logstash-codec-cef 6.2.1-java → 6.2.2-java
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/docs/index.asciidoc +87 -1
- data/lib/logstash/codecs/cef.rb +14 -36
- data/logstash-codec-cef.gemspec +1 -1
- data/spec/codecs/cef_spec.rb +23 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d6769d2631f2bd27a0e5d4efebcdf5522eb2e1e843fef3d195ca804d4e68e1cb
|
|
4
|
+
data.tar.gz: 97a5acd21e5041dbb91129819ed13b4989f269acaccbc134a26be5c6a83535e6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7a1021a17d1c87f07bf61f5583acda25f69e69c7946191056d93f0c8c0e9f1ad3aea6489b14fb78754c92507114d588ba36513d7ba9d39e861550d02aeaa7cab
|
|
7
|
+
data.tar.gz: ff9ce9b27c9c4ae1cc5440cecd9e6113989507e030bf609683de344645536eb1a713149e70da2f87638dd553e493145c750f54e5e560d5b938829b8d0b6404e8
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,7 @@
|
|
|
1
|
+
## 6.2.2
|
|
2
|
+
- Fixed invalid Field Reference that could occur when ECS mode was enabled and the CEF field `fileHash` was parsed.
|
|
3
|
+
- Added expanded mapping for numbered `deviceCustom*` and `deviceCustom*Label` fields so that all now include numbers 1 through 15.
|
|
4
|
+
|
|
1
5
|
## 6.2.1
|
|
2
6
|
- Added field mapping to docs.
|
|
3
7
|
- Fixed ECS mapping of `deviceMacAddress` field.
|
data/docs/index.asciidoc
CHANGED
|
@@ -166,6 +166,28 @@ The following is a mapping between these fields.
|
|
|
166
166
|
|`deviceCustomFloatingPoint3Label` (`cfp3Label`)|`[cef][device_custom_floating_point_3][label]`
|
|
167
167
|
|`deviceCustomFloatingPoint4` (`cfp4`) |`[cef][device_custom_floating_point_4][value]`
|
|
168
168
|
|`deviceCustomFloatingPoint4Label` (`cfp4Label`)|`[cef][device_custom_floating_point_4][label]`
|
|
169
|
+
|`deviceCustomFloatingPoint5` (`cfp5`) |`[cef][device_custom_floating_point_5][value]`
|
|
170
|
+
|`deviceCustomFloatingPoint5Label` (`cfp5Label`)|`[cef][device_custom_floating_point_5][label]`
|
|
171
|
+
|`deviceCustomFloatingPoint6` (`cfp6`) |`[cef][device_custom_floating_point_6][value]`
|
|
172
|
+
|`deviceCustomFloatingPoint6Label` (`cfp6Label`)|`[cef][device_custom_floating_point_6][label]`
|
|
173
|
+
|`deviceCustomFloatingPoint7` (`cfp7`) |`[cef][device_custom_floating_point_7][value]`
|
|
174
|
+
|`deviceCustomFloatingPoint7Label` (`cfp7Label`)|`[cef][device_custom_floating_point_7][label]`
|
|
175
|
+
|`deviceCustomFloatingPoint8` (`cfp8`) |`[cef][device_custom_floating_point_8][value]`
|
|
176
|
+
|`deviceCustomFloatingPoint8Label` (`cfp8Label`)|`[cef][device_custom_floating_point_8][label]`
|
|
177
|
+
|`deviceCustomFloatingPoint9` (`cfp9`) |`[cef][device_custom_floating_point_9][value]`
|
|
178
|
+
|`deviceCustomFloatingPoint9Label` (`cfp9Label`)|`[cef][device_custom_floating_point_9][label]`
|
|
179
|
+
|`deviceCustomFloatingPoint10` (`cfp10`) |`[cef][device_custom_floating_point_10][value]`
|
|
180
|
+
|`deviceCustomFloatingPoint10Label` (`cfp10Label`)|`[cef][device_custom_floating_point_10][label]`
|
|
181
|
+
|`deviceCustomFloatingPoint11` (`cfp11`) |`[cef][device_custom_floating_point_11][value]`
|
|
182
|
+
|`deviceCustomFloatingPoint11Label` (`cfp11Label`)|`[cef][device_custom_floating_point_11][label]`
|
|
183
|
+
|`deviceCustomFloatingPoint12` (`cfp12`) |`[cef][device_custom_floating_point_12][value]`
|
|
184
|
+
|`deviceCustomFloatingPoint12Label` (`cfp12Label`)|`[cef][device_custom_floating_point_12][label]`
|
|
185
|
+
|`deviceCustomFloatingPoint13` (`cfp13`) |`[cef][device_custom_floating_point_13][value]`
|
|
186
|
+
|`deviceCustomFloatingPoint13Label` (`cfp13Label`)|`[cef][device_custom_floating_point_13][label]`
|
|
187
|
+
|`deviceCustomFloatingPoint14` (`cfp14`) |`[cef][device_custom_floating_point_14][value]`
|
|
188
|
+
|`deviceCustomFloatingPoint14Label` (`cfp14Label`)|`[cef][device_custom_floating_point_14][label]`
|
|
189
|
+
|`deviceCustomFloatingPoint15` (`cfp15`) |`[cef][device_custom_floating_point_15][value]`
|
|
190
|
+
|`deviceCustomFloatingPoint15Label` (`cfp15Label`)|`[cef][device_custom_floating_point_15][label]`
|
|
169
191
|
|`deviceCustomIPv6Address1` (`c6a1`) |`[cef][device_custom_ipv6_address_1][value]`
|
|
170
192
|
|`deviceCustomIPv6Address1Label` (`c6a1Label`) |`[cef][device_custom_ipv6_address_1][label]`
|
|
171
193
|
|`deviceCustomIPv6Address2` (`c6a2`) |`[cef][device_custom_ipv6_address_2][value]`
|
|
@@ -174,12 +196,58 @@ The following is a mapping between these fields.
|
|
|
174
196
|
|`deviceCustomIPv6Address3Label` (`c6a3Label`) |`[cef][device_custom_ipv6_address_3][label]`
|
|
175
197
|
|`deviceCustomIPv6Address4` (`c6a4`) |`[cef][device_custom_ipv6_address_4][value]`
|
|
176
198
|
|`deviceCustomIPv6Address4Label` (`c6a4Label`) |`[cef][device_custom_ipv6_address_4][label]`
|
|
199
|
+
|`deviceCustomIPv6Address5` (`c6a5`) |`[cef][device_custom_ipv6_address_5][value]`
|
|
200
|
+
|`deviceCustomIPv6Address5Label` (`c6a5Label`) |`[cef][device_custom_ipv6_address_5][label]`
|
|
201
|
+
|`deviceCustomIPv6Address6` (`c6a6`) |`[cef][device_custom_ipv6_address_6][value]`
|
|
202
|
+
|`deviceCustomIPv6Address6Label` (`c6a6Label`) |`[cef][device_custom_ipv6_address_6][label]`
|
|
203
|
+
|`deviceCustomIPv6Address7` (`c6a7`) |`[cef][device_custom_ipv6_address_7][value]`
|
|
204
|
+
|`deviceCustomIPv6Address7Label` (`c6a7Label`) |`[cef][device_custom_ipv6_address_7][label]`
|
|
205
|
+
|`deviceCustomIPv6Address8` (`c6a8`) |`[cef][device_custom_ipv6_address_8][value]`
|
|
206
|
+
|`deviceCustomIPv6Address8Label` (`c6a8Label`) |`[cef][device_custom_ipv6_address_8][label]`
|
|
207
|
+
|`deviceCustomIPv6Address9` (`c6a9`) |`[cef][device_custom_ipv6_address_9][value]`
|
|
208
|
+
|`deviceCustomIPv6Address9Label` (`c6a9Label`) |`[cef][device_custom_ipv6_address_9][label]`
|
|
209
|
+
|`deviceCustomIPv6Address10` (`c6a10`) |`[cef][device_custom_ipv6_address_10][value]`
|
|
210
|
+
|`deviceCustomIPv6Address10Label` (`c6a10Label`)|`[cef][device_custom_ipv6_address_10][label]`
|
|
211
|
+
|`deviceCustomIPv6Address11` (`c6a11`) |`[cef][device_custom_ipv6_address_11][value]`
|
|
212
|
+
|`deviceCustomIPv6Address11Label` (`c6a11Label`)|`[cef][device_custom_ipv6_address_11][label]`
|
|
213
|
+
|`deviceCustomIPv6Address12` (`c6a12`) |`[cef][device_custom_ipv6_address_12][value]`
|
|
214
|
+
|`deviceCustomIPv6Address12Label` (`c6a12Label`)|`[cef][device_custom_ipv6_address_12][label]`
|
|
215
|
+
|`deviceCustomIPv6Address13` (`c6a13`) |`[cef][device_custom_ipv6_address_13][value]`
|
|
216
|
+
|`deviceCustomIPv6Address13Label` (`c6a13Label`)|`[cef][device_custom_ipv6_address_13][label]`
|
|
217
|
+
|`deviceCustomIPv6Address14` (`c6a14`) |`[cef][device_custom_ipv6_address_14][value]`
|
|
218
|
+
|`deviceCustomIPv6Address14Label` (`c6a14Label`)|`[cef][device_custom_ipv6_address_14][label]`
|
|
219
|
+
|`deviceCustomIPv6Address15` (`c6a15`) |`[cef][device_custom_ipv6_address_15][value]`
|
|
220
|
+
|`deviceCustomIPv6Address15Label` (`c6a15Label`)|`[cef][device_custom_ipv6_address_15][label]`
|
|
177
221
|
|`deviceCustomNumber1` (`cn1`) |`[cef][device_custom_number_1][value]`
|
|
178
222
|
|`deviceCustomNumber1Label` (`cn1Label`) |`[cef][device_custom_number_1][label]`
|
|
179
223
|
|`deviceCustomNumber2` (`cn2`) |`[cef][device_custom_number_2][value]`
|
|
180
224
|
|`deviceCustomNumber2Label` (`cn2Label`) |`[cef][device_custom_number_2][label]`
|
|
181
225
|
|`deviceCustomNumber3` (`cn3`) |`[cef][device_custom_number_3][value]`
|
|
182
226
|
|`deviceCustomNumber3Label` (`cn3Label`) |`[cef][device_custom_number_3][label]`
|
|
227
|
+
|`deviceCustomNumber4` (`cn4`) |`[cef][device_custom_number_4][value]`
|
|
228
|
+
|`deviceCustomNumber4Label` (`cn4Label`) |`[cef][device_custom_number_4][label]`
|
|
229
|
+
|`deviceCustomNumber5` (`cn5`) |`[cef][device_custom_number_5][value]`
|
|
230
|
+
|`deviceCustomNumber5Label` (`cn5Label`) |`[cef][device_custom_number_5][label]`
|
|
231
|
+
|`deviceCustomNumber6` (`cn6`) |`[cef][device_custom_number_6][value]`
|
|
232
|
+
|`deviceCustomNumber6Label` (`cn6Label`) |`[cef][device_custom_number_6][label]`
|
|
233
|
+
|`deviceCustomNumber7` (`cn7`) |`[cef][device_custom_number_7][value]`
|
|
234
|
+
|`deviceCustomNumber7Label` (`cn7Label`) |`[cef][device_custom_number_7][label]`
|
|
235
|
+
|`deviceCustomNumber8` (`cn8`) |`[cef][device_custom_number_8][value]`
|
|
236
|
+
|`deviceCustomNumber8Label` (`cn8Label`) |`[cef][device_custom_number_8][label]`
|
|
237
|
+
|`deviceCustomNumber9` (`cn9`) |`[cef][device_custom_number_9][value]`
|
|
238
|
+
|`deviceCustomNumber9Label` (`cn9Label`) |`[cef][device_custom_number_9][label]`
|
|
239
|
+
|`deviceCustomNumber10` (`cn10`) |`[cef][device_custom_number_10][value]`
|
|
240
|
+
|`deviceCustomNumber10Label` (`cn10Label`) |`[cef][device_custom_number_10][label]`
|
|
241
|
+
|`deviceCustomNumber11` (`cn11`) |`[cef][device_custom_number_11][value]`
|
|
242
|
+
|`deviceCustomNumber11Label` (`cn11Label`) |`[cef][device_custom_number_11][label]`
|
|
243
|
+
|`deviceCustomNumber12` (`cn12`) |`[cef][device_custom_number_12][value]`
|
|
244
|
+
|`deviceCustomNumber12Label` (`cn12Label`) |`[cef][device_custom_number_12][label]`
|
|
245
|
+
|`deviceCustomNumber13` (`cn13`) |`[cef][device_custom_number_13][value]`
|
|
246
|
+
|`deviceCustomNumber13Label` (`cn13Label`) |`[cef][device_custom_number_13][label]`
|
|
247
|
+
|`deviceCustomNumber14` (`cn14`) |`[cef][device_custom_number_14][value]`
|
|
248
|
+
|`deviceCustomNumber14Label` (`cn14Label`) |`[cef][device_custom_number_14][label]`
|
|
249
|
+
|`deviceCustomNumber15` (`cn15`) |`[cef][device_custom_number_15][value]`
|
|
250
|
+
|`deviceCustomNumber15Label` (`cn15Label`) |`[cef][device_custom_number_15][label]`
|
|
183
251
|
|`deviceCustomString1` (`cs1`) |`[cef][device_custom_string_1][value]`
|
|
184
252
|
|`deviceCustomString1Label` (`cs1Label`) |`[cef][device_custom_string_1][label]`
|
|
185
253
|
|`deviceCustomString2` (`cs2`) |`[cef][device_custom_string_2][value]`
|
|
@@ -192,6 +260,24 @@ The following is a mapping between these fields.
|
|
|
192
260
|
|`deviceCustomString5Label` (`cs5Label`) |`[cef][device_custom_string_5][label]`
|
|
193
261
|
|`deviceCustomString6` (`cs6`) |`[cef][device_custom_string_6][value]`
|
|
194
262
|
|`deviceCustomString6Label` (`cs6Label`) |`[cef][device_custom_string_6][label]`
|
|
263
|
+
|`deviceCustomString7` (`cs7`) |`[cef][device_custom_string_7][value]`
|
|
264
|
+
|`deviceCustomString7Label` (`cs7Label`) |`[cef][device_custom_string_7][label]`
|
|
265
|
+
|`deviceCustomString8` (`cs8`) |`[cef][device_custom_string_8][value]`
|
|
266
|
+
|`deviceCustomString8Label` (`cs8Label`) |`[cef][device_custom_string_8][label]`
|
|
267
|
+
|`deviceCustomString9` (`cs9`) |`[cef][device_custom_string_9][value]`
|
|
268
|
+
|`deviceCustomString9Label` (`cs9Label`) |`[cef][device_custom_string_9][label]`
|
|
269
|
+
|`deviceCustomString10` (`cs10`) |`[cef][device_custom_string_10][value]`
|
|
270
|
+
|`deviceCustomString10Label` (`cs10Label`) |`[cef][device_custom_string_10][label]`
|
|
271
|
+
|`deviceCustomString11` (`cs11`) |`[cef][device_custom_string_11][value]`
|
|
272
|
+
|`deviceCustomString11Label` (`cs11Label`) |`[cef][device_custom_string_11][label]`
|
|
273
|
+
|`deviceCustomString12` (`cs12`) |`[cef][device_custom_string_12][value]`
|
|
274
|
+
|`deviceCustomString12Label` (`cs12Label`) |`[cef][device_custom_string_12][label]`
|
|
275
|
+
|`deviceCustomString13` (`cs13`) |`[cef][device_custom_string_13][value]`
|
|
276
|
+
|`deviceCustomString13Label` (`cs13Label`) |`[cef][device_custom_string_13][label]`
|
|
277
|
+
|`deviceCustomString14` (`cs14`) |`[cef][device_custom_string_14][value]`
|
|
278
|
+
|`deviceCustomString14Label` (`cs14Label`) |`[cef][device_custom_string_14][label]`
|
|
279
|
+
|`deviceCustomString15` (`cs15`) |`[cef][device_custom_string_15][value]`
|
|
280
|
+
|`deviceCustomString15Label` (`cs15Label`) |`[cef][device_custom_string_15][label]`
|
|
195
281
|
|`deviceDirection` |`[network][direction]`
|
|
196
282
|
.2+|`deviceDnsDomain` |`[observer][registered_domain]`
|
|
197
283
|
|
|
@@ -242,7 +328,7 @@ The following is a mapping between these fields.
|
|
|
242
328
|
|`eventOutcome` (`outcome`) |`[event][outcome]`
|
|
243
329
|
|`externalId` |`[cef][external_id]`
|
|
244
330
|
|`fileCreateTime` |`[file][created]`
|
|
245
|
-
|`fileHash` |`[file][hash]
|
|
331
|
+
|`fileHash` |`[file][hash]`
|
|
246
332
|
|`fileId` |`[file][inode]`
|
|
247
333
|
|`fileModificationTime` |`[file][mtime]`
|
|
248
334
|
|
data/lib/logstash/codecs/cef.rb
CHANGED
|
@@ -408,40 +408,18 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
|
|
|
408
408
|
CEFField.new("destinationZoneURI", ecs_field: "[cef][destination][zone][uri]"),
|
|
409
409
|
CEFField.new("deviceAction", key: "act", ecs_field: "[event][action]"),
|
|
410
410
|
CEFField.new("deviceAddress", key: "dvc", ecs_field: "[#{@device}][ip]"),
|
|
411
|
-
|
|
412
|
-
|
|
413
|
-
|
|
414
|
-
|
|
415
|
-
|
|
416
|
-
|
|
417
|
-
|
|
418
|
-
|
|
419
|
-
|
|
420
|
-
|
|
421
|
-
|
|
422
|
-
|
|
423
|
-
CEFField.new("deviceCustomIPv6Address3", key: "c6a3", ecs_field: "[cef][device_custom_ipv6_address_3][value]"),
|
|
424
|
-
CEFField.new("deviceCustomIPv6Address3Label", key: "c6a3Label", ecs_field: "[cef][device_custom_ipv6_address_3][label]"),
|
|
425
|
-
CEFField.new("deviceCustomIPv6Address4", key: "c6a4", ecs_field: "[cef][device_custom_ipv6_address_4][value]"),
|
|
426
|
-
CEFField.new("deviceCustomIPv6Address4Label", key: "c6a4Label", ecs_field: "[cef][device_custom_ipv6_address_4][label]"),
|
|
427
|
-
CEFField.new("deviceCustomNumber1", key: "cn1", ecs_field: "[cef][device_custom_number_1][value]"),
|
|
428
|
-
CEFField.new("deviceCustomNumber1Label", key: "cn1Label", ecs_field: "[cef][device_custom_number_1][label]"),
|
|
429
|
-
CEFField.new("deviceCustomNumber2", key: "cn2", ecs_field: "[cef][device_custom_number_2][value]"),
|
|
430
|
-
CEFField.new("deviceCustomNumber2Label", key: "cn2Label", ecs_field: "[cef][device_custom_number_2][label]"),
|
|
431
|
-
CEFField.new("deviceCustomNumber3", key: "cn3", ecs_field: "[cef][device_custom_number_3][value]"),
|
|
432
|
-
CEFField.new("deviceCustomNumber3Label", key: "cn3Label", ecs_field: "[cef][device_custom_number_3][label]"),
|
|
433
|
-
CEFField.new("deviceCustomString1", key: "cs1", ecs_field: "[cef][device_custom_string_1][value]"),
|
|
434
|
-
CEFField.new("deviceCustomString1Label", key: "cs1Label", ecs_field: "[cef][device_custom_string_1][label]"),
|
|
435
|
-
CEFField.new("deviceCustomString2", key: "cs2", ecs_field: "[cef][device_custom_string_2][value]"),
|
|
436
|
-
CEFField.new("deviceCustomString2Label", key: "cs2Label", ecs_field: "[cef][device_custom_string_2][label]"),
|
|
437
|
-
CEFField.new("deviceCustomString3", key: "cs3", ecs_field: "[cef][device_custom_string_3][value]"),
|
|
438
|
-
CEFField.new("deviceCustomString3Label", key: "cs3Label", ecs_field: "[cef][device_custom_string_3][label]"),
|
|
439
|
-
CEFField.new("deviceCustomString4", key: "cs4", ecs_field: "[cef][device_custom_string_4][value]"),
|
|
440
|
-
CEFField.new("deviceCustomString4Label", key: "cs4Label", ecs_field: "[cef][device_custom_string_4][label]"),
|
|
441
|
-
CEFField.new("deviceCustomString5", key: "cs5", ecs_field: "[cef][device_custom_string_5][value]"),
|
|
442
|
-
CEFField.new("deviceCustomString5Label", key: "cs5Label", ecs_field: "[cef][device_custom_string_5][label]"),
|
|
443
|
-
CEFField.new("deviceCustomString6", key: "cs6", ecs_field: "[cef][device_custom_string_6][value]"),
|
|
444
|
-
CEFField.new("deviceCustomString6Label", key: "cs6Label", ecs_field: "[cef][device_custom_string_6][label]"),
|
|
411
|
+
(1..15).map do |idx|
|
|
412
|
+
[
|
|
413
|
+
CEFField.new("deviceCustomFloatingPoint#{idx}", key: "cfp#{idx}", ecs_field: "[cef][device_custom_floating_point_#{idx}][value]"),
|
|
414
|
+
CEFField.new("deviceCustomFloatingPoint#{idx}Label", key: "cfp#{idx}Label", ecs_field: "[cef][device_custom_floating_point_#{idx}][label]"),
|
|
415
|
+
CEFField.new("deviceCustomIPv6Address#{idx}", key: "c6a#{idx}", ecs_field: "[cef][device_custom_ipv6_address_#{idx}][value]"),
|
|
416
|
+
CEFField.new("deviceCustomIPv6Address#{idx}Label", key: "c6a#{idx}Label", ecs_field: "[cef][device_custom_ipv6_address_#{idx}][label]"),
|
|
417
|
+
CEFField.new("deviceCustomNumber#{idx}", key: "cn#{idx}", ecs_field: "[cef][device_custom_number_#{idx}][value]"),
|
|
418
|
+
CEFField.new("deviceCustomNumber#{idx}Label", key: "cn#{idx}Label", ecs_field: "[cef][device_custom_number_#{idx}][label]"),
|
|
419
|
+
CEFField.new("deviceCustomString#{idx}", key: "cs#{idx}", ecs_field: "[cef][device_custom_string_#{idx}][value]"),
|
|
420
|
+
CEFField.new("deviceCustomString#{idx}Label", key: "cs#{idx}Label", ecs_field: "[cef][device_custom_string_#{idx}][label]"),
|
|
421
|
+
]
|
|
422
|
+
end,
|
|
445
423
|
CEFField.new("deviceDirection", ecs_field: "[network][direction]"),
|
|
446
424
|
CEFField.new("deviceDnsDomain", ecs_field: "[#{@device}][registered_domain]", priority: 10),
|
|
447
425
|
CEFField.new("deviceEventCategory", key: "cat", ecs_field: "[cef][category]"),
|
|
@@ -468,7 +446,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
|
|
|
468
446
|
CEFField.new("eventOutcome", key: "outcome", ecs_field: "[event][outcome]"),
|
|
469
447
|
CEFField.new("externalId", ecs_field: "[cef][external_id]"),
|
|
470
448
|
CEFField.new("fileCreateTime", ecs_field: "[file][created]"),
|
|
471
|
-
CEFField.new("fileHash", ecs_field: "[file][hash]
|
|
449
|
+
CEFField.new("fileHash", ecs_field: "[file][hash]"),
|
|
472
450
|
CEFField.new("fileId", ecs_field: "[file][inode]"),
|
|
473
451
|
CEFField.new("fileModificationTime", ecs_field: "[file][mtime]", normalize: :timestamp),
|
|
474
452
|
CEFField.new("fileName", key: "fname", ecs_field: "[file][name]"),
|
|
@@ -517,7 +495,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
|
|
|
517
495
|
CEFField.new("startTime", key: "start", ecs_field: "[event][start]", normalize: :timestamp),
|
|
518
496
|
CEFField.new("transportProtocol", key: "proto", ecs_field: "[network][transport]"),
|
|
519
497
|
CEFField.new("type", ecs_field: "[cef][type]"),
|
|
520
|
-
].sort_by(&:priority).each do |cef|
|
|
498
|
+
].flatten.sort_by(&:priority).each do |cef|
|
|
521
499
|
field_name = ecs_select[disabled:cef.name, v1:cef.ecs_field]
|
|
522
500
|
|
|
523
501
|
# whether the source is a cef_key or cef_name, normalize to field_name
|
data/logstash-codec-cef.gemspec
CHANGED
data/spec/codecs/cef_spec.rb
CHANGED
|
@@ -780,6 +780,29 @@ describe LogStash::Codecs::CEF do
|
|
|
780
780
|
end
|
|
781
781
|
end
|
|
782
782
|
|
|
783
|
+
let(:log_with_fileHash) { "Syslogdate Sysloghost CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|fileHash=1bad1dea" }
|
|
784
|
+
it 'decodes fileHash to [file][hash]' do
|
|
785
|
+
decode_one(subject, log_with_fileHash) do |e|
|
|
786
|
+
validate(e)
|
|
787
|
+
insist { e.get(ecs_select[disabled:"fileHash", v1:"[file][hash]"]) } == "1bad1dea"
|
|
788
|
+
end
|
|
789
|
+
end
|
|
790
|
+
|
|
791
|
+
let(:log_with_custom_typed_fields) { "Syslogdate Sysloghost CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|cfp15=3.1415926 cfp15Label=pi c6a12=::1 c6a12Label=localhost cn7=8191 cn7Label=mersenne cs4=silly cs4Label=theory" }
|
|
792
|
+
it 'decodes to mapped numbered fields' do
|
|
793
|
+
decode_one(subject, log_with_custom_typed_fields) do |e|
|
|
794
|
+
validate(e)
|
|
795
|
+
insist { e.get(ecs_select[disabled: "deviceCustomFloatingPoint15", v1: "[cef][device_custom_floating_point_15][value]"]) } == "3.1415926"
|
|
796
|
+
insist { e.get(ecs_select[disabled: "deviceCustomFloatingPoint15Label", v1: "[cef][device_custom_floating_point_15][label]"]) } == "pi"
|
|
797
|
+
insist { e.get(ecs_select[disabled: "deviceCustomIPv6Address12", v1: "[cef][device_custom_ipv6_address_12][value]"]) } == "::1"
|
|
798
|
+
insist { e.get(ecs_select[disabled: "deviceCustomIPv6Address12Label", v1: "[cef][device_custom_ipv6_address_12][label]"]) } == "localhost"
|
|
799
|
+
insist { e.get(ecs_select[disabled: "deviceCustomNumber7", v1: "[cef][device_custom_number_7][value]"]) } == "8191"
|
|
800
|
+
insist { e.get(ecs_select[disabled: "deviceCustomNumber7Label", v1: "[cef][device_custom_number_7][label]"]) } == "mersenne"
|
|
801
|
+
insist { e.get(ecs_select[disabled: "deviceCustomString4", v1: "[cef][device_custom_string_4][value]"]) } == "silly"
|
|
802
|
+
insist { e.get(ecs_select[disabled: "deviceCustomString4Label", v1: "[cef][device_custom_string_4][label]"]) } == "theory"
|
|
803
|
+
end
|
|
804
|
+
end
|
|
805
|
+
|
|
783
806
|
context 'with UTF-8 message' do
|
|
784
807
|
let(:message) { 'CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|src=192.168.1.11 target=aaaaaああああaaaa msg=Description Omitted' }
|
|
785
808
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-codec-cef
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.2.
|
|
4
|
+
version: 6.2.2
|
|
5
5
|
platform: java
|
|
6
6
|
authors:
|
|
7
7
|
- Elastic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-
|
|
11
|
+
date: 2021-06-22 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|