Parse Common Event Format (CEF) encoded messages. Only CEF version 0 is supported. This function will skip any prefix up to the marker CEF:0.

Parameter     Type     Required      Default      Description
field [a]     string   optional [b]  @rawstring   Field that holds the input in CEF form. This parameter specifies which field should be parsed. The default value parses the rawstring.
headerprefix  string   optional [b]  cef.         Prefix to the field names for the header fields.
keeplabels    boolean  optional [b]  false        When false (the default), fields ending with Label are removed along with the field that has the same base name, e.g., cef.ext.csLabel and cef.ext.cs.
labelprefix   string   optional [b]  cef.label.   Prefix to the field names for the label fields.
prefix        string   optional [b]  cef.ext.     Prefix to extension fields. Fields in the CEF extension part are prefixed with this.

[a] The argument name field can be omitted.

[b] Optional parameters use their default value unless explicitly set.


You may want to review the specification for CEF: ArcSight CEF Spec. For compatibility with legacy systems, this implementation allows the tab character (ASCII 0x09) in addition to space (ASCII 0x20) as the separator between key-value pairs in the extensions section. A literal backslash followed by t (the two characters \t) is not a separator; it is re-interpreted, like \n and \r in the specification.
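As an added example (not part of the LogScale documentation or its implementation), the following Python parser reproduces the behaviour described above: it skips any prefix up to CEF:0, splits the seven header fields while honouring backslash escapes, accepts space or tab between extension pairs, and turns csNLabel/csN pairs into label fields using the same default prefixes as parseCEF(). The names parse_cef(), split_header(), unescape() and the SAMPLE message are assumptions made for this example, and expanding \t to a tab character is this example's reading of the note above.

```python
import re
HEADER_NAMES = ("device.vendor", "device.product", "device.version",
                "event_class_id", "name", "severity")
# A key starts at the beginning of the extension or after a space/tab (0x20/0x09);
# its value runs up to the next key, so values may contain spaces.
KEY_RE = re.compile(r"(?:^|[ \t])([^\s=\\]+)=")
# \\, \= and \| are the spec escapes; \n, \r (and, per the note above, \t) are
# reinterpreted as control characters, never treated as separators.
ESCAPES = {"\\": "\\", "=": "=", "|": "|", "n": "\n", "r": "\r", "t": "\t"}
# Constructed sample: syslog prefix, escaped pipe and backslash, tab separator.
SAMPLE = ("Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected \\| in packet|10|"
          "src=10.0.0.1\tact=blocked a \\\\ dst=1.1.1.1")

def unescape(text):
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(0)), text)

def split_header(text):
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        if text[i] == "\\" and i + 1 < len(text):  # keep escape pair for unescape()
            cur.append(text[i:i + 2]); i += 2
        elif text[i] == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(text[i]); i += 1
    return fields, text[i:]

def parse_cef(line, prefix="cef.ext.", headerprefix="cef.",
              labelprefix="cef.label.", keeplabels=False):
    """Parse one CEF:0 message into a flat dict; anything before 'CEF:0' is skipped."""
    start = line.find("CEF:0")
    header, ext = split_header(line[start:]) if start >= 0 else ([], "")
    if len(header) < 7:
        return {}
    out = {headerprefix + "version": header[0][len("CEF:"):]}
    for name, raw in zip(HEADER_NAMES, header[1:]):
        out[headerprefix + name] = unescape(raw)
    matches, exts = list(KEY_RE.finditer(ext)), {}
    for m, nxt in zip(matches, matches[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        exts[m.group(1)] = unescape(ext[m.end():end].strip(" \t"))
    # csNLabel=<label> names the field that carries csN's value: cef.label.<label>
    for key in [k for k in exts if k.endswith("Label") and k[:-5] in exts]:
        out[labelprefix + exts[key]] = exts[key[:-5]]
        if not keeplabels:
            del exts[key], exts[key[:-5]]
    for key, value in exts.items():
        out[prefix + key] = value
    return out
```

Running parse_cef(SAMPLE) yields cef.name "detected | in packet" and cef.ext.act "blocked a \" with the escapes resolved, and cef.ext.src is split from cef.ext.act on the tab.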

parseCEF() Examples

  • From a log line like this:

    Sep 19 08:26:10 host CEF:0 | security| threatmanager| 1.0| 100| detected a \\ in packet| 10| src=10.0.0.1 act=blocked a \\ dst=1.1.1.1

    Parse the @rawstring field to show how the CEF format is parsed with the default field names:

    logscale
    parseCEF(field=@rawstring)

    The following fields will be added to the event:

    Field Value
    cef.version 0
    cef.device.vendor security
    cef.device.product threatmanager
    cef.device.version 1.0
    cef.event_class_id 100
    cef.name "detected a \\ in packet"
    cef.severity 10
    cef.ext.src 10.0.0.1
    cef.ext.act "blocked a \\"
    cef.ext.dst 1.1.1.1

  • From a log line like this:

    CEF:0|Incapsula|SIEMintegration|1|1|Illegal Resource Access|3| fileid=3412341160002518171 sourceServiceName=site123.abcd.info siteid=1509732 suid=50005477 requestClientApplication=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 deviceFacility=mia cs2=true cs2Label=Javascript Support start=14532901213

    • Show the output of parseCEF() with changed header prefix:

      logscale
      parseCEF(headerprefix="new.header.")

      This will add the following fields to the event:

      Field Value
      new.header.device.version 1
      new.header.device.vendor Incapsula
      new.header.event_class_id 1
      new.header.device.product SIEMintegration
      new.header.name Illegal Resource Access
      new.header.version 0
      new.header.severity 3
      cef.label.Javascript Support "true"
      cef.ext.requestClientApplication "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
      cef.ext.siteid 1509732
      cef.ext.sourceServiceName "site123.abcd.info"
      cef.ext.fileid 3412341160002518171
      cef.ext.suid 50005477
      cef.ext.start 14532901213
      cef.ext.deviceFacility mia

    • Show the output of parseCEF() with changed label prefix:

      logscale
      parseCEF(labelprefix="new.label.")

      This will add the following fields to the event:

      Field Value
      cef.device.version 1
      cef.device.vendor Incapsula
      cef.event_class_id 1
      cef.device.product SIEMintegration
      cef.name Illegal Resource Access
      cef.version 0
      cef.severity 3
      new.label.Javascript Support "true"
      cef.ext.requestClientApplication "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
      cef.ext.siteid 1509732
      cef.ext.sourceServiceName "site123.abcd.info"
      cef.ext.fileid 3412341160002518171
      cef.ext.suid 50005477
      cef.ext.start 14532901213
      cef.ext.deviceFacility mia

    • Show the output of parseCEF() with changed extension prefix:

      logscale
      parseCEF(prefix="content.")

      This will add the following fields to the event:

      Field Value
      cef.device.version 1
      cef.device.vendor Incapsula
      cef.event_class_id 1
      cef.device.product SIEMintegration
      cef.name Illegal Resource Access
      cef.version 0
      cef.severity 3
      cef.label.Javascript Support "true"
      content.requestClientApplication "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
      content.siteid 1509732
      content.sourceServiceName "site123.abcd.info"
      content.fileid 3412341160002518171
      content.suid 50005477
      content.start 14532901213
      content.deviceFacility mia