Parses the contents of a CEF-formatted message and adds attributes to the FlowFile for the headers and extensions of the CEF message. Note: This Processor expects CEF messages WITHOUT the syslog headers (i.e. starting at "CEF:0").
logs, cef, attributes, system, event, message
In the list below, the names of required properties appear in bold. Any other properties (not in bold) are considered optional. The table also indicates any default values.
| Display Name | API Name | Default Value | Allowable Values | Description |
|---|---|---|---|---|
| Parsed fields destination | FIELDS_DESTINATION | flowfile-content | | Indicates whether the results of the CEF parser are written to the FlowFile content or a FlowFile attribute; if using flowfile-attribute, fields will be populated as attributes. If set to flowfile-content, the CEF extension field will be converted into a flat JSON object. |
| Append raw message to JSON | APPEND_RAW_MESSAGE_TO_JSON | true | | When using flowfile-content (i.e. JSON output), add the original CEF message to the resulting JSON object. The original message is added as a string to _raw. |
| Include custom extensions | INCLUDE_CUSTOM_EXTENSIONS | false | | If set to true, custom extensions (not specified in the CEF specifications) will be included in the generated data/attributes. |
| Accept empty extensions | ACCEPT_EMPTY_EXTENSIONS | false | | If set to true, empty extensions will be accepted and will be associated to a null value. |
| Timezone | TIME_REPRESENTATION | Local Timezone (system Default) | | Timezone to be used when representing date fields. UTC will convert all dates to UTC, while Local Timezone will convert them to the timezone used by NiFi. |
| DateTime Locale | DATETIME_REPRESENTATION | en-US | | The IETF BCP 47 representation of the Locale to be used when parsing date fields with long or short month names (e.g. may <en-US> vs. mai. <fr-FR>). The default value is generally safe. Only change if having issues parsing CEF messages. |

| Name | Description |
|---|---|
| success | Any FlowFile that is successfully parsed as a CEF message will be transferred to this Relationship. |
| failure | Any FlowFile that could not be parsed as a CEF message will be transferred to this Relationship without any attributes being added. |

| Name | Description |
|---|---|
| cef.header.version | The version of the CEF message. |
| cef.header.deviceVendor | The Device Vendor of the CEF message. |
| cef.header.deviceProduct | The Device Product of the CEF message. |
| cef.header.deviceVersion | The Device Version of the CEF message. |
| cef.header.deviceEventClassId | The Device Event Class ID of the CEF message. |
| cef.header.name | The name of the CEF message. |
| cef.header.severity | The severity of the CEF message. |
| cef.extension.* | The key and value generated by the parsing of the message. |
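The mapping from a raw CEF line to the `cef.header.*` and `cef.extension.*` names listed above can be illustrated with a short Python sketch. This is an added example, not NiFi's code: `parse_cef`, `_split_header` and `SAMPLE` are hypothetical names, a `None` return stands in for the failure relationship, and treating an empty extension as a failure when `accept_empty` is false is an assumption. It does not convert dates or tell custom extensions apart from standard ones.

```python
import re

HEADER_KEYS = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
               "deviceEventClassId", "name", "severity")
_KEY = re.compile(r"(?:^|\s)(\w+)=")   # extension key: a word directly before "="
_ESC = re.compile(r"\\(.)")            # CEF escapes: \| \= \\ \n

def _split_header(body, n):
    """Split off n header fields at unescaped '|'; return (fields, remainder)."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < n:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            buf.append(body[i + 1])    # escaped character is kept literally
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return fields, body[i:]

def parse_cef(raw, accept_empty=False, append_raw=True):
    """Return a flat dict of cef.header.* / cef.extension.* keys, or None on failure."""
    if not raw.startswith("CEF:"):     # e.g. a syslog header is still attached
        return None
    fields, ext = _split_header(raw[4:], len(HEADER_KEYS))
    if len(fields) != len(HEADER_KEYS):
        return None
    out = {"cef.header." + k: v for k, v in zip(HEADER_KEYS, fields)}
    hits = list(_KEY.finditer(ext))
    for m, nxt in zip(hits, hits[1:] + [None]):
        value = ext[m.end():nxt.start() if nxt else len(ext)].strip()
        if not value:
            if not accept_empty:       # assumption: treated as a parse failure
                return None
            value = None
        else:
            value = _ESC.sub(lambda e: "\n" if e.group(1) == "n" else e.group(1), value)
        out["cef.extension." + m.group(1)] = value
    if append_raw:
        out["_raw"] = raw
    return out

# Constructed sample: escaped "|" in the header, escaped "=" and an empty value in the extension.
SAMPLE = (r"CEF:0|ExampleVendor|Example\|Product|1.0|100|Login failed|5|"
          r"src=192.0.2.10 suser=alice msg=bad password for user\=alice spt=")
```

Splitting naively on every `|` or `=` would shift field boundaries whenever a value contains an escaped delimiter, which is why the sketch honours the backslash escapes before assigning names.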