Skip to main content
Version: 1.1.0

CEF

Parse

Synopsis

Parses Common Event Format (CEF) messages from a field into structured objects.

note

See Appendix

Schema

cef:
  - field: <ident>
  - target_field: <ident>
  - description: <text>
  - if: <script>
  - ignore_failure: <boolean>
  - ignore_missing: <boolean>
  - on_failure: <processor[]>
  - on_success: <processor[]>
  - tag: <string>

Configuration

FieldRequiredDefaultDescription
fieldY-Field containing the CEF message to parse
target_fieldNcefField to store the parsed CEF object
descriptionN-Explanatory note
ifN-Condition to run
ignore_failureNfalseContinue processing if parsing fails
ignore_missingNfalseSkip processing if source field doesn't exist
on_failureN-See Handling Failures
on_successN-See Handling Success
tagN-Identifier

Details

CEF is a standardized logging format commonly used by security devices and applications to communicate events.

The processor extracts both CEF header fields and extension fields. The header contains standardized fields like vendor, product, version, etc., while extensions contain key-value pairs with additional event details.

note

Type conversion is handled automatically for numeric values in extension fields, e.g. port numbers, counts, etc.

CEF header fields that the processor extracts:

cefVersion
CEF version, e.g. 0
deviceVendor
Event creator, e.g. Cisco
deviceProduct
Event generator, e.g. ASA
deviceVersion
Product version, e.g. 9.1
deviceEventClassId
Event type identifier, e.g. 106100
name
Human-readable identifier, e.g. access-list
severity
Integer indicating severity, e.g. 5
warning

The message must begin with "CEF:" and contain all seven header fields separated by pipe (|) characters. Messages not following this format will cause parsing to fail.

Examples

Basic Parsing

Parsing a basic CEF message...

{
  "message": "CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232"
}
cef:
  - field: message

extracts the header and the extension fields:

{
  "message": "CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232",
  "cef": {
    "cefVersion": 0,
    "deviceVendor": "Security",
    "deviceProduct": "threatmanager",
    "deviceVersion": "1.0",
    "deviceEventClassId": 100,
    "name": "worm successfully stopped",
    "severity": 10,
    "src": "10.0.0.1",
    "dst": "2.1.2.2",
    "spt": 1232
  }
}

Security Devices

Parsing a Cisco ASA firewall log...

{
  "message": "CEF:0|Cisco|ASA|9.1|106100|access-list|5|src=192.168.1.100 dst=10.0.0.50 spt=52777 dpt=443 proto=TCP act=Permit app=HTTPS deviceDirection=0 rt=Mar 10 2024 12:30:45"
}
cef:
  - field: message
  - target_field: firewall_event

structures the firewall event data:

{
  "message": "CEF:0|Cisco|ASA|9.1|106100|access-list|5|src=192.168.1.100 dst=10.0.0.50 spt=52777 dpt=443 proto=TCP act=Permit app=HTTPS deviceDirection=0 rt=Mar 10 2024 12:30:45",
  "firewall_event": {
    "cefVersion": 0,
    "deviceVendor": "Cisco",
    "deviceProduct": "ASA",
    "deviceVersion": "9.1",
    "deviceEventClassId": 106100,
    "name": "access-list",
    "severity": 5,
    "src": "192.168.1.100",
    "dst": "10.0.0.50",
    "spt": 52777,
    "dpt": 443,
    "proto": "TCP",
    "act": "Permit",
    "app": "HTTPS",
    "deviceDirection": 0,
    "rt": "Mar 10 2024 12:30:45"
  }
}

Error Handling

Handling invalid CEF messages...

{
  "message": "Invalid CEF message"
}
cef:
  - field: message
  - ignore_failure: true
  - on_failure:
      - append:
          field: tags
          value: cef_parse_error

adds an error tag when the parsing fails:

{
  "message": "Invalid CEF message",
  "tags": ["cef_parse_error"]
}