cef

  • Version: 4.1.0
  • Released on: 2016-12-03
  • Changelog
  • Compatible: 5.1.1.1, 5.0.0, 2.4.1, 2.4.0, 2.3.4

This plugin does not ship with Logstash by default, but it is easy to install by running bin/logstash-plugin install logstash-codec-cef.

Implementation of a Logstash codec for the ArcSight Common Event Format (CEF), based on Revision 20 of "Implementing ArcSight CEF", dated June 05, 2013: https://protect724.hp.com/servlet/JiveServlet/downloadBody/1072-102-6-4697/CommonEventFormat.pdf

If this codec receives a payload from an input that is not a valid CEF message, then it will produce an event with the payload as the message field and a _cefparsefailure tag.


Synopsis

This plugin supports the following configuration options:

Required configuration options:

cef {
}

Available configuration options:

Setting        Input type  Required  Default value
delimiter      string      No
enable_metric  boolean     No        true
fields         array       No        []
id             string      No
name           string      No        "Logstash"
product        string      No        "Logstash"
severity       string      No        "6"
signature      string      No        "Logstash"
vendor         string      No        "Elasticsearch"
version        string      No        "1.0"

Details


delimiter

  • Value type is string
  • There is no default value for this setting.

If your input puts a delimiter between each CEF event, you’ll want to set this to be that delimiter.

For example, with the TCP input, you probably want to put this:

input {
  tcp {
    codec => cef { delimiter => "\r\n" }
    # ...
  }
}

This setting allows the following character sequences to have special meaning:

  • \r (backslash "r") - means carriage return (ASCII 0x0D)
  • \n (backslash "n") - means newline (ASCII 0x0A)
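The decode path described on this page (split the input on the configured delimiter, parse the CEF header and extension, and fall back to a `_cefparsefailure`-tagged event with the raw payload in `message` when a line is not valid CEF) as an added Ruby illustration. This is not the logstash-codec-cef plugin's own code: the event field names mirror the CEF header positions and are an assumption about the output schema, the header/extension escaping rules follow the ArcSight specification the page cites, and the sample lines are constructed.

```ruby
# Added illustration, not the logstash-codec-cef plugin's own code: a minimal
# decoder for the CEF line format the codec consumes. Field names mirror the
# CEF header positions; they are an assumption, not the plugin's event schema.
#
# CEF layout (ArcSight spec the page cites):
#   CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
# Header escapes: "\|" and "\\".  Extension escapes: "\=" and "\\".
# "|" needs no escaping inside the extension, so splitting stops after the
# seventh pipe and the remainder goes to the extension parser verbatim.

CEF_HEADER_KEYS = %w[cefVersion deviceVendor deviceProduct deviceVersion
                     deviceEventClassId name severity].freeze

# Split the header on unescaped "|", dropping the escaping backslashes.
# Returns [seven_header_fields, extension_string] or nil when malformed.
def split_cef_header(line)
  fields = []
  buf = +""
  i = 0
  while i < line.length && fields.length < 7
    c = line[i]
    if c == "\\" && i + 1 < line.length
      buf << line[i + 1]          # escaped "|" or "\" is kept literally
      i += 2
    elsif c == "|"
      fields << buf
      buf = +""
      i += 1
    else
      buf << c
      i += 1
    end
  end
  # Lenient: a line with only six pipes has a severity but no extension.
  fields << buf if fields.length == 6 && i >= line.length
  return nil unless fields.length == 7
  [fields, line[i..-1]]
end

# Parse "key=value key2=value2" where values may contain spaces and the
# escapes "\=" and "\\". A key is the run of word characters just before an
# unescaped "=", and a value runs until the next " key=" or end of string.
def parse_cef_extension(ext)
  pairs = ext.scan(/(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|\z)/)
  pairs.each_with_object({}) { |(k, v), h| h[k] = v.gsub(/\\(.)/, '\1') }
end

# Decode one payload. Anything that does not parse becomes an event carrying
# the raw payload in "message" plus the "_cefparsefailure" tag, mirroring the
# behaviour the page describes for invalid input.
def decode_cef(payload)
  parsed = split_cef_header(payload)
  unless parsed && parsed[0][0].start_with?("CEF:")
    return { "message" => payload, "tags" => ["_cefparsefailure"] }
  end
  header, ext = parsed
  event = {}
  CEF_HEADER_KEYS.each_with_index { |key, idx| event[key] = header[idx] }
  event["cefVersion"] = event["cefVersion"].sub(/\ACEF:/, "")
  event.merge!(parse_cef_extension(ext))
end

# Split a stream on the configured delimiter (e.g. "\r\n" for the TCP input)
# and decode each piece. Unlike the real codec this does not buffer a trailing
# partial line across calls.
def decode_cef_stream(data, delimiter)
  data.split(delimiter).reject(&:empty?).map { |line| decode_cef(line) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample traffic: one well-formed line and one junk line.
  sample = "CEF:0|Vendor\\|Inc|Prod|1.0|100|Login \\\\ ok|5|src=10.0.0.1 msg=a\\=b dst=10.0.0.2\r\n" \
           "not a cef line at all\r\n"
  decode_cef_stream(sample, "\r\n").each { |e| p e }
end
```

Feeding the junk line through produces only the tagged fallback event, which is the thing to alert on in a pipeline: a sudden rise in `_cefparsefailure` events usually means a sender changed format or a delimiter mismatch is gluing lines together.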

deprecated_v1_fields (DEPRECATED)

  • DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
  • Value type is boolean
  • There is no default value for this setting.

Set this flag if you want to have both v1 and v2 fields indexed at the same time. Note that this option will increase the index size and the data stored in outputs like Elasticsearch. This option is available to ease the transition to the new schema.

enable_metric

  • Value type is boolean
  • Default value is true

Disable or enable metric logging for this specific plugin instance. By default we record all the metrics we can, but you can disable metrics collection for a specific plugin.

fields

  • Value type is array
  • Default value is []

Fields to be included in the CEF extension part as key/value pairs.

id

  • Value type is string
  • There is no default value for this setting.

Add a unique ID to the plugin instance. This ID is used for tracking information for a specific configuration of the plugin.

output {
 stdout {
   id => "ABC"
 }
}

If you don’t explicitly set this variable, Logstash will generate a unique name.

name

  • Value type is string
  • Default value is "Logstash"

Name field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

product

  • Value type is string
  • Default value is "Logstash"

Device product field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

sev (DEPRECATED)

  • DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
  • Value type is string
  • There is no default value for this setting.

Deprecated severity field for CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

This field is used only if severity is left unchanged at its default value.

Defined as a field of type string to allow sprintf. The value will be validated to be an integer in the range from 0 to 10 (inclusive). All invalid values will be mapped to the default of 6.

severity

  • Value type is string
  • Default value is "6"

Severity field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

Defined as a field of type string to allow sprintf. The value will be validated to be an integer in the range from 0 to 10 (inclusive). All invalid values will be mapped to the default of 6.

signature

  • Value type is string
  • Default value is "Logstash"

Signature ID field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

vendor

  • Value type is string
  • Default value is "Elasticsearch"

Device vendor field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

version

  • Value type is string
  • Default value is "1.0"

Device version field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.
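The encode side of the settings documented above (vendor, product, version, signature, name and severity forming the CEF header, `fields` forming the extension, `%{foo}` interpolation, and the severity validation that maps anything outside 0..10 to 6) as an added Ruby illustration. This is not the plugin's own code: the defaults are taken from the table on this page, while the interpolation helper, the treatment of a missing `%{foo}` field as an empty string, and the escaping rules (from the ArcSight specification the page cites) are assumptions about the codec's behaviour. The sample event is constructed.

```ruby
# Added illustration, not the logstash-codec-cef plugin's own code: how the
# encode-side settings on this page (vendor, product, version, signature, name,
# severity, fields) combine into one CEF line. Defaults follow the settings
# table; the %{foo} interpolation and the escaping rules are reimplemented here
# and are assumptions about the codec.

CEF_SEVERITY_DEFAULT = 6

# Severity must be an integer 0..10 inclusive; anything else maps to 6, as the
# page describes for the severity setting.
def normalize_cef_severity(value)
  s = value.to_s
  return CEF_SEVERITY_DEFAULT unless s =~ /\A\d+\z/
  n = Integer(s, 10)
  (0..10).cover?(n) ? n : CEF_SEVERITY_DEFAULT
end

# Expand %{field} references from the event, as the page says each header
# setting allows. A missing field expands to "" (an assumption).
def interpolate_cef(template, event)
  template.to_s.gsub(/%\{([^}]+)\}/) { event.fetch($1, "").to_s }
end

# Header fields: escape "|" and "\" so the pipe-separated header stays parseable.
def escape_cef_header(value)
  value.to_s.gsub(/[\\|]/) { |c| "\\" + c }
end

# Extension values: escape "=" and "\", and fold CR/LF so one event stays on
# one line even when a field (for example msg) carries a newline.
def escape_cef_extension(value)
  value.to_s.gsub(/[\\=\r\n]/) do |c|
    case c
    when "\n" then "\\n"
    when "\r" then "\\r"
    else "\\" + c
    end
  end
end

CEF_ENCODE_DEFAULTS = {
  "vendor" => "Elasticsearch", "product" => "Logstash", "version" => "1.0",
  "signature" => "Logstash", "name" => "Logstash", "severity" => "6",
  "fields" => []
}.freeze

# Build "CEF:0|vendor|product|version|signature|name|severity|k=v k=v".
# `fields` lists event keys to copy into the extension; absent keys are skipped.
def encode_cef(event, config = {})
  cfg = CEF_ENCODE_DEFAULTS.merge(config)
  header = %w[vendor product version signature name].map do |key|
    escape_cef_header(interpolate_cef(cfg[key], event))
  end
  severity = normalize_cef_severity(interpolate_cef(cfg["severity"], event))
  extension = cfg["fields"].select { |f| event.key?(f) }
                           .map { |f| "#{f}=#{escape_cef_extension(event[f])}" }
                           .join(" ")
  "CEF:0|#{header.join('|')}|#{severity}|#{extension}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed event: note the "=" and "|" inside msg, and a severity that
  # comes from the event via %{level}.
  event = { "src" => "10.0.0.1", "msg" => "user=bob|admin", "level" => "4", "host" => "fw01" }
  puts encode_cef(event, "severity" => "%{level}", "name" => "Login on %{host}",
                         "fields" => %w[src msg])
end
```

The escaping is the part worth keeping in mind when you let event data flow into the header through `%{foo}`: an unescaped `|` in a vendor or name value would shift every following header column for the consumer, which is why the helper escapes it, and why a downstream SIEM seeing shifted columns is a hint that some producer does not.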