logstash-codec-cef 4.1.4-java → 5.0.0-java
- checksums.yaml +4 -4
- data/CHANGELOG.md +2 -2
- data/docs/index.asciidoc +5 -16
- data/lib/logstash/codecs/cef.rb +3 -21
- data/logstash-codec-cef.gemspec +1 -1
- data/spec/codecs/cef_spec.rb +0 -222
- metadata +2 -2
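--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d1f1473b38fb8a8dd74bf9752a88b78bb2809924
+data.tar.gz: d6f2c65ee856b9a7964daeaaaefb32616082d3a0
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 853445c04e7d15c39442f962c568d442ca3588389478860b5fbe9156c37504a31d9565ed2f7a48681add52703941548460f4a2be31fc8a2e9082744ffac4e267
+data.tar.gz: 446bcdce376fd7cf78417b247834c68955f5b057deba3d7b59e18c9feffe0db80cc723a3b68f84246a6cc6ab1eab4ab32dc0586b6e5a19d730344b8d1039f820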
data/CHANGELOG.md
CHANGED
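--- a/data/docs/index.asciidoc
+++ b/data/docs/index.asciidoc
@@ -69,16 +69,12 @@ This setting allows the following character sequences to have special meaning:
 * `\\n` (backslash "n") - means newline (ASCII 0x0A)
 
 [id="plugins-{type}s-{plugin}-deprecated_v1_fields"]
-===== `deprecated_v1_fields` (
+===== `deprecated_v1_fields` (OBSOLETE)
 
-*
+* OBSOLETE WARNING: This configuration item is obsolete and will prevent the pipeline from starting if used
 * Value type is <<boolean,boolean>>
 * There is no default value for this setting.
 
-Set this flag if you want to have both v1 and v2 fields indexed at the same time. Note that this option will increase
-the index size and data stored in outputs like Elasticsearch
-This option is available to ease transition to new schema
-
 [id="plugins-{type}s-{plugin}-fields"]
 ===== `fields`
 
@@ -106,20 +102,13 @@ Device product field in CEF header. The new value can include `%{foo}` strings
 to help you build a new value from other parts of the event.
 
 [id="plugins-{type}s-{plugin}-sev"]
-===== `sev` (
+===== `sev` (OBSOLETE)
 
-*
+* OBSOLETE WARNING: This configuration item is obsolete and will prevent the pipeline from starting.
 * Value type is <<string,string>>
 * There is no default value for this setting.
 
-
-to help you build a new value from other parts of the event.
-
-This field is used only if :severity is unchanged set to the default value.
-
-Defined as field of type string to allow sprintf. The value will be validated
-to be an integer in the range from 0 to 10 (including).
-All invalid values will be mapped to the default of 6.
+Obsolete severity field for CEF header use :severity instead.
 
 [id="plugins-{type}s-{plugin}-severity"]
 ===== `severity`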
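--- a/data/lib/logstash/codecs/cef.rb
+++ b/data/lib/logstash/codecs/cef.rb
@@ -32,15 +32,8 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
 # to help you build a new value from other parts of the event.
 config :name, :validate => :string, :default => "Logstash"
 
-#
-
-#
-# This field is used only if :severity is unchanged set to the default value.
-#
-# Defined as field of type string to allow sprintf. The value will be validated
-# to be an integer in the range from 0 to 10 (including).
-# All invalid values will be mapped to the default of 6.
-config :sev, :validate => :string, :deprecated => "This setting is being deprecated, use :severity instead."
+# Obsolete severity field for CEF header
+config :sev, :validate => :string, :obsolete => "This setting is obsolete, use :severity instead."
 
 # Severity field in CEF header. The new value can include `%{foo}` strings
 # to help you build a new value from other parts of the event.
@@ -53,10 +46,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
 # Fields to be included in CEV extension part as key/value pairs
 config :fields, :validate => :array, :default => []
 
-
-# the index size and data stored in outputs like Elasticsearch
-# This option is available to ease transition to new schema
-config :deprecated_v1_fields, :validate => :boolean, :deprecated => "This setting is being deprecated"
+config :deprecated_v1_fields, :validate => :boolean, :obsolete => "This setting is obsolete"
 
 # If your input puts a delimiter between each CEF event, you'll want to set
 # this to be that delimiter.
@@ -133,9 +123,6 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
 split_data = data.split /(?<=[^\\]\\\\)[\|]|(?<!\\)[\|]/
 
 # To be invoked when config settings is set to TRUE for V1 field names (cef_ext.<fieldname>) the following code might be removed in upcoming Codec revision
-if deprecated_v1_fields
-handle_v1_fields(event, split_data)
-end
 
 # To be invoked with default config settings to utilise the new field name formatting and flatten out the JSON document
 # Store header fields
@@ -213,12 +200,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
 name = sanitize_header_field(event.sprintf(@name))
 name = self.class.get_config["name"][:default] if name == ""
 
-# :sev is deprecated and therefore only considered if :severity equals the default setting or is invalid
 severity = sanitize_severity(event, @severity)
-if severity == self.class.get_config["severity"][:default] && @sev
-# Use deprecated setting sev
-severity = sanitize_severity(event, @sev)
-end
 
 # Should also probably set the fields sent
 header = ["CEF:0", vendor, product, version, signature, name, severity].join("|")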
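Review bot: The comment kept at new line 125, `# To be invoked when config settings is set to TRUE for V1 field names (cef_ext.<fieldname>) the following code might be removed in upcoming Codec revision`, describes exactly the `if deprecated_v1_fields` block this hunk deletes, so it is now stale and should be removed with it. `handle_v1_fields` is not visible in these hunks; if it is still defined elsewhere in the file it has no remaining caller after this change and should be deleted too, otherwise the v1 `cef_ext.*` emission path lingers as dead code that a later edit could accidentally re-enable. For consistency with the `:sev` message at new line 36, the `:deprecated_v1_fields` obsolete text at new line 49 could tell the operator what replaced it, e.g. `:obsolete => "This setting is obsolete; v1 field names (cef_ext.<fieldname>) are no longer emitted"`. The decode and encode methods these hunks touch start and end outside the hunks.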
data/logstash-codec-cef.gemspec
CHANGED
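--- a/data/spec/codecs/cef_spec.rb
+++ b/data/spec/codecs/cef_spec.rb
@@ -209,54 +209,6 @@ describe LogStash::Codecs::CEF do
 codec.encode(event)
 expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|foo=[0-9TZ.:-]+$/m)
 end
-
-it "should use severity (instead of depricated sev), if severity is set)" do
-codec.on_event{|data, newdata| results << newdata}
-codec.sev = "4"
-codec.severity = "5"
-codec.fields = []
-event = LogStash::Event.new("foo" => "bar")
-codec.encode(event)
-expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|5\|$/m)
-end
-
-it "should use deprecated sev, if severity is not set (equals default value)" do
-codec.on_event{|data, newdata| results << newdata}
-codec.sev = "4"
-codec.fields = []
-event = LogStash::Event.new("foo" => "bar")
-codec.encode(event)
-expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|4\|$/m)
-end
-
-it "should use deprecated sev, if severity is explicitly set to default value)" do
-codec.on_event{|data, newdata| results << newdata}
-codec.sev = "4"
-codec.severity = "6"
-codec.fields = []
-event = LogStash::Event.new("foo" => "bar")
-codec.encode(event)
-expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|4\|$/m)
-end
-
-it "should use deprecated sev, if severity is invalid" do
-codec.on_event{|data, newdata| results << newdata}
-codec.sev = "4"
-codec.severity = ""
-codec.fields = []
-event = LogStash::Event.new("foo" => "bar")
-codec.encode(event)
-expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|4\|$/m)
-end
-
-it "should use default value, if severity is not set and sev is invalid" do
-codec.on_event{|data, newdata| results << newdata}
-codec.sev = ""
-codec.fields = []
-event = LogStash::Event.new("foo" => "bar")
-codec.encode(event)
-expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|$/m)
-end
 end
 
 context "sanitize header field" do
@@ -567,180 +519,6 @@ describe LogStash::Codecs::CEF do
 end
 end
 end
-
-end
-
-context "decode with deprecated version option" do
-let (:message) { "CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|src=10.0.0.192 dst=12.121.122.82 spt=1232" }
-let(:options) {
-{
-"deprecated_v1_fields" => true
-}
-}
-
-subject(:codec) { LogStash::Codecs::CEF.new(options) }
-
-def validate(e)
-insist { e.is_a?(LogStash::Event) }
-insist { e.get('cef_version') } == "0"
-insist { e.get('cef_device_version') } == "1.0"
-insist { e.get('cef_sigid') } == "100"
-insist { e.get('cef_name') } == "trojan successfully stopped"
-insist { e.get('cef_severity') } == "10"
-insist { e.get('cefVersion') } == "0"
-insist { e.get('deviceVersion') } == "1.0"
-insist { e.get('deviceEventClassId') } == "100"
-insist { e.get('name') } == "trojan successfully stopped"
-insist { e.get('severity') } == "10"
-end
-
-it "should parse the cef headers" do
-subject.decode(message) do |e|
-validate(e)
-ext = e.get('cef_ext')
-insist { e.get("cef_vendor") } == "security"
-insist { e.get("cef_product") } == "threatmanager"
-insist { e.get("deviceVendor") } == "security"
-insist { e.get("deviceProduct") } == "threatmanager"
-end
-end
-
-it "should parse the cef body" do
-subject.decode(message) do |e|
-ext = e.get('cef_ext')
-insist { ext['src'] } == "10.0.0.192"
-insist { ext['dst'] } == "12.121.122.82"
-insist { ext['spt'] } == "1232"
-insist { e.get("sourceAddress")} == "10.0.0.192"
-insist { e.get("destinationAddress") } == "12.121.122.82"
-insist { e.get("sourcePort") } == "1232"
-end
-end
-
-let (:no_ext) { "CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|" }
-it "should be OK with no extension dictionary" do
-subject.decode(no_ext) do |e|
-validate(e)
-insist { e.get("cef_ext") } == nil
-end
-end
-
-let (:missing_headers) { "CEF:0|||1.0|100|trojan successfully stopped|10|src=10.0.0.192 dst=12.121.122.82 spt=1232" }
-it "should be OK with missing CEF headers (multiple pipes in sequence)" do
-subject.decode(missing_headers) do |e|
-validate(e)
-insist { e.get("cef_vendor") } == ""
-insist { e.get("cef_product") } == ""
-insist { e.get("deviceVendor") } == ""
-insist { e.get("deviceProduct") } == ""
-end
-end
-
-let (:leading_whitespace) { "CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10| src=10.0.0.192 dst=12.121.122.82 spt=1232" }
-it "should strip leading whitespace from the message" do
-subject.decode(leading_whitespace) do |e|
-validate(e)
-end
-end
-
-let (:escaped_pipes) { 'CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|moo=this\|has an escaped pipe' }
-it "should be OK with escaped pipes in the message" do
-subject.decode(escaped_pipes) do |e|
-ext = e.get('cef_ext')
-insist { ext['moo'] } == 'this\|has an escaped pipe'
-end
-end
-
-let (:pipes_in_message) {'CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|moo=this|has an pipe'}
-it "should be OK with not escaped pipes in the message" do
-subject.decode(pipes_in_message) do |e|
-ext = e.get('cef_ext')
-insist { ext['moo'] } == 'this|has an pipe'
-end
-end
-
-let (:escaped_equal_in_message) {'CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|moo=this \=has escaped \= equals\='}
-it "should be OK with escaped equal in the message" do
-subject.decode(escaped_equal_in_message) do |e|
-ext = e.get('cef_ext')
-insist { ext['moo'] } == 'this =has escaped = equals='
-end
-end
-
-let (:escaped_backslash_in_header) {'CEF:0|secu\\\\rity|threat\\\\manager|1.\\\\0|10\\\\0|tro\\\\jan successfully stopped|\\\\10|'}
-it "should be OK with escaped backslash in the headers" do
-subject.decode(escaped_backslash_in_header) do |e|
-insist { e.get("cef_version") } == '0'
-insist { e.get("cef_vendor") } == 'secu\\rity'
-insist { e.get("cef_product") } == 'threat\\manager'
-insist { e.get("cef_device_version") } == '1.\\0'
-insist { e.get("cef_sigid") } == '10\\0'
-insist { e.get("cef_name") } == 'tro\\jan successfully stopped'
-insist { e.get("cef_severity") } == '\\10'
-end
-end
-
-let (:escaped_backslash_in_header_edge_case) {'CEF:0|security\\\\\\||threatmanager\\\\|1.0|100|trojan successfully stopped|10|'}
-it "should be OK with escaped backslash in the headers (edge case: escaped slash in front of pipe)" do
-subject.decode(escaped_backslash_in_header_edge_case) do |e|
-validate(e)
-insist { e.get("cef_vendor") } == 'security\\|'
-insist { e.get("cef_product") } == 'threatmanager\\'
-end
-end
-
-let (:escaped_pipes_in_header) {'CEF:0|secu\\|rity|threatmanager\\||1.\\|0|10\\|0|tro\\|jan successfully stopped|\\|10|'}
-it "should be OK with escaped pipes in the headers" do
-subject.decode(escaped_pipes_in_header) do |e|
-insist { e.get("cef_version") } == '0'
-insist { e.get("cef_vendor") } == 'secu|rity'
-insist { e.get("cef_product") } == 'threatmanager|'
-insist { e.get("cef_device_version") } == '1.|0'
-insist { e.get("cef_sigid") } == '10|0'
-insist { e.get("cef_name") } == 'tro|jan successfully stopped'
-insist { e.get("cef_severity") } == '|10'
-insist { e.get("cefVersion") } == '0'
-insist { e.get("deviceVendor") } == 'secu|rity'
-insist { e.get("deviceProduct") } == 'threatmanager|'
-insist { e.get("deviceVersion") } == '1.|0'
-insist { e.get("deviceEventClassId") } == '10|0'
-insist { e.get("name") } == 'tro|jan successfully stopped'
-insist { e.get("severity") } == '|10'
-end
-end
-
-let (:escaped_backslash_in_message) {'CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|moo=this \\\\has escaped \\\\ backslashs\\\\'}
-it "should be OK with escaped backslashs in the message" do
-subject.decode(escaped_backslash_in_message) do |e|
-ext = e.get('cef_ext')
-insist { ext['moo'] } == 'this \\has escaped \\ backslashs\\'
-end
-end
-
-let (:equal_in_header) {'CEF:0|security|threatmanager=equal|1.0|100|trojan successfully stopped|10|'}
-it "should be OK with equal in the headers" do
-subject.decode(equal_in_header) do |e|
-validate(e)
-insist { e.get("cef_product") } == "threatmanager=equal"
-end
-end
-
-let (:syslog) { "Syslogdate Sysloghost CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|src=10.0.0.192 dst=12.121.122.82 spt=1232" }
-it "Should detect headers before CEF starts" do
-subject.decode(syslog) do |e|
-validate(e)
-insist { e.get('syslog') } == 'Syslogdate Sysloghost'
-end
-end
-
-context "when payload is not in CEF" do
-let (:message) { "potatoes" }
-it "Should detect headers before CEF starts" do
-subject.decode(message) do |e|
-insist { e.get('tags') } == ['_cefparsefailure']
-end
-end
-end
 end
 
 context "encode and decode" do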
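--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-codec-cef
 version: !ruby/object:Gem::Version
-version:
+version: 5.0.0
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-08-
+date: 2017-08-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement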