ParseCEF

Description:

Parses the contents of a CEF formatted message and adds attributes to the FlowFile for the headers and extensions of the CEF message. Note: this Processor expects CEF messages WITHOUT the syslog header (i.e. the content must start at "CEF:0"); strip the syslog prefix first, for example with ParseSyslog.

Tags:

logs, cef, attributes, system, event, message

Properties:

In the list below, the names of required properties appear in bold. Any other properties (not in bold) are considered optional. The table also indicates any default values.

Each entry below gives the Display Name, the API Name in parentheses, the default value, the allowable values where the property is constrained, and the description.

Parsed fields destination (FIELDS_DESTINATION)
  Default: flowfile-content
  Allowable values: flowfile-content, flowfile-attribute
  Indicates whether the results of the CEF parser are written to the FlowFile content or to FlowFile attributes. If set to flowfile-attribute, the parsed fields are populated as attributes (see "Writes Attributes" below). If set to flowfile-content, the CEF extension field is converted into a flat JSON object.

Append raw message to JSON (APPEND_RAW_MESSAGE_TO_JSON)
  Default: true
  When using flowfile-content (i.e. JSON output), add the original CEF message to the resulting JSON object. The original message is added as a string under the key _raw.

Include custom extensions (INCLUDE_CUSTOM_EXTENSIONS)
  Default: false
  Allowable values: true, false
  If set to true, custom extensions (keys not defined in the CEF specification) are included in the generated data/attributes.

Accept empty extensions (ACCEPT_EMPTY_EXTENSIONS)
  Default: false
  Allowable values: true, false
  If set to true, an extension with an empty value (e.g. "act=") is accepted and associated with a null value.

Validate the CEF event (VALIDATE_DATA)
  Default: true
  Allowable values: true, false
  If set to true, the event is validated against the CEF standard (revision 23); if the event is invalid, the FlowFile is routed to the failure relationship. If set to false, the event is processed without validating the data.

Timezone (TIME_REPRESENTATION)
  Default: Local Timezone (system Default)
  Allowable values: UTC, Local Timezone (system Default)
  Timezone used when representing date fields. UTC converts all dates to UTC, while Local Timezone converts them to the timezone used by NiFi.

DateTime Locale (DATETIME_REPRESENTATION)
  Default: en-US
  The IETF BCP 47 tag of the Locale used when parsing date fields that contain long or short month names (e.g. "may" in en-US vs. "mai." in fr-FR). The default value is generally safe; only change it if CEF messages fail to parse because of localized month names.

Relationships:

success
  Any FlowFile that is successfully parsed as a CEF message is transferred to this Relationship.
failure
  Any FlowFile that could not be parsed as a CEF message is transferred to this Relationship without any attributes being added.

Reads Attributes:

None specified.

Writes Attributes:

cef.header.version
  The version of the CEF message (the number after "CEF:").
cef.header.deviceVendor
  The Device Vendor of the CEF message.
cef.header.deviceProduct
  The Device Product of the CEF message.
cef.header.deviceVersion
  The Device Version of the CEF message.
cef.header.deviceEventClassId
  The Device Event Class ID of the CEF message.
cef.header.name
  The Name of the CEF message.
cef.header.severity
  The Severity of the CEF message.
cef.extension.*
  One attribute per extension key parsed from the message, holding that key's value.
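The following is an added example, written in Python for this page, of the parsing behaviour the properties and attribute names above describe; it is not the NiFi processor's own code (which is Java and delegates to a CEF library). It splits the seven pipe-delimited header fields while honouring the "\|" and "\\" escapes, splits the extension into key=value pairs whose values may contain spaces and escaped "=", and mirrors the Parsed fields destination, Append raw message to JSON, Include custom extensions, Accept empty extensions, Validate the CEF event and Timezone properties. Assumptions: STANDARD_EXTENSIONS is a hand-picked subset of the CEF dictionary, only the epoch-millisecond form of rt/start/end is converted (the named-month formats governed by DateTime Locale are not implemented), the JSON layout (header, extension, _raw) is this example's choice rather than the processor's exact output shape, and SAMPLE is a constructed event.

```python
"""Example CEF parser modelled on the ParseCEF property set (added example, not NiFi code)."""
import json
import re
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

HEADER_FIELDS = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
                 "deviceEventClassId", "name", "severity")
# Assumption: a hand-picked subset of the standard CEF extension dictionary,
# enough to demonstrate custom-extension filtering; not the full revision-23 list.
STANDARD_EXTENSIONS = {
    "act", "app", "cat", "cnt", "dhost", "dpt", "dst", "duser", "dvc", "dvchost",
    "end", "fname", "fsize", "in", "msg", "out", "proto", "request", "rt",
    "shost", "spt", "src", "start", "suser",
}
# Spec-defined custom-field families (cs1..cs6, cn1..cn3, ...) are standard, not "custom".
SPEC_CUSTOM_FAMILY = re.compile(r"^(cs[1-6]|cn[1-3]|flexString[12]|deviceCustomDate[12])(Label)?$")
EPOCH_MS_FIELDS = {"rt", "start", "end"}   # spec timestamps that may be epoch milliseconds
SEVERITY_WORDS = {"Low", "Medium", "High", "Very-High"}
# A key is an unescaped 'name=' at the start of the extension or right after whitespace.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


class CefParseError(ValueError):
    """Input that ParseCEF would route to the 'failure' relationship."""


def split_header(message: str) -> List[str]:
    """Return the 7 header fields (pipes/backslashes unescaped) plus the raw extension text."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(message) and len(parts) < 7:
        ch = message[i]
        if ch == "\\" and i + 1 < len(message) and message[i + 1] in "|\\":
            buf.append(message[i + 1])          # '\|' and '\\' are the only header escapes
            i += 2
        elif ch == "|":
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(parts) < 7:
        raise CefParseError("header needs 7 pipe-delimited fields")
    parts.append(message[i:])                   # everything after the 7th pipe
    return parts


def unescape_value(value: str) -> str:
    """Undo extension escapes: backslash-equals, double backslash, and literal \\n / \\r."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(text: str, accept_empty: bool) -> Dict[str, Optional[str]]:
    """Split 'key=value key2=value ...' where values may contain spaces and escaped '='."""
    matches = list(KEY_RE.finditer(text))
    if text.strip() and not matches:
        raise CefParseError("extension is not a key=value list")
    fields: Dict[str, Optional[str]] = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(text)
        raw = text[m.end():end].strip()
        if raw == "" and not accept_empty:      # Accept empty extensions = false
            raise CefParseError(f"extension {m.group(1)!r} is empty")
        fields[m.group(1)] = unescape_value(raw) if raw else None
    return fields


def parse_cef(message: str, *, destination: str = "flowfile-attribute",
              append_raw: bool = True, include_custom: bool = False,
              accept_empty: bool = False, validate: bool = True, utc: bool = True) -> Any:
    """Parse one CEF message into an attribute dict or a JSON string, per the properties."""
    parts = split_header(message)
    if not parts[0].startswith("CEF:"):
        raise CefParseError("message must start with 'CEF:' (syslog header already stripped)")
    header = dict(zip(HEADER_FIELDS, [parts[0][4:]] + parts[1:7]))
    if validate:                                # Validate the CEF event = true
        sev = header["severity"]
        if not header["version"].isdigit():
            raise CefParseError(f"bad CEF version {header['version']!r}")
        if sev not in SEVERITY_WORDS and not (sev.isdigit() and 0 <= int(sev) <= 10):
            raise CefParseError(f"severity {sev!r} not 0-10 or Low/Medium/High/Very-High")
    extension = parse_extension(parts[7], accept_empty)
    if not include_custom:                      # Include custom extensions = false
        extension = {k: v for k, v in extension.items()
                     if k in STANDARD_EXTENSIONS or SPEC_CUSTOM_FAMILY.match(k)}
    for key in EPOCH_MS_FIELDS.intersection(extension):   # Timezone property
        val = extension[key]
        if val is not None and val.isdigit():
            stamp = datetime.fromtimestamp(int(val) / 1000, tz=timezone.utc)
            extension[key] = (stamp if utc else stamp.astimezone()).isoformat()
    if destination == "flowfile-attribute":
        attrs = {f"cef.header.{k}": v for k, v in header.items()}
        attrs.update({f"cef.extension.{k}": v for k, v in extension.items()})
        return attrs
    doc: Dict[str, Any] = {"header": header, "extension": extension}
    if append_raw:                              # Append raw message to JSON
        doc["_raw"] = message
    return json.dumps(doc)


# Constructed sample event: escaped '|' in the product name, escaped '=' inside msg,
# a spec custom-string pair (cs1Label/cs1) and one vendor-specific key.
SAMPLE = ("CEF:0|Security|threat\\|manager|1.0|100|worm successfully stopped|10|"
          "src=10.0.0.1 dst=2.1.2.2 spt=1232 msg=Detected a \\= in traffic "
          "rt=1700000000000 cs1Label=Rule cs1=R-7 vendorCustomTag=abc")

if __name__ == "__main__":
    print(json.dumps(parse_cef(SAMPLE), indent=2))
    print(parse_cef(SAMPLE, destination="flowfile-content", include_custom=True))
```

Two points worth noting when tuning the processor against real feeds: with Accept empty extensions left at false, a single "act=" with no value makes the whole event route to failure, which is the behaviour the example reproduces, and vendor-specific keys silently disappear unless Include custom extensions is true, so a detection that keys on such a field will never fire on the default configuration.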

State management:

This component does not store state.

Restricted:

This component is not restricted.

Input requirement:

This component requires an incoming relationship.

System Resource Considerations:

None specified.

See Also:

ParseSyslog