logstash-codec-cef 6.2.0-java → 6.2.1-java

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 25264d450cdfa027ac9758a05972c0c87119a635238b9bacfc746e4daec40dff
4
- data.tar.gz: 63dbd8558c231e61c9e55962484042a52c28177cba5b4adcf4d49291aace491a
3
+ metadata.gz: f530caa2c56a19a914e3482cb063a998b8e43807975e1523b2c73156aa7e2fbe
4
+ data.tar.gz: d8cada7fc621d62b5ec0ccc3e8e8c8c6dfc401fbbecfa7a5b70c43eed9cd0cea
5
5
  SHA512:
6
- metadata.gz: 62ac45d798abaf3008f99357b578506237bddc024904951cab64bdb36fd61f1c91894e4e70f2ce6a911fde46c4d1a15c69a1368b2a0dd69a6f509e09e8ee8192
7
- data.tar.gz: 46dd75f39b72ae788dfcd29f21810be7086bb16cb1984f81f50a786682d66f06f7e6a2ee543f3e88a3e8951da5680f99fdcd45d28e606c16171d34bc30ceb4a4
6
+ metadata.gz: 9aff57924314652538bcfb860bbded217955dbfede94f523069b2525e514d44711db5c7884dede93c38723b9b3eb5d5d5782b82bc5e7f0a624f97a664f601f26
7
+ data.tar.gz: a53cece29e66a40be33b49e0abaf898519bca82d611d56f0bfa3db034cece00d368741c3cd3afab3ccab888ab2c138ba97cca232d8a49ac1c28477459fdfc3ef
data/CHANGELOG.md CHANGED
@@ -1,3 +1,7 @@
1
+ ## 6.2.1
2
+ - Added field mapping to docs.
3
+ - Fixed ECS mapping of `deviceMacAddress` field.
4
+
1
5
  ## 6.2.0
2
6
  - Introduce ECS Compatibility mode [#83](https://github.com/logstash-plugins/logstash-codec-cef/pull/83).
3
7
 
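Review bot: the `deviceMacAddress` entry should say what was wrong and link the change, as the 6.2.0 entry does with `[#83](...)`. From the `cef.rb` hunk in this same release, the previous `ecs_field: "[@device][mac]"` was a plain string with no interpolation, so in ECS mode the value landed under a literal `[@device][mac]` path instead of `[observer][mac]` / `[host][mac]`; stating that symptom helps users decide whether they need to upgrade and reindex.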
data/docs/index.asciidoc CHANGED
@@ -48,9 +48,9 @@ The ECS Compatibility mode for a specific plugin instance can be controlled by s
48
48
 
49
49
  If left unspecified, the value of the `pipeline.ecs_compatibility` setting is used.
50
50
 
51
- ===== Timestamps and ECS Compatiblity
51
+ ===== Timestamps and ECS compatiblity
52
52
 
53
- When running in ECS Compatibility Mode, timestamp-type fields are parsed and normalized
53
+ When decoding in ECS Compatibility Mode, timestamp-type fields are parsed and normalized
54
54
  to specific points on the timeline.
55
55
 
56
56
  Because the CEF format allows ambiguous timestamp formats, some reasonable assumptions are made:
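Review bot: the heading change at `===== Timestamps and ECS compatiblity` only lowercases the word and leaves the typo in place; it should read `===== Timestamps and ECS Compatibility` (also matching the capitalised "ECS Compatibility Mode" used in the sentence two lines below).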
@@ -62,6 +62,252 @@ Because the CEF format allows ambiguous timestamp formats, some reasonable assum
62
62
  <<plugins-{type}s-{plugin}-default_timezone>>.
63
63
  - Localized timestamps are parsed using the provided <<plugins-{type}s-{plugin}-locale>>.
64
64
 
65
+ [id="plugins-{type}s-{plugin}-field-mapping"]
66
+ ===== Field mapping
67
+
68
+ The header fields from each CEF payload is expanded to the following fields, depending on whether ECS is enabled.
69
+
70
+ [id="plugins-{type}s-{plugin}-header-field"]
71
+ ====== Header field mapping
72
+ |=====
73
+ |ECS Disabled | ECS Field
74
+
75
+ |`cefVersion` |`[cef][version]`
76
+ |`deviceVendor` |`[observer][vendor]`
77
+ |`deviceProduct` |`[observer][product]`
78
+ |`deviceVersion` |`[observer][version]`
79
+ |`deviceEventClassId`|`[event][code]`
80
+ |`name` |`[cef][name]`
81
+ |`severity` |`[event][severity]`
82
+ |=====
83
+
84
+ When decoding CEF payloads with `ecs_compatibility => disabled`, the abbreviated CEF Keys found in extensions are expanded, and CEF Field Names are inserted at the root level of the event.
85
+
86
+ When decoding in an ECS Compatibility mode, the ECS Fields are populated from the corresponding CEF Field Names _or_ CEF Keys found in the payload's extensions.
87
+
88
+ The following is a mapping between these fields.
89
+
90
+ // Templates for short-hand notes in the table below
91
+ :cef-ambiguous-higher: pass:quotes[Multiple possible CEF fields map to this ECS Field. When decoding, the last entry encountered wins. When encoding, this field has _higher_ priority.]
92
+ :cef-ambiguous-lower: pass:quotes[Multiple possible CEF fields map to this ECS Field. When decoding, the last entry encountered wins. When encoding, this field has _lower_ priority.]
93
+ :cef-normalize-timestamp: pass:quotes[This field contains a timestamp. In ECS Compatibility Mode, it is parsed to a specific point in time.]
94
+ :cef-plugin-config-condition: pass:quotes[When plugin configured with]
95
+
96
+
97
+ [id="plugins-{type}s-{plugin}-ext-field"]
98
+ ====== Extension field mapping
99
+ |=======================================================================================================================
100
+ |CEF Field Name (optional CEF Key) |ECS Field
101
+
102
+ |`agentAddress` (`agt`) |`[agent][ip]`
103
+ |`agentDnsDomain` |`[cef][agent][registered_domain]`
104
+
105
+ {cef-ambiguous-higher}
106
+ |`agentHostName` (`ahost`) |`[agent][name]`
107
+ |`agentId` (`aid`) |`[agent][id]`
108
+ |`agentMacAddress` (`amac`) |`[agent][mac]`
109
+ |`agentNtDomain` |`[cef][agent][registered_domain]`
110
+
111
+ {cef-ambiguous-lower}
112
+ |`agentReceiptTime` (`art`) |`[event][created]`
113
+
114
+ {cef-normalize-timestamp}
115
+ |`agentTimeZone` (`atz`) |`[cef][agent][timezone]`
116
+ |`agentTranslatedAddress` |`[cef][agent][nat][ip]`
117
+ |`agentTranslatedZoneExternalID` |`[cef][agent][translated_zone][external_id]`
118
+ |`agentTranslatedZoneURI` |`[cef][agent][translated_zone][uri]`
119
+ |`agentType` (`at`) |`[agent][type]`
120
+ |`agentVersion` (`av`) |`[agent][version]`
121
+ |`agentZoneExternalID` |`[cef][agent][zone][external_id]`
122
+ |`agentZoneURI` |`[cef][agent][zone][uri]`
123
+ |`applicationProtocol` (`app`) |`[network][protocol]`
124
+ |`baseEventCount` (`cnt`) |`[cef][base_event_count]`
125
+ |`bytesIn` (`in`) |`[source][bytes]`
126
+ |`bytesOut` (`out`) |`[destination][bytes]`
127
+ |`categoryDeviceType` (`catdt`) |`[cef][device_type]`
128
+ |`customerExternalID` |`[organization][id]`
129
+ |`customerURI` |`[organization][name]`
130
+ |`destinationAddress` (`dst`) |`[destination][ip]`
131
+ |`destinationDnsDomain` |`[destination][registered_domain]`
132
+
133
+ {cef-ambiguous-higher}
134
+ |`destinationGeoLatitude` (`dlat`) |`[destination][geo][location][lat]`
135
+ |`destinationGeoLongitude` (`dlong`) |`[destination][geo][location][lon]`
136
+ |`destinationHostName` (`dhost`) |`[destination][domain]`
137
+ |`destinationMacAddress` (`dmac`) |`[destination][mac]`
138
+ |`destinationNtDomain` (`dntdom`) |`[destination][registered_domain]`
139
+
140
+ {cef-ambiguous-lower}
141
+ |`destinationPort` (`dpt`) |`[destination][port]`
142
+ |`destinationProcessId` (`dpid`) |`[destination][process][pid]`
143
+ |`destinationProcessName` (`dproc`) |`[destination][process][name]`
144
+ |`destinationServiceName` |`[destination][service][name]`
145
+ |`destinationTranslatedAddress` |`[destination][nat][ip]`
146
+ |`destinationTranslatedPort` |`[destination][nat][port]`
147
+ |`destinationTranslatedZoneExternalID` |`[cef][destination][translated_zone][external_id]`
148
+ |`destinationTranslatedZoneURI` |`[cef][destination][translated_zone][uri]`
149
+ |`destinationUserId` (`duid`) |`[destination][user][id]`
150
+ |`destinationUserName` (`duser`) |`[destination][user][name]`
151
+ |`destinationUserPrivileges` (`dpriv`) |`[destination][user][group][name]`
152
+ |`destinationZoneExternalID` |`[cef][destination][zone][external_id]`
153
+ |`destinationZoneURI` |`[cef][destination][zone][uri]`
154
+ |`deviceAction` (`act`) |`[event][action]`
155
+ .2+|`deviceAddress` (`dvc`) |`[observer][ip]`
156
+
157
+ {cef-plugin-config-condition} `device => observer`
158
+ |`[host][ip]`
159
+
160
+ {cef-plugin-config-condition} `device => host`
161
+ |`deviceCustomFloatingPoint1` (`cfp1`) |`[cef][device_custom_floating_point_1][value]`
162
+ |`deviceCustomFloatingPoint1Label` (`cfp1Label`)|`[cef][device_custom_floating_point_1][label]`
163
+ |`deviceCustomFloatingPoint2` (`cfp2`) |`[cef][device_custom_floating_point_2][value]`
164
+ |`deviceCustomFloatingPoint2Label` (`cfp2Label`)|`[cef][device_custom_floating_point_2][label]`
165
+ |`deviceCustomFloatingPoint3` (`cfp3`) |`[cef][device_custom_floating_point_3][value]`
166
+ |`deviceCustomFloatingPoint3Label` (`cfp3Label`)|`[cef][device_custom_floating_point_3][label]`
167
+ |`deviceCustomFloatingPoint4` (`cfp4`) |`[cef][device_custom_floating_point_4][value]`
168
+ |`deviceCustomFloatingPoint4Label` (`cfp4Label`)|`[cef][device_custom_floating_point_4][label]`
169
+ |`deviceCustomIPv6Address1` (`c6a1`) |`[cef][device_custom_ipv6_address_1][value]`
170
+ |`deviceCustomIPv6Address1Label` (`c6a1Label`) |`[cef][device_custom_ipv6_address_1][label]`
171
+ |`deviceCustomIPv6Address2` (`c6a2`) |`[cef][device_custom_ipv6_address_2][value]`
172
+ |`deviceCustomIPv6Address2Label` (`c6a2Label`) |`[cef][device_custom_ipv6_address_2][label]`
173
+ |`deviceCustomIPv6Address3` (`c6a3`) |`[cef][device_custom_ipv6_address_3][value]`
174
+ |`deviceCustomIPv6Address3Label` (`c6a3Label`) |`[cef][device_custom_ipv6_address_3][label]`
175
+ |`deviceCustomIPv6Address4` (`c6a4`) |`[cef][device_custom_ipv6_address_4][value]`
176
+ |`deviceCustomIPv6Address4Label` (`c6a4Label`) |`[cef][device_custom_ipv6_address_4][label]`
177
+ |`deviceCustomNumber1` (`cn1`) |`[cef][device_custom_number_1][value]`
178
+ |`deviceCustomNumber1Label` (`cn1Label`) |`[cef][device_custom_number_1][label]`
179
+ |`deviceCustomNumber2` (`cn2`) |`[cef][device_custom_number_2][value]`
180
+ |`deviceCustomNumber2Label` (`cn2Label`) |`[cef][device_custom_number_2][label]`
181
+ |`deviceCustomNumber3` (`cn3`) |`[cef][device_custom_number_3][value]`
182
+ |`deviceCustomNumber3Label` (`cn3Label`) |`[cef][device_custom_number_3][label]`
183
+ |`deviceCustomString1` (`cs1`) |`[cef][device_custom_string_1][value]`
184
+ |`deviceCustomString1Label` (`cs1Label`) |`[cef][device_custom_string_1][label]`
185
+ |`deviceCustomString2` (`cs2`) |`[cef][device_custom_string_2][value]`
186
+ |`deviceCustomString2Label` (`cs2Label`) |`[cef][device_custom_string_2][label]`
187
+ |`deviceCustomString3` (`cs3`) |`[cef][device_custom_string_3][value]`
188
+ |`deviceCustomString3Label` (`cs3Label`) |`[cef][device_custom_string_3][label]`
189
+ |`deviceCustomString4` (`cs4`) |`[cef][device_custom_string_4][value]`
190
+ |`deviceCustomString4Label` (`cs4Label`) |`[cef][device_custom_string_4][label]`
191
+ |`deviceCustomString5` (`cs5`) |`[cef][device_custom_string_5][value]`
192
+ |`deviceCustomString5Label` (`cs5Label`) |`[cef][device_custom_string_5][label]`
193
+ |`deviceCustomString6` (`cs6`) |`[cef][device_custom_string_6][value]`
194
+ |`deviceCustomString6Label` (`cs6Label`) |`[cef][device_custom_string_6][label]`
195
+ |`deviceDirection` |`[network][direction]`
196
+ .2+|`deviceDnsDomain` |`[observer][registered_domain]`
197
+
198
+ {cef-plugin-config-condition} `device => observer`.
199
+ |`[host][registered_domain]`
200
+
201
+ {cef-plugin-config-condition} `device => host`.
202
+ |`deviceEventCategory` (`cat`) |`[cef][category]`
203
+ .2+|`deviceExternalId` |`[observer][name]`
204
+
205
+ {cef-plugin-config-condition} `device => observer`.
206
+ |`[host][id]`
207
+
208
+ {cef-plugin-config-condition} `device => host`.
209
+ |`deviceFacility` |`[log][syslog][facility][code]`
210
+ .2+|`deviceHostName` (`dvchost`) |`[observer][hostname]`
211
+
212
+ {cef-plugin-config-condition} `device => observer`.
213
+ |`[host][name]`
214
+
215
+ {cef-plugin-config-condition} `device => host`.
216
+ |`deviceInboundInterface` |`[observer][ingress][interface][name]`
217
+ .2+|`deviceMacAddress` (`dvcmac`) |`[observer][mac]`
218
+
219
+ {cef-plugin-config-condition} `device => observer`.
220
+ |`[host][mac]`
221
+
222
+ {cef-plugin-config-condition} `device => host`.
223
+ |`deviceNtDomain` |`[cef][nt_domain]`
224
+ |`deviceOutboundInterface` |`[observer][egress][interface][name]`
225
+ |`devicePayloadId` |`[cef][payload_id]`
226
+ |`deviceProcessId` (`dvcpid`) |`[process][pid]`
227
+ |`deviceProcessName` |`[process][name]`
228
+ |`deviceReceiptTime` (`rt`) |`@timestamp`
229
+
230
+ {cef-normalize-timestamp}
231
+ |`deviceTimeZone` (`dtz`) |`[event][timezone]`
232
+ |`deviceTranslatedAddress` |`[host][nat][ip]`
233
+ |`deviceTranslatedZoneExternalID` |`[cef][translated_zone][external_id]`
234
+ |`deviceTranslatedZoneURI` |`[cef][translated_zone][uri]`
235
+ |`deviceVersion` |`[observer][version]`
236
+ |`deviceZoneExternalID` |`[cef][zone][external_id]`
237
+ |`deviceZoneURI` |`[cef][zone][uri]`
238
+ |`endTime` (`end`) |`[event][end]`
239
+
240
+ {cef-normalize-timestamp}
241
+ |`eventId` |`[event][id]`
242
+ |`eventOutcome` (`outcome`) |`[event][outcome]`
243
+ |`externalId` |`[cef][external_id]`
244
+ |`fileCreateTime` |`[file][created]`
245
+ |`fileHash` |`[file][hash]]`
246
+ |`fileId` |`[file][inode]`
247
+ |`fileModificationTime` |`[file][mtime]`
248
+
249
+ {cef-normalize-timestamp}
250
+ |`fileName` (`fname`) |`[file][name]`
251
+ |`filePath` |`[file][path]`
252
+ |`filePermission` |`[file][group]`
253
+ |`fileSize` (`fsize`) |`[file][size]`
254
+ |`fileType` |`[file][extension]`
255
+ |`managerReceiptTime` (`mrt`) |`[event][ingested]`
256
+
257
+ {cef-normalize-timestamp}
258
+ |`message` (`msg`) |`[message]`
259
+ |`oldFileCreateTime` |`[cef][old_file][created]`
260
+
261
+ {cef-normalize-timestamp}
262
+ |`oldFileHash` |`[cef][old_file][hash]`
263
+ |`oldFileId` |`[cef][old_file][inode]`
264
+ |`oldFileModificationTime` |`[cef][old_file][mtime]`
265
+
266
+ {cef-normalize-timestamp}
267
+ |`oldFileName` |`[cef][old_file][name]`
268
+ |`oldFilePath` |`[cef][old_file][path]`
269
+ |`oldFilePermission` |`[cef][old_file][group]`
270
+ |`oldFileSize` |`[cef][old_file][size]`
271
+ |`oldFileType` |`[cef][old_file][extension]`
272
+ |`rawEvent` |`[event][original]`
273
+ |`Reason` (`reason`) |`[event][reason]`
274
+ |`requestClientApplication` |`[user_agent][original]`
275
+ |`requestContext` |`[http][request][referrer]`
276
+ |`requestCookies` |`[cef][request][cookies]`
277
+ |`requestMethod` |`[http][request][method]`
278
+ |`requestUrl` (`request`) |`[url][original]`
279
+ |`sourceAddress` (`src`) |`[source][ip]`
280
+ |`sourceDnsDomain` |`[source][registered_domain]`
281
+
282
+ {cef-ambiguous-higher}
283
+ |`sourceGeoLatitude` (`slat`) |`[source][geo][location][lat]`
284
+ |`sourceGeoLongitude` (`slong`) |`[source][geo][location][lon]`
285
+ |`sourceHostName` (`shost`) |`[source][domain]`
286
+ |`sourceMacAddress` (`smac`) |`[source][mac]`
287
+ |`sourceNtDomain` (`sntdom`) |`[source][registered_domain]`
288
+
289
+ {cef-ambiguous-lower}
290
+ |`sourcePort` (`spt`) |`[source][port]`
291
+ |`sourceProcessId` (`spid`) |`[source][process][pid]`
292
+ |`sourceProcessName` (`sproc`) |`[source][process][name]`
293
+ |`sourceServiceName` |`[source][service][name]`
294
+ |`sourceTranslatedAddress` |`[source][nat][ip]`
295
+ |`sourceTranslatedPort` |`[source][nat][port]`
296
+ |`sourceTranslatedZoneExternalID` |`[cef][source][translated_zone][external_id]`
297
+ |`sourceTranslatedZoneURI` |`[cef][source][translated_zone][uri]`
298
+ |`sourceUserId` (`suid`) |`[source][user][id]`
299
+ |`sourceUserName` (`suser`) |`[source][user][name]`
300
+ |`sourceUserPrivileges` (`spriv`) |`[source][user][group][name]`
301
+ |`sourceZoneExternalID` |`[cef][source][zone][external_id]`
302
+ |`sourceZoneURI` |`[cef][source][zone][uri]`
303
+ |`startTime` (`start`) |`[event][start]`
304
+
305
+ {cef-normalize-timestamp}
306
+ |`transportProtocol` (`proto`) |`[network][transport]`
307
+ |`type` |`[cef][type]`
308
+ |=======================================================================================================================
309
+
310
+
65
311
  [id="plugins-{type}s-{plugin}-options"]
66
312
  ==== Cef Codec Configuration Options
67
313
 
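Review bot: the `fileHash` row has an unbalanced bracket, `|`fileHash` |`[file][hash]]`` should be `[file][hash]`; as written the rendered doc tells users to look for a field path that does not exist. Two smaller points in the same hunk: "The header fields from each CEF payload is expanded" should be "are expanded", and the `{cef-plugin-config-condition}` cells for `deviceAddress` (`device => observer` / `device => host`) lack the trailing period that every other `.2+|` row uses. The attribute text `pass:quotes[When plugin configured with]` would also read better as "When the plugin is configured with".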
@@ -258,4 +504,3 @@ to help you build a new value from other parts of the event.
258
504
  When this codec is used in an Output Plugin, this option can be used to specify the
259
505
  value of the device version field in CEF header. The new value can include `%{foo}` strings
260
506
  to help you build a new value from other parts of the event.
261
-
@@ -449,7 +449,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
449
449
  CEFField.new("deviceFacility", ecs_field: "[log][syslog][facility][code]"),
450
450
  CEFField.new("deviceHostName", key: "dvchost", ecs_field: (@device == 'host' ? '[host][name]' : '[observer][hostname]')),
451
451
  CEFField.new("deviceInboundInterface", ecs_field: "[observer][ingress][interface][name]"),
452
- CEFField.new("deviceMacAddress", key: "dvcmac", ecs_field: "[@device][mac]"),
452
+ CEFField.new("deviceMacAddress", key: "dvcmac", ecs_field: "[#{@device}][mac]"),
453
453
  CEFField.new("deviceNtDomain", ecs_field: "[cef][nt_domain]"),
454
454
  CEFField.new("deviceOutboundInterface", ecs_field: "[observer][egress][interface][name]"),
455
455
  CEFField.new("devicePayloadId", ecs_field: "[cef][payload_id]"),
@@ -1,7 +1,7 @@
1
1
  Gem::Specification.new do |s|
2
2
 
3
3
  s.name = 'logstash-codec-cef'
4
- s.version = '6.2.0'
4
+ s.version = '6.2.1'
5
5
  s.platform = 'java'
6
6
  s.licenses = ['Apache License (2.0)']
7
7
  s.summary = "Reads the ArcSight Common Event Format (CEF)."
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: logstash-codec-cef
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.2.0
4
+ version: 6.2.1
5
5
  platform: java
6
6
  authors:
7
7
  - Elastic
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-04-06 00:00:00.000000000 Z
11
+ date: 2021-04-28 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  requirement: !ruby/object:Gem::Requirement