Parses the contents of a CEF formatted message and adds attributes to the FlowFile for the headers and extensions of the CEF message. Note: this Processor expects CEF messages WITHOUT the syslog headers (i.e. starting at "CEF:0").
logs, cef, attributes, system, event, message
In the list below, the names of required properties appear in bold. Any other properties (not in bold) are considered optional. The table also indicates any default values.
Display Name | API Name | Default Value | Allowable Values | Description
---|---|---|---|---
Parsed fields destination | FIELDS_DESTINATION | flowfile-content | flowfile-content, flowfile-attribute | Indicates whether the results of the CEF parser are written to the FlowFile content or to FlowFile attributes. If set to flowfile-attribute, the fields are populated as attributes. If set to flowfile-content, the CEF extension field is converted into a flat JSON object.
Append raw message to JSON | APPEND_RAW_MESSAGE_TO_JSON | true | true, false | When using flowfile-content (i.e. JSON output), add the original CEF message to the resulting JSON object. The original message is added as a string under the key _raw.
Include custom extensions | INCLUDE_CUSTOM_EXTENSIONS | false | true, false | If set to true, custom extensions (not specified in the CEF specification) are included in the generated data/attributes.
Accept empty extensions | ACCEPT_EMPTY_EXTENSIONS | false | true, false | If set to true, empty extensions are accepted and associated with a null value.
Validate the CEF event | VALIDATE_DATA | true | true, false | If set to true, the event is validated against the CEF standard (revision 23). If the event is invalid, the FlowFile is routed to the failure relationship. If set to false, the event is processed without validating the data.
Timezone | TIME_REPRESENTATION | Local Timezone (system Default) | UTC, Local Timezone (system Default) | Timezone to be used when representing date fields. UTC converts all dates to UTC, while Local Timezone converts them to the timezone used by NiFi.
DateTime Locale | DATETIME_REPRESENTATION | en-US | | The IETF BCP 47 representation of the Locale to be used when parsing date fields with long or short month names (e.g. "may" in en-US vs. "mai." in fr-FR). The default value is generally safe; only change it if you have issues parsing CEF messages.
Name | Description |
---|---|
success | Any FlowFile that is successfully parsed as a CEF message will be transferred to this Relationship. |
failure | Any FlowFile that could not be parsed as a CEF message will be transferred to this Relationship without any attributes being added. |
Name | Description |
---|---|
cef.header.version | The version of the CEF message. |
cef.header.deviceVendor | The Device Vendor of the CEF message. |
cef.header.deviceProduct | The Device Product of the CEF message. |
cef.header.deviceVersion | The Device Version of the CEF message. |
cef.header.deviceEventClassId | The Device Event Class ID of the CEF message. |
cef.header.name | The name of the CEF message. |
cef.header.severity | The severity of the CEF message. |
cef.extension.* | The key and value generated by the parsing of the message. |
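To make concrete what the parsing and the two output modes above amount to, here is an added Python example written for this page; it is not NiFi's own ParseCEF code. It applies the CEF header escaping rules (`\|` and `\\`) and extension escaping rules (`\=`, `\\`, `\n`, `\r`), mirrors the VALIDATE_DATA, INCLUDE_CUSTOM_EXTENSIONS, ACCEPT_EMPTY_EXTENSIONS and APPEND_RAW_MESSAGE_TO_JSON options, and emits the cef.header.* and cef.extension.* attribute names listed in the table. The sample message, the small subset of standard extension keys, the severity checks, and the header/extension/_raw JSON layout are assumptions made for the example.

```python
import json
import re

# Constructed sample message (no syslog prefix): an escaped '|' in the header,
# an escaped '=' and a multi-word value in the extension, and a non-standard key.
SAMPLE_CEF = (
    r"CEF:0|Security|threatmanager|1.0|100|worm successfully \| stopped|10|"
    r"src=10.0.0.1 dst=2.1.2.2 spt=1232 msg=User login\=failed from console myCustomKey=abc"
)

HEADER_NAMES = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
                "deviceEventClassId", "name", "severity")
# Constructed subset of the CEF extension dictionary; any other key counts as "custom".
STANDARD_EXTENSION_KEYS = {"src", "dst", "spt", "dpt", "msg", "act", "cs1", "cs2", "cs3", "rt"}
SEVERITY_WORDS = {"Low", "Medium", "High", "Very-High"}
_EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


class CefParseError(ValueError):
    """Raised for messages that would be routed to the failure relationship."""


def _split_header(text):
    """Split the first 7 pipe-delimited header fields, honouring \\| and \\\\ escapes.
    Returns the fields and the untouched remainder (the raw extension string)."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            buf.append(text[i + 1])  # escaped separator or backslash is literal
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) < 7:
        raise CefParseError("fewer than 7 header fields")
    return fields, text[i:]


def _unescape_extension(value):
    return re.sub(r"\\(.)", lambda m: _EXT_ESCAPES.get(m.group(1), m.group(0)), value, flags=re.DOTALL)


def _parse_extension(raw, accept_empty):
    """The extension is 'key=value' pairs separated by spaces; values may contain
    spaces, so a value runs until the next whitespace-preceded 'key=' token."""
    keys = list(re.finditer(r"(?:^|(?<=\s))(\w+)=", raw))
    if raw.strip() and not keys:
        raise CefParseError("extension is not key=value pairs")
    ext = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(raw)
        value = _unescape_extension(raw[m.end():end].rstrip())
        if value == "":
            if not accept_empty:
                raise CefParseError(f"empty extension '{m.group(1)}'")
            value = None  # ACCEPT_EMPTY_EXTENSIONS=true: associate a null value
        ext[m.group(1)] = value
    return ext


def parse_cef(message, validate=True, include_custom=False, accept_empty=False):
    """Parse one CEF message into header and extension dicts."""
    if not message.startswith("CEF:"):
        raise CefParseError("message must start at 'CEF:' (strip any syslog header first)")
    fields, raw_ext = _split_header(message)
    fields[0] = fields[0][len("CEF:"):]
    header = dict(zip(HEADER_NAMES, fields))
    if validate:  # simplified stand-in for the processor's revision-23 validation
        if not header["version"].isdigit():
            raise CefParseError("CEF version is not numeric")
        sev = header["severity"]
        if not ((sev.isdigit() and 0 <= int(sev) <= 10) or sev in SEVERITY_WORDS):
            raise CefParseError(f"invalid severity '{sev}'")
    extension = _parse_extension(raw_ext, accept_empty)
    if not include_custom:
        extension = {k: v for k, v in extension.items() if k in STANDARD_EXTENSION_KEYS}
    return {"header": header, "extension": extension}


def is_valid_cef(message, **options):
    """True if the message would go to success, False if it would go to failure."""
    try:
        parse_cef(message, **options)
        return True
    except CefParseError:
        return False


def to_attributes(parsed):
    """flowfile-attribute mode: cef.header.* and cef.extension.* attribute names."""
    attrs = {f"cef.header.{k}": v for k, v in parsed["header"].items()}
    attrs.update({f"cef.extension.{k}": v for k, v in parsed["extension"].items()})
    return attrs


def to_json(parsed, raw_message, append_raw=True):
    """flowfile-content mode; the header/extension/_raw layout is an assumption."""
    obj = {"header": parsed["header"], "extension": parsed["extension"]}
    if append_raw:
        obj["_raw"] = raw_message
    return json.dumps(obj, sort_keys=True)


if __name__ == "__main__":
    parsed = parse_cef(SAMPLE_CEF, include_custom=True)
    for k, v in sorted(to_attributes(parsed).items()):
        print(f"{k} = {v!r}")
    print(to_json(parsed, SAMPLE_CEF))
```

Running the script prints the attribute view (note that the escaped pipe survives inside cef.header.name and the escaped `=` inside cef.extension.msg) followed by the JSON view with the original message under _raw; a message that still carries its syslog prefix, or one whose severity is not a 0-10 integer or one of the named levels, is reported as a failure case instead.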