
CEF

Parse

Synopsis

Parses Common Event Format (CEF) messages from a field into structured objects.

Schema

cef:
- field: <ident>
- target_field: <ident>
- description: <text>
- if: <script>
- ignore_failure: <boolean>
- ignore_missing: <boolean>
- on_failure: <processor[]>
- on_success: <processor[]>
- tag: <string>

Configuration

Field           Required  Default  Description
field           Y         -        Field containing the CEF message to parse
target_field    N         cef      Field to store the parsed CEF object
description     N         -        Explanatory note
if              N         -        Condition to run
ignore_failure  N         false    Continue processing if parsing fails
ignore_missing  N         false    Skip processing if source field doesn't exist
on_failure      N         -        See Handling Failures
on_success      N         -        See Handling Success
tag             N         -        Identifier

Details

CEF is a standardized logging format commonly used by security devices and applications to communicate events.

The processor extracts both CEF header fields and extension fields. The header contains standardized fields like vendor, product, version, etc., while extensions contain key-value pairs with additional event details.

Note: Type conversion is handled automatically for numeric values in extension fields, e.g. port numbers, counts, etc.

CEF header fields that the processor extracts:

cefVersion: CEF version, e.g. 0
deviceVendor: Event creator, e.g. Cisco
deviceProduct: Event generator, e.g. ASA
deviceVersion: Product version, e.g. 9.1
deviceEventClassId: Event type identifier, e.g. 106100
name: Human-readable identifier, e.g. access-list
severity: Integer indicating severity, e.g. 5

Warning: The message must begin with "CEF:" and contain all seven header fields separated by pipe (|) characters. Messages not following this format will cause parsing to fail.

Examples

Basic Parsing

Parsing a basic CEF message...

{
  "message": "CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232"
}

cef:
- field: message

extracts the header and the extension fields:

{
  "message": "CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232",
  "cef": {
    "cefVersion": 0,
    "deviceVendor": "Security",
    "deviceProduct": "threatmanager",
    "deviceVersion": "1.0",
    "deviceEventClassId": 100,
    "name": "worm successfully stopped",
    "severity": 10,
    "src": "10.0.0.1",
    "dst": "2.1.2.2",
    "spt": 1232
  }
}

Security Devices

Parsing a Cisco ASA firewall log...

{
  "message": "CEF:0|Cisco|ASA|9.1|106100|access-list|5|src=192.168.1.100 dst=10.0.0.50 spt=52777 dpt=443 proto=TCP act=Permit app=HTTPS deviceDirection=0 rt=Mar 10 2024 12:30:45"
}

cef:
- field: message
- target_field: firewall_event

structures the firewall event data:

{
  "message": "CEF:0|Cisco|ASA|9.1|106100|access-list|5|src=192.168.1.100 dst=10.0.0.50 spt=52777 dpt=443 proto=TCP act=Permit app=HTTPS deviceDirection=0 rt=Mar 10 2024 12:30:45",
  "firewall_event": {
    "cefVersion": 0,
    "deviceVendor": "Cisco",
    "deviceProduct": "ASA",
    "deviceVersion": "9.1",
    "deviceEventClassId": 106100,
    "name": "access-list",
    "severity": 5,
    "src": "192.168.1.100",
    "dst": "10.0.0.50",
    "spt": 52777,
    "dpt": 443,
    "proto": "TCP",
    "act": "Permit",
    "app": "HTTPS",
    "deviceDirection": 0,
    "rt": "Mar 10 2024 12:30:45"
  }
}

Error Handling

Handling invalid CEF messages...

{
  "message": "Invalid CEF message"
}

cef:
- field: message
- ignore_failure: true
- on_failure:
  - append:
      field: tags
      value: cef_parse_error

adds an error tag when the parsing fails:

{
  "message": "Invalid CEF message",
  "tags": ["cef_parse_error"]
}
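The parsing rules from the Details section (seven pipe-separated header fields after "CEF:", key=value extensions whose values may contain spaces, automatic integer conversion) and the failure handling shown in the Error Handling example, worked through as an added Python example. This is not the processor's own code. It goes slightly beyond the page by honouring the CEF specification's escape sequences (`\|` and `\\` in header fields, `\=`, `\\`, `\n`, `\r` in extension values), which the page does not discuss; `parse_cef`, `process_event` and its `failure_tag` parameter are hypothetical names standing in for the processor's field/target_field/ignore_missing/ignore_failure/on_failure behaviour. All sample messages are the page's own or constructed here.

```python
import re
from typing import Any, Optional

# The seven CEF header fields, in the order they follow the "CEF:" prefix.
HEADER_FIELDS = (
    "cefVersion", "deviceVendor", "deviceProduct", "deviceVersion",
    "deviceEventClassId", "name", "severity",
)

_INT_RE = re.compile(r"-?\d+")
# An extension key starts the string or follows whitespace and is followed by "=".
# Keys never contain a backslash, so an escaped "\=" inside a value cannot end a key.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")
_EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def _coerce(value: str) -> Any:
    """Turn purely numeric strings (ports, counts, severity) into ints; keep the rest as text."""
    return int(value) if _INT_RE.fullmatch(value) else value


def _split_header(body: str) -> list:
    r"""Split the text after "CEF:" on unescaped pipes.

    Returns the header fields followed, when present, by the raw extension string.
    Escape handling ("\|" -> "|", "\\" -> "\") follows the CEF spec; this is an
    assumption added here, the page itself does not cover escaping.
    """
    fields, current, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            current.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
            if len(fields) == len(HEADER_FIELDS):
                # Everything after the seventh pipe is the extension, pipes and all.
                fields.append(body[i + 1:])
                return fields
            i += 1
            continue
        current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def _parse_extension(ext: str) -> dict:
    r"""Parse "key=value key2=value" pairs. Values may contain spaces (e.g. rt=Mar 10 2024
    12:30:45), so a value runs from its "=" up to the next key; "\=", "\\", "\n", "\r"
    are unescaped per the CEF spec (assumption, see above)."""
    pairs: dict = {}
    keys = list(_KEY_RE.finditer(ext))
    for idx, match in enumerate(keys):
        value_end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[match.end():value_end].strip()
        value = re.sub(r"\\([=\\nr])", lambda m: _EXT_ESCAPES[m.group(1)], raw)
        pairs[match.group(1)] = _coerce(value)
    return pairs


def parse_cef(message: str) -> dict:
    """Parse one CEF message into a flat dict of header and extension fields.
    Raises ValueError for anything that is not a well-formed CEF message."""
    if not message.startswith("CEF:"):
        raise ValueError("message does not start with 'CEF:'")
    parts = _split_header(message[len("CEF:"):])
    if len(parts) < len(HEADER_FIELDS):
        raise ValueError(f"expected {len(HEADER_FIELDS)} header fields, got {len(parts)}")
    event = {name: _coerce(value) for name, value in zip(HEADER_FIELDS, parts)}
    extension = parts[len(HEADER_FIELDS)] if len(parts) > len(HEADER_FIELDS) else ""
    event.update(_parse_extension(extension))
    return event


def process_event(event: dict, field: str = "message", target_field: str = "cef",
                  ignore_missing: bool = False, ignore_failure: bool = False,
                  failure_tag: Optional[str] = None) -> dict:
    """Hypothetical stand-in for the processor's configuration options. failure_tag models
    the page's on_failure step that appends a value to "tags" when parsing fails."""
    result = dict(event)
    if field not in result:
        if ignore_missing:
            return result
        raise KeyError(f"source field {field!r} is missing")
    try:
        result[target_field] = parse_cef(result[field])
    except ValueError:
        if not ignore_failure:
            raise
        if failure_tag is not None:
            result["tags"] = list(result.get("tags", [])) + [failure_tag]
    return result


if __name__ == "__main__":
    print(process_event({"message": "Invalid CEF message"},
                        ignore_failure=True, failure_tag="cef_parse_error"))
```

Running the module reproduces the Error Handling output; feeding the two messages from the earlier examples through `process_event` yields the same nested objects the page shows, with `cefVersion`, `deviceEventClassId`, `severity`, `spt`, `dpt` and `deviceDirection` as integers and `deviceVersion` ("1.0", "9.1") left as text because it is not a whole number.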