Parse CEF encoded message. Only CEF version 0 is supported. This function will skip any prefix up to the marker `CEF:0`.
For a log line like this:

```
Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected an X in packet|10|src=10.0.0.1 act=blocked an X dst=1.1.1.1
```

Using `parseCEF(result)` will add these fields:

- `cef.version`: 0
- `cef.device.vendor`: security
- `cef.device.product`: threatmanager
- `cef.device.version`: 1.0
- `cef.event_class_id`: 100
- `cef.name`: "detected an X in packet"
- `cef.severity`: 10
- `cef.ext.src`: 10.0.0.1
- `cef.ext.act`: "blocked an X"
- `cef.ext.dst`: 1.1.1.1
Use the (unnamed) `field` parameter to specify which field should be parsed. Specify `@rawstring` to parse the rawstring.
You may want to review the specification for CEF: ArcSight CEF Spec. For compatibility with legacy systems, this implementation allows the tab character (ASCII `0x09`) in addition to space (ASCII `0x20`) as separator for key-value pairs in the extensions section. A literal backslash followed by `t` (as in `\t`) is not a separator, but is re-interpreted, like `\n` and `\r` in the specification.
Function Traits: Transformation
Parameter | Type | Required | Default | Description |
---|---|---|---|---|
field [a] | string | optional | @rawstring | Field that holds the input in CEF form. |
prefix | string | optional | cef.ext. | Prefix to extension fields. Fields in the CEF extension part are prefixed with this. |
The parameter name for `field` can be omitted; the following forms are equivalent:

```
parseCEF("@rawstring")
```

and:

```
parseCEF(field="@rawstring")
parseCEF()
```
Examples

CEF parse the `@rawstring` field from a log line:

```
Sep 19 08:26:10 host CEF:0 | security| threatmanager| 1.0| 100| detected a \\ in packet| 10| src=10.0.0.1 act=blocked a \\ dst=1.1.1.1
```

This will add the fields `cef.version`, `cef.device.vendor`, `cef.device.product`, `cef.device.version`, `cef.event_class_id`, `cef.name`, `cef.severity`, `cef.ext.src`, `cef.ext.act` and `cef.ext.dst` to the event.

```
parseCEF(field=@rawstring)
```
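The parsing rules described above (skip to the `CEF:0` marker, seven `|`-separated header fields with `\|` and `\\` escapes, extension key-value pairs separated by space or tab, literal `\t`, `\n`, `\r` and `\=` re-interpreted rather than treated as separators), as an added standalone example that is not the product's own parser. It assumes header values are trimmed of surrounding whitespace, which is what the second example implies.

```python
import re

# A header value runs up to an unescaped '|'; '\|' and '\\' are the only header escapes.
_HEADER = re.compile(r'((?:\\.|[^|\\])*)\|')
# An extension key starts the extension text or follows a space (0x20) or tab (0x09).
_EXT_KEY = re.compile(r'(?:^|[ \t])([A-Za-z0-9_.]+)=')
_ESCAPES = {'n': '\n', 'r': '\r', 't': '\t'}

_HEADER_NAMES = ["cef.version", "cef.device.vendor", "cef.device.product",
                 "cef.device.version", "cef.event_class_id", "cef.name", "cef.severity"]


def _unescape_header(s):
    return re.sub(r'\\([|\\])', r'\1', s)


def _unescape_ext(s):
    # '\=' and '\\' yield the literal character; '\n', '\r', '\t' become control characters.
    return re.sub(r'\\(.)', lambda m: _ESCAPES.get(m.group(1), m.group(1)), s)


def parse_cef(line, prefix="cef.ext."):
    """Return a dict of cef.* fields for one CEF:0 line, or None if no CEF:0 marker is found.

    Anything before 'CEF:0' (for example a syslog prefix) is skipped. Header values are
    stripped of surrounding whitespace (assumption: matches the documented example with
    spaces around the '|' separators).
    """
    start = line.find("CEF:0")
    if start < 0:
        return None
    rest, pos, header = line[start + len("CEF:"):], 0, []
    for _ in range(7):                     # version plus six more header fields, each closed by '|'
        m = _HEADER.match(rest, pos)
        if m is None:
            return None                    # truncated header: not a well-formed CEF:0 record
        header.append(_unescape_header(m.group(1)).strip())
        pos = m.end()
    fields = dict(zip(_HEADER_NAMES, header))
    ext = rest[pos:]
    keys = list(_EXT_KEY.finditer(ext))
    for i, k in enumerate(keys):
        # A value extends to the next "<space-or-tab>key=" boundary, so it may contain spaces.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[prefix + k.group(1)] = _unescape_ext(ext[k.end():end]).strip(" \t")
    return fields
```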