

Added optional syslogheader
root committed Jul 4, 2016
1 parent 6a3c8b9 commit 86c8e11
Showing 1 changed file with 28 additions and 4 deletions.
32 changes: 28 additions & 4 deletions lib/logstash/codecs/leef.rb
@@ -1,6 +1,8 @@
# encoding: utf-8
require "logstash/codecs/base"
require "json"
require "socket"
require "time"

# Implementation of a Logstash codec for the qRADAR Log Event Extended Format (LEEF)
# Based on Version 1.0 of Implementing QRadar LEEF.
Expand All @@ -9,6 +11,9 @@
class LogStash::Codecs::LEEF < LogStash::Codecs::Base
config_name "leef"

# Field to enable the default syslog header, which uses the default `%{host}` field for hostname and the timestamp is generated by the codec parsing time. If no value is set the hostname is set to the `hostname` value where logstash is running.
config :syslogheader, :validate => :boolean, :default => true

# Device vendor field in LEEF header. The new value can include `%{foo}` strings
# to help you build a new value from other parts of the event.
config :vendor, :validate => :string, :default => "Elastic"
Expand Down Expand Up @@ -115,7 +120,15 @@ def decode(data)
public
def encode(event)
# "LEEF:1.0|Elastic|Logstash|2.3.3|EventID|"


if self.class.get_config["syslogheader"][:default] == true
time = Time.new
syslogtime = time.strftime("%b %d %H:%M:%S")
sysloghost = sanitize_header_field(event.sprintf(@host))
if sysloghost == ""
sysloghost = Socket.gethostname
end
end
vendor = sanitize_header_field(event.sprintf(@vendor))
vendor = self.class.get_config["vendor"][:default] if vendor == ""

Expand All @@ -139,10 +152,21 @@ def encode(event)
# end

# Should also probably set the fields sent
header = ["LEEF:1.0", vendor, product, version, eventid].join("|")
values = @fields.map {|fieldname| get_value(fieldname, event)}.compact.join(" ")

if @syslogheader == true
sheader = [syslogtime, sysloghost].join(" ")
header = ["LEEF:1.0", vendor, product, version, eventid].join("|")
values = @fields.map {|fieldname| get_value(fieldname, event)}.compact.join(" ")

@on_event.call(event, "#{sheader} #{header}|#{values}\n")

else

@on_event.call(event, "#{header}|#{values}\n")
header = ["LEEF:1.0", vendor, product, version, eventid].join("|")
values = @fields.map {|fieldname| get_value(fieldname, event)}.compact.join(" ")

@on_event.call(event, "#{header}|#{values}\n")
end
end

private
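Review bot: The guard at the top of `encode` tests the option's class-level default (`self.class.get_config["syslogheader"][:default] == true`) while the output branch further down tests the instance value `@syslogheader == true`, so the two can disagree and `syslogtime`/`sysloghost` are then nil when `sheader` is joined; both should simply read `if @syslogheader`. The timestamp is built with `%b %d %H:%M:%S`, which zero-pads the day ("Jul 04"), whereas the RFC 3164 header a syslog receiver parses uses a space-padded day (`%e`), and it is the codec's local wall-clock time rather than the event's timestamp, which deserves a comment if intentional. `header` and `values` are computed identically in both branches and can be hoisted above the `if`, which also removes the duplicated block. I could not find a `config :host` in the shown hunks; if `@host` is not a declared option, `event.sprintf(@host)` receives nil — please confirm. The `encode` method's middle (vendor/product/version/eventid lookups) lies between the two shown hunks and the first hunk's enclosing context starts outside the diff.
```ruby
    if @syslogheader
      # RFC 3164 uses a space-padded day ("Jul  4"); "%d" would zero-pad it.
      syslogtime = Time.now.strftime("%b %e %H:%M:%S")
      sysloghost = sanitize_header_field(event.sprintf(@host))
      sysloghost = Socket.gethostname if sysloghost == ""
    end
    # … unchanged: vendor / product / version / eventid lookups …
    header = ["LEEF:1.0", vendor, product, version, eventid].join("|")
    values = @fields.map {|fieldname| get_value(fieldname, event)}.compact.join(" ")

    if @syslogheader
      sheader = [syslogtime, sysloghost].join(" ")
      @on_event.call(event, "#{sheader} #{header}|#{values}\n")
    else
      @on_event.call(event, "#{header}|#{values}\n")
    end
  end
```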

