Parse CEF encoded message. Only CEF version 0 is supported. This function will skip any prefix up to the marker CEF:0.

For a log line like this:

Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected an X in packet|10|src= act=blocked an X dst=

Using parseCEF(result) will add these fields:

  • cef.version: 0

  • cef.device.vendor: security

  • cef.device.product: threatmanager

  • cef.device.version: 1.0

  • cef.event_class_id: 100

  • "detected an X in packet"

  • cef.severity: 10

  • cef.ext.src:

  • cef.ext.act: "blocked an X"

  • cef.ext.dst:

Use the (unnamed) field parameter to specify which field should be parsed. Specify @rawstring to parse the rawstring.

You may want to review the specification for CEF: ArcSight CEF Spec. For compatibility with legacy systems, this implementation allows the tab character (ASCII 0x09) in addition to the space (ASCII 0x20) as the separator between key-value pairs in the extensions section. A literal backslash followed by t (as in \t) is not a separator, but is re-interpreted like \n and \r in the specification.

Function Traits: Transformation

  • field [a] (string, optional, default: @rawstring): Field that holds the input in CEF form.

  • prefix (string, optional, default: cef.ext.): Prefix to extension fields. Fields in the CEF extension part are prefixed with this.

[a] The argument name field can be omitted.

The parameter name for field can be omitted; the following forms are equivalent:




parseCEF() Examples

CEF parse the @rawstring field from a log line:

Sep 19 08:26:10 host CEF:0 | security| threatmanager| 1.0| 100| detected a \\ in packet| 10| src= act=blocked a \\ dst=

This will add the fields cef.version, cef.device.vendor, cef.device.product, cef.device.version, cef.event_class_id, cef.severity, cef.ext.src, cef.ext.act and cef.ext.dst to the event.
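The following is an added example, not part of this documentation or the product's own parser, showing the parsing rules described above in Python: the prefix before CEF:0 is skipped, the seven header fields are split on unescaped pipes, and extension values run up to the next space- or tab-separated key= so that values containing spaces (like "blocked an X") survive. The sample line and its src/dst values are constructed, and "cef.name" for the Name header field is an assumption, since the field list above omits that key.

```python
import re

CEF_MARKER = "CEF:0"
# Field names as the page lists them; "cef.name" for the Name header is an assumption.
HEADER_KEYS = ["cef.version", "cef.device.vendor", "cef.device.product",
               "cef.device.version", "cef.event_class_id", "cef.name", "cef.severity"]
# Key: run of non-separator chars + '=', at the start or after space/tab ('\=' is an escape).
KEY_RE = re.compile(r"(?:^|(?<=[ \t]))([^ \t=\\]+)=")
EXT_ESCAPES = {"n": "\n", "r": "\r", "t": "\t"}  # '\t' becomes a tab, as the page states
# Constructed sample line in the shape of the page's example (src/dst values are made up).
SAMPLE = "Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected an X in packet|10|src=10.0.0.1 act=blocked an X dst=192.0.2.1"

def _unescape_ext(value):
    # Resolve \=, \\, \n, \r and \t in an extension value (the last three become control characters).
    return re.sub(r"\\(.)", lambda m: EXT_ESCAPES.get(m.group(1), m.group(1)), value)

def parse_cef(line, prefix="cef.ext."):
    """Return a dict of cef.* fields for one CEF:0 line, or None if no CEF:0 marker is found."""
    start = line.find(CEF_MARKER)
    if start < 0:
        return None  # anything before the marker is skipped; no marker means no CEF:0 message
    msg = line[start:]
    header, cur, i = [], [], 0
    # Header: seven fields split on unescaped '|'; '\|' and '\\' are unescaped in place.
    while i < len(msg) and len(header) < 7:
        ch = msg[i]
        if ch == "\\" and i + 1 < len(msg):
            cur.append(msg[i + 1]); i += 2; continue
        if ch == "|":
            header.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    if len(header) < 7:
        return None  # truncated header, not a complete CEF:0 message
    header[0] = header[0][len("CEF:"):]  # "CEF:0" -> "0"
    fields = dict(zip(HEADER_KEYS, header))
    # Extensions: each value runs until the next key= that follows a space or tab, so
    # values may contain spaces; a key with nothing after '=' yields an empty string.
    ext = msg[i:]
    keys = list(KEY_RE.finditer(ext))
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        fields[prefix + m.group(1)] = _unescape_ext(ext[m.end():end].strip(" \t"))
    return fields
```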