cef-logs Log Parser

This parser handles logs in the Common Event Format (CEF), a standardized logging format used by various security devices and applications.

The parser extracts key CEF fields including the device vendor (manufacturer), product, version, signature ID, event name, and severity level.

The parser handles the standard CEF format:

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

When using this parser, you need to specify type: cef in your acquis.yaml configuration. The parser will automatically extract the manufacturer from the Device Vendor field and set it as the program field for downstream processing.

source: file
filenames:
  - /var/log/cef/*.log
labels:
  type: cef

The parser extracts the following CEF fields:

cef_device_vendor - The device manufacturer/vendor
cef_device_product - The product name
cef_device_version - The product version
cef_signature_id - Unique event signature identifier
cef_event_name - Human-readable event name
cef_severity - Event severity level (0-10)
message - Any additional extension data or message content

The cef_device_vendor field is also mapped to the program field for compatibility with other parsers.

1filter: "evt.Line.Labels.type == 'cef'"

2onsuccess: next_stage

3pattern_syntax:

4 CEF_HEADER: '(CEF:)?%{SPACE}%{INT:cef_version}\|%{DATA:cef_device_vendor}\|%{DATA:cef_device_product}\|%{DATA:cef_device_version}\|%{DATA:cef_signature_id}\|%{DATA:cef_event_name}\|%{INT:cef_severity}'

5 CEF_SYSLOG_OPTIONAL: '(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601})(?: %{DATA:hostname})? ?'

6name: crowdsecurity/cef-logs

7description: CEF (Common Event Format) logs parser

8nodes:

9 - grok:

10 pattern: "^%{CEF_SYSLOG_OPTIONAL}?%{CEF_HEADER}%{SPACE}\\|?%{GREEDYDATA:message}"

11 apply_on: Line.Raw

12statics:

13 - parsed: "program"

14 expression: evt.Parsed.cef_device_vendor

15 - parsed: "logsource"

16 value: "cef"

17 # syslog timestamp can be in two different fields (one of the assignment will fail)

18 - target: evt.StrTime

19 expression: evt.Parsed.timestamp

20 - target: evt.StrTime

21 expression: evt.Parsed.timestamp8601

22 - meta: datasource_path

23 expression: evt.Line.Src

24 - meta: datasource_type

25 expression: evt.Line.Module

Hub configuration

« cef-logs »
v0.1 by crowdsecurity
Log parser

Hub configuration

« cef-logs »v0.1 by crowdsecurityLog parser

« cef-logs »
v0.1 by crowdsecurity
Log parser