logstash-codec-cef 4.1.4-java → 5.0.0-java

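--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 60a1f06f80aba88a18a75c268ab561ca02b4dbd9
-data.tar.gz: 1d29379cfd3e66a08433a06eedd4020ddba3e225
+metadata.gz: d1f1473b38fb8a8dd74bf9752a88b78bb2809924
+data.tar.gz: d6f2c65ee856b9a7964daeaaaefb32616082d3a0
 SHA512:
-metadata.gz: c82cfd294d1b7e2bc670b91ec73922e525c33d49970b0381031773b97af00607314ea0a3970d7350c58c5b8db2f94f07a6543a85fc9851c341a7c959afa40739
-data.tar.gz: 6e20dbddc21c81b9218f6697fed01c5da856a975e54ce651ad9637e1a04318885fb5a29f643d7560afb5df6cb270ad8fb90ee47be69d2f988ff9ddbdd5e641b9
+metadata.gz: 853445c04e7d15c39442f962c568d442ca3588389478860b5fbe9156c37504a31d9565ed2f7a48681add52703941548460f4a2be31fc8a2e9082744ffac4e267
+data.tar.gz: 446bcdce376fd7cf78417b247834c68955f5b057deba3d7b59e18c9feffe0db80cc723a3b68f84246a6cc6ab1eab4ab32dc0586b6e5a19d730344b8d1039f820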
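--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,5 @@
-## 4.1.4
-- Some documentation changes
+## 5.0.0
+- move `sev` and `deprecated_v1_fields` fields from deprecated to obsolete
 
 ## 4.1.2
 - added mapping for outcome = eventOutcome from CEF whitepaper (ref:p26/39)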
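--- a/data/docs/index.asciidoc
+++ b/data/docs/index.asciidoc
@@ -69,16 +69,12 @@ This setting allows the following character sequences to have special meaning:
 * `\\n` (backslash "n") - means newline (ASCII 0x0A)
 
 [id="plugins-{type}s-{plugin}-deprecated_v1_fields"]
-===== `deprecated_v1_fields` (DEPRECATED)
+===== `deprecated_v1_fields` (OBSOLETE)
 
-* DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
+* OBSOLETE WARNING: This configuration item is obsolete and will prevent the pipeline from starting if used
 * Value type is <<boolean,boolean>>
 * There is no default value for this setting.
 
-Set this flag if you want to have both v1 and v2 fields indexed at the same time. Note that this option will increase
-the index size and data stored in outputs like Elasticsearch
-This option is available to ease transition to new schema
-
 [id="plugins-{type}s-{plugin}-fields"]
 ===== `fields`
 
@@ -106,20 +102,13 @@ Device product field in CEF header. The new value can include `%{foo}` strings
 to help you build a new value from other parts of the event.
 
 [id="plugins-{type}s-{plugin}-sev"]
-===== `sev` (DEPRECATED)
+===== `sev` (OBSOLETE)
 
-* DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
+* OBSOLETE WARNING: This configuration item is obsolete and will prevent the pipeline from starting.
 * Value type is <<string,string>>
 * There is no default value for this setting.
 
-Deprecated severity field for CEF header. The new value can include `%{foo}` strings
-to help you build a new value from other parts of the event.
-
-This field is used only if :severity is unchanged set to the default value.
-
-Defined as field of type string to allow sprintf. The value will be validated
-to be an integer in the range from 0 to 10 (including).
-All invalid values will be mapped to the default of 6.
+Obsolete severity field for CEF header use :severity instead.
 
 [id="plugins-{type}s-{plugin}-severity"]
 ===== `severity`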
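--- a/[codec source path not shown on page]
+++ b/[codec source path not shown on page]
@@ -32,15 +32,8 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
 # to help you build a new value from other parts of the event.
 config :name, :validate => :string, :default => "Logstash"
 
-# Deprecated severity field for CEF header. The new value can include `%{foo}` strings
-# to help you build a new value from other parts of the event.
-#
-# This field is used only if :severity is unchanged set to the default value.
-#
-# Defined as field of type string to allow sprintf. The value will be validated
-# to be an integer in the range from 0 to 10 (including).
-# All invalid values will be mapped to the default of 6.
-config :sev, :validate => :string, :deprecated => "This setting is being deprecated, use :severity instead."
+# Obsolete severity field for CEF header
+config :sev, :validate => :string, :obsolete => "This setting is obsolete, use :severity instead."
 
 # Severity field in CEF header. The new value can include `%{foo}` strings
 # to help you build a new value from other parts of the event.
@@ -53,10 +46,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
 # Fields to be included in CEV extension part as key/value pairs
 config :fields, :validate => :array, :default => []
 
-# Set this flag if you want to have both v1 and v2 fields indexed at the same time. Note that this option will increase
-# the index size and data stored in outputs like Elasticsearch
-# This option is available to ease transition to new schema
-config :deprecated_v1_fields, :validate => :boolean, :deprecated => "This setting is being deprecated"
+config :deprecated_v1_fields, :validate => :boolean, :obsolete => "This setting is obsolete"
 
 # If your input puts a delimiter between each CEF event, you'll want to set
 # this to be that delimiter.
@@ -133,9 +123,6 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
 split_data = data.split /(?<=[^\\]\\\\)[\|]|(?<!\\)[\|]/
 
 # To be invoked when config settings is set to TRUE for V1 field names (cef_ext.<fieldname>) the following code might be removed in upcoming Codec revision
-if deprecated_v1_fields
-handle_v1_fields(event, split_data)
-end
 
 # To be invoked with default config settings to utilise the new field name formatting and flatten out the JSON document
 # Store header fields
@@ -213,12 +200,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
 name = sanitize_header_field(event.sprintf(@name))
 name = self.class.get_config["name"][:default] if name == ""
 
-# :sev is deprecated and therefore only considered if :severity equals the default setting or is invalid
 severity = sanitize_severity(event, @severity)
-if severity == self.class.get_config["severity"][:default] && @sev
-# Use deprecated setting sev
-severity = sanitize_severity(event, @sev)
-end
 
 # Should also probably set the fields sent
 header = ["CEF:0", vendor, product, version, signature, name, severity].join("|")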
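Review bot: The comment kept as context at new line 125, `# To be invoked when config settings is set to TRUE for V1 field names (cef_ext.<fieldname>) the following code might be removed in upcoming Codec revision`, now describes the `if deprecated_v1_fields ... handle_v1_fields(event, split_data) ... end` block that the third hunk deletes, so it is left dangling in the decode path and should be removed together with the conditional. If `handle_v1_fields` has no remaining caller after this change (its definition is not part of the diff), it is dead code and belongs in the same commit. The enclosing decode method starts and ends outside the hunk. Separately, the second hunk strips every explanatory comment from `config :deprecated_v1_fields` while `:sev` keeps one; a one-liner such as `# Obsolete: the v1 (cef_ext.<fieldname>) field names are no longer produced` would keep the two obsoleted options documented consistently.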
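--- a/[gemspec path not shown on page]
+++ b/[gemspec path not shown on page]
@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
 s.name = 'logstash-codec-cef'
-s.version = '4.1.4'
+s.version = '5.0.0'
 s.platform = 'java'
 s.licenses = ['Apache License (2.0)']
 s.summary = "CEF codec to parse and encode CEF formated logs"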
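--- a/[codec spec path not shown on page]
+++ b/[codec spec path not shown on page]
@@ -209,54 +209,6 @@ describe LogStash::Codecs::CEF do
 codec.encode(event)
 expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|foo=[0-9TZ.:-]+$/m)
 end
-
-it "should use severity (instead of depricated sev), if severity is set)" do
-codec.on_event{|data, newdata| results << newdata}
-codec.sev = "4"
-codec.severity = "5"
-codec.fields = []
-event = LogStash::Event.new("foo" => "bar")
-codec.encode(event)
-expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|5\|$/m)
-end
-
-it "should use deprecated sev, if severity is not set (equals default value)" do
-codec.on_event{|data, newdata| results << newdata}
-codec.sev = "4"
-codec.fields = []
-event = LogStash::Event.new("foo" => "bar")
-codec.encode(event)
-expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|4\|$/m)
-end
-
-it "should use deprecated sev, if severity is explicitly set to default value)" do
-codec.on_event{|data, newdata| results << newdata}
-codec.sev = "4"
-codec.severity = "6"
-codec.fields = []
-event = LogStash::Event.new("foo" => "bar")
-codec.encode(event)
-expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|4\|$/m)
-end
-
-it "should use deprecated sev, if severity is invalid" do
-codec.on_event{|data, newdata| results << newdata}
-codec.sev = "4"
-codec.severity = ""
-codec.fields = []
-event = LogStash::Event.new("foo" => "bar")
-codec.encode(event)
-expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|4\|$/m)
-end
-
-it "should use default value, if severity is not set and sev is invalid" do
-codec.on_event{|data, newdata| results << newdata}
-codec.sev = ""
-codec.fields = []
-event = LogStash::Event.new("foo" => "bar")
-codec.encode(event)
-expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|$/m)
-end
 end
 
 context "sanitize header field" do
@@ -567,180 +519,6 @@ describe LogStash::Codecs::CEF do
 end
 end
 end
-
-end
-
-context "decode with deprecated version option" do
-let (:message) { "CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|src=10.0.0.192 dst=12.121.122.82 spt=1232" }
-let(:options) {
-{
-"deprecated_v1_fields" => true
-}
-}
-
-subject(:codec) { LogStash::Codecs::CEF.new(options) }
-
-def validate(e)
-insist { e.is_a?(LogStash::Event) }
-insist { e.get('cef_version') } == "0"
-insist { e.get('cef_device_version') } == "1.0"
-insist { e.get('cef_sigid') } == "100"
-insist { e.get('cef_name') } == "trojan successfully stopped"
-insist { e.get('cef_severity') } == "10"
-insist { e.get('cefVersion') } == "0"
-insist { e.get('deviceVersion') } == "1.0"
-insist { e.get('deviceEventClassId') } == "100"
-insist { e.get('name') } == "trojan successfully stopped"
-insist { e.get('severity') } == "10"
-end
-
-it "should parse the cef headers" do
-subject.decode(message) do |e|
-validate(e)
-ext = e.get('cef_ext')
-insist { e.get("cef_vendor") } == "security"
-insist { e.get("cef_product") } == "threatmanager"
-insist { e.get("deviceVendor") } == "security"
-insist { e.get("deviceProduct") } == "threatmanager"
-end
-end
-
-it "should parse the cef body" do
-subject.decode(message) do |e|
-ext = e.get('cef_ext')
-insist { ext['src'] } == "10.0.0.192"
-insist { ext['dst'] } == "12.121.122.82"
-insist { ext['spt'] } == "1232"
-insist { e.get("sourceAddress")} == "10.0.0.192"
-insist { e.get("destinationAddress") } == "12.121.122.82"
-insist { e.get("sourcePort") } == "1232"
-end
-end
-
-let (:no_ext) { "CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|" }
-it "should be OK with no extension dictionary" do
-subject.decode(no_ext) do |e|
-validate(e)
-insist { e.get("cef_ext") } == nil
-end
-end
-
-let (:missing_headers) { "CEF:0|||1.0|100|trojan successfully stopped|10|src=10.0.0.192 dst=12.121.122.82 spt=1232" }
-it "should be OK with missing CEF headers (multiple pipes in sequence)" do
-subject.decode(missing_headers) do |e|
-validate(e)
-insist { e.get("cef_vendor") } == ""
-insist { e.get("cef_product") } == ""
-insist { e.get("deviceVendor") } == ""
-insist { e.get("deviceProduct") } == ""
-end
-end
-
-let (:leading_whitespace) { "CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10| src=10.0.0.192 dst=12.121.122.82 spt=1232" }
-it "should strip leading whitespace from the message" do
-subject.decode(leading_whitespace) do |e|
-validate(e)
-end
-end
-
-let (:escaped_pipes) { 'CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|moo=this\|has an escaped pipe' }
-it "should be OK with escaped pipes in the message" do
-subject.decode(escaped_pipes) do |e|
-ext = e.get('cef_ext')
-insist { ext['moo'] } == 'this\|has an escaped pipe'
-end
-end
-
-let (:pipes_in_message) {'CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|moo=this|has an pipe'}
-it "should be OK with not escaped pipes in the message" do
-subject.decode(pipes_in_message) do |e|
-ext = e.get('cef_ext')
-insist { ext['moo'] } == 'this|has an pipe'
-end
-end
-
-let (:escaped_equal_in_message) {'CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|moo=this \=has escaped \= equals\='}
-it "should be OK with escaped equal in the message" do
-subject.decode(escaped_equal_in_message) do |e|
-ext = e.get('cef_ext')
-insist { ext['moo'] } == 'this =has escaped = equals='
-end
-end
-
-let (:escaped_backslash_in_header) {'CEF:0|secu\\\\rity|threat\\\\manager|1.\\\\0|10\\\\0|tro\\\\jan successfully stopped|\\\\10|'}
-it "should be OK with escaped backslash in the headers" do
-subject.decode(escaped_backslash_in_header) do |e|
-insist { e.get("cef_version") } == '0'
-insist { e.get("cef_vendor") } == 'secu\\rity'
-insist { e.get("cef_product") } == 'threat\\manager'
-insist { e.get("cef_device_version") } == '1.\\0'
-insist { e.get("cef_sigid") } == '10\\0'
-insist { e.get("cef_name") } == 'tro\\jan successfully stopped'
-insist { e.get("cef_severity") } == '\\10'
-end
-end
-
-let (:escaped_backslash_in_header_edge_case) {'CEF:0|security\\\\\\||threatmanager\\\\|1.0|100|trojan successfully stopped|10|'}
-it "should be OK with escaped backslash in the headers (edge case: escaped slash in front of pipe)" do
-subject.decode(escaped_backslash_in_header_edge_case) do |e|
-validate(e)
-insist { e.get("cef_vendor") } == 'security\\|'
-insist { e.get("cef_product") } == 'threatmanager\\'
-end
-end
-
-let (:escaped_pipes_in_header) {'CEF:0|secu\\|rity|threatmanager\\||1.\\|0|10\\|0|tro\\|jan successfully stopped|\\|10|'}
-it "should be OK with escaped pipes in the headers" do
-subject.decode(escaped_pipes_in_header) do |e|
-insist { e.get("cef_version") } == '0'
-insist { e.get("cef_vendor") } == 'secu|rity'
-insist { e.get("cef_product") } == 'threatmanager|'
-insist { e.get("cef_device_version") } == '1.|0'
-insist { e.get("cef_sigid") } == '10|0'
-insist { e.get("cef_name") } == 'tro|jan successfully stopped'
-insist { e.get("cef_severity") } == '|10'
-insist { e.get("cefVersion") } == '0'
-insist { e.get("deviceVendor") } == 'secu|rity'
-insist { e.get("deviceProduct") } == 'threatmanager|'
-insist { e.get("deviceVersion") } == '1.|0'
-insist { e.get("deviceEventClassId") } == '10|0'
-insist { e.get("name") } == 'tro|jan successfully stopped'
-insist { e.get("severity") } == '|10'
-end
-end
-
-let (:escaped_backslash_in_message) {'CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|moo=this \\\\has escaped \\\\ backslashs\\\\'}
-it "should be OK with escaped backslashs in the message" do
-subject.decode(escaped_backslash_in_message) do |e|
-ext = e.get('cef_ext')
-insist { ext['moo'] } == 'this \\has escaped \\ backslashs\\'
-end
-end
-
-let (:equal_in_header) {'CEF:0|security|threatmanager=equal|1.0|100|trojan successfully stopped|10|'}
-it "should be OK with equal in the headers" do
-subject.decode(equal_in_header) do |e|
-validate(e)
-insist { e.get("cef_product") } == "threatmanager=equal"
-end
-end
-
-let (:syslog) { "Syslogdate Sysloghost CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|src=10.0.0.192 dst=12.121.122.82 spt=1232" }
-it "Should detect headers before CEF starts" do
-subject.decode(syslog) do |e|
-validate(e)
-insist { e.get('syslog') } == 'Syslogdate Sysloghost'
-end
-end
-
-context "when payload is not in CEF" do
-let (:message) { "potatoes" }
-it "Should detect headers before CEF starts" do
-subject.decode(message) do |e|
-insist { e.get('tags') } == ['_cefparsefailure']
-end
-end
-end
 end
 
 context "encode and decode" do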
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: logstash-codec-cef
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.1.4
4
+ version: 5.0.0
5
5
  platform: java
6
6
  authors:
7
7
  - Elastic
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-08-18 00:00:00.000000000 Z
11
+ date: 2017-08-01 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  requirement: !ruby/object:Gem::Requirement