Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tag _cefparsefailure on parse failure #26

Merged
merged 2 commits into from
Nov 17, 2016
Merged

tag _cefparsefailure on parse failure #26

merged 2 commits into from
Nov 17, 2016

Conversation

jsvd
Copy link
Member

@jsvd jsvd commented Oct 10, 2016

fixes #25

breml
breml reviewed Oct 10, 2016
View reviewed changes
Copy link
Collaborator

@breml breml left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Over all it looks good to me, only a few minor suggestions.

The CEF specification () states in section Header Field Definitions that the version (field cef_version) is an integer. Maybe we should throw an exception if this is not the case as it is not valid CEF. This should go after https://github.com/logstash-plugins/logstash-codec-cef/pull/26/files#diff-60997264fb4df8acacfb3987dc3049a5L95

lib/logstash/codecs/cef.rb
@@ -114,6 +117,9 @@ def decode(data)
end

yield event
rescue => e
@logger.error("Failed to decode event payload. Generating failure event with payload in message field.", :error => e.message, :backtrace => e.backtrace, :data => data)
yield LogStash::Event.new("message" => data, "tags" => ["_cefparsefailure"])
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

logstash-filter-json allows to configure the tag for the failure case: https://github.com/logstash-plugins/logstash-filter-json/blob/master/lib/logstash/filters/json.rb#L60
should we provide similar behavior?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

they most used one (codec json) doesn't allow it, so I'm not that concerned, maybe we can have this as is and eventually add it if needed?

lib/logstash/codecs/cef.rb
@@ -114,6 +117,9 @@ def decode(data)
end

yield event
rescue => e
@logger.error("Failed to decode event payload. Generating failure event with payload in message field.", :error => e.message, :backtrace => e.backtrace, :data => data)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest to add some kind of reference to CEF to the error log message. While checking the logs it would be easier to understand the error.
Maybe something like: "Failed to decode CEF payload." ...

@breml
Copy link
Collaborator

breml commented Oct 10, 2016

Forgot to paste the link to the CEF specification: https://www.protect724.hpe.com/servlet/JiveServlet/downloadBody/1072-102-9-20354/CommonEventFormatv23.pdf

@jsvd jsvd mentioned this pull request Oct 10, 2016
Open
@jsvd
Copy link
Member Author

jsvd commented Oct 10, 2016

@breml created issue for cef_version validation in #27

@breml
Copy link
Collaborator

breml commented Oct 14, 2016

@jsvd Today I wanted to review your PR and let the spec tests run on my machine. Unfortunately this does not work. May be you can give me an hint what might be the problem. After updating to java 1.8.0_101 and running bundle install on your pr, I get the following output with rspec:

Ignoring executable-hooks-1.3.2 because its extensions are not built.  Try: gem pristine executable-hooks --version 1.3.2
Ignoring gem-wrappers-1.2.7 because its extensions are not built.  Try: gem pristine gem-wrappers --version 1.2.7
Ignoring jruby-launcher-1.1.1-java because its extensions are not built.  Try: gem pristine jruby-launcher --version 1.1.1
/home/lubr/.rvm/gems/jruby-1.7.19/gems/concurrent-ruby-1.0.0-java/lib/concurrent/executor/thread_pool_executor.rb:12 warning: already initialized constant ThreadPoolExecutorImplementation
--- jar coordinate com.fasterxml.jackson.core:jackson-databind already loaded with version 2.7.4 - omit version 2.7.3
--- jar coordinate com.fasterxml.jackson.core:jackson-core already loaded with version 2.7.4 - omit version 2.7.3
--- jar coordinate com.fasterxml.jackson.core:jackson-annotations already loaded with version 2.7.3 - omit version 2.7.0
--- jar coordinate com.fasterxml.jackson.core:jackson-core already loaded with version 2.7.4 - omit version 2.7.3
--- jar coordinate com.fasterxml.jackson.core:jackson-databind already loaded with version 2.7.4 - omit version 2.7.3
NameError: uninitialized constant LogStash::Util::SafeURI::Forwardable
  const_missing at org/jruby/RubyModule.java:2726
        SafeURI at /home/lubr/.rvm/gems/jruby-1.7.19/gems/logstash-core-5.0.0.pre.beta1-java/lib/logstash/util/safe_uri.rb:11
         (root) at /home/lubr/.rvm/gems/jruby-1.7.19/gems/logstash-core-5.0.0.pre.beta1-java/lib/logstash/util/safe_uri.rb:7
        require at org/jruby/RubyKernel.java:1071
         (root) at /home/lubr/.rvm/rubies/jruby-1.7.19/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:1
        require at /home/lubr/.rvm/rubies/jruby-1.7.19/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:69
        require at /home/lubr/.rvm/gems/jruby-1.7.19/gems/polyglot-0.3.5/lib/polyglot.rb:65
        require at org/jruby/RubyKernel.java:1071
         (root) at /home/lubr/.rvm/gems/jruby-1.7.19/gems/logstash-core-5.0.0.pre.beta1-java/lib/logstash/config/mixin.rb:7
         (root) at /home/lubr/.rvm/rubies/jruby-1.7.19/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:1
        require at /home/lubr/.rvm/rubies/jruby-1.7.19/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:69
        require at org/jruby/RubyKernel.java:1071
        require at /home/lubr/.rvm/gems/jruby-1.7.19/gems/polyglot-0.3.5/lib/polyglot.rb:65
         (root) at /home/lubr/.rvm/gems/jruby-1.7.19/gems/logstash-core-5.0.0.pre.beta1-java/lib/logstash/plugin.rb:4
         (root) at /home/lubr/.rvm/rubies/jruby-1.7.19/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:1
        require at org/jruby/RubyKernel.java:1071
        require at /home/lubr/.rvm/rubies/jruby-1.7.19/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:69
        require at /home/lubr/.rvm/gems/jruby-1.7.19/gems/polyglot-0.3.5/lib/polyglot.rb:65
         (root) at /home/lubr/.rvm/gems/jruby-1.7.19/gems/logstash-core-5.0.0.pre.beta1-java/lib/logstash/filters/base.rb:5
        require at org/jruby/RubyKernel.java:1071
         (root) at /home/lubr/.rvm/rubies/jruby-1.7.19/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:1
        require at /home/lubr/.rvm/rubies/jruby-1.7.19/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:69
        require at org/jruby/RubyKernel.java:1071
        require at /home/lubr/.rvm/gems/jruby-1.7.19/gems/polyglot-0.3.5/lib/polyglot.rb:65
         (root) at /home/lubr/.rvm/gems/jruby-1.7.19/gems/logstash-core-5.0.0.pre.beta1-java/lib/logstash/pipeline.rb:9
        require at org/jruby/RubyKernel.java:1071
         (root) at /home/lubr/.rvm/rubies/jruby-1.7.19/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:1
        require at /home/lubr/.rvm/rubies/jruby-1.7.19/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:69
        require at org/jruby/RubyKernel.java:1071
         (root) at /home/lubr/.rvm/gems/jruby-1.7.19/gems/logstash-core-5.0.0.pre.beta1-java/lib/logstash/agent.rb:10
         (root) at /home/lubr/.rvm/rubies/jruby-1.7.19/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:1
           load at org/jruby/RubyKernel.java:1087
        require at /home/lubr/.rvm/rubies/jruby-1.7.19/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:69
           each at org/jruby/RubyArray.java:1613
         (root) at /home/lubr/.rvm/gems/jruby-1.7.19/gems/logstash-devutils-0.0.18-java/lib/logstash/devutils/rspec/logstash_helpers.rb:1
         (root) at /home/lubr/.rvm/rubies/jruby-1.7.19/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:1
        require at /home/lubr/.rvm/rubies/jruby-1.7.19/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:69
         (root) at /home/lubr/.rvm/gems/jruby-1.7.19/gems/logstash-devutils-0.0.18-java/lib/logstash/devutils/rspec/spec_helper.rb:17
         (root) at /home/lubr/.rvm/rubies/jruby-1.7.19/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:1
        require at /home/lubr/.rvm/rubies/jruby-1.7.19/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:128
           load at org/jruby/RubyKernel.java:1087
         (root) at /home/lubr/logstash/logstash-codec-cef/spec/codecs/cef_spec.rb:3
           eval at org/jruby/RubyKernel.java:1107
         (root) at /home/lubr/.rvm/gems/jruby-1.7.19/gems/rspec-core-3.1.7/lib/rspec/core/configuration.rb:1

The same also happens on current master of this plugin. Therefore I think this problem is not related to your PR.

@jsvd
Copy link
Member Author

jsvd commented Oct 17, 2016

@breml strange, I tried to replicate your issue with jruby 1.7.19 but failed to:

~/new_plugins/logstash-codec-cef (git)-[tag_on_failure] % rvm install jruby-1.7.19
Found remote file https://s3.amazonaws.com/jruby.org/downloads/1.7.19/jruby-bin-1.7.19.tar.gz
Checking requirements for osx.
Requirements installation successful.
jruby-1.7.19 - #configure
Unknown ruby string (do not know how to handle): jruby-1.7.19.
jruby-1.7.19 - #download
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 31.2M  100 31.2M    0     0  2707k      0  0:00:11  0:00:11 --:--:-- 3262k
jruby-1.7.19 - #validate archive
jruby-1.7.19 - #extract
jruby-1.7.19 - #validate binary
jruby-1.7.19 - #setup
jruby-1.7.19 - #gemset created /Users/joaoduarte/.rvm/gems/jruby-1.7.19@global
jruby-1.7.19 - #importing gemset /Users/joaoduarte/.rvm/gemsets/jruby/global.gems..
jruby-1.7.19 - #generating global wrappers........
jruby-1.7.19 - #gemset created /Users/joaoduarte/.rvm/gems/jruby-1.7.19
jruby-1.7.19 - #importing gemsetfile /Users/joaoduarte/.rvm/gemsets/default.gems evaluated to empty gem list
jruby-1.7.19 - #generating default wrappers........
~/new_plugins/logstash-codec-cef (git)-[tag_on_failure] % rvm use jruby-1.7.19
Using /Users/joaoduarte/.rvm/gems/jruby-1.7.19
~/new_plugins/logstash-codec-cef (git)-[tag_on_failure] % gem install bundler
Fetching: bundler-1.13.5.gem (100%)
Successfully installed bundler-1.13.5
1 gem installed
  21.53s user 0.81s system 256% cpu 8.699 total
~/new_plugins/logstash-codec-cef (git)-[tag_on_failure] % bundle install
Fetching gem metadata from https://rubygems.org/.........
Fetching version metadata from https://rubygems.org/..
Fetching dependency metadata from https://rubygems.org/.
Resolving dependencies....
Using rake 11.3.0
Installing numerizer 0.1.1
Installing clamp 0.6.5
Installing coderay 1.1.1
Installing concurrent-ruby 1.0.0
Installing diff-lcs 1.2.5
Installing ffi 1.9.14
Installing filesize 0.0.4
Installing fivemat 1.3.2
Installing gem_publisher 1.5.0
Installing gems 0.8.3
Installing i18n 0.6.9
Installing insist 1.0.0
Installing jar-dependencies 0.3.5
Installing jrjackson 0.4.0
Installing jrmonitor 0.4.2
Installing jruby-openssl 0.9.16
Installing kramdown 1.12.0
Installing ruby-maven-libs 3.3.9
Installing minitar 0.5.4
Installing method_source 0.8.2
Installing slop 3.6.0
Installing puma 2.16.0
Installing rubyzip 1.1.7
Installing rack 1.6.4
Installing tilt 2.0.5
Installing stud 0.0.22
Installing thread_safe 0.3.5
Installing polyglot 0.3.5
Installing rspec-support 3.5.0
Using bundler 1.13.5
Installing chronic_duration 0.10.6
Installing spoon 0.0.6
Installing ruby-maven 3.3.12
Installing rack-protection 1.5.3
Installing treetop 1.4.15
Installing rspec-core 3.5.4
Installing rspec-expectations 3.5.0
Installing rspec-mocks 3.5.0
Installing pry 0.10.4
Installing logstash-core-event-java 5.0.0.pre.beta1
Installing sinatra 1.4.7
Installing rspec 3.5.0
Installing logstash-core 5.0.0.pre.beta1
Installing rspec-wait 0.0.9
Installing logstash-core-plugin-api 2.1.16
Using logstash-codec-cef 3.1.0 from source at `.`
Installing logstash-devutils 1.1.0
Bundle complete! 2 Gemfile dependencies, 48 gems now installed.
Use `bundle show [gemname]` to see where a bundled gem is installed.
Post-install message from jar-dependencies:

if you want to use the executable lock_jars then install ruby-maven gem before using lock_jars 

   $ gem install ruby-maven -v '~> 3.3.11'

or add it as a development dependency to your Gemfile

   gem 'ruby-maven', '~> 3.3.11'

~/new_plugins/logstash-codec-cef (git)-[tag_on_failure] % bundle exec rspec
--- jar coordinate com.fasterxml.jackson.core:jackson-databind already loaded with version 2.7.4 - omit version 2.7.3
--- jar coordinate com.fasterxml.jackson.core:jackson-core already loaded with version 2.7.4 - omit version 2.7.3
--- jar coordinate com.fasterxml.jackson.core:jackson-databind already loaded with version 2.7.4 - omit version 2.7.3
--- jar coordinate com.fasterxml.jackson.core:jackson-annotations already loaded with version 2.7.3 - omit version 2.7.0
--- jar coordinate com.fasterxml.jackson.core:jackson-core already loaded with version 2.7.4 - omit version 2.7.3
Run options: exclude {:redis=>true, :socket=>true, :performance=>true, :couchdb=>true, :elasticsearch=>true, :elasticsearch_secure=>true, :export_cypher=>true, :integration=>true, :windows=>true}

Randomized with seed 57442
...........................................

Finished in 0.66 seconds (files took 3.5 seconds to load)
43 examples, 0 failures

Randomized with seed 57442

@breml
Copy link
Collaborator

breml commented Oct 18, 2016

@jsvd I tried again today even with removal of jruby and reinstallation with the same steps you executed.

The bad news is: it does still not work completely.
The good news is: On branch master it worked and all rspec tests execute without failure.
On your PR/branch I still have problems, but they changed. My output now reads:

--- jar coordinate com.fasterxml.jackson.core:jackson-databind already loaded with version 2.7.4 - omit version 2.7.3
--- jar coordinate com.fasterxml.jackson.core:jackson-core already loaded with version 2.7.4 - omit version 2.7.3
--- jar coordinate com.fasterxml.jackson.core:jackson-annotations already loaded with version 2.7.3 - omit version 2.7.0
--- jar coordinate com.fasterxml.jackson.core:jackson-core already loaded with version 2.7.4 - omit version 2.7.3
--- jar coordinate com.fasterxml.jackson.core:jackson-databind already loaded with version 2.7.4 - omit version 2.7.3
Using Accessor#strict_set for specs
NameError: undefined method '[]=' for class 'LogStash::Event'
     alias_method at org/jruby/RubyModule.java:2316
            Event at /home/lubr/.rvm/gems/jruby-1.7.19/gems/logstash-devutils-0.0.18-java/lib/logstash/devutils/rspec/spec_helper.rb:38
           (root) at /home/lubr/.rvm/gems/jruby-1.7.19/gems/logstash-devutils-0.0.18-java/lib/logstash/devutils/rspec/spec_helper.rb:37
          require at org/jruby/RubyKernel.java:1071
           (root) at /home/lubr/logstash/logstash-codec-cef/spec/codecs/cef_spec.rb:1
             load at org/jruby/RubyKernel.java:1087
           (root) at /home/lubr/logstash/logstash-codec-cef/spec/codecs/cef_spec.rb:3
             each at org/jruby/RubyArray.java:1613
           (root) at /home/lubr/.rvm/gems/jruby-1.7.19/gems/rspec-core-3.1.7/lib/rspec/core/configuration.rb:1
  load_spec_files at /home/lubr/.rvm/gems/jruby-1.7.19/gems/rspec-core-3.1.7/lib/rspec/core/configuration.rb:1105
  load_spec_files at /home/lubr/.rvm/gems/jruby-1.7.19/gems/rspec-core-3.1.7/lib/rspec/core/configuration.rb:1105
            setup at /home/lubr/.rvm/gems/jruby-1.7.19/gems/rspec-core-3.1.7/lib/rspec/core/runner.rb:96
              run at /home/lubr/.rvm/gems/jruby-1.7.19/gems/rspec-core-3.1.7/lib/rspec/core/runner.rb:84
              run at /home/lubr/.rvm/gems/jruby-1.7.19/gems/rspec-core-3.1.7/lib/rspec/core/runner.rb:69
             load at org/jruby/RubyKernel.java:1087
           invoke at /home/lubr/.rvm/gems/jruby-1.7.19/gems/rspec-core-3.1.7/lib/rspec/core/runner.rb:37
             eval at org/jruby/RubyKernel.java:1107
           (root) at /home/lubr/.rvm/gems/jruby-1.7.19/bin/jruby_executable_hooks:15

Does this mean anything to you?

@breml
Copy link
Collaborator

breml commented Oct 26, 2016

Today I tried again and I first removed the Gemfile.lock and reinstalled the Gems with bundle install. This did the trick and the test cases ran without any problems.

This showed me, that your PR is depending on a recent version of the logstash-devutils, so I was wondering, if we should add a dependency to logstash-codec-cef.gemspec (with version 1.1.0 it is working, with version 0.0.22 it does not).

@jsvd what do you think?

Other than that, there is no longer any reason to not merge this PR.

@breml
Copy link
Collaborator

breml commented Nov 17, 2016

@suyograo @jsvd LGTM, will merge, my issues disappeared.

@breml breml merged commit bbf6ca9 into logstash-plugins:master Nov 17, 2016
@breml breml mentioned this pull request Nov 17, 2016
Merged
@maxious
Copy link

maxious commented Jan 7, 2020

To those getting here via Google 4 years later, just add require "forwardable" to the top of safe_uri.rb as fixed in elastic/logstash#5978

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@breml breml breml left review comments

Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Tag parsing failures instead of throwing an exception
3 participants
@jsvd @breml @maxious