RubyGems - logstash-codec-cef - Versions diffs - 2.0.3 → 2.1.0 - Mend

logstash-codec-cef 2.0.3 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +4 -0
data/CONTRIBUTORS +1 -0
data/lib/logstash/codecs/cef.rb +145 -14
data/logstash-codec-cef.gemspec +2 -2
data/spec/codecs/cef_spec.rb +295 -1
metadata +14 -14

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b07e21611300d4682e481db32cb96f37e5f8b659
-  data.tar.gz: 52ca214b4b2e0623bf45902113d02f1986cbb235
+  metadata.gz: 8d9084e0831538c85ddcabe642a00db46b22e08d
+  data.tar.gz: 9de28cadc061797c5b65b0107ef46ccf1b2868a0
 SHA512:
-  metadata.gz: 77353440739c5fda71c5cc410457a37ab40f5d5a00ceb48d690f11ea605a44741b4b38b75bffa23badb42b05316cd2fb9d721da3c4d117e582d6f7c333629884
-  data.tar.gz: 927f654424f3f19ca954fd465573b7c26170e2195f562c52338a3e737a788078c6ea7b71bd67644ea83001c00824ea63de9e1b9f1c8210d21ea07e8d7c4bfc3e
+  metadata.gz: b7a357ac86677710e8da105eabe837498595a58d4e75867447f85e0e0a8fe1144d60735a8edd1ca3c2484624c1d3aeb2fa9a5b82b686044a4b16b44ca6aeeb4f
+  data.tar.gz: bdb89985dd333aa2e1fa82eba3fdc22026a8d1e06404d2ba74b54f05b2ec1e142a7610971fe1473463735133e5dbdacd17e3b0762ae97a293087fd058b1bd329

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,7 @@
+## 2.1.0
+ - Implements `encode` with escaping according to the [CEF specification](https://protect724.hp.com/docs/DOC-1072).
+ - Config option `sev` is deprecated, use `severity` instead.
 ## 2.0.0
  - Plugins were updated to follow the new shutdown semantic, this mainly allows Logstash to instruct input plugins to terminate gracefully,
    instead of using Thread.raise on the plugins' threads. Ref: https://github.com/elastic/logstash/pull/3895

data/CONTRIBUTORS CHANGED Viewed

@@ -11,6 +11,7 @@ Contributors:
 * Pete Fritchman (fetep)
 * Pier-Hugues Pellerin (ph)
 * Karl Stoney (Stono)
+* Lucas Bremgartner (breml)
 Note: If you've sent us patches, bug reports, or otherwise contributed to
 Logstash, and you aren't on the list above and want to be, please let us know

data/lib/logstash/codecs/cef.rb CHANGED Viewed

@@ -1,12 +1,53 @@
+# encoding: utf-8
 require "logstash/codecs/base"
+require "json"
 class LogStash::Codecs::CEF < LogStash::Codecs::Base
+  # Implementation of a Logstash codec for the ArcSight Common Event Format (CEF)
+  # Based on Revision 20 of Implementing ArcSight CEF, dated from June 05, 2013
+  # https://protect724.hp.com/servlet/JiveServlet/downloadBody/1072-102-6-4697/CommonEventFormat.pdf
   config_name "cef"
+  # Device vendor field in CEF header. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
+  config :vendor, :validate => :string, :default => "Elasticsearch"
+  # Device product field in CEF header. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
+  config :product, :validate => :string, :default => "Logstash"
+  # Device version field in CEF header. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
+  config :version, :validate => :string, :default => "1.0"
+  # Signature ID field in CEF header. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
   config :signature, :validate => :string, :default => "Logstash"
+  # Name field in CEF header. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
   config :name, :validate => :string, :default => "Logstash"
-  config :sev, :validate => :number, :default => 6
-  config :fields, :validate => :array
+  # Deprecated severity field for CEF header. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
+  #
+  # This field is used only if :severity is unchanged set to the default value.
+  #
+  # Defined as field of type string to allow sprintf. The value will be validated
+  # to be an integer in the range from 0 to 10 (including).
+  # All invalid values will be mapped to the default of 6.
+  config :sev, :validate => :string, :default => "6", :deprecated => "This setting is being deprecated, use :severity instead."
+  # Severity field in CEF header. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
+  #
+  # Defined as field of type string to allow sprintf. The value will be validated
+  # to be an integer in the range from 0 to 10 (including).
+  # All invalid values will be mapped to the default of 6.
+  config :severity, :validate => :string, :default => "6"
+  # Fields to be included in CEV extension part as key/value pairs
+  config :fields, :validate => :array, :default => []
   public
   def initialize(params={})
@@ -57,28 +98,118 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
   end
   public
-  def encode(data)
+  def encode(event)
     # "CEF:0|Elasticsearch|Logstash|1.0|Signature|Name|Sev|"
-    # TODO: Need to check that fields are set!
+    vendor = sanitize_header_field(event.sprintf(@vendor))
+    vendor = self.class.get_config["vendor"][:default] if vendor == ""
+    product = sanitize_header_field(event.sprintf(@product))
+    product = self.class.get_config["product"][:default] if product == ""
+    version = sanitize_header_field(event.sprintf(@version))
+    version = self.class.get_config["version"][:default] if version == ""
+    signature = sanitize_header_field(event.sprintf(@signature))
+    signature = self.class.get_config["signature"][:default] if signature == ""
+    name = sanitize_header_field(event.sprintf(@name))
+    name = self.class.get_config["name"][:default] if name == ""
+    # :sev is deprecated and therefore only considered if :severity equals the default setting or is invalid
+    severity = sanitize_severity(event, @severity)
+    if severity == self.class.get_config["severity"][:default]
+      # Use deprecated setting sev
+      severity = sanitize_severity(event, @sev)
+    end
-    # Signature, Name, and Sev should be set in the config, with ref to fields
     # Should also probably set the fields sent
-    header = ["CEF:0", "Elasticsearch", "Logstash", "1.0", @signature, @name, @sev].join("|")
-    values = @fields.map {|name| get_value(name, data)}.join(" ")
-    # values = values.map {|k,v| "#{k}=#{v}"}.join(" ")
-    @on_event.call(header + " " + values + "\n")
+    header = ["CEF:0", vendor, product, version, signature, name, severity].join("|")
+    values = @fields.map {|fieldname| get_value(fieldname, event)}.compact.join(" ")
+    @on_event.call(event, "#{header}|#{values}\n")
   end
   private
-  def get_value(name, event)
-    val = event[name]
+  # Escape pipes and backslashes in the header. Equal signs are ok.
+  # Newlines are forbidden.
+  def sanitize_header_field(value)
+    output = ""
+    value = value.to_s.gsub(/\r\n/, "\n")
+    value.each_char{|c|
+      case c
+      when "\\", "|"
+        output += "\\" + c
+      when "\n", "\r"
+        output += " "
+      else
+        output += c
+      end
+    }
+    return output
+  end
+  # Keys must be made up of a single word, with no spaces
+  # must be alphanumeric
+  def sanitize_extension_key(value)
+    value = value.to_s.gsub(/[^a-zA-Z0-9]/, "")
+    return value
+  end
+  # Escape equal signs in the extensions. Canonicalize newlines.
+  # CEF spec leaves it up to us to choose \r or \n for newline.
+  # We choose \n as the default.
+  def sanitize_extension_val(value)
+    output = ""
+    value = value.to_s.gsub(/\r\n/, "\n")
+    value.each_char{|c|
+      case c
+      when "\\", "="
+        output += "\\" + c
+      when "\n", "\r"
+        output += "\\n"
+      else
+        output += c
+      end
+    }
+    return output
+  end
+  def get_value(fieldname, event)
+    val = event[fieldname]
+    return nil if val.nil?
     case val
-    when Hash
-      return name + "=" + val.to_json
+    when Array, Hash
+      return "#{sanitize_extension_key(fieldname)}=#{sanitize_extension_val(val.to_json)}"
+    when LogStash::Timestamp
+      return "#{sanitize_extension_key(fieldname)}=#{val.to_s}"
     else
-      return name + "=" + val
+      return "#{sanitize_extension_key(fieldname)}=#{sanitize_extension_val(val)}"
     end
   end
+  def sanitize_severity(event, severity)
+    severity = sanitize_header_field(event.sprintf(severity)).strip
+    severity = self.class.get_config["severity"][:default] unless valid_severity?(severity)
+    severity = severity.to_i.to_s
+  end
+  def valid_severity?(sev)
+    f = Float(sev)
+    # check if it's an integer or a float with no remainder
+    # and if the value is between 0 and 10 (inclusive)
+    (f % 1 == 0) && f.between?(0,10)
+  rescue TypeError, ArgumentError
+    false
+  end
 end

data/logstash-codec-cef.gemspec CHANGED Viewed

@@ -1,9 +1,9 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-codec-cef'
-  s.version         = '2.0.3'
+  s.version         = '2.1.0'
   s.licenses        = ['Apache License (2.0)']
-  s.summary         = "CEF codec to parse CEF formated logs"
+  s.summary         = "CEF codec to parse and encode CEF formated logs"
   s.description     = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
   s.authors         = ["Elastic"]
   s.email           = 'info@elastic.co'

data/spec/codecs/cef_spec.rb CHANGED Viewed

@@ -10,7 +10,301 @@ describe LogStash::Codecs::CEF do
   end
   context "#encode" do
-    it "should assert all header fields are present"
+    subject(:codec) { LogStash::Codecs::CEF.new }
+    let(:results)   { [] }
+    it "should not fail if fields is nil" do
+      codec.on_event{|data, newdata| results << newdata}
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|$/m)
+    end
+    it "should assert all header fields are present" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|$/m)
+    end
+    it "should use default values for empty header fields" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.vendor = ""
+      codec.product = ""
+      codec.version = ""
+      codec.signature = ""
+      codec.name = ""
+      codec.severity = ""
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|$/m)
+    end
+    it "should use configured values for header fields" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.vendor = "vendor"
+      codec.product = "product"
+      codec.version = "2.0"
+      codec.signature = "signature"
+      codec.name = "name"
+      codec.severity = "1"
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|vendor\|product\|2.0\|signature\|name\|1\|$/m)
+    end
+    it "should use sprintf for header fields" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.vendor = "%{vendor}"
+      codec.product = "%{product}"
+      codec.version = "%{version}"
+      codec.signature = "%{signature}"
+      codec.name = "%{name}"
+      codec.severity = "%{severity}"
+      codec.fields = []
+      event = LogStash::Event.new("vendor" => "vendor", "product" => "product", "version" => "2.0", "signature" => "signature", "name" => "name", "severity" => "1")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|vendor\|product\|2.0\|signature\|name\|1\|$/m)
+    end
+    it "should use default, if severity is not numeric" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.severity = "foo"
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|$/m)
+    end
+    it "should use default, if severity is > 10" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.severity = "11"
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|$/m)
+    end
+    it "should use default, if severity is < 0" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.severity = "-1"
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|$/m)
+    end
+    it "should use default, if severity is float with decimal part" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.severity = "5.4"
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|$/m)
+    end
+    it "should append fields as key/value pairs in cef extension part" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.fields = [ "foo", "bar" ]
+      event = LogStash::Event.new("foo" => "foo value", "bar" => "bar value")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|foo=foo value bar=bar value$/m)
+    end
+    it "should ignore fields in fields if not present in event" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.fields = [ "foo", "bar", "baz" ]
+      event = LogStash::Event.new("foo" => "foo value", "baz" => "baz value")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|foo=foo value baz=baz value$/m)
+    end
+    it "should sanitize header fields" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.vendor = "ven\ndor"
+      codec.product = "pro|duct"
+      codec.version = "ver\\sion"
+      codec.signature = "sig\r\nnature"
+      codec.name = "na\rme"
+      codec.severity = "4\n"
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|ven dor\|pro\\\|duct\|ver\\\\sion\|sig nature\|na me\|4\|$/m)
+    end
+    it "should sanitize extension keys" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.fields = [ "f o\no", "@b-a_r" ]
+      event = LogStash::Event.new("f o\no" => "foo value", "@b-a_r" => "bar value")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|foo=foo value bar=bar value$/m)
+    end
+    it "should sanitize extension values" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.fields = [ "foo", "bar", "baz" ]
+      event = LogStash::Event.new("foo" => "foo\\value\n", "bar" => "bar=value\r")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|foo=foo\\\\value\\n bar=bar\\=value\\n$/m)
+    end
+    it "should encode a hash value" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.fields = [ "foo" ]
+      event = LogStash::Event.new("foo" => { "bar" => "bar value", "baz" => "baz value" })
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|foo=\{\"bar\":\"bar value\",\"baz\":\"baz value\"\}$/m)
+    end
+    it "should encode an array value" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.fields = [ "foo" ]
+      event = LogStash::Event.new("foo" => [ "bar", "baz" ])
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|foo=\[\"bar\",\"baz\"\]$/m)
+    end
+    it "should encode a hash in an array value" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.fields = [ "foo" ]
+      event = LogStash::Event.new("foo" => [ { "bar" => "bar value" }, "baz" ])
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|foo=\[\{\"bar\":\"bar value\"\},\"baz\"\]$/m)
+    end
+    it "should encode a LogStash::Timestamp" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.fields = [ "foo" ]
+      event = LogStash::Event.new("foo" => LogStash::Timestamp.new)
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|foo=[0-9TZ.:-]+$/m)
+    end
+    it "should use severity (instead of depricated sev), if severity is set)" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.sev = "4"
+      codec.severity = "5"
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|5\|$/m)
+    end
+    it "should use deprecated sev, if severity is not set (equals default value)" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.sev = "4"
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|4\|$/m)
+    end
+    it "should use deprecated sev, if severity is explicitly set to default value)" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.sev = "4"
+      codec.severity = "6"
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|4\|$/m)
+    end
+    it "should use deprecated sev, if severity is invalid" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.sev = "4"
+      codec.severity = ""
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|4\|$/m)
+    end
+    it "should use default value, if severity is not set and sev is invalid" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.sev = ""
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|$/m)
+    end
+  end
+  context "sanitize header field" do
+    subject(:codec) { LogStash::Codecs::CEF.new }
+    it "should sanitize" do
+      expect(codec.send(:sanitize_header_field, "foo")).to be == "foo"
+      expect(codec.send(:sanitize_header_field, "foo\nbar")).to be == "foo bar"
+      expect(codec.send(:sanitize_header_field, "foo\rbar")).to be == "foo bar"
+      expect(codec.send(:sanitize_header_field, "foo\r\nbar")).to be == "foo bar"
+      expect(codec.send(:sanitize_header_field, "foo\r\nbar\r\nbaz")).to be == "foo bar baz"
+      expect(codec.send(:sanitize_header_field, "foo\\bar")).to be == "foo\\\\bar"
+      expect(codec.send(:sanitize_header_field, "foo|bar")).to be == "foo\\|bar"
+      expect(codec.send(:sanitize_header_field, "foo=bar")).to be == "foo=bar"
+      expect(codec.send(:sanitize_header_field, 123)).to be == "123" # Input value is a Fixnum
+      expect(codec.send(:sanitize_header_field, 123.123)).to be == "123.123" # Input value is a Float
+      expect(codec.send(:sanitize_header_field, [])).to be == "[]" # Input value is an Array
+      expect(codec.send(:sanitize_header_field, {})).to be == "{}" # Input value is a Hash
+    end
+  end
+  context "sanitize extension key" do
+    subject(:codec) { LogStash::Codecs::CEF.new }
+    it "should sanitize" do
+      expect(codec.send(:sanitize_extension_key, " foo ")).to be == "foo"
+      expect(codec.send(:sanitize_extension_key, " FOO 123 ")).to be == "FOO123"
+      expect(codec.send(:sanitize_extension_key, "foo\nbar\rbaz")).to be == "foobarbaz"
+      expect(codec.send(:sanitize_extension_key, "Foo_Bar\r\nBaz")).to be == "FooBarBaz"
+      expect(codec.send(:sanitize_extension_key, "foo-@bar=baz")).to be == "foobarbaz"
+      expect(codec.send(:sanitize_extension_key, "[foo]|bar.baz")).to be == "foobarbaz"
+      expect(codec.send(:sanitize_extension_key, 123)).to be == "123" # Input value is a Fixnum
+      expect(codec.send(:sanitize_extension_key, 123.123)).to be == "123123" # Input value is a Float, "." is not allowed and therefore removed
+      expect(codec.send(:sanitize_extension_key, [])).to be == "" # Input value is an Array, "[" and "]" are not allowed and therefore removed
+      expect(codec.send(:sanitize_extension_key, {})).to be == "" # Input value is a Hash, "{" and "}" are not allowed and therefore removed
+    end
+  end
+  context "sanitize extension value" do
+    subject(:codec) { LogStash::Codecs::CEF.new }
+    it "should sanitize" do
+      expect(codec.send(:sanitize_extension_val, "foo")).to be == "foo"
+      expect(codec.send(:sanitize_extension_val, "foo\nbar")).to be == "foo\\nbar"
+      expect(codec.send(:sanitize_extension_val, "foo\rbar")).to be == "foo\\nbar"
+      expect(codec.send(:sanitize_extension_val, "foo\r\nbar")).to be == "foo\\nbar"
+      expect(codec.send(:sanitize_extension_val, "foo\r\nbar\r\nbaz")).to be == "foo\\nbar\\nbaz"
+      expect(codec.send(:sanitize_extension_val, "foo\\bar")).to be == "foo\\\\bar"
+      expect(codec.send(:sanitize_extension_val, "foo|bar")).to be == "foo|bar"
+      expect(codec.send(:sanitize_extension_val, "foo=bar")).to be == "foo\\=bar"
+      expect(codec.send(:sanitize_extension_val, 123)).to be == "123" # Input value is a Fixnum
+      expect(codec.send(:sanitize_extension_val, 123.123)).to be == "123.123" # Input value is a Float
+      expect(codec.send(:sanitize_extension_val, [])).to be == "[]" # Input value is an Array
+      expect(codec.send(:sanitize_extension_val, {})).to be == "{}" # Input value is a Hash
+    end
+  end
+  context "valid_severity?" do
+    subject(:codec) { LogStash::Codecs::CEF.new }
+    it "should validate severity" do
+      expect(codec.send(:valid_severity?, nil)).to be == false
+      expect(codec.send(:valid_severity?, "")).to be == false
+      expect(codec.send(:valid_severity?, "foo")).to be == false
+      expect(codec.send(:valid_severity?, "1.5")).to be == false
+      expect(codec.send(:valid_severity?, "-1")).to be == false
+      expect(codec.send(:valid_severity?, "11")).to be == false
+      expect(codec.send(:valid_severity?, "0")).to be == true
+      expect(codec.send(:valid_severity?, "10")).to be == true
+      expect(codec.send(:valid_severity?, "1.0")).to be == true
+      expect(codec.send(:valid_severity?, 1)).to be == true
+      expect(codec.send(:valid_severity?, 1.0)).to be == true
+    end
   end
   context "#decode" do

metadata CHANGED Viewed

@@ -1,18 +1,17 @@
 --- !ruby/object:Gem::Specification
 name: logstash-codec-cef
 version: !ruby/object:Gem::Version
-  version: 2.0.3
+  version: 2.1.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-11-19 00:00:00.000000000 Z
+date: 2016-01-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: logstash-core
-  version_requirements: !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
@@ -20,7 +19,10 @@ dependencies:
     - - <
       - !ruby/object:Gem::Version
         version: 3.0.0
-  requirement: !ruby/object:Gem::Requirement
+  name: logstash-core
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
@@ -28,22 +30,20 @@ dependencies:
     - - <
       - !ruby/object:Gem::Version
         version: 3.0.0
-  prerelease: false
-  type: :runtime
 - !ruby/object:Gem::Dependency
-  name: logstash-devutils
-  version_requirements: !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
-  requirement: !ruby/object:Gem::Requirement
+  name: logstash-devutils
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
-  prerelease: false
-  type: :development
 description: This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program
 email: info@elastic.co
 executables: []
@@ -81,9 +81,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.4.8
+rubygems_version: 2.4.5
 signing_key:
 specification_version: 4
-summary: CEF codec to parse CEF formated logs
+summary: CEF codec to parse and encode CEF formated logs
 test_files:
 - spec/codecs/cef_spec.rb