Untitled

a guest
Mar 19th, 2018
## Description

Sometimes you need to parse CEF with Logstash but it is wrapped in some other format, such as JSON or syslog. In this case you can't use the CEF codec on the input, so you have to do it yourself, since there is currently no CEF codec for filter blocks. Try this Logstash recipe; it works well. Just remember that a comma inside a value will break it, so feel free to replace "," with a rarer character such as "|".

## Context

At this point the message has already been processed, so it's a full CEF message stored in cef_message. The syslog "headers" were removed in a previous step.

## Stripped from production

```
filter {
  if "cef" in [tags] {
    mutate {
      # CEF:0 is pipe delimited, split into individual fields.
      # Escaped pipes ("\|") inside header values are not handled, so this
      # assumes the seven header fields contain no pipe characters.
      split => ["cef_message", "|"]
      # Array elements are referenced as [field][index] in sprintf format
      add_field => {
        "cef_version"        => "%{[cef_message][0]}"
        "cef_device_vendor"  => "%{[cef_message][1]}"
        "cef_device_product" => "%{[cef_message][2]}"
        "cef_device_version" => "%{[cef_message][3]}"
        "cef_sig_id"         => "%{[cef_message][4]}"
        "cef_sig_name"       => "%{[cef_message][5]}"
        "cef_sig_severity"   => "%{[cef_message][6]}"
        "cef_kv_message"     => "%{[cef_message][7]}"
      }
    }

    # These next two (mutate and kv) are where the CEF is parsed.
    # The mutate is required to bypass a limitation, the kv is
    # pretty straightforward key/value pair matching. It splits
    # them into key/value pairs and pops them into what will later
    # be renamed to a device specific namespace. For now it is just
    # called `event_container`.

    # Workaround because `kv` doesn't support values that contain spaces:
    # prefix every "key=" token with a comma, then split on commas instead
    # of spaces in the kv filter below. A comma inside a value will
    # therefore truncate that value; pick a rarer separator if needed.
    mutate {
      gsub => ["cef_kv_message", "(\S+=)", ", \1"]
    }

    kv {
      source       => "cef_kv_message"
      trim_value   => " "
      trim_key     => " "
      value_split  => "="
      field_split  => ","
      target       => "event_container"
      add_tag      => "cef_kv_success"
      # remove_field => ["tmp_message", "cef_kv_message", "message", "cef_message"]
      remove_field => ["cef_kv_message", "message", "cef_message"]
      remove_tag   => ["kv_section"]
    }

  }
}
```
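The same three-step recipe (pipe split, gsub-inserted separator, key/value split) re-implemented in Python as an added stand-alone example, not part of the paste, so you can check offline what the pipeline will produce for a given line, including the comma caveat from the description. The `SAMPLE_CEF` event is constructed.

```python
import re

# Field names for the seven CEF:0 header positions, matching the Logstash recipe
HEADER_FIELDS = [
    "cef_version", "cef_device_vendor", "cef_device_product",
    "cef_device_version", "cef_sig_id", "cef_sig_name", "cef_sig_severity",
]

# Same pattern as the gsub in the recipe: every "key=" token
KEY_TOKEN = re.compile(r"(\S+=)")

# Constructed sample event; note the comma inside the msg value
SAMPLE_CEF = ("CEF:0|Vendor|Product|1.0|100|Something happened|5|"
              "src=10.1.1.1 dst=10.2.2.2 msg=Hello, world")


def parse_cef(cef_message, field_split=","):
    """Mirror the mutate/kv chain: header fields plus an event_container dict."""
    # mutate split => ["cef_message", "|"]: indices 0..6 are the header, 7 the
    # extension. Like the recipe, this assumes no unescaped "|" in the header.
    parts = cef_message.split("|")
    if len(parts) < 8:
        raise ValueError("not a complete CEF:0 record")
    event = dict(zip(HEADER_FIELDS, parts[:7]))

    # mutate gsub => ["cef_kv_message", "(\S+=)", ", \1"], with the separator
    # configurable so the author's suggested replacement can be tried
    kv_message = KEY_TOKEN.sub(field_split + r" \1", parts[7])

    # kv { field_split => ",", value_split => "=", trim_key/trim_value => " " }
    container = {}
    for pair in kv_message.split(field_split):
        if "=" not in pair:
            continue  # the empty element before the first key, or a cut-off value
        key, value = pair.split("=", 1)
        container[key.strip(" ")] = value.strip(" ")
    event["event_container"] = container
    return event


if __name__ == "__main__":
    print(parse_cef(SAMPLE_CEF)["event_container"]["msg"])            # Hello
    print(parse_cef(SAMPLE_CEF, field_split="|")["event_container"]["msg"])  # Hello, world
```

With the default comma separator the `msg` value is cut at the comma, exactly the failure the description warns about; with "|" as the separator the full value survives because the header was already split off before the gsub runs.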