Decode CEFedit
The decode_cef processor decodes Common Event Format (CEF) messages. It
follows the specification defined in
Micro Focus Security ArcSight Common Event Format, Version 25. This processor
is available in Filebeat. This is an example CEF message.
CEF:0|SomeVendor|TheProduct|1.0|100|connection to malware C2 successfully
stopped|10|src=192.0.2.10 dst=203.0.113.2 spt=31224
Any content that precedes CEF: is ignored. This allows the processor to
directly parse CEF content from messages that contain syslog headers.
Below is an example configuration that decodes the message field as CEF after
renaming it to event.original. It is best to rename message to
event.original because the decoded CEF data contains its own message field.
processors:
- rename:
fields:
- {from: "message", to: "event.original"}
- decode_cef:
field: event.original
The decode_cef processor has the following configuration settings.
Table 1. Decode CEF options
| Name | Required | Default | Description | |
|---|---|---|---|---|
|
no |
message |
Source field containing the CEF message to be parsed. |
|
|
no |
cef |
Target field where the parsed CEF object will be written. |
|
|
no |
true |
Generate Elastic Common Schema (ECS) fields from the CEF data. Certain CEF header and extension values will be used to populate ECS fields. |
|
|
no |
UTC |
IANA time zone name (e.g. |
|
|
no |
false |
Ignore errors when the source field is missing. |
|
|
no |
false |
Ignore failures when the source field does not contain a CEF message. |
|
|
no |
An identifier for this processor instance. Useful for debugging. |