Sign upLogin

lunardial/fluent-plugin-parser_cef

View on GitHub
Star
README.md

Summary

Maintainability
Test Coverage
# fluent-plugin-parser_cef

[![Gem Version](https://badge.fury.io/rb/fluent-plugin-parser_cef.svg)](https://badge.fury.io/rb/fluent-plugin-parser_cef)
[![Build Status](https://travis-ci.org/lunardial/fluent-plugin-parser_cef.svg?branch=master)](https://travis-ci.org/lunardial/fluent-plugin-parser_cef)
[![Maintainability](https://api.codeclimate.com/v1/badges/9dc37fceb1caff2c0070/maintainability)](https://codeclimate.com/github/lunardial/fluent-plugin-parser_cef/maintainability)
[![Coverage Status](https://coveralls.io/repos/github/lunardial/fluent-plugin-parser_cef/badge.svg?branch=master)](https://coveralls.io/github/lunardial/fluent-plugin-parser_cef?branch=master)
[![downloads](https://img.shields.io/gem/dt/fluent-plugin-parser_cef.svg)](https://rubygems.org/gems/fluent-plugin-parser_cef)
[![MIT License](http://img.shields.io/badge/license-MIT-blue.svg?style=flat)](LICENSE)

Fluentd Parser plugin to parse CEF - common event format -

## Requirements

| fluent-plugin-parser_cef  | fluentd | ruby |
|---------------------------|---------|------|
| >= 1.0.0 | >= v0.14.0 | >= 2.1 |
|  < 1.0.0 | >= v0.12.0 | >= 1.9 |

## Installation

Add this line to your application's Gemfile:

```bash
# for fluentd v0.12
gem install fluent-plugin-parser_cef -v "< 1.0.0"

# for fluentd v0.14 or higher
gem install fluent-plugin-parser_cef

# for td-agent2
td-agent-gem install fluent-plugin-parser_cef -v "< 1.0.0"

# for td-agent3
td-agent-gem install fluent-plugin-parser_cef
```

## Usage

```
<source>
  @type   tail
  tag     develop.cef
  path      /tmp/fluentd/test.log
  pos_file  /tmp/fluentd/test.pos

  format  cef
  #log_format  syslog
  #syslog_timestamp_format  '\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}'
  #cef_version  0
  #parse_strict_mode  true
  #cef_keyfilename  'config/cef_version_0_keys.yaml'
  #output_raw_field  false
</source>
```

## parameters

* `log_format` (default: syslog)

  input log format, currently only 'syslog' is valid

* `log_utc_offset` (default: nil)

  set log utc_offset if each record does not have timezone information and the timezone is not local timezone

  if log_utc_offset set to nil or invalid value, then use system timezone

  if a log have timezone information, log_utc_offset is ignored

* `syslog_timestamp` (default: '\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}')

  syslog timestamp format, the default is traditional syslog timestamp

* `cef_version` (default: 0)

  CEF version, this should be 0

* `parse_strict_mode` (default: true)

  if the CEF extensions are the following, the value of the key cs2 should 'foo hoge=fuga'

  - cs1=test cs2=foo hoge=fuga cs3=bar

  if parse_strict_mode is false, this is raugh parse, so the value of the key cs2 become 'foo' and non CEF key 'hoge' shown, and the value is 'fuga'

* `cef_keyfilename` (default: 'config/cef_version_0_keys.yaml')

  used when parse_strict_mode is true, this is the array of the valid CEF keys

* `output_raw_field` (default: false)

  append {"raw":\<message itself\>} key-value even if success parsing

## License

The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).