Parse Log Event Extended Format (LEEF) encoded message. Only LEEF versions 1.0 and 2.0 are supported.
Parameter | Type | Required | Default Value | Description |
---|---|---|---|---|
delimiter | string | optional[a] | Delimiter to use when parsing the extension fields of a LEEF:1.0 message. When processing LEEF:2.0 messages this argument is ignored as the value is specified in a message header. The value must be a single character with unicode value in the range 0x0000-0xffff . | |
field [b] | string | optional[a] | @rawstring | Field that holds the input in LEEF form. |
headerprefix | string | optional[a] | leef. | Prefix to the field names for the header fields. |
keeplabels | boolean | optional[a] | false | Keep short form label fields (LEEF:1.0 only), which is interpreted as CEF. |
labelprefix | string | optional[a] | leef.label | Prefix to extension fields with labels (LEEF:1.0 only), which is interpreted as CEF. |
parsetime | boolean | optional[a] | true | Control if the devTime extension field should be parsed. Setting this to false can be used to disable the time parsing step. |
Valid Values | ||||
false | Disables parsing of the devTime field | |||
true | Enables parsing of the devTime field | |||
prefix | string | optional[a] | leef.ext. | Prefix to extension fields. Fields in the LEEF extension part are prefixed with this. |
timezone | string | optional[a] | Z | Time zone to use if none specified in devTimeFormat string. See the full list of timezones supported by LogScale at Supported Time Zones. |
[a] Optional parameters use their default value unless explicitly set. |
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
field
can be omitted; the following forms of this function are equivalent:logscale SyntaxparseLEEF("value")
and:
logscale SyntaxparseLEEF(field="value")
These examples show basic structure only.
This function will skip any prefix up to the marker
LEEF:1.0|
or
LEEF:2.0|
. So even though LEEF messages
are typically delivered via Syslog, the Syslog part of the message has to
be parsed separately.
If the LEEF message contains a devTime (and optionally
devTimeFormat
) this function will extract
the time stamp from there and assign it to
@timestamp.
Use the (unnamed) field parameter to specify which field should be parsed. Specify @rawstring to parse the rawstring. You can use the parameter prefix to specify an alternative to leef.ext. as prefix for the extension fields.
You may want to review the Specifications for LEEF. For legacy support, a LEEF:0| is parsed as LEEF:1.0 headers, with CEF:0-style body. In general the implementation is more permissive than the spec to allow for common mistakes in log writers.
parseLEEF()
Examples
From a log line like this:
logscale<13>1 2019-01-18T11:07:53.520Z 192.168.1.1 LEEF:2.0 | Lancope | StealthWatch | 1.0 | 41 | ^ | src=10.0.0.1^act=blocked an X^dst=1.1.1.1
Parse the @rawstring field to show how the LEEF format is parsed with the default field names:
logscaleparseLEEF(field=@rawstring)
Field Value leef.version 2.0
leef.device.vendor Lanscope
leef.device.product StealthWatch
leef.device.version 1.0
leef.event_id 41
leef.ext.src 10.0.0.1
leef.ext.act
"blocked an X"
leef.ext.dst 1.1.1.1
From a log line like this:
LEEF:2.0|Palo Alto Networks|LF|2.0|THREAT| |TimeReceived=2016-01-01T00:00:58.000000Z DeviceSN=123456789123 EventID=THREAT cat= ConfigVersion=9.1
Show how the LEEF format is parsed with changed header prefix:
logscaleparseLEEF(headerprefix="leef.header.")
This will add the following fields to the event:
Field Value leef.header.version 2.0
leef.header.device.vendor Palo Alto Networks
leef.header.device.product LF
leef.header.device.version 2.0
leef.ext.DeviceSN 123456789123
leef.ext.EventID THREAT
leef.ext.TimeReceived 2016-01-01T00:00:58.000000Z
leef.ext.cat ""
leef.ext.ConfigVersion 9.1
Show how the LEEF format is parsed with changed extension prefix:
logscaleparseLEEF(prefix="my.prefix.")
The output will produce the following:
Field Value leef.version 2.0
leef.event_id THREAT
leef.device.vendor Palo Alto Networks
leef.device.product 2LF
leef.device.version 2.0
my.prefix.DeviceSN 2123456789123
my.prefix.EventID THREAT
my.prefix.TimeReceived 2016-01-01T00:00:58.000000Z
my.prefix.cat ""
my.prefix.ConfigVersion 9.1