Class: LogStash::Codecs::CEF

Inherits:
Base
  • Object
Defined in:
lib/logstash/codecs/cef.rb


Constructor Details

#initialize(params = {}) ⇒ CEF

Returns a new instance of CEF.



# File 'lib/logstash/codecs/cef.rb', line 12

# Build the codec. All configuration handling is delegated to the Base
# codec; nothing CEF-specific is set up here.
#
# @param params [Hash] plugin configuration, passed through to Base#initialize
def initialize(params = {})
    # bare super forwards this method's own arguments (params) unchanged
    super
end

Instance Method Details

#decode(data) {|event| ... } ⇒ Object

Yields:

  • (event)


# File 'lib/logstash/codecs/cef.rb', line 17

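# Parse one CEF line into a LogStash::Event and yield it.
#
# The input is untrusted log data (typically arriving over syslog/TCP), so
# every step tolerates malformed lines instead of raising: a line with fewer
# than eight pipe-delimited fields yields an event whose missing header
# fields are nil, and an empty (or quote-only) line yields an event with
# cef_version == "". Previously such lines raised NoMethodError on nil,
# letting a single bad line knock the codec over.
#
# Layout handled:
#   [<syslog header> ]CEF:<ver>|vendor|product|device_version|sigid|name|severity|key=value key=value ...
#
# @param data [String] one raw CEF line
# @yield [event] the populated LogStash::Event
def decode(data)
    data = data.to_s

    # Some flex connectors wrap the whole line in double quotes. Only drop the
    # trailing character when it really is a quote; otherwise the last
    # character of the extension would be lost.
    if data.start_with?('"')
        data = data[1..-1]
        data = data[0..-2] if data.end_with?('"')
    end

    event = LogStash::Event.new()

    # Split on pipes that are not backslash-escaped. The limit of 8 keeps
    # everything after the seventh delimiter inside the extension: the CEF
    # spec does not require pipes to be escaped there, and without the limit
    # any "|" in the extension silently truncated it. Escaped pipes are left
    # escaped in the header fields, as before.
    version, vendor, product, device_version, sigid, name, severity, message =
        data.split(/(?<!\\)\|/, 8)

    # Optional syslog header in front of "CEF:0". The version token is always
    # the last whitespace-delimited token before the first pipe, so take the
    # last token rather than the second (a header such as
    # "<13>Jan  1 00:00:00 host" has more than one token).
    version = version.to_s
    if version.include?(' ')
        *syslog, version = version.split(' ')
        version = version.to_s
        event['syslog'] = syslog.join(' ') unless syslog.empty?
    end

    # Keep only the number from "CEF:0"; anchored to the start of the string,
    # not of a line, so an embedded newline cannot move the match.
    event['cef_version'] = version.sub(/\ACEF:/, '')
    event['cef_vendor'] = vendor
    event['cef_product'] = product
    event['cef_device_version'] = device_version
    event['cef_sigid'] = sigid
    event['cef_name'] = name
    event['cef_severity'] = severity

    # Extension: "key=value" pairs separated by spaces. Splitting on " <key>="
    # (key = word characters or dots) keeps spaces inside values intact. The
    # negative limit retains a trailing empty value for a final "key=", so the
    # pair list stays even and the value is "" rather than a stray " ".
    message = message.to_s.strip
    if message.include?('=')
        pairs = message.split(/ ([\w\.]+)=/, -1)
        first_key, first_value = pairs.shift.split('=', 2)
        extensions = { first_key => first_value }
        # each_slice tolerates an odd leftover (value nil) instead of raising
        pairs.each_slice(2) { |k, v| extensions[k] = v }
        event['cef_ext'] = extensions
    end

    yield event
end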

#encode(data) ⇒ Object



# File 'lib/logstash/codecs/cef.rb', line 62

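# Serialise an event as one CEF line and hand it to @on_event.
#
# Output shape (the extension part is still unfinished, see the TODOs):
#   "CEF:0|Elasticsearch|Logstash|1.0|<@signature>|<@name>|<@sev> v1 v2 ...\n"
#
# @signature, @name, @sev, @fields and @on_event are expected to be set by
# the codec configuration, which is not visible in this file; get_value is
# a helper defined elsewhere.
#
# TODO: Need to check that those fields are set before encoding!
# TODO: the extension currently holds bare values joined by spaces; CEF
#       expects "key=value" pairs (with "=" inside values escaped as "\=").
#
# @param data [LogStash::Event] the event to serialise
def encode(data)
    # Header fields are escaped as the CEF spec requires ("\" -> "\\",
    # "|" -> "\|") so a configured value cannot add or shift header columns.
    header_escape = lambda { |field| field.to_s.gsub(/[\\|]/) { |c| "\\#{c}" } }
    header = [
        "CEF:0", "Elasticsearch", "Logstash", "1.0",
        header_escape.call(@signature), header_escape.call(@name), header_escape.call(@sev)
    ].join("|")

    # Event values are untrusted log data: a raw CR/LF would let one event
    # emit what a line-oriented consumer reads as several CEF records (log
    # injection). Backslashes and line breaks are therefore written in the
    # CEF escaped form ("\\", "\r", "\n").
    value_escape = lambda do |value|
        value.to_s.gsub("\\") { "\\\\" }.gsub("\r") { "\\r" }.gsub("\n") { "\\n" }
    end
    values = @fields.map { |name| value_escape.call(get_value(name, data)) }.join(" ")

    @on_event.call(header + " " + values + "\n")
end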