31 August 2018

Logstash Lines: Improve CEF and Netflow codecs

By Monica Sarbu

Welcome to Logstash Lines! With this weekly series, we're keeping you up to date with what's new in Logstash, including the latest commits and releases.

Did you know that Logstash 6.4 is already available? Try it and let us know what you think.

Improved CEF and Netflow codecs

Several situations were reported where the CEF codec wasn't parsing messages correctly. Ry refactored the decoding process and was able to both fix the issues and gain a performance boost of up to 25%. This improvement has been released in 5.0.4 of the CEF Logstash codec plugin.

Ry also set out to improve the resiliency of the Netflow codec by extracting the code that interacts with the Netflow caches into its own class, which makes that interaction both thread-safe and easier to reason about. This rework had the nice side effect of a 10% performance improvement! You can find this in the 4.1.1 release of logstash-codec-netflow.

All changes

Repository: elastic/logstash

  • bump versions to 6.4.1 #9937
  • bump version to 5.6.12 #9935
  • bump doc version for 5.6.11 #9930
  • Release notes for 5.6.11 #9928
  • Increase timeout for long-running PQ tests #9926
  • Add missing dependency #9924
  • License checker reports unused dependencies #9923
  • Documentation for the dependency license audit tool #9921

Repositories under elastic/logstash-plugins

logstash-codec-cef - 5.0.4

  • Fix bug in parsing headers where certain legal escape sequences could cause non-escaped pipe characters to be ignored.
  • Fix bug in parsing extension values where a legal unescaped space in a field's value could be interpreted as a field separator (#54)
  • Add explicit handling for extension key names that use array-like syntax that isn't legal with the strict-mode field-reference parser (e.g., `fieldname[0]` becomes `[fieldname][0]`).
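
The three parsing cases listed above matter for anyone feeding CEF into detection rules, since a mis-split header or extension silently shifts values into the wrong fields. The following minimal Ruby parser is an added example, not the logstash-codec-cef source; `parse_cef`, its regexes and the sample line are constructed for illustration.

```ruby
require 'strscan'

HEADER_KEYS = %w[cefVersion deviceVendor deviceProduct deviceVersion
                 deviceEventClassId name severity].freeze

# A header field is a run of escaped pairs (\x) or characters that are neither
# backslash nor pipe. Consuming "\\" as one pair keeps the pipe in `Gate\\|1.0`
# a delimiter; a lookbehind such as /(?<!\\)\|/ would treat that pipe as escaped.
HEADER_FIELD = /(?:\\.|[^\\|])*/

# An extension key, optionally with an array-like suffix such as cs1[0].
EXT_KEY = /[\w.\-]+(?:\[\d+\])?/
# A value runs until whitespace followed by the next `key=`, or end of input,
# so a legal unescaped space inside a value does not split the field.
EXT_PAIR = /(#{EXT_KEY})=((?:\\.|[^\\=])*?)(?=\s+#{EXT_KEY}=|\s*\z)/

def parse_cef(line)
  raise ArgumentError, 'not a CEF message' unless line.start_with?('CEF:')
  scanner = StringScanner.new(line[4..-1])
  event = {}
  HEADER_KEYS.each do |key|
    # Only \\ and \| are unescaped in headers.
    event[key] = scanner.scan(HEADER_FIELD).gsub(/\\([\\|])/, '\1')
    scanner.skip(/\|/)
  end
  scanner.rest.scan(EXT_PAIR) do |key, value|
    # fieldname[0] is not a legal strict-mode field reference: emit [fieldname][0].
    ref = key.sub(/\A([^\[]+)\[(\d+)\]\z/, '[\1][\2]')
    # Only \\ and \= are unescaped here; newline escapes are left as-is.
    event[ref] = value.gsub(/\\([\\=])/, '\1')
  end
  event
end

# Constructed sample line (a single-quoted heredoc keeps backslashes literal).
SAMPLE = <<~'CEF'.chomp
  CEF:0|Acme|Gate\\|1.0|100|Login \| failure|5|src=10.0.0.1 msg=Failed login for admin cs1[0]=a\=b
CEF

puts parse_cef(SAMPLE).inspect if __FILE__ == $PROGRAM_NAME
```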

logstash-codec-netflow - 4.1.1

  • Reduced complexity of creating, persisting, loading and retrieving template caches.

logstash-filter-translate - 3.2.1

  • Updated formatting of examples in documentation for consistent rendering

logstash-input-udp - 3.3.4

  • Fixed input workers exception handling and shutdown handling #44

Repository: elastic/logstash-docs

Changes in 5.6:

  • Docs for 5.6.11 #619