Class: LogStash::Codecs::CEF

Inherits:
Base
  • Object
Defined in:
lib/logstash/codecs/cef.rb


Constructor Details

#initialize(params = {}) ⇒ CEF

Returns a new instance of CEF.



# File 'lib/logstash/codecs/cef.rb', line 53

# Builds the codec, delegating all configuration handling to the Base codec.
#
# @param params [Hash] codec settings, passed through unchanged to the superclass
def initialize(params = {})
  super
end

Instance Method Details

#decode(data) {|event| ... } ⇒ Object

Yields:

  • (event)


# File 'lib/logstash/codecs/cef.rb', line 58

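# Decodes one raw CEF record (optionally prefixed by a syslog header) into an event.
#
# The header is split on unescaped pipes into the seven fixed CEF fields; everything
# after the seventh pipe is the extension block, which is parsed into the 'cef_ext'
# hash as key=value pairs. `data` is wire input from arbitrary senders, so malformed
# records (empty string, fewer than seven pipes, a trailing "key=") must not raise here.
#
# @param data [String] one raw CEF record
# @yield [event] the populated LogStash::Event
def decode(data)
  # Strip any quotations at the start and end, flex connectors seem to send this
  data = data[1..-2] if data[0] == "\""
  event = LogStash::Event.new

  # Split by unescaped pipes. The limit of 8 keeps every pipe after the seventh inside
  # the extension block (CEF does not require '|' to be escaped there); without the
  # limit an extension value containing '|' silently truncated all later extensions.
  event['cef_version'], event['cef_vendor'], event['cef_product'], event['cef_device_version'],
    event['cef_sigid'], event['cef_name'], event['cef_severity'], message = data.split(/(?<!\\)\|/, 8)

  # An empty or pipe-less record leaves the version unset; skip header clean-up rather than raise
  version = event['cef_version']
  unless version.nil?
    # Try and parse out the syslog header if there is one
    if version.include?(' ')
      event['syslog'], _, version = version.rpartition(' ')
    end

    # Get rid of the CEF bit in the version; \A anchors to the start of the string,
    # whereas '^' would also match after an embedded newline
    event['cef_version'] = version.sub(/\ACEF:/, '')
  end

  # Parse the extension block into key=value pairs
  if message && message.include?('=')
    message = message.strip

    # If the last KVP has no value, add an empty string so that key still receives a value below
    message += ' ' if message.end_with?('=')

    # Splitting on " key=" with a capture group yields [first_pair, key, value, key, value, ...]
    parts = message.split(/ ([\w\.]+)=/)
    key, value = parts.shift.split('=', 2)
    extensions = { key => value }
    # each_slice tolerates an odd trailing element (value becomes nil) where Hash[*parts] raised
    parts.each_slice(2) { |k, v| extensions[k] = v }

    # And save the new hash as the extensions
    event['cef_ext'] = extensions
  end

  yield event
end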

#encode(event) ⇒ Object



# File 'lib/logstash/codecs/cef.rb', line 102

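# Encodes an event as a single CEF line and hands it to the codec's on_event callback.
#
# Output layout: "CEF:0|vendor|product|version|signature|name|severity|extensions\n".
# Each header field is interpolated from its configured template via event.sprintf
# and passed through sanitize_header_field; a field that sanitizes to the empty
# string falls back to the default declared for that config option.
#
# @param event [LogStash::Event] the event to serialize
# @return [Object] whatever @on_event.call returns
def encode(event)
  vendor    = resolve_cef_header_field(event, @vendor, "vendor")
  product   = resolve_cef_header_field(event, @product, "product")
  version   = resolve_cef_header_field(event, @version, "version")
  signature = resolve_cef_header_field(event, @signature, "signature")
  name      = resolve_cef_header_field(event, @name, "name")

  # :sev is deprecated and therefore only considered if :severity equals the default setting or is invalid
  severity = sanitize_severity(event, @severity)
  if severity == self.class.get_config["severity"][:default]
    # Use deprecated setting sev
    severity = sanitize_severity(event, @sev)
  end

  # Should also probably set the fields sent
  header = ["CEF:0", vendor, product, version, signature, name, severity].join("|")
  # Extension block in @fields order; a nil from get_value drops that field from the line
  values = @fields.map { |fieldname| get_value(fieldname, event) }.compact.join(" ")

  @on_event.call(event, "#{header}|#{values}\n")
end

# Interpolates one CEF header field from its configured template, sanitizes it, and
# falls back to the option's declared default when the sanitized result is empty.
#
# @param event [LogStash::Event] source of values for event.sprintf
# @param template [String] the configured format string (e.g. @vendor)
# @param setting [String] the config option name used to look up the default
# @return [String] the sanitized header field
def resolve_cef_header_field(event, template, setting)
  field = sanitize_header_field(event.sprintf(template))
  field == "" ? self.class.get_config[setting][:default] : field
end
private :resolve_cef_header_field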