Feat: an attempt for handling target => ...

also a step towards using an ECS-like event factory
logstash-plugins · Mar 24, 2020 · 22a55da · 22a55da
1 parent ca80e3e
commit 22a55da
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/lib/logstash/codecs/cef.rb b/lib/logstash/codecs/cef.rb
@@ -2,6 +2,7 @@
 require "logstash/util/buftok"
 require "logstash/util/charset"
 require "logstash/codecs/base"
+require 'logstash/plugin_mixins/ecs_compatibility_support'
 require "json"
 
 # Implementation of a Logstash codec for the ArcSight Common Event Format (CEF)
@@ -11,6 +12,9 @@
 # If this codec receives a payload from an input that is not a valid CEF message, then it will
 # produce an event with the payload as the 'message' field and a '_cefparsefailure' tag.
 class LogStash::Codecs::CEF < LogStash::Codecs::Base
+
+  include LogStash::PluginMixins::ECSCompatibilitySupport
+
   config_name "cef"
 
   # Device vendor field in CEF header. The new value can include `%{foo}` strings
@@ -72,6 +76,12 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
   # the provided name is added, which contains the raw data.
   config :raw_data_field, :validate => :string
 
+  # Defines a target field for placing decoded fields.
+  # If this setting is omitted, data gets stored at the root (top level) of the event.
+  #
+  # NOTE: `raw_data_field` is always stored as requested, regardless of the `target` setting.
+  config :target, :validate => :string
+
   HEADER_FIELDS = ['cefVersion','deviceVendor','deviceProduct','deviceVersion','deviceEventClassId','name','severity']
 
   # Translating and flattening the CEF extensions with known field names as documented in the Common Event Format whitepaper
@@ -247,8 +257,8 @@ def decode(data, &block)
   end
 
   def handle(data, &block)
-    event = LogStash::Event.new
-    event.set(raw_data_field, data) unless raw_data_field.nil?
+    event = EventTargetDecorator.wrap(event_factory.new_event, @target)
+    event.set_raw(raw_data_field, data) unless raw_data_field.nil?
 
     @utf8_charset.convert(data)
 
@@ -308,7 +318,7 @@ def handle(data, &block)
       end
     end
 
-    yield event
+    yield event.__unwrap__
   rescue => e
     @logger.error("Failed to decode CEF payload. Generating failure event with payload in message field.",
                   :exception => e.class, :message => e.message, :backtrace => e.backtrace, :data => data)

diff --git a/logstash-codec-cef.gemspec b/logstash-codec-cef.gemspec
@@ -22,6 +22,7 @@ Gem::Specification.new do |s|
 
   # Gem dependencies
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
+  s.add_runtime_dependency "logstash-mixin-ecs_compatibility_support", "< 2"
 
   s.add_development_dependency 'logstash-devutils'
   s.add_development_dependency 'insist'