CEF
Available in AxoSyslog 4.9 and later.
The parse_cef FilterX function parses messages formatted in the Common Event Format (CEF) into a JSON object.
Declaration
Usage: parse_cef(<input-string>, value_separator="=", pair_separator="|", separate_extensions=false)
The first argument is the input message. Optionally, you can set the pair_separator and value_separator arguments to override their default values.
The value_separator must be a single-character string. The pair_separator can be a regular string.
Starting with version 4.13, AxoSyslog parses fields from extensions to the same level as regular fields. In earlier versions, extensions were grouped under the extensions key. To keep using the extensions key, set separate_extensions=true.
The parsed JSON object has the following fields:
cef_versiondevice_vendordevice_productdevice_versiondevice_event_class_idevent_nameagent_severityextensions
The name of some fields changed in the parsed object in version 4.16 for clarity, and to avoid name collisions with fields in the extensions:
version->cef_versionname->event_name
Example
The following is a CEF-formatted message including mandatory and custom (extension) fields:
CEF:0|KasperskyLab|SecurityCenter|13.2.0.1511|KLPRCI_TaskState|Completed successfully|1|foo=foo bar=bar baz=test
The following FilterX expression parses it and converts it into JSON format:
filterx {
${PARSED_MESSAGE} = json(parse_cef(${MESSAGE}));
};
The content of the JSON object for this message will be:
{
"cef_version":"0",
"device_vendor":"KasperskyLab",
"device_product":"SecurityCenter",
"device_version":"13.2.0.1511",
"device_event_class_id":"KLPRCI_TaskState",
"name":"Completed successfully",
"agent_severity":"1",
"foo":"foo=bar",
"bar":"bar=baz",
"baz":"test"
}
If you set separate_extensions=true, the extensions of the message will be grouped under the extensions key:
{
"cef_version":"0",
"device_vendor":"KasperskyLab",
"device_product":"SecurityCenter",
"device_version":"13.2.0.1511",
"device_event_class_id":"KLPRCI_TaskState",
"name":"Completed successfully",
"agent_severity":"1",
"extensions": {
"foo":"foo=bar",
"bar":"bar=baz",
"baz":"test"
}
}
Options of CEF parsers
The parse_cef FilterX function has the following options.
pair_separator
Specifies the character or string that separates the key-value pairs in the extensions. Default value: (space).
separate_extensions
Available in AxoSyslog 4.13 and later.
Starting with version 4.13, AxoSyslog parses fields from extensions to the same level as regular fields. In earlier versions, extensions were grouped under the extensions key. To keep using the extensions key, set separate_extensions=true.
Default value: false
value_separator
Specifies the character that separates the keys from the values in the extensions. Default value: =.