andrewkroh/filebeat.udp-cef-extrahop.yml

## filebeat.udp-cef-extrahop.yml
filebeat.inputs:
  - host: localhost:9514
    id: udp-extrahop-cef-9514
    type: udp
    processors:
      - convert:
          mode: copy
          fields:
            - { from: "message", to: "event.original" }

      - script:
          lang: javascript
          source: |
            var extrahop = (function () {
                var processor = require("processor");

                var macRegex = /( |\|)(dst|src)=((?:[0-9A-Fa-f]{2}[:-]){5}(?:[0-9A-Fa-f]{2}))/gm;

                // Extrahop uses the wrong field names for MAC addresses.
                var fixMacAddressFields = function(evt) {
                  var msg = evt.Get("message");
                  msg = msg.replace(macRegex, function(match, prefix, key, mac) {
                    if (key == "dst") {
                      key = "dmac";
                    } else {
                      key = "smac";
                    }
                    return prefix + key + "=" + mac
                  });
                  evt.Put("message", msg);
                };

                var timeRegex = / (rt|start|end)=(\d{4}-\d{2}-\d{2}T\d{1,2}:\d{2}:\d{2}.\d+Z)/gm;
                var timeSubstitution = "$2";

                // Extrahop does not format time stamps as per the CEF spec. So convert them to
                // to unix epoch in milliseconds.
                var fixTimestamps = function(evt) {
                  var msg = evt.Get("message")
                  msg = msg.replace(timeRegex, function(match, key, time, offset, whole, groups) {
                    return " " + key + "=" + Date.parse(time);
                  })

                  msg
                  evt.Put("message", msg);
                };

                var newlineRegex = /(?:\r\n|\r|\n)/g;

                // Newline (aka line feed) characters are supposed to be encoded a '\n', but
                // on the wire 0xA was being received.
                var encodeNewline = function(evt) {
                  var msg = evt.Get("message");
                  msg = msg.replace(newlineRegex, "\\n")
                  msg = msg.trim();
                  evt.Put("message", msg);
                }

                var escapeRegex = /([^\\])\\([-.])/gm;

                // Some logs have invalid escape sequences. It's not known whether they
                // are meant to be literals or escapes. I'm choosing to remove them as
                // errant escapes.
                var removeInvalidEscape = function(evt) {
                  var msg = evt.Get('message');
                  msg = msg.replace(escapeRegex, "$1$2");
                  evt.Put("message", msg);
                }

                var extrahopProcessor = new processor.Chain()
                    .Add(removeInvalidEscape)
                    .Add(encodeNewline)
                    .Add(fixTimestamps)
                    .Add(fixMacAddressFields)
                    .Build();

                return {
                    process: function (evt) {
                        extrahopProcessor.Run(evt);
                    },
                };
            })();

            function process(evt) {
                return extrahop.process(evt);
            }

      - decode_cef:
          field: message


output.console.enable: true

logging.level: info

http.port: 6060
	filebeat.inputs:
	- host: localhost:9514
	id: udp-extrahop-cef-9514
	type: udp
	processors:
	- convert:
	mode: copy
	fields:
	- { from: "message", to: "event.original" }

	- script:
	lang: javascript
	source: \|
	var extrahop = (function () {
	var processor = require("processor");

	var macRegex = /( \|\\|)(dst\|src)=((?:[0-9A-Fa-f]{2}[:-]){5}(?:[0-9A-Fa-f]{2}))/gm;

	// Extrahop uses the wrong field names for MAC addresses.
	var fixMacAddressFields = function(evt) {
	var msg = evt.Get("message");
	msg = msg.replace(macRegex, function(match, prefix, key, mac) {
	if (key == "dst") {
	key = "dmac";
	} else {
	key = "smac";
	}
	return prefix + key + "=" + mac
	});
	evt.Put("message", msg);
	};

	var timeRegex = / (rt\|start\|end)=(\d{4}-\d{2}-\d{2}T\d{1,2}:\d{2}:\d{2}.\d+Z)/gm;
	var timeSubstitution = "$2";

	// Extrahop does not format time stamps as per the CEF spec. So convert them to
	// to unix epoch in milliseconds.
	var fixTimestamps = function(evt) {
	var msg = evt.Get("message")
	msg = msg.replace(timeRegex, function(match, key, time, offset, whole, groups) {
	return " " + key + "=" + Date.parse(time);
	})

	msg
	evt.Put("message", msg);
	};

	var newlineRegex = /(?:\r\n\|\r\|\n)/g;

	// Newline (aka line feed) characters are supposed to be encoded a '\n', but
	// on the wire 0xA was being received.
	var encodeNewline = function(evt) {
	var msg = evt.Get("message");
	msg = msg.replace(newlineRegex, "\\n")
	msg = msg.trim();
	evt.Put("message", msg);
	}

	var escapeRegex = /([^\\])\\([-.])/gm;

	// Some logs have invalid escape sequences. It's not known whether they
	// are meant to be literals or escapes. I'm choosing to remove them as
	// errant escapes.
	var removeInvalidEscape = function(evt) {
	var msg = evt.Get('message');
	msg = msg.replace(escapeRegex, "$1$2");
	evt.Put("message", msg);
	}

	var extrahopProcessor = new processor.Chain()
	.Add(removeInvalidEscape)
	.Add(encodeNewline)
	.Add(fixTimestamps)
	.Add(fixMacAddressFields)
	.Build();

	return {
	process: function (evt) {
	extrahopProcessor.Run(evt);
	},
	};
	})();

	function process(evt) {
	return extrahop.process(evt);
	}

	- decode_cef:
	field: message


	output.console.enable: true

	logging.level: info

	http.port: 6060