CEF module

This is a module for receiving Common Event Format (CEF) data over Syslog. When messages are received over the syslog protocol the syslog input will parse the header and set the timestamp value. Then the decode_cef processor is applied to parse the CEF encoded data. The decoded data is written into a cef object field. Lastly any Elastic Common Schema (ECS) fields that can be populated with the CEF data are populated.

Read the quick start to learn how to set up and run modules.

Configure the module

You can further refine the behavior of the cef module by specifying variable settings in the modules.d/cef.yml file, or overriding settings at the command line.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the cef module uses the defaults.

For more information, see Configure variable settings. Also see Override input settings.

When you specify a setting at the command line, remember to prefix the setting with the module name, for example, cef.log.var.paths instead of log.var.paths.

log fileset settings

var.syslog_host
The interface to listen to UDP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port
The UDP port to listen for syslog traffic. Defaults to 9003

Ports below 1024 require Filebeat to run as root.

Fields

For a description of each field in the module, see the exported fields section.