Graylog 3.1 CEF UDP Checkpoint

Since migrating to Graylog 3.1, the CEF UDP input has been unable to decode messages (works fine in 2.4).

Error message

 2019-12-03T16:52:09.226+01:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=dcf8ef90-15e4-11ea-b6a8-0050568a1266, journalOffset=-9223372036854775808, codec=CEF, payloadSize=19, timestamp=2019-12-03T15:52:09.225Z, remoteAddress=/}
java.lang.NullPointerException: null
	at org.graylog.plugins.cef.parser.MappedMessage.<init>( ~[graylog.jar:?]
	at org.graylog.plugins.cef.codec.CEFCodec.decodeCEF( ~[graylog.jar:?]
	at org.graylog.plugins.cef.codec.CEFCodec.decode( ~[graylog.jar:?]
	at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage( ~[graylog.jar:?]
	at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent( [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent( [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent( [graylog.jar:?]
	at [graylog.jar:?]
	at com.codahale.metrics.InstrumentedThreadFactory$ [graylog.jar:?]
	at [?:1.8.0_222]

The message comes from a Checkpoint firewall

CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|sqlnet1|Unknown|act=Drop deviceDirection=0 rt=1575387805000 spt=51690 dpt=1521 cs2Label=Rule Name layer_name=Prod_fw Security layer_uuid=927f269b-52dd-4cab-8550-7aeffda6ca02 match_id=4019 parent_rule=0 rule_action=Drop rule_uid=3e517596-1229-c34a-86e4-ab3a7f3ff752 ifname=bond1.45 logid=0 loguid={0x0,0x0,0x0,0x0} origin= originsicname=CN=fw, sequencenum=292 version=5 dst= inzone=Internal outzone=Internal product=VPN-1 & FireWall-1 proto=6 service_id=sqlnet1 src=

The CEF message seems correct :confused:

Any idea?

Hey @guiguiabloc

At least the key=value part you provided is nearly unparsable by any automation. The values hold spaces, which is also the delimiter between a key and the previous value … If that is really your CEF message, ingest it into a RAW input and use the processing pipeline to work on this kind of message.

Hi @jan
I'm surprised by your answer.
This message was parsable in Graylog 2.4 on a CEF input.

The CEF format allows spaces in values (see the ArcSight Common Event Format Implementation Standard).

The original message is coming from a Checkpoint firewall. I think that Checkpoint correctly implements the CEF format.
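To show the two points raised above (values may contain spaces per the CEF standard, and the message can be handled by your own parsing if an input chokes on it), here is an added example that is not from this thread or from Graylog's code: a small CEF parser in which an extension value runs until the next ` key=` token. It assumes the escapes defined by the standard (`\|` and `\\` in the header; `\=`, `\\`, `\r`, `\n` in extensions) and uses the Check Point message quoted above as its constructed sample.

```python
import re

# Constructed sample: the Check Point line quoted in the thread, with the
# empty origin/dst/src values left exactly as they appear there.
SAMPLE = ("CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|sqlnet1|Unknown|"
          "act=Drop deviceDirection=0 rt=1575387805000 spt=51690 dpt=1521 "
          "cs2Label=Rule Name layer_name=Prod_fw Security "
          "layer_uuid=927f269b-52dd-4cab-8550-7aeffda6ca02 match_id=4019 parent_rule=0 "
          "rule_action=Drop rule_uid=3e517596-1229-c34a-86e4-ab3a7f3ff752 ifname=bond1.45 "
          "logid=0 loguid={0x0,0x0,0x0,0x0} origin= originsicname=CN=fw, sequencenum=292 "
          "version=5 dst= inzone=Internal outzone=Internal product=VPN-1 & FireWall-1 "
          "proto=6 service_id=sqlnet1 src=")

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# An extension key is a run of key characters that starts the extension string or
# follows a space and is immediately followed by '='.  Everything between one key's
# '=' and the next key is that key's value, so values may legitimately hold spaces
# (e.g. "cs2Label=Rule Name") and even unescaped '=' not preceded by a space
# (e.g. "originsicname=CN=fw,").
_KEY_RE = re.compile(r"(?:^|(?<= ))([A-Za-z0-9_.]+)=")
_UNESCAPE = {"\\": "\\", "=": "=", "r": "\r", "n": "\n"}

def _split_header(text):
    """Split the seven header fields on unescaped '|', honouring backslash escapes."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            cur.append(text[i + 1]); i += 2; continue
        if c == "|":
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(c); i += 1
    if len(fields) < 7:
        raise ValueError("incomplete CEF header")
    return fields, text[i:]

def parse_cef(line):
    """Return a dict with the header fields plus an 'extensions' dict of key/values."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    header, ext = _split_header(line[len("CEF:"):])
    result = dict(zip(HEADER_FIELDS, header))
    result["version"] = int(result["version"])
    keys = list(_KEY_RE.finditer(ext))
    extensions = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].rstrip(" ")      # trailing space is the key separator
        extensions[m.group(1)] = re.sub(r"\\([\\=rn])", lambda e: _UNESCAPE[e.group(1)], raw)
    result["extensions"] = extensions
    return result
```

Running `parse_cef(SAMPLE)` yields `"Rule Name"` for `cs2Label` and `"VPN-1 & FireWall-1"` for `product`, which is what a standard-conforming CEF decoder should produce for this line.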

Hey @guiguiabloc

I do not have that device available - my guess was based on a first manual scan of the message you provided.

If the same message was parsed on a different Graylog version without any problems and now has a problem, please open a bug report over at GitHub to make this visible.

Hi @jan

Thanks for your answer.
I already opened a bug report on GitHub some days ago.

for reference:
