Cef codec plugin

  • Plugin version: v6.0.0
  • Released on: 2019-01-11
  • Changelog

For other versions, see the Versioned plugin docs.

Getting Help

For questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in Github. For the list of Elastic supported plugins, please consult the Elastic Support Matrix.

Description

Implementation of a Logstash codec for the ArcSight Common Event Format (CEF). Based on Revision 20 of Implementing ArcSight CEF, dated June 05, 2013: https://community.saas.hpe.com/dcvta86296/attachments/dcvta86296/connector-documentation/1116/1/CommonEventFormatv23.pdf

If this codec receives a payload from an input that is not a valid CEF message, then it will produce an event with the payload as the message field and a _cefparsefailure tag.

Cef Codec Configuration Options


delimiter

  • Value type is string
  • There is no default value for this setting.

If your input puts a delimiter between each CEF event, you'll want to set this to be that delimiter.

For example, with the TCP input, you probably want to put this:

    input {
      tcp {
        codec => cef { delimiter => "\r\n" }
        # ...
      }
    }

This setting allows the following character sequences to have special meaning:

  • \r (backslash "r") - means carriage return (ASCII 0x0D)
  • \n (backslash "n") - means newline (ASCII 0x0A)

fields

  • Value type is array
  • Default value is []

Fields to be included in the CEF extension part as key/value pairs.

name

  • Value type is string
  • Default value is "Logstash"

Name field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

product

  • Value type is string
  • Default value is "Logstash"

Device product field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

reverse_mapping

  • Value type is boolean
  • Default value is false

Set to true to adhere to the specifications and encode using the CEF key name (short name) for the CEF field names.

severity

  • Value type is string
  • Default value is "6"

Severity field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

Defined as a field of type string to allow sprintf. The value is validated to be an integer in the range from 0 to 10 (inclusive). All invalid values are mapped to the default of 6.
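To make the decoding behaviour concrete (the parse-failure fallback from the Description and the severity rule above), here is an added Ruby example that is not the plugin's own code: it splits the header on unescaped pipes, parses the extension as key=value pairs, tags anything else with _cefparsefailure, and clamps severity to the documented range. The escape rules it applies (\| and \\ in the header; \=, \\, \n and \r in extension values) are taken from the CEF specification the codec is based on, not from this page.

```ruby
# Added example, not the plugin's own code: a minimal CEF parser that mirrors
# the behaviour described in this document.

HEADER_KEYS = %w[cefVersion deviceVendor deviceProduct deviceVersion
                 deviceEventClassId name severity].freeze

# Header fields escape '|' as '\|' and '\' as '\\'.
def unescape_header(s)
  s.gsub(/\\([|\\])/) { $1 }
end

# Extension values escape '=' as '\=', '\' as '\\', newline as '\n' / '\r'.
def unescape_extension(s)
  s.gsub(/\\([=\\nr])/) { { 'n' => "\n", 'r' => "\r" }.fetch($1, $1) }
end

# Parse one CEF line into an event hash. Invalid input is not dropped: it is
# returned as the 'message' field with a _cefparsefailure tag, as the codec does.
def parse_cef(line)
  # Split on '|' not preceded by a backslash; limit 8 keeps the extension whole.
  parts = line.split(/(?<!\\)\|/, 8)
  unless parts.size == 8 && parts[0].match?(/\ACEF:\d+\z/)
    return { 'message' => line, 'tags' => ['_cefparsefailure'] }
  end
  event = {}
  HEADER_KEYS.each_with_index { |key, i| event[key] = unescape_header(parts[i]) }
  event['cefVersion'] = event['cefVersion'].sub('CEF:', '')
  # Values may contain spaces, so split only at whitespace that precedes 'key='.
  parts[7].split(/\s+(?=\w+=)/).each do |pair|
    key, value = pair.split('=', 2)
    event[key] = unescape_extension(value.to_s) if key && !key.empty?
  end
  event
end

# Severity must be an integer 0..10 (inclusive); anything else becomes the default 6.
def sanitize_severity(value)
  s = value.to_s.strip
  return 6 unless s.match?(/\A\d+\z/)
  n = s.to_i
  (0..10).cover?(n) ? n : 6
end

if __FILE__ == $0
  # Constructed sample line: escaped pipe in the vendor, escaped '=' in msg.
  p parse_cef('CEF:0|Vendor\|X|Prod|1.0|100|Login fail|7|src=10.0.0.1 msg=bad pw a\=b')
  p parse_cef('not cef at all')
end
```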

signature

  • Value type is string
  • Default value is "Logstash"

Signature ID field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

vendor

  • Value type is string
  • Default value is "Elasticsearch"

Device vendor field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

version

  • Value type is string
  • Default value is "1.0"

Device version field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.