parseCEF() Query Function

Parses a CEF-encoded message. Only CEF version 0 is supported. The function skips any prefix (for example a syslog header) up to the marker CEF:0.

For a log line like this:

humio
Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected an X in packet|10|src=10.0.0.1 act=blocked an X dst=1.1.1.1

Using parseCEF() on this event (the field parameter defaults to @rawstring) adds these fields:

  • cef.version: 0

  • cef.device.vendor: security

  • cef.device.product: threatmanager

  • cef.device.version: 1.0

  • cef.event_class_id: 100

  • cef.name: "detected an X in packet"

  • cef.severity: 10

  • cef.ext.src: 10.0.0.1

  • cef.ext.act: "blocked an X"

  • cef.ext.dst: 1.1.1.1

Use the (unnamed) field parameter to specify which field should be parsed; pass @rawstring to parse the raw event string.

You may want to review the specification for CEF: ArcSight CEF Spec. For compatibility with legacy systems, this implementation allows the tab character (ASCII 0x09) in addition to space (ASCII 0x20) as the separator between key-value pairs in the extensions section. A literal backslash followed by t (as in \t) is not a separator; it is re-interpreted as an escape, like \n and \r in the specification.
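The following Python parser is an added example and is not part of this page or of Humio's implementation. It applies the rules described above: skip to the CEF:0 marker, split the seven pipe-delimited header fields while honouring the \| and \\ header escapes, split the extensions on space or tab, and decode \=, \\, \n, \r and \t inside extension values. It emits the same field names the page lists, with the extension prefix as a parameter. The function name parse_cef and the two sample lines are assumptions made for this example; the second line is constructed specifically to exercise the escape and tab-separator cases.

```python
"""Minimal CEF:0 parser following the rules described on this page.

Added example, not Humio's implementation. Field names mirror the page
(cef.version ... cef.severity; extensions under a configurable prefix).
"""

CEF_MARKER = "CEF:0"
HEADER_FIELDS = (
    "cef.version",
    "cef.device.vendor",
    "cef.device.product",
    "cef.device.version",
    "cef.event_class_id",
    "cef.name",
    "cef.severity",
)
SEPARATORS = " \t"  # space per spec, tab accepted for legacy senders
# Extension escapes: \\ and \= per the spec, \n and \r for multi-line values,
# and \t handled like \n and \r as the text above describes. \| is accepted too.
EXT_ESCAPES = {"\\": "\\", "=": "=", "n": "\n", "r": "\r", "t": "\t", "|": "|"}


def _split_header(s):
    """Split the 7 header fields on unescaped '|' (header escapes: \\| and \\\\).

    Returns (fields, remaining extension text)."""
    fields, cur, i = [], [], 0
    while i < len(s) and len(fields) < len(HEADER_FIELDS):
        c = s[i]
        if c == "\\" and i + 1 < len(s) and s[i + 1] in "|\\":
            cur.append(s[i + 1])  # decoded header escape
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) == len(HEADER_FIELDS) - 1:
        fields.append("".join(cur))  # no trailing '|' and no extensions
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("CEF header must have 7 pipe-separated fields")
    return fields, s[i:]


def _unescape(value):
    """Decode the extension-value escapes listed in EXT_ESCAPES."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(EXT_ESCAPES.get(value[i + 1], value[i:i + 2]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _parse_extension(ext, prefix):
    """Parse 'key=value key2=value two' where values may contain separators.

    A key is the run of non-separator characters ending at an unescaped '=';
    a value runs from its '=' to the start of the next key."""
    pairs, i = [], 0
    while i < len(ext):
        if ext[i] == "\\":
            i += 2  # skip the escaped character, so '\=' never starts a key
            continue
        if ext[i] == "=":
            lo = pairs[-1][1] + 1 if pairs else 0
            k = i
            while k > lo and ext[k - 1] not in SEPARATORS:
                k -= 1
            if k < i:  # non-empty key
                pairs.append((k, i))
        i += 1
    result = {}
    for n, (k, eq) in enumerate(pairs):
        end = pairs[n + 1][0] if n + 1 < len(pairs) else len(ext)
        result[prefix + ext[k:eq]] = _unescape(ext[eq + 1:end].rstrip(SEPARATORS))
    return result


def parse_cef(line, prefix="cef.ext."):
    """Return a dict of cef.* fields, or None if the line has no CEF:0 marker."""
    idx = line.find(CEF_MARKER)
    if idx < 0:
        return None  # not a CEF:0 message: parseCEF() would add no fields
    header, ext = _split_header(line[idx + len("CEF:"):])
    fields = dict(zip(HEADER_FIELDS, header))
    fields.update(_parse_extension(ext, prefix))
    return fields


# Constructed sample lines. The first is the page's own example; the second is
# constructed to exercise \| in the header, \= and \n in a value, and a tab separator.
SAMPLE_LINE = ("Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|"
               "detected an X in packet|10|src=10.0.0.1 act=blocked an X dst=1.1.1.1")
ESCAPED_LINE = ("<134>1 host CEF:0|Vendor|Product|2.0|42|Pipe \\| in name|5|"
                "msg=a\\=b\\nline2\tsuser=bob")

if __name__ == "__main__":
    for key, value in parse_cef(SAMPLE_LINE).items():
        print(f"{key}: {value!r}")
```

Because values may contain spaces, the parser locates keys by scanning backwards from each unescaped `=` rather than splitting on whitespace; that is also why an unescaped `=` inside a value (which the specification forbids) will be read as the start of a new key.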

Parameters

  Name    Type    Required  Default     Description
  field   string  No        @rawstring  Field that holds the input in CEF form.
  prefix  string  No        cef.ext.    Prefix to extension fields. Fields in the CEF extension part are prefixed with this.

The implied parameter is field.

Examples

Parse the @rawstring field of a log line such as: Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected a \\ in packet|10|src=10.0.0.1 act=blocked a \\ dst=1.1.1.1. This adds the fields cef.version, cef.device.vendor, cef.device.product, cef.device.version, cef.event_class_id, cef.name, cef.severity, cef.ext.src, cef.ext.act and cef.ext.dst to the event.

humio
parseCEF(field=@rawstring)