logstash-codec-cef 4.0.0-java → 4.1.0-java

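--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: c46dcaf722e0c1935b66dfcf7a7d71e3bcc51844
-data.tar.gz: 160e4b282a46867cbdcada9e3ca1f674ade9343f
+metadata.gz: f01e9a10dba1242f1db5e742622aa2b919a4e611
+data.tar.gz: 0381084bd82fe355d71ee4b09da90042cc5d35b4
 SHA512:
-metadata.gz: b0f028820eb77468b5cb98c2e9a7ebad5205119b9da6fd43b2bd0b193ede44279593cc901a35713c1cf1e7c264e9d2c5bf601cbfe82d79c5a51b4d8086c44a59
-data.tar.gz: bb86b4781182b84949b29bdcd5659b52f5e3a11c0211a5f2a984051ff182d9cd84c2879ba671bbcf18ab529fc2086399d35cb87e334de6827277f88c65fb2773
+metadata.gz: 8eb490d24e26857673c34e6deb1b99a8b3be90ed168b015024aa4ad80d9f2565f1cd2b7f99fd761b5a300cf3de616af8d1fb75f2fb5c620930b7136ede4542d4
+data.tar.gz: 3d64f1093864b14fc3a58f15cc19a3e5ab1942b286d7f35dda70071efd1a992db5a362595bad6fa1345a92bda367e3a43b812dc4af16b4012d2d639bdb534a70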
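--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 4.1.0
+- Add `delimiter` setting. This allows the decoder to be used with inputs like the TCP input where event delimiters are used.
+
 ## 4.0.0
 - Implements the dictionary translation for abbreviated CEF field names from chapter Chapter 2: ArcSight Extension Dictionary page 3 of 39 [CEF specification](https://protect724.hp.com/docs/DOC-1072).
 - add `_cefparsefailure` tag on failed decode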
@@ -1,4 +1,5 @@
1
1
  # encoding: utf-8
2
+ require "logstash/util/buftok"
2
3
  require "logstash/codecs/base"
3
4
  require "json"
4
5
 
@@ -39,7 +40,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
39
40
  # Defined as field of type string to allow sprintf. The value will be validated
40
41
  # to be an integer in the range from 0 to 10 (including).
41
42
  # All invalid values will be mapped to the default of 6.
42
- config :sev, :validate => :string, :default => "6", :deprecated => "This setting is being deprecated, use :severity instead."
43
+ config :sev, :validate => :string, :deprecated => "This setting is being deprecated, use :severity instead."
43
44
 
44
45
  # Severity field in CEF header. The new value can include `%{foo}` strings
45
46
  # to help you build a new value from other parts of the event.
@@ -55,7 +56,25 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
55
56
  # Set this flag if you want to have both v1 and v2 fields indexed at the same time. Note that this option will increase
56
57
  # the index size and data stored in outputs like Elasticsearch
57
58
  # This option is available to ease transition to new schema
58
- config :deprecated_v1_fields, :validate => :boolean, :default => false, :deprecated => "This setting is being deprecated"
59
+ config :deprecated_v1_fields, :validate => :boolean, :deprecated => "This setting is being deprecated"
60
+
61
+ # If your input puts a delimiter between each CEF event, you'll want to set
62
+ # this to be that delimiter.
63
+ #
64
+ # For example, with the TCP input, you probably want to put this:
65
+ #
66
+ # input {
67
+ # tcp {
68
+ # codec => cef { delimiter => "\r\n" }
69
+ # # ...
70
+ # }
71
+ # }
72
+ #
73
+ # This setting allows the following character sequences to have special meaning:
74
+ #
75
+ # * `\\r` (backslash "r") - means carriage return (ASCII 0x0D)
76
+ # * `\\n` (backslash "n") - means newline (ASCII 0x0A)
77
+ config :delimiter, :validate => :string
59
78
 
60
79
  HEADER_FIELDS = ['cefVersion','deviceVendor','deviceProduct','deviceVersion','deviceEventClassId','name','severity']
61
80
 
@@ -67,6 +86,13 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
67
86
  public
68
87
  def initialize(params={})
69
88
  super(params)
89
+ if @delimiter
90
+ # Logstash configuration doesn't have built-in support for escaping,
91
+ # so we implement it here. Feature discussion for escaping is here:
92
+ # https://github.com/elastic/logstash/issues/1645
93
+ @delimiter = @delimiter.gsub("\\r", "\r").gsub("\\n", "\n")
94
+ @buffer = FileWatch::BufferedTokenizer.new(@delimiter)
95
+ end
70
96
  end
71
97
 
72
98
  private
@@ -76,7 +102,17 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
76
102
  end
77
103
 
78
104
  public
79
- def decode(data)
105
+ def decode(data, &block)
106
+ if @delimiter
107
+ @buffer.extract(data).each do |line|
108
+ handle(line, &block)
109
+ end
110
+ else
111
+ handle(data, &block)
112
+ end
113
+ end
114
+
115
+ def handle(data, &block)
80
116
  # Strip any quotations at the start and end, flex connectors seem to send this
81
117
  if data[0] == "\""
82
118
  data = data[1..-2]
@@ -172,7 +208,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
172
208
 
173
209
  # :sev is deprecated and therefore only considered if :severity equals the default setting or is invalid
174
210
  severity = sanitize_severity(event, @severity)
175
- if severity == self.class.get_config["severity"][:default]
211
+ if severity == self.class.get_config["severity"][:default] && @sev
176
212
  # Use deprecated setting sev
177
213
  severity = sanitize_severity(event, @sev)
178
214
  end
@@ -181,7 +217,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
181
217
  header = ["CEF:0", vendor, product, version, signature, name, severity].join("|")
182
218
  values = @fields.map {|fieldname| get_value(fieldname, event)}.compact.join(" ")
183
219
 
184
- @on_event.call(event, "#{header}|#{values}\n")
220
+ @on_event.call(event, "#{header}|#{values}#{@delimiter}")
185
221
  end
186
222
 
187
223
  private
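Review bot: In the last hunk, `@on_event.call(event, "#{header}|#{values}#{@delimiter}")` drops the trailing newline for every configuration that does not set the new `delimiter` option, because `config :delimiter` has no default and a nil `@delimiter` interpolates to an empty string, whereas the removed line appended `"\n"` unconditionally. Consumers of the encoded output that relied on newline-terminated records will now receive them concatenated, and the new spec only covers the case where the delimiter is set. Keeping the old behaviour as the fallback, `@on_event.call(event, "#{header}|#{values}#{@delimiter || "\n"}")`, or giving the setting a default, plus a spec for the unset case, would make the change backward compatible. In the same file, `FileWatch::BufferedTokenizer.new(@delimiter)` in `initialize` is created without a size limit, so a TCP peer that never sends the delimiter grows `@buffer` without bound; if the tokenizer in this Logstash version accepts a size-limit second argument, passing one bounds the memory a single stream can consume. The enclosing method of the encode hunk begins outside the hunk, so its `def` line is not visible here.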
@@ -1,7 +1,7 @@
1
1
  Gem::Specification.new do |s|
2
2
 
3
3
  s.name = 'logstash-codec-cef'
4
- s.version = '4.0.0'
4
+ s.version = '4.1.0'
5
5
  s.platform = 'java'
6
6
  s.licenses = ['Apache License (2.0)']
7
7
  s.summary = "CEF codec to parse and encode CEF formated logs"
@@ -14,6 +14,22 @@ describe LogStash::Codecs::CEF do
14
14
 
15
15
  let(:results) { [] }
16
16
 
17
+ context "with delimiter set" do
18
+ # '\r\n' in single quotes to simulate the real input from a config
19
+ # containing \r\n as 4-character sequence in the config:
20
+ #
21
+ # delimiter => "\r\n"
22
+ #
23
+ # Related: https://github.com/elastic/logstash/issues/1645
24
+ subject(:codec) { LogStash::Codecs::CEF.new("delimiter" => '\r\n') }
25
+
26
+ it "should append the delimiter to the result" do
27
+ codec.on_event { |data, newdata| results << newdata }
28
+ codec.encode(LogStash::Event.new({}))
29
+ expect(results.first).to end_with("\r\n")
30
+ end
31
+ end
32
+
17
33
  it "should not fail if fields is nil" do
18
34
  codec.on_event{|data, newdata| results << newdata}
19
35
  event = LogStash::Event.new("foo" => "bar")
@@ -328,6 +344,32 @@ describe LogStash::Codecs::CEF do
328
344
  insist { e.get('severity') } == "10"
329
345
  end
330
346
 
347
+ context "with delimiter set" do
348
+ # '\r\n' in single quotes to simulate the real input from a config
349
+ # containing \r\n as 4-character sequence in the config:
350
+ #
351
+ # delimiter => "\r\n"
352
+ #
353
+ # Related: https://github.com/elastic/logstash/issues/1645
354
+ subject(:codec) { LogStash::Codecs::CEF.new("delimiter" => '\r\n') }
355
+
356
+ it "should parse on the delimiter " do
357
+ subject.decode(message) do |e|
358
+ raise Exception.new("Should not get here. If we do, it means the decoder emitted an event before the delimiter was seen?")
359
+ end
360
+
361
+ event = false;
362
+ subject.decode("\r\n") do |e|
363
+ validate(e)
364
+ insist { e.get("deviceVendor") } == "security"
365
+ insist { e.get("deviceProduct") } == "threatmanager"
366
+ event = true
367
+ end
368
+
369
+ expect(event).to be_truthy
370
+ end
371
+ end
372
+
331
373
  it "should parse the cef headers" do
332
374
  subject.decode(message) do |e|
333
375
  validate(e)
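Review bot: In the new decode context, `raise Exception.new("Should not get here. …")` raises the root `Exception` class rather than a `StandardError`, which an ordinary `rescue` in the code under test would not catch; a plain `raise "Should not get here: event emitted before the delimiter was seen"` conveys the same intent with the conventional class. The same example has a stray semicolon in `event = false;` and a trailing space in the description `"should parse on the delimiter "`. Coverage-wise, the example feeds the delimiter in a separate `decode` call only; an additional example that passes `"#{message}\r\n#{message}\r\n"` in one call and expects two events would exercise the tokenizer's splitting path, which is the behaviour the delimiter setting exists for.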
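--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-codec-cef
 version: !ruby/object:Gem::Version
-version: 4.0.0
+version: 4.1.0
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-11-17 00:00:00.000000000 Z
+date: 2016-12-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement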