cef

edit

This is a community-maintained plugin! It does not ship with Logstash by default, but it is easy to install by running bin/plugin install logstash-codec-cef.

Implementation of a Logstash codec for the ArcSight Common Event Format (CEF). Based on Revision 20 of Implementing ArcSight CEF, dated from June 05, 2013. https://protect724.hp.com/servlet/JiveServlet/downloadBody/1072-102-6-4697/CommonEventFormat.pdf

 

Synopsis

edit

This plugin supports the following configuration options:

Required configuration options:

cef {
  }

Available configuration options:

Setting Input type Required Default value

fields

array

No

[]

name

string

No

"Logstash"

product

string

No

"Logstash"

severity

string

No

"6"

signature

string

No

"Logstash"

vendor

string

No

"Elasticsearch"

version

string

No

"1.0"

Details

edit

 

fields

edit
  • Value type is array
  • Default value is []

Fields to be included in CEV extension part as key/value pairs

name

edit
  • Value type is string
  • Default value is "Logstash"

Name field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

product

edit
  • Value type is string
  • Default value is "Logstash"

Device product field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

sev (DEPRECATED)

edit
  • DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
  • Value type is string
  • Default value is "6"

Deprecated severity field for CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

This field is used only if :severity is unchanged set to the default value.

Defined as field of type string to allow sprintf. The value will be validated to be an integer in the range from 0 to 10 (including). All invalid values will be mapped to the default of 6.

severity

edit
  • Value type is string
  • Default value is "6"

Severity field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

Defined as field of type string to allow sprintf. The value will be validated to be an integer in the range from 0 to 10 (including). All invalid values will be mapped to the default of 6.

signature

edit
  • Value type is string
  • Default value is "Logstash"

Signature ID field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

vendor

edit
  • Value type is string
  • Default value is "Elasticsearch"

Device vendor field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

version

edit
  • Value type is string
  • Default value is "1.0"

Device version field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.