Normalize
Synopsis
Converts log field names between different normalization formats (ECS, CIM, ASIM, CEF, LEEF, CSL).
Schema
normalize:
- source_format: <string>
- target_format: <string>
- description: <text>
- if: <script>
- ignore_failure: <boolean>
- on_failure: <processor[]>
- on_success: <processor[]>
- tag: <string>
Configuration
Field | Required | Default | Description |
---|---|---|---|
source_format | N | auto-detect | Source format (ecs, cim, asim, cef, leef, csl) |
target_format | Y | - | Target format to convert to |
description | N | - | Documentation note |
if | N | - | Conditional expression |
ignore_failure | N | false | Skip processing errors |
on_failure | N | - | Error handling processors |
on_success | N | - | Success handling processors |
tag | N | - | Identifier for logging |
Details
When source_format is not specified, the processor detects the source format from the characteristic fields present in the event. It then renames the fields while leaving their values unchanged.
Format names are case-insensitive, i.e. "ECS", "ecs" and "Ecs" are equivalent.
Some commonly used field mappings:
ECS | CIM | ASIM |
---|---|---|
Network | | |
source.ip | src | SrcIp |
destination.ip | dest | DstIp |
network.direction | direction | NetworkDirection |
Event | | |
@timestamp | _time | TimeGenerated |
event.type | action | EventType |
event.category | category | EventCategory |
User | | |
user.name | user | ActorUsername |
user.id | user_id | ActorUserId |
user.domain | user_domain | ActorUserDomain |
Field mapping is not reversible when the target format has no equivalent field for a source field. Test conversions with sample data.
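To make the renaming and detection behaviour concrete, here is an added illustrative re-implementation of the processor's core step; it is not the product's own code. The ECS/CIM/ASIM names are taken from the mapping table above; the detection heuristic (timestamp field first, then a count of known names), flat dotted keys, and keeping fields with no target equivalent unchanged are assumptions.

```python
# Added illustrative example, not the processor's own code. Field names come from the
# page's mapping table; detection heuristic and unmapped-key handling are assumptions.
FORMATS = ("ecs", "cim", "asim")          # column order of ROWS
ROWS = [                                  # one row per concept, from the table above
    ("source.ip",         "src",         "SrcIp"),
    ("destination.ip",    "dest",        "DstIp"),
    ("network.direction", "direction",   "NetworkDirection"),
    ("@timestamp",        "_time",       "TimeGenerated"),
    ("event.type",        "action",      "EventType"),
    ("event.category",    "category",    "EventCategory"),
    ("user.name",         "user",        "ActorUsername"),
    ("user.id",           "user_id",     "ActorUserId"),
    ("user.domain",       "user_domain", "ActorUserDomain"),
]
# Assumption: each format's timestamp field is its strongest characteristic field.
SIGNATURE = {"ecs": "@timestamp", "cim": "_time", "asim": "TimeGenerated"}

def detect_format(event):
    """Guess the source format from characteristic fields (assumed heuristic)."""
    for fmt, field in SIGNATURE.items():
        if field in event:
            return fmt
    # No signature field: pick the format whose known names occur most often.
    scores = {fmt: sum(row[i] in event for row in ROWS) for i, fmt in enumerate(FORMATS)}
    best = max(scores, key=scores.get)
    if scores[best] == 0:
        raise ValueError("cannot detect source format: no known fields present")
    return best

def normalize(event, target_format, source_format=None, ignore_failure=False, on_failure=None):
    """Rename keys from the source format to target_format, preserving values."""
    target = target_format.lower()        # format names are case-insensitive
    if target not in FORMATS:
        raise ValueError(f"unsupported target format: {target_format}")
    try:
        source = (source_format or detect_format(event)).lower()
        if source not in FORMATS:
            raise ValueError(f"unsupported source format: {source_format}")
    except ValueError as err:
        # Processing error: hand it to on_failure, pass through if ignore_failure, else raise.
        if on_failure is not None:
            return on_failure(event, str(err))
        if ignore_failure:
            return dict(event)
        raise
    lookup = {row[FORMATS.index(source)]: row[FORMATS.index(target)] for row in ROWS}
    # Keys with no equivalent in the target are kept as-is (assumption), which is
    # why a conversion through a format lacking a field cannot be reversed exactly.
    return {lookup.get(key, key): value for key, value in event.items()}
```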
Examples
ECS to CIM
ECS fields... are mapped to CIM fields:
CIM to ECS
CIM fields... are mapped to ECS fields:
Auto-detection
Auto-detection discovers CIM... and maps the fields to ASIM:
Error Handling
Handling conversion errors... captures the error information: