logstash-codec-cef 0.1.1 → 0.1.3

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 87b1c006ad2c6b9f408a1916584c8395aaa1055e
4
- data.tar.gz: 3be4bfb1d8b3b2ef05cb22a35adb2f734bfe57a4
3
+ metadata.gz: aff6387623a45295597fec46cc743482346abc96
4
+ data.tar.gz: 2f33a701cc5dc39ca149a94e781e68956fa0242a
5
5
  SHA512:
6
- metadata.gz: cdde709159e93287bdfa22bb4b233d2e5d044132ea29c1a4610e260f3cc5b9a3c6b3b6095bffb8a82cba4dead39eba9553106b2da1d22dbe0ed97da482238697
7
- data.tar.gz: cc9f48c5c29e2f922fbe291b50e0ec907e96fcbe47ec32bd8f5e82c3b597e63c4419a3f2dfb9ffef0a81baa003e6aa737c2583cb16b0486749e47f894d8b1e7b
6
+ metadata.gz: 63891ca7444ab5129cb2d0ac7c374b2be40f50d475fc555791e825d24631e13ee3a9f6add3bf35f2a59a1fdc598bae9239028a820ce74090059120a5db3e34b1
7
+ data.tar.gz: f8a9479c006edd2385ed9a6b2bf82043c04587b8dce485d7e496bbd01353501415d4539783634206c8d6c89a949c9be249ba84360896f7e615952ce2ce10c7b9
data/.gitignore ADDED
@@ -0,0 +1,4 @@
1
+ build
2
+ vendor
3
+ tools
4
+ .VERSION.mk
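Review bot: this `.gitignore` ends up inside the shipped gem (it appears in the metadata `files:` list further down as `- .gitignore`), which means the gemspec's file glob is too broad; exclude dotfiles there rather than packaging them. The entries themselves (`build`, `vendor`, `tools`, `.VERSION.mk`) belong to the `make tarball` / `./build` workflow that the deleted DEVELOPER.md described, and the README in this same diff drops `rake vendor:gems` in favour of `bin/plugin install`, so check whether any of them still correspond to files this repository produces.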
data/CONTRIBUTORS ADDED
@@ -0,0 +1,17 @@
1
+ The following is a list of people who have contributed ideas, code, bug
2
+ reports, or in general have helped logstash along its way.
3
+
4
+ Contributors:
5
+ * Aaron Mildenstein (untergeek)
6
+ * Colin Surprenant (colinsurprenant)
7
+ * Jason Kendall (coolacid)
8
+ * Jordan Sissel (jordansissel)
9
+ * João Duarte (jsvd)
10
+ * Nick Ethier (nickethier)
11
+ * Pete Fritchman (fetep)
12
+ * Pier-Hugues Pellerin (ph)
13
+
14
+ Note: If you've sent us patches, bug reports, or otherwise contributed to
15
+ Logstash, and you aren't on the list above and want to be, please let us know
16
+ and we'll make sure you're here. Contributions from folks like you are what make
17
+ open source awesome.
data/Gemfile CHANGED
@@ -1,3 +1,2 @@
1
1
  source 'https://rubygems.org'
2
- gemspec
3
- gem "logstash", :github => "elasticsearch/logstash", :branch => "1.5"
2
+ gemspec
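Review bot: with the `gem "logstash", :github => "elasticsearch/logstash", :branch => "1.5"` line gone, `gemspec` is the only source, so Bundler now resolves whatever `logstash-core` satisfies the gemspec's `>= 1.4.0, < 2.0.0` from rubygems.org at install time, and with no lockfile in the diff that can be a different version on every `bundle install`. If tracking the 1.5 branch was the point of the old line, replace it with the equivalent `logstash-core` source or tighten the version range in the gemspec so test runs are reproducible.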
data/README.md CHANGED
@@ -22,7 +22,7 @@ Need help? Try #logstash on freenode IRC or the logstash-users@googlegroups.com
22
22
  #### Code
23
23
  - To get started, you'll need JRuby with the Bundler gem installed.
24
24
 
25
- - Create a new plugin or clone and existing from the GitHub [logstash-plugins](https://github.com/logstash-plugins) organization.
25
+ - Create a new plugin or clone and existing from the GitHub [logstash-plugins](https://github.com/logstash-plugins) organization. We also provide [example plugins](https://github.com/logstash-plugins?query=example).
26
26
 
27
27
  - Install dependencies
28
28
  ```sh
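Review bot: the rewritten line 25 keeps the typo from the line it replaces, `clone and existing` should read `clone an existing`. The added `example plugins` link is a GitHub organisation search (`?query=example`) rather than a repository; that works, but say so, because a reader expects a link labelled that way to land on code.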
@@ -31,26 +31,15 @@ bundle install
31
31
 
32
32
  #### Test
33
33
 
34
- ```sh
35
- bundle exec rspec
36
- ```
34
+ - Update your dependencies
37
35
 
38
- The Logstash code required to run the tests/specs is specified in the `Gemfile` by the line similar to:
39
- ```ruby
40
- gem "logstash", :github => "elasticsearch/logstash", :branch => "1.5"
41
- ```
42
- To test against another version or a local Logstash, edit the `Gemfile` to specify an alternative location, for example:
43
- ```ruby
44
- gem "logstash", :github => "elasticsearch/logstash", :ref => "master"
45
- ```
46
- ```ruby
47
- gem "logstash", :path => "/your/local/logstash"
36
+ ```sh
37
+ bundle install
48
38
  ```
49
39
 
50
- Then update your dependencies and run your tests:
40
+ - Run tests
51
41
 
52
42
  ```sh
53
- bundle install
54
43
  bundle exec rspec
55
44
  ```
56
45
 
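Review bot: the removed paragraph was the only place that told a developer how to run the specs against a different or local Logstash (`gem "logstash", :path => "/your/local/logstash"`), and the new `Update your dependencies` / `Run tests` steps do not replace it. Since the runtime dependency is now `logstash-core` taken from the gemspec, either document the equivalent `:path` override for `logstash-core` in the `Gemfile` or state plainly that the specs always run against the released gem.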
@@ -58,13 +47,13 @@ bundle exec rspec
58
47
 
59
48
  #### 2.1 Run in a local Logstash clone
60
49
 
61
- - Edit Logstash `tools/Gemfile` and add the local plugin path, for example:
50
+ - Edit Logstash `Gemfile` and add the local plugin path, for example:
62
51
  ```ruby
63
52
  gem "logstash-filter-awesome", :path => "/your/local/logstash-filter-awesome"
64
53
  ```
65
- - Update Logstash dependencies
54
+ - Install plugin
66
55
  ```sh
67
- rake vendor:gems
56
+ bin/plugin install --no-verify
68
57
  ```
69
58
  - Run Logstash with your plugin
70
59
  ```sh
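Review bot: `bin/plugin install --no-verify` is presented with no explanation of what verification is being skipped or why it is needed here; a reader copying this into an installed Logstash will leave verification off for every plugin they install, not just one loaded from a `:path`. Say which check the flag disables and that it is only required because the gem is being installed from a local checkout rather than from rubygems.org. The `gem "logstash-filter-awesome", :path => ...` example above also still names a filter in a codec plugin's README; `logstash-codec-cef` would be less confusing.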
@@ -74,6 +63,8 @@ At this point any modifications to the plugin code will be applied to this local
74
63
 
75
64
  #### 2.2 Run in an installed Logstash
76
65
 
66
+ You can use the same **2.1** method to run your plugin in an installed Logstash by editing its `Gemfile` and pointing the `:path` to your local plugin development directory or you can build the gem and install it using:
67
+
77
68
  - Build your plugin gem
78
69
  ```sh
79
70
  gem build logstash-filter-awesome.gemspec
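Review bot: the sentence added at line 66 runs two alternatives into one long clause; split it into the `:path` route and the build-and-install route. It also says to use `the same **2.1** method` but then describes only the `Gemfile` edit, so state whether the `bin/plugin install --no-verify` step from 2.1 is still required when the `Gemfile` of an installed Logstash is edited, because that is the step a reader is most likely to skip.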
@@ -90,6 +81,6 @@ All contributions are welcome: ideas, patches, documentation, bug reports, compl
90
81
 
91
82
  Programming is not a required skill. Whatever you've seen about open source and maintainers or community members saying "send patches or die" - you will not see that here.
92
83
 
93
- It is more important to me that you are able to contribute.
84
+ It is more important to the community that you are able to contribute.
94
85
 
95
- For more information about contributing, see the [CONTRIBUTING](https://github.com/elasticsearch/logstash/blob/master/CONTRIBUTING.md) file.
86
+ For more information about contributing, see the [CONTRIBUTING](https://github.com/elasticsearch/logstash/blob/master/CONTRIBUTING.md) file.
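Review bot: line 86 is byte-for-byte the same text as line 95 it replaces, so this part of the hunk is a trailing whitespace or end-of-file newline change only; harmless, but it hides the one real edit in the hunk (`to me` becoming `to the community` on line 84) inside a larger diff than necessary.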
@@ -24,40 +24,65 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
24
24
  # %{SYSLOGDATE} %{HOST} CEF:Version|Device Vendor|Device Product|Device Version|SignatureID|Name|Severity|Extension
25
25
  event = LogStash::Event.new()
26
26
  if @syslog
27
- @logger.debug("Expecting SYSLOG headers")
28
- event['syslog'], data = data.split('CEF:', 1)
29
- # Since we have the syslog headers, lets pull them out first and put them into their own field to be handled
27
+ @logger.debug("Expecting SYSLOG headers")
28
+ event['syslog'], data = data.split('CEF:', 2)
29
+ # Since we have the syslog headers, lets pull them out first and put them into their own field to be handled
30
30
  else
31
- # We don't have syslog headers, so we just need to remove CEF:
32
- data.sub! /^CEF:/, ''
31
+ # We don't have syslog headers, so we just need to remove CEF:
32
+ data.sub! /^CEF:/, ''
33
33
  end #if @syslog
34
34
  # Now, break out the rest of the headers
35
35
  event['cef_version'], event['cef_vendor'], event['cef_product'], event['cef_device_version'], event['cef_sigid'], event['cef_name'], event['cef_severity'], event['message'] = data.scan /(?:[^\|\\]|\\.)+/
36
+ # Now, try to break out the Extension Dictionary
37
+ message=event['message']
38
+ if message.to_s.strip.length != 0
39
+ message = message.split(/ ([\w\.]+)=/)
40
+
41
+ key, value = message.shift.split('=',2)
42
+ @logger.debug(message)
43
+ kv = Hash[*message]
44
+ @logger.debug(kv)
45
+ addKey(kv,key,value)
46
+ event.to_hash.merge!(Hash[kv.map{ |k,v| ["cef_ext_"+k,v] }])
47
+ end #
36
48
  yield event
37
49
  end
38
50
 
39
51
  public
40
52
  def encode(data)
41
- # "CEF:0|Elasticsearch|Logstash|1.0|Signature|Name|Sev|"
53
+ # "CEF:0|Elasticsearch|Logstash|1.0|Signature|Name|Sev|"
42
54
 
43
- # TODO: Need to check that fields are set!
55
+ # TODO: Need to check that fields are set!
44
56
 
45
- # Signature, Name, and Sev should be set in the config, with ref to fields
46
- # Should also probably set the fields sent
47
- header = ["CEF:0", "Elasticsearch", "Logstash", "1.0", @signature, @name, @sev].join("|")
48
- values = @fields.map {|name| get_value(name, data)}.join(" ")
49
- # values = values.map {|k,v| "#{k}=#{v}"}.join(" ")
50
- @on_event.call(header + " " + values + "\n")
57
+ # Signature, Name, and Sev should be set in the config, with ref to fields
58
+ # Should also probably set the fields sent
59
+ header = ["CEF:0", "Elasticsearch", "Logstash", "1.0", @signature, @name, @sev].join("|")
60
+ values = @fields.map {|name| get_value(name, data)}.join(" ")
61
+ # values = values.map {|k,v| "#{k}=#{v}"}.join(" ")
62
+ @on_event.call(header + " " + values + "\n")
51
63
  end
52
64
 
65
+ private
66
+ def addKey(kv_keys, key, value)
67
+ if kv_keys.has_key?(key)
68
+ if kv_keys[key].is_a? Array
69
+ kv_keys[key].push(value)
70
+ else
71
+ kv_keys[key] = [kv_keys[key], value]
72
+ end
73
+ else
74
+ kv_keys[key] = value
75
+ end
76
+ end # addKey
77
+
53
78
  private
54
79
  def get_value(name, event)
55
80
  val = event[name]
56
81
  case val
57
- when Hash
58
- return name + "=" + val.to_json
59
- else
60
- return name + "=" + val
82
+ when Hash
83
+ return name + "=" + val.to_json
84
+ else
85
+ return name + "=" + val
61
86
  end
62
87
  end
63
88
 
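Review bot: in the new extension parsing (lines 37 to 47), `kv = Hash[*message]` raises `ArgumentError` (odd number of arguments for Hash) whenever the split array has odd length, which happens for any extension ending in an empty value such as `... spt=` because `String#split` drops trailing empty strings; one malformed line from a device then stops the codec. Guard it, for example with `message << "" if message.length.odd?` before the `Hash[...]`, or build the hash from `message.each_slice(2)`. Three more points in the same block: `event.to_hash.merge!(...)` only works while `Event#to_hash` returns the live backing hash rather than a copy, so set fields with `event["cef_ext_" + k] = v` instead; `@logger.debug(message)` and `@logger.debug(kv)` write the entire decoded payload (source and destination addresses, user names, whatever the device sends) into Logstash's own log at debug level, which is not where that data should land; and duplicate keys are handled inconsistently, since the first pair goes through `addKey`, which collects repeats into an array, while `Hash[*message]` silently keeps the last value for everything else. The `split('CEF:', 2)` change is correct, the old limit of 1 returned the whole string as a single element and left `data` nil.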
@@ -1,7 +1,7 @@
1
1
  Gem::Specification.new do |s|
2
2
 
3
3
  s.name = 'logstash-codec-cef'
4
- s.version = '0.1.1'
4
+ s.version = '0.1.3'
5
5
  s.licenses = ['Apache License (2.0)']
6
6
  s.summary = "CEF codec to parse CEF formated logs"
7
7
  s.description = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
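Review bot: the version jumps from 0.1.1 straight to 0.1.3 and the diff carries no CHANGELOG entry, although the new extension-dictionary parsing changes the shape of every decoded event (new `cef_ext_*` fields); record that in a changelog or release note so downstream filter configs can be updated. While here, `formated` in the summary on line 6 should be `formatted`.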
@@ -20,7 +20,7 @@ Gem::Specification.new do |s|
20
20
  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "codec" }
21
21
 
22
22
  # Gem dependencies
23
- s.add_runtime_dependency 'logstash', '>= 1.4.0', '< 2.0.0'
23
+ s.add_runtime_dependency "logstash-core", '>= 1.4.0', '< 2.0.0'
24
24
 
25
25
  s.add_development_dependency 'logstash-devutils'
26
26
  end
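Review bot: the new dependency keeps the `>= 1.4.0` floor inherited from the old `logstash` gem; confirm that a `logstash-core` release that old actually exists on rubygems.org, otherwise the lower bound is misleading and the README's JRuby plus 1.5-branch instructions are the real minimum, in which case say `>= 1.5.0` here. Minor: this one line switches to double quotes while the rest of the gemspec uses single quotes.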
@@ -30,7 +30,14 @@ describe LogStash::Codecs::CEF do
30
30
  end
31
31
  end
32
32
 
33
- it "should parse the cef body"
33
+ it "should parse the cef body" do
34
+ subject.decode(message) do |e|
35
+ insist { e["cef_ext_src"] } == "10.0.0.192"
36
+ insist { e["cef_ext_dst"] } == "12.121.122.82"
37
+ insist { e["cef_ext_spt"] } == "1232"
38
+ end
39
+ end
40
+
34
41
  it "should handle values in the body that contain spaces"
35
42
  end
36
43
 
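Review bot: the filled-in example only checks the happy path, while the sibling `it "should handle values in the body that contain spaces"` stays a pending example with no body, and that is the case that proves the parsing approach, since the `split(/ ([\w\.]+)=/)` regex relies on finding ` key=` to delimit values and a value containing a space followed by an unescaped `=` (for example `msg=see key=val`) will be mis-split. Give it a body, and add a case for an extension that ends in `key=` with an empty value, which currently makes `Hash[*message]` raise. The expected `10.0.0.192`, `12.121.122.82` and `1232` values come from the `message` fixture defined earlier in the spec and outside this hunk, so the assertions cannot be read on their own.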
metadata CHANGED
@@ -1,18 +1,17 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: logstash-codec-cef
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.1
4
+ version: 0.1.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Elasticsearch
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2015-01-22 00:00:00.000000000 Z
11
+ date: 2015-02-26 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
- name: logstash
15
- version_requirements: !ruby/object:Gem::Requirement
14
+ requirement: !ruby/object:Gem::Requirement
16
15
  requirements:
17
16
  - - '>='
18
17
  - !ruby/object:Gem::Version
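Review bot: `cert_chain: []` on line 10 shows the gem is still published unsigned, so anyone installing it with `gem install` or `bin/plugin install` is trusting the rubygems.org transport alone; the hashes in `checksums.yaml` above are generated at build time and packaged inside the gem, so they do not help a consumer verify it. Consider signing releases (`gem cert`). The `date` bump to 2015-02-26 is consistent with the version bump.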
@@ -20,7 +19,10 @@ dependencies:
20
19
  - - <
21
20
  - !ruby/object:Gem::Version
22
21
  version: 2.0.0
23
- requirement: !ruby/object:Gem::Requirement
22
+ name: logstash-core
23
+ prerelease: false
24
+ type: :runtime
25
+ version_requirements: !ruby/object:Gem::Requirement
24
26
  requirements:
25
27
  - - '>='
26
28
  - !ruby/object:Gem::Version
@@ -28,29 +30,28 @@ dependencies:
28
30
  - - <
29
31
  - !ruby/object:Gem::Version
30
32
  version: 2.0.0
31
- prerelease: false
32
- type: :runtime
33
33
  - !ruby/object:Gem::Dependency
34
- name: logstash-devutils
35
- version_requirements: !ruby/object:Gem::Requirement
34
+ requirement: !ruby/object:Gem::Requirement
36
35
  requirements:
37
36
  - - '>='
38
37
  - !ruby/object:Gem::Version
39
38
  version: '0'
40
- requirement: !ruby/object:Gem::Requirement
39
+ name: logstash-devutils
40
+ prerelease: false
41
+ type: :development
42
+ version_requirements: !ruby/object:Gem::Requirement
41
43
  requirements:
42
44
  - - '>='
43
45
  - !ruby/object:Gem::Version
44
46
  version: '0'
45
- prerelease: false
46
- type: :development
47
47
  description: This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program
48
48
  email: info@elasticsearch.com
49
49
  executables: []
50
50
  extensions: []
51
51
  extra_rdoc_files: []
52
52
  files:
53
- - DEVELOPER.md
53
+ - .gitignore
54
+ - CONTRIBUTORS
54
55
  - Gemfile
55
56
  - LICENSE
56
57
  - README.md
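Review bot: the `files:` list now ships `.gitignore` and `CONTRIBUTORS` in place of `DEVELOPER.md`; `CONTRIBUTORS` is reasonable to include, `.gitignore` is not, and its presence points at an overly broad `s.files` glob in the gemspec. The remainder of the hunk is the dependency entries being reordered (`requirement` before `version_requirements`, `name`, `prerelease` and `type` moved down) with identical content, which is the newer rubygems serialiser at work rather than a real change and can be ignored.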
@@ -81,7 +82,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
81
82
  version: '0'
82
83
  requirements: []
83
84
  rubyforge_project:
84
- rubygems_version: 2.1.9
85
+ rubygems_version: 2.4.5
85
86
  signing_key:
86
87
  specification_version: 4
87
88
  summary: CEF codec to parse CEF formated logs
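Review bot: `rubygems_version` moving from 2.1.9 to 2.4.5 explains the reordered dependency blocks above (a different serialiser wrote this metadata), and `signing_key:` is still empty, consistent with the empty `cert_chain`. `formated` in the summary is the same typo as in the gemspec and should be fixed there so it disappears from here as well.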
data/DEVELOPER.md DELETED
@@ -1,49 +0,0 @@
1
- logstash-CEF
2
- ============
3
-
4
- Logstash Codec to handle CEF encoded data
5
-
6
- Build
7
- =====
8
-
9
- Run 'make tarball' to build the project. A tarball will end up in ./build. Extract the file over top of your logstash directory.
10
- (Hint: or, just copy the ./lib and ./vendor directories to your logstash folder)
11
-
12
-
13
- Config
14
- ======
15
-
16
- This is an example input config.
17
-
18
- ```
19
- input {
20
- generator {
21
- message => "TODO"
22
- count => 1
23
- codec => cef
24
- }
25
- }
26
-
27
- output {
28
- stdout {
29
- codec => "rubydebug"
30
- }
31
- }
32
- ```
33
-
34
- This is an example output config.
35
-
36
- ```
37
- input {
38
- generator {
39
- message => "TODO"
40
- count => 1
41
- }
42
- }
43
-
44
- output {
45
- stdout {
46
- codec => cef
47
- }
48
- }
49
- ```
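Review bot: deleting this file removes the only usage example on the page (`codec => cef` in an `input` and an `output` block), and neither the README hunks nor the gemspec description replace it; the `message => "TODO"` placeholders were never filled in, so the examples as written did not actually exercise the codec anyway. Move a working pair of examples into README.md, with a real CEF line as the generator message, before dropping this. The `make tarball` and copy `./lib` and `./vendor` instructions are obsolete for a gem-based plugin and are right to go.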