Workaround for CEF - Integer/Double

KPS · January 13, 2022, 7:52am

Hi!

I am sending CEF-logs from Fortigate-firewalls to graylog.
IN/OUT-bytes are sometimes bigger than the integer limits. This is already a known issue:

github.com/Graylog2/graylog2-server

Change CEF Parser: Use long for in and out

opened 11:15AM - 04 Feb 20 UTC

Maheine

bug triaged

I’m forwarding log entries from a firewall in CEF format to graylog. Some entrie…s are skipped, because the value of the field in and out are bigger than java integer. `CEF:0|Manufacture|Firewall|FW Version|70026|Connection_Progress|0|in=85068772 out=8747876628 app=TSM rt=Jan 14 2020 13:49:37 deviceFacility=Packet Filtering deviceInboundInterface=0 proto=6 dpt=1500 spt=45004 dst=192.168.0.1 src=192.168.0.2 ` ``` 2020-01-14T13:49:37.727+01:00 WARN [MappedMessage] Could not transform CEF field [out] according to standard. Skipping. java.lang.NumberFormatException: For input string: “8747876628” at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65) ~[?:1.8.0_232] at java.lang.Integer.parseInt(Integer.java:583) ~[?:1.8.0_232] at java.lang.Integer.parseInt(Integer.java:615) ~[?:1.8.0_232] at org.graylog.plugins.cef.parser.CEFMapping.convertInteger(CEFMapping.java:249) ~[graylog.jar:?] at org.graylog.plugins.cef.parser.CEFMapping.convert(CEFMapping.java:314) ~[graylog.jar:?] at org.graylog.plugins.cef.parser.MappedMessage.mapExtensions(MappedMessage.java:52) [graylog.jar:?] at org.graylog.plugins.cef.parser.MappedMessage.(MappedMessage.java:37) [graylog.jar:?] at org.graylog.plugins.cef.codec.CEFCodec.decodeCEF(CEFCodec.java:128) [graylog.jar:?] at org.graylog.plugins.cef.codec.CEFCodec.decode(CEFCodec.java:112) [graylog.jar:?] at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:150) [graylog.jar:?] at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:91) [graylog.jar:?] at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:86) [graylog.jar:?] at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:45) [graylog.jar:?] at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?] at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?] at java.lang.Thread.run(Thread.java:748) [?:1.8.0_232] ``` I also asked the firewall manufacturer: > In definition of CEF, some fields are defined as integer. For some specific fields valid range is also specified. > > However CEF documentation DOES NOT specify the integer in more detailed level. So it totally leaves out the question of valid integer range. When it comes to minint and maxint, those are totally implementation dependent. In fact int data type can be promised to be at least 16 bits long. - Other than that it is fully implementation specific even if some languages may have more standardized meaning for it. So if integer is used to describe something presented in ASCII format, it only specified the format but does not specific the valid range. > > Please note also that clearly integer in the CEF documentation can mean also something longer than 32 bit integer: > > \"CEF supports several variations on time/date formats to accurately identify the time an event occurred. These formats are as follows: > Milliseconds since January 1, 1970 (integer). (This time format supplies an integer with the count in milliseconds from January 1, 1970 to the time the event occurred.)\" > > If the integer would be limited to 32 bit integer, this would overflow each month. So obviously CEF format must accept also longer integers. at least it must be able to handle numbers up to 1580733301527 (Which was timestamp today) and even larger before it is unable to deal with time values). > > So there is no evidence that values in those fields would violate CEF standard. There is only evidence that graylog developers have made inaccurate assumptions and due to this are unable to deal with those log entries. > Graylog v3.1.3 Is it possible, that the CEF parser uses long instead of integer for the in and out field? Thanks

But: Do you have any idea on how to do a workaround to this? Do you have any idea for an alternative handling of the logs?

Currently, I am using a pipeline-rule to extract CEF:
let result = regex(("(CEF:.*)$"),to_string($message.message));

But there is:
WARN [MappedMessage] Could not transform CEF field [out] according to standard. Skipping.
java.lang.NumberFormatException: For input string: “2273997656”

Thank you for your thoughts
KPS

KPS · January 13, 2022, 9:03am

Hi!

I just found a “nasty” workaround:
My rule-order is: Pipeline->Extractor

Pipeline:

rule "Fortigate Process CEF for traffic"
	when
		contains(to_string($message.message), "CEF:0", true)
	then
        let result = regex(("(CEF:.*)$"),to_string($message.message));
        let pure_cef = to_string(result["0"]);
        // Remove in and out for later extraction from message field by EXTRACTOR
        let pure_cef = regex_replace("(.*)( out=[0-9]{1,10} )(.*)", pure_cef, "$1 $3");
        let pure_cef = regex_replace("(.*)( in=[0-9]{1,10} )(.*)", pure_cef, "$1 $3");
        set_fields(parse_cef(to_string(pure_cef), false));
        set_field("message", to_string(result["0"]));
end

And extractors from message-field later.

KPS

KPS · January 13, 2022, 10:17am

Hi!

I had to change the rules and go to “pipeline-only” to be able to convert to “double”:

rule "Fortigate Process CEF for traffic"
	when
		contains(to_string($message.message), "CEF:0", true)
	then
        let result = regex(("(CEF:.*)$"),to_string($message.message));
        let pure_cef = to_string(result["0"]);
        // Remove in and out for later extraction from message field by EXTRACTOR
        let pure_cef = regex_replace("(.*)( out=[0-9]{1,20} )(.*)", pure_cef, "$1 $3");
        let pure_cef = regex_replace("(.*)( in=[0-9]{1,20} )(.*)", pure_cef, "$1 $3");
        set_fields(parse_cef(to_string(pure_cef), false));
        set_field("message", to_string(result["0"]));
        // set_field("pure_cef", to_string(pure_cef));
end

rule "Fortigate Process Traffic Counters Full Sessions"
	when
		contains(to_string($message.message), " in=", true)
		AND contains(to_string($message.message), " out=", true)
		AND NOT contains(to_string($message.message), " FTNTFGTlogid=0000000020 ", true)
	then
	    let intotal = to_double(regex_replace("(.* in=)([0-9]{1,20})( .*)",to_string($message.message),"$2"));
	    let outtotal = to_double(regex_replace("(.* out=)([0-9]{1,20})( .*)",to_string($message.message),"$2"));
	    set_field("in", to_double(intotal));
	    set_field("out", to_double(outtotal));
end

rule "Fortigate Process Traffic Counters Partial Sessions"
	when
		contains(to_string($message.message), " in=", true)
		AND contains(to_string($message.message), " out=", true)
		AND contains(to_string($message.message), " FTNTFGTlogid=0000000020 ", true)
	then
	    let intotal = to_double(regex_replace("(.* in=)([0-9]{1,20})( .*)",to_string($message.message),"$2"));
	    let outtotal = to_double(regex_replace("(.* out=)([0-9]{1,20})( .*)",to_string($message.message),"$2"));
	    set_field("intotal", to_double(intotal));
	    set_field("outtotal", to_double(intotal));
	    let inbyte = to_double(regex_replace("(.* FTNTFGTrcvddelta=)([0-9]{1,20})(.*)",to_string($message.message),"$2"));
	    let outbyte = to_double(regex_replace("(.* FTNTFGTsentdelta=)([0-9]{1,20})(.*)",to_string($message.message),"$2"));
	    set_field("in", to_double(inbyte));
	    set_field("out", to_double(outbyte));
end

gsmith · January 14, 2022, 12:39am

Hello @KPS

Nice I was wondering if you have seen the category in the forum below. It would be nice if you could write up something under pipelines there for future community members. This would give a better search later on. Also thank you for posting your resolution to the issue

system · January 28, 2022, 12:40am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
CEF int too small Graylog Central (peer support)	2	469	January 29, 2020
Fortigate field mapping problem Graylog Central (peer support)	4	1464	March 25, 2020
Fortinet CEF Formatting issues Graylog Central (peer support) pipeline-rules	17	5014	October 17, 2019
Graylog doesn't work with CEF input Graylog Central (peer support)	2	2142	April 27, 2018
FortiGate: I can get CEF logs over UDP and Syslog over TLS, but not CEF over TLS. Why? Graylog Central (peer support)	16	3330	May 2, 2023

Workaround for CEF - Integer/Double

Related topics