IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Decode Base64 fields Decode CSV fields »
Elastic Docs Filebeat Reference [7.9] Configure Filebeat Filter and enhance data with processors

Decode CEF

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Decode CEF

edit

The decode_cef processor decodes Common Event Format (CEF) messages. This processor is available in Filebeat.

Below is an example configuration that decodes the message field as CEF after renaming it to event.original. It is best to rename message to event.original because the decoded CEF data contains its own message field.

processors:
  - rename:
      fields:
        - {from: "message", to: "event.original"}
  - decode_cef:
      field: event.original

The decode_cef processor has the following configuration settings.

Table 1. Decode CEF options

Name Required Default Description

field

no

message

Source field containing the CEF message to be parsed.

target_field

no

cef

Target field where the parsed CEF object will be written.

ecs

no

true

Generate Elastic Common Schema (ECS) fields from the CEF data. Certain CEF header and extension values will be used to populate ECS fields.

ignore_missing

no

false

Ignore errors when the source field is missing.

ignore_failure

no

false

Ignore failures when the source field does not contain a CEF message.

id

no

An identifier for this processor instance. Useful for debugging.

« Decode Base64 fields Decode CSV fields »