16
- public
17
- def decode(data)
18
- # %{SYSLOGDATE} %{HOST} CEF:Version|Device Vendor|Device Product|Device Version|SignatureID|Name|Severity|Extension
19
- event = LogStash::Event.new()
20
- event['syslog'], data = data.split('CEF:', 2) if not data.index('CEF:') == 0
21
- data.sub! /^CEF:/, ''
22
- event['cef_version'], event['cef_vendor'], event['cef_product'], event['cef_device_version'], event['cef_sigid'], event['cef_name'], event['cef_severity'], message = data.split /(?<!\\)[\|]/
23
-
24
- # Strip any whitespace from the message
25
- message = message.to_s.strip
26
-
27
- # Now parse the key value pairs into it
28
- extensions = {}
29
- if message.length != 0 and message.include? "="
30
- message = message.split(/ ([\w\.]+)=/)
31
- key, value = message.shift.split('=', 2)
32
- extensions[key] = value
33
-
34
- Hash[*message].each{|k, v|
35
- extensions[k] = v
36
- }
37
-
38
- # And save the new has as the extensions
39
- event['cef_ext'] = extensions
4
+ config_name "cef"
5
+ config :signature, :validate => :string, :default => "Logstash"
6
+ config :name, :validate => :string, :default => "Logstash"
7
+ config :sev, :validate => :number, :default => 6
8
+
9
+ config :fields, :validate => :array
10
+
11
+ public
12
+ def initialize(params={})
13
+ super(params)
14
+ end
15
+
16
+ public
17
+ def decode(data)
18
+ # Strip any quotations at the start and end, flex connectors seem to send this
19
+ if data[0] == "\""
20
+ data = data[0..-2]
21
+ data.slice!(0)
22
+ end
23
+
24
+ # Split by the pipes
25
+ event['cef_version'], event['cef_vendor'], event['cef_product'], event['cef_device_version'], event['cef_sigid'], event['cef_name'], event['cef_severity'], message = data.split /(?<!\\)[\|]/
26
+
27
+ # Try and parse out the syslog header if there is one
28
+ if event['cef_version'].include? ' '
29
+ event['syslog'], event['cef_version'] = event['cef_version'].split(' ')
30
+ end
31
+
32
+ # Get rid of the CEF bit in the version
33
+ event['cef_version'].sub! /^CEF:/, ''
34
+
35
+ # Strip any whitespace from the message
36
+ message = message.to_s.strip
37
+
38
+ # Now parse the key value pairs into it
39
+ extensions = {}
40
+ if message.length != 0 and message.include? "="
41
+ message = message.split(/ ([\w\.]+)=/)
42
+ key, value = message.shift.split('=', 2)
43
+ extensions[key] = value
44
+
45
+ Hash[*message].each{|k, v|
46
+ extensions[k] = v
47
+ }
48
+
49
+ # And save the new has as the extensions
50
+ event['cef_ext'] = extensions
51
+ end
52
+ yield event
53
+ end
54
+
55
+ public
56
+ def encode(data)
57
+ # "CEF:0|Elasticsearch|Logstash|1.0|Signature|Name|Sev|"
58
+
59
+ # TODO: Need to check that fields are set!
60
+
61
+ # Signature, Name, and Sev should be set in the config, with ref to fields
62
+ # Should also probably set the fields sent
63
+ header = ["CEF:0", "Elasticsearch", "Logstash", "1.0", @signature, @name, @sev].join("|")
64
+ values = @fields.map {|name| get_value(name, data)}.join(" ")
65
+ # values = values.map {|k,v| "#{k}=#{v}"}.join(" ")
66
+ @on_event.call(header + " " + values + "\n")
40
67
  end
41
- yield event
42
- end
43
-
44
- public
45
- def encode(data)
46
- # "CEF:0|Elasticsearch|Logstash|1.0|Signature|Name|Sev|"
47
-
48
- # TODO: Need to check that fields are set!
49
-
50
- # Signature, Name, and Sev should be set in the config, with ref to fields
51
- # Should also probably set the fields sent
52
- header = ["CEF:0", "Elasticsearch", "Logstash", "1.0", @signature, @name, @sev].join("|")
53
- values = @fields.map {|name| get_value(name, data)}.join(" ")
54
- # values = values.map {|k,v| "#{k}=#{v}"}.join(" ")
55
- @on_event.call(header + " " + values + "\n")
56
- end
57
-
58
- private
59
- def get_value(name, event)
60
- val = event[name]
61
- case val
62
- when Hash
63
- return name + "=" + val.to_json
64
- else
65
- return name + "=" + val
68
+
69
+ private
70
+ def get_value(name, event)
71
+ val = event[name]
72
+ case val
73
+ when Hash
74
+ return name + "=" + val.to_json
75
+ else
76
+ return name + "=" + val
77
+ end
66
78
  end
67
- end
68
79
 
69
80
  end
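Review bot: The new decode writes into `event` at line 25 before anything creates it — the old `event = LogStash::Event.new()` (old line 19) was removed and nothing on the new side replaces it, so the first pipe split raises NameError on every message; restore `event = LogStash::Event.new()` ahead of the split. The syslog-header detection at line 29 is also lossy: `split(' ')` with no limit turns a header like `Apr 15 12:00:00 host CEF:0` into `syslog = "Apr"` and `cef_version = "15"`, whereas `event['syslog'], _, event['cef_version'] = event['cef_version'].rpartition(' ')` keeps the whole header and the real version. Lines 28 and 33 call `include?` and `sub!` on `event['cef_version']` unguarded, so an empty line (`''.split` yields `[]`, leaving the field nil) raises NoMethodError, and `sub!` mutates the string object already stored in the event; `event['cef_version'] = event['cef_version'].to_s.sub(/^CEF:/, '')` avoids both, which matters because this codec consumes whatever arrives on the input and one malformed line should not abort decode. The quote stripping at lines 19–22 drops the last character whether or not it is a closing quote; `data = data[1..-2] if data.start_with?('"') && data.end_with?('"')` is the check that was presumably intended.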
@@ -1,7 +1,7 @@
1
1
  Gem::Specification.new do |s|
2
2
 
3
3
  s.name = 'hpess-logstash-codec-cef'
4
- s.version = '0.2.1'
4
+ s.version = '0.2.2'
5
5
  s.licenses = ['Apache License (2.0)']
6
6
  s.summary = "CEF codec to parse CEF formated logs"
7
7
  s.description = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
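--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: hpess-logstash-codec-cef
  version: !ruby/object:Gem::Version
- version: 0.2.1
+ version: 0.2.2
  platform: ruby
  authors:
  - Elasticsearch
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2015-04-06 00:00:00.000000000 Z
+ date: 2015-04-15 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: logstash-core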