Taking input from some network elements that are forwarding CEF, and using the CEF codec, there's an issue where if one of the keys in the body has a two-character sub-name (e.g. ad.vd=), it doesn't get parsed properly and gets appended to the previous key.
Example using stdin with the cef codec and ruby debug output:
Input:
Nov 28 20:25:25 TestDevice CEF:0|Fortinet|FortiGate|5.x.x (GA)|13|forward traffic accept|5|ad.logver=50 dvchost=testdevice deviceExternalId=FG-5K00000000004 ad.logid=13 cat=traffic ad.subtype=forward deviceSeverity=notice ad.vd=TestVDOM src=172.16.1.1 spt=57609 deviceInboundInterface=TestVDOM-S dst=8.8.8.8 dpt=53 deviceOutboundInterface=TestVDOM-N externalID=472728212 proto=17 act=accept ad.policyid=6 ad.dstcountry=United States ad.srccountry=Reserved ad.trandisp=snat sourceTranslatedAddress=10.10.10.10 sourceTranslatedPort=57609 app=DNS ad.duration=60 out=59 in=905 ad.sentpkt=1 ad.rcvdpkt=1
ruby debug output:
{
"destinationPort" => "53",
"sourcePort" => "57609",
"destinationAddress" => "8.8.8.8",
"ad.policyid" => "6",
"deviceVendor" => "Fortinet",
"externalID" => "472728212",
"syslog" => "Nov 28 20:25:25 TestDevice",
"ad.trandisp" => "snat",
"deviceExternalId" => "FG-5K00000000004",
"deviceOutboundInterface" => "TestVDOM-N",
"ad.logver" => "50",
"deviceSeverity" => "notice ad.vd=TestVDOM",
"deviceInboundInterface" => "TestVDOM-S",
"transportProtocol" => "17",
"ad.duration" => "60",
"@version" => "1",
"ad.srccountry" => "Reserved",
"host" => "labhost1",
"deviceProduct" => "FortiGate",
"ad.subtype" => "forward",
"deviceHostName" => "testdevice",
"applicationProtocol" => "DNS",
"bytesOut" => "59",
"bytesIn" => "905",
"severity" => "5",
"sourceAddress" => "172.16.1.1",
"deviceAction" => "accept",
"sourceTranslatedPort" => "57609",
"ad.rcvdpkt" => "1",
"deviceVersion" => "5.x.x (GA)",
"deviceEventClassId" => "13",
"deviceEventCategory" => "traffic",
"sourceTranslatedAddress" => "10.10.10.10",
"ad.logid" => "13",
"@timestamp" => 2017-11-28T22:00:25.959Z,
"ad.dstcountry" => "United States",
"cefVersion" => "0",
"name" => "forward traffic accept",
"ad.sentpkt" => "1"
}
See how ad.vd is appended to deviceSeverity?
Changing ad.vd to ad.vdom (or anything more than two characters in the sub position). Changing any other value to a key.nn structure also causes that key to get appended to the immediately previous value, so it's not something specific to this key or the stream coming in.
Is this a known bug with the cef codec? Any thoughts on how to work around it with additional filters?
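A workaround-style parser, added here as an example and not the Logstash CEF codec's own code: it treats any key of the form name or prefix.sub as a key boundary, however short the part after the dot, and keeps spaces inside values. The sample line is the issue's input, trimmed; keys keep their raw extension names (src rather than sourceAddress) because no codec name mapping is applied.

```ruby
# Added example, not the Logstash CEF codec's own code: a parser that treats
# every key of the form name or prefix.sub as a key boundary, however short
# the part after the dot, so "ad.vd=TestVDOM" is no longer glued onto the
# preceding value. Could be called from a Logstash ruby filter.

# Sample line, trimmed from the one in the issue above.
SAMPLE = 'Nov 28 20:25:25 TestDevice CEF:0|Fortinet|FortiGate|5.x.x (GA)|13|' \
         'forward traffic accept|5|ad.logver=50 dvchost=testdevice ' \
         'deviceSeverity=notice ad.vd=TestVDOM src=172.16.1.1 spt=57609 ' \
         'ad.dstcountry=United States ad.srccountry=Reserved ad.rcvdpkt=1'

# Extension keys: letters, digits, underscore and dot ("ad.vd", "dst", ...).
KEY = /[A-Za-z0-9_.]+/

# Undo CEF extension escaping: "\=" -> "=", "\\" -> "\", "\n", "\r".
def unescape_cef(value)
  value.gsub(/\\(.)/) do
    c = Regexp.last_match(1)
    { 'n' => "\n", 'r' => "\r" }.fetch(c, c)
  end
end

# Split the extension into a hash. A value runs until the next " key="
# boundary or the end of the string, so values containing spaces survive.
def parse_cef_extension(ext)
  result = {}
  ext.scan(/(#{KEY})=(.*?)(?=\s+#{KEY}=|\z)/m) do |key, value|
    result[key] = unescape_cef(value.strip)
  end
  result
end

# Parse a whole line: optional syslog prefix, seven pipe-separated header
# fields after "CEF:", then the extension. Keys keep their raw names
# (src, dst); the codec's renaming to sourceAddress etc. is not applied.
def parse_cef(line)
  prefix, body = line.split('CEF:', 2)
  raise ArgumentError, 'no CEF header' if body.nil?
  fields = body.split(/(?<!\\)\|/, 8)   # pipes escaped as \| stay in values
  raise ArgumentError, 'incomplete CEF header' if fields.size < 7
  names = %w[cefVersion deviceVendor deviceProduct deviceVersion
             deviceEventClassId name severity]
  event = names.zip(fields[0, 7].map { |f| f.gsub('\\|', '|') }).to_h
  event['syslog'] = prefix.strip unless prefix.strip.empty?
  event.merge(parse_cef_extension(fields[7].to_s))
end

puts parse_cef(SAMPLE).inspect if $PROGRAM_NAME == __FILE__
```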