Ignore trailing spaces in CEF messages

[adriansr]

What does this PR do?

This patch updates the Ragel state machine to skip trailing space at the end of CEF messages.

Some CEF exporters, Check Point for example, have been observed to add a trailing space to CEF messages:

"CEF:0:| [...] src=127.0.0.1 "

Currently, this space character is interpreted as part of the last field's value, which can cause decoding errors if the value is an integer or an IP address:

"error": {
    "message": "sourceAddress: value is not a valid IP address"
  }

For maximizing compatibility, we also want to ignore other kinds of white-space characters (newline, carriage return, tab). For example we can get a trailing newline when processing CEF messages from UDP input instead of syslog, which removes newlines.

Trailing space in other extensions' values is preserved, as the CEF standard permits (but discourages) it's use in non-final extensions.

Why is it important?

We've observed users experiencing this problem, trying to fix it (unsuccessfully) with a processor:

- dissect:
      when:
        equals:
          event.module: "cef"
      tokenizer: "%{sourceAddress} "
      field: "cef.extensions.sourceAddress"
      target_prefix: "cef.extensions"

Why a draft?

While the current solution is complete, I'm not satisfied of the changes that introduces to the Ragel SM definition.

Originally I wanted to get something more elegant like this to work:

extensions = (extension " ")* final_extension space*

So that we can keep the extension machine as-is, and add a specialized final_extension machine that will disallow trailing space. However, I didn't manage to get this kind of pattern to work. It requires rewriting a lot of the capture actions to allow for the necessary backtracking, and I wasn't confident enough to get that right without introducing more problems than I was solving, or dedicating too many hours to this fix, due to my limited experience with ragel.

The current solution works by accident. I decided to try a different approach starting by disallowing trailing space in all extensions, and found out that it works as I wanted and captures white-space as value in all extensions but the last. This is a side effect of how an extension value is captured differently in extension_key vs extension_eof. The former captures the previous value up to mark-1, that is the start of the current key minus the space separator. The later captures up to extValueEnd, which is not incremented for trailing space.

The current machine definition is an ugly mix of " " and space usage, because we want to have the space character as the only separator, but trim al trailing space: [\t\v\f\n\r ]

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[andrewkroh]

Nice to see you got it working! Two things I'm curious about. 1) Maybe run benchcmp on this to see how/if the result changed. 2) How does this compare vs a TrimRight solution in a benchmark.

[andrewkroh]

I was surprised that %/extension_eof worked for each individual extension, rather than just the final one. I'm definitely no Ragel expert.

[adriansr]

No, I guess I didn't explain myself properly. extension_eof worked as expected. It's just that it captures a value until the last point saved by @extension_value_mark while extension_key saves the previous value up to the start of the separator. This made no difference before, but now it helps to capture trailing spaces in non-final extensions and to drop it in the final extension.

I had to move it to a different place here to adjust for the case where a msg is padded and EOF is never reached by extension_value due to it not accepting trailing spaces.

[adriansr]

@andrewkroh I ran some benchmarks with count=10 and comparing with benchstat.

All implementations are compared against the original state machine that doesn't trim.

Modified SM (this PR)

name                      old time/op  new time/op  delta
pkg:github.com/elastic/beats/v7/x-pack/filebeat/processors/decode_cef goos:darwin goarch:amd64
ProcessorRun/short_msg-8  5.29µs ± 0%  5.34µs ± 1%  +1.02%  (p=0.000 n=9+9)
ProcessorRun/long_msg-8   65.5µs ± 1%  65.7µs ± 0%    ~     (p=0.165 n=10+10)
pkg:github.com/elastic/beats/v7/x-pack/filebeat/processors/decode_cef/cef goos:darwin goarch:amd64
EventUnpack-8             2.17µs ± 1%  2.14µs ± 1%  -1.25%  (p=0.000 n=10+9)

strings.TrimRight [changes]

name                      old time/op  new time/op  delta
pkg:github.com/elastic/beats/v7/x-pack/filebeat/processors/decode_cef goos:darwin goarch:amd64
ProcessorRun/short_msg-8  5.29µs ± 0%  5.36µs ± 1%  +1.29%  (p=0.000 n=9+10)
ProcessorRun/long_msg-8   65.5µs ± 1%  64.3µs ± 1%  -1.94%  (p=0.000 n=10+10)
pkg:github.com/elastic/beats/v7/x-pack/filebeat/processors/decode_cef/cef goos:darwin goarch:amd64
EventUnpack-8             2.17µs ± 1%  2.17µs ± 1%    ~     (p=0.388 n=10+9)

Custom Loop [changes]

name                      old time/op  new time/op  delta
pkg:github.com/elastic/beats/v7/x-pack/filebeat/processors/decode_cef goos:darwin goarch:amd64
ProcessorRun/short_msg-8  5.29µs ± 0%  5.30µs ± 1%    ~     (p=0.660 n=9+10)
ProcessorRun/long_msg-8   65.5µs ± 1%  64.4µs ± 1%  -1.72%  (p=0.000 n=10+9)
pkg:github.com/elastic/beats/v7/x-pack/filebeat/processors/decode_cef/cef goos:darwin goarch:amd64
EventUnpack-8             2.17µs ± 1%  2.08µs ± 1%  -4.36%  (p=0.000 n=10+10)

Dedicated state-machine [changes]

Did this one just for the sake of it.

name                      old time/op  new time/op  delta
pkg:github.com/elastic/beats/v7/x-pack/filebeat/processors/decode_cef goos:darwin goarch:amd64
ProcessorRun/short_msg-8  5.29µs ± 0%  5.40µs ± 1%  +2.05%  (p=0.000 n=9+10)
ProcessorRun/long_msg-8   65.5µs ± 1%  66.1µs ± 1%  +0.91%  (p=0.001 n=10+10)
pkg:github.com/elastic/beats/v7/x-pack/filebeat/processors/decode_cef/cef goos:darwin goarch:amd64
EventUnpack-8             2.17µs ± 1%  2.16µs ± 1%  -0.61%  (p=0.003 n=10+10)

[andrewkroh]

Thanks for running the comparison. I didn't know about benchstat 😄 .

LGTM, but needs a changelog.