Class: CEF::Event

Inherits:

Object

• Object
• CEF::Event

Defined in:

lib/cef/event.rb

Instance Attribute Summary

• #event_time ⇒ Object

  Returns the value of attribute event_time.

• #my_hostname ⇒ Object

  Returns the value of attribute my_hostname.

• #syslog_pri ⇒ Object

  Returns the value of attribute syslog_pri.

Instance Method Summary

• #attrs ⇒ Object
• #escape_extension_value(val) ⇒ Object

  only equals signs need to be escaped in the extension.

• #escape_prefix_value(val) ⇒ Object

  escape only pipes and backslashes in the prefix.

• #format_extension ⇒ Object

  returns a space-delimeted list of attribute=value pairs for all optionals.

• #format_prefix ⇒ Object

  returns a pipe-delimeted list of prefix attributes.

• #get_additional(k, v) ⇒ Object
• #initialize(*params) {|_self| ... } ⇒ Event constructor

  so we can CEF::Event.new(:foo=>“bar”).

• #set_additional(k, v) ⇒ Object

  used for non-schema fields.

• #to_s ⇒ Object

  returns a cef formatted string.

Constructor Details

#initialize(*params) {|_self| ... } ⇒ Event

so we can CEF::Event.new(:foo=>“bar”)

Yields:

• (_self)

Yield Parameters:

• _self (CEF::Event) —

  the object that the method was called on

# File 'lib/cef/event.rb', line 16

def initialize( *params )
  @event_time         = Time.new
  @deviceVendor       = "breed.org"
  @deviceProduct      = "CEF"
  @deviceVersion      = CEF::VERSION
  @deviceEventClassId = "0:event"
  @deviceSeverity     = CEF::SEVERITY_LOW
  @name               = "unnamed event"
  # used to avoid requiring syslog.h on windoze
  #syslog_pri= Syslog::LOG_LOCAL0 | Syslog::LOG_NOTICE
  @syslog_pri         = 131
  @my_hostname        = Socket::gethostname
  @other_attrs={}
  @additional={}
  Hash[*params].each { |k,v| self.send("%s="%k,v) }
  yield self if block_given?
  self
end

Instance Attribute Details

#event_time ⇒ Object

Returns the value of attribute event_time.

# File 'lib/cef/event.rb', line 3

def event_time
  @event_time
end

#my_hostname ⇒ Object

Returns the value of attribute my_hostname.

# File 'lib/cef/event.rb', line 3

def my_hostname
  @my_hostname
end

#syslog_pri ⇒ Object

Returns the value of attribute syslog_pri.

# File 'lib/cef/event.rb', line 3

def syslog_pri
  @syslog_pri
end

Instance Method Details

#attrs ⇒ Object

# File 'lib/cef/event.rb', line 11

def attrs
  CEF::ATTRIBUTES
end

#escape_extension_value(val) ⇒ Object

only equals signs need to be escaped in the extension. i think. TODO: something in the spec about n and some others.

# File 'lib/cef/event.rb', line 97

def escape_extension_value(val)
  escapes = {
    %r{=}  => '\=',
    %r{\n} => ' ',
    %r{\\} => '\\'
  }
  escapes.reduce(val) do |memo,replace|
    memo=memo.gsub(*replace)
  end
end

#escape_prefix_value(val) ⇒ Object

escape only pipes and backslashes in the prefix. you bet your sweet ass there’s a lot of backslashes in the substitution. you can thank the three levels of lexical analysis/substitution in the ruby interpreter for that.

# File 'lib/cef/event.rb', line 86

def escape_prefix_value(val)
  escapes={
    %r{(\||\\)} => '\\\\\&'
  }
  escapes.reduce(val) do|memo,replace|
    memo=memo.gsub(*replace)
  end
end

#format_extension ⇒ Object

returns a space-delimeted list of attribute=value pairs for all optionals

# File 'lib/cef/event.rb', line 118

def format_extension
  extensions = CEF::EXTENSION_ATTRIBUTES.keys.map do |meth|
    value = self.send(meth)
    next if value.nil?
    shortname = CEF::EXTENSION_ATTRIBUTES[meth]
    [shortname, escape_extension_value(value)].join("=")
  end

  # make sure time comes out as milliseconds since epoch
  times = CEF::TIME_ATTRIBUTES.keys.map do |meth|
    value = self.send(meth)
    next if value.nil?
    shortname = CEF::TIME_ATTRIBUTES[meth]
    [shortname, escape_extension_value(value)].join("=")
  end
  (extensions + times).compact.join(" ")
end

#format_prefix ⇒ Object

returns a pipe-delimeted list of prefix attributes

# File 'lib/cef/event.rb', line 109

def format_prefix
  values = CEF::PREFIX_ATTRIBUTES.keys.map { |k| self.send(k) }
  escaped = values.map do |value|
    escape_prefix_value(value)
  end
  escaped.join('|')
end

#get_additional(k, v) ⇒ Object

# File 'lib/cef/event.rb', line 53

def get_additional(k,v)
  @additional[k]
end

#set_additional(k, v) ⇒ Object

used for non-schema fields

# File 'lib/cef/event.rb', line 50

def set_additional(k,v)
  @additional[k]=v
end

#to_s ⇒ Object

returns a cef formatted string

# File 'lib/cef/event.rb', line 36

def to_s
  log_time=event_time.strftime(CEF::LOG_TIME_FORMAT)
  
  sprintf(
    CEF::LOG_FORMAT,
    syslog_pri.to_s,
    log_time,
    my_hostname,
    format_prefix,
    format_extension
  )
end