Reverse_mapping for cef input codec not working

Cef reverse_mapping does not work.
I am expecting Logstash to give me the short form of CEF; instead it gives me the long form.

  • Version: Logstash 6.5.0 (cef codec version 5.0.6)
  • Operating System: Ubuntu 16.04
  • Config File (if you have sensitive info, please remove it):
   input {
     tcp {
       port  => 1234
       codec => cef {
         reverse_mapping => true
       }
     }
   }
   filter { }
   output {
     stdout { codec => rubydebug }
   }
  • Sample Data: CEF:0|XXXXX|XXXXX||SEC:xxxxxxxx:denied|denied|Low| eventId=9999 externalId=9999 msg=list xxxx-xxxxxx denied 1 packet categorySignificance=/Informational/Warning categoryBehavior=/Access categoryDeviceGroup=/Firewall catdt=Router categoryOutcome=/Failure categoryObject=/Host/Application/Service art=99999 deviceSeverity=6 act=denied rt=999999 src= sourceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: cs2=SEC cs3=xxxx cs5=SEC-6-xxxxxxxx cs6=xxxx-xxxxx cn2=1 cs1Label=Slot/Card cs2Label=XXXXX cs3Label=xxxxxx cs4Label=ICMP Type cs5Label=CiscoAlertCode cs6Label=ACL Number cn2Label=Packets agt= agentZoneURI=/All Zones/xxx xxxx/Private Address Space Zones/RFC1918: amac=00-00-00-00-00-00 av= atz=Asia/xxxx at=syslog dvc= deviceZoneURI=/All Zones/xxx xxx/Private Address xxx xx/RFC999: dtz=xxx/xxxx _cefVer=0.1 ad.Message=%Sxxx-6-xxxxxxxx: list xx-xx denied 1 packet ad.mnemonic=SEC-6-xxxxxxxx ad.message=list xx-xx denied 1 packet aid=xxx-xxxxxxxxxxxx+xxx==

  • Steps to Reproduce: Start Logstash as a process: run /usr/share/logstash/bin/logstash -r -f cef.conf

The reverse_mapping option is for output. So

   output { stdout { codec => cef { reverse_mapping => false fields => [ "sourceAddress", "deviceCustomString4Label" ] } } }

will get you

CEF:0|Elasticsearch|Logstash|1.0|Logstash|Logstash|6|sourceAddress= deviceCustomString4Label=ICMP Type

and if you flip that to true you get

CEF:0|Elasticsearch|Logstash|1.0|Logstash|Logstash|6|src= cs4Label=ICMP Type

According to this, I can see that it should work on the input plugin too.

No, that says it will "encode using the CEF key name". Encoding is only done on output.

You can check the source. @reverse_mapping is only tested in get_value, and get_value is only called in the encode function that is used for output.
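To illustrate the encode-side behaviour described in the replies, here is an added Ruby example (not the codec's own code): a small, constructed excerpt of the long-name to CEF-key table, and an encoder that consults it only when reverse_mapping is true, reproducing the two output lines quoted above. The header defaults are taken from the reply's sample output; the escaping of CEF's reserved characters is this example's own.

```ruby
# Constructed excerpt of a long-name -> CEF-key table (the real codec's
# table is much larger); only the keys used below are needed here.
REVERSE_MAPPING = {
  "sourceAddress"            => "src",
  "destinationAddress"       => "dst",
  "deviceCustomString4Label" => "cs4Label",
  "deviceCustomString4"      => "cs4",
  "message"                  => "msg",
}.freeze

# CEF reserves '|' and '\' in the header and '=' and '\' in the extension;
# an unescaped newline would also split the single-line record.
def escape_header(value)
  value.to_s.gsub("\\") { "\\\\" }.gsub("|") { "\\|" }
end

def escape_extension(value)
  value.to_s.gsub("\\") { "\\\\" }.gsub("=") { "\\=" }.gsub(/\r?\n/) { "\\n" }
end

# Mirrors the decision made on encode: the event field is always looked up
# by its long name, and reverse_mapping only changes the key that is emitted.
def extension_key(name, reverse_mapping)
  reverse_mapping ? REVERSE_MAPPING.fetch(name, name) : name
end

# Encode an event hash as one CEF line. Header defaults match the values
# visible in the reply's sample output (an assumption for this example).
def encode_cef(event, fields:, reverse_mapping: false,
               vendor: "Elasticsearch", product: "Logstash", version: "1.0",
               signature: "Logstash", name: "Logstash", severity: "6")
  header = [vendor, product, version, signature, name, severity]
             .map { |v| escape_header(v) }
  ext = fields.map do |f|
    "#{extension_key(f, reverse_mapping)}=#{escape_extension(event.fetch(f, ""))}"
  end
  "CEF:0|#{header.join('|')}|#{ext.join(' ')}"
end

# Constructed event: the two fields the reply selects, named as the cef
# input codec (which never reverse-maps) would have decoded them.
EVENT = { "sourceAddress" => "", "deviceCustomString4Label" => "ICMP Type" }.freeze

if __FILE__ == $0
  puts encode_cef(EVENT, fields: EVENT.keys)                        # long form
  puts encode_cef(EVENT, fields: EVENT.keys, reverse_mapping: true) # short form
end
```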
