Parse LEEF encoded message. Only LEEF version 1.0 and 2.0 is supported.
This function will skip any prefix up to the marker
LEEF:1.0| or
LEEF:2.0|. So even though LEEF messages
are typically delivered via Syslog, the Syslog part of the message has to
be parsed separately.
If the LEEF message contains a devTime (and optionally
devTimeFormat) this function will extract
the time stamp from there and assign it to
@timestamp.
For a log line like this:
<13>1 2019-01-18T11:07:53.520Z 192.168.1.1 LEEF:2.0| Lancope| StealthWatch| 1.0| 41| ^| src=10.0.0.1^act=blocked an X^dst=1.1.1.1Using parseLEEF(@rawstring) will add these fields:
leef.version: 2.0leef.device.vendor: Lanscope
leef.device.product: StealthWatch
leef.device.version: 1.0
leef.event_id: 41
leef.ext.src: 10.0.0.1
leef.ext.act: "blocked an X"
leef.ext.dst: 1.1.1.1
Use the (unnamed) field parameter to specify which field should be parsed. Specify @rawstring to parse the rawstring. You can use the parameter prefix to specify an alternative to leef.ext. as prefix for the extension fields.
You may want to review the Specifications for LEEF. For legacy support, a LEEF:0| is parsed as LEEF:1.0 headers, with CEF:0-style body. In general the implementation is more permissive than the spec to allow for common mistakes in log writers.
Function Traits: Transformation
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
delimiter | string | optional | Delimiter to use when parsing the extension fields of a LEEF:1.0 message. When processing LEEF:2.0 messages this argument is ignored as the value is specified in a message header. The value must be a single character with unicode value in the range 0x0000-0xffff. | |
field[a] | string | optional | @rawstring | Field that holds the input in LEEF form. |
parsetime | boolean | optional | true | Control if the devTime extension field should be parsed. Setting this to false can be used to disable the time parsing step. |
| Valid Values | false | Disables parsing of the devTime field | ||
true | Enables parsing of the devTime field | |||
prefix | string | optional | leef.ext. | Prefix to extension fields. Fields in the LEEF extension part are prefixed with this. |
timezone | string | optional | Z | Time zone to use if none specified in devTimeFormat string. See the full list of timezones supported by LogScale at Supported Timezones. |
The parameter name for field can be omitted; the following forms are equivalent:
parseLEEF("@rawstring")and:
parseLEEF(field="@rawstring")parseLEEF() Examples
CEF parse the @rawstring field from a log line:
<13>1 2019-01-18T11:07:53.520Z 192.168.1.1 LEEF:2.0| Lancope| StealthWatch| 1.0| 41| ^| src=10.0.0.1^act=blocked an X^dst=1.1.1.1.This will add the fields leef.version, leef.device.vendor, leef.device.product, leef.device.version, leef.event_id, leef.ext.src, leef.ext.act and leef.ext.dst to the event.
parseLeef(field=@rawstring)