CEF moduleedit
This is a module for receiving Common Event Format (CEF) data over Syslog. When
messages are received over the syslog protocol the syslog input will parse the
header and set the timestamp value. Then the
decode_cef processor is applied to parse the CEF
encoded data. The decoded data is written into a cef object field. Lastly any
Elastic Common Schema (ECS) fields that can be populated with the CEF data are
populated.
Read the quick start to learn how to set up and run modules.
Configure the moduleedit
You can further refine the behavior of the cef module by specifying
variable settings in the
modules.d/cef.yml file, or overriding settings at the command line.
Variable settingsedit
Each fileset has separate variable settings for configuring the behavior of the
module. If you don’t specify variable settings, the cef module uses
the defaults.
For more information, see Configure variable settings. Also see Override input settings.
When you specify a setting at the command line, remember to prefix the
setting with the module name, for example, cef.log.var.paths
instead of log.var.paths.
log fileset settingsedit
-
var.syslog_host -
The interface to listen to UDP based syslog traffic. Defaults to
localhost. Set to0.0.0.0to bind to all available interfaces. -
var.syslog_port -
The UDP port to listen for syslog traffic. Defaults to
9003
Ports below 1024 require Filebeat to run as root.
Fieldsedit
For a description of each field in the module, see the exported fields section.