Cef codec plugin

edit
  • Plugin version: v5.0.6
  • Released on: 2018-09-21
  • Changelog

For other versions, see the Versioned plugin docs.

Installation

edit

For plugins not bundled by default, it is easy to install by running bin/logstash-plugin install logstash-codec-cef. See Working with plugins for more details.

Getting Help

edit

For questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in Github. For the list of Elastic supported plugins, please consult the Elastic Support Matrix.

Description

edit

Implementation of a Logstash codec for the ArcSight Common Event Format (CEF) Based on Revision 20 of Implementing ArcSight CEF, dated from June 05, 2013 https://community.saas.hpe.com/dcvta86296/attachments/dcvta86296/connector-documentation/1116/1/CommonEventFormatv23.pdf

If this codec receives a payload from an input that is not a valid CEF message, then it will produce an event with the payload as the message field and a _cefparsefailure tag.

Cef Codec Configuration Options

edit
Setting Input type Required

delimiter

string

No

fields

array

No

name

string

No

product

string

No

severity

string

No

signature

string

No

vendor

string

No

version

string

No

 

delimiter

edit
  • Value type is string
  • There is no default value for this setting.

If your input puts a delimiter between each CEF event, you’ll want to set this to be that delimiter.

For example, with the TCP input, you probably want to put this:

input {
  tcp {
    codec => cef { delimiter => "\r\n" }
    # ...
  }
}

This setting allows the following character sequences to have special meaning:

  • \r (backslash "r") - means carriage return (ASCII 0x0D)
  • \n (backslash "n") - means newline (ASCII 0x0A)

deprecated_v1_fields (OBSOLETE)

edit
  • OBSOLETE WARNING: This configuration item is obsolete and will prevent the pipeline from starting if used
  • Value type is boolean
  • There is no default value for this setting.

reverse_mapping

edit
  • Value type is <boolean
  • Default value is false

Set to true to adhere to the specifications and encode using the CEF key name (short name) for the CEF field names.

fields

edit
  • Value type is array
  • Default value is []

Fields to be included in CEV extension part as key/value pairs

name

edit
  • Value type is string
  • Default value is "Logstash"

Name field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

product

edit
  • Value type is string
  • Default value is "Logstash"

Device product field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

sev (OBSOLETE)

edit
  • OBSOLETE WARNING: This configuration item is obsolete and will prevent the pipeline from starting.
  • Value type is string
  • There is no default value for this setting.

Obsolete severity field for CEF header use :severity instead.

severity

edit
  • Value type is string
  • Default value is "6"

Severity field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

Defined as field of type string to allow sprintf. The value will be validated to be an integer in the range from 0 to 10 (including). All invalid values will be mapped to the default of 6.

signature

edit
  • Value type is string
  • Default value is "Logstash"

Signature ID field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

vendor

edit
  • Value type is string
  • Default value is "Elasticsearch"

Device vendor field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.

version

edit
  • Value type is string
  • Default value is "1.0"

Device version field in CEF header. The new value can include %{foo} strings to help you build a new value from other parts of the event.