IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« avro compress_spooler »

› ›

cef

edit

cef

edit

This is a community-maintained plugin! It does not ship with Logstash by default, but it is easy to install by running bin/logstash-plugin install logstash-codec-cef.

Implementation of a Logstash codec for the ArcSight Common Event Format (CEF). Based on Revision 20 of Implementing ArcSight CEF, dated from June 05, 2013. https://protect724.hp.com/servlet/JiveServlet/downloadBody/1072-102-6-4697/CommonEventFormat.pdf

Synopsis

edit

This plugin supports the following configuration options:

Required configuration options:

cef {
  }

Available configuration options:

Setting	Input type	Required	Default value
`fields`	array	No	`[]`
`name`	string	No	`"Logstash"`
`product`	string	No	`"Logstash"`
`severity`	string	No	`"6"`
`signature`	string	No	`"Logstash"`
`vendor`	string	No	`"Elasticsearch"`
`version`	string	No	`"1.0"`

Details

edit

`fields`

edit

Value type is array
Default value is []

Fields to be included in CEV extension part as key/value pairs

`name`

edit

Value type is string
Default value is "Logstash"

Name field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

`product`

edit

Value type is string
Default value is "Logstash"

Device product field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

`sev` (DEPRECATED)

edit

DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
Value type is string
Default value is "6"

Deprecated severity field for CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

This field is used only if :severity is unchanged set to the default value.

Defined as field of type string to allow sprintf. The value will be validated to be an integer in the range from 0 to 10 (including). All invalid values will be mapped to the default of 6.

`severity`

edit

Value type is string
Default value is "6"

Severity field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

Defined as field of type string to allow sprintf. The value will be validated to be an integer in the range from 0 to 10 (including). All invalid values will be mapped to the default of 6.

`signature`

edit

Value type is string
Default value is "Logstash"

Signature ID field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

`vendor`

edit

Value type is string
Default value is "Elasticsearch"

Device vendor field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

`version`

edit

Value type is string
Default value is "1.0"

Device version field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

« avro compress_spooler »

cef

cef

Synopsis

Details

fields

name

product

sev (DEPRECATED)

severity

signature

vendor

version

`fields`

`name`

`product`

`sev` (DEPRECATED)

`severity`

`signature`

`vendor`

`version`