Class: LogStash::Codecs::CEF

Inherits:
Base
  • Object
Defined in:
lib/logstash/codecs/cef.rb


Constructor Details

#initialize(params = {}) ⇒ CEF

Returns a new instance of CEF.



# File 'lib/logstash/codecs/cef.rb', line 13

# Builds the codec; all configuration handling is delegated to the base codec.
#
# @param params [Hash] plugin configuration, passed through unchanged
def initialize(params = {})
  super
end

Instance Method Details

#decode(data) {|event| ... } ⇒ Object

Yields:

  • (event)


# File 'lib/logstash/codecs/cef.rb', line 18

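# Decodes one CEF record (optionally wrapped in a syslog line) into a
# LogStash::Event and yields it.
#
# Expected wire format:
#   %{SYSLOGDATE} %{HOST} CEF:Version|Device Vendor|Device Product|Device Version|SignatureID|Name|Severity|Extension
#
# The seven header fields land in event['cef_version'] .. event['cef_severity'],
# the extension part in event['message'], and every "key=value" pair found in
# the extension in event['cef_ext_<key>'].
#
# @param data [String] one raw CEF line; it is not modified
# @yield [event] the decoded LogStash::Event
def decode(data)
  event = LogStash::Event.new
  if @syslog
    @logger.debug("Expecting SYSLOG headers")
    # Everything before the first "CEF:" marker is the syslog prefix; keep it
    # in its own field so downstream filters can handle it separately.
    syslog_header, data = data.split('CEF:', 2)
    event['syslog'] = syslog_header
    # A line without a "CEF:" marker leaves `data` nil; treat it as a record
    # with no headers instead of raising NoMethodError on the split below.
    data = data.to_s
  else
    # No syslog prefix: strip the leading "CEF:" marker only. A non-mutating
    # sub leaves the caller's string intact (and works on frozen strings);
    # \A anchors to the start of the string, whereas ^ would also match after
    # any embedded newline.
    data = data.sub(/\ACEF:/, '')
  end

  # Split the headers on unescaped pipes; an escaped pipe ("\|") stays inside
  # its field. Fields missing from a short record become nil.
  event['cef_version'], event['cef_vendor'], event['cef_product'],
    event['cef_device_version'], event['cef_sigid'], event['cef_name'],
    event['cef_severity'], event['message'] = data.split(/(?<!\\)[\|]/)

  # The extension (everything after the seventh pipe) is the message; strip
  # surrounding whitespace.
  message = event['message'].to_s.strip
  event['message'] = message

  # Break the extension dictionary ("k1=v1 k2=v2 ...") into a hash.
  unless message.empty?
    # Splitting on the " key=" boundary with a capture group yields
    # ["k1=v1", "k2", "v2", "k3", "v3", ...]; the first element is handled
    # separately because it carries no leading space.
    parts = message.split(/ ([\w\.]+)=/)
    key, value = parts.shift.split('=', 2)
    @logger.debug(parts)
    # Build the hash pairwise rather than with Hash[*parts]: a trailing empty
    # value ("... k3=") leaves an odd number of elements, which Hash[] rejects
    # with ArgumentError; pair such a key with an empty string instead.
    kv = {}
    parts.each_slice(2) { |k, v| kv[k] = v || '' }
    @logger.debug(kv)
    addKey(kv, key, value)
    # NOTE(review): relies on Event#to_hash returning the live backing hash so
    # that merge! adds the fields to the event — confirm against the Event
    # implementation in use.
    event.to_hash.merge!(Hash[kv.map { |k, v| ["cef_ext_" + k, v] }])
  end
  yield event
end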

#encode(data) ⇒ Object



# File 'lib/logstash/codecs/cef.rb', line 52

# Encodes an event into a single CEF line and hands it to @on_event.
#
# Output shape:
#   "CEF:0|Elasticsearch|Logstash|1.0|<signature>|<name>|<severity>| v1 v2 ...\n"
# Vendor, product and version are fixed; @signature, @name and @sev come from
# the codec configuration. The extension part is just the values of the
# configured @fields, space separated, as looked up by get_value.
#
# TODO (from the original author): the header fields are not checked to be
# set, and the extension should be emitted as key=value pairs.
# NOTE(review): values are written as-is; nothing here escapes "|", "=", "\"
# or newlines, so a field value containing them produces a malformed record —
# confirm whether get_value sanitises.
#
# @param data [LogStash::Event] the event being serialised
def encode(data)
  header_fields = ["CEF:0", "Elasticsearch", "Logstash", "1.0", @signature, @name, @sev]
  extension = @fields.map { |field_name| get_value(field_name, data) }.join(" ")
  # values = values.map {|k,v| "#{k}=#{v}"}.join(" ")
  @on_event.call("#{header_fields.join('|')} #{extension}\n")
end