CEF Plugin warning - Could not transform CEF field [type] according to standard. - avc: denied { signull } for

(Daniejstriata) #1

Hi,

I’m using OSSEC to ship its events via syslog to the CEF plugin listening on UDP. In the Graylog server log I’m seeing a lot of these, which I’m not sure what to make of:

2019-04-24T08:15:31.668Z WARN  [MappedMessage] Could not transform CEF field [type] according to standard. Skipping.
java.lang.NumberFormatException: For input string: "1400 audit(1556093729.307:558793): avc:  denied  { signull } for"
	at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65) ~[?:1.8.0_212]
	at java.lang.Integer.parseInt(Integer.java:580) ~[?:1.8.0_212]
	at java.lang.Integer.parseInt(Integer.java:615) ~[?:1.8.0_212]
	at org.graylog.plugins.cef.parser.CEFMapping.convertInteger(CEFMapping.java:249) ~[graylog.jar:?]
	at org.graylog.plugins.cef.parser.CEFMapping.convertType(CEFMapping.java:274) ~[graylog.jar:?]
	at org.graylog.plugins.cef.parser.CEFMapping.convert(CEFMapping.java:314) ~[graylog.jar:?]
	at org.graylog.plugins.cef.parser.MappedMessage.mapExtensions(MappedMessage.java:52) [graylog.jar:?]
	at org.graylog.plugins.cef.parser.MappedMessage.<init>(MappedMessage.java:37) [graylog.jar:?]
	at org.graylog.plugins.cef.codec.CEFCodec.decodeCEF(CEFCodec.java:128) [graylog.jar:?]
	at org.graylog.plugins.cef.codec.CEFCodec.decode(CEFCodec.java:112) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:150) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:91) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:74) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
	at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
	at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_212]
2019-04-24T08:15:31.668Z WARN  [MappedMessage] Could not transform CEF field [type] according to standard. Skipping.
java.lang.NumberFormatException: For input string: "1400 audit(1556093730.364:558794): avc:  denied  { name_connect } for"
	at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65) ~[?:1.8.0_212]
	at java.lang.Integer.parseInt(Integer.java:580) ~[?:1.8.0_212]
	at java.lang.Integer.parseInt(Integer.java:615) ~[?:1.8.0_212]
	at org.graylog.plugins.cef.parser.CEFMapping.convertInteger(CEFMapping.java:249) ~[graylog.jar:?]
	at org.graylog.plugins.cef.parser.CEFMapping.convertType(CEFMapping.java:274) ~[graylog.jar:?]
	at org.graylog.plugins.cef.parser.CEFMapping.convert(CEFMapping.java:314) ~[graylog.jar:?]
	at org.graylog.plugins.cef.parser.MappedMessage.mapExtensions(MappedMessage.java:52) [graylog.jar:?]
	at org.graylog.plugins.cef.parser.MappedMessage.<init>(MappedMessage.java:37) [graylog.jar:?]
	at org.graylog.plugins.cef.codec.CEFCodec.decodeCEF(CEFCodec.java:128) [graylog.jar:?]
	at org.graylog.plugins.cef.codec.CEFCodec.decode(CEFCodec.java:112) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:150) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:91) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:74) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
	at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
	at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_212]
(Jan Doberstein) #2

I guess that OSSEC does not follow the CEF rules.

My personal advice: switch to a raw input and check what is delivered. Use the processing pipelines and their CEF parser to have the information extracted easily from the messages with a processing rule.
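
To make concrete what the stack trace in #1 is reporting, here is an added example (not Graylog's or OSSEC's code): a minimal CEF parser in Python that splits extensions the way a key=value scanner must, applies the standard's integer typing to the `type` field, and feeds it two constructed lines. In the first, a raw SELinux audit record sits in `msg=` with its own `type=1400 ... pid=` pairs unescaped, so the scanner cuts `msg` short at the next ` key=`, turns `type` into a CEF field whose value is "1400 audit(...) for", and the integer conversion fails exactly as in the trace; the field is skipped rather than the message dropped. In the second, the producer escapes `=` as `\=` before embedding, and the same record parses cleanly. The OSSEC CEF layout, the placement of the audit record in `msg`, and the audit text itself are assumptions constructed for the example.

```python
"""Minimal CEF parser reproducing the 'Could not transform CEF field [type]'
failure: an unescaped key=value pair inside an extension value leaks into the
extension scanner, and the standard's integer-typed 'type' field then fails
integer conversion. Added example, not Graylog's or OSSEC's code; sample log
lines below are constructed."""
import re
from typing import Any, Dict, List, Tuple

# CEF extension keys the standard types as integers; 'type' is the one the
# thread's stack trace chokes on (CEFMapping.convertType -> convertInteger).
INT_FIELDS = {"type", "spt", "dpt", "cnt", "in", "out"}

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")                          # split on unescaped '|'
_EXT_KV = re.compile(r"(?P<key>\w+)=(?P<value>.*?)(?=\s\w+=|$)")  # value runs to next ' key='
_UNESCAPE = re.compile(r"\\([\\=|])")                             # '\\', '\=', '\|' -> literal


def parse_cef(line: str) -> Tuple[Dict[str, str], str]:
    """Split a CEF line into its seven header fields and the raw extension string."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    names = ["version", "device_vendor", "device_product", "device_version",
             "device_event_class_id", "name", "severity"]
    header = {n: _UNESCAPE.sub(r"\1", p) for n, p in zip(names, parts[:7])}
    header["version"] = header["version"][len("CEF:"):]
    return header, parts[7]


def parse_extensions(ext: str) -> Dict[str, str]:
    """Extension scan: every unescaped ' key=' starts a new field, which is why
    the producer must escape '=' inside values (CEF requires '\\=')."""
    return {m["key"]: _UNESCAPE.sub(r"\1", m["value"]) for m in _EXT_KV.finditer(ext)}


def map_extensions(fields: Dict[str, str]) -> Tuple[Dict[str, Any], List[str]]:
    """Apply the standard's types. Like the codec in the thread, a field that
    does not fit its type is skipped with a note, not treated as fatal."""
    mapped: Dict[str, Any] = {}
    skipped: List[str] = []
    for key, value in fields.items():
        if key in INT_FIELDS:
            try:
                mapped[key] = int(value)
            except ValueError:
                skipped.append(f"{key}: {value!r}")  # 'Could not transform CEF field [type]'
            continue
        mapped[key] = value
    return mapped, skipped


def escape_extension_value(value: str) -> str:
    """Producer-side fix: backslash and '=' must be escaped inside extension values."""
    return value.replace("\\", "\\\\").replace("=", "\\=")


def build_line(raw_log: str, escape: bool) -> str:
    """Constructed OSSEC-style CEF line carrying a raw audit record in msg (layout assumed)."""
    body = escape_extension_value(raw_log) if escape else raw_log
    return f"CEF:0|OSSEC|OSSEC|2.9|1400|SELinux denial|5|dpt=22 msg={body}"


# Constructed SELinux AVC record of the shape visible in the thread's exception text.
RAW_AUDIT = ("kernel: type=1400 audit(1556093729.307:558793): avc:  denied  "
             "{ signull } for pid=4242 comm=sshd")


def decode(line: str) -> Tuple[Dict[str, Any], List[str]]:
    """Header + typed extensions, plus the list of fields that had to be skipped."""
    header, ext = parse_cef(line)
    mapped, skipped = map_extensions(parse_extensions(ext))
    return {**header, **mapped}, skipped


if __name__ == "__main__":
    for escaped in (False, True):
        event, skipped = decode(build_line(RAW_AUDIT, escape=escaped))
        print("escaped" if escaped else "unescaped", "->", event, "skipped:", skipped)
```

Running it shows the unescaped line yields `msg="kernel:"`, a skipped `type` field, and stray `pid`/`comm` fields, while the escaped line yields `msg` equal to the original audit record and nothing skipped. The same split happens in any key=value scanner, which is why checking the raw bytes on a raw input before applying a CEF parser, as suggested above, tells you immediately whether the producer is escaping.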

(system) closed #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.