logstash-codec-cef 6.2.6-java → 6.2.8-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 344660a8caa1f5fbdde48422db80b287e6afff7e8c1d3ebdeb5f70269431a514
-  data.tar.gz: 9f061964eae0cdcd46fcefe9b5feefc05c72074935c44d83a8f35c5e54564a6c
+  metadata.gz: e6bb25740f5ef4da9a3941d006e2d678c2e17ca9ae97b4edfd1260e51f734b9f
+  data.tar.gz: 45f6488d3872b77e6e8dd772340ea26682610fbbe2d40573d7818439a6d201f8
 SHA512:
-  metadata.gz: 791c750b7085fbefec2e71537d4452174e851bfa28a7d6f046f67d07a543148ebceb51acbc8356b42c90fb2f0fcac28c29ce5f95624ac598070f5389e3f95f72
-  data.tar.gz: c995d8153001929fad98c0dab84664f6af1c6c7b4b873f1be2277d5b0f64e45531178c73fc8fa339ee7c4644c118cf2cfce37c812a4ea6cd6f9d2221d543a470
+  metadata.gz: 8da96accea3e8be07ea9dc8c26c02efd482f6a761bd00ef6c1988b61d069bc84172648751af79dd78e1dc04d70dcd5351b8b5f5921f0cd16cc57b3109ebac3a0
+  data.tar.gz: d7d27a6b559fecef336fdf6fc25cbc2c0a6c99266d22045dab6e5cc80bfdf12f14dca919af28e25aaecfc9b2d9242506f28789a263bf73fce370b7e711cdc793

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 6.2.8
+ - [Doc] Added `raw_data_field` to docs. [#105](https://github.com/logstash-plugins/logstash-codec-cef/pull/105)
+
+## 6.2.7
+ - Fix: when decoding in an ecs_compatibility mode, timestamp-normalized fields now handle provided-but-empty values [#102](https://github.com/logstash-plugins/logstash-codec-cef/issues/102)
+
 ## 6.2.6
  - Fix: when decoding, escaped newlines and carriage returns in extension values are now correctly decoded into literal newlines and carriage returns respectively [#98](https://github.com/logstash-plugins/logstash-codec-cef/pull/98)
  - Fix: when decoding, non-CEF payloads are identified and intercepted to prevent data-loss and corruption. They now cause a descriptive log message to be emitted, and are emitted as their own `_cefparsefailure`-tagged event containing the original bytes in its `message` field [#99](https://github.com/logstash-plugins/logstash-codec-cef/issues/99)

data/docs/index.asciidoc

@@ -407,6 +407,7 @@ The following is a mapping between these fields.
 | <<plugins-{type}s-{plugin}-locale>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-name>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-product>> |<<string,string>>|No
+| <<plugins-{type}s-{plugin}-raw_data_field>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-reverse_mapping>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-severity>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-signature>> |<<string,string>>|No
@@ -535,6 +536,13 @@ When this codec is used in an Output Plugin, this option can be used to specify
 value of the device product field in CEF header. The new value can include `%{foo}` strings
 to help you build a new value from other parts of the event.
 
+[id="plugins-{type}s-{plugin}-raw_data_field"]
+===== `raw_data_field` 
+
+  * Value type is <<string,string>>
+  * There is no default value for this setting
+
+Store the raw data to the field, for example `[event][original]`. Existing target field will be overriden.
 
 [id="plugins-{type}s-{plugin}-reverse_mapping"]
 ===== `reverse_mapping`

data/lib/logstash/codecs/cef.rb

@@ -201,7 +201,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
     end
 
     require_relative 'cef/timestamp_normalizer'
-    @timestamp_normalzer = TimestampNormalizer.new(locale: @locale, timezone: @default_timezone)
+    @timestamp_normalizer = TimestampNormalizer.new(locale: @locale, timezone: @default_timezone)
 
     generate_header_fields!
     generate_mappings!
@@ -604,9 +604,11 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
   end
 
   def normalize_timestamp(value, device_timezone_name)
-    value = @timestamp_normalzer.normalize(value, device_timezone_name).iso8601(9)
+    return nil if value.nil? || value.to_s.strip.empty?
 
-    LogStash::Timestamp.new(value)
+    normalized = @timestamp_normalizer.normalize(value, device_timezone_name).iso8601(9)
+
+    LogStash::Timestamp.new(normalized)
   rescue => e
     @logger.error("Failed to parse CEF timestamp value `#{value}` (#{e.message})")
     raise InvalidTimestamp.new("Not a valid CEF timestamp: `#{value}`")

data/logstash-codec-cef.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-codec-cef'
-  s.version         = '6.2.6'
+  s.version         = '6.2.8'
   s.platform        = 'java'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Reads the ArcSight Common Event Format (CEF)."

data/spec/codecs/cef_spec.rb

@@ -721,6 +721,26 @@ describe LogStash::Codecs::CEF do
         end
       end
 
+      context "timestamp-normalized fields" do
+        context 'empty values' do
+          let(:message_with_empty_start) { %Q{CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|Very-High| eventId=1 msg=Worm successfully stopped start=} }
+          if ecs_select.active_mode == :disabled
+            it 'leaves the empty value in-tact' do
+              decode_one(subject, message_with_empty_start) do |event|
+                expect(event.get('startTime')).to eq('')
+              end
+            end
+          else
+            it 'stores a nil value' do
+              decode_one(subject, message_with_empty_start) do |event|
+                expect(event).to include '[event][start]'
+                expect(event.get('[event][start]')).to be nil
+              end
+            end
+          end
+        end
+      end
+
       let(:malformed_unescaped_equals_in_extension_value) { %q{CEF:0|FooBar|Web Gateway|1.2.3.45.67|200|Success|2|rt=Sep 07 2018 14:50:39 cat=Access Log dst=1.1.1.1 dhost=foo.example.com suser=redacted src=2.2.2.2 requestMethod=POST request='https://foo.example.com/bar/bingo/1' requestClientApplication='Foo-Bar/2018.1.7; Email:user@example.com; Guid:test=' cs1= cs1Label=Foo Bar} }
       it 'should split correctly' do
         decode_one(subject, malformed_unescaped_equals_in_extension_value) do |event|

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-codec-cef
 version: !ruby/object:Gem::Version
-  version: 6.2.6
+  version: 6.2.8
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-10-26 00:00:00.000000000 Z
+date: 2024-10-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -20,8 +20,8 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '2.99'
   name: logstash-core-plugin-api
-  prerelease: false
   type: :runtime
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -37,8 +37,8 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '1.3'
   name: logstash-mixin-ecs_compatibility_support
-  prerelease: false
   type: :runtime
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
@@ -51,8 +51,8 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '1.0'
   name: logstash-mixin-event_support
-  prerelease: false
   type: :runtime
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
@@ -65,8 +65,8 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
   name: logstash-devutils
-  prerelease: false
   type: :development
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -79,8 +79,8 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
   name: insist
-  prerelease: false
   type: :development
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -127,7 +127,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.3.26
 signing_key:
 specification_version: 4
 summary: Reads the ArcSight Common Event Format (CEF).