- Don`t add syslog header

Ruslan Gainutdinov · Ruslan Gainutdinov · commit f9a81dbec332 · 2017-09-06T13:16:15.000+03:00
- Use values for CEF field Device Vendor|Device Product|Device Version specific to graylog-output-syslog plugin
- Space separated params in CEF Extension field
diff --git a/src/main/java/com/wizecore/graylog2/plugin/CEFSender.java b/src/main/java/com/wizecore/graylog2/plugin/CEFSender.java
@@ -25,28 +25,36 @@ public class CEFSender implements MessageSender {
 	@Override
 	public void send(SyslogIF syslog, int level, Message msg) {
 		StringBuilder out = new StringBuilder();
-		PlainSender.appendHeader(msg, out);
-		out.append("CEF:0|ArcSight|Logger|5.0.0.5355.2|log:1|");
+		// Header:
+		// CEF:Version|Device Vendor|Device Product|Device Version|
+		out.append("CEF:0|Graylog|graylog-output-syslog:cefsender|2.1.1|");
+		// Device Event Class ID
+		out.append("log:1");
+		out.append("|");
+		// Name
 		String str = msg.getMessage();
 		if (str.contains("|")) {
 			str = str.replace("|", "");
 		}
 		out.append(str);
-		out.append("|").append(level) .append("|"); // severity
+		// Severity
+		out.append("|").append(level) .append("|"); 
+		// Extension
 		Map<String, Object> fields = msg.getFields();
 		boolean have = false;
 		for (String k: fields.keySet()) {
 			Object v = fields.get(k);
 			if (!k.equals("message") && !k.equals("full_message")) {
-    			String s = v != null ? v.toString() : "null";
-    			if (have) {
-					have = true;
-				}
+    			String s = v != null ? v.toString() : "null";
 				s = s.replace("\\", "\\\\");
 				s = s.replace("=", "\\=");
 				s = s.replace("\r", "");
-				s = s.replace("\n", "\\n");
+				s = s.replace("\n", "\\n");
+				if (have) {
+					out.append(" ");
+				}
 				out.append(k).append('=').append(s);
+				have = true;
 			}
 		}
 
