Decode CEF
editDecode CEF
editThe decode_cef
processor decodes Common Event Format (CEF) messages. It
follows the specification defined in
Micro Focus Security ArcSight Common Event Format, Version 25. This processor
is available in Filebeat. This is an example CEF message.
CEF:0|SomeVendor|TheProduct|1.0|100|connection to malware C2 successfully
stopped|10|src=192.0.2.10 dst=203.0.113.2 spt=31224
Any content that precedes CEF:
is ignored. This allows the processor to
directly parse CEF content from messages that contain syslog headers.
Below is an example configuration that decodes the message
field as CEF after
renaming it to event.original
. It is best to rename message
to
event.original
because the decoded CEF data contains its own message
field.
processors: - rename: fields: - {from: "message", to: "event.original"} - decode_cef: field: event.original
The decode_cef
processor has the following configuration settings.
Table 1. Decode CEF options
Name | Required | Default | Description | |
---|---|---|---|---|
|
no |
message |
Source field containing the CEF message to be parsed. |
|
|
no |
cef |
Target field where the parsed CEF object will be written. |
|
|
no |
true |
Generate Elastic Common Schema (ECS) fields from the CEF data. Certain CEF header and extension values will be used to populate ECS fields. |
|
|
no |
UTC |
IANA time zone name (e.g. |
|
|
no |
false |
Ignore errors when the source field is missing. |
|
|
no |
false |
Ignore failures when the source field does not contain a CEF message. |
|
|
no |
An identifier for this processor instance. Useful for debugging. |