logstash-codec-cef 6.2.6-java → 6.2.7-java
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/lib/logstash/codecs/cef.rb +5 -3
- data/logstash-codec-cef.gemspec +1 -1
- data/spec/codecs/cef_spec.rb +20 -0
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 01a376239bfb11df166dda071f0227e6f2d9765f51683771728c98b586a5fd7e
|
|
4
|
+
data.tar.gz: 1d3fd32cb4e91a8a90d1711aa680d9af0960a50fde8766da8b1d58227850698f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: e020603736e15555195a08e450e3507bb20ede46d4577d28ad1d9af1972983c74fed1b8367ff85125515466392854e87fb65d8be9968eba61766ca76eb70d391
|
|
7
|
+
data.tar.gz: 1fa60af07dabf0482c6ca8fcf0431c2358503042f8a6ade62824a4e638dcac831b293b47f2b93c933deb2a5cac995fb278623bfa0c547f3987c46e32ae28836c
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,6 @@
|
|
|
1
|
+
## 6.2.7
|
|
2
|
+
- Fix: when decoding in an ecs_compatibility mode, timestamp-normalized fields now handle provided-but-empty values [#102](https://github.com/logstash-plugins/logstash-codec-cef/issues/102)
|
|
3
|
+
|
|
1
4
|
## 6.2.6
|
|
2
5
|
- Fix: when decoding, escaped newlines and carriage returns in extension values are now correctly decoded into literal newlines and carriage returns respectively [#98](https://github.com/logstash-plugins/logstash-codec-cef/pull/98)
|
|
3
6
|
- Fix: when decoding, non-CEF payloads are identified and intercepted to prevent data-loss and corruption. They now cause a descriptive log message to be emitted, and are emitted as their own `_cefparsefailure`-tagged event containing the original bytes in its `message` field [#99](https://github.com/logstash-plugins/logstash-codec-cef/issues/99)
|
data/lib/logstash/codecs/cef.rb
CHANGED
|
@@ -201,7 +201,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
|
|
|
201
201
|
end
|
|
202
202
|
|
|
203
203
|
require_relative 'cef/timestamp_normalizer'
|
|
204
|
-
@
|
|
204
|
+
@timestamp_normalizer = TimestampNormalizer.new(locale: @locale, timezone: @default_timezone)
|
|
205
205
|
|
|
206
206
|
generate_header_fields!
|
|
207
207
|
generate_mappings!
|
|
@@ -604,9 +604,11 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
|
|
|
604
604
|
end
|
|
605
605
|
|
|
606
606
|
def normalize_timestamp(value, device_timezone_name)
|
|
607
|
-
value
|
|
607
|
+
return nil if value.nil? || value.to_s.strip.empty?
|
|
608
608
|
|
|
609
|
-
|
|
609
|
+
normalized = @timestamp_normalizer.normalize(value, device_timezone_name).iso8601(9)
|
|
610
|
+
|
|
611
|
+
LogStash::Timestamp.new(normalized)
|
|
610
612
|
rescue => e
|
|
611
613
|
@logger.error("Failed to parse CEF timestamp value `#{value}` (#{e.message})")
|
|
612
614
|
raise InvalidTimestamp.new("Not a valid CEF timestamp: `#{value}`")
|
data/logstash-codec-cef.gemspec
CHANGED
data/spec/codecs/cef_spec.rb
CHANGED
|
@@ -721,6 +721,26 @@ describe LogStash::Codecs::CEF do
|
|
|
721
721
|
end
|
|
722
722
|
end
|
|
723
723
|
|
|
724
|
+
context "timestamp-normalized fields" do
|
|
725
|
+
context 'empty values' do
|
|
726
|
+
let(:message_with_empty_start) { %Q{CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|Very-High| eventId=1 msg=Worm successfully stopped start=} }
|
|
727
|
+
if ecs_select.active_mode == :disabled
|
|
728
|
+
it 'leaves the empty value in-tact' do
|
|
729
|
+
decode_one(subject, message_with_empty_start) do |event|
|
|
730
|
+
expect(event.get('startTime')).to eq('')
|
|
731
|
+
end
|
|
732
|
+
end
|
|
733
|
+
else
|
|
734
|
+
it 'stores a nil value' do
|
|
735
|
+
decode_one(subject, message_with_empty_start) do |event|
|
|
736
|
+
expect(event).to include '[event][start]'
|
|
737
|
+
expect(event.get('[event][start]')).to be nil
|
|
738
|
+
end
|
|
739
|
+
end
|
|
740
|
+
end
|
|
741
|
+
end
|
|
742
|
+
end
|
|
743
|
+
|
|
724
744
|
let(:malformed_unescaped_equals_in_extension_value) { %q{CEF:0|FooBar|Web Gateway|1.2.3.45.67|200|Success|2|rt=Sep 07 2018 14:50:39 cat=Access Log dst=1.1.1.1 dhost=foo.example.com suser=redacted src=2.2.2.2 requestMethod=POST request='https://foo.example.com/bar/bingo/1' requestClientApplication='Foo-Bar/2018.1.7; Email:user@example.com; Guid:test=' cs1= cs1Label=Foo Bar} }
|
|
725
745
|
it 'should split correctly' do
|
|
726
746
|
decode_one(subject, malformed_unescaped_equals_in_extension_value) do |event|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-codec-cef
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.2.
|
|
4
|
+
version: 6.2.7
|
|
5
5
|
platform: java
|
|
6
6
|
authors:
|
|
7
7
|
- Elastic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2023-05-12 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -127,7 +127,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
127
127
|
- !ruby/object:Gem::Version
|
|
128
128
|
version: '0'
|
|
129
129
|
requirements: []
|
|
130
|
-
rubygems_version: 3.
|
|
130
|
+
rubygems_version: 3.2.33
|
|
131
131
|
signing_key:
|
|
132
132
|
specification_version: 4
|
|
133
133
|
summary: Reads the ArcSight Common Event Format (CEF).
|