Merge pull request #26 from jsvd/tag_on_failure

tag _cefparsefailure on parse failure
logstash-plugins · Nov 17, 2016 · bbf6ca9 · bbf6ca9
2 parents b27f2ee + 8601834
commit bbf6ca9
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 3.1.0
+ - add _cefparsefailure tag on failed decode
+
 ## 3.0.0
  - breaking: Updated plugin to use new Java Event APIs
  - Implements the dictionary translation for abbreviated CEF field names from chapter Chapter 2: ArcSight Extension Dictionary page 3 of 39 [CEF specification](https://protect724.hp.com/docs/DOC-1072). 

diff --git a/lib/logstash/codecs/cef.rb b/lib/logstash/codecs/cef.rb
@@ -5,6 +5,9 @@
 # Implementation of a Logstash codec for the ArcSight Common Event Format (CEF)
 # Based on Revision 20 of Implementing ArcSight CEF, dated from June 05, 2013
 # https://protect724.hp.com/servlet/JiveServlet/downloadBody/1072-102-6-4697/CommonEventFormat.pdf
+#
+# If this codec receives a payload from an input that is not a valid CEF message, then it will
+# produce an event with the payload as the 'message' field and a '_cefparsefailure' tag.
 class LogStash::Codecs::CEF < LogStash::Codecs::Base
   config_name "cef"
 
@@ -143,6 +146,9 @@ def decode(data)
     end
 
     yield event
+  rescue => e
+    @logger.error("Failed to decode CEF payload. Generating failure event with payload in message field.", :error => e.message, :backtrace => e.backtrace, :data => data)
+    yield LogStash::Event.new("message" => data, "tags" => ["_cefparsefailure"])
   end
 
   public

diff --git a/logstash-codec-cef.gemspec b/logstash-codec-cef.gemspec
@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-codec-cef'
-  s.version         = '3.0.0'
+  s.version         = '3.1.0'
   s.platform        = 'java'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "CEF codec to parse and encode CEF formated logs"

diff --git a/spec/codecs/cef_spec.rb b/spec/codecs/cef_spec.rb
@@ -656,7 +656,16 @@ def validate(e)
       subject.decode(syslog) do |e|
         validate(e)
         insist { e.get('syslog') } == 'Syslogdate Sysloghost'
-      end 
+      end
+    end
+
+    context "when payload is not in CEF" do
+      let (:message) { "potatoes" }
+      it "Should detect headers before CEF starts" do
+        subject.decode(message) do |e|
+          insist { e.get('tags') } == ['_cefparsefailure']
+        end
+      end
     end
   end