logstash-codec-cef 6.2.1-java → 6.2.4-java
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +12 -2
- data/docs/index.asciidoc +94 -5
- data/lib/logstash/codecs/cef.rb +19 -39
- data/logstash-codec-cef.gemspec +3 -2
- data/spec/codecs/cef_spec.rb +24 -1
- metadata +19 -6
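--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b204281f8d8ab5b22fc8f75231d3a31dd2ab4c2254c7bd4dca981bc996f5f38d
+data.tar.gz: 8e255e40a7967fcd0326bbbd2db40511faaf55ce55222790feaa1b19b20fe3af
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 3be6e9d4a944e9eecf8d75dd8e4880c32f12c89eca25b17d1ba33bc33ed95179d34ff8af373f8d3fbd3d9a5c81d64fb4317f4955b0fd92d81aa752473ff94f0e
+data.tar.gz: a24d876f0aeeafeb1d24f2be62dca556f433bf6945ff88cf5d44d1cf97270127429ec68ed9c964b579a39d167d9e2558ccd3fdf567a8e8104a8bb9dec1db30cf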
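--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,12 +1,22 @@
+## 6.2.4
+- [DOC] Emphasize importance of delimiter setting for byte stream inputs [#95](https://github.com/logstash-plugins/logstash-codec-cef/pull/95)
+
+## 6.2.3
+- Feat: event_factory support [#94](https://github.com/logstash-plugins/logstash-codec-cef/pull/94)
+
+## 6.2.2
+- Fixed invalid Field Reference that could occur when ECS mode was enabled and the CEF field `fileHash` was parsed.
+- Added expanded mapping for numbered `deviceCustom*` and `deviceCustom*Label` fields so that all now include numbers 1 through 15. [#89](https://github.com/logstash-plugins/logstash-codec-cef/pull/89).
+
 ## 6.2.1
 - Added field mapping to docs.
-- Fixed ECS mapping of `deviceMacAddress` field.
+- Fixed ECS mapping of `deviceMacAddress` field. [#88](https://github.com/logstash-plugins/logstash-codec-cef/pull/88).
 
 ## 6.2.0
 - Introduce ECS Compatibility mode [#83](https://github.com/logstash-plugins/logstash-codec-cef/pull/83).
 
 ## 6.1.2
-- Added error log with full payload when something bad happens in decoding a message[#84](https://github.com/logstash-plugins/logstash-codec-cef/pull/84)
+- Added error log with full payload when something bad happens in decoding a message [#84](https://github.com/logstash-plugins/logstash-codec-cef/pull/84)
 
 ## 6.1.1
 - Improved encoding performance, especially when encoding many extension fields [#81](https://github.com/logstash-plugins/logstash-codec-cef/pull/81)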
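--- a/data/docs/index.asciidoc
+++ b/data/docs/index.asciidoc
@@ -166,6 +166,28 @@ The following is a mapping between these fields.
 |`deviceCustomFloatingPoint3Label` (`cfp3Label`)|`[cef][device_custom_floating_point_3][label]`
 |`deviceCustomFloatingPoint4` (`cfp4`) |`[cef][device_custom_floating_point_4][value]`
 |`deviceCustomFloatingPoint4Label` (`cfp4Label`)|`[cef][device_custom_floating_point_4][label]`
+|`deviceCustomFloatingPoint5` (`cfp5`) |`[cef][device_custom_floating_point_5][value]`
+|`deviceCustomFloatingPoint5Label` (`cfp5Label`)|`[cef][device_custom_floating_point_5][label]`
+|`deviceCustomFloatingPoint6` (`cfp6`) |`[cef][device_custom_floating_point_6][value]`
+|`deviceCustomFloatingPoint6Label` (`cfp6Label`)|`[cef][device_custom_floating_point_6][label]`
+|`deviceCustomFloatingPoint7` (`cfp7`) |`[cef][device_custom_floating_point_7][value]`
+|`deviceCustomFloatingPoint7Label` (`cfp7Label`)|`[cef][device_custom_floating_point_7][label]`
+|`deviceCustomFloatingPoint8` (`cfp8`) |`[cef][device_custom_floating_point_8][value]`
+|`deviceCustomFloatingPoint8Label` (`cfp8Label`)|`[cef][device_custom_floating_point_8][label]`
+|`deviceCustomFloatingPoint9` (`cfp9`) |`[cef][device_custom_floating_point_9][value]`
+|`deviceCustomFloatingPoint9Label` (`cfp9Label`)|`[cef][device_custom_floating_point_9][label]`
+|`deviceCustomFloatingPoint10` (`cfp10`) |`[cef][device_custom_floating_point_10][value]`
+|`deviceCustomFloatingPoint10Label` (`cfp10Label`)|`[cef][device_custom_floating_point_10][label]`
+|`deviceCustomFloatingPoint11` (`cfp11`) |`[cef][device_custom_floating_point_11][value]`
+|`deviceCustomFloatingPoint11Label` (`cfp11Label`)|`[cef][device_custom_floating_point_11][label]`
+|`deviceCustomFloatingPoint12` (`cfp12`) |`[cef][device_custom_floating_point_12][value]`
+|`deviceCustomFloatingPoint12Label` (`cfp12Label`)|`[cef][device_custom_floating_point_12][label]`
+|`deviceCustomFloatingPoint13` (`cfp13`) |`[cef][device_custom_floating_point_13][value]`
+|`deviceCustomFloatingPoint13Label` (`cfp13Label`)|`[cef][device_custom_floating_point_13][label]`
+|`deviceCustomFloatingPoint14` (`cfp14`) |`[cef][device_custom_floating_point_14][value]`
+|`deviceCustomFloatingPoint14Label` (`cfp14Label`)|`[cef][device_custom_floating_point_14][label]`
+|`deviceCustomFloatingPoint15` (`cfp15`) |`[cef][device_custom_floating_point_15][value]`
+|`deviceCustomFloatingPoint15Label` (`cfp15Label`)|`[cef][device_custom_floating_point_15][label]`
 |`deviceCustomIPv6Address1` (`c6a1`) |`[cef][device_custom_ipv6_address_1][value]`
 |`deviceCustomIPv6Address1Label` (`c6a1Label`) |`[cef][device_custom_ipv6_address_1][label]`
 |`deviceCustomIPv6Address2` (`c6a2`) |`[cef][device_custom_ipv6_address_2][value]`
@@ -174,12 +196,58 @@ The following is a mapping between these fields.
 |`deviceCustomIPv6Address3Label` (`c6a3Label`) |`[cef][device_custom_ipv6_address_3][label]`
 |`deviceCustomIPv6Address4` (`c6a4`) |`[cef][device_custom_ipv6_address_4][value]`
 |`deviceCustomIPv6Address4Label` (`c6a4Label`) |`[cef][device_custom_ipv6_address_4][label]`
+|`deviceCustomIPv6Address5` (`c6a5`) |`[cef][device_custom_ipv6_address_5][value]`
+|`deviceCustomIPv6Address5Label` (`c6a5Label`) |`[cef][device_custom_ipv6_address_5][label]`
+|`deviceCustomIPv6Address6` (`c6a6`) |`[cef][device_custom_ipv6_address_6][value]`
+|`deviceCustomIPv6Address6Label` (`c6a6Label`) |`[cef][device_custom_ipv6_address_6][label]`
+|`deviceCustomIPv6Address7` (`c6a7`) |`[cef][device_custom_ipv6_address_7][value]`
+|`deviceCustomIPv6Address7Label` (`c6a7Label`) |`[cef][device_custom_ipv6_address_7][label]`
+|`deviceCustomIPv6Address8` (`c6a8`) |`[cef][device_custom_ipv6_address_8][value]`
+|`deviceCustomIPv6Address8Label` (`c6a8Label`) |`[cef][device_custom_ipv6_address_8][label]`
+|`deviceCustomIPv6Address9` (`c6a9`) |`[cef][device_custom_ipv6_address_9][value]`
+|`deviceCustomIPv6Address9Label` (`c6a9Label`) |`[cef][device_custom_ipv6_address_9][label]`
+|`deviceCustomIPv6Address10` (`c6a10`) |`[cef][device_custom_ipv6_address_10][value]`
+|`deviceCustomIPv6Address10Label` (`c6a10Label`)|`[cef][device_custom_ipv6_address_10][label]`
+|`deviceCustomIPv6Address11` (`c6a11`) |`[cef][device_custom_ipv6_address_11][value]`
+|`deviceCustomIPv6Address11Label` (`c6a11Label`)|`[cef][device_custom_ipv6_address_11][label]`
+|`deviceCustomIPv6Address12` (`c6a12`) |`[cef][device_custom_ipv6_address_12][value]`
+|`deviceCustomIPv6Address12Label` (`c6a12Label`)|`[cef][device_custom_ipv6_address_12][label]`
+|`deviceCustomIPv6Address13` (`c6a13`) |`[cef][device_custom_ipv6_address_13][value]`
+|`deviceCustomIPv6Address13Label` (`c6a13Label`)|`[cef][device_custom_ipv6_address_13][label]`
+|`deviceCustomIPv6Address14` (`c6a14`) |`[cef][device_custom_ipv6_address_14][value]`
+|`deviceCustomIPv6Address14Label` (`c6a14Label`)|`[cef][device_custom_ipv6_address_14][label]`
+|`deviceCustomIPv6Address15` (`c6a15`) |`[cef][device_custom_ipv6_address_15][value]`
+|`deviceCustomIPv6Address15Label` (`c6a15Label`)|`[cef][device_custom_ipv6_address_15][label]`
 |`deviceCustomNumber1` (`cn1`) |`[cef][device_custom_number_1][value]`
 |`deviceCustomNumber1Label` (`cn1Label`) |`[cef][device_custom_number_1][label]`
 |`deviceCustomNumber2` (`cn2`) |`[cef][device_custom_number_2][value]`
 |`deviceCustomNumber2Label` (`cn2Label`) |`[cef][device_custom_number_2][label]`
 |`deviceCustomNumber3` (`cn3`) |`[cef][device_custom_number_3][value]`
 |`deviceCustomNumber3Label` (`cn3Label`) |`[cef][device_custom_number_3][label]`
+|`deviceCustomNumber4` (`cn4`) |`[cef][device_custom_number_4][value]`
+|`deviceCustomNumber4Label` (`cn4Label`) |`[cef][device_custom_number_4][label]`
+|`deviceCustomNumber5` (`cn5`) |`[cef][device_custom_number_5][value]`
+|`deviceCustomNumber5Label` (`cn5Label`) |`[cef][device_custom_number_5][label]`
+|`deviceCustomNumber6` (`cn6`) |`[cef][device_custom_number_6][value]`
+|`deviceCustomNumber6Label` (`cn6Label`) |`[cef][device_custom_number_6][label]`
+|`deviceCustomNumber7` (`cn7`) |`[cef][device_custom_number_7][value]`
+|`deviceCustomNumber7Label` (`cn7Label`) |`[cef][device_custom_number_7][label]`
+|`deviceCustomNumber8` (`cn8`) |`[cef][device_custom_number_8][value]`
+|`deviceCustomNumber8Label` (`cn8Label`) |`[cef][device_custom_number_8][label]`
+|`deviceCustomNumber9` (`cn9`) |`[cef][device_custom_number_9][value]`
+|`deviceCustomNumber9Label` (`cn9Label`) |`[cef][device_custom_number_9][label]`
+|`deviceCustomNumber10` (`cn10`) |`[cef][device_custom_number_10][value]`
+|`deviceCustomNumber10Label` (`cn10Label`) |`[cef][device_custom_number_10][label]`
+|`deviceCustomNumber11` (`cn11`) |`[cef][device_custom_number_11][value]`
+|`deviceCustomNumber11Label` (`cn11Label`) |`[cef][device_custom_number_11][label]`
+|`deviceCustomNumber12` (`cn12`) |`[cef][device_custom_number_12][value]`
+|`deviceCustomNumber12Label` (`cn12Label`) |`[cef][device_custom_number_12][label]`
+|`deviceCustomNumber13` (`cn13`) |`[cef][device_custom_number_13][value]`
+|`deviceCustomNumber13Label` (`cn13Label`) |`[cef][device_custom_number_13][label]`
+|`deviceCustomNumber14` (`cn14`) |`[cef][device_custom_number_14][value]`
+|`deviceCustomNumber14Label` (`cn14Label`) |`[cef][device_custom_number_14][label]`
+|`deviceCustomNumber15` (`cn15`) |`[cef][device_custom_number_15][value]`
+|`deviceCustomNumber15Label` (`cn15Label`) |`[cef][device_custom_number_15][label]`
 |`deviceCustomString1` (`cs1`) |`[cef][device_custom_string_1][value]`
 |`deviceCustomString1Label` (`cs1Label`) |`[cef][device_custom_string_1][label]`
 |`deviceCustomString2` (`cs2`) |`[cef][device_custom_string_2][value]`
@@ -192,6 +260,24 @@ The following is a mapping between these fields.
 |`deviceCustomString5Label` (`cs5Label`) |`[cef][device_custom_string_5][label]`
 |`deviceCustomString6` (`cs6`) |`[cef][device_custom_string_6][value]`
 |`deviceCustomString6Label` (`cs6Label`) |`[cef][device_custom_string_6][label]`
+|`deviceCustomString7` (`cs7`) |`[cef][device_custom_string_7][value]`
+|`deviceCustomString7Label` (`cs7Label`) |`[cef][device_custom_string_7][label]`
+|`deviceCustomString8` (`cs8`) |`[cef][device_custom_string_8][value]`
+|`deviceCustomString8Label` (`cs8Label`) |`[cef][device_custom_string_8][label]`
+|`deviceCustomString9` (`cs9`) |`[cef][device_custom_string_9][value]`
+|`deviceCustomString9Label` (`cs9Label`) |`[cef][device_custom_string_9][label]`
+|`deviceCustomString10` (`cs10`) |`[cef][device_custom_string_10][value]`
+|`deviceCustomString10Label` (`cs10Label`) |`[cef][device_custom_string_10][label]`
+|`deviceCustomString11` (`cs11`) |`[cef][device_custom_string_11][value]`
+|`deviceCustomString11Label` (`cs11Label`) |`[cef][device_custom_string_11][label]`
+|`deviceCustomString12` (`cs12`) |`[cef][device_custom_string_12][value]`
+|`deviceCustomString12Label` (`cs12Label`) |`[cef][device_custom_string_12][label]`
+|`deviceCustomString13` (`cs13`) |`[cef][device_custom_string_13][value]`
+|`deviceCustomString13Label` (`cs13Label`) |`[cef][device_custom_string_13][label]`
+|`deviceCustomString14` (`cs14`) |`[cef][device_custom_string_14][value]`
+|`deviceCustomString14Label` (`cs14Label`) |`[cef][device_custom_string_14][label]`
+|`deviceCustomString15` (`cs15`) |`[cef][device_custom_string_15][value]`
+|`deviceCustomString15Label` (`cs15Label`) |`[cef][device_custom_string_15][label]`
 |`deviceDirection` |`[network][direction]`
 .2+|`deviceDnsDomain` |`[observer][registered_domain]`
 
@@ -242,7 +328,7 @@ The following is a mapping between these fields.
 |`eventOutcome` (`outcome`) |`[event][outcome]`
 |`externalId` |`[cef][external_id]`
 |`fileCreateTime` |`[file][created]`
-|`fileHash` |`[file][hash]
+|`fileHash` |`[file][hash]`
 |`fileId` |`[file][inode]`
 |`fileModificationTime` |`[file][mtime]`
 
@@ -355,14 +441,19 @@ not include timezone information, this `default_timezone` is used instead.
 If your input puts a delimiter between each CEF event, you'll want to set
 this to be that delimiter.
 
-
+NOTE: Byte stream inputs such as TCP require delimiter to be specified. Otherwise input can be truncated or incorrectly split.
 
+**Example**
+
+[source,ruby]
+-----
 input {
 tcp {
 codec => cef { delimiter => "\r\n" }
 # ...
 }
 }
+-----
 
 This setting allows the following character sequences to have special meaning:
 
@@ -398,9 +489,7 @@ If the codec handles data from a variety of sources, the ECS recommendation is t
 ** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
 ** Otherwise, the default value is `disabled`.
 
-Controls this plugin's compatibility with the
-{ecs-ref}[Elastic Common Schema (ECS)]
-(ECS)].
+Controls this plugin's compatibility with the {ecs-ref}[Elastic Common Schema (ECS)].
 
 [id="plugins-{type}s-{plugin}-fields"]
 ===== `fields`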
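--- a/data/lib/logstash/codecs/cef.rb
+++ b/data/lib/logstash/codecs/cef.rb
@@ -6,6 +6,7 @@ require "json"
 require "time"
 
 require 'logstash/plugin_mixins/ecs_compatibility_support'
+require 'logstash/plugin_mixins/event_support/event_factory_adapter'
 
 # Implementation of a Logstash codec for the ArcSight Common Event Format (CEF)
 # Based on Revision 20 of Implementing ArcSight CEF, dated from June 05, 2013
@@ -16,7 +17,8 @@ require 'logstash/plugin_mixins/ecs_compatibility_support'
 class LogStash::Codecs::CEF < LogStash::Codecs::Base
 config_name "cef"
 
-include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1)
+include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1, :v8 => :v1)
+include LogStash::PluginMixins::EventSupport::EventFactoryAdapter
 
 InvalidTimestamp = Class.new(StandardError)
 
@@ -201,7 +203,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
 
 def handle(data, &block)
 original_data = data.dup
-event =
+event = event_factory.new_event
 event.set(raw_data_field, data) unless raw_data_field.nil?
 
 @utf8_charset.convert(data)
@@ -282,7 +284,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
 rescue => e
 @logger.error("Failed to decode CEF payload. Generating failure event with payload in message field.",
 :exception => e.class, :message => e.message, :backtrace => e.backtrace, :original_data => original_data)
-yield
+yield event_factory.new_event("message" => data, "tags" => ["_cefparsefailure"])
 end
 
 public
@@ -408,40 +410,18 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
 CEFField.new("destinationZoneURI", ecs_field: "[cef][destination][zone][uri]"),
 CEFField.new("deviceAction", key: "act", ecs_field: "[event][action]"),
 CEFField.new("deviceAddress", key: "dvc", ecs_field: "[#{@device}][ip]"),
-
-
-
-
-
-
-
-
-
-
-
-
-CEFField.new("deviceCustomIPv6Address3", key: "c6a3", ecs_field: "[cef][device_custom_ipv6_address_3][value]"),
-CEFField.new("deviceCustomIPv6Address3Label", key: "c6a3Label", ecs_field: "[cef][device_custom_ipv6_address_3][label]"),
-CEFField.new("deviceCustomIPv6Address4", key: "c6a4", ecs_field: "[cef][device_custom_ipv6_address_4][value]"),
-CEFField.new("deviceCustomIPv6Address4Label", key: "c6a4Label", ecs_field: "[cef][device_custom_ipv6_address_4][label]"),
-CEFField.new("deviceCustomNumber1", key: "cn1", ecs_field: "[cef][device_custom_number_1][value]"),
-CEFField.new("deviceCustomNumber1Label", key: "cn1Label", ecs_field: "[cef][device_custom_number_1][label]"),
-CEFField.new("deviceCustomNumber2", key: "cn2", ecs_field: "[cef][device_custom_number_2][value]"),
-CEFField.new("deviceCustomNumber2Label", key: "cn2Label", ecs_field: "[cef][device_custom_number_2][label]"),
-CEFField.new("deviceCustomNumber3", key: "cn3", ecs_field: "[cef][device_custom_number_3][value]"),
-CEFField.new("deviceCustomNumber3Label", key: "cn3Label", ecs_field: "[cef][device_custom_number_3][label]"),
-CEFField.new("deviceCustomString1", key: "cs1", ecs_field: "[cef][device_custom_string_1][value]"),
-CEFField.new("deviceCustomString1Label", key: "cs1Label", ecs_field: "[cef][device_custom_string_1][label]"),
-CEFField.new("deviceCustomString2", key: "cs2", ecs_field: "[cef][device_custom_string_2][value]"),
-CEFField.new("deviceCustomString2Label", key: "cs2Label", ecs_field: "[cef][device_custom_string_2][label]"),
-CEFField.new("deviceCustomString3", key: "cs3", ecs_field: "[cef][device_custom_string_3][value]"),
-CEFField.new("deviceCustomString3Label", key: "cs3Label", ecs_field: "[cef][device_custom_string_3][label]"),
-CEFField.new("deviceCustomString4", key: "cs4", ecs_field: "[cef][device_custom_string_4][value]"),
-CEFField.new("deviceCustomString4Label", key: "cs4Label", ecs_field: "[cef][device_custom_string_4][label]"),
-CEFField.new("deviceCustomString5", key: "cs5", ecs_field: "[cef][device_custom_string_5][value]"),
-CEFField.new("deviceCustomString5Label", key: "cs5Label", ecs_field: "[cef][device_custom_string_5][label]"),
-CEFField.new("deviceCustomString6", key: "cs6", ecs_field: "[cef][device_custom_string_6][value]"),
-CEFField.new("deviceCustomString6Label", key: "cs6Label", ecs_field: "[cef][device_custom_string_6][label]"),
+(1..15).map do |idx|
+[
+CEFField.new("deviceCustomFloatingPoint#{idx}", key: "cfp#{idx}", ecs_field: "[cef][device_custom_floating_point_#{idx}][value]"),
+CEFField.new("deviceCustomFloatingPoint#{idx}Label", key: "cfp#{idx}Label", ecs_field: "[cef][device_custom_floating_point_#{idx}][label]"),
+CEFField.new("deviceCustomIPv6Address#{idx}", key: "c6a#{idx}", ecs_field: "[cef][device_custom_ipv6_address_#{idx}][value]"),
+CEFField.new("deviceCustomIPv6Address#{idx}Label", key: "c6a#{idx}Label", ecs_field: "[cef][device_custom_ipv6_address_#{idx}][label]"),
+CEFField.new("deviceCustomNumber#{idx}", key: "cn#{idx}", ecs_field: "[cef][device_custom_number_#{idx}][value]"),
+CEFField.new("deviceCustomNumber#{idx}Label", key: "cn#{idx}Label", ecs_field: "[cef][device_custom_number_#{idx}][label]"),
+CEFField.new("deviceCustomString#{idx}", key: "cs#{idx}", ecs_field: "[cef][device_custom_string_#{idx}][value]"),
+CEFField.new("deviceCustomString#{idx}Label", key: "cs#{idx}Label", ecs_field: "[cef][device_custom_string_#{idx}][label]"),
+]
+end,
 CEFField.new("deviceDirection", ecs_field: "[network][direction]"),
 CEFField.new("deviceDnsDomain", ecs_field: "[#{@device}][registered_domain]", priority: 10),
 CEFField.new("deviceEventCategory", key: "cat", ecs_field: "[cef][category]"),
@@ -468,7 +448,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
 CEFField.new("eventOutcome", key: "outcome", ecs_field: "[event][outcome]"),
 CEFField.new("externalId", ecs_field: "[cef][external_id]"),
 CEFField.new("fileCreateTime", ecs_field: "[file][created]"),
-CEFField.new("fileHash", ecs_field: "[file][hash]
+CEFField.new("fileHash", ecs_field: "[file][hash]"),
 CEFField.new("fileId", ecs_field: "[file][inode]"),
 CEFField.new("fileModificationTime", ecs_field: "[file][mtime]", normalize: :timestamp),
 CEFField.new("fileName", key: "fname", ecs_field: "[file][name]"),
@@ -517,7 +497,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
 CEFField.new("startTime", key: "start", ecs_field: "[event][start]", normalize: :timestamp),
 CEFField.new("transportProtocol", key: "proto", ecs_field: "[network][transport]"),
 CEFField.new("type", ecs_field: "[cef][type]"),
-].sort_by(&:priority).each do |cef|
+].flatten.sort_by(&:priority).each do |cef|
 field_name = ecs_select[disabled:cef.name, v1:cef.ecs_field]
 
 # whether the source is a cef_key or cef_name, normalize to field_name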
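--- a/data/logstash-codec-cef.gemspec
+++ b/data/logstash-codec-cef.gemspec
@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
 s.name = 'logstash-codec-cef'
-s.version = '6.2.
+s.version = '6.2.4'
 s.platform = 'java'
 s.licenses = ['Apache License (2.0)']
 s.summary = "Reads the ArcSight Common Event Format (CEF)."
@@ -22,7 +22,8 @@ Gem::Specification.new do |s|
 
 # Gem dependencies
 s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
-s.add_runtime_dependency
+s.add_runtime_dependency "logstash-mixin-ecs_compatibility_support", '~> 1.3'
+s.add_runtime_dependency "logstash-mixin-event_support", '~> 1.0'
 
 s.add_development_dependency 'logstash-devutils'
 s.add_development_dependency 'insist'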
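--- a/data/spec/codecs/cef_spec.rb
+++ b/data/spec/codecs/cef_spec.rb
@@ -780,6 +780,29 @@ describe LogStash::Codecs::CEF do
 end
 end
 
+let(:log_with_fileHash) { "Syslogdate Sysloghost CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|fileHash=1bad1dea" }
+it 'decodes fileHash to [file][hash]' do
+decode_one(subject, log_with_fileHash) do |e|
+validate(e)
+insist { e.get(ecs_select[disabled:"fileHash", v1:"[file][hash]"]) } == "1bad1dea"
+end
+end
+
+let(:log_with_custom_typed_fields) { "Syslogdate Sysloghost CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|cfp15=3.1415926 cfp15Label=pi c6a12=::1 c6a12Label=localhost cn7=8191 cn7Label=mersenne cs4=silly cs4Label=theory" }
+it 'decodes to mapped numbered fields' do
+decode_one(subject, log_with_custom_typed_fields) do |e|
+validate(e)
+insist { e.get(ecs_select[disabled: "deviceCustomFloatingPoint15", v1: "[cef][device_custom_floating_point_15][value]"]) } == "3.1415926"
+insist { e.get(ecs_select[disabled: "deviceCustomFloatingPoint15Label", v1: "[cef][device_custom_floating_point_15][label]"]) } == "pi"
+insist { e.get(ecs_select[disabled: "deviceCustomIPv6Address12", v1: "[cef][device_custom_ipv6_address_12][value]"]) } == "::1"
+insist { e.get(ecs_select[disabled: "deviceCustomIPv6Address12Label", v1: "[cef][device_custom_ipv6_address_12][label]"]) } == "localhost"
+insist { e.get(ecs_select[disabled: "deviceCustomNumber7", v1: "[cef][device_custom_number_7][value]"]) } == "8191"
+insist { e.get(ecs_select[disabled: "deviceCustomNumber7Label", v1: "[cef][device_custom_number_7][label]"]) } == "mersenne"
+insist { e.get(ecs_select[disabled: "deviceCustomString4", v1: "[cef][device_custom_string_4][value]"]) } == "silly"
+insist { e.get(ecs_select[disabled: "deviceCustomString4Label", v1: "[cef][device_custom_string_4][label]"]) } == "theory"
+end
+end
+
 context 'with UTF-8 message' do
 let(:message) { 'CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|src=192.168.1.11 target=aaaaaああああaaaa msg=Description Omitted' }
 
@@ -850,7 +873,7 @@ describe LogStash::Codecs::CEF do
 
 let(:results) { [] }
 
-ecs_compatibility_matrix(:disabled
+ecs_compatibility_matrix(:disabled, :v1, :v8 => :v1) do |ecs_select|
 before(:each) do
 allow_any_instance_of(described_class).to receive(:ecs_compatibility).and_return(ecs_compatibility)
 end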
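--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-codec-cef
 version: !ruby/object:Gem::Version
-version: 6.2.
+version: 6.2.4
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2022-03-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement
@@ -35,7 +35,7 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '1.
+version: '1.3'
 name: logstash-mixin-ecs_compatibility_support
 prerelease: false
 type: :runtime
@@ -43,7 +43,21 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '1.
+version: '1.3'
+- !ruby/object:Gem::Dependency
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.0'
+name: logstash-mixin-event_support
+prerelease: false
+type: :runtime
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.0'
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement
 requirements:
@@ -113,8 +127,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-
-rubygems_version: 2.6.13
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Reads the ArcSight Common Event Format (CEF).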