Prefix.java

package org.owasp.security.logging.layout.cef;

import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * prefix of the CEF logging format example :
 * 
 * Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|worm successfully
 * stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232
 * 
 * @author sytze
 *
 */
public class Prefix {

	private final static String CEF_PREFIX = "CEF:";

	/**
	 * version of the CEF format
	 */
	int version;

	/**
	 * device that sends the logging events
	 */
	Device device = new Device();

	/**
	 * represents the type of event, for instance for intrusion detection
	 */
	String signatureId = "signatureId";

	/**
	 * human-readable description of the event
	 */
	String name = "name";

	/**
	 * severity/importance of the event, range 0 - 10. 10 is the most important
	 */
	int severity;

	/**
	 * key/value pairs with extra
	 */
	Map<String, String> extension = new ExtensionMap();

	class Device {
		String vendor = "vendor", product = "product", version = "version";

		public String toString() {
			return vendor + "|" + product + "|" + version;
		}
	}

	public String toString() {
		return CEF_PREFIX + version + "|" + device + "|" + signatureId + "|"
				+ name + "|" + severity + "|" + extension;
	}

	class ExtensionMap extends HashMap<String, String> {

		/**
		 * 
		 */
		private static final long serialVersionUID = 1499695924597182375L;

		public ExtensionMap() {
			put("extension", "value");
		}

		/**
		 * TODO : encoding, multi-line
		 */
		public String toString() {
			Set<String> keys = this.keySet();
			StringBuilder builder = new StringBuilder();
			for (Object key : keys) {
				builder.append(key);
				builder.append('=');
				builder.append(get(key));
				builder.append(' ');
			}
			return builder.toString();
		}
	}
}