tag _cefparsefailure on parse failure

CHANGELOG.md

@@ -1,3 +1,6 @@
+## 3.1.0
+ - add _cefparsefailure tag on failed decode
+
 ## 3.0.0
  - breaking: Updated plugin to use new Java Event APIs
 

lib/logstash/codecs/cef.rb

@@ -5,6 +5,9 @@
 # Implementation of a Logstash codec for the ArcSight Common Event Format (CEF)
 # Based on Revision 20 of Implementing ArcSight CEF, dated from June 05, 2013
 # https://protect724.hp.com/servlet/JiveServlet/downloadBody/1072-102-6-4697/CommonEventFormat.pdf
+#
+# If this codec receives a payload from an input that is not a valid CEF message, then it will
+# produce an event with the payload as the 'message' field and a '_cefparsefailure' tag.
 class LogStash::Codecs::CEF < LogStash::Codecs::Base
   config_name "cef"
 
@@ -114,6 +117,9 @@ def decode(data)
     end
 
     yield event
+  rescue => e
+    @logger.error("Failed to decode event payload. Generating failure event with payload in message field.", :error => e.message, :backtrace => e.backtrace, :data => data)
+    yield LogStash::Event.new("message" => data, "tags" => ["_cefparsefailure"])
   end
 
   public

logstash-codec-cef.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-codec-cef'
-  s.version         = '3.0.0'
+  s.version         = '3.1.0'
   s.platform        = 'java'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "CEF codec to parse and encode CEF formated logs"

spec/codecs/cef_spec.rb

@@ -451,7 +451,16 @@ def validate(e)
       subject.decode(syslog) do |e|
         validate(e)
         insist { e.get('syslog') } == 'Syslogdate Sysloghost'
-      end 
+      end
+    end
+
+    context "when payload is not in CEF" do
+      let (:message) { "potatoes" }
+      it "Should detect headers before CEF starts" do
+        subject.decode(message) do |e|
+          insist { e.get('tags') } == ['_cefparsefailure']
+        end
+      end
     end
   end