Skip to content

Instantly share code, notes, and snippets.

@andrewkroh
Last active October 24, 2023 20:41
Show Gist options
  • Save andrewkroh/f8b670707a7543a80f2361c3725c0e38 to your computer and use it in GitHub Desktop.
Save andrewkroh/f8b670707a7543a80f2361c3725c0e38 to your computer and use it in GitHub Desktop.
ExtraHop CEF logging to Filebeat
filebeat.inputs:
- host: localhost:9514
id: udp-extrahop-cef-9514
type: udp
processors:
- convert:
mode: copy
fields:
- { from: "message", to: "event.original" }
- script:
lang: javascript
source: |
var extrahop = (function () {
var processor = require("processor");
var macRegex = /( |\|)(dst|src)=((?:[0-9A-Fa-f]{2}[:-]){5}(?:[0-9A-Fa-f]{2}))/gm;
// Extrahop uses the wrong field names for MAC addresses.
var fixMacAddressFields = function(evt) {
var msg = evt.Get("message");
msg = msg.replace(macRegex, function(match, prefix, key, mac) {
if (key == "dst") {
key = "dmac";
} else {
key = "smac";
}
return prefix + key + "=" + mac
});
evt.Put("message", msg);
};
var timeRegex = / (rt|start|end)=(\d{4}-\d{2}-\d{2}T\d{1,2}:\d{2}:\d{2}.\d+Z)/gm;
var timeSubstitution = "$2";
// Extrahop does not format time stamps as per the CEF spec. So convert them to
// to unix epoch in milliseconds.
var fixTimestamps = function(evt) {
var msg = evt.Get("message")
msg = msg.replace(timeRegex, function(match, key, time, offset, whole, groups) {
return " " + key + "=" + Date.parse(time);
})
msg
evt.Put("message", msg);
};
var newlineRegex = /(?:\r\n|\r|\n)/g;
// Newline (aka line feed) characters are supposed to be encoded a '\n', but
// on the wire 0xA was being received.
var encodeNewline = function(evt) {
var msg = evt.Get("message");
msg = msg.replace(newlineRegex, "\\n")
msg = msg.trim();
evt.Put("message", msg);
}
var escapeRegex = /([^\\])\\([-.])/gm;
// Some logs have invalid escape sequences. It's not known whether they
// are meant to be literals or escapes. I'm choosing to remove them as
// errant escapes.
var removeInvalidEscape = function(evt) {
var msg = evt.Get('message');
msg = msg.replace(escapeRegex, "$1$2");
evt.Put("message", msg);
}
var extrahopProcessor = new processor.Chain()
.Add(removeInvalidEscape)
.Add(encodeNewline)
.Add(fixTimestamps)
.Add(fixMacAddressFields)
.Build();
return {
process: function (evt) {
extrahopProcessor.Run(evt);
},
};
})();
function process(evt) {
return extrahop.process(evt);
}
- decode_cef:
field: message
output.console.enable: true
logging.level: info
http.port: 6060
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment