RubyGems - logstash-codec-cef - Versions diffs - 2.0.3 → 2.1.0 - Mend

logstash-codec-cef 2.0.3 → 2.1.0

Files changed (7) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +4 -0
data/CONTRIBUTORS +1 -0
data/lib/logstash/codecs/cef.rb +145 -14
data/logstash-codec-cef.gemspec +2 -2
data/spec/codecs/cef_spec.rb +295 -1
metadata +14 -14

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b07e21611300d4682e481db32cb96f37e5f8b659
-  data.tar.gz: 52ca214b4b2e0623bf45902113d02f1986cbb235
+  metadata.gz: 8d9084e0831538c85ddcabe642a00db46b22e08d
+  data.tar.gz: 9de28cadc061797c5b65b0107ef46ccf1b2868a0
 SHA512:
-  metadata.gz: 77353440739c5fda71c5cc410457a37ab40f5d5a00ceb48d690f11ea605a44741b4b38b75bffa23badb42b05316cd2fb9d721da3c4d117e582d6f7c333629884
-  data.tar.gz: 927f654424f3f19ca954fd465573b7c26170e2195f562c52338a3e737a788078c6ea7b71bd67644ea83001c00824ea63de9e1b9f1c8210d21ea07e8d7c4bfc3e
+  metadata.gz: b7a357ac86677710e8da105eabe837498595a58d4e75867447f85e0e0a8fe1144d60735a8edd1ca3c2484624c1d3aeb2fa9a5b82b686044a4b16b44ca6aeeb4f
+  data.tar.gz: bdb89985dd333aa2e1fa82eba3fdc22026a8d1e06404d2ba74b54f05b2ec1e142a7610971fe1473463735133e5dbdacd17e3b0762ae97a293087fd058b1bd329

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,7 @@
+## 2.1.0
+ - Implements `encode` with escaping according to the [CEF specification](https://protect724.hp.com/docs/DOC-1072).
+ - Config option `sev` is deprecated, use `severity` instead.
 ## 2.0.0
  - Plugins were updated to follow the new shutdown semantic, this mainly allows Logstash to instruct input plugins to terminate gracefully,
    instead of using Thread.raise on the plugins' threads. Ref: https://github.com/elastic/logstash/pull/3895

data/CONTRIBUTORS CHANGED Viewed

@@ -11,6 +11,7 @@ Contributors:
 * Pete Fritchman (fetep)
 * Pier-Hugues Pellerin (ph)
 * Karl Stoney (Stono)
+* Lucas Bremgartner (breml)
 Note: If you've sent us patches, bug reports, or otherwise contributed to
 Logstash, and you aren't on the list above and want to be, please let us know

data/lib/logstash/codecs/cef.rb CHANGED Viewed

@@ -1,12 +1,53 @@
+# encoding: utf-8
 require "logstash/codecs/base"
+require "json"
 class LogStash::Codecs::CEF < LogStash::Codecs::Base
+  # Implementation of a Logstash codec for the ArcSight Common Event Format (CEF)
+  # Based on Revision 20 of Implementing ArcSight CEF, dated from June 05, 2013
+  # https://protect724.hp.com/servlet/JiveServlet/downloadBody/1072-102-6-4697/CommonEventFormat.pdf
   config_name "cef"
+  # Device vendor field in CEF header. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
+  config :vendor, :validate => :string, :default => "Elasticsearch"
+  # Device product field in CEF header. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
+  config :product, :validate => :string, :default => "Logstash"
+  # Device version field in CEF header. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
+  config :version, :validate => :string, :default => "1.0"
+  # Signature ID field in CEF header. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
   config :signature, :validate => :string, :default => "Logstash"
+  # Name field in CEF header. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
   config :name, :validate => :string, :default => "Logstash"
-  config :sev, :validate => :number, :default => 6
-  config :fields, :validate => :array
+  # Deprecated severity field for CEF header. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
+  #
+  # This field is used only if :severity is unchanged set to the default value.
+  #
+  # Defined as field of type string to allow sprintf. The value will be validated
+  # to be an integer in the range from 0 to 10 (including).
+  # All invalid values will be mapped to the default of 6.
+  config :sev, :validate => :string, :default => "6", :deprecated => "This setting is being deprecated, use :severity instead."
+  # Severity field in CEF header. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
+  #
+  # Defined as field of type string to allow sprintf. The value will be validated
+  # to be an integer in the range from 0 to 10 (including).
+  # All invalid values will be mapped to the default of 6.
+  config :severity, :validate => :string, :default => "6"
+  # Fields to be included in CEV extension part as key/value pairs
+  config :fields, :validate => :array, :default => []
   public
   def initialize(params={})
@@ -57,28 +98,118 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
   end
   public
-  def encode(data)
+  def encode(event)
     # "CEF:0|Elasticsearch|Logstash|1.0|Signature|Name|Sev|"
-    # TODO: Need to check that fields are set!
+    vendor = sanitize_header_field(event.sprintf(@vendor))
+    vendor = self.class.get_config["vendor"][:default] if vendor == ""
+    product = sanitize_header_field(event.sprintf(@product))
+    product = self.class.get_config["product"][:default] if product == ""
+    version = sanitize_header_field(event.sprintf(@version))
+    version = self.class.get_config["version"][:default] if version == ""
+    signature = sanitize_header_field(event.sprintf(@signature))
+    signature = self.class.get_config["signature"][:default] if signature == ""
+    name = sanitize_header_field(event.sprintf(@name))
+    name = self.class.get_config["name"][:default] if name == ""
+    # :sev is deprecated and therefore only considered if :severity equals the default setting or is invalid
+    severity = sanitize_severity(event, @severity)
+    if severity == self.class.get_config["severity"][:default]
+      # Use deprecated setting sev
+      severity = sanitize_severity(event, @sev)
+    end
-    # Signature, Name, and Sev should be set in the config, with ref to fields
     # Should also probably set the fields sent
-    header = ["CEF:0", "Elasticsearch", "Logstash", "1.0", @signature, @name, @sev].join("|")
-    values = @fields.map {|name| get_value(name, data)}.join(" ")
-    # values = values.map {|k,v| "#{k}=#{v}"}.join(" ")
-    @on_event.call(header + " " + values + "\n")
+    header = ["CEF:0", vendor, product, version, signature, name, severity].join("|")
+    values = @fields.map {|fieldname| get_value(fieldname, event)}.compact.join(" ")
+    @on_event.call(event, "#{header}|#{values}\n")
   end
   private
-  def get_value(name, event)
-    val = event[name]
+  # Escape pipes and backslashes in the header. Equal signs are ok.
+  # Newlines are forbidden.
+  def sanitize_header_field(value)
+    output = ""
+    value = value.to_s.gsub(/\r\n/, "\n")
+    value.each_char{|c|
+      case c
+      when "\\", "|"
+        output += "\\" + c
+      when "\n", "\r"
+        output += " "
+      else
+        output += c
+      end
+    }
+    return output
+  end
+  # Keys must be made up of a single word, with no spaces
+  # must be alphanumeric
+  def sanitize_extension_key(value)
+    value = value.to_s.gsub(/[^a-zA-Z0-9]/, "")
+    return value
+  end
+  # Escape equal signs in the extensions. Canonicalize newlines.
+  # CEF spec leaves it up to us to choose \r or \n for newline.
+  # We choose \n as the default.
+  def sanitize_extension_val(value)
+    output = ""
+    value = value.to_s.gsub(/\r\n/, "\n")
+    value.each_char{|c|
+      case c
+      when "\\", "="
+        output += "\\" + c
+      when "\n", "\r"
+        output += "\\n"
+      else
+        output += c
+      end
+    }
+    return output
+  end
+  def get_value(fieldname, event)
+    val = event[fieldname]
+    return nil if val.nil?
     case val
-    when Hash
-      return name + "=" + val.to_json
+    when Array, Hash
+      return "#{sanitize_extension_key(fieldname)}=#{sanitize_extension_val(val.to_json)}"
+    when LogStash::Timestamp
+      return "#{sanitize_extension_key(fieldname)}=#{val.to_s}"
     else
-      return name + "=" + val
+      return "#{sanitize_extension_key(fieldname)}=#{sanitize_extension_val(val)}"
     end
   end
+  def sanitize_severity(event, severity)
+    severity = sanitize_header_field(event.sprintf(severity)).strip
+    severity = self.class.get_config["severity"][:default] unless valid_severity?(severity)
+    severity = severity.to_i.to_s
+  end
+  def valid_severity?(sev)
+    f = Float(sev)
+    # check if it's an integer or a float with no remainder
+    # and if the value is between 0 and 10 (inclusive)
+    (f % 1 == 0) && f.between?(0,10)
+  rescue TypeError, ArgumentError
+    false
+  end
 end

data/logstash-codec-cef.gemspec CHANGED Viewed

@@ -1,9 +1,9 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-codec-cef'
-  s.version         = '2.0.3'
+  s.version         = '2.1.0'
   s.licenses        = ['Apache License (2.0)']
-  s.summary         = "CEF codec to parse CEF formated logs"
+  s.summary         = "CEF codec to parse and encode CEF formated logs"
   s.description     = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
   s.authors         = ["Elastic"]
   s.email           = 'info@elastic.co'

data/spec/codecs/cef_spec.rb CHANGED Viewed

@@ -10,7 +10,301 @@ describe LogStash::Codecs::CEF do
   end
   context "#encode" do
-    it "should assert all header fields are present"
+    subject(:codec) { LogStash::Codecs::CEF.new }
+    let(:results)   { [] }
+    it "should not fail if fields is nil" do
+      codec.on_event{|data, newdata| results << newdata}
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|$/m)
+    end
+    it "should assert all header fields are present" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|$/m)
+    end
+    it "should use default values for empty header fields" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.vendor = ""
+      codec.product = ""
+      codec.version = ""
+      codec.signature = ""
+      codec.name = ""
+      codec.severity = ""
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|$/m)
+    end
+    it "should use configured values for header fields" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.vendor = "vendor"
+      codec.product = "product"
+      codec.version = "2.0"
+      codec.signature = "signature"
+      codec.name = "name"
+      codec.severity = "1"
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|vendor\|product\|2.0\|signature\|name\|1\|$/m)
+    end
+    it "should use sprintf for header fields" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.vendor = "%{vendor}"
+      codec.product = "%{product}"
+      codec.version = "%{version}"
+      codec.signature = "%{signature}"
+      codec.name = "%{name}"
+      codec.severity = "%{severity}"
+      codec.fields = []
+      event = LogStash::Event.new("vendor" => "vendor", "product" => "product", "version" => "2.0", "signature" => "signature", "name" => "name", "severity" => "1")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|vendor\|product\|2.0\|signature\|name\|1\|$/m)
+    end
+    it "should use default, if severity is not numeric" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.severity = "foo"
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|$/m)
+    end
+    it "should use default, if severity is > 10" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.severity = "11"
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|$/m)
+    end
+    it "should use default, if severity is < 0" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.severity = "-1"
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|$/m)
+    end
+    it "should use default, if severity is float with decimal part" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.severity = "5.4"
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|$/m)
+    end
+    it "should append fields as key/value pairs in cef extension part" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.fields = [ "foo", "bar" ]
+      event = LogStash::Event.new("foo" => "foo value", "bar" => "bar value")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|foo=foo value bar=bar value$/m)
+    end
+    it "should ignore fields in fields if not present in event" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.fields = [ "foo", "bar", "baz" ]
+      event = LogStash::Event.new("foo" => "foo value", "baz" => "baz value")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|foo=foo value baz=baz value$/m)
+    end
+    it "should sanitize header fields" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.vendor = "ven\ndor"
+      codec.product = "pro|duct"
+      codec.version = "ver\\sion"
+      codec.signature = "sig\r\nnature"
+      codec.name = "na\rme"
+      codec.severity = "4\n"
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|ven dor\|pro\\\|duct\|ver\\\\sion\|sig nature\|na me\|4\|$/m)
+    end
+    it "should sanitize extension keys" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.fields = [ "f o\no", "@b-a_r" ]
+      event = LogStash::Event.new("f o\no" => "foo value", "@b-a_r" => "bar value")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|foo=foo value bar=bar value$/m)
+    end
+    it "should sanitize extension values" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.fields = [ "foo", "bar", "baz" ]
+      event = LogStash::Event.new("foo" => "foo\\value\n", "bar" => "bar=value\r")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|foo=foo\\\\value\\n bar=bar\\=value\\n$/m)
+    end
+    it "should encode a hash value" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.fields = [ "foo" ]
+      event = LogStash::Event.new("foo" => { "bar" => "bar value", "baz" => "baz value" })
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|foo=\{\"bar\":\"bar value\",\"baz\":\"baz value\"\}$/m)
+    end
+    it "should encode an array value" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.fields = [ "foo" ]
+      event = LogStash::Event.new("foo" => [ "bar", "baz" ])
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|foo=\[\"bar\",\"baz\"\]$/m)
+    end
+    it "should encode a hash in an array value" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.fields = [ "foo" ]
+      event = LogStash::Event.new("foo" => [ { "bar" => "bar value" }, "baz" ])
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|foo=\[\{\"bar\":\"bar value\"\},\"baz\"\]$/m)
+    end
+    it "should encode a LogStash::Timestamp" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.fields = [ "foo" ]
+      event = LogStash::Event.new("foo" => LogStash::Timestamp.new)
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|foo=[0-9TZ.:-]+$/m)
+    end
+    it "should use severity (instead of depricated sev), if severity is set)" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.sev = "4"
+      codec.severity = "5"
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|5\|$/m)
+    end
+    it "should use deprecated sev, if severity is not set (equals default value)" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.sev = "4"
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|4\|$/m)
+    end
+    it "should use deprecated sev, if severity is explicitly set to default value)" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.sev = "4"
+      codec.severity = "6"
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|4\|$/m)
+    end
+    it "should use deprecated sev, if severity is invalid" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.sev = "4"
+      codec.severity = ""
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|4\|$/m)
+    end
+    it "should use default value, if severity is not set and sev is invalid" do
+      codec.on_event{|data, newdata| results << newdata}
+      codec.sev = ""
+      codec.fields = []
+      event = LogStash::Event.new("foo" => "bar")
+      codec.encode(event)
+      expect(results.first).to match(/^CEF:0\|Elasticsearch\|Logstash\|1.0\|Logstash\|Logstash\|6\|$/m)
+    end
+  end
+  context "sanitize header field" do
+    subject(:codec) { LogStash::Codecs::CEF.new }
+    it "should sanitize" do
+      expect(codec.send(:sanitize_header_field, "foo")).to be == "foo"
+      expect(codec.send(:sanitize_header_field, "foo\nbar")).to be == "foo bar"
+      expect(codec.send(:sanitize_header_field, "foo\rbar")).to be == "foo bar"
+      expect(codec.send(:sanitize_header_field, "foo\r\nbar")).to be == "foo bar"
+      expect(codec.send(:sanitize_header_field, "foo\r\nbar\r\nbaz")).to be == "foo bar baz"
+      expect(codec.send(:sanitize_header_field, "foo\\bar")).to be == "foo\\\\bar"
+      expect(codec.send(:sanitize_header_field, "foo|bar")).to be == "foo\\|bar"
+      expect(codec.send(:sanitize_header_field, "foo=bar")).to be == "foo=bar"
+      expect(codec.send(:sanitize_header_field, 123)).to be == "123" # Input value is a Fixnum
+      expect(codec.send(:sanitize_header_field, 123.123)).to be == "123.123" # Input value is a Float
+      expect(codec.send(:sanitize_header_field, [])).to be == "[]" # Input value is an Array
+      expect(codec.send(:sanitize_header_field, {})).to be == "{}" # Input value is a Hash
+    end
+  end
+  context "sanitize extension key" do
+    subject(:codec) { LogStash::Codecs::CEF.new }
+    it "should sanitize" do
+      expect(codec.send(:sanitize_extension_key, " foo ")).to be == "foo"
+      expect(codec.send(:sanitize_extension_key, " FOO 123 ")).to be == "FOO123"
+      expect(codec.send(:sanitize_extension_key, "foo\nbar\rbaz")).to be == "foobarbaz"
+      expect(codec.send(:sanitize_extension_key, "Foo_Bar\r\nBaz")).to be == "FooBarBaz"
+      expect(codec.send(:sanitize_extension_key, "foo-@bar=baz")).to be == "foobarbaz"
+      expect(codec.send(:sanitize_extension_key, "[foo]|bar.baz")).to be == "foobarbaz"
+      expect(codec.send(:sanitize_extension_key, 123)).to be == "123" # Input value is a Fixnum
+      expect(codec.send(:sanitize_extension_key, 123.123)).to be == "123123" # Input value is a Float, "." is not allowed and therefore removed
+      expect(codec.send(:sanitize_extension_key, [])).to be == "" # Input value is an Array, "[" and "]" are not allowed and therefore removed
+      expect(codec.send(:sanitize_extension_key, {})).to be == "" # Input value is a Hash, "{" and "}" are not allowed and therefore removed
+    end
+  end
+  context "sanitize extension value" do
+    subject(:codec) { LogStash::Codecs::CEF.new }
+    it "should sanitize" do
+      expect(codec.send(:sanitize_extension_val, "foo")).to be == "foo"
+      expect(codec.send(:sanitize_extension_val, "foo\nbar")).to be == "foo\\nbar"
+      expect(codec.send(:sanitize_extension_val, "foo\rbar")).to be == "foo\\nbar"
+      expect(codec.send(:sanitize_extension_val, "foo\r\nbar")).to be == "foo\\nbar"
+      expect(codec.send(:sanitize_extension_val, "foo\r\nbar\r\nbaz")).to be == "foo\\nbar\\nbaz"
+      expect(codec.send(:sanitize_extension_val, "foo\\bar")).to be == "foo\\\\bar"
+      expect(codec.send(:sanitize_extension_val, "foo|bar")).to be == "foo|bar"
+      expect(codec.send(:sanitize_extension_val, "foo=bar")).to be == "foo\\=bar"
+      expect(codec.send(:sanitize_extension_val, 123)).to be == "123" # Input value is a Fixnum
+      expect(codec.send(:sanitize_extension_val, 123.123)).to be == "123.123" # Input value is a Float
+      expect(codec.send(:sanitize_extension_val, [])).to be == "[]" # Input value is an Array
+      expect(codec.send(:sanitize_extension_val, {})).to be == "{}" # Input value is a Hash
+    end
+  end
+  context "valid_severity?" do
+    subject(:codec) { LogStash::Codecs::CEF.new }
+    it "should validate severity" do
+      expect(codec.send(:valid_severity?, nil)).to be == false
+      expect(codec.send(:valid_severity?, "")).to be == false
+      expect(codec.send(:valid_severity?, "foo")).to be == false
+      expect(codec.send(:valid_severity?, "1.5")).to be == false
+      expect(codec.send(:valid_severity?, "-1")).to be == false
+      expect(codec.send(:valid_severity?, "11")).to be == false
+      expect(codec.send(:valid_severity?, "0")).to be == true
+      expect(codec.send(:valid_severity?, "10")).to be == true
+      expect(codec.send(:valid_severity?, "1.0")).to be == true
+      expect(codec.send(:valid_severity?, 1)).to be == true
+      expect(codec.send(:valid_severity?, 1.0)).to be == true
+    end
   end
   context "#decode" do

metadata CHANGED Viewed

@@ -1,18 +1,17 @@
 --- !ruby/object:Gem::Specification
 name: logstash-codec-cef
 version: !ruby/object:Gem::Version
-  version: 2.0.3
+  version: 2.1.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-11-19 00:00:00.000000000 Z
+date: 2016-01-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: logstash-core
-  version_requirements: !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
@@ -20,7 +19,10 @@ dependencies:
     - - <
       - !ruby/object:Gem::Version
         version: 3.0.0
-  requirement: !ruby/object:Gem::Requirement
+  name: logstash-core
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
@@ -28,22 +30,20 @@ dependencies:
     - - <
       - !ruby/object:Gem::Version
         version: 3.0.0
-  prerelease: false
-  type: :runtime
 - !ruby/object:Gem::Dependency
-  name: logstash-devutils
-  version_requirements: !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
-  requirement: !ruby/object:Gem::Requirement
+  name: logstash-devutils
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
-  prerelease: false
-  type: :development
 description: This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program
 email: info@elastic.co
 executables: []
@@ -81,9 +81,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.4.8
+rubygems_version: 2.4.5
 signing_key:
 specification_version: 4
-summary: CEF codec to parse CEF formated logs
+summary: CEF codec to parse and encode CEF formated logs
 test_files:
 - spec/codecs/cef_spec.rb