logstash
Studencheskaya32, 2020-01-14 20:58:23

How does logstash know what human-readable names to translate the CEF log into?

Hello.
I deployed the ELK stack and send logs from the firewall to it via syslog, in CEF format.
The input looks like this:

type => "syslog"
syslog_field => "syslog"
codec => "cef"

That's basically it. The filters don't do anything special; on output I send it straight to Elasticsearch.
And if I now open Kibana, all the logs are parsed there, and instead of short codes like "src" and "spt" the keys already appear as "sourceAddress" and "sourcePort". I can't find where that is defined.
And one more small question. In the log, key/value pairs are passed in two separate parameters. For example,
cs4Label=Destination Zone
cs4=Untrusted
How can they be correlated with each other during parsing and sent to the database as the pair "Destination Zone = Untrusted"?

1 answer(s)
akelsey, 2020-01-15
@Studencheskaya32

Codec plugins
CEF codec for Logstash

/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-codec-cef-6.0.1-java
grep cs4Label * -iR
lib/logstash/codecs/cef.rb: "cs4Label" => "deviceCustomString4Label",
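
As an added illustration (my own code, not part of the question or the answer above and not code from the logstash-codec-cef project): a stand-alone Ruby script that does for one line what the codec does for the first question, translating short CEF keys such as src and cs4Label into their full names using a hand-written excerpt of the same dictionary that cef.rb holds, and then does what the second question asks for, folding each csNLabel onto its csN value so "Destination Zone = Untrusted" arrives as one field. The seven header field names follow the codec's classic (non-ECS) output; the vendor, product and log line are constructed for the example.

```ruby
# Added example: plain Ruby (no Logstash needed) that mirrors two things the
# thread discusses. It is NOT code from the original post or from
# logstash-codec-cef; the key table is a hand-written EXCERPT of the CEF
# extension dictionary, and the sample log line is constructed.

# Excerpt of the CEF short-key -> full-name dictionary (the codec's cef.rb holds
# the complete table). Unknown keys pass through unchanged.
CEF_KEY_NAMES = {
  "src"      => "sourceAddress",
  "spt"      => "sourcePort",
  "dst"      => "destinationAddress",
  "dpt"      => "destinationPort",
  "proto"    => "transportProtocol",
  "act"      => "deviceAction",
  "msg"      => "message",
  "cs1"      => "deviceCustomString1",
  "cs1Label" => "deviceCustomString1Label",
  "cs4"      => "deviceCustomString4",
  "cs4Label" => "deviceCustomString4Label",
}.freeze

# Constructed sample: a syslog-framed CEF event from a hypothetical firewall.
SAMPLE_LINE = "<134>Jan 14 20:58:23 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|100|traffic|3|" \
              "src=10.1.2.3 spt=51234 dst=203.0.113.5 dpt=443 proto=tcp act=allow " \
              "cs4Label=Destination Zone cs4=Untrusted"

# Parse the "key=value key=value ..." extension. Values may contain spaces, so a
# new pair starts only at whitespace followed by "key=". CEF escapes "=" and
# "\" inside values as "\=" and "\\"; both are undone here.
def parse_cef_extension(extension)
  fields = {}
  extension.scan(/(\w+)=(.*?)(?=\s+\w+=|\z)/m) do |key, raw|
    value = raw.strip.gsub(/\\([\\=])/, '\1')
    fields[CEF_KEY_NAMES.fetch(key, key)] = value
  end
  fields
end

# Fold every "<field>Label" onto its "<field>" partner so that, e.g.,
# deviceCustomString4Label=Destination Zone / deviceCustomString4=Untrusted
# becomes the single field "Destination Zone" => "Untrusted". A label without
# a partner value (or a value without a label) is left untouched.
def pair_custom_labels(fields)
  paired = fields.dup
  fields.each do |name, label|
    next unless name.end_with?("Label")
    value_name = name.delete_suffix("Label")
    next unless paired.key?(value_name)
    paired[label] = paired.delete(value_name)
    paired.delete(name)
  end
  paired
end

# Parse one syslog-framed CEF line into a flat hash. The seven header names
# follow what the Logstash codec emits in its classic (non-ECS) field layout.
def parse_cef(line)
  cef = line.sub(/\A.*?(?=CEF:)/m, "")   # drop the syslog PRI/timestamp/host prefix
  parts = cef.split(/(?<!\\)\|/, 8)       # an escaped "\|" inside a header field is not a separator
  unless parts.size == 8 && parts[0] =~ /\ACEF:\d+\z/
    raise ArgumentError, "not a CEF line: #{line.inspect}"
  end
  version, vendor, product, dev_version, sig_id, name, severity, extension = parts
  unpipe = ->(s) { s.gsub('\|', '|') }
  header = {
    "cefVersion"         => version.delete_prefix("CEF:"),
    "deviceVendor"       => unpipe[vendor],
    "deviceProduct"      => unpipe[product],
    "deviceVersion"      => unpipe[dev_version],
    "deviceEventClassId" => unpipe[sig_id],
    "name"               => unpipe[name],
    "severity"           => severity,
  }
  header.merge(pair_custom_labels(parse_cef_extension(extension)))
end

if $PROGRAM_NAME == __FILE__
  parse_cef(SAMPLE_LINE).each { |k, v| puts "#{k} = #{v}" }
end
```

Run it with `ruby cef_pairs.rb` and the sample line comes out with sourceAddress, sourcePort and a single "Destination Zone = Untrusted" entry, with the raw deviceCustomString4 / deviceCustomString4Label pair removed. In a pipeline the pair_custom_labels loop is the part to carry over: put it in a ruby filter after the cef codec has run, read the two fields with event.get, write the merged one with event.set and drop the originals with event.remove. One caveat before you do that: a field literally named "Destination Zone" is legal in Elasticsearch but awkward to query, so most people normalize the label (lower-case, spaces to underscores, e.g. destination_zone) before calling event.set.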
