logstash-codec-cef 6.2.6-java → 6.2.7-java
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/lib/logstash/codecs/cef.rb +5 -3
- data/logstash-codec-cef.gemspec +1 -1
- data/spec/codecs/cef_spec.rb +20 -0
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 01a376239bfb11df166dda071f0227e6f2d9765f51683771728c98b586a5fd7e
|
|
4
|
+
data.tar.gz: 1d3fd32cb4e91a8a90d1711aa680d9af0960a50fde8766da8b1d58227850698f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: e020603736e15555195a08e450e3507bb20ede46d4577d28ad1d9af1972983c74fed1b8367ff85125515466392854e87fb65d8be9968eba61766ca76eb70d391
|
|
7
|
+
data.tar.gz: 1fa60af07dabf0482c6ca8fcf0431c2358503042f8a6ade62824a4e638dcac831b293b47f2b93c933deb2a5cac995fb278623bfa0c547f3987c46e32ae28836c
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,6 @@
|
|
|
1
|
+
## 6.2.7
|
|
2
|
+
- Fix: when decoding in an ecs_compatibility mode, timestamp-normalized fields now handle provided-but-empty values [#102](https://github.com/logstash-plugins/logstash-codec-cef/issues/102)
|
|
3
|
+
|
|
1
4
|
## 6.2.6
|
|
2
5
|
- Fix: when decoding, escaped newlines and carriage returns in extension values are now correctly decoded into literal newlines and carriage returns respectively [#98](https://github.com/logstash-plugins/logstash-codec-cef/pull/98)
|
|
3
6
|
- Fix: when decoding, non-CEF payloads are identified and intercepted to prevent data-loss and corruption. They now cause a descriptive log message to be emitted, and are emitted as their own `_cefparsefailure`-tagged event containing the original bytes in its `message` field [#99](https://github.com/logstash-plugins/logstash-codec-cef/issues/99)
|
data/lib/logstash/codecs/cef.rb
CHANGED
|
@@ -201,7 +201,7 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
|
|
|
201
201
|
end
|
|
202
202
|
|
|
203
203
|
require_relative 'cef/timestamp_normalizer'
|
|
204
|
-
@
|
|
204
|
+
@timestamp_normalizer = TimestampNormalizer.new(locale: @locale, timezone: @default_timezone)
|
|
205
205
|
|
|
206
206
|
generate_header_fields!
|
|
207
207
|
generate_mappings!
|
|
@@ -604,9 +604,11 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
|
|
|
604
604
|
end
|
|
605
605
|
|
|
606
606
|
def normalize_timestamp(value, device_timezone_name)
|
|
607
|
-
value
|
|
607
|
+
return nil if value.nil? || value.to_s.strip.empty?
|
|
608
608
|
|
|
609
|
-
|
|
609
|
+
normalized = @timestamp_normalizer.normalize(value, device_timezone_name).iso8601(9)
|
|
610
|
+
|
|
611
|
+
LogStash::Timestamp.new(normalized)
|
|
610
612
|
rescue => e
|
|
611
613
|
@logger.error("Failed to parse CEF timestamp value `#{value}` (#{e.message})")
|
|
612
614
|
raise InvalidTimestamp.new("Not a valid CEF timestamp: `#{value}`")
|
data/logstash-codec-cef.gemspec
CHANGED
data/spec/codecs/cef_spec.rb
CHANGED
|
@@ -721,6 +721,26 @@ describe LogStash::Codecs::CEF do
|
|
|
721
721
|
end
|
|
722
722
|
end
|
|
723
723
|
|
|
724
|
+
context "timestamp-normalized fields" do
|
|
725
|
+
context 'empty values' do
|
|
726
|
+
let(:message_with_empty_start) { %Q{CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|Very-High| eventId=1 msg=Worm successfully stopped start=} }
|
|
727
|
+
if ecs_select.active_mode == :disabled
|
|
728
|
+
it 'leaves the empty value in-tact' do
|
|
729
|
+
decode_one(subject, message_with_empty_start) do |event|
|
|
730
|
+
expect(event.get('startTime')).to eq('')
|
|
731
|
+
end
|
|
732
|
+
end
|
|
733
|
+
else
|
|
734
|
+
it 'stores a nil value' do
|
|
735
|
+
decode_one(subject, message_with_empty_start) do |event|
|
|
736
|
+
expect(event).to include '[event][start]'
|
|
737
|
+
expect(event.get('[event][start]')).to be nil
|
|
738
|
+
end
|
|
739
|
+
end
|
|
740
|
+
end
|
|
741
|
+
end
|
|
742
|
+
end
|
|
743
|
+
|
|
724
744
|
let(:malformed_unescaped_equals_in_extension_value) { %q{CEF:0|FooBar|Web Gateway|1.2.3.45.67|200|Success|2|rt=Sep 07 2018 14:50:39 cat=Access Log dst=1.1.1.1 dhost=foo.example.com suser=redacted src=2.2.2.2 requestMethod=POST request='https://foo.example.com/bar/bingo/1' requestClientApplication='Foo-Bar/2018.1.7; Email:user@example.com; Guid:test=' cs1= cs1Label=Foo Bar} }
|
|
725
745
|
it 'should split correctly' do
|
|
726
746
|
decode_one(subject, malformed_unescaped_equals_in_extension_value) do |event|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-codec-cef
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.2.
|
|
4
|
+
version: 6.2.7
|
|
5
5
|
platform: java
|
|
6
6
|
authors:
|
|
7
7
|
- Elastic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2023-05-12 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -127,7 +127,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
127
127
|
- !ruby/object:Gem::Version
|
|
128
128
|
version: '0'
|
|
129
129
|
requirements: []
|
|
130
|
-
rubygems_version: 3.
|
|
130
|
+
rubygems_version: 3.2.33
|
|
131
131
|
signing_key:
|
|
132
132
|
specification_version: 4
|
|
133
133
|
summary: Reads the ArcSight Common Event Format (CEF).
|