Decode CEF

edit

The decode_cef processor decodes Common Event Format (CEF) messages. It follows the specification defined in Micro Focus Security ArcSight Common Event Format, Version 25. This processor is available in Filebeat. This is an example CEF message.

CEF:0|SomeVendor|TheProduct|1.0|100|connection to malware C2 successfully stopped|10|src=192.0.2.10 dst=203.0.113.2 spt=31224

Any content that precedes CEF: is ignored. This allows the processor to directly parse CEF content from messages that contain syslog headers.

Below is an example configuration that decodes the message field as CEF after renaming it to event.original. It is best to rename message to event.original because the decoded CEF data contains its own message field.

processors:
  - rename:
      fields:
        - {from: "message", to: "event.original"}
  - decode_cef:
      field: event.original

The decode_cef processor has the following configuration settings.

Table 1. Decode CEF options

Name Required Default Description

field

no

message

Source field containing the CEF message to be parsed.

target_field

no

cef

Target field where the parsed CEF object will be written.

ecs

no

true

Generate Elastic Common Schema (ECS) fields from the CEF data. Certain CEF header and extension values will be used to populate ECS fields.

timezone

no

UTC

IANA time zone name (e.g. America/New_York) or fixed time offset (e.g. +0200) to use when parsing times that do not contain a time zone. Local may be specified to use the machine’s local time zone.

ignore_missing

no

false

Ignore errors when the source field is missing.

ignore_failure

no

false

Ignore failures when the source field does not contain a CEF message.

id

no

An identifier for this processor instance. Useful for debugging.