Open jalogisch opened 5 years ago
The following pipeline rule works around it:

```
rule "split and parse"
when
  has_field("pure_cef")
then
  // split parts out of CEF: the header is pipe-separated, index 0 is the "CEF:0" prefix
  let message = split("\\|", to_string($message.pure_cef));
  set_field("device_vendor", message[1]);
  set_field("device_product", message[2]);
  set_field("device_version", message[3]);
  set_field("device_event_class_id", message[4]);
  set_field("name", message[5]);
  set_field("severity", message[6]);
  set_field("device_message", message[7]);
  // parse the extension part (index 7) as key-value pairs
  let kv = key_value(value: to_string(message[7]), trim_value_chars: "\"", trim_key_chars: "\"", delimiters: " ", kv_delimiters: "=");
  set_fields(kv);
  // msg is the last pair, so take everything after "msg=" as the message without splitting on "="
  let gmsg = grok(pattern: "%{GREEDYDATA}msg=%{GREEDYDATA:message}", value: to_string(message[7]), only_named_captures: true);
  set_fields(gmsg);
  // cleanup
  remove_field("pure_cef");
  remove_field("device_message");
  remove_field("msg");
end
```
Isn't this something that should be fixed in the CEF input? What does CEF say about escaping = characters?
To answer my own question, according to https://community.microfocus.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Implementation-Standard/ta-p/1645557?attachment-id=68077 values need to escape = characters in extensions.
My rule fixes the TrendMicro devices not following the CEF rules. That is the only one I have seen so far that just places a common syslog message in the msg field without any kind of escaping. Also, msg is always the last key-value pair.
That is the reason the above is working; other devices might not be that broken.
Maybe we can add some kind of option to the CEF Input that does the above?
JFYI, we faced the same problem with the McAfee Network Security Monitoring solution. They provide a custom template for syslog messages, but there is no configuration for escaping.
For example, Palo Alto provides such configuration with options "Escaped Characters" and "Escape Character": https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cef/pan-os-80-cef-configuration-guide.pdf
We'll raise a support ticket with McAfee, but these options also might be a good idea for CEF plugin to implement.
Just dropping in for a massive thanks for the time saved on the Trend Micro parse work. It took some massaging for the 2019 Apex XYZ products but the principles remained. Thanks
Expected Behavior
When using the parse_cef function or the CEF Input it should work for all ingested messages and extract the key-values out of the message.
Current Behavior
Using parse_cef (and ingesting CEF messages) takes every = and splits that into key-value even if the = is part of the value of one key:
Possible Solution
If you use the key_value function it works flawlessly:
Maybe the above can be used for the key-value extraction of CEF messages.
The following message parses cleanly by the default CEF Parser - no additional = is part of the msg key.
The following message does not parse by the default CEF Parser - because the msg field contains = in it. The above key_value configuration does parse it cleanly.
Context
Graylog does the parsing of CEF messages right, but the vendors do not. So we could try to implement the above mentioned fix to be able to parse more messages.
Your Environment
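To show the failure mode this issue describes and the "msg is always last" workaround from the pipeline rule side by side, here is a small CEF parser written for this thread (added example, not Graylog's parse_cef or the rule above). It honours the spec's backslash escapes for |, = and \, and its lenient mode, like the grok step in the rule, takes everything after msg= as the message. Both sample messages and the vendor/product names in them are constructed.

```python
import re

# Constructed samples (not from the issue): a spec-compliant message that escapes
# '=' inside msg, and one where a device put a raw syslog line into msg unescaped.
COMPLIANT = r"CEF:0|Vendor|Product|1.0|100|Login|3|src=10.0.0.1 msg=user\=alice logged in"
BROKEN = "CEF:0|Vendor|Product|1.0|100|Login|3|src=10.0.0.1 msg=<13>host daemon: key=value other=thing"

# Header names as used by the pipeline rule in this thread
HEADER_FIELDS = ["device_vendor", "device_product", "device_version",
                 "device_event_class_id", "name", "severity"]
# An extension key: a word at the start or after whitespace, directly followed by '='
KEY_RE = re.compile(r"(?:^|\s)(\w+)=")

def unescape(value):
    """Undo the CEF escapes (a backslash before a backslash, pipe or equals sign)."""
    return re.sub(r"\\([\\|=])", r"\1", value)

def parse_extension(ext, lenient_msg=False):
    """Split the extension part into a dict.
    Strict mode follows the spec: every unescaped 'key=' starts a new pair, so an
    unescaped '=' inside msg yields a truncated msg plus bogus extra keys.
    Lenient mode is the workaround from this thread: msg is assumed to be the last
    pair, so everything after the first 'msg=' is taken verbatim as msg."""
    fields = {}
    if lenient_msg:
        m = re.search(r"(?:^|\s)msg=", ext)
        if m:
            fields["msg"] = ext[m.end():]  # raw, like the grok step in the rule
            ext = ext[:m.start()]
    keys = list(KEY_RE.finditer(ext))
    for i, key in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[key.group(1)] = unescape(ext[key.end():end].strip())
    return fields

def parse_cef(line, lenient_msg=False):
    """Parse one CEF line into header fields plus extension pairs."""
    # Split on '|' that is not backslash-escaped; the 8th part is the extension
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF:<version> message")
    event = {"cef_version": parts[0][4:]}
    event.update((name, unescape(v)) for name, v in zip(HEADER_FIELDS, parts[1:7]))
    event.update(parse_extension(parts[7], lenient_msg))
    return event

if __name__ == "__main__":
    print(parse_cef(BROKEN)["msg"])  # strict: '<13>host daemon:' (truncated)
    print(parse_cef(BROKEN, lenient_msg=True)["msg"])  # lenient: the whole syslog line
```

Strict mode is what a spec-following parser must do; the lenient mode only works because, as noted in the thread, these devices always send msg as the last pair.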