Parse a CEF-encoded message. Only CEF version 0 is supported. This function skips any prefix (for example a syslog header) up to the marker CEF:0.

For a log line like this:

```logscale
Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected an X in packet|10|src=10.0.0.1 act=blocked an X dst=1.1.1.1
```

Using parseCEF() (which parses @rawstring by default) adds these fields:

  • cef.version: 0

  • cef.device.vendor: security

  • cef.device.product: threatmanager

  • cef.device.version: 1.0

  • cef.event_class_id: 100

  • cef.name: "detected an X in packet"

  • cef.severity: 10

  • cef.ext.src: 10.0.0.1

  • cef.ext.act: "blocked an X"

  • cef.ext.dst: 1.1.1.1

Use the (unnamed) field parameter to specify which field should be parsed. Specify @rawstring to parse the raw string of the event.

You may want to review the CEF specification: ArcSight CEF Spec. For compatibility with legacy systems, this implementation accepts the tab character (ASCII 0x09) as well as the space (ASCII 0x20) as the separator between key-value pairs in the extension section. A literal backslash followed by t (the two characters \t) is not treated as a separator; it is re-interpreted (as a tab), in the same way the specification re-interprets \n and \r.
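The following Python parser is an added example, not LogScale's own parseCEF() implementation. It performs the steps this page describes: skip any prefix up to the CEF:0 marker, split the header on unescaped pipes into the seven header fields, split the extension on space or tab, and re-interpret the \\, \=, \n, \r and \t escapes in extension values. The output keys follow the field names listed above and the prefix parameter. The sample lines are constructed for this example (the first two follow the events shown on this page); tolerating an unescaped = inside a value is this example's choice, not something the page specifies.

```python
# Added example: a CEF:0 parser mirroring the field layout parseCEF() documents.
# Not LogScale's implementation; sample events below are constructed.

CEF_MARKER = "CEF:0"
SEPARATORS = " \t"  # space per the spec, plus tab for legacy senders

# Header positions 1..6; position 0 is the CEF:0 marker itself.
HEADER_FIELDS = (
    "cef.device.vendor",
    "cef.device.product",
    "cef.device.version",
    "cef.event_class_id",
    "cef.name",
    "cef.severity",
)
# Backslash escapes from the CEF spec. \t becomes a tab (like \n and \r),
# so a literal "\t" in a value never acts as a pair separator.
HEADER_ESCAPES = {"|": "|", "\\": "\\"}
EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r", "t": "\t"}


def _unescape(value, escapes):
    """Resolve the backslash escapes in `escapes`; unknown ones stay verbatim."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in escapes:
            out.append(escapes[value[i + 1]])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _split_header(cef):
    """Split on unescaped '|' into 7 header fields plus the extension text.
    Returns None when fewer than 7 unescaped pipes are present."""
    fields, start, i = [], 0, 0
    while i < len(cef) and len(fields) < 7:
        if cef[i] == "\\":
            i += 2  # skip the escaped character, whatever it is
            continue
        if cef[i] == "|":
            fields.append(cef[start:i])
            start = i + 1
        i += 1
    if len(fields) < 7:
        return None
    return fields, cef[start:]


def _parse_extension(ext):
    """Split 'k=v k2=v2 ...' into a dict; values may contain separators.
    A key starts after the last separator preceding an unescaped '='. An
    unescaped '=' that would put '=' inside a key is left in the value."""
    bounds, i = [], 0  # (key_start, equals_pos) for each real key
    while i < len(ext):
        if ext[i] == "\\":
            i += 2
            continue
        if ext[i] == "=":
            k = max(ext.rfind(" ", 0, i), ext.rfind("\t", 0, i)) + 1
            if k < i and "=" not in ext[k:i]:
                bounds.append((k, i))
        i += 1
    pairs = {}
    for n, (k, p) in enumerate(bounds):
        end = bounds[n + 1][0] if n + 1 < len(bounds) else len(ext)
        pairs[ext[k:p]] = _unescape(ext[p + 1:end].rstrip(SEPARATORS), EXT_ESCAPES)
    return pairs


def parse_cef(line, prefix="cef.ext."):
    """Parse one CEF:0 line into a flat dict using parseCEF()'s field names.
    Text before the marker (e.g. a syslog header) is skipped. Returns None
    when the line is not CEF version 0 or the header is incomplete."""
    start = line.find(CEF_MARKER)
    if start < 0:
        return None
    split = _split_header(line[start:])
    if split is None or split[0][0] != CEF_MARKER:
        return None
    header, ext = split
    fields = {"cef.version": header[0].split(":", 1)[1]}
    for name, raw in zip(HEADER_FIELDS, header[1:]):
        fields[name] = _unescape(raw, HEADER_ESCAPES)
    for key, value in _parse_extension(ext).items():
        fields[prefix + key] = value
    return fields


# Constructed sample events (the first two follow the examples on this page).
SAMPLE = ("Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|"
          "detected an X in packet|10|src=10.0.0.1 act=blocked an X dst=1.1.1.1")
SAMPLE_ESCAPED = (r"Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|"
                  r"detected a \\ in packet|10|src=10.0.0.1 act=blocked a \\ dst=1.1.1.1")
SAMPLE_TAB = "CEF:0|v|p|1|7|tabs|3|src=10.0.0.1\tact=blocked an X\tdst=1.1.1.1"
SAMPLE_ESC = r"CEF:0|v|p|1|7|escapes|3|msg=line1\tline2 act=allow x\=y dst=1.1.1.1"

if __name__ == "__main__":
    for k, v in parse_cef(SAMPLE).items():
        print(f"{k}: {v!r}")
```

Run it directly to print the fields of the first sample, or call parse_cef() on any line. It returns None rather than partial output when the marker is missing or the header has fewer than seven pipes, which is the check a pipeline should make before trusting cef.* fields.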

| Parameter | Type | Required | Default | Description |
|-----------|------|----------|---------|-------------|
| field | string | false | @rawstring | Field that holds the input in CEF form. [a] |
| prefix | string | false | cef.ext. | Prefix for extension fields. Fields in the CEF extension part are prefixed with this. |

[a] If an argument name is not given, field is the default argument.

parseCEF() Examples

Parse the @rawstring field of a log line as CEF:

```logscale
parseCEF(field=@rawstring)
```

For an event such as

```logscale
Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected a \\ in packet|10|src=10.0.0.1 act=blocked a \\ dst=1.1.1.1
```

this adds the fields cef.version, cef.device.vendor, cef.device.product, cef.device.version, cef.event_class_id, cef.name, cef.severity, cef.ext.src, cef.ext.act and cef.ext.dst to the event. The \\ sequences in the name and act fields are the CEF escape for a literal backslash, so they do not terminate the header field or the extension value.