logstash-codec-cef 0.1.1 → 0.1.3
- checksums.yaml +4 -4
- data/.gitignore +4 -0
- data/CONTRIBUTORS +17 -0
- data/Gemfile +1 -2
- data/README.md +12 -21
- data/lib/logstash/codecs/cef.rb +42 -17
- data/logstash-codec-cef.gemspec +2 -2
- data/spec/codecs/cef_spec.rb +8 -1
- metadata +15 -14
- data/DEVELOPER.md +0 -49
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: aff6387623a45295597fec46cc743482346abc96
|
4
|
+
data.tar.gz: 2f33a701cc5dc39ca149a94e781e68956fa0242a
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 63891ca7444ab5129cb2d0ac7c374b2be40f50d475fc555791e825d24631e13ee3a9f6add3bf35f2a59a1fdc598bae9239028a820ce74090059120a5db3e34b1
|
7
|
+
data.tar.gz: f8a9479c006edd2385ed9a6b2bf82043c04587b8dce485d7e496bbd01353501415d4539783634206c8d6c89a949c9be249ba84360896f7e615952ce2ce10c7b9
|
data/.gitignore
ADDED
data/CONTRIBUTORS
ADDED
@@ -0,0 +1,17 @@
|
|
1
|
+
The following is a list of people who have contributed ideas, code, bug
|
2
|
+
reports, or in general have helped logstash along its way.
|
3
|
+
|
4
|
+
Contributors:
|
5
|
+
* Aaron Mildenstein (untergeek)
|
6
|
+
* Colin Surprenant (colinsurprenant)
|
7
|
+
* Jason Kendall (coolacid)
|
8
|
+
* Jordan Sissel (jordansissel)
|
9
|
+
* João Duarte (jsvd)
|
10
|
+
* Nick Ethier (nickethier)
|
11
|
+
* Pete Fritchman (fetep)
|
12
|
+
* Pier-Hugues Pellerin (ph)
|
13
|
+
|
14
|
+
Note: If you've sent us patches, bug reports, or otherwise contributed to
|
15
|
+
Logstash, and you aren't on the list above and want to be, please let us know
|
16
|
+
and we'll make sure you're here. Contributions from folks like you are what make
|
17
|
+
open source awesome.
|
data/Gemfile
CHANGED
data/README.md
CHANGED
@@ -22,7 +22,7 @@ Need help? Try #logstash on freenode IRC or the logstash-users@googlegroups.com
|
|
22
22
|
#### Code
|
23
23
|
- To get started, you'll need JRuby with the Bundler gem installed.
|
24
24
|
|
25
|
-
- Create a new plugin or clone and existing from the GitHub [logstash-plugins](https://github.com/logstash-plugins) organization.
|
25
|
+
- Create a new plugin or clone and existing from the GitHub [logstash-plugins](https://github.com/logstash-plugins) organization. We also provide [example plugins](https://github.com/logstash-plugins?query=example).
|
26
26
|
|
27
27
|
- Install dependencies
|
28
28
|
```sh
|
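Review bot: typo in the added line 25, "clone and existing from the GitHub [logstash-plugins] organization" should read "clone an existing one from the GitHub [logstash-plugins] organization"; since this line is being touched anyway to add the example-plugins link, fix the wording in the same change.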
@@ -31,26 +31,15 @@ bundle install
|
|
31
31
|
|
32
32
|
#### Test
|
33
33
|
|
34
|
-
|
35
|
-
bundle exec rspec
|
36
|
-
```
|
34
|
+
- Update your dependencies
|
37
35
|
|
38
|
-
|
39
|
-
|
40
|
-
gem "logstash", :github => "elasticsearch/logstash", :branch => "1.5"
|
41
|
-
```
|
42
|
-
To test against another version or a local Logstash, edit the `Gemfile` to specify an alternative location, for example:
|
43
|
-
```ruby
|
44
|
-
gem "logstash", :github => "elasticsearch/logstash", :ref => "master"
|
45
|
-
```
|
46
|
-
```ruby
|
47
|
-
gem "logstash", :path => "/your/local/logstash"
|
36
|
+
```sh
|
37
|
+
bundle install
|
48
38
|
```
|
49
39
|
|
50
|
-
|
40
|
+
- Run tests
|
51
41
|
|
52
42
|
```sh
|
53
|
-
bundle install
|
54
43
|
bundle exec rspec
|
55
44
|
```
|
56
45
|
|
@@ -58,13 +47,13 @@ bundle exec rspec
|
|
58
47
|
|
59
48
|
#### 2.1 Run in a local Logstash clone
|
60
49
|
|
61
|
-
- Edit Logstash `
|
50
|
+
- Edit Logstash `Gemfile` and add the local plugin path, for example:
|
62
51
|
```ruby
|
63
52
|
gem "logstash-filter-awesome", :path => "/your/local/logstash-filter-awesome"
|
64
53
|
```
|
65
|
-
-
|
54
|
+
- Install plugin
|
66
55
|
```sh
|
67
|
-
|
56
|
+
bin/plugin install --no-verify
|
68
57
|
```
|
69
58
|
- Run Logstash with your plugin
|
70
59
|
```sh
|
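Review bot: `bin/plugin install --no-verify` is given with no explanation of what verification it disables or why it is needed at this step, so a reader who copies the command into an install procedure for a published gem will carry the flag along. State that it is only for installing the local, unpublished plugin referenced by the `:path` entry added to the Logstash `Gemfile` two steps above, and that installs from the gem registry should run without it.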
@@ -74,6 +63,8 @@ At this point any modifications to the plugin code will be applied to this local
|
|
74
63
|
|
75
64
|
#### 2.2 Run in an installed Logstash
|
76
65
|
|
66
|
+
You can use the same **2.1** method to run your plugin in an installed Logstash by editing its `Gemfile` and pointing the `:path` to your local plugin development directory or you can build the gem and install it using:
|
67
|
+
|
77
68
|
- Build your plugin gem
|
78
69
|
```sh
|
79
70
|
gem build logstash-filter-awesome.gemspec
|
@@ -90,6 +81,6 @@ All contributions are welcome: ideas, patches, documentation, bug reports, compl
|
|
90
81
|
|
91
82
|
Programming is not a required skill. Whatever you've seen about open source and maintainers or community members saying "send patches or die" - you will not see that here.
|
92
83
|
|
93
|
-
It is more important to
|
84
|
+
It is more important to the community that you are able to contribute.
|
94
85
|
|
95
|
-
For more information about contributing, see the [CONTRIBUTING](https://github.com/elasticsearch/logstash/blob/master/CONTRIBUTING.md) file.
|
86
|
+
For more information about contributing, see the [CONTRIBUTING](https://github.com/elasticsearch/logstash/blob/master/CONTRIBUTING.md) file.
|
data/lib/logstash/codecs/cef.rb
CHANGED
@@ -24,40 +24,65 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
|
|
24
24
|
# %{SYSLOGDATE} %{HOST} CEF:Version|Device Vendor|Device Product|Device Version|SignatureID|Name|Severity|Extension
|
25
25
|
event = LogStash::Event.new()
|
26
26
|
if @syslog
|
27
|
-
|
28
|
-
|
29
|
-
|
27
|
+
@logger.debug("Expecting SYSLOG headers")
|
28
|
+
event['syslog'], data = data.split('CEF:', 2)
|
29
|
+
# Since we have the syslog headers, lets pull them out first and put them into their own field to be handled
|
30
30
|
else
|
31
|
-
|
32
|
-
|
31
|
+
# We don't have syslog headers, so we just need to remove CEF:
|
32
|
+
data.sub! /^CEF:/, ''
|
33
33
|
end #if @syslog
|
34
34
|
# Now, break out the rest of the headers
|
35
35
|
event['cef_version'], event['cef_vendor'], event['cef_product'], event['cef_device_version'], event['cef_sigid'], event['cef_name'], event['cef_severity'], event['message'] = data.scan /(?:[^\|\\]|\\.)+/
|
36
|
+
# Now, try to break out the Extension Dictionary
|
37
|
+
message=event['message']
|
38
|
+
if message.to_s.strip.length != 0
|
39
|
+
message = message.split(/ ([\w\.]+)=/)
|
40
|
+
|
41
|
+
key, value = message.shift.split('=',2)
|
42
|
+
@logger.debug(message)
|
43
|
+
kv = Hash[*message]
|
44
|
+
@logger.debug(kv)
|
45
|
+
addKey(kv,key,value)
|
46
|
+
event.to_hash.merge!(Hash[kv.map{ |k,v| ["cef_ext_"+k,v] }])
|
47
|
+
end #
|
36
48
|
yield event
|
37
49
|
end
|
38
50
|
|
39
51
|
public
|
40
52
|
def encode(data)
|
41
|
-
|
53
|
+
# "CEF:0|Elasticsearch|Logstash|1.0|Signature|Name|Sev|"
|
42
54
|
|
43
|
-
|
55
|
+
# TODO: Need to check that fields are set!
|
44
56
|
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
57
|
+
# Signature, Name, and Sev should be set in the config, with ref to fields
|
58
|
+
# Should also probably set the fields sent
|
59
|
+
header = ["CEF:0", "Elasticsearch", "Logstash", "1.0", @signature, @name, @sev].join("|")
|
60
|
+
values = @fields.map {|name| get_value(name, data)}.join(" ")
|
61
|
+
# values = values.map {|k,v| "#{k}=#{v}"}.join(" ")
|
62
|
+
@on_event.call(header + " " + values + "\n")
|
51
63
|
end
|
52
64
|
|
65
|
+
private
|
66
|
+
def addKey(kv_keys, key, value)
|
67
|
+
if kv_keys.has_key?(key)
|
68
|
+
if kv_keys[key].is_a? Array
|
69
|
+
kv_keys[key].push(value)
|
70
|
+
else
|
71
|
+
kv_keys[key] = [kv_keys[key], value]
|
72
|
+
end
|
73
|
+
else
|
74
|
+
kv_keys[key] = value
|
75
|
+
end
|
76
|
+
end # addKey
|
77
|
+
|
53
78
|
private
|
54
79
|
def get_value(name, event)
|
55
80
|
val = event[name]
|
56
81
|
case val
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
82
|
+
when Hash
|
83
|
+
return name + "=" + val.to_json
|
84
|
+
else
|
85
|
+
return name + "=" + val
|
61
86
|
end
|
62
87
|
end
|
63
88
|
|
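Review bot: decode raises on input it does not control, so one malformed log line can stop the codec. With `@syslog` set, `event['syslog'], data = data.split('CEF:', 2)` leaves `data` nil when the line carries no `CEF:` marker and the following `data.scan` fails with NoMethodError; in the extension parsing, `kv = Hash[*message]` raises ArgumentError (odd number of arguments) whenever the split yields an odd-length array, which happens for a trailing empty value such as `... cs1=` because String#split drops the trailing empty string. Guard both: return or tag the event when the marker is missing, and build the hash from `message.each_slice(2)` after checking `message.length.even?` instead of `Hash[*message]`. `event.to_hash.merge!(...)` also writes around `Event#[]=`; assigning `event["cef_ext_#{k}"] = v` per key keeps field handling consistent. On the encode side, `return name + "=" + val` in get_value raises TypeError for any non-String field (integers, nil), and neither the header nor the extension values are escaped, so a field value containing `|`, `=`, `\` or a newline produces malformed CEF and a newline splits the output into a second record. Use `val.to_s`, escape `\`, `=` and line breaks in extension values and `|` and `\` in header fields, and resolve `# TODO: Need to check that fields are set!` before release rather than shipping it as a comment. Finally, the two `@logger.debug` calls log the whole raw extension and the parsed hash; acceptable for development, but they will copy whatever the log line carries into Logstash's own log.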
data/logstash-codec-cef.gemspec
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
Gem::Specification.new do |s|
|
2
2
|
|
3
3
|
s.name = 'logstash-codec-cef'
|
4
|
-
s.version = '0.1.
|
4
|
+
s.version = '0.1.3'
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
6
6
|
s.summary = "CEF codec to parse CEF formated logs"
|
7
7
|
s.description = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
|
@@ -20,7 +20,7 @@ Gem::Specification.new do |s|
|
|
20
20
|
s.metadata = { "logstash_plugin" => "true", "logstash_group" => "codec" }
|
21
21
|
|
22
22
|
# Gem dependencies
|
23
|
-
s.add_runtime_dependency
|
23
|
+
s.add_runtime_dependency "logstash-core", '>= 1.4.0', '< 2.0.0'
|
24
24
|
|
25
25
|
s.add_development_dependency 'logstash-devutils'
|
26
26
|
end
|
data/spec/codecs/cef_spec.rb
CHANGED
@@ -30,7 +30,14 @@ describe LogStash::Codecs::CEF do
|
|
30
30
|
end
|
31
31
|
end
|
32
32
|
|
33
|
-
it "should parse the cef body"
|
33
|
+
it "should parse the cef body" do
|
34
|
+
subject.decode(message) do |e|
|
35
|
+
insist { e["cef_ext_src"] } == "10.0.0.192"
|
36
|
+
insist { e["cef_ext_dst"] } == "12.121.122.82"
|
37
|
+
insist { e["cef_ext_spt"] } == "1232"
|
38
|
+
end
|
39
|
+
end
|
40
|
+
|
34
41
|
it "should handle values in the body that contain spaces"
|
35
42
|
end
|
36
43
|
|
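Review bot: the new `should parse the cef body` example asserts only three extension keys, while the case most likely to break the `split(/ ([\w\.]+)=/)` approach, `should handle values in the body that contain spaces`, is still a pending example with no block. `message` is defined above this hunk and not visible here, so I cannot tell whether it exercises escaped characters at all; please add examples for a value with spaces, an escaped `\=` or `\|`, a trailing empty value (`key=` at end of line), a line without a `CEF:` prefix in syslog mode, and a duplicate key (which `addKey` turns into an array), since each of these is a distinct branch in the decoder.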
metadata
CHANGED
@@ -1,18 +1,17 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: logstash-codec-cef
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Elasticsearch
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2015-
|
11
|
+
date: 2015-02-26 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
|
-
|
15
|
-
version_requirements: !ruby/object:Gem::Requirement
|
14
|
+
requirement: !ruby/object:Gem::Requirement
|
16
15
|
requirements:
|
17
16
|
- - '>='
|
18
17
|
- !ruby/object:Gem::Version
|
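Review bot: `cert_chain: []` is unchanged in this release and `signing_key:` (in the last hunk of this file) is empty, so 0.1.3 ships unsigned; the SHA1/SHA512 values added in checksums.yaml cover only `metadata.gz` and `data.tar.gz` inside the archive and give consumers no way to distinguish this gem from a re-packaged one. If the project has a signing certificate, set `signing_key` and `cert_chain` in the gemspec so installs can use `gem install -P HighSecurity`; otherwise say so in the README so operators know that the only check available is the checksum published by the registry.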
@@ -20,7 +19,10 @@ dependencies:
|
|
20
19
|
- - <
|
21
20
|
- !ruby/object:Gem::Version
|
22
21
|
version: 2.0.0
|
23
|
-
|
22
|
+
name: logstash-core
|
23
|
+
prerelease: false
|
24
|
+
type: :runtime
|
25
|
+
version_requirements: !ruby/object:Gem::Requirement
|
24
26
|
requirements:
|
25
27
|
- - '>='
|
26
28
|
- !ruby/object:Gem::Version
|
@@ -28,29 +30,28 @@ dependencies:
|
|
28
30
|
- - <
|
29
31
|
- !ruby/object:Gem::Version
|
30
32
|
version: 2.0.0
|
31
|
-
prerelease: false
|
32
|
-
type: :runtime
|
33
33
|
- !ruby/object:Gem::Dependency
|
34
|
-
|
35
|
-
version_requirements: !ruby/object:Gem::Requirement
|
34
|
+
requirement: !ruby/object:Gem::Requirement
|
36
35
|
requirements:
|
37
36
|
- - '>='
|
38
37
|
- !ruby/object:Gem::Version
|
39
38
|
version: '0'
|
40
|
-
|
39
|
+
name: logstash-devutils
|
40
|
+
prerelease: false
|
41
|
+
type: :development
|
42
|
+
version_requirements: !ruby/object:Gem::Requirement
|
41
43
|
requirements:
|
42
44
|
- - '>='
|
43
45
|
- !ruby/object:Gem::Version
|
44
46
|
version: '0'
|
45
|
-
prerelease: false
|
46
|
-
type: :development
|
47
47
|
description: This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program
|
48
48
|
email: info@elasticsearch.com
|
49
49
|
executables: []
|
50
50
|
extensions: []
|
51
51
|
extra_rdoc_files: []
|
52
52
|
files:
|
53
|
-
-
|
53
|
+
- .gitignore
|
54
|
+
- CONTRIBUTORS
|
54
55
|
- Gemfile
|
55
56
|
- LICENSE
|
56
57
|
- README.md
|
@@ -81,7 +82,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
81
82
|
version: '0'
|
82
83
|
requirements: []
|
83
84
|
rubyforge_project:
|
84
|
-
rubygems_version: 2.
|
85
|
+
rubygems_version: 2.4.5
|
85
86
|
signing_key:
|
86
87
|
specification_version: 4
|
87
88
|
summary: CEF codec to parse CEF formated logs
|
data/DEVELOPER.md
DELETED
@@ -1,49 +0,0 @@
|
|
1
|
-
logstash-CEF
|
2
|
-
============
|
3
|
-
|
4
|
-
Logstash Codec to handle CEF encoded data
|
5
|
-
|
6
|
-
Build
|
7
|
-
=====
|
8
|
-
|
9
|
-
Run 'make tarball' to build the project. A tarball will end up in ./build. Extract the file over top of your logstash directory.
|
10
|
-
(Hint: or, just copy the ./lib and ./vendor directories to your logstash folder)
|
11
|
-
|
12
|
-
|
13
|
-
Config
|
14
|
-
======
|
15
|
-
|
16
|
-
This is an example input config.
|
17
|
-
|
18
|
-
```
|
19
|
-
input {
|
20
|
-
generator {
|
21
|
-
message => "TODO"
|
22
|
-
count => 1
|
23
|
-
codec => cef
|
24
|
-
}
|
25
|
-
}
|
26
|
-
|
27
|
-
output {
|
28
|
-
stdout {
|
29
|
-
codec => "rubydebug"
|
30
|
-
}
|
31
|
-
}
|
32
|
-
```
|
33
|
-
|
34
|
-
This is an example output config.
|
35
|
-
|
36
|
-
```
|
37
|
-
input {
|
38
|
-
generator {
|
39
|
-
message => "TODO"
|
40
|
-
count => 1
|
41
|
-
}
|
42
|
-
}
|
43
|
-
|
44
|
-
output {
|
45
|
-
stdout {
|
46
|
-
codec => cef
|
47
|
-
}
|
48
|
-
}
|
49
|
-
```
|
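Review bot: this deletion removes the only place the package showed a codec configuration (`codec => cef` on an input and on an output), and the README hunks above replace it with the generic plugin-development template, which never mentions CEF. Rather than dropping it, move a usage section into the README and replace the `message => "TODO"` placeholders with a real CEF sample line so the example actually exercises the decoder; the `make tarball` / copy-the-directories build instructions are the part that is obsolete and can go.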