CEF
Available in AxoSyslog 4.9 and later.
The parse_cef
FilterX function parses messages formatted in the Common Event Format (CEF).
Declaration
Usage: parse_cef(<input-string>, value_separator="=", pair_separator="|", separate_extensions=false)
The first argument is the input message. Optionally, you can set the pair_separator
and value_separator
arguments to override their default values.
The value_separator
must be a single-character string. The pair_separator
can be a regular string.
Starting with version 4.13, AxoSyslog parses fields from extensions to the same level as regular fields. In earlier versions, extensions were grouped under the extensions
key. To keep using the extensions
key, set separate_extensions=true
.
Example
The following is a CEF-formatted message including mandatory and custom (extension) fields:
CEF:0|KasperskyLab|SecurityCenter|13.2.0.1511|KLPRCI_TaskState|Completed successfully|1|foo=foo bar=bar baz=test
The following FilterX expression parses it and converts it into JSON format:
filterx {
${PARSED_MESSAGE} = json(parse_cef(${MESSAGE}));
};
The content of the JSON object for this message will be:
{
"version":"0",
"device_vendor":"KasperskyLab",
"device_product":"SecurityCenter",
"device_version":"13.2.0.1511",
"device_event_class_id":"KLPRCI_TaskState",
"name":"Completed successfully",
"agent_severity":"1",
"foo":"foo=bar",
"bar":"bar=baz",
"baz":"test"
}
If you set separate_extensions=true
, the extensions of the message will be grouped under the extensions
key:
{
"version":"0",
"device_vendor":"KasperskyLab",
"device_product":"SecurityCenter",
"device_version":"13.2.0.1511",
"device_event_class_id":"KLPRCI_TaskState",
"name":"Completed successfully",
"agent_severity":"1",
"extensions": {
"foo":"foo=bar",
"bar":"bar=baz",
"baz":"test"
}
}