logstash-codec-cef 6.2.6-java → 6.2.8-java
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/docs/index.asciidoc +8 -0
- data/lib/logstash/codecs/cef.rb +5 -3
- data/logstash-codec-cef.gemspec +1 -1
- data/spec/codecs/cef_spec.rb +20 -0
- metadata +8 -8
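--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: e6bb25740f5ef4da9a3941d006e2d678c2e17ca9ae97b4edfd1260e51f734b9f
+data.tar.gz: 45f6488d3872b77e6e8dd772340ea26682610fbbe2d40573d7818439a6d201f8
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8da96accea3e8be07ea9dc8c26c02efd482f6a761bd00ef6c1988b61d069bc84172648751af79dd78e1dc04d70dcd5351b8b5f5921f0cd16cc57b3109ebac3a0
+data.tar.gz: d7d27a6b559fecef336fdf6fc25cbc2c0a6c99266d22045dab6e5cc80bfdf12f14dca919af28e25aaecfc9b2d9242506f28789a263bf73fce370b7e711cdc793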
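--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 6.2.8
+- [Doc] Added `raw_data_field` to docs. [#105](https://github.com/logstash-plugins/logstash-codec-cef/pull/105)
+
+## 6.2.7
+- Fix: when decoding in an ecs_compatibility mode, timestamp-normalized fields now handle provided-but-empty values [#102](https://github.com/logstash-plugins/logstash-codec-cef/issues/102)
+
 ## 6.2.6
 - Fix: when decoding, escaped newlines and carriage returns in extension values are now correctly decoded into literal newlines and carriage returns respectively [#98](https://github.com/logstash-plugins/logstash-codec-cef/pull/98)
 - Fix: when decoding, non-CEF payloads are identified and intercepted to prevent data-loss and corruption. They now cause a descriptive log message to be emitted, and are emitted as their own `_cefparsefailure`-tagged event containing the original bytes in its `message` field [#99](https://github.com/logstash-plugins/logstash-codec-cef/issues/99)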
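--- a/data/docs/index.asciidoc
+++ b/data/docs/index.asciidoc
@@ -407,6 +407,7 @@ The following is a mapping between these fields.
 | <<plugins-{type}s-{plugin}-locale>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-name>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-product>> |<<string,string>>|No
+| <<plugins-{type}s-{plugin}-raw_data_field>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-reverse_mapping>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-severity>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-signature>> |<<string,string>>|No
@@ -535,6 +536,13 @@ When this codec is used in an Output Plugin, this option can be used to specify
 value of the device product field in CEF header. The new value can include `%{foo}` strings
 to help you build a new value from other parts of the event.
 
+[id="plugins-{type}s-{plugin}-raw_data_field"]
+===== `raw_data_field`
+
+* Value type is <<string,string>>
+* There is no default value for this setting
+
+Store the raw data to the field, for example `[event][original]`. Existing target field will be overriden.
 
 [id="plugins-{type}s-{plugin}-reverse_mapping"]
 ===== `reverse_mapping`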
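--- a/data/lib/logstash/codecs/cef.rb
+++ b/data/lib/logstash/codecs/cef.rb
@@ -201,7 +201,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
 end
 
 require_relative 'cef/timestamp_normalizer'
-@
+@timestamp_normalizer = TimestampNormalizer.new(locale: @locale, timezone: @default_timezone)
 
 generate_header_fields!
 generate_mappings!
@@ -604,9 +604,11 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
 end
 
 def normalize_timestamp(value, device_timezone_name)
-value
+return nil if value.nil? || value.to_s.strip.empty?
 
-
+normalized = @timestamp_normalizer.normalize(value, device_timezone_name).iso8601(9)
+
+LogStash::Timestamp.new(normalized)
 rescue => e
 @logger.error("Failed to parse CEF timestamp value `#{value}` (#{e.message})")
 raise InvalidTimestamp.new("Not a valid CEF timestamp: `#{value}`")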
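Review bot: The `rescue` branch at the end of this hunk interpolates the raw, sender-controlled `value` into both the error log line and the `InvalidTimestamp` message, and the new code leaves it untouched by assigning the parsed result to `normalized`. The 6.2.6 changelog entry on this page says escaped newlines and carriage returns in extension values are decoded to literal ones, so, if that decoding runs before normalization, a malformed timestamp can split one log entry across several lines in plain-text logs. Quoting the value closes that off: `@logger.error("Failed to parse CEF timestamp value #{value.inspect} (#{e.message})")`, and likewise in the `raise`. The new early return also deserves a one-line comment such as `# blank or missing timestamps are returned as nil instead of raising InvalidTimestamp`. The end of `normalize_timestamp` lies outside the hunk.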
data/logstash-codec-cef.gemspec
CHANGED
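--- a/data/spec/codecs/cef_spec.rb
+++ b/data/spec/codecs/cef_spec.rb
@@ -721,6 +721,26 @@ describe LogStash::Codecs::CEF do
 end
 end
 
+context "timestamp-normalized fields" do
+context 'empty values' do
+let(:message_with_empty_start) { %Q{CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|Very-High| eventId=1 msg=Worm successfully stopped start=} }
+if ecs_select.active_mode == :disabled
+it 'leaves the empty value in-tact' do
+decode_one(subject, message_with_empty_start) do |event|
+expect(event.get('startTime')).to eq('')
+end
+end
+else
+it 'stores a nil value' do
+decode_one(subject, message_with_empty_start) do |event|
+expect(event).to include '[event][start]'
+expect(event.get('[event][start]')).to be nil
+end
+end
+end
+end
+end
+
 let(:malformed_unescaped_equals_in_extension_value) { %q{CEF:0|FooBar|Web Gateway|1.2.3.45.67|200|Success|2|rt=Sep 07 2018 14:50:39 cat=Access Log dst=1.1.1.1 dhost=foo.example.com suser=redacted src=2.2.2.2 requestMethod=POST request='https://foo.example.com/bar/bingo/1' requestClientApplication='Foo-Bar/2018.1.7; Email:user@example.com; Guid:test=' cs1= cs1Label=Foo Bar} }
 it 'should split correctly' do
 decode_one(subject, malformed_unescaped_equals_in_extension_value) do |event|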
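Review bot: The new `empty values` context covers only a trailing `start=` with nothing after it, while the guard added to `normalize_timestamp` also treats whitespace-only values as empty, and that branch has no example here. A second example such as `it 'stores a nil value when the empty field is not last'`, built on a message ending `eventId=1 start= msg=Worm successfully stopped`, would pin that behaviour; whether the parser passes `''` or `' '` to the method in that case is not visible from this hunk. The description `'leaves the empty value in-tact'` should read `intact`. The enclosing `describe` block starts and ends outside the hunk.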
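--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-codec-cef
 version: !ruby/object:Gem::Version
-version: 6.2.
+version: 6.2.8
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2024-10-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement
@@ -20,8 +20,8 @@ dependencies:
 - !ruby/object:Gem::Version
 version: '2.99'
 name: logstash-core-plugin-api
-prerelease: false
 type: :runtime
+prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
@@ -37,8 +37,8 @@ dependencies:
 - !ruby/object:Gem::Version
 version: '1.3'
 name: logstash-mixin-ecs_compatibility_support
-prerelease: false
 type: :runtime
+prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
@@ -51,8 +51,8 @@ dependencies:
 - !ruby/object:Gem::Version
 version: '1.0'
 name: logstash-mixin-event_support
-prerelease: false
 type: :runtime
+prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
@@ -65,8 +65,8 @@ dependencies:
 - !ruby/object:Gem::Version
 version: '0'
 name: logstash-devutils
-prerelease: false
 type: :development
+prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
@@ -79,8 +79,8 @@ dependencies:
 - !ruby/object:Gem::Version
 version: '0'
 name: insist
-prerelease: false
 type: :development
+prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
@@ -127,7 +127,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
+rubygems_version: 3.3.26
 signing_key:
 specification_version: 4
 summary: Reads the ArcSight Common Event Format (CEF).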