parseCEF( ) Query Function

Parses a CEF-encoded message. Only CEF version 0 is supported. Any prefix before the marker CEF:0 (such as the syslog header in the example below) is skipped.

For a log line like this:

Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected an X in packet|10|src=10.0.0.1 act=blocked an X dst=1.1.1.1

Using parseCEF(result) will add these fields:

  • cef.version: 0
  • cef.device.vendor: security
  • cef.device.product: threatmanager
  • cef.device.version: 1.0
  • cef.event_class_id: 100
  • cef.name: “detected an X in packet”
  • cef.severity: 10
  • cef.ext.src: 10.0.0.1
  • cef.ext.act: “blocked an X”
  • cef.ext.dst: 1.1.1.1

Use the (unnamed) field parameter to specify which field should be parsed. Specify @rawstring to parse the rawstring.

You may want to review the specification for CEF: ArcSight CEF Spec. For compatibility with legacy systems, this implementation accepts the tab character (ASCII 0x09) in addition to space (ASCII 0x20) as the separator between key-value pairs in the extensions section. A literal backslash followed by t (the two-character sequence \t) is not a separator; it is reinterpreted as an escape in the same way as \n and \r in the specification.
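The parsing rules described above (skip everything before CEF:0, split the header on unescaped pipes, split extensions on space or tab, resolve the backslash escapes, apply the extension prefix) as an added Python example. This is not LogScale's own implementation; the function name parse_cef and the helper names are assumptions, and the two sample lines are constructed from the log line shown earlier on this page.

```python
import re

# Header fields that follow the "CEF:0" version token, in spec order.
_HEADER_NAMES = [
    "cef.device.vendor", "cef.device.product", "cef.device.version",
    "cef.event_class_id", "cef.name", "cef.severity",
]

# Escapes that are only meaningful inside extension values (the page notes
# that a literal "\t" is reinterpreted just like "\n" and "\r").
_EXT_ESCAPES = {"n": "\n", "r": "\r", "t": "\t"}

# A key starts at the beginning of the extension text or after a real space
# or tab (0x20 / 0x09) and is terminated by an unescaped "=".
_KEY_RE = re.compile(r"(?:^|[ \t])([^\s=\\]+)=")


def _split_unescaped(text, sep, maxsplit):
    """Split on sep, ignoring separators that are escaped by a backslash."""
    parts, buf, escaped = [], [], False
    for ch in text:
        if escaped:                      # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)               # keep the escape; resolved in _unescape
            escaped = True
        elif ch == sep and len(parts) < maxsplit:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def _unescape(text, extra=None):
    """Resolve \\\\, \\| and \\= (all fields) plus the extra table (extension values)."""
    out, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            nxt = text[i + 1]
            if nxt in "\\|=":
                out.append(nxt)
                i += 2
                continue
            if extra and nxt in extra:
                out.append(extra[nxt])
                i += 2
                continue
        out.append(ch)
        i += 1
    return "".join(out)


def _parse_extension(ext, prefix):
    """Turn 'k1=v1 k2=v2 with spaces' into {prefix+k1: v1, ...}."""
    fields = {}
    matches = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        start = m.end()
        # A value runs until the next key match (or the end of the text).
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        fields[prefix + m.group(1)] = _unescape(ext[start:end], _EXT_ESCAPES)
    return fields


def parse_cef(line, prefix="cef.ext."):
    """Parse a CEF:0 line; returns {} when the line carries no CEF:0 message."""
    marker = line.find("CEF:0")
    if marker < 0:
        return {}
    # Seven unescaped pipes separate the version token, six header fields
    # and the (optional) extension part.
    parts = _split_unescaped(line[marker:], "|", 7)
    if parts[0] != "CEF:0" or len(parts) < 7:
        return {}
    fields = {"cef.version": "0"}
    for name, raw in zip(_HEADER_NAMES, parts[1:7]):
        fields[name] = _unescape(raw)
    if len(parts) == 8 and parts[7].strip(" \t\r\n"):
        fields.update(_parse_extension(parts[7].strip(" \t\r\n"), prefix))
    return fields


# Constructed sample: the log line from this page, with a syslog prefix.
SAMPLE = ("Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|"
          "detected an X in packet|10|src=10.0.0.1 act=blocked an X dst=1.1.1.1")

# Constructed sample exercising escapes: an escaped pipe in the name, "\=" and
# a literal "\t" inside a value, a real tab as separator, and "\n" in a value.
ESCAPED = ("CEF:0|Vendor|Prod|2.0|42|pipe \\| in name|5|"
           "msg=a\\=b\\tc\tdst=1.2.3.4 cs1=line1\\nline2")

if __name__ == "__main__":
    for key, value in parse_cef(SAMPLE).items():
        print(f"{key}: {value!r}")
```

The key regex only treats a real space or tab as a pair boundary, so a value such as "blocked an X" survives intact while an escaped "\=" inside a value never starts a new key; malformed input with an unescaped "=" in a value is split at that point, which is the same ambiguity the format itself leaves open.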

Parameters

Name    Type    Required  Default     Description
field   string  No        @rawstring  Field that holds the input in CEF form
prefix  string  No        cef.ext.    Prefix for extension fields. Fields in the CEF extension part are prefixed with this.

field is the unnamed parameter.

Examples

Parse the @rawstring field of a log line such as: Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected a \ in packet|10|src=10.0.0.1 act=blocked a \ dst=1.1.1.1. This adds the fields cef.version, cef.device.vendor, cef.device.product, cef.device.version, cef.event_class_id, cef.name, cef.severity, cef.ext.src, cef.ext.act and cef.ext.dst to the event.

parseCEF(field=@rawstring)