Cef codec plugin v5.0.4

Plugin version: v5.0.4
Released on: 2018-08-22
Changelog

For other versions, see the overview list.

To learn more about Logstash, see the Logstash Reference.

Getting help

For questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in Github. For the list of Elastic supported plugins, please consult the Elastic Support Matrix.

Description

Implementation of a Logstash codec for the ArcSight Common Event Format (CEF) Based on Revision 20 of Implementing ArcSight CEF, dated from June 05, 2013 https://community.saas.hpe.com/dcvta86296/attachments/dcvta86296/connector-documentation/1116/1/CommonEventFormatv23.pdf

If this codec receives a payload from an input that is not a valid CEF message, then it will produce an event with the payload as the message field and a _cefparsefailure tag.

Cef Codec Configuration Options

Setting	Input type	Required
`delimiter`	string	No
`fields`	array	No
`name`	string	No
`product`	string	No
`severity`	string	No
`signature`	string	No
`vendor`	string	No
`version`	string	No

`delimiter`

Value type is string
There is no default value for this setting.

If your input puts a delimiter between each CEF event, you’ll want to set this to be that delimiter.

For example, with the TCP input, you probably want to put this:

		input {
  tcp {
    codec => cef { delimiter => "\r\n" }
    # ...
  }
}

	

This setting allows the following character sequences to have special meaning:

\\r (backslash "r") - means carriage return (ASCII 0x0D)
\\n (backslash "n") - means newline (ASCII 0x0A)

`deprecated_v1_fields` (OBSOLETE)

OBSOLETE WARNING: This configuration item is obsolete and will prevent the pipeline from starting if used
Value type is boolean
There is no default value for this setting.

`fields`

Value type is array
Default value is []

Fields to be included in CEV extension part as key/value pairs

`name`

Value type is string
Default value is "Logstash"

Name field in CEF header. The new value can include %{{foo}} strings to help you build a new value from other parts of the event.

`product`

Value type is string
Default value is "Logstash"

Device product field in CEF header. The new value can include %{{foo}} strings to help you build a new value from other parts of the event.

`sev` (OBSOLETE)

OBSOLETE WARNING: This configuration item is obsolete and will prevent the pipeline from starting.
Value type is string
There is no default value for this setting.

Obsolete severity field for CEF header use :severity instead.

`severity`

Value type is string
Default value is "6"

Severity field in CEF header. The new value can include %{{foo}} strings to help you build a new value from other parts of the event.

Defined as field of type string to allow sprintf. The value will be validated to be an integer in the range from 0 to 10 (including). All invalid values will be mapped to the default of 6.

`signature`

Value type is string
Default value is "Logstash"

Signature ID field in CEF header. The new value can include %{{foo}} strings to help you build a new value from other parts of the event.

`vendor`

Value type is string
Default value is "Elasticsearch"

Device vendor field in CEF header. The new value can include %{{foo}} strings to help you build a new value from other parts of the event.

`version`

Value type is string
Default value is "1.0"

Device version field in CEF header. The new value can include %{{foo}} strings to help you build a new value from other parts of the event.