logstash-codec-cef 6.2.2-java → 6.2.5-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d6769d2631f2bd27a0e5d4efebcdf5522eb2e1e843fef3d195ca804d4e68e1cb
-  data.tar.gz: 97a5acd21e5041dbb91129819ed13b4989f269acaccbc134a26be5c6a83535e6
+  metadata.gz: 03b13f5507c5f1bdb5f09668a2bcb445dd5d93014b91cb9c17272b7445a787ff
+  data.tar.gz: a25d40bf2ccd77baacc58dd4d49b69da9c7e0b616537d306b937807915d36115
 SHA512:
-  metadata.gz: 7a1021a17d1c87f07bf61f5583acda25f69e69c7946191056d93f0c8c0e9f1ad3aea6489b14fb78754c92507114d588ba36513d7ba9d39e861550d02aeaa7cab
-  data.tar.gz: ff9ce9b27c9c4ae1cc5440cecd9e6113989507e030bf609683de344645536eb1a713149e70da2f87638dd553e493145c750f54e5e560d5b938829b8d0b6404e8
+  metadata.gz: d600beff671cd1d1a287c153bf4dac27922ea8ca109fc92d3b43c18ea69fdbf645b53067d36cd859604e8013a14010397bd6b0640b4173977ff95a6800f563be
+  data.tar.gz: 4ef42b63bf2c8fdf535c6c7106149dcf7df4e269fd1299708ed3a290d9ceedace58eaf46c002eaa18afb174a2670edf6abea392c120e7eea606de5bb9f8d3bec

data/CHANGELOG.md

@@ -1,16 +1,25 @@
+## 6.2.5
+  - [DOC] Update link to CEF implementation guide [#97](https://github.com/logstash-plugins/logstash-codec-cef/pull/97)
+
+## 6.2.4
+  - [DOC] Emphasize importance of delimiter setting for byte stream inputs [#95](https://github.com/logstash-plugins/logstash-codec-cef/pull/95)
+
+## 6.2.3
+  - Feat: event_factory support [#94](https://github.com/logstash-plugins/logstash-codec-cef/pull/94)
+
 ## 6.2.2
  - Fixed invalid Field Reference that could occur when ECS mode was enabled and the CEF field `fileHash` was parsed.
- - Added expanded mapping for numbered `deviceCustom*` and `deviceCustom*Label` fields so that all now include numbers 1 through 15.
+ - Added expanded mapping for numbered `deviceCustom*` and `deviceCustom*Label` fields so that all now include numbers 1 through 15. [#89](https://github.com/logstash-plugins/logstash-codec-cef/pull/89).
 
 ## 6.2.1
  - Added field mapping to docs.
- - Fixed ECS mapping of `deviceMacAddress` field.
+ - Fixed ECS mapping of `deviceMacAddress` field. [#88](https://github.com/logstash-plugins/logstash-codec-cef/pull/88).
 
 ## 6.2.0
  - Introduce ECS Compatibility mode [#83](https://github.com/logstash-plugins/logstash-codec-cef/pull/83).
 
 ## 6.1.2
- - Added error log with full payload when something bad happens in decoding a message[#84](https://github.com/logstash-plugins/logstash-codec-cef/pull/84)
+ - Added error log with full payload when something bad happens in decoding a message [#84](https://github.com/logstash-plugins/logstash-codec-cef/pull/84)
 
 ## 6.1.1
  - Improved encoding performance, especially when encoding many extension fields [#81](https://github.com/logstash-plugins/logstash-codec-cef/pull/81)

data/docs/index.asciidoc

@@ -20,12 +20,11 @@ include::{include_path}/plugin_header.asciidoc[]
 
 ==== Description
 
-Implementation of a Logstash codec for the ArcSight Common Event Format (CEF)
-Based on Revision 20 of Implementing ArcSight CEF, dated from June 05, 2013
-https://community.saas.hpe.com/dcvta86296/attachments/dcvta86296/connector-documentation/1116/1/CommonEventFormatv23.pdf
+Implementation of a Logstash codec for the ArcSight Common Event Format (CEF).
+It is based on https://www.microfocus.com/documentation/arcsight/arcsight-smartconnectors/pdfdoc/common-event-format-v25/common-event-format-v25.pdf[Implementing ArcSight CEF Revision 25, September 2017].
 
-If this codec receives a payload from an input that is not a valid CEF message, then it will
-produce an event with the payload as the 'message' field and a '_cefparsefailure' tag.
+If this codec receives a payload from an input that is not a valid CEF message, then it
+produces an event with the payload as the 'message' field and a '_cefparsefailure' tag.
 
 ==== Compatibility with the Elastic Common Schema (ECS)
 
@@ -441,14 +440,19 @@ not include timezone information, this `default_timezone` is used instead.
 If your input puts a delimiter between each CEF event, you'll want to set
 this to be that delimiter.
 
-For example, with the TCP input, you probably want to put this:
+NOTE: Byte stream inputs such as TCP require delimiter to be specified. Otherwise input can be truncated or incorrectly split.
 
+**Example**
+
+[source,ruby]
+-----
     input {
       tcp {
         codec => cef { delimiter => "\r\n" }
         # ...
       }
     }
+-----
 
 This setting allows the following character sequences to have special meaning:
 
@@ -484,9 +488,7 @@ If the codec handles data from a variety of sources, the ECS recommendation is t
 ** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
 ** Otherwise, the default value is `disabled`.
 
-Controls this plugin's compatibility with the
-{ecs-ref}[Elastic Common Schema (ECS)]
-(ECS)].
+Controls this plugin's compatibility with the {ecs-ref}[Elastic Common Schema (ECS)].
 
 [id="plugins-{type}s-{plugin}-fields"]
 ===== `fields` 

data/lib/logstash/codecs/cef.rb

@@ -6,6 +6,7 @@ require "json"
 require "time"
 
 require 'logstash/plugin_mixins/ecs_compatibility_support'
+require 'logstash/plugin_mixins/event_support/event_factory_adapter'
 
 # Implementation of a Logstash codec for the ArcSight Common Event Format (CEF)
 # Based on Revision 20 of Implementing ArcSight CEF, dated from June 05, 2013
@@ -16,7 +17,8 @@ require 'logstash/plugin_mixins/ecs_compatibility_support'
 class LogStash::Codecs::CEF < LogStash::Codecs::Base
   config_name "cef"
 
-  include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1)
+  include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1, :v8 => :v1)
+  include LogStash::PluginMixins::EventSupport::EventFactoryAdapter
 
   InvalidTimestamp = Class.new(StandardError)
 
@@ -201,7 +203,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
 
   def handle(data, &block)
     original_data = data.dup
-    event = LogStash::Event.new
+    event = event_factory.new_event
     event.set(raw_data_field, data) unless raw_data_field.nil?
 
     @utf8_charset.convert(data)
@@ -282,7 +284,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
   rescue => e
     @logger.error("Failed to decode CEF payload. Generating failure event with payload in message field.",
                   :exception => e.class, :message => e.message, :backtrace => e.backtrace, :original_data => original_data)
-    yield LogStash::Event.new("message" => data, "tags" => ["_cefparsefailure"])
+    yield event_factory.new_event("message" => data, "tags" => ["_cefparsefailure"])
   end
 
   public

data/logstash-codec-cef.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-codec-cef'
-  s.version         = '6.2.2'
+  s.version         = '6.2.5'
   s.platform        = 'java'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Reads the ArcSight Common Event Format (CEF)."
@@ -22,7 +22,8 @@ Gem::Specification.new do |s|
 
   # Gem dependencies
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
-  s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~>1.1'
+  s.add_runtime_dependency "logstash-mixin-ecs_compatibility_support", '~> 1.3'
+  s.add_runtime_dependency "logstash-mixin-event_support", '~> 1.0'
 
   s.add_development_dependency 'logstash-devutils'
   s.add_development_dependency 'insist'

data/spec/codecs/cef_spec.rb

@@ -873,7 +873,7 @@ describe LogStash::Codecs::CEF do
 
     let(:results)   { [] }
 
-    ecs_compatibility_matrix(:disabled,:v1) do |ecs_select|
+    ecs_compatibility_matrix(:disabled, :v1, :v8 => :v1) do |ecs_select|
       before(:each) do
         allow_any_instance_of(described_class).to receive(:ecs_compatibility).and_return(ecs_compatibility)
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-codec-cef
 version: !ruby/object:Gem::Version
-  version: 6.2.2
+  version: 6.2.5
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-06-22 00:00:00.000000000 Z
+date: 2022-04-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -35,7 +35,7 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.3'
   name: logstash-mixin-ecs_compatibility_support
   prerelease: false
   type: :runtime
@@ -43,7 +43,21 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  name: logstash-mixin-event_support
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -113,8 +127,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.6.13
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Reads the ArcSight Common Event Format (CEF).