Parse Log Event Extended Format (LEEF) encoded message. Only LEEF versions 1.0 and 2.0 are supported.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
delimiter | string | optional[a] | Delimiter to use when parsing the extension fields of a LEEF:1.0 message. When processing LEEF:2.0 messages this argument is ignored as the value is specified in a message header. The value must be a single character with unicode value in the range 0x0000-0xffff. | |
field[b] | string | optional[a] | @rawstring | Field that holds the input in LEEF form. |
parsetime | boolean | optional[a] | true | Control if the devTime extension field should be parsed. Setting this to false can be used to disable the time parsing step. |
| Valid Values | ||||
false | Disables parsing of the devTime field | |||
true | Enables parsing of the devTime field | |||
prefix | string | optional[a] | leef.ext. | Prefix to extension fields. Fields in the LEEF extension part are prefixed with this. |
timezone | string | optional[a] | Z | Time zone to use if none specified in devTimeFormat string. See the full list of timezones supported by LogScale at Supported Timezones. |
[a] Optional parameters use their default value unless explicitly set | ||||
Omitted Argument NamesThe argument name for
fieldcan be omitted; the following forms of this function are equivalent:logscaleparseLEEF("@rawstring")and:
logscaleparseLEEF(field="@rawstring")
This function will skip any prefix up to the marker
LEEF:1.0| or
LEEF:2.0|. So even though LEEF messages
are typically delivered via Syslog, the Syslog part of the message has to
be parsed separately.
If the LEEF message contains a devTime (and optionally
devTimeFormat) this function will extract
the time stamp from there and assign it to
@timestamp.
Use the (unnamed) field parameter to specify which field should be parsed. Specify @rawstring to parse the rawstring. You can use the parameter prefix to specify an alternative to leef.ext. as prefix for the extension fields.
You may want to review the Specifications for LEEF. For legacy support, a LEEF:0| is parsed as LEEF:1.0 headers, with CEF:0-style body. In general the implementation is more permissive than the spec to allow for common mistakes in log writers.
parseLEEF() Examples
From a log line like this:
logscale<13>1 2019-01-18T11:07:53.520Z 192.168.1.1 LEEF:2.0| Lancope| StealthWatch| 1.0| 41| ^| src=10.0.0.1^act=blocked an X^dst=1.1.1.1Parse the @rawstring field to show how the LEEF format is parsed with the default field names:
logscaleparseLEEF(field=@rawstring)Field Value leef.version 2.0leef.device.vendor Lanscopeleef.device.product StealthWatchleef.device.version 1.0leef.event_id 41leef.ext.src 10.0.0.1leef.ext.act
"blocked an X"leef.ext.dst 1.1.1.1From a log line like this:
LEEF:2.0|Palo Alto Networks|LF|2.0|THREAT| |TimeReceived=2016-01-01T00:00:58.000000Z DeviceSN=123456789123 EventID=THREAT cat= ConfigVersion=9.1Show how the LEEF format is parsed with changed header prefix:
logscaleparseLEEF(headerprefix="leef.header.")This will add the following fields to the event:
Field Value leef.header.version 2.0leef.header.device.vendor Palo Alto Networksleef.header.device.product LFleef.header.device.version 2.0leef.ext.DeviceSN 123456789123leef.ext.EventID THREATleef.ext.TimeReceived 2016-01-01T00:00:58.000000Zleef.ext.cat ""leef.ext.ConfigVersion 9.1Show how the LEEF format is parsed with changed extension prefix:
logscaleparseLEEF(prefix="my.prefix.")The output will produce the following:
Field Value leef.version 2.0leef.event_id THREATleef.device.vendor Palo Alto Networksleef.device.product 2LFleef.device.version 2.0my.prefix.DeviceSN 2123456789123my.prefix.EventID THREATmy.prefix.TimeReceived 2016-01-01T00:00:58.000000Zmy.prefix.cat ""my.prefix.ConfigVersion 9.1