This is a module for receiving Common Event Format (CEF) data over Syslog. When messages are received over the syslog protocol, the syslog input parses the header and sets the timestamp value. Then the decode_cef processor is applied to parse the CEF-encoded data. The decoded data is written into a cef object field. Lastly, any Elastic Common Schema (ECS) fields that can be populated with the CEF data are
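To make the pipeline described above concrete, here is an added example (not Filebeat's own decode_cef implementation) of a small Python decoder that takes one syslog line carrying a CEF payload, parses the syslog header for the timestamp and priority, splits the seven pipe-delimited CEF header fields, parses the key=value extensions (honouring CEF's backslash escapes), writes everything into a cef object, and then copies a representative subset of keys into ECS-style fields. The sample line is constructed, and the ECS mapping table is an illustrative subset chosen for the example, not the processor's complete mapping.

```python
"""Toy CEF-over-syslog decoder (added example, not Filebeat's decode_cef)."""
import re
from datetime import datetime, timezone

# Constructed sample: syslog priority + BSD timestamp + hostname + CEF payload.
SAMPLE = (
    "<134>Oct 11 22:14:15 fw01 CEF:0|Example Vendor|Example Product|1.2|100|"
    "Connection denied|5|src=10.0.0.5 spt=51234 dst=192.0.2.7 dpt=443 "
    "msg=Blocked request to host\\=example cs1Label=Rule cs1=egress-deny"
)

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.S,
)
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "device_event_class_id", "name", "severity")
# One key=value pair: the value runs until the next " key=" or end of string;
# "\\." keeps escaped characters (\= \| \\ \n \r) inside the value.
EXT_RE = re.compile(
    r"(?P<key>[A-Za-z0-9_.]+)=(?P<val>(?:\\.|[^\\=])*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)",
    re.S,
)
# Illustrative subset of CEF extension key -> ECS field (assumption for this example,
# not the processor's full table).
ECS_MAP = {"src": ("source.ip", str), "spt": ("source.port", int),
           "dst": ("destination.ip", str), "dpt": ("destination.port", int),
           "msg": ("message", str)}


def unescape(s):
    """Resolve CEF backslash escapes; \\n and \\r become control characters."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  s, flags=re.S)


def split_header(payload):
    """Split the seven '|'-delimited header fields; '\\|' is a literal pipe."""
    fields, cur, i = [], [], 0
    while i < len(payload) and len(fields) < 7:
        c = payload[i]
        if c == "\\" and i + 1 < len(payload):
            cur.append(payload[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) < 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF message: need 7 header fields and a CEF: prefix")
    fields[0] = fields[0][len("CEF:"):]          # "CEF:0" -> "0"
    return dict(zip(HEADER_FIELDS, fields)), payload[i:]


def parse_extensions(ext):
    return {m.group("key"): unescape(m.group("val")) for m in EXT_RE.finditer(ext)}


def put(doc, dotted, value):
    """Set a nested field from a dotted ECS-style name such as 'source.ip'."""
    parts = dotted.split(".")
    for p in parts[:-1]:
        doc = doc.setdefault(p, {})
    doc[parts[-1]] = value


def decode(line, year=None):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised syslog header")
    pri = int(m.group("pri"))
    year = year or datetime.now(timezone.utc).year   # BSD timestamps carry no year
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(
        year=year, tzinfo=timezone.utc)
    header, ext = split_header(m.group("msg"))
    doc = {"@timestamp": ts.isoformat(), "host": {"name": m.group("host")},
           "log": {"syslog": {"priority": pri, "facility": {"code": pri // 8},
                              "severity": {"code": pri % 8}}}}
    cef = dict(header)
    cef["extensions"] = parse_extensions(ext)
    doc["cef"] = cef
    sev = header["severity"]
    put(doc, "event.severity", int(sev) if sev.isdigit() else sev)
    for key, (ecs_name, conv) in ECS_MAP.items():
        if key in cef["extensions"]:
            put(doc, ecs_name, conv(cef["extensions"][key]))
    return doc


if __name__ == "__main__":
    import json
    print(json.dumps(decode(SAMPLE, year=2024), indent=2))
```

The header splitter deliberately stops after seven fields so that a literal `|` inside the extension part is not treated as a delimiter, and the extension regex only ends a value at the next `key=` token, which is why `msg=Blocked request to host\=example` survives with its spaces and its escaped `=` intact.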
Read the quick start to learn how to set up and run modules.

You can further refine the behavior of the cef module by specifying variable settings in the modules.d/cef.yml file, or by overriding settings at the command line.

Each fileset has separate variable settings for configuring the behavior of the module. If you don't specify variable settings, the cef module uses

When you specify a setting at the command line, remember to prefix the setting with the module name, for example,
The interface to listen to UDP-based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.

The UDP port to listen for syslog traffic. Defaults to

Ports below 1024 require Filebeat to run as root.
For a description of each field in the module, see the exported fields section.