- [Doc] Added `raw_data_field` to docs. #105
- Fix: when decoding in an ecs_compatibility mode, timestamp-normalized fields now handle provided-but-empty values #102
- Fix: when decoding, escaped newlines and carriage returns in extension values are now correctly decoded into literal newlines and carriage returns respectively #98
- Fix: when decoding, non-CEF payloads are identified and intercepted to prevent data loss and corruption. They now cause a descriptive log message to be emitted, and are emitted as their own `_cefparsefailure`-tagged event containing the original bytes in its `message` field #99
- Fix: when decoding while configured with a `delimiter`, flushing this codec now correctly consumes the remainder of its internal buffer. This resolves an issue where bytes that are written without a trailing delimiter could be lost #100
- [DOC] Update link to CEF implementation guide #97
- [DOC] Emphasize importance of delimiter setting for byte stream inputs #95
- Feat: event_factory support #94
- Fixed invalid Field Reference that could occur when ECS mode was enabled and the CEF field `fileHash` was parsed.
- Added expanded mapping for numbered `deviceCustom*` and `deviceCustom*Label` fields so that all now include numbers 1 through 15. #89.
- Added field mapping to docs.
- Fixed ECS mapping of `deviceMacAddress` field. #88.
- Introduce ECS Compatibility mode #83.
- Added error log with full payload when something bad happens in decoding a message #84
- Improved encoding performance, especially when encoding many extension fields #81
- Fixed CEF short to long name translation for the `ahost`/`agentHostName` field, according to documentation #75
- Fixed support for deep dot notation #73
- Removed obsolete `sev` and `deprecated_v1_fields` fields
- Fixed minor doc inconsistencies (added reverse_mapping to options table, moved it to alpha order in option descriptions, fixed typo) #60
- Added reverse_mapping option, which can be used to make encoder compliant to spec #51
- Fix handling of malformed inputs that have illegal unescaped-equals characters in extension field values (restores behaviour from <= v5.0.3 in some edge-cases) (#56)
- Fix bug in parsing headers where certain legal escape sequences could cause non-escaped pipe characters to be ignored.
- Fix bug in parsing extension values where a legal unescaped space in a field's value could be interpreted as a field separator (#54)
- Add explicit handling for extension key names that use array-like syntax that isn't legal with the strict-mode field-reference parser (e.g., `fieldname[0]` becomes `[fieldname][0]`).
- Fix handling of higher-plane UTF-8 characters in message body
- Update gemspec summary
- Fix some documentation issues
- Move `sev` and `deprecated_v1_fields` fields from deprecated to obsolete
- Added mapping for `outcome` = `eventOutcome` from the CEF whitepaper (ref: p26/39)
- Changed `rt` from `receiptTime` to `deviceReceiptTime` (ref: p27/39)
- Changed tokenizer to include additional fields (`ad.fieldname`)
- Add `delimiter` setting. This allows the decoder to be used with inputs like the TCP input, where event delimiters are used.
- Implements the dictionary translation for abbreviated CEF field names from Chapter 2: ArcSight Extension Dictionary, page 3 of 39, of the CEF specification.
- Add `_cefparsefailure` tag on failed decode
- breaking: Updated plugin to use new Java Event APIs
- Switch in-place `sub!` to `sub` when extracting `cef_version`. The new Logstash Java Event does not support in-place String changes.
- Depend on logstash-core-plugin-api instead of logstash-core, removing the need to mass update plugins on major releases of logstash
- New dependency requirements for logstash-core for the 5.0 release
- Implements `encode` with escaping according to the CEF specification.
- Config option `sev` is deprecated, use `severity` instead.
- Plugins were updated to follow the new shutdown semantic, this mainly allows Logstash to instruct input plugins to terminate gracefully, instead of using Thread.raise on the plugins' threads. Ref: elastic/logstash#3895
- Dependency on logstash-core update to 2.0
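
The decode-side behaviours this changelog lists (unescaped `|` versus `\|` in the header, unescaped spaces and `\=` inside extension values, `\n`/`\r` unescaped into literal newlines and carriage returns, abbreviated-key translation, array-like key names rewritten to `[fieldname][0]`, a `_cefparsefailure`-tagged event carrying the original bytes for non-CEF payloads, and delimiter-based buffering whose flush consumes the trailing remainder) are illustrated together in the following added Ruby example. It is written for this page and is not the plugin's own implementation: the header field names, the dictionary subset, the `CefStreamDecoder` class and the method names are assumptions, and the sample record is constructed.

```ruby
# Added illustration, not code from logstash-codec-cef; field names, the
# dictionary subset and the class/method names are assumptions.
require 'strscan'

# Subset of the ArcSight extension dictionary (abbreviated -> full name).
CEF_KEY_DICT = {
  'act' => 'deviceAction', 'src' => 'sourceAddress', 'dst' => 'destinationAddress',
  'spt' => 'sourcePort', 'rt' => 'deviceReceiptTime', 'ahost' => 'agentHostName',
  'msg' => 'message'
}.freeze

# CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|extension
HEADER_NAMES = %w[cefVersion deviceVendor deviceProduct deviceVersion
                  deviceEventClassId name severity].freeze

# Split the header on unescaped '|' only: a backslash escapes the next char,
# so '\|' inside a header value is data. Returns [values, extension_string].
def split_cef_header(line)
  s = StringScanner.new(line)
  fields = []
  while fields.length < HEADER_NAMES.length && (f = s.scan(/(?:\\.|[^\\|])*\|/))
    fields << f.chomp('|').gsub(/\\(.)/, '\1') # drop the escaping backslash
  end
  [fields, s.rest]
end

# One key=value pair. Values may contain unescaped spaces, so a pair ends only
# at the next ' key=' or at end of input; an escaped '\=' never ends one.
KEY_CHARS = '[A-Za-z0-9_.\[\]]+'
EXT_PAIR_RE = /(?:\A|\s)(?<key>#{KEY_CHARS})=(?<value>(?:\\.|[^\\])*?)(?=\s+#{KEY_CHARS}=|\s*\z)/

# \n and \r become a literal newline / carriage return; \=, \\ and \| keep the char.
def unescape_cef_value(raw)
  raw.gsub(/\\(.)/m) do
    ch = Regexp.last_match(1)
    { 'n' => "\n", 'r' => "\r" }.fetch(ch, ch)
  end
end

# Expand abbreviated keys and rewrite fieldname[0] to [fieldname][0], the form
# the strict-mode field-reference parser accepts.
def normalize_cef_key(key)
  full = CEF_KEY_DICT.fetch(key, key)
  m = full.match(/\A([^\[\]]+)((?:\[\d+\])+)\z/)
  m ? "[#{m[1]}]#{m[2]}" : full
end

def parse_cef_extension(ext)
  ext.scan(EXT_PAIR_RE).each_with_object({}) do |(key, value), h|
    h[normalize_cef_key(key)] = unescape_cef_value(value)
  end
end

# Decode one record. Non-CEF payloads are not guessed at: they come back as
# their own _cefparsefailure-tagged event carrying the original bytes.
def decode_cef_line(line)
  failure = { 'message' => line, 'tags' => ['_cefparsefailure'] }
  unless line.start_with?('CEF:') # simplification: no syslog prefix support
    warn "cef: not a CEF payload, emitting _cefparsefailure event: #{line.inspect}"
    return failure
  end
  headers, ext = split_cef_header(line)
  return failure if headers.length < HEADER_NAMES.length
  event = HEADER_NAMES.zip(headers).to_h
  # sub rather than sub!: Java-backed events do not allow in-place String edits
  event['cefVersion'] = event['cefVersion'].sub(/\ACEF:/, '')
  event.merge!(parse_cef_extension(ext))
end

# Byte-stream front end: buffer chunks, emit one event per delimited record,
# and on flush decode the remainder that arrived without a trailing delimiter.
class CefStreamDecoder
  def initialize(delimiter: "\n")
    @delimiter = delimiter
    @buffer = +''
  end

  def decode(chunk)
    @buffer << chunk
    events = []
    while (idx = @buffer.index(@delimiter))
      record = @buffer.slice!(0, idx + @delimiter.length)
      events << decode_cef_line(record.chomp(@delimiter))
    end
    events
  end

  def flush
    return [] if @buffer.empty?
    rest = @buffer.dup
    @buffer.clear
    [decode_cef_line(rest)]
  end
end

# Constructed sample (single quotes keep the backslashes literal, as on the
# wire): escaped pipes in the header, spaces, \n and \= in msg, an array key.
CEF_SAMPLE = 'CEF:0|Security|threat\|manager|1.0|100|worm \|detected|10|' \
             'src=10.0.0.1 spt=1232 act=blocked msg=first line\nsecond line\=done ahost=fw1 arr[0]=x'

if $PROGRAM_NAME == __FILE__
  dec = CefStreamDecoder.new(delimiter: "\n")
  p dec.decode("not a cef line\n" + CEF_SAMPLE), dec.flush # failure event, then the buffered record
end
```

Feeding `"not a cef line\n" + CEF_SAMPLE` yields only the `_cefparsefailure` event at first, because the CEF record has no trailing delimiter and stays in the buffer; `flush` then decodes it, which is the #100 behaviour. Without a `delimiter` a TCP byte stream would be handed over in arbitrary chunk boundaries, which is why the docs stress that setting for stream inputs.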