CEF codec used with Syslog input plugin causes CEF Header severity field to be inaccessible #76

Open
StullK330i opened this issue Sep 27, 2024 · 0 comments
Logstash information:

Please include the following information:

  1. Logstash version: 7.16.3
  2. Logstash installation source: RPM
  3. How is Logstash being run: systemd service
  4. How was the Logstash Plugin installed: Not sure
  5. logstash 7.16.3, logstash-codec-cef (6.1.2), logstash-input-syslog (3.5.0)

JVM (e.g. java -version):

Using bundled JDK: /usr/share/logstash/jdk
openjdk 11.0.24 2024-07-16 LTS
OpenJDK Runtime Environment (Red_Hat-11.0.24.0.8-2) (build 11.0.24+8-LTS)
OpenJDK 64-Bit Server VM (Red_Hat-11.0.24.0.8-2) (build 11.0.24+8-LTS, mixed mode, sharing)

OS version (uname -a if on a Unix-like system): Linux 5.14.0-427.33.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Aug 16 10:56:24 EDT 2024 x86_64 x86_64 x86_64 GNU/Linux

Red Hat Enterprise Linux release 9.4 (Plow)

Description of the problem including expected versus actual behavior:

When using the CEF codec with the Syslog input plugin, I found that event.severity was not the CEF Header "severity" as I expected, but was always set to 0. The incoming Syslog messages were lacking the standard priority prefix. I assume that event.severity was being set to the Syslog message priority, and was defaulting to 0 because the syslog priority was not present. I'll bet the codec and the plugin are using the same namespace and colliding on "severity", and since the syslog plugin runs last, it wins. Every other CEF field was properly parsed, only the "severity" field was incorrect.

To work around this issue, I used the TCP input plugin in place of the Syslog plugin, and all worked as expected.

Steps to reproduce:

  1. Set up a simple logstash pipeline using the above versions

  2. Use this simple pipeline:
    input {
      syslog {
        port => XXXX
        codec => cef {
          delimiter => "\n"
        }
        grok_pattern => "%{TIMESTAMP_ISO8601:receiptTime}%{SPACE}?%{HOSTNAME:dvc}%{SPACE}?%{GREEDYDATA:smsg}"
      }
    }
    filter {}
    output {
      file {
        path => "/home/logstash/logstash_debug.txt"
        codec => rubydebug
        id => "Output_file_debug"
      }
    }

  3. Inject a properly formatted syslog message with a CEF payload using netcat. Use different integers for the syslog priority and the CEF severity, or simply leave out the syslog priority

  4. Notice that the event field "severity" is set either to zero or the syslog priority. The CEF Header severity is nowhere to be found.

Provide logs (if relevant):
I'd provide the incoming messages and outputs, but I work in a SOC, so I can't provide what I was using. Any properly formatted syslog message with a proper CEF would work. For example:

<5>2024-09-26T20:47:00.000Z myserver CEF:0|Vendor|Product|5.0.11.0|Something|Something Else|10|extension=dude

In this case, event.severity comes out in the output as "5", and there is no field holding the CEF Header severity of "10".

@StullK330i StullK330i added the bug label Sep 27, 2024
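The collision described in the report, as an added example that is not code from the issue author or from the logstash-codec-cef project: a small parser that keeps the syslog PRI (facility and severity) and the CEF header severity under separate namespaces, plus a function that mimics the reported behaviour where a single top-level "severity" key is overwritten. The sample lines are constructed from the example in the issue, and the extension parsing is a simplification of the full CEF extension grammar.

```python
import re

# Constructed sample lines modelled on the message in the issue (no real SOC data).
WITH_PRI = ("<5>2024-09-26T20:47:00.000Z myserver "
            "CEF:0|Vendor|Product|5.0.11.0|Something|Something Else|10|extension=dude")
WITHOUT_PRI = WITH_PRI[3:]  # same message with the syslog <PRI> prefix omitted

PRI_RE = re.compile(r"^<(\d{1,3})>")
HEADER_KEYS = ("cefVersion", "deviceVendor", "deviceProduct", "deviceVersion",
               "deviceEventClassId", "name", "severity")


def parse_syslog_cef(line: str) -> dict:
    """Parse a syslog line carrying a CEF payload into separate namespaces.

    Syslog PRI yields facility (pri >> 3) and severity (pri & 7); the CEF header
    carries its own severity. Keeping them under 'syslog' and 'cef' avoids one
    parser overwriting the other's top-level 'severity'.
    """
    event = {"syslog": None, "cef": None}
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        event["syslog"] = {"priority": pri, "facility": pri >> 3, "severity": pri & 7}
        line = line[m.end():]
    # PRI absent: leave 'syslog' as None rather than inventing a value.
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    # Header pipes may be escaped as '\|', so split only on unescaped pipes.
    fields = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(fields) != 8:
        raise ValueError("malformed CEF header")
    header = {k: v.replace("\\|", "|") for k, v in zip(HEADER_KEYS, fields[:7])}
    sev = header["severity"]
    # CEF severity is normally an integer 0-10; the spec also allows textual levels.
    header["severity"] = int(sev) if sev.isdigit() else sev
    # Extension is 'key=value' pairs; values may contain spaces, keys may not.
    header["extension"] = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", fields[7]))
    event["cef"] = header
    return event


def collided_severity(event: dict) -> int:
    """Mimic the behaviour reported in the issue: both parsers write a single
    top-level 'severity', the syslog value is written last, and an absent PRI
    leaves 0, so the CEF header severity is lost."""
    flat = {"severity": event["cef"]["severity"]}
    flat["severity"] = event["syslog"]["severity"] if event["syslog"] else 0
    return flat["severity"]
```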