CEF int too small

maheine · January 15, 2020, 9:24am

Hi,

I’m forwarding log entries from a firewall in CEF format to graylog. Some entries are skipped, because the value of the field in and out are bigger than integer.

CEF:0|Manufacture|Firewall|FW Version|70026|Connection_Progress|0|in=85068772 out=8747876628 app=TSM rt=Jan 14 2020 13:49:37 deviceFacility=Packet Filtering deviceInboundInterface=0 proto=6 dpt=1500 spt=45004 dst=192.168.0.1 src=192.168.0.2

2020-01-14T13:49:37.727+01:00 WARN [MappedMessage] Could not transform CEF field [out] according to standard. Skipping.
java.lang.NumberFormatException: For input string: “8747876628”
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65) ~[?:1.8.0_232]
at java.lang.Integer.parseInt(Integer.java:583) ~[?:1.8.0_232]
at java.lang.Integer.parseInt(Integer.java:615) ~[?:1.8.0_232]
at org.graylog.plugins.cef.parser.CEFMapping.convertInteger(CEFMapping.java:249) ~[graylog.jar:?]
at org.graylog.plugins.cef.parser.CEFMapping.convert(CEFMapping.java:314) ~[graylog.jar:?]
at org.graylog.plugins.cef.parser.MappedMessage.mapExtensions(MappedMessage.java:52) [graylog.jar:?]
at org.graylog.plugins.cef.parser.MappedMessage.(MappedMessage.java:37) [graylog.jar:?]
at org.graylog.plugins.cef.codec.CEFCodec.decodeCEF(CEFCodec.java:128) [graylog.jar:?]
at org.graylog.plugins.cef.codec.CEFCodec.decode(CEFCodec.java:112) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:150) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:91) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:86) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:45) [graylog.jar:?]
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_232]

Graylog v3.1.3

Is it possible, that the CEF parser uses long or unsigned integer instead of integer?

shoothub · January 15, 2020, 11:22am

Your firewall probably violate CEF standard. Only cn1, cn2, cn3 field should be long type:

key_name | Full Nane | Data Type
cn1 | deviceCustomNumber1 | Long
cn2 | deviceCustomNumber2 | Long
cn3 | deviceCustomNumber3 | Long

So correct CEF will be:
cn1Label=InputData cn1=85068772 cn2Label=OutputData cn2=8747876628

system · January 29, 2020, 11:22am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Workaround for CEF - Integer/Double Graylog Central (peer support)	4	1036	January 28, 2022
Fortigate field mapping problem Graylog Central (peer support)	4	1464	March 25, 2020
CEF Plugin warning - Could not transform CEF field [type] according to standard. - avc: denied { signull } for" Graylog Add-ons	2	1350	May 13, 2019
Unable to show top values Graylog Central (peer support)	2	836	August 28, 2020
Graylog doesn't work with CEF input Graylog Central (peer support)	2	2142	April 27, 2018

CEF int too small

Related topics