This is an old project, in need of some refactoring.

What do you folks think about having it rewritten in Go?

My arguments:

• Easier deployment in restricted environments (only a single binary), as was usually the case when I consulted ArcSight
• Better data assertion with types
• Better (although uglier) error handling
• Likely a higher EPS thoughput with the use of goroutines and channels
• I like Go :D

@tristanlatr
@pcktdmp
@urbantom
@lewisoaten

Hi Kamus, thanks for this wonderful classs.
I noticed an Issue on flex fields i saw is that flexString1 should be decoded to "flexString1" in CEF and not to "fs1".
maybe it used to be like this in the past but now it not working.

Hello!

I do not have any awesome examples to create csv file with right headers for input to your programm.
Can you add to project 1-2 csv files with examples?

Big thx.

Same for 'request' and 'spriv' tags

Looks like a copy and paste error with the fullName field.

Similar to #1 .

I get this error when running run.py. File /con/CEFtools/logfiles/test_out.log contains a CSV file with CEF header.
It seems the module struggles finding his own imports. Same on Linux or Windows.

[cefevent]# /opt/rh/rh-python36/root/bin/python ./run.py --host localhost --port 10514 --auto_send --eps 10000 /con/CEFtools/logfiles/test_out.log
Traceback (most recent call last):
File "./run.py", line 2, in
from cefevent import CEFSender, CEFEvent
File "/opt/rh/rh-python36/root/usr/lib/python3.6/site-packages/cefevent/cefevent.py", line 4, in
from .extensions import extension_dictionary
ImportError: attempted relative import with no known parent package

Ok, so I remove the . in .extensions to have it find it, we go one step further

[cefevent]# /opt/rh/rh-python36/root/bin/python ./run.py --host localhost --port 10514 --auto_send --eps 10000 /con/CEFtools/logfiles/test_out.log
Traceback (most recent call last):
File "./run.py", line 2, in
from cefevent import CEFSender, CEFEvent
ImportError: cannot import name 'CEFSender'

So I modify the import line to
from cefsender import CEFSender

And I get this:

[cefevent]# /opt/rh/rh-python36/root/bin/python ./run.py --host localhost --port 10514 --auto_send --eps 10000 /con/CEFtools/logfiles/test_out.log
Traceback (most recent call last):
File "./run.py", line 4, in
from cefsender import CEFSender
File "/opt/rh/rh-python36/root/usr/lib/python3.6/site-packages/cefevent/cefsender.py", line 6, in
from cefevent.syslog import Syslog
ModuleNotFoundError: No module named 'cefevent.syslog'; 'cefevent' is not a package

All righty, trying with modifying that line in cefsender.py to
from cefevent import CEFEvent

I don’t think it requires all this tweaking, may be something I’m missing.

Also, it seems to resend the same events over and over. How can I make it only send the content of the file once?
And there seem to be a few fields missing from extensions.py (deviceVendor, deviceProduct, Name, deviceEventClassId, requestContext etc). It would be good to add them. Please refer to the list sent to you by email.

Thanks

event = CEFEvent()
event.set_field('cn1', 0)
string = event.build_cef()
assert 'cn1=0' in string

its expected to result 'cn1=0' in the string.

the fix is:

def set_field(self, field, value):

        if field in self._prefix_list:
            return self.set_prefix(field, value)

        if field in self._reverse_extension_dictionary:
            v = self._validate_field_value(field, value)
            if v:  <------- THIS SHOULD BE `if v is not False:`!!
                self.extensions[field] = v
                return self.extensions[field]
            else:
                return False
        elif field in self._extension_dictionary:
            field = self._extension_dictionary[field]['full_name']
            v = self._validate_field_value(field, value)
            if v:
                self.extensions[field] = v
                return self.extensions[field]
            else:
                return False

Hey @kamushadenes - I just stumbled across this valuable project, really appreciate your work.
I recently figured out, that in the current CEF definition, bytesIn and bytesOut is allowed to be Long from CEF version 1.0 onwards
(see V26 of CEF implementation guide)

do you have any thoughts of implementing these two different standards?
Cheers
A

Currently during build_cef() when a constraint barrier is hit in most cases False is being returned.
I would like to propose to use raise so these errors can be catched and handled.
A simple example is for instance the field length of requestClientApplication.

Hi,

I am trying to send Syslog events to a local Syslog server. For UDP, my messages work find, however, with TCP, I do not see any messages coming to the Syslog.

I noticed that the data is encoded to 'utf-8' for TCP. Is this the right encoding for TCP? Does TCP work for you?

Thanks,
Steve

Hi all,

Could you tell me if you introduce random data in your generator CEF ?

Thx