Logstash CEF codec

us3r · November 4, 2015, 7:07pm

Together with my collegue we found a few problems with this codec:

The first one is described here -> https://github.com/logstash-plugins/logstash-codec-cef/issues/9
Second one is related with the changes in Elasticsearch 2.0 like:

MapperParsingException[Field name [FOO.BAR] cannot contain '.']

Does anyone of you have a plan to solve that?

magnusbaeck · November 4, 2015, 7:12pm

As documented, Elasticsearch 2.0 doesn't allow periods in field names. You'll have to rename your fields.

https://www.elastic.co/guide/en/elasticsearch/reference/2.0/_mapping_changes.html#_field_names_may_not_contain_dots

us3r · November 4, 2015, 7:19pm

yes I know that. But maybe a good idea is to implement such kind of functionality (properly) directly on the codec layer.
There is a problem with the codec itself cause some fields like "cef_ext.whatever" are splited correctly. I have noticed this problem with for ex "ad.arcSightEventPath" field.

theuntergeek · November 4, 2015, 10:15pm

Please see: Please read: Upgrading Logstash and Elasticsearch to 2.0

Topic		Replies	Views
Field name cannot contain '.' Logstash	47	42237	July 6, 2017
Use the right codec field "date" Logstash	2	294	July 2, 2020
ArcSight module CEF input parsing (over TCP) [SOLVED] Logstash	1	533	August 8, 2019
Logstash CEF codec and ECS cannot parse 'rt' field throws an error Logstash	3	1304	August 25, 2022
Warning message Logstash	3	305	April 11, 2018

Logstash CEF codec

Related topics