Logstash information:
Please include the following information:
JVM (e.g. java -version): Using bundled JDK: /usr/share/logstash/jdk
openjdk 11.0.24 2024-07-16 LTS
OpenJDK Runtime Environment (Red_Hat-11.0.24.0.8-2) (build 11.0.24+8-LTS)
OpenJDK 64-Bit Server VM (Red_Hat-11.0.24.0.8-2) (build 11.0.24+8-LTS, mixed mode, sharing)
OS version (uname -a if on a Unix-like system): Linux 5.14.0-427.33.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Aug 16 10:56:24 EDT 2024 x86_64 x86_64 x86_64 GNU/Linux
Red Hat Enterprise Linux release 9.4 (Plow)
Description of the problem including expected versus actual behavior:
When using the CEF codec with the Syslog input plugin, I found that event.severity was not the CEF Header "severity" as I expected, but was always set to 0. The incoming Syslog messages were lacking the standard priority prefix. I assume that event.severity was being set to the Syslog message priority, and was defaulting to 0 because the syslog priority was not present. I'll bet the codec and the plugin are using the same namespace and colliding on "severity", and since the syslog plugin runs last, it wins. Every other CEF field was properly parsed, only the "severity" field was incorrect.
To work around this issue, I used the TCP input plugin in place of the Syslog plugin, and all worked as expected.
Steps to reproduce:
Set up a simple logstash pipeline using the above versions
Use this simple pipeline:

```
input {
  # Syslog input with the CEF codec. Note the custom grok_pattern captures no
  # syslog priority field, so the input has nothing to derive severity from.
  syslog {
    port => XXXX
    codec => cef {
      delimiter => "\n"
    }
    grok_pattern => "%{TIMESTAMP_ISO8601:receiptTime}%{SPACE}?%{HOSTNAME:dvc}%{SPACE}?%{GREEDYDATA:smsg}"
  }
}
filter {}
output {
  # Dump every decoded event to a file for inspection.
  file {
    path => "/home/logstash/logstash_debug.txt"
    codec => rubydebug
    id => "Output_file_debug"
  }
}
```
Inject a properly formatted syslog message with a CEF payload using netcat. Use different integers for the syslog priority and the CEF severity, or simply leave out the syslog priority
Notice that the event field "severity" is set either to zero or the syslog priority. The CEF Header severity is nowhere to be found.
Provide logs (if relevant):
I'd provide the incoming messages and outputs, but I work in a SOC, so I can't provide what I was using. Any properly formatted syslog message with a proper CEF would work. For example:
```
<5>2024-09-26T20:47:00.000Z myserver CEF:0|Vendor|Product|5.0.11.0|Something|Something Else|10|extension=dude
```
In this case, event.severity comes out in the output as "5", and there is no field holding the CEF Header severity of "10"
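The field collision described in this report, modelled as an added example in Ruby (the language Logstash plugins are written in). This is not code from the issue, the CEF codec or the syslog input; it is a simplified, stand-alone model of the behaviour the reporter describes. It parses a syslog line carrying a CEF payload, derives the syslog PRI severity and the CEF header severity separately, and shows that when both are written to the same "severity" key with the syslog side applied last, the CEF value is lost (and becomes 0 when the PRI prefix is absent). The key names `syslog_prefix` and `cef_severity`, the treatment of a missing PRI as 0, and the sample messages are this example's own assumptions, not facts about the plugins.

```ruby
# Added example (not Logstash or plugin code): a small model of the "severity"
# collision described in this issue. Parsing rules are simplified assumptions,
# not the real codec/input behaviour.

# Constructed sample messages (not captured SOC traffic).
SAMPLE_WITH_PRI    = '<5>2024-09-26T20:47:00.000Z myserver CEF:0|Vendor|Product|5.0.11.0|Something|Something Else|10|extension=dude'.freeze
SAMPLE_WITHOUT_PRI = '2024-09-26T20:47:00.000Z myserver CEF:0|Vendor|Product|5.0.11.0|Something|Something Else|10|extension=dude'.freeze

CEF_HEADER_FIELDS = %w[cefVersion deviceVendor deviceProduct deviceVersion
                       deviceEventClassId name severity].freeze

# Split the seven CEF header fields on unescaped pipes. CEF escapes '|' as '\|'
# and '\' as '\\' inside the header, so a plain split('|') would mis-parse a
# vendor or event name containing a pipe. Returns [fields, extension_string].
def split_cef_header(payload)
  fields = []
  buf = +''
  i = 0
  while i < payload.length && fields.length < CEF_HEADER_FIELDS.length
    c = payload[i]
    if c == '\\' && i + 1 < payload.length
      buf << payload[i + 1] # keep the escaped character literally
      i += 2
      next
    elsif c == '|'
      fields << buf
      buf = +''
    else
      buf << c
    end
    i += 1
  end
  [fields, payload[i..-1] || '']
end

# Assumed model of the CEF codec: header fields become top-level event keys and
# the header severity lands in "severity" (the key the report says collides).
def decode_cef(line)
  idx = line.index('CEF:')
  raise ArgumentError, 'no CEF payload in line' unless idx
  fields, extension = split_cef_header(line[idx..-1])
  raise ArgumentError, 'incomplete CEF header' unless fields.length == CEF_HEADER_FIELDS.length
  event = Hash[CEF_HEADER_FIELDS.zip(fields)]
  event['cefVersion'] = event['cefVersion'].sub(/\ACEF:/, '')
  # Key name chosen for this example; the text before "CEF:" is the syslog header.
  event['syslog_prefix'] = line[0...idx].strip if idx > 0
  # Extension key=value pairs; values may contain spaces, so split on " key=" boundaries.
  # (CEF extension escapes such as '\=' are not handled in this simplified model.)
  extension.scan(/(\w+)=(.*?)(?=\s+\w+=|\z)/).each { |k, v| event[k] = v }
  event
end

# Assumed model of the syslog input: read the RFC 3164 "<PRI>" prefix and derive
# facility/severity from it. A missing PRI is taken as 0 here, which matches
# what the report observes (severity always 0 without the prefix).
def syslog_fields(line)
  m = line.match(/\A<(\d{1,3})>/)
  pri = m ? m[1].to_i : 0
  { 'priority' => pri, 'facility' => pri >> 3, 'severity' => pri & 7 }
end

# The reported behaviour: codec decodes first, input plugin merges last, and both
# use "severity", so the syslog value (or 0) overwrites the CEF header value.
def colliding_event(line)
  decode_cef(line).merge(syslog_fields(line))
end

# Keeping both: move the CEF header severity to its own key before the syslog
# fields are merged in. The TCP-input workaround in the report has the same
# effect in practice because the tcp input sets no "severity" field at all.
def namespaced_event(line)
  cef = decode_cef(line)
  cef['cef_severity'] = cef.delete('severity')
  cef.merge(syslog_fields(line))
end

if __FILE__ == $PROGRAM_NAME
  puts "collision, with PRI:    severity=#{colliding_event(SAMPLE_WITH_PRI)['severity']}"
  puts "collision, without PRI: severity=#{colliding_event(SAMPLE_WITHOUT_PRI)['severity']}"
  ev = namespaced_event(SAMPLE_WITH_PRI)
  puts "separated: cef_severity=#{ev['cef_severity']} syslog severity=#{ev['severity']}"
end
```

Run it as `ruby cef_collision.rb`: the collision functions reproduce the two symptoms in the report (syslog severity 5 wins over CEF severity 10; no PRI gives 0), while `namespaced_event` keeps both values. The escape-aware header splitter is the part worth keeping if you write your own CEF handling in a filter, since pipes inside vendor or event names are legal when escaped.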