Reverse_mapping for cef input codec not working

CEF reverse_mapping does not work.
I am expecting Logstash to give me the short form of CEF; instead it gives me the long form.

  • Version: Logstash 6.5.0 (cef codec version 5.0.6)
  • Operating System: Ubuntu 16.04
  • Config File (if you have sensitive info, please remove it):
   input {
     tcp {
       port  => 1234
       codec => cef {
         reverse_mapping => true
       }
     }
   }
   filter { }
   output {
     stdout { codec => rubydebug }
   }
  • Sample Data: CEF:0|XXXXX|XXXXX||SEC:xxxxxxxx:denied|denied|Low| eventId=9999 externalId=9999 msg=list xxxx-xxxxxx denied 10.0.0.0 1 packet categorySignificance=/Informational/Warning categoryBehavior=/Access categoryDeviceGroup=/Firewall catdt=Router categoryOutcome=/Failure categoryObject=/Host/Application/Service art=99999 deviceSeverity=6 act=denied rt=999999 src=10.1.100.17 sourceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 cs2=SEC cs3=xxxx cs5=SEC-6-xxxxxxxx cs6=xxxx-xxxxx cn2=1 cs1Label=Slot/Card cs2Label=XXXXX cs3Label=xxxxxx cs4Label=ICMP Type cs5Label=CiscoAlertCode cs6Label=ACL Number cn2Label=Packets ahost=xxx-xx-xxx.xxx.xxx.com agt=10.0.0.0 agentZoneURI=/All Zones/xxx xxxx/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 amac=00-00-00-00-00-00 av=7.6.0.8009.0 atz=Asia/xxxx at=syslog dvc=10.0.0.0 deviceZoneURI=/All Zones/xxx xxx/Private Address xxx xx/RFC999: 10.0.0.0-10.255.255.255 dtz=xxx/xxxx _cefVer=0.1 ad.Message=%Sxxx-6-xxxxxxxx: list xx-xx denied 10.0.0.0 1 packet ad.mnemonic=SEC-6-xxxxxxxx ad.message=list xx-xx denied 10.0.0.0 1 packet aid=xxx-xxxxxxxxxxxx+xxx==

  • Steps to Reproduce: Start Logstash as a process: run /usr/share/logstash/bin/logstash -r -f cef.conf

The reverse_mapping option is for output. So

   output { stdout { codec => cef { reverse_mapping => false fields => [ "sourceAddress", "deviceCustomString4Label" ] } } }

will get you

CEF:0|Elasticsearch|Logstash|1.0|Logstash|Logstash|6|sourceAddress=10.1.100.17 deviceCustomString4Label=ICMP Type

and if you flip that to true you get

CEF:0|Elasticsearch|Logstash|1.0|Logstash|Logstash|6|src=10.1.100.17 cs4Label=ICMP Type

According to this, I can see that it should work on the input plugin too.

https://www.elastic.co/guide/en/logstash/current/plugins-codecs-cef.html

No, that says it will "encode using the CEF key name". Encoding is only done on output.

You can check the source. @reverse_mapping is only tested in get_value, and get_value is only called in the encode function that is used for output.
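To make the encode-only behaviour described in the two replies above concrete, here is an added example (my own code, not the logstash-codec-cef source): a tiny encoder and decoder in which `reverse_mapping` is only consulted in `get_value` on the encode path, so decode always expands to long names and the only way to get short keys on ingest is to map them after decoding. The CEF dictionary is a constructed subset of the codec's table, the header is the default one shown above, and `to_short_keys` is an assumed post-decode helper.

```ruby
# Constructed subset of the CEF key <-> long name dictionary (the codec's real
# table is much larger). The header is Logstash's default from the reply above.
CEF_KEY_TO_NAME = {
  'src'      => 'sourceAddress',
  'dst'      => 'destinationAddress',
  'act'      => 'deviceAction',
  'cs4'      => 'deviceCustomString4',
  'cs4Label' => 'deviceCustomString4Label'
}.freeze
NAME_TO_CEF_KEY = CEF_KEY_TO_NAME.invert.freeze
HEADER = 'CEF:0|Elasticsearch|Logstash|1.0|Logstash|Logstash|6|'

# CEF extension escaping: backslash, '=' and newline must be escaped in values.
def escape_extension(value)
  value.to_s.gsub('\\') { '\\\\' }.gsub('=') { '\\=' }.gsub("\n") { '\\n' }
end

# The only place reverse_mapping is consulted: long name -> CEF key when true.
def get_value(name, reverse_mapping)
  reverse_mapping ? NAME_TO_CEF_KEY.fetch(name, name) : name
end

# Output side (encode): header plus the selected fields as extension pairs.
def encode_cef(event, fields, reverse_mapping: false)
  ext = fields.map { |f| "#{get_value(f, reverse_mapping)}=#{escape_extension(event.fetch(f))}" }
  HEADER + ext.join(' ')
end

# Input side (decode): CEF keys are always expanded to long names and
# reverse_mapping is never consulted, which is why the option has no effect
# on a tcp input. Header pipes are assumed unescaped; values may contain
# spaces, so a value runs until the next "key=" token or end of line.
def decode_cef(line)
  extension = line.split('|', 8).last
  extension.scan(/(\S+?)=(.*?)(?=\s+\S+?=|\z)/m).each_with_object({}) do |(key, raw), h|
    value = raw.gsub(/\\([\\=n])/) { $1 == 'n' ? "\n" : $1 }
    h[CEF_KEY_TO_NAME.fetch(key, key)] = value
  end
end

# Assumed workaround for the original question: apply the reverse map after
# decoding (for example in a filter) if short CEF keys are wanted on ingest.
def to_short_keys(event)
  event.each_with_object({}) { |(k, v), h| h[NAME_TO_CEF_KEY.fetch(k, k)] = v }
end
```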
