logstash-codec-cef 6.2.1-java → 6.2.4-java
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +12 -2
- data/docs/index.asciidoc +94 -5
- data/lib/logstash/codecs/cef.rb +19 -39
- data/logstash-codec-cef.gemspec +3 -2
- data/spec/codecs/cef_spec.rb +24 -1
- metadata +19 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b204281f8d8ab5b22fc8f75231d3a31dd2ab4c2254c7bd4dca981bc996f5f38d
|
|
4
|
+
data.tar.gz: 8e255e40a7967fcd0326bbbd2db40511faaf55ce55222790feaa1b19b20fe3af
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3be6e9d4a944e9eecf8d75dd8e4880c32f12c89eca25b17d1ba33bc33ed95179d34ff8af373f8d3fbd3d9a5c81d64fb4317f4955b0fd92d81aa752473ff94f0e
|
|
7
|
+
data.tar.gz: a24d876f0aeeafeb1d24f2be62dca556f433bf6945ff88cf5d44d1cf97270127429ec68ed9c964b579a39d167d9e2558ccd3fdf567a8e8104a8bb9dec1db30cf
|
data/CHANGELOG.md
CHANGED
|
@@ -1,12 +1,22 @@
|
|
|
1
|
+
## 6.2.4
|
|
2
|
+
- [DOC] Emphasize importance of delimiter setting for byte stream inputs [#95](https://github.com/logstash-plugins/logstash-codec-cef/pull/95)
|
|
3
|
+
|
|
4
|
+
## 6.2.3
|
|
5
|
+
- Feat: event_factory support [#94](https://github.com/logstash-plugins/logstash-codec-cef/pull/94)
|
|
6
|
+
|
|
7
|
+
## 6.2.2
|
|
8
|
+
- Fixed invalid Field Reference that could occur when ECS mode was enabled and the CEF field `fileHash` was parsed.
|
|
9
|
+
- Added expanded mapping for numbered `deviceCustom*` and `deviceCustom*Label` fields so that all now include numbers 1 through 15. [#89](https://github.com/logstash-plugins/logstash-codec-cef/pull/89).
|
|
10
|
+
|
|
1
11
|
## 6.2.1
|
|
2
12
|
- Added field mapping to docs.
|
|
3
|
-
- Fixed ECS mapping of `deviceMacAddress` field.
|
|
13
|
+
- Fixed ECS mapping of `deviceMacAddress` field. [#88](https://github.com/logstash-plugins/logstash-codec-cef/pull/88).
|
|
4
14
|
|
|
5
15
|
## 6.2.0
|
|
6
16
|
- Introduce ECS Compatibility mode [#83](https://github.com/logstash-plugins/logstash-codec-cef/pull/83).
|
|
7
17
|
|
|
8
18
|
## 6.1.2
|
|
9
|
-
- Added error log with full payload when something bad happens in decoding a message[#84](https://github.com/logstash-plugins/logstash-codec-cef/pull/84)
|
|
19
|
+
- Added error log with full payload when something bad happens in decoding a message [#84](https://github.com/logstash-plugins/logstash-codec-cef/pull/84)
|
|
10
20
|
|
|
11
21
|
## 6.1.1
|
|
12
22
|
- Improved encoding performance, especially when encoding many extension fields [#81](https://github.com/logstash-plugins/logstash-codec-cef/pull/81)
|
data/docs/index.asciidoc
CHANGED
|
@@ -166,6 +166,28 @@ The following is a mapping between these fields.
|
|
|
166
166
|
|`deviceCustomFloatingPoint3Label` (`cfp3Label`)|`[cef][device_custom_floating_point_3][label]`
|
|
167
167
|
|`deviceCustomFloatingPoint4` (`cfp4`) |`[cef][device_custom_floating_point_4][value]`
|
|
168
168
|
|`deviceCustomFloatingPoint4Label` (`cfp4Label`)|`[cef][device_custom_floating_point_4][label]`
|
|
169
|
+
|`deviceCustomFloatingPoint5` (`cfp5`) |`[cef][device_custom_floating_point_5][value]`
|
|
170
|
+
|`deviceCustomFloatingPoint5Label` (`cfp5Label`)|`[cef][device_custom_floating_point_5][label]`
|
|
171
|
+
|`deviceCustomFloatingPoint6` (`cfp6`) |`[cef][device_custom_floating_point_6][value]`
|
|
172
|
+
|`deviceCustomFloatingPoint6Label` (`cfp6Label`)|`[cef][device_custom_floating_point_6][label]`
|
|
173
|
+
|`deviceCustomFloatingPoint7` (`cfp7`) |`[cef][device_custom_floating_point_7][value]`
|
|
174
|
+
|`deviceCustomFloatingPoint7Label` (`cfp7Label`)|`[cef][device_custom_floating_point_7][label]`
|
|
175
|
+
|`deviceCustomFloatingPoint8` (`cfp8`) |`[cef][device_custom_floating_point_8][value]`
|
|
176
|
+
|`deviceCustomFloatingPoint8Label` (`cfp8Label`)|`[cef][device_custom_floating_point_8][label]`
|
|
177
|
+
|`deviceCustomFloatingPoint9` (`cfp9`) |`[cef][device_custom_floating_point_9][value]`
|
|
178
|
+
|`deviceCustomFloatingPoint9Label` (`cfp9Label`)|`[cef][device_custom_floating_point_9][label]`
|
|
179
|
+
|`deviceCustomFloatingPoint10` (`cfp10`) |`[cef][device_custom_floating_point_10][value]`
|
|
180
|
+
|`deviceCustomFloatingPoint10Label` (`cfp10Label`)|`[cef][device_custom_floating_point_10][label]`
|
|
181
|
+
|`deviceCustomFloatingPoint11` (`cfp11`) |`[cef][device_custom_floating_point_11][value]`
|
|
182
|
+
|`deviceCustomFloatingPoint11Label` (`cfp11Label`)|`[cef][device_custom_floating_point_11][label]`
|
|
183
|
+
|`deviceCustomFloatingPoint12` (`cfp12`) |`[cef][device_custom_floating_point_12][value]`
|
|
184
|
+
|`deviceCustomFloatingPoint12Label` (`cfp12Label`)|`[cef][device_custom_floating_point_12][label]`
|
|
185
|
+
|`deviceCustomFloatingPoint13` (`cfp13`) |`[cef][device_custom_floating_point_13][value]`
|
|
186
|
+
|`deviceCustomFloatingPoint13Label` (`cfp13Label`)|`[cef][device_custom_floating_point_13][label]`
|
|
187
|
+
|`deviceCustomFloatingPoint14` (`cfp14`) |`[cef][device_custom_floating_point_14][value]`
|
|
188
|
+
|`deviceCustomFloatingPoint14Label` (`cfp14Label`)|`[cef][device_custom_floating_point_14][label]`
|
|
189
|
+
|`deviceCustomFloatingPoint15` (`cfp15`) |`[cef][device_custom_floating_point_15][value]`
|
|
190
|
+
|`deviceCustomFloatingPoint15Label` (`cfp15Label`)|`[cef][device_custom_floating_point_15][label]`
|
|
169
191
|
|`deviceCustomIPv6Address1` (`c6a1`) |`[cef][device_custom_ipv6_address_1][value]`
|
|
170
192
|
|`deviceCustomIPv6Address1Label` (`c6a1Label`) |`[cef][device_custom_ipv6_address_1][label]`
|
|
171
193
|
|`deviceCustomIPv6Address2` (`c6a2`) |`[cef][device_custom_ipv6_address_2][value]`
|
|
@@ -174,12 +196,58 @@ The following is a mapping between these fields.
|
|
|
174
196
|
|`deviceCustomIPv6Address3Label` (`c6a3Label`) |`[cef][device_custom_ipv6_address_3][label]`
|
|
175
197
|
|`deviceCustomIPv6Address4` (`c6a4`) |`[cef][device_custom_ipv6_address_4][value]`
|
|
176
198
|
|`deviceCustomIPv6Address4Label` (`c6a4Label`) |`[cef][device_custom_ipv6_address_4][label]`
|
|
199
|
+
|`deviceCustomIPv6Address5` (`c6a5`) |`[cef][device_custom_ipv6_address_5][value]`
|
|
200
|
+
|`deviceCustomIPv6Address5Label` (`c6a5Label`) |`[cef][device_custom_ipv6_address_5][label]`
|
|
201
|
+
|`deviceCustomIPv6Address6` (`c6a6`) |`[cef][device_custom_ipv6_address_6][value]`
|
|
202
|
+
|`deviceCustomIPv6Address6Label` (`c6a6Label`) |`[cef][device_custom_ipv6_address_6][label]`
|
|
203
|
+
|`deviceCustomIPv6Address7` (`c6a7`) |`[cef][device_custom_ipv6_address_7][value]`
|
|
204
|
+
|`deviceCustomIPv6Address7Label` (`c6a7Label`) |`[cef][device_custom_ipv6_address_7][label]`
|
|
205
|
+
|`deviceCustomIPv6Address8` (`c6a8`) |`[cef][device_custom_ipv6_address_8][value]`
|
|
206
|
+
|`deviceCustomIPv6Address8Label` (`c6a8Label`) |`[cef][device_custom_ipv6_address_8][label]`
|
|
207
|
+
|`deviceCustomIPv6Address9` (`c6a9`) |`[cef][device_custom_ipv6_address_9][value]`
|
|
208
|
+
|`deviceCustomIPv6Address9Label` (`c6a9Label`) |`[cef][device_custom_ipv6_address_9][label]`
|
|
209
|
+
|`deviceCustomIPv6Address10` (`c6a10`) |`[cef][device_custom_ipv6_address_10][value]`
|
|
210
|
+
|`deviceCustomIPv6Address10Label` (`c6a10Label`)|`[cef][device_custom_ipv6_address_10][label]`
|
|
211
|
+
|`deviceCustomIPv6Address11` (`c6a11`) |`[cef][device_custom_ipv6_address_11][value]`
|
|
212
|
+
|`deviceCustomIPv6Address11Label` (`c6a11Label`)|`[cef][device_custom_ipv6_address_11][label]`
|
|
213
|
+
|`deviceCustomIPv6Address12` (`c6a12`) |`[cef][device_custom_ipv6_address_12][value]`
|
|
214
|
+
|`deviceCustomIPv6Address12Label` (`c6a12Label`)|`[cef][device_custom_ipv6_address_12][label]`
|
|
215
|
+
|`deviceCustomIPv6Address13` (`c6a13`) |`[cef][device_custom_ipv6_address_13][value]`
|
|
216
|
+
|`deviceCustomIPv6Address13Label` (`c6a13Label`)|`[cef][device_custom_ipv6_address_13][label]`
|
|
217
|
+
|`deviceCustomIPv6Address14` (`c6a14`) |`[cef][device_custom_ipv6_address_14][value]`
|
|
218
|
+
|`deviceCustomIPv6Address14Label` (`c6a14Label`)|`[cef][device_custom_ipv6_address_14][label]`
|
|
219
|
+
|`deviceCustomIPv6Address15` (`c6a15`) |`[cef][device_custom_ipv6_address_15][value]`
|
|
220
|
+
|`deviceCustomIPv6Address15Label` (`c6a15Label`)|`[cef][device_custom_ipv6_address_15][label]`
|
|
177
221
|
|`deviceCustomNumber1` (`cn1`) |`[cef][device_custom_number_1][value]`
|
|
178
222
|
|`deviceCustomNumber1Label` (`cn1Label`) |`[cef][device_custom_number_1][label]`
|
|
179
223
|
|`deviceCustomNumber2` (`cn2`) |`[cef][device_custom_number_2][value]`
|
|
180
224
|
|`deviceCustomNumber2Label` (`cn2Label`) |`[cef][device_custom_number_2][label]`
|
|
181
225
|
|`deviceCustomNumber3` (`cn3`) |`[cef][device_custom_number_3][value]`
|
|
182
226
|
|`deviceCustomNumber3Label` (`cn3Label`) |`[cef][device_custom_number_3][label]`
|
|
227
|
+
|`deviceCustomNumber4` (`cn4`) |`[cef][device_custom_number_4][value]`
|
|
228
|
+
|`deviceCustomNumber4Label` (`cn4Label`) |`[cef][device_custom_number_4][label]`
|
|
229
|
+
|`deviceCustomNumber5` (`cn5`) |`[cef][device_custom_number_5][value]`
|
|
230
|
+
|`deviceCustomNumber5Label` (`cn5Label`) |`[cef][device_custom_number_5][label]`
|
|
231
|
+
|`deviceCustomNumber6` (`cn6`) |`[cef][device_custom_number_6][value]`
|
|
232
|
+
|`deviceCustomNumber6Label` (`cn6Label`) |`[cef][device_custom_number_6][label]`
|
|
233
|
+
|`deviceCustomNumber7` (`cn7`) |`[cef][device_custom_number_7][value]`
|
|
234
|
+
|`deviceCustomNumber7Label` (`cn7Label`) |`[cef][device_custom_number_7][label]`
|
|
235
|
+
|`deviceCustomNumber8` (`cn8`) |`[cef][device_custom_number_8][value]`
|
|
236
|
+
|`deviceCustomNumber8Label` (`cn8Label`) |`[cef][device_custom_number_8][label]`
|
|
237
|
+
|`deviceCustomNumber9` (`cn9`) |`[cef][device_custom_number_9][value]`
|
|
238
|
+
|`deviceCustomNumber9Label` (`cn9Label`) |`[cef][device_custom_number_9][label]`
|
|
239
|
+
|`deviceCustomNumber10` (`cn10`) |`[cef][device_custom_number_10][value]`
|
|
240
|
+
|`deviceCustomNumber10Label` (`cn10Label`) |`[cef][device_custom_number_10][label]`
|
|
241
|
+
|`deviceCustomNumber11` (`cn11`) |`[cef][device_custom_number_11][value]`
|
|
242
|
+
|`deviceCustomNumber11Label` (`cn11Label`) |`[cef][device_custom_number_11][label]`
|
|
243
|
+
|`deviceCustomNumber12` (`cn12`) |`[cef][device_custom_number_12][value]`
|
|
244
|
+
|`deviceCustomNumber12Label` (`cn12Label`) |`[cef][device_custom_number_12][label]`
|
|
245
|
+
|`deviceCustomNumber13` (`cn13`) |`[cef][device_custom_number_13][value]`
|
|
246
|
+
|`deviceCustomNumber13Label` (`cn13Label`) |`[cef][device_custom_number_13][label]`
|
|
247
|
+
|`deviceCustomNumber14` (`cn14`) |`[cef][device_custom_number_14][value]`
|
|
248
|
+
|`deviceCustomNumber14Label` (`cn14Label`) |`[cef][device_custom_number_14][label]`
|
|
249
|
+
|`deviceCustomNumber15` (`cn15`) |`[cef][device_custom_number_15][value]`
|
|
250
|
+
|`deviceCustomNumber15Label` (`cn15Label`) |`[cef][device_custom_number_15][label]`
|
|
183
251
|
|`deviceCustomString1` (`cs1`) |`[cef][device_custom_string_1][value]`
|
|
184
252
|
|`deviceCustomString1Label` (`cs1Label`) |`[cef][device_custom_string_1][label]`
|
|
185
253
|
|`deviceCustomString2` (`cs2`) |`[cef][device_custom_string_2][value]`
|
|
@@ -192,6 +260,24 @@ The following is a mapping between these fields.
|
|
|
192
260
|
|`deviceCustomString5Label` (`cs5Label`) |`[cef][device_custom_string_5][label]`
|
|
193
261
|
|`deviceCustomString6` (`cs6`) |`[cef][device_custom_string_6][value]`
|
|
194
262
|
|`deviceCustomString6Label` (`cs6Label`) |`[cef][device_custom_string_6][label]`
|
|
263
|
+
|`deviceCustomString7` (`cs7`) |`[cef][device_custom_string_7][value]`
|
|
264
|
+
|`deviceCustomString7Label` (`cs7Label`) |`[cef][device_custom_string_7][label]`
|
|
265
|
+
|`deviceCustomString8` (`cs8`) |`[cef][device_custom_string_8][value]`
|
|
266
|
+
|`deviceCustomString8Label` (`cs8Label`) |`[cef][device_custom_string_8][label]`
|
|
267
|
+
|`deviceCustomString9` (`cs9`) |`[cef][device_custom_string_9][value]`
|
|
268
|
+
|`deviceCustomString9Label` (`cs9Label`) |`[cef][device_custom_string_9][label]`
|
|
269
|
+
|`deviceCustomString10` (`cs10`) |`[cef][device_custom_string_10][value]`
|
|
270
|
+
|`deviceCustomString10Label` (`cs10Label`) |`[cef][device_custom_string_10][label]`
|
|
271
|
+
|`deviceCustomString11` (`cs11`) |`[cef][device_custom_string_11][value]`
|
|
272
|
+
|`deviceCustomString11Label` (`cs11Label`) |`[cef][device_custom_string_11][label]`
|
|
273
|
+
|`deviceCustomString12` (`cs12`) |`[cef][device_custom_string_12][value]`
|
|
274
|
+
|`deviceCustomString12Label` (`cs12Label`) |`[cef][device_custom_string_12][label]`
|
|
275
|
+
|`deviceCustomString13` (`cs13`) |`[cef][device_custom_string_13][value]`
|
|
276
|
+
|`deviceCustomString13Label` (`cs13Label`) |`[cef][device_custom_string_13][label]`
|
|
277
|
+
|`deviceCustomString14` (`cs14`) |`[cef][device_custom_string_14][value]`
|
|
278
|
+
|`deviceCustomString14Label` (`cs14Label`) |`[cef][device_custom_string_14][label]`
|
|
279
|
+
|`deviceCustomString15` (`cs15`) |`[cef][device_custom_string_15][value]`
|
|
280
|
+
|`deviceCustomString15Label` (`cs15Label`) |`[cef][device_custom_string_15][label]`
|
|
195
281
|
|`deviceDirection` |`[network][direction]`
|
|
196
282
|
.2+|`deviceDnsDomain` |`[observer][registered_domain]`
|
|
197
283
|
|
|
@@ -242,7 +328,7 @@ The following is a mapping between these fields.
|
|
|
242
328
|
|`eventOutcome` (`outcome`) |`[event][outcome]`
|
|
243
329
|
|`externalId` |`[cef][external_id]`
|
|
244
330
|
|`fileCreateTime` |`[file][created]`
|
|
245
|
-
|`fileHash` |`[file][hash]
|
|
331
|
+
|`fileHash` |`[file][hash]`
|
|
246
332
|
|`fileId` |`[file][inode]`
|
|
247
333
|
|`fileModificationTime` |`[file][mtime]`
|
|
248
334
|
|
|
@@ -355,14 +441,19 @@ not include timezone information, this `default_timezone` is used instead.
|
|
|
355
441
|
If your input puts a delimiter between each CEF event, you'll want to set
|
|
356
442
|
this to be that delimiter.
|
|
357
443
|
|
|
358
|
-
|
|
444
|
+
NOTE: Byte stream inputs such as TCP require delimiter to be specified. Otherwise input can be truncated or incorrectly split.
|
|
359
445
|
|
|
446
|
+
**Example**
|
|
447
|
+
|
|
448
|
+
[source,ruby]
|
|
449
|
+
-----
|
|
360
450
|
input {
|
|
361
451
|
tcp {
|
|
362
452
|
codec => cef { delimiter => "\r\n" }
|
|
363
453
|
# ...
|
|
364
454
|
}
|
|
365
455
|
}
|
|
456
|
+
-----
|
|
366
457
|
|
|
367
458
|
This setting allows the following character sequences to have special meaning:
|
|
368
459
|
|
|
@@ -398,9 +489,7 @@ If the codec handles data from a variety of sources, the ECS recommendation is t
|
|
|
398
489
|
** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
|
|
399
490
|
** Otherwise, the default value is `disabled`.
|
|
400
491
|
|
|
401
|
-
Controls this plugin's compatibility with the
|
|
402
|
-
{ecs-ref}[Elastic Common Schema (ECS)]
|
|
403
|
-
(ECS)].
|
|
492
|
+
Controls this plugin's compatibility with the {ecs-ref}[Elastic Common Schema (ECS)].
|
|
404
493
|
|
|
405
494
|
[id="plugins-{type}s-{plugin}-fields"]
|
|
406
495
|
===== `fields`
|
data/lib/logstash/codecs/cef.rb
CHANGED
|
@@ -6,6 +6,7 @@ require "json"
|
|
|
6
6
|
require "time"
|
|
7
7
|
|
|
8
8
|
require 'logstash/plugin_mixins/ecs_compatibility_support'
|
|
9
|
+
require 'logstash/plugin_mixins/event_support/event_factory_adapter'
|
|
9
10
|
|
|
10
11
|
# Implementation of a Logstash codec for the ArcSight Common Event Format (CEF)
|
|
11
12
|
# Based on Revision 20 of Implementing ArcSight CEF, dated from June 05, 2013
|
|
@@ -16,7 +17,8 @@ require 'logstash/plugin_mixins/ecs_compatibility_support'
|
|
|
16
17
|
class LogStash::Codecs::CEF < LogStash::Codecs::Base
|
|
17
18
|
config_name "cef"
|
|
18
19
|
|
|
19
|
-
include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1)
|
|
20
|
+
include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1, :v8 => :v1)
|
|
21
|
+
include LogStash::PluginMixins::EventSupport::EventFactoryAdapter
|
|
20
22
|
|
|
21
23
|
InvalidTimestamp = Class.new(StandardError)
|
|
22
24
|
|
|
@@ -201,7 +203,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
|
|
|
201
203
|
|
|
202
204
|
def handle(data, &block)
|
|
203
205
|
original_data = data.dup
|
|
204
|
-
event =
|
|
206
|
+
event = event_factory.new_event
|
|
205
207
|
event.set(raw_data_field, data) unless raw_data_field.nil?
|
|
206
208
|
|
|
207
209
|
@utf8_charset.convert(data)
|
|
@@ -282,7 +284,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
|
|
|
282
284
|
rescue => e
|
|
283
285
|
@logger.error("Failed to decode CEF payload. Generating failure event with payload in message field.",
|
|
284
286
|
:exception => e.class, :message => e.message, :backtrace => e.backtrace, :original_data => original_data)
|
|
285
|
-
yield
|
|
287
|
+
yield event_factory.new_event("message" => data, "tags" => ["_cefparsefailure"])
|
|
286
288
|
end
|
|
287
289
|
|
|
288
290
|
public
|
|
@@ -408,40 +410,18 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
|
|
|
408
410
|
CEFField.new("destinationZoneURI", ecs_field: "[cef][destination][zone][uri]"),
|
|
409
411
|
CEFField.new("deviceAction", key: "act", ecs_field: "[event][action]"),
|
|
410
412
|
CEFField.new("deviceAddress", key: "dvc", ecs_field: "[#{@device}][ip]"),
|
|
411
|
-
|
|
412
|
-
|
|
413
|
-
|
|
414
|
-
|
|
415
|
-
|
|
416
|
-
|
|
417
|
-
|
|
418
|
-
|
|
419
|
-
|
|
420
|
-
|
|
421
|
-
|
|
422
|
-
|
|
423
|
-
CEFField.new("deviceCustomIPv6Address3", key: "c6a3", ecs_field: "[cef][device_custom_ipv6_address_3][value]"),
|
|
424
|
-
CEFField.new("deviceCustomIPv6Address3Label", key: "c6a3Label", ecs_field: "[cef][device_custom_ipv6_address_3][label]"),
|
|
425
|
-
CEFField.new("deviceCustomIPv6Address4", key: "c6a4", ecs_field: "[cef][device_custom_ipv6_address_4][value]"),
|
|
426
|
-
CEFField.new("deviceCustomIPv6Address4Label", key: "c6a4Label", ecs_field: "[cef][device_custom_ipv6_address_4][label]"),
|
|
427
|
-
CEFField.new("deviceCustomNumber1", key: "cn1", ecs_field: "[cef][device_custom_number_1][value]"),
|
|
428
|
-
CEFField.new("deviceCustomNumber1Label", key: "cn1Label", ecs_field: "[cef][device_custom_number_1][label]"),
|
|
429
|
-
CEFField.new("deviceCustomNumber2", key: "cn2", ecs_field: "[cef][device_custom_number_2][value]"),
|
|
430
|
-
CEFField.new("deviceCustomNumber2Label", key: "cn2Label", ecs_field: "[cef][device_custom_number_2][label]"),
|
|
431
|
-
CEFField.new("deviceCustomNumber3", key: "cn3", ecs_field: "[cef][device_custom_number_3][value]"),
|
|
432
|
-
CEFField.new("deviceCustomNumber3Label", key: "cn3Label", ecs_field: "[cef][device_custom_number_3][label]"),
|
|
433
|
-
CEFField.new("deviceCustomString1", key: "cs1", ecs_field: "[cef][device_custom_string_1][value]"),
|
|
434
|
-
CEFField.new("deviceCustomString1Label", key: "cs1Label", ecs_field: "[cef][device_custom_string_1][label]"),
|
|
435
|
-
CEFField.new("deviceCustomString2", key: "cs2", ecs_field: "[cef][device_custom_string_2][value]"),
|
|
436
|
-
CEFField.new("deviceCustomString2Label", key: "cs2Label", ecs_field: "[cef][device_custom_string_2][label]"),
|
|
437
|
-
CEFField.new("deviceCustomString3", key: "cs3", ecs_field: "[cef][device_custom_string_3][value]"),
|
|
438
|
-
CEFField.new("deviceCustomString3Label", key: "cs3Label", ecs_field: "[cef][device_custom_string_3][label]"),
|
|
439
|
-
CEFField.new("deviceCustomString4", key: "cs4", ecs_field: "[cef][device_custom_string_4][value]"),
|
|
440
|
-
CEFField.new("deviceCustomString4Label", key: "cs4Label", ecs_field: "[cef][device_custom_string_4][label]"),
|
|
441
|
-
CEFField.new("deviceCustomString5", key: "cs5", ecs_field: "[cef][device_custom_string_5][value]"),
|
|
442
|
-
CEFField.new("deviceCustomString5Label", key: "cs5Label", ecs_field: "[cef][device_custom_string_5][label]"),
|
|
443
|
-
CEFField.new("deviceCustomString6", key: "cs6", ecs_field: "[cef][device_custom_string_6][value]"),
|
|
444
|
-
CEFField.new("deviceCustomString6Label", key: "cs6Label", ecs_field: "[cef][device_custom_string_6][label]"),
|
|
413
|
+
(1..15).map do |idx|
|
|
414
|
+
[
|
|
415
|
+
CEFField.new("deviceCustomFloatingPoint#{idx}", key: "cfp#{idx}", ecs_field: "[cef][device_custom_floating_point_#{idx}][value]"),
|
|
416
|
+
CEFField.new("deviceCustomFloatingPoint#{idx}Label", key: "cfp#{idx}Label", ecs_field: "[cef][device_custom_floating_point_#{idx}][label]"),
|
|
417
|
+
CEFField.new("deviceCustomIPv6Address#{idx}", key: "c6a#{idx}", ecs_field: "[cef][device_custom_ipv6_address_#{idx}][value]"),
|
|
418
|
+
CEFField.new("deviceCustomIPv6Address#{idx}Label", key: "c6a#{idx}Label", ecs_field: "[cef][device_custom_ipv6_address_#{idx}][label]"),
|
|
419
|
+
CEFField.new("deviceCustomNumber#{idx}", key: "cn#{idx}", ecs_field: "[cef][device_custom_number_#{idx}][value]"),
|
|
420
|
+
CEFField.new("deviceCustomNumber#{idx}Label", key: "cn#{idx}Label", ecs_field: "[cef][device_custom_number_#{idx}][label]"),
|
|
421
|
+
CEFField.new("deviceCustomString#{idx}", key: "cs#{idx}", ecs_field: "[cef][device_custom_string_#{idx}][value]"),
|
|
422
|
+
CEFField.new("deviceCustomString#{idx}Label", key: "cs#{idx}Label", ecs_field: "[cef][device_custom_string_#{idx}][label]"),
|
|
423
|
+
]
|
|
424
|
+
end,
|
|
445
425
|
CEFField.new("deviceDirection", ecs_field: "[network][direction]"),
|
|
446
426
|
CEFField.new("deviceDnsDomain", ecs_field: "[#{@device}][registered_domain]", priority: 10),
|
|
447
427
|
CEFField.new("deviceEventCategory", key: "cat", ecs_field: "[cef][category]"),
|
|
@@ -468,7 +448,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
|
|
|
468
448
|
CEFField.new("eventOutcome", key: "outcome", ecs_field: "[event][outcome]"),
|
|
469
449
|
CEFField.new("externalId", ecs_field: "[cef][external_id]"),
|
|
470
450
|
CEFField.new("fileCreateTime", ecs_field: "[file][created]"),
|
|
471
|
-
CEFField.new("fileHash", ecs_field: "[file][hash]
|
|
451
|
+
CEFField.new("fileHash", ecs_field: "[file][hash]"),
|
|
472
452
|
CEFField.new("fileId", ecs_field: "[file][inode]"),
|
|
473
453
|
CEFField.new("fileModificationTime", ecs_field: "[file][mtime]", normalize: :timestamp),
|
|
474
454
|
CEFField.new("fileName", key: "fname", ecs_field: "[file][name]"),
|
|
@@ -517,7 +497,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
|
|
|
517
497
|
CEFField.new("startTime", key: "start", ecs_field: "[event][start]", normalize: :timestamp),
|
|
518
498
|
CEFField.new("transportProtocol", key: "proto", ecs_field: "[network][transport]"),
|
|
519
499
|
CEFField.new("type", ecs_field: "[cef][type]"),
|
|
520
|
-
].sort_by(&:priority).each do |cef|
|
|
500
|
+
].flatten.sort_by(&:priority).each do |cef|
|
|
521
501
|
field_name = ecs_select[disabled:cef.name, v1:cef.ecs_field]
|
|
522
502
|
|
|
523
503
|
# whether the source is a cef_key or cef_name, normalize to field_name
|
data/logstash-codec-cef.gemspec
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
|
|
3
3
|
s.name = 'logstash-codec-cef'
|
|
4
|
-
s.version = '6.2.
|
|
4
|
+
s.version = '6.2.4'
|
|
5
5
|
s.platform = 'java'
|
|
6
6
|
s.licenses = ['Apache License (2.0)']
|
|
7
7
|
s.summary = "Reads the ArcSight Common Event Format (CEF)."
|
|
@@ -22,7 +22,8 @@ Gem::Specification.new do |s|
|
|
|
22
22
|
|
|
23
23
|
# Gem dependencies
|
|
24
24
|
s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
|
|
25
|
-
s.add_runtime_dependency
|
|
25
|
+
s.add_runtime_dependency "logstash-mixin-ecs_compatibility_support", '~> 1.3'
|
|
26
|
+
s.add_runtime_dependency "logstash-mixin-event_support", '~> 1.0'
|
|
26
27
|
|
|
27
28
|
s.add_development_dependency 'logstash-devutils'
|
|
28
29
|
s.add_development_dependency 'insist'
|
data/spec/codecs/cef_spec.rb
CHANGED
|
@@ -780,6 +780,29 @@ describe LogStash::Codecs::CEF do
|
|
|
780
780
|
end
|
|
781
781
|
end
|
|
782
782
|
|
|
783
|
+
let(:log_with_fileHash) { "Syslogdate Sysloghost CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|fileHash=1bad1dea" }
|
|
784
|
+
it 'decodes fileHash to [file][hash]' do
|
|
785
|
+
decode_one(subject, log_with_fileHash) do |e|
|
|
786
|
+
validate(e)
|
|
787
|
+
insist { e.get(ecs_select[disabled:"fileHash", v1:"[file][hash]"]) } == "1bad1dea"
|
|
788
|
+
end
|
|
789
|
+
end
|
|
790
|
+
|
|
791
|
+
let(:log_with_custom_typed_fields) { "Syslogdate Sysloghost CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|cfp15=3.1415926 cfp15Label=pi c6a12=::1 c6a12Label=localhost cn7=8191 cn7Label=mersenne cs4=silly cs4Label=theory" }
|
|
792
|
+
it 'decodes to mapped numbered fields' do
|
|
793
|
+
decode_one(subject, log_with_custom_typed_fields) do |e|
|
|
794
|
+
validate(e)
|
|
795
|
+
insist { e.get(ecs_select[disabled: "deviceCustomFloatingPoint15", v1: "[cef][device_custom_floating_point_15][value]"]) } == "3.1415926"
|
|
796
|
+
insist { e.get(ecs_select[disabled: "deviceCustomFloatingPoint15Label", v1: "[cef][device_custom_floating_point_15][label]"]) } == "pi"
|
|
797
|
+
insist { e.get(ecs_select[disabled: "deviceCustomIPv6Address12", v1: "[cef][device_custom_ipv6_address_12][value]"]) } == "::1"
|
|
798
|
+
insist { e.get(ecs_select[disabled: "deviceCustomIPv6Address12Label", v1: "[cef][device_custom_ipv6_address_12][label]"]) } == "localhost"
|
|
799
|
+
insist { e.get(ecs_select[disabled: "deviceCustomNumber7", v1: "[cef][device_custom_number_7][value]"]) } == "8191"
|
|
800
|
+
insist { e.get(ecs_select[disabled: "deviceCustomNumber7Label", v1: "[cef][device_custom_number_7][label]"]) } == "mersenne"
|
|
801
|
+
insist { e.get(ecs_select[disabled: "deviceCustomString4", v1: "[cef][device_custom_string_4][value]"]) } == "silly"
|
|
802
|
+
insist { e.get(ecs_select[disabled: "deviceCustomString4Label", v1: "[cef][device_custom_string_4][label]"]) } == "theory"
|
|
803
|
+
end
|
|
804
|
+
end
|
|
805
|
+
|
|
783
806
|
context 'with UTF-8 message' do
|
|
784
807
|
let(:message) { 'CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|src=192.168.1.11 target=aaaaaああああaaaa msg=Description Omitted' }
|
|
785
808
|
|
|
@@ -850,7 +873,7 @@ describe LogStash::Codecs::CEF do
|
|
|
850
873
|
|
|
851
874
|
let(:results) { [] }
|
|
852
875
|
|
|
853
|
-
ecs_compatibility_matrix(:disabled
|
|
876
|
+
ecs_compatibility_matrix(:disabled, :v1, :v8 => :v1) do |ecs_select|
|
|
854
877
|
before(:each) do
|
|
855
878
|
allow_any_instance_of(described_class).to receive(:ecs_compatibility).and_return(ecs_compatibility)
|
|
856
879
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-codec-cef
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.2.
|
|
4
|
+
version: 6.2.4
|
|
5
5
|
platform: java
|
|
6
6
|
authors:
|
|
7
7
|
- Elastic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2022-03-15 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -35,7 +35,7 @@ dependencies:
|
|
|
35
35
|
requirements:
|
|
36
36
|
- - "~>"
|
|
37
37
|
- !ruby/object:Gem::Version
|
|
38
|
-
version: '1.
|
|
38
|
+
version: '1.3'
|
|
39
39
|
name: logstash-mixin-ecs_compatibility_support
|
|
40
40
|
prerelease: false
|
|
41
41
|
type: :runtime
|
|
@@ -43,7 +43,21 @@ dependencies:
|
|
|
43
43
|
requirements:
|
|
44
44
|
- - "~>"
|
|
45
45
|
- !ruby/object:Gem::Version
|
|
46
|
-
version: '1.
|
|
46
|
+
version: '1.3'
|
|
47
|
+
- !ruby/object:Gem::Dependency
|
|
48
|
+
requirement: !ruby/object:Gem::Requirement
|
|
49
|
+
requirements:
|
|
50
|
+
- - "~>"
|
|
51
|
+
- !ruby/object:Gem::Version
|
|
52
|
+
version: '1.0'
|
|
53
|
+
name: logstash-mixin-event_support
|
|
54
|
+
prerelease: false
|
|
55
|
+
type: :runtime
|
|
56
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
57
|
+
requirements:
|
|
58
|
+
- - "~>"
|
|
59
|
+
- !ruby/object:Gem::Version
|
|
60
|
+
version: '1.0'
|
|
47
61
|
- !ruby/object:Gem::Dependency
|
|
48
62
|
requirement: !ruby/object:Gem::Requirement
|
|
49
63
|
requirements:
|
|
@@ -113,8 +127,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
113
127
|
- !ruby/object:Gem::Version
|
|
114
128
|
version: '0'
|
|
115
129
|
requirements: []
|
|
116
|
-
|
|
117
|
-
rubygems_version: 2.6.13
|
|
130
|
+
rubygems_version: 3.1.6
|
|
118
131
|
signing_key:
|
|
119
132
|
specification_version: 4
|
|
120
133
|
summary: Reads the ArcSight Common Event Format (CEF).
|