Graylog 3.1 CEF UDP Checkpoint

Graylog Central (peer support)
1

Since migrate to Graylog 3.1, the CEF UDP input was unbale to decode message (works fine in 2.4).

Error message

 2019-12-03T16:52:09.226+01:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=dcf8ef90-15e4-11ea-b6a8-0050568a1266, journalOffset=-9223372036854775808, codec=CEF, payloadSize=19, timestamp=2019-12-03T15:52:09.225Z, remoteAddress=/10.145.24.247:38344}
java.lang.NullPointerException: null
	at org.graylog.plugins.cef.parser.MappedMessage.<init>(MappedMessage.java:37) ~[graylog.jar:?]
	at org.graylog.plugins.cef.codec.CEFCodec.decodeCEF(CEFCodec.java:128) ~[graylog.jar:?]
	at org.graylog.plugins.cef.codec.CEFCodec.decode(CEFCodec.java:117) ~[graylog.jar:?]
	at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:150) ~[graylog.jar:?]
	at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:91) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:86) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:45) [graylog.jar:?]
	at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
	at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]

The message come from Checkpoint Firewall

CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|sqlnet1|Unknown|act=Drop deviceDirection=0 rt=1575387805000 spt=51690 dpt=1521 cs2Label=Rule Name layer_name=Prod_fw Security layer_uuid=927f269b-52dd-4cab-8550-7aeffda6ca02 match_id=4019 parent_rule=0 rule_action=Drop rule_uid=3e517596-1229-c34a-86e4-ab3a7f3ff752 ifname=bond1.45 logid=0 loguid={0x0,0x0,0x0,0x0} origin=10.254.4.203 originsicname=CN=fw,O=fw.net.m9ug26 sequencenum=292 version=5 dst=10.140.27.121 inzone=Internal outzone=Internal product=VPN-1 & FireWall-1 proto=6 service_id=sqlnet1 src=10.241.45.1

The CEF message seem correct :confused:

Any idea ?

Thx

2

he @guiguiabloc

at least the key=value part you provide is nearly not parsable by any automation. The values hold spaces, what is also the delimiter for key and the previous value … If that is really your CEF message, ingest that into a RAW input and use the processing pipeline to work on this kind of messages.

3

Hi @jan
i’m surprised by your answer.
This message was parsable in graylog 2.4 on a CEF input.

The CEF format allow space in value (see ArcSight commont Event Format Implementation Standard https://community.microfocus.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Implementation-Standard/ta-p/1645557)

The original message is coming from a Chekpoint firewall. I think that checkpoint correctly implement the CEF Format.

4

he @guiguiabloc

I do not have that device available - my guessing was based on a first manual scan of the message you have provided.

Should the same message be parsed on a different Graylog Version without any problems and now has a problem, please open a bug report over at GitHub that makes this visible.

5

hi @jan

thanks for your answer.
I already opened a bug report on github some days ago.

6

for reference:

7

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.