Logstash CEF output 5.x vs 2.x

hybrid · March 18, 2017, 1:16am

Hi all.
I'm successfully using an ArcSight CEF connector to read a cef output file in logstash 2.3.2.
I have just done the same using 5.2.0

However, the ArcSight connector is not picking up any events.
It seems to be because the 5.2.0 logstash is not outputting CEF line by line like the old version was.

My config is this:

if [type] == "MSDNSLog" {
    file {
      path => "/opt/logstashout/msdns-%{+YYYY-MM-dd.HH}.cef"
      codec => cef {
        fields => [end, dvchost, src, dhost, deviceExternalId, app, deviceDirection, deviceSeverity, in, out]
        product => "DNS Trace Log"
        vendor => "Microsoft"
      }
    }
  }

Is this a bug, or do I need to do something differently in the new version?

I notice in the encode section of the rb file, the old version has this:

@on_event.call(event, "#{header}|#{values}\n")

New version has this:

@on_event.call(event, "#{header}|#{values}#{@delimiter}")

magnusbaeck · March 21, 2017, 6:16am

It looks like you need to set delimiter => "\n" in your cef codec configuration.

hybrid · March 21, 2017, 7:26am

Yes that's what it was.
I thought I had replied to the thread to that effect, but obviously I didn't!

system · April 18, 2017, 7:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Sending logs from Logstash to ArcSight via Syslog CEF Logstash	3	2526	March 28, 2019
ArcSight module CEF input parsing (over TCP) [SOLVED] Logstash	1	533	August 8, 2019
Output CEF Logstash	1	1748	December 25, 2017
Plugin to generate CEF output for ARCsight Logstash	2	1304	November 29, 2017
Arcsight Logs do not Ouput to Kibana Logstash	2	628	August 8, 2017

Logstash CEF output 5.x vs 2.x

Related topics