diff --git a/x-pack/filebeat/processors/decode_cef/cef/cef.rl b/x-pack/filebeat/processors/decode_cef/cef/cef.rl index 3ac5af35a40..147b4a9f29a 100644 --- a/x-pack/filebeat/processors/decode_cef/cef/cef.rl +++ b/x-pack/filebeat/processors/decode_cef/cef/cef.rl @@ -4,6 +4,7 @@ package cef import ( "fmt" "strconv" + "strings" "go.uber.org/multierr" ) @@ -17,6 +18,9 @@ import ( // unpack unpacks a CEF message. func (e *Event) unpack(data string) error { + const ws = " \r\n\t\v\f" + data = strings.TrimRight(data, ws) + cs, p, pe, eof := 0, 0, len(data), len(data) mark := 0 diff --git a/x-pack/filebeat/processors/decode_cef/cef/parser.go b/x-pack/filebeat/processors/decode_cef/cef/parser.go index 2ddcb942401..72664060827 100644 --- a/x-pack/filebeat/processors/decode_cef/cef/parser.go +++ b/x-pack/filebeat/processors/decode_cef/cef/parser.go @@ -9,11 +9,12 @@ package cef import ( "fmt" "strconv" + "strings" "go.uber.org/multierr" ) -//line parser.go:15 +//line parser.go:16 var _cef_eof_actions []byte = []byte{ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, @@ -31,10 +32,13 @@ const cef_en_gobble_extension int = 28 const cef_en_main int = 1 const cef_en_main_cef_extensions int = 24 -//line cef.rl:16 +//line cef.rl:17 // unpack unpacks a CEF message. func (e *Event) unpack(data string) error { + const ws = " \r\n\t\v\f" + data = strings.TrimRight(data, ws) + cs, p, pe, eof := 0, 0, len(data), len(data) mark := 0 @@ -50,12 +54,12 @@ func (e *Event) unpack(data string) error { e.init(data) -//line parser.go:55 +//line parser.go:59 { cs = cef_start } -//line parser.go:60 +//line parser.go:64 { if (p) == (pe) { goto _test_eof @@ -752,55 +756,55 @@ func (e *Event) unpack(data string) error { goto f17 f0: -//line cef.rl:37 +//line cef.rl:41 mark = p goto _again f1: -//line cef.rl:40 +//line cef.rl:44 e.Version, _ = strconv.Atoi(data[mark:p]) goto _again f3: -//line cef.rl:43 +//line cef.rl:47 e.DeviceVendor = replaceHeaderEscapes(data[mark:p]) goto _again f5: -//line cef.rl:46 +//line cef.rl:50 e.DeviceProduct = replaceHeaderEscapes(data[mark:p]) goto _again f7: -//line cef.rl:49 +//line cef.rl:53 e.DeviceVersion = replaceHeaderEscapes(data[mark:p]) goto _again f9: -//line cef.rl:52 +//line cef.rl:56 e.DeviceEventClassID = replaceHeaderEscapes(data[mark:p]) goto _again f11: -//line cef.rl:55 +//line cef.rl:59 e.Name = replaceHeaderEscapes(data[mark:p]) goto _again f13: -//line cef.rl:58 +//line cef.rl:62 e.Severity = data[mark:p] goto _again f14: -//line cef.rl:61 +//line cef.rl:65 // A new extension key marks the end of the last extension value. if len(extKey) > 0 && extValueStart <= mark-1 { @@ -811,120 +815,124 @@ func (e *Event) unpack(data string) error { goto _again f20: -//line cef.rl:69 +//line cef.rl:73 extValueStart = p extValueEnd = p goto _again f16: -//line cef.rl:73 +//line cef.rl:77 extValueEnd = p + 1 goto _again f15: -//line cef.rl:83 +//line cef.rl:87 recoveredErrs = append(recoveredErrs, fmt.Errorf("malformed value for %s at pos %d", extKey, p+1)) (p)-- cs = 28 goto _again + + goto _again f17: -//line cef.rl:87 +//line cef.rl:91 extKey, extValueStart, extValueEnd = "", 0, 0 // Resume processing at p, the start of the next extension key. p = mark cs = 24 goto _again + + goto _again f2: -//line cef.rl:37 +//line cef.rl:41 mark = p -//line cef.rl:43 +//line cef.rl:47 e.DeviceVendor = replaceHeaderEscapes(data[mark:p]) goto _again f4: -//line cef.rl:37 +//line cef.rl:41 mark = p -//line cef.rl:46 +//line cef.rl:50 e.DeviceProduct = replaceHeaderEscapes(data[mark:p]) goto _again f6: -//line cef.rl:37 +//line cef.rl:41 mark = p -//line cef.rl:49 +//line cef.rl:53 e.DeviceVersion = replaceHeaderEscapes(data[mark:p]) goto _again f8: -//line cef.rl:37 +//line cef.rl:41 mark = p -//line cef.rl:52 +//line cef.rl:56 e.DeviceEventClassID = replaceHeaderEscapes(data[mark:p]) goto _again f10: -//line cef.rl:37 +//line cef.rl:41 mark = p -//line cef.rl:55 +//line cef.rl:59 e.Name = replaceHeaderEscapes(data[mark:p]) goto _again f12: -//line cef.rl:37 +//line cef.rl:41 mark = p -//line cef.rl:58 +//line cef.rl:62 e.Severity = data[mark:p] goto _again f23: -//line cef.rl:37 +//line cef.rl:41 mark = p -//line cef.rl:73 +//line cef.rl:77 extValueEnd = p + 1 goto _again f19: -//line cef.rl:69 +//line cef.rl:73 extValueStart = p extValueEnd = p -//line cef.rl:73 +//line cef.rl:77 extValueEnd = p + 1 goto _again f22: -//line cef.rl:73 +//line cef.rl:77 extValueEnd = p + 1 -//line cef.rl:37 +//line cef.rl:41 mark = p @@ -943,7 +951,7 @@ func (e *Event) unpack(data string) error { if (p) == eof { switch _cef_eof_actions[cs] { case 22: -//line cef.rl:76 +//line cef.rl:80 // Reaching the EOF marks the end of the final extension value. if len(extKey) > 0 && extValueStart <= extValueEnd { @@ -952,7 +960,7 @@ func (e *Event) unpack(data string) error { } case 16: -//line cef.rl:83 +//line cef.rl:87 recoveredErrs = append(recoveredErrs, fmt.Errorf("malformed value for %s at pos %d", extKey, p+1)) (p)-- @@ -960,12 +968,12 @@ func (e *Event) unpack(data string) error { goto _again case 19: -//line cef.rl:69 +//line cef.rl:73 extValueStart = p extValueEnd = p -//line cef.rl:76 +//line cef.rl:80 // Reaching the EOF marks the end of the final extension value. if len(extKey) > 0 && extValueStart <= extValueEnd { @@ -973,7 +981,7 @@ func (e *Event) unpack(data string) error { extKey, extValueStart, extValueEnd = "", 0, 0 } -//line parser.go:847 +//line parser.go:851 } } @@ -982,7 +990,7 @@ func (e *Event) unpack(data string) error { } } -//line cef.rl:145 +//line cef.rl:149 // Check if state machine completed. if cs < cef_first_final {