CEF
Available in AxoSyslog 4.9 and later.
The parse_cef FilterX function parses messages formatted in the Common Event Format (CEF) into a JSON object.
Declaration
Usage: parse_cef(<input-string>, value_separator="=", pair_separator="|", separate_extensions=false)
The first argument is the input message. Optionally, you can set the pair_separator and value_separator arguments to override their default values. The value_separator must be a single-character string. The pair_separator can be a regular string.
Starting with version 4.13, AxoSyslog parses fields from extensions to the same level as regular fields. In earlier versions, extensions were grouped under the extensions key. To keep using the extensions key, set separate_extensions=true.
The parsed JSON object has the following fields:
cef_version
device_vendor
device_product
device_version
device_event_class_id
event_name
agent_severity
extensions
The names of some fields in the parsed object changed in version 4.16 for clarity, and to avoid name collisions with fields in the extensions:
version -> cef_version
name -> event_name
Example
The following is a CEF-formatted message including mandatory and custom (extension) fields:
CEF:0|KasperskyLab|SecurityCenter|13.2.0.1511|KLPRCI_TaskState|Completed successfully|1|foo=foo bar=bar baz=test
The following FilterX expression parses it and converts it into JSON format:
filterx {
${PARSED_MESSAGE} = json(parse_cef(${MESSAGE}));
};
The content of the JSON object for this message will be:
{
"cef_version":"0",
"device_vendor":"KasperskyLab",
"device_product":"SecurityCenter",
"device_version":"13.2.0.1511",
"device_event_class_id":"KLPRCI_TaskState",
"name":"Completed successfully",
"agent_severity":"1",
"foo":"foo=bar",
"bar":"bar=baz",
"baz":"test"
}
If you set separate_extensions=true, the extensions of the message will be grouped under the extensions key:
{
"cef_version":"0",
"device_vendor":"KasperskyLab",
"device_product":"SecurityCenter",
"device_version":"13.2.0.1511",
"device_event_class_id":"KLPRCI_TaskState",
"name":"Completed successfully",
"agent_severity":"1",
"extensions": {
"foo":"foo=bar",
"bar":"bar=baz",
"baz":"test"
}
}
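To make the rules above concrete, here is an added Python reimplementation (not AxoSyslog's own code) of the behaviour this page describes: seven pipe-separated header fields, extension pairs split on pair_separator with the key taken before the first value_separator, and the separate_extensions switch. It goes slightly beyond the page by honouring CEF backslash escapes (\| and \=) and extension values that contain a space; it assumes a space as the default pair_separator (as in the options section below), that header fields take precedence when an extension key collides, and uses a constructed sample message.

```python
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "device_event_class_id", "event_name", "agent_severity")  # post-4.16 names
# Constructed sample: escaped '|' in the vendor, a value with a space, an embedded '=' and an escaped '='.
SAMPLE = ("CEF:0|Acme\\|Inc|Gateway|2.1|100|User login|5|"
          "src=10.0.0.1 msg=hello world foo=foo=bar note=a\\=b")

def _split_unescaped(text, sep, maxsplit=-1):
    """Split on sep honouring CEF backslash escapes; pieces come back unescaped,
    but once maxsplit is hit the remainder is returned raw for the next pass."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if len(parts) == maxsplit:
            return parts + [text[i:]]
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # escaped char is kept literally
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return parts + ["".join(cur)]

def parse_extensions(ext, value_separator="=", pair_separator=" "):
    """Key = text before the FIRST value_separator; a token without one continues
    the previous value, so 'msg=hello world' keeps its space."""
    result, key = {}, None
    for token in ext.split(pair_separator):
        parts = _split_unescaped(token, value_separator)
        if len(parts) > 1 and parts[0]:
            key = parts[0]
            result[key] = value_separator.join(parts[1:])
        elif key is not None:
            result[key] += pair_separator + parts[0]
    return result

def parse_cef(message, value_separator="=", pair_separator=" ", separate_extensions=False):
    if not message.startswith("CEF:"):
        raise ValueError("not a CEF message")
    parts = _split_unescaped(message[4:], "|", maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    record = dict(zip(HEADER_FIELDS, parts[:7]))
    extensions = parse_extensions(parts[7], value_separator, pair_separator)
    if separate_extensions:
        record["extensions"] = extensions
    else:  # flatten as in 4.13+; header fields win if an extension key collides
        record.update({k: v for k, v in extensions.items() if k not in record})
    return record
```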
Options of CEF parsers
The parse_cef FilterX function has the following options.
pair_separator
Specifies the character or string that separates the key-value pairs in the extensions. Default value: " " (space).
separate_extensions
Available in AxoSyslog 4.13 and later.
Starting with version 4.13, AxoSyslog parses fields from extensions to the same level as regular fields. In earlier versions, extensions were grouped under the extensions key. To keep using the extensions key, set separate_extensions=true.
Default value: false
value_separator
Specifies the character that separates the keys from the values in the extensions. Default value: =.