LEEF

Parse Elastic Compatible

Synopsis

Parses Log Event Extended Format (LEEF) messages into structured objects.

Schema

leef:
- field: <ident>
- target_field: <ident>
- description: <text>
- if: <script>
- ignore_failure: <boolean>
- ignore_missing: <boolean>
- on_failure: <processor[]>
- on_success: <processor[]>
- tag: <string>

Configuration

Field           Required  Default  Description
field           Y         -        Field containing the LEEF message string
target_field    N         leef     Field to store parsed LEEF data
description     N         -        Explanatory note
if              N         -        Condition to run
ignore_failure  N         false    See Handling Failures
ignore_missing  N         false    If true, skip if field doesn't exist
on_failure      N         -        See Handling Failures
on_success      N         -        See Handling Success
tag             N         -        Identifier

Details

The processor identifies and extracts the LEEF version, header fields (vendor, product, version, and event ID), and attribute pairs. Field names are automatically normalized for consistent processing.

note

Different LEEF versions and custom delimiters are handled automatically. If the message specifies a hex delimiter, e.g. "x09" for tab, that delimiter is used when splitting the attribute pairs.

warning

The processor expects valid LEEF formatted messages starting with "LEEF:". Invalid messages will cause the processor to fail unless ignore_failure is set to true.
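The following parser is an added illustration of the behaviour described above; it is not the processor's own code. It reads the five header fields, honours an optional LEEF 2.0 delimiter field (single character or hex such as x09, a heuristic assumption: a delimiter field never contains "="), coerces plain integers as in the sample output below, and wraps the result in a small process() helper that mimics ignore_failure by tagging the event instead of raising.

```python
import re

HEADER_KEYS = ("leefVersion", "deviceVendor", "deviceProduct",
               "deviceVersion", "deviceEventClassId")

def _decode_delimiter(token: str) -> str:
    """LEEF 2.0 delimiter field: one literal character or a hex value such as x09 / 0x09."""
    m = re.fullmatch(r"(?:0?x)([0-9A-Fa-f]{2})", token)
    if m:
        return chr(int(m.group(1), 16))
    if len(token) == 1:
        return token
    raise ValueError(f"unsupported LEEF delimiter field: {token!r}")

def parse_leef(message: str) -> dict:
    """Parse one LEEF 1.0/2.0 message into a flat dict; raise ValueError if malformed."""
    if not message.startswith("LEEF:"):
        raise ValueError("message does not start with 'LEEF:'")
    # Header: LEEF:Version|Vendor|Product|DevVersion|EventID|[Delimiter|]attributes
    parts = message[len("LEEF:"):].split("|", 5)
    if len(parts) != 6:
        raise ValueError("incomplete LEEF header")
    result = dict(zip(HEADER_KEYS, parts[:5]))
    rest, delim = parts[5], "\t"          # tab is the default attribute delimiter
    if result["leefVersion"].startswith("2"):
        # Assumption: the optional delimiter field never contains '=', attribute pairs always do.
        head, sep, tail = rest.partition("|")
        if sep and "=" not in head:
            delim, rest = _decode_delimiter(head), tail
    for pair in filter(None, rest.split(delim)):
        key, eq, value = pair.partition("=")
        if not eq:
            raise ValueError(f"attribute without '=': {pair!r}")
        # Normalise the name and coerce plain integers, matching the page's sample output.
        key = key.strip()
        result[key] = int(value) if value.isdigit() else value
    return result

def process(event: dict, field: str, target_field: str = "leef",
            ignore_failure: bool = False, error_tag: str = "leef_parse_error") -> dict:
    """Store the parse under target_field; on failure raise, or tag the event if ignore_failure."""
    try:
        event[target_field] = parse_leef(event[field])
    except ValueError:
        if not ignore_failure:
            raise
        event.setdefault("tags", []).append(error_tag)
    return event
```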

Examples

Basic Parsing

Parsing the LEEF message...

{
  "message": "LEEF:1.0|CB|CB|5.1.0|process.event|procname=powershell.exe\tpid=1234\tseverity=3"
}

leef:
  - field: message

extracts the header and the attribute fields:

{
  "leef": {
    "leefVersion": "1.0",
    "deviceVendor": "CB",
    "deviceProduct": "CB",
    "deviceVersion": "5.1.0",
    "deviceEventClassId": "process.event",
    "procname": "powershell.exe",
    "pid": 1234,
    "severity": 3
  }
}

Custom Target

Storing parsed results in a specific field...

{
  "raw_event": "LEEF:2.0|Vendor|Product|1.0|Alert|src=10.0.0.1\tdst=8.8.8.8\tproto=TCP"
}

leef:
  - field: raw_event
  - target_field: parsed_event

creates structured event data:

{
  "parsed_event": {
    "leefVersion": "2.0",
    "deviceVendor": "Vendor",
    "deviceProduct": "Product",
    "deviceVersion": "1.0",
    "deviceEventClassId": "Alert",
    "src": "10.0.0.1",
    "dst": "8.8.8.8",
    "proto": "TCP"
  }
}

Error Handling

Handling invalid LEEF messages gracefully...

{
  "event": "Invalid LEEF Message"
}

leef:
  - field: event
  - ignore_failure: true
  - on_failure:
      - append:
          field: tags
          value: "leef_parse_error"

adds an error tag without failing:

{
  "event": "Invalid LEEF Message",
  "tags": ["leef_parse_error"]
}