Class: CEF::Event

Inherits:

Object

• Object
• CEF::Event

Defined in:

lib/cef/event.rb

Instance Attribute Summary

• #event_time ⇒ Object

  Returns the value of attribute event_time.

• #my_hostname ⇒ Object

  Returns the value of attribute my_hostname.

• #syslog_pri ⇒ Object

  Returns the value of attribute syslog_pri.

Instance Method Summary

• #attrs ⇒ Object
• #escape_extension_value(val) ⇒ Object

  only equals signs need to be escaped in the extension.

• #escape_prefix_value(val) ⇒ Object

  escape only pipes and backslashes in the prefix.

• #format_extension ⇒ Object

  returns a space-delimeted list of attribute=value pairs for all optionals.

• #format_prefix ⇒ Object

  returns a pipe-delimeted list of prefix attributes.

• #get_additional(k, v) ⇒ Object
• #initialize(*params) {|_self| ... } ⇒ Event constructor

  so we can CEF::Event.new(:foo=>“bar”).

• #set_additional(k, v) ⇒ Object

  used for non-schema fields.

• #time_convert(val) ⇒ Object

  make a guess as to how the time was set.

• #to_s ⇒ Object

  returns a cef formatted string.

Constructor Details

#initialize(*params) {|_self| ... } ⇒ Event

so we can CEF::Event.new(:foo=>“bar”)

Yields:

• (_self)

Yield Parameters:

• _self (CEF::Event) —

  the object that the method was called on

# File 'lib/cef/event.rb', line 16

def initialize( *params )
  @event_time         = Time.new
  @deviceVendor       = "breed.org"
  @deviceProduct      = "CEF"
  @deviceVersion      = CEF::VERSION
  @deviceEventClassId = "0:event"
  @deviceSeverity     = CEF::SEVERITY_LOW
  @name               = "unnamed event"
  # used to avoid requiring syslog.h on windoze
  #syslog_pri= Syslog::LOG_LOCAL0 | Syslog::LOG_NOTICE
  @syslog_pri         = 131
  @my_hostname        = Socket::gethostname
  @other_attrs={}
  @additional={}
  Hash[*params].each { |k,v| self.send("%s="%k,v) }
  yield self if block_given?
  self
end

Instance Attribute Details

#event_time ⇒ Object

Returns the value of attribute event_time.

# File 'lib/cef/event.rb', line 3

def event_time
  @event_time
end

#my_hostname ⇒ Object

Returns the value of attribute my_hostname.

# File 'lib/cef/event.rb', line 3

def my_hostname
  @my_hostname
end

#syslog_pri ⇒ Object

Returns the value of attribute syslog_pri.

# File 'lib/cef/event.rb', line 3

def syslog_pri
  @syslog_pri
end

Instance Method Details

#attrs ⇒ Object

# File 'lib/cef/event.rb', line 11

def attrs
  CEF::ATTRIBUTES
end

#escape_extension_value(val) ⇒ Object

only equals signs need to be escaped in the extension. i think. TODO: something in the spec about n and some others.

# File 'lib/cef/event.rb', line 97

def escape_extension_value(val)
  escapes = {
    %r{=}  => '\=',
    %r{\n} => ' ',
    %r{\\} => '\\'
  }
  escapes.reduce(val) do |memo,replace|
    memo=memo.gsub(*replace)
  end
end

#escape_prefix_value(val) ⇒ Object

escape only pipes and backslashes in the prefix. you bet your sweet ass there’s a lot of backslashes in the substitution. you can thank the three levels of lexical analysis/substitution in the ruby interpreter for that.

# File 'lib/cef/event.rb', line 86

def escape_prefix_value(val)
  escapes={
    %r{(\||\\)} => '\\\\\&'
  }
  escapes.reduce(val) do|memo,replace|
    memo=memo.gsub(*replace)
  end
end

#format_extension ⇒ Object

returns a space-delimeted list of attribute=value pairs for all optionals

# File 'lib/cef/event.rb', line 119

def format_extension
  
  extensions=CEF::EXTENSION_ATTRIBUTES.keys.map do |meth|
    value=self.send(meth)
    next if value.nil?
    shortname=CEF::EXTENSION_ATTRIBUTES[meth]
    [shortname,value].join("=")
  end

  # make sure time comes out as milliseconds since epoch
  times=CEF::TIME_ATTRIBUTES.keys.map do |meth|
    value=self.send(meth)
    next if value.nil?
    shortname = CEF::TIME_ATTRIBUTES[meth]
    [shortname,value].join("=")
  end
  (extensions + times).compact.join(" ")
end

#format_prefix ⇒ Object

returns a pipe-delimeted list of prefix attributes

# File 'lib/cef/event.rb', line 109

def format_prefix
  values  = CEF::PREFIX_ATTRIBUTES.keys.map {|k| self.send(k) }
  escaped = values.map do |value|
    escape_prefix_value(value)
  end
  escaped.join('|')

end

#get_additional(k, v) ⇒ Object

# File 'lib/cef/event.rb', line 53

def get_additional(k,v)
  @additional[k]
end

#set_additional(k, v) ⇒ Object

used for non-schema fields

# File 'lib/cef/event.rb', line 50

def set_additional(k,v)
  @additional[k]=v
end

#time_convert(val) ⇒ Object

make a guess as to how the time was set. parse strings and convert them to epoch milliseconds, or leave it alone if it looks like a number bigger than epoch milliseconds when i wrote this.

# File 'lib/cef/event.rb', line 61

def time_convert(val)
       
  converted=case val
    when String
      if val.match(%r{\A[0-9]+\Z})
        converted=val.to_i
      else
        res=Chronic.parse(val)
        converted=Time.at(res).to_i * 1000
      end
    when Integer,Bignum
      if val < 1232589621000 #Wed Jan 21 20:00:21 -0600 2009
        val * 1000
      else
        val
      end
    end
  
end

#to_s ⇒ Object

returns a cef formatted string

# File 'lib/cef/event.rb', line 36

def to_s
  log_time=event_time.strftime(CEF::LOG_TIME_FORMAT)
  
  cef_message=sprintf(
    CEF::LOG_FORMAT,
    syslog_pri.to_s,
    log_time,
    my_hostname,
    format_prefix,
    format_extension
  )
end