CEF int too small

Hi,

I'm forwarding log entries from a firewall in CEF format to Graylog. Some entries are skipped because the values of the fields in and out are bigger than an integer.

CEF:0|Manufacture|Firewall|FW Version|70026|Connection_Progress|0|in=85068772 out=8747876628 app=TSM rt=Jan 14 2020 13:49:37 deviceFacility=Packet Filtering deviceInboundInterface=0 proto=6 dpt=1500 spt=45004 dst=192.168.0.1 src=192.168.0.2

2020-01-14T13:49:37.727+01:00 WARN [MappedMessage] Could not transform CEF field [out] according to standard. Skipping.
java.lang.NumberFormatException: For input string: "8747876628"
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65) ~[?:1.8.0_232]
at java.lang.Integer.parseInt(Integer.java:583) ~[?:1.8.0_232]
at java.lang.Integer.parseInt(Integer.java:615) ~[?:1.8.0_232]
at org.graylog.plugins.cef.parser.CEFMapping.convertInteger(CEFMapping.java:249) ~[graylog.jar:?]
at org.graylog.plugins.cef.parser.CEFMapping.convert(CEFMapping.java:314) ~[graylog.jar:?]
at org.graylog.plugins.cef.parser.MappedMessage.mapExtensions(MappedMessage.java:52) [graylog.jar:?]
at org.graylog.plugins.cef.parser.MappedMessage.<init>(MappedMessage.java:37) [graylog.jar:?]
at org.graylog.plugins.cef.codec.CEFCodec.decodeCEF(CEFCodec.java:128) [graylog.jar:?]
at org.graylog.plugins.cef.codec.CEFCodec.decode(CEFCodec.java:112) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:150) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:91) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:86) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:45) [graylog.jar:?]
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_232]

Graylog v3.1.3

Is it possible that the CEF parser uses long or unsigned integer instead of integer?

Your firewall probably violates the CEF standard. Only the cn1, cn2, cn3 fields should be of long type:

key_name | Full Name | Data Type
cn1 | deviceCustomNumber1 | Long
cn2 | deviceCustomNumber2 | Long
cn3 | deviceCustomNumber3 | Long

So the correct CEF will be:
cn1Label=InputData cn1=85068772 cn2Label=OutputData cn2=8747876628

https://community.microfocus.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Implementation-Standard/ta-p/1645557
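Added example, not code from this thread and not Graylog's own parser: a small Python checker that parses the CEF header and extension block, reports every value that does not fit the data type the CEF standard assigns to its key (a Java int for in/out/dpt/spt, which is exactly what Integer.parseInt rejected in the trace above; a Java long for cn1..cn3), and rewrites the in/out counters into the long-typed cn1/cn2 fields the reply proposes. The type table is an assumption limited to the keys that appear in this thread, the default labels InputData/OutputData are taken from the reply, and the sample input is the line from the question. Both counters are moved even when one of them still fits an int, so the field names stay the same from one event to the next instead of flipping between in and cn1 depending on the value.

```python
import re
from typing import Dict, List, Tuple

# Java limits: Integer.parseInt (used for int-typed keys in the trace above)
# rejects anything outside the signed 32-bit range; a long is 64-bit.
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
INT64_MIN, INT64_MAX = -2**63, 2**63 - 1

# Subset of the CEF dictionary (assumption: only the keys used in this thread).
# Per the standard, in/out/dpt/spt are Integer and cn1..cn3 are Long.
CEF_TYPES: Dict[str, str] = {
    "in": "int", "out": "int", "dpt": "int", "spt": "int",
    "cn1": "long", "cn2": "long", "cn3": "long",
    "cn1Label": "string", "cn2Label": "string", "cn3Label": "string",
    "app": "string", "proto": "string", "deviceFacility": "string",
    "deviceInboundInterface": "string", "rt": "timestamp",
    "src": "ipv4", "dst": "ipv4",
}
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
DEFAULT_LABELS = {"in": "InputData", "out": "OutputData"}  # labels from the reply

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")            # pipe not escaped as \|
_EXT_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9_]+=)")   # whitespace before the next key=
_KV = re.compile(r"^([A-Za-z0-9_]+)=(.*)$", re.S)

# Sample input: the line from the question.
SAMPLE_LINE = ("CEF:0|Manufacture|Firewall|FW Version|70026|Connection_Progress|0|"
               "in=85068772 out=8747876628 app=TSM rt=Jan 14 2020 13:49:37 "
               "deviceFacility=Packet Filtering deviceInboundInterface=0 proto=6 "
               "dpt=1500 spt=45004 dst=192.168.0.1 src=192.168.0.2")


def unescape(value: str) -> str:
    """Undo the CEF escapes \\|, \\= and \\\\."""
    return re.sub(r"\\([|=\\])", r"\1", value)


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a CEF line into its 7 header fields and the extension key/values.
    Values may contain spaces (rt=Jan 14 2020 ...), so pairs are cut only
    where whitespace is followed by another key=."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _HEADER_SPLIT.split(line[4:], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    header = dict(zip(HEADER_FIELDS, (unescape(p) for p in parts[:7])))
    extension: Dict[str, str] = {}
    if len(parts) == 8 and parts[7].strip():
        for pair in _EXT_SPLIT.split(parts[7].strip()):
            m = _KV.match(pair)
            if not m:
                raise ValueError(f"malformed extension pair: {pair!r}")
            extension[m.group(1)] = unescape(m.group(2))
    return header, extension


def check_value(key: str, value: str) -> str:
    """'' if value fits the type the standard gives key, otherwise the reason."""
    kind = CEF_TYPES.get(key, "string")
    if kind not in ("int", "long"):
        return ""
    try:
        n = int(value)
    except ValueError:
        return f"{key}={value!r} is not numeric"
    lo, hi = (INT32_MIN, INT32_MAX) if kind == "int" else (INT64_MIN, INT64_MAX)
    return "" if lo <= n <= hi else f"{key}={value} exceeds the {kind} range (max {hi})"


def validate(line: str) -> List[str]:
    """Every value the standard's types cannot hold; empty means the line parses cleanly."""
    _, ext = parse_cef(line)
    return [p for p in (check_value(k, v) for k, v in ext.items()) if p]


def _esc_header(s: str) -> str:
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _esc_value(s: str) -> str:
    return s.replace("\\", "\\\\").replace("=", "\\=")


def build_cef(header: Dict[str, str], ext: Dict[str, str]) -> str:
    """Re-emit a CEF line, escaping | in the header and = and \\ in values."""
    head = "|".join(_esc_header(header[f]) for f in HEADER_FIELDS)
    body = " ".join(k + "=" + _esc_value(v) for k, v in ext.items())
    return "CEF:" + head + "|" + body


def move_to_custom_numbers(line: str, keys=("in", "out"),
                           labels: Dict[str, str] = DEFAULT_LABELS) -> str:
    """Rewrite the given counters into free cn1..cn3 slots (Long per the standard),
    labelled with labels[key] or the key itself, keeping all other fields in place."""
    header, ext = parse_cef(line)
    free = [n for n in (1, 2, 3) if f"cn{n}" not in ext]
    new_ext: Dict[str, str] = {}
    for k, v in ext.items():
        if k not in keys:
            new_ext[k] = v
            continue
        if check_value("cn1", v):                 # must at least fit a long
            raise ValueError(f"{k}={v} does not fit a long either")
        if not free:
            raise ValueError("no free cnN slot left for " + k)
        n = free.pop(0)
        new_ext[f"cn{n}Label"] = labels.get(k, k)
        new_ext[f"cn{n}"] = v
    return build_cef(header, new_ext)


if __name__ == "__main__":
    for problem in validate(SAMPLE_LINE):
        print("WARN", problem)
    print(move_to_custom_numbers(SAMPLE_LINE))
```

Run against the question's line, validate() reports only out=8747876628 as exceeding the int range, and the rewritten line starts its extension block with cn1Label=InputData cn1=85068772 cn2Label=OutputData cn2=8747876628 and validates clean. The natural place for such a rewrite is on the forwarder or a relay in front of the CEF input, before the message reaches the parser that skips the field.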
