Class: LogStash::Codecs::CEF

Inherits:
Base
  • Object
Defined in:
lib/logstash/codecs/cef.rb


Constructor Details

#initialize(params = {}) ⇒ CEF

Returns a new instance of CEF.



# File 'lib/logstash/codecs/cef.rb', line 12

# Constructs the codec. Nothing is configured here: the settings hash is
# handed straight to the base codec initializer, which owns validation.
#
# @param params [Hash] codec settings forwarded unchanged to the base class
def initialize(params={})
  super
end

Instance Method Details

#decode(data) {|event| ... } ⇒ Object

Yields:

  • (event)


# File 'lib/logstash/codecs/cef.rb', line 17

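# Parses one CEF line (optionally with a syslog prefix) into an event.
#
# @param data [String] the raw line, e.g.
#   %{SYSLOGDATE} %{HOST} CEF:Version|Device Vendor|Device Product|Device Version|SignatureID|Name|Severity|Extension
# @yield [event] the populated LogStash::Event; a line without a "CEF:"
#   marker yields an event carrying only the raw line in 'syslog'
# @return the value returned by the block
def decode(data)
  # %{SYSLOGDATE} %{HOST} CEF:Version|Device Vendor|Device Product|Device Version|SignatureID|Name|Severity|Extension
  event = LogStash::Event.new()

  # Anything in front of the "CEF:" marker is a syslog prefix and goes into
  # its own field. A line with no marker at all is not CEF: hand it back as
  # the syslog field only instead of failing with NoMethodError on nil.
  if data.start_with?('CEF:')
    cef = data
  else
    event['syslog'], cef = data.split('CEF:', 2)
    if cef.nil?
      yield event
      return
    end
  end
  # Drop the marker without mutating the caller's string (the old sub! did).
  cef = cef.sub(/\ACEF:/, '')

  # Split on unescaped "|" only, and at most 8 times: the extension is the
  # rest of the line and may itself contain unescaped pipes, which an
  # unbounded split silently discarded. Escaped pipes (\|) are kept verbatim.
  event['cef_version'], event['cef_vendor'], event['cef_product'],
    event['cef_device_version'], event['cef_sigid'], event['cef_name'],
    event['cef_severity'], message = cef.split(/(?<!\\)\|/, 8)

  # Strip any whitespace from the message (nil when the header is short)
  message = message.to_s.strip

  # Now parse the key value pairs into it
  if message.include?('=')
    # Splitting on " key=" keeps the first pair intact and leaves the
    # remaining keys and values interleaved.
    tokens = message.split(/ ([\w.]+)=/)
    first_key, first_value = tokens.shift.split('=', 2)
    extensions = { first_key => first_value }
    # A trailing "key=" with an empty value is dropped by String#split,
    # leaving an odd token count; pad so pairing cannot raise.
    tokens << '' if tokens.length.odd?
    tokens.each_slice(2) { |k, v| extensions[k] = v }

    # And save the new hash as the extensions
    event['cef_ext'] = extensions
  end
  yield event
end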

#encode(data) ⇒ Object



# File 'lib/logstash/codecs/cef.rb', line 45

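# Serializes an event as one CEF line and hands it to @on_event.
#
# Header fields (@signature, @name, @sev) and extension values are escaped
# per CEF before being joined, so a value containing "|", "=", "\" or a
# line break can neither shift the header columns nor terminate the record
# early and start a forged one.
#
# @param data the event to serialize; each name in @fields is read from it
#   through get_value(name, data)
# @return whatever @on_event returns
def encode(data)
  # "CEF:0|Elasticsearch|Logstash|1.0|Signature|Name|Sev|"

  # TODO: Need to check that fields are set!

  # Signature, Name, and Sev should be set in the config, with ref to fields
  # Should also probably set the fields sent

  # Header fields escape backslash and pipe in a single pass (so the added
  # backslashes are not escaped a second time); line breaks have no escape
  # form in the header and are collapsed to a space.
  header_field = ->(value) { value.to_s.gsub(/[\\|]/) { |m| "\\#{m}" }.gsub(/\r\n|\r|\n/, ' ') }
  # Extension values escape backslash and "=", and write CR/LF as the literal
  # two-character sequences \r and \n. Hash replacements are used verbatim by
  # gsub, so no backslash doubling is needed here.
  ext_escapes = { '\\' => '\\\\', '=' => '\\=', "\r" => '\\r', "\n" => '\\n' }
  ext_value = ->(value) { value.to_s.gsub(/[\\=\r\n]/, ext_escapes) }

  header = (["CEF:0", "Elasticsearch", "Logstash", "1.0"] + [@signature, @name, @sev].map(&header_field)).join("|")
  values = @fields.map { |name| ext_value.call(get_value(name, data)) }.join(" ")
  # values = values.map {|k,v| "#{k}=#{v}"}.join(" ")
  @on_event.call(header + " " + values + "\n")
end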