AxoSyslog FilterX has several functions to format data into specific formats.
This is the multi-page printable view of this section. Click here to print.
Format data
- 1: Comma-separated values
- 2: Common Event Format (CEF)
- 3: JSON
- 4: Key-value pairs
- 5: Log Event Extended Format (LEEF)
- 6: RFC5424 syslog
- 7: Windows Event Logs XML
- 8: XML
1 - Comma-separated values
Formats a dictionary or a list into a comma-separated string.
Usage: format_csv(<input-list-or-dict>, columns=<json-list>, delimiter=<delimiter-character>, default_value=<string>)
Only the input is mandatory, other arguments are optional. Note that the delimiter must be a single character.
By default, the delimiter is the comma (delimiter=","), the columns and default_value are empty.
If the columns option is set, AxoSyslog checks that the number of fields or entries in the input data matches the number of columns. If there are fewer items, it adds the default_value to the missing entries.
2 - Common Event Format (CEF)
Available in AxoSyslog 4.13 and later.
Formats a dictionary into the Common Event Format (CEF).
Usage: ${MESSAGE} = format_cef(my_dictionary);
For example:
my_dictionary = {"version":"0","device_vendor":" KasperskyLab ","device_product":"SecurityCenter","device_version":"13.2.0.1511","device_event_class_id":"KLPRCI_TaskState","name":"Completed successfully","agent_severity":"1"};
Becomes:
CEF:0| KasperskyLab |SecurityCenter|13.2.0.1511|KLPRCI_TaskState|Completed successfully|1|
The following keys must be available in the dictionary, otherwise formatting fails with an error message like: FILTERX ERROR; ....| format_cef(my_dictionary)', error='Failed to evaluate event formatter function:.
cef_version, device_vendor, device_product, device_version, device_event_class_id, event_name, agent_severity, extensions
3 - JSON
Formats any value into a raw JSON string.
Usage: format_json($data)
4 - Key-value pairs
Formats a dictionary into a string containing key=value pairs.
Usage: format_kv(kvs_dict, value_separator="<separator-character>", pair_separator="<separator-string>")
By default, format_kv uses = to separate values, and , (comma and space) to separate the pairs:
filterx {
${MESSAGE} = format_kv(<input-dictionary>);
};
The value_separator option must be a single character, the pair_separator can be a string. For example, to use the colon (:) as the value separator and the semicolon (;) as the pair separator, use:
format_kv(<input-dictionary>, value_separator=":", pair_separator=";")
5 - Log Event Extended Format (LEEF)
Available in AxoSyslog 4.13 and later.
Formats a dictionary into the Log Event Extended Format (LEEF). Both LEEF versions (1.0 and 2.0) are supported.
Usage: ${MESSAGE} = format_leef(my_dictionary);
For example:
my_dictionary = {"leef_version":"1.0","vendor_name":"Microsoft","product_name":"MSExchange","product_version":"4.0 SP1","event_id":"15345","src":"192.0.2.0","dst":"172.50.123.1","sev":"5", "cat":"anomaly","srcPort":"81","dstPort":"21","usrName":"joe.black"};
Becomes:
LEEF:1.0|Microsoft|MSExchange|4.0 SP1|15345|src=192.0.2.0 dst=172.50.123.1 sev=5 cat=anomaly srcPort=81 dstPort=21 usrName=joe.black
The following keys must be available in the dictionary, otherwise formatting fails with an error message like: FILTERX ERROR; ....| format_leef(my_dictionary)', error='Failed to evaluate event formatter function:.
- LEEF version 1:
leef_version,vendor_name,product_name,product_version,event_id,extensions - LEEF version 2:
leef_version,vendor_name,product_name,product_version,event_id,leef_delimiter,extensions
6 - RFC5424 syslog
Available in AxoSyslog 4.21 and later.
Formats data as an RFC5424 (IETF-syslog) syslog message.
Usage:
format_syslog_5424(
message,
add_octet_count=false,
pri=<variable-or-expression>,
timestamp=<variable-or-expression>,
host=<variable-or-expression>,
program=<variable-or-expression>,
pid=<variable-or-expression>,
msgid=<variable-or-expression>
)
Setting the message option is required. You can set the other options using any FilterX variable, function, or expression. If you specify a nonexisting variable, or if evaluating an expression fails, default values will be used.
If you want to include SDATA in the message, set the SDATA macro.
For example:
format_syslog_5424("My static message text", timestamp=datetime(1765146872.0), host="host-value", program="prog-value", pid="5424", msgid="1234");
Becomes:
<13>1 2025-12-07T22:34:32.000000+00:00 host-value prog-value 5424 1234 - My static message text
7 - Windows Event Logs XML
Available in AxoSyslog 4.13 and later.
Formats a dictionary into Windows Event Logs XML. It’s a specialized version of the format_xml() function, all generic formatting tips apply to format_windows_eventlog_xml() as well.
Usage: format_windows_eventlog_xml(input_dictionary)
Example usage:
$MESSAGE = format_windows_eventlog_xml({
"Event": {
"@xmlns": "http://schemas.microsoft.com/win/2004/08/events/event",
"System": {
"Provider": {"@Name": "EventCreate"},
"EventID": {"@Qualifiers": "0", "#text": "999"},
"Version": "0",
"Level": "2",
"Task": "0",
"Opcode": "0",
"Keywords": "0x80000000000000",
"TimeCreated": {"@SystemTime": "2024-01-12T09:30:12.1566754Z"},
"EventRecordID": "934",
"Correlation": "",
"Execution": {"@ProcessID": "0", "@ThreadID": "0"},
"Channel": "Application",
"Computer": "DESKTOP-2MBFIV7",
"Security": {"@UserID": "S-1-5-21-3714454296-2738353472-899133108-1001"},
},
"RenderingInfo": {
"@Culture": "en-US",
"Message": "foobar",
"Level": "Error",
"Task": "",
"Opcode": "Info",
"Channel": "",
"Provider": "",
"Keywords": {"Keyword": "Classic"},
},
"EventData":
{eventdata}
}});"""
This JSON becomes the following XML:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='EventCreate'/><EventID Qualifiers='0'>999</EventID><Version>0</Version><Level>2</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2024-01-12T09:30:12.1566754Z'/><EventRecordID>934</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='0'/><Channel>Application</Channel><Computer>DESKTOP-2MBFIV7</Computer><Security UserID='S-1-5-21-3714454296-2738353472-899133108-1001'/></System><RenderingInfo Culture='en-US'><Message>foobar</Message><Level>Error</Level><Task/><Opcode>Info</Opcode><Channel/><Provider/><Keywords><Keyword>Classic</Keyword></Keywords></RenderingInfo><EventData><Data>foo</Data><Data>bar</Data></EventData></Event>
8 - XML
Available in AxoSyslog 4.13 and later.
Formats a dictionary into XML. To format data as Windows Event Log XML, see Windows Event Logs XML.
Usage: format_xml({"key1":{"nestedkey":"value"}})
The output XML for the previous example will be: <key><nestedkey>value</nestedkey></key>
Note the following points:
-
Store attributions in
@attrkey-value pairs.JSON: {"foo": {"@bar": "123", "@baz": "bad"}} XML: <foo bar="123" baz="bad"/> -
If an XML element has both attributes and a value, store text value under the
#textkey.JSON: {"foo": {"@bar": "123", "#text": "baz"}} XML: <foo bar="123">baz</foo> -
An XML element can have both a value and inner elements. We use the
#textkey here, too.JSON: {"foo": {"#text": "bar", "baz": "123"}} XML: <foo>bar<baz>123</baz></foo> -
JSON lists become values of separate tags:
JSON: {"a":{"b":["c","d"]}} XML: <a><b>c</b><b>d</b></a>You can add attributions for specific elements of such lists:
JSON: {"a":{"b":["c",{"@attr":"attr_val","#text":"e"}]}} XML: <a><b>c</b><b attr='attr_val'>e</b></a> -
A top-level JSON lists becomes a multi-root XML:
JSON: {"a":["b","c"]} XML: <a>b</a><a>c</a> -
Numeric values become text:
JSON: {"a":100} XML: <a>100</a> -
Empty elements are represented as short-format XML tags:
JSON: {"a":""} XML: <a/>