CEF Plugin warning - Could not transform CEF field [type] according to standard. - avc: denied { signull } for"

daniejstriata · April 24, 2019, 8:16am

Hi,

I’m using OSSEC to ship its events using syslog to the CEF plugin listening on UDP. In the graylog server log I’m seeing a lot of these of which I’m not sure what to make of:

2019-04-24T08:15:31.668Z WARN  [MappedMessage] Could not transform CEF field [type] according to standard. Skipping.
java.lang.NumberFormatException: For input string: "1400 audit(1556093729.307:558793): avc:  denied  { signull } for"
	at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65) ~[?:1.8.0_212]
	at java.lang.Integer.parseInt(Integer.java:580) ~[?:1.8.0_212]
	at java.lang.Integer.parseInt(Integer.java:615) ~[?:1.8.0_212]
	at org.graylog.plugins.cef.parser.CEFMapping.convertInteger(CEFMapping.java:249) ~[graylog.jar:?]
	at org.graylog.plugins.cef.parser.CEFMapping.convertType(CEFMapping.java:274) ~[graylog.jar:?]
	at org.graylog.plugins.cef.parser.CEFMapping.convert(CEFMapping.java:314) ~[graylog.jar:?]
	at org.graylog.plugins.cef.parser.MappedMessage.mapExtensions(MappedMessage.java:52) [graylog.jar:?]
	at org.graylog.plugins.cef.parser.MappedMessage.<init>(MappedMessage.java:37) [graylog.jar:?]
	at org.graylog.plugins.cef.codec.CEFCodec.decodeCEF(CEFCodec.java:128) [graylog.jar:?]
	at org.graylog.plugins.cef.codec.CEFCodec.decode(CEFCodec.java:112) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:150) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:91) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:74) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
	at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
	at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_212]
2019-04-24T08:15:31.668Z WARN  [MappedMessage] Could not transform CEF field [type] according to standard. Skipping.
java.lang.NumberFormatException: For input string: "1400 audit(1556093730.364:558794): avc:  denied  { name_connect } for"
	at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65) ~[?:1.8.0_212]
	at java.lang.Integer.parseInt(Integer.java:580) ~[?:1.8.0_212]
	at java.lang.Integer.parseInt(Integer.java:615) ~[?:1.8.0_212]
	at org.graylog.plugins.cef.parser.CEFMapping.convertInteger(CEFMapping.java:249) ~[graylog.jar:?]
	at org.graylog.plugins.cef.parser.CEFMapping.convertType(CEFMapping.java:274) ~[graylog.jar:?]
	at org.graylog.plugins.cef.parser.CEFMapping.convert(CEFMapping.java:314) ~[graylog.jar:?]
	at org.graylog.plugins.cef.parser.MappedMessage.mapExtensions(MappedMessage.java:52) [graylog.jar:?]
	at org.graylog.plugins.cef.parser.MappedMessage.<init>(MappedMessage.java:37) [graylog.jar:?]
	at org.graylog.plugins.cef.codec.CEFCodec.decodeCEF(CEFCodec.java:128) [graylog.jar:?]
	at org.graylog.plugins.cef.codec.CEFCodec.decode(CEFCodec.java:112) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:150) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:91) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:74) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
	at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
	at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_212]

jan · April 29, 2019, 6:02am

I guess that OSSEC does not follow the CEF rules.

My personal advice - switch to a RAW Input and check what is delivered. Use the processing Pipelines and their CEF Parser to have the infomration extracted easily from the messages with a processing rule.

system · May 13, 2019, 6:02am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
CEF int too small Graylog Central (peer support)	2	469	January 29, 2020
Graylog doesn't work with CEF input Graylog Central (peer support)	2	2142	April 27, 2018
Graylog 3.1 CEF UDP Checkpoint Graylog Central (peer support)	6	1651	December 22, 2019
Workaround for CEF - Integer/Double Graylog Central (peer support)	4	1036	January 28, 2022
Graylof syslog output plugin cef format not working for nginx logs stream Graylog Add-ons	3	1310	June 1, 2021

CEF Plugin warning - Could not transform CEF field [type] according to standard. - avc: denied { signull } for"

Related topics