CEF

Available in AxoSyslog 4.9 and later.

The parse_cef FilterX function parses messages formatted in the Common Event Format (CEF) into a JSON object.

Declaration

Usage: parse_cef(<input-string>, value_separator="=", pair_separator="|", separate_extensions=false)

The first argument is the input message. Optionally, you can set the pair_separator and value_separator arguments to override their default values.

The value_separator must be a single-character string. The pair_separator can be a regular string.

Starting with version 4.13, AxoSyslog parses fields from extensions to the same level as regular fields. In earlier versions, extensions were grouped under the extensions key. To keep using the extensions key, set separate_extensions=true.

The parsed JSON object has the following fields:

  • cef_version
  • device_vendor
  • device_product
  • device_version
  • device_event_class_id
  • event_name
  • agent_severity
  • extensions

Example

The following is a CEF-formatted message including mandatory and custom (extension) fields:

CEF:0|KasperskyLab|SecurityCenter|13.2.0.1511|KLPRCI_TaskState|Completed successfully|1|foo=foo bar=bar baz=test

The following FilterX expression parses it and converts it into JSON format:

filterx {
    ${PARSED_MESSAGE} = json(parse_cef(${MESSAGE}));
};

The content of the JSON object for this message will be:

{
"cef_version":"0",
"device_vendor":"KasperskyLab",
"device_product":"SecurityCenter",
"device_version":"13.2.0.1511",
"device_event_class_id":"KLPRCI_TaskState",
"name":"Completed successfully",
"agent_severity":"1",
"foo":"foo=bar",
"bar":"bar=baz",
"baz":"test"
}

If you set separate_extensions=true, the extensions of the message will be grouped under the extensions key:

{
"cef_version":"0",
"device_vendor":"KasperskyLab",
"device_product":"SecurityCenter",
"device_version":"13.2.0.1511",
"device_event_class_id":"KLPRCI_TaskState",
"name":"Completed successfully",
"agent_severity":"1",
"extensions": {
    "foo":"foo=bar",
    "bar":"bar=baz",
    "baz":"test"
    }
}

Options of CEF parsers

The parse_cef FilterX function has the following options.

pair_separator

Specifies the character or string that separates the key-value pairs in the extensions. Default value: (space).

separate_extensions

Available in AxoSyslog 4.13 and later.

Starting with version 4.13, AxoSyslog parses fields from extensions to the same level as regular fields. In earlier versions, extensions were grouped under the extensions key. To keep using the extensions key, set separate_extensions=true.

Default value: false

value_separator

Specifies the character that separates the keys from the values in the extensions. Default value: =.