Logstash CEF output 5.x vs 2.x

hybrid · March 18, 2017, 1:16am

Hi all.
I'm successfully using an ArcSight CEF connector to read a cef output file in logstash 2.3.2.
I have just done the same using 5.2.0

However, the ArcSight connector is not picking up any events.
It seems to be because the 5.2.0 logstash is not outputting CEF line by line like the old version was.

My config is this:

if [type] == "MSDNSLog" {
    file {
      path => "/opt/logstashout/msdns-%{+YYYY-MM-dd.HH}.cef"
      codec => cef {
        fields => [end, dvchost, src, dhost, deviceExternalId, app, deviceDirection, deviceSeverity, in, out]
        product => "DNS Trace Log"
        vendor => "Microsoft"
      }
    }
  }

Is this a bug, or do I need to do something differently in the new version?

I notice in the encode section of the rb file, the old version has this:

@on_event.call(event, "#{header}|#{values}\n")

New version has this:

@on_event.call(event, "#{header}|#{values}#{@delimiter}")

magnusbaeck · March 21, 2017, 6:16am

It looks like you need to set delimiter => "\n" in your cef codec configuration.

hybrid · March 21, 2017, 7:26am

Yes that's what it was.
I thought I had replied to the thread to that effect, but obviously I didn't!

system · April 18, 2017, 7:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.