FilterX is an experimental feature currently under development. Feedback is most welcome on Discord and GitHub.

Available in AxoSyslog 4.8.1 and later.

The parse_leef FilterX function parses messages formatted in the Log Event Extended Format (LEEF).

Both LEEF versions (1.0 and 2.0) are supported. LEEF 2.0 support is available in AxoSyslog 4.9 and later.


Usage: parse_leef(<input-string>, value_separator="=", pair_separator="|")

The first argument is the input message. Optionally, you can set the pair_separator and value_separator arguments to override their default values.

The value_separator must be a single-character string. The pair_separator can be a regular string.


The following is a LEEF-formatted message including mandatory and custom (extension) fields:

LEEF:1.0|Microsoft|MSExchange|4.0 SP1|15345|src= dst= sev=5cat=anomaly srcPort=81 dstPort=21 usrName=john.smith

The following FilterX expression parses it and converts it into JSON format:

filterx {
    ${PARSED_MESSAGE} = json(parse_leef(${MESSAGE}));
};

The content of the JSON object for this message will be:

"product_version":"4.0 SP1",
"extensions": {
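As an added example (not AxoSyslog's own code), the following Python reference parser implements the rules described on this page: a "|"-separated header, pair_separator between extension pairs, a single-character value_separator, and, for LEEF 2.0, the optional header field that names the delimiter (taken from the LEEF 2.0 specification). The sample message and its IPs are constructed, and all output key names except product_version and extensions are assumed.

```python
import json
import re

# Constructed LEEF 1.0 sample (doc-range IPs), tab-delimited between pairs.
SAMPLE = ("LEEF:1.0|Microsoft|MSExchange|4.0 SP1|15345|src=192.0.2.10\t"
          "dst=198.51.100.7\tsev=5cat=anomaly\tsrcPort=81\tdstPort=21\tusrName=john.smith")

def parse_leef(msg, value_separator="=", pair_separator="|"):
    """Reference parser for LEEF 1.0/2.0; raises ValueError on malformed input."""
    if len(value_separator) != 1 or not pair_separator:
        raise ValueError("value_separator must be one char, pair_separator non-empty")
    if not msg.startswith("LEEF:") or "|" not in msg:
        raise ValueError("not a LEEF message")
    version = msg[5:msg.index("|")]
    if version not in ("1.0", "2.0"):
        raise ValueError("unsupported LEEF version: %r" % version)
    # Header: LEEF:<ver>|vendor|product|product version|event id|...
    # LEEF 2.0 may add a sixth field naming the extension delimiter, either a
    # literal character or hex in xHH form; when present it overrides pair_separator.
    parts = msg.split("|", 6 if version == "2.0" else 5)
    if len(parts) < 6:
        raise ValueError("truncated LEEF header")
    delimiter, extension = pair_separator, parts[5]
    if version == "2.0" and len(parts) == 7:
        field = parts[5]
        if re.fullmatch(r"x[0-9A-Fa-f]{2}", field):
            delimiter, extension = chr(int(field[1:], 16)), parts[6]
        elif len(field) <= 1:
            delimiter, extension = field or pair_separator, parts[6]
        else:  # no delimiter field: the '|' was part of the extension text
            extension = parts[5] + "|" + parts[6]
    extensions = {}
    for chunk in extension.split(delimiter):
        if not chunk:
            continue
        # Only the first value_separator splits key from value, so a malformed
        # pair such as "sev=5cat=anomaly" keeps "5cat=anomaly" as sev's value.
        key, sep, value = chunk.partition(value_separator)
        if sep:
            extensions[key] = value
    return {"version": version, "vendor": parts[1], "product_name": parts[2],
            "product_version": parts[3], "event_id": parts[4],
            "extensions": extensions}

if __name__ == "__main__":
    print(json.dumps(parse_leef(SAMPLE, pair_separator="\t"), indent=2))
```

Note how the malformed "sev=5cat=anomaly" pair does not produce a cat key; a detection rule keyed on cat would silently miss such events, so validate parsed output against the fields you expect.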
Last modified November 11, 2024: [4.9][filterx] Leef 2.0 is also supported (0cf4cbc)