ParseCEF

Description:

Parses the contents of a CEF formatted message and adds attributes to the FlowFile for the headers and extensions of the parts of the CEF message. Note: This Processor expects CEF messages WITHOUT the syslog headers (i.e. starting at "CEF:0").

Tags:

logs, cef, attributes, system, event, message

Properties:

In the list below, the names of required properties appear in bold. Any other properties (not in bold) are considered optional. The table also indicates any default values.

Name: Parsed fields destination
Default Value: flowfile-content
Allowable Values:
  • flowfile-content
  • flowfile-attribute
Description: Indicates whether the results of the CEF parser are written to the FlowFile content or to FlowFile attributes. If set to flowfile-attribute, the fields will be populated as attributes. If set to flowfile-content, the CEF extension field will be converted into a flat JSON object.

Name: Append raw message to JSON
Default Value: true
Description: When using flowfile-content (i.e. JSON output), add the original CEF message to the resulting JSON object. The original message is added as a string under the key _raw.

Name: Timezone
Default Value: Local Timezone (system Default)
Allowable Values:
  • UTC
  • Local Timezone (system Default)
Description: Timezone to be used when representing date fields. UTC will convert all dates to UTC, while Local Timezone will convert them to the timezone used by NiFi.

Name: DateTime Locale
Default Value: en-US
Description: The IETF BCP 47 representation of the Locale to be used when parsing date fields with long or short month names (e.g. "may" in en-US vs. "mai." in fr-FR). The default value is generally safe; only change it if you have issues parsing CEF messages.

Relationships:

success: Any FlowFile that is successfully parsed as a CEF message will be transferred to this Relationship.
failure: Any FlowFile that could not be parsed as a CEF message will be transferred to this Relationship without any attributes being added.

Reads Attributes:

None specified.

Writes Attributes:

cef.header.version: The version of the CEF message.
cef.header.deviceVendor: The Device Vendor of the CEF message.
cef.header.deviceProduct: The Device Product of the CEF message.
cef.header.deviceVersion: The Device Version of the CEF message.
cef.header.deviceEventClassId: The Device Event Class ID of the CEF message.
cef.header.name: The name of the CEF message.
cef.header.severity: The severity of the CEF message.
cef.extension.*: The key and value generated by the parsing of the message.
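The following is an added, self-contained Python example that shows what the processor's two output modes described above produce for one message; it is not NiFi's own ParseCEF code. It assumes the CEF escaping rules from the ArcSight CEF specification (`\|` and `\\` in the pipe-delimited header; `\=`, `\\`, `\n` and `\r` in extension values), it emits the cef.header.* and cef.extension.* attribute names listed above, and in flowfile-content mode it builds the flat JSON object with the original message under _raw as the page describes. Date field conversion (the Timezone and DateTime Locale properties) is not modelled. The sample message is constructed for the example and deliberately contains an escaped pipe, an escaped backslash and an escaped equals sign, since those are the cases a naive split on "|" and " " gets wrong.

```python
import json
import re

# Order of the seven CEF header fields, matching the cef.header.* attribute names.
HEADER_FIELDS = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
                 "deviceEventClassId", "name", "severity")

# An extension key is a run of [A-Za-z0-9_.] followed by '=' at the start of the
# extension text or after whitespace. An escaped '\=' inside a value never matches
# because the character before that '=' is a backslash, not a key character.
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")

# Extension escapes (assumed from the CEF specification).
_EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def _split_header(message):
    """Split off the seven header fields on unescaped '|'; the header escapes
    are '\\|' and '\\\\'. Returns (fields, remaining_extension_text)."""
    fields, buf, i = [], [], 0
    while i < len(message) and len(fields) < 7:
        ch = message[i]
        if ch == "\\" and i + 1 < len(message) and message[i + 1] in "|\\":
            buf.append(message[i + 1])  # escaped pipe or backslash
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) < 7:  # the spec requires seven pipes before the extension
        raise ValueError("CEF header has fewer than 7 pipe-delimited fields")
    return fields, message[i:]


def _unescape_extension(value):
    """Undo the CEF extension escapes in one pass."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in _EXT_ESCAPES:
            out.append(_EXT_ESCAPES[value[i + 1]])
            i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def _parse_extension(ext):
    """Parse 'key=value key2=value ...'. Values may contain spaces, so each value
    runs up to the next key boundary rather than the next space."""
    result = {}
    matches = list(_EXT_KEY.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        # rstrip drops the separator whitespace that precedes the next key.
        result[m.group(1)] = _unescape_extension(ext[m.end():end].rstrip())
    return result


def parse_cef(message):
    """Return (headers, extension) dicts; raises ValueError on malformed input."""
    if not message.startswith("CEF:"):
        raise ValueError("message does not start with 'CEF:'")
    fields, ext = _split_header(message)
    headers = dict(zip(HEADER_FIELDS, fields))
    headers["version"] = headers["version"][len("CEF:"):]
    return headers, _parse_extension(ext)


def to_attributes(message):
    """flowfile-attribute mode: the cef.header.* / cef.extension.* attribute set."""
    headers, ext = parse_cef(message)
    attrs = {f"cef.header.{k}": v for k, v in headers.items()}
    attrs.update({f"cef.extension.{k}": v for k, v in ext.items()})
    return attrs


def to_json_object(message, append_raw=True):
    """flowfile-content mode: the extension as a flat object, plus the original
    message under _raw when 'Append raw message to JSON' is true."""
    _, ext = parse_cef(message)
    obj = dict(ext)
    if append_raw:
        obj["_raw"] = message
    return obj


def route(message):
    """Mirror the relationships: ('success', attributes) or, when parsing fails,
    ('failure', None) with no attributes added."""
    try:
        return "success", to_attributes(message)
    except ValueError:
        return "failure", None


# Constructed sample message (not from the page): escaped pipe and backslash in
# the header, escaped '=' inside the msg value.
SAMPLE = (r"CEF:0|Acme\|Corp|Fire\\wall|2.1|100|Blocked connection|5|"
          r"src=10.0.0.1 dst=10.0.0.2 msg=Equation a\=b act=blocked")

if __name__ == "__main__":
    print(json.dumps(to_attributes(SAMPLE), indent=2))
    print(json.dumps(to_json_object(SAMPLE), indent=2))
    print(route("not a CEF line"))
```

Running the block prints the attribute map, the JSON object with _raw, and the failure route for a non-CEF line. The key-boundary regex is the important design choice: splitting the extension on spaces would break values such as msg=Equation a=b, and splitting the header on every pipe would split a vendor name that contains an escaped pipe.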

State management:

This component does not store state.

Restricted:

This component is not restricted.

Input requirement:

This component requires an incoming relationship.

System Resource Considerations:

None specified.

See Also:

ParseSyslog