Skip to content

print_cef

Prints records as Common Event Format (CEF) messages

print_cef(extension:record, cef_version=str, device_vendor=str,
          device_product=str, device_version=str, signature_id=str,
          name=str, severity=str, [flatten_separator=str, null_value=str]) -> str

Description

Section titled “Description”

Prints records as the attributes of a CEF message.

extension: record

Section titled “extension: record”

The record to print as the extension of the CEF message

cef_version = str

Section titled “cef_version = str”

The CEF version in the CEF header.

device_vendor = str

Section titled “device_vendor = str”

The vendor in the CEF header.

device_product = str

Section titled “device_product = str”

The product name in the CEF header.

device_version = str

Section titled “device_version = str”

The product version in the CEF header.

signature_id = str

Section titled “signature_id = str”

The event (class) ID in the CEF header.

name = str

Section titled “name = str”

The name field in the CEF header, i.e. the human readable description.

severity = str

Section titled “severity = str”

The severity in the CEF header.

null_value = str (optional)

Section titled “null_value = str (optional)”

A string to use if any of the values in extension are null.

Defaults to the empty string.

flatten_separator = str (optional)

Section titled “flatten_separator = str (optional)”

A string used to flatten nested records in attributes.

Defaults to ".".

Examples

Section titled “Examples”

Write a CEF

Section titled “Write a CEF”
from {
  extension: {
    a: 42,
    b: "Hello"
  },
  signature_id: "MyCustomSignature",
  severity: "8"
}
r = extension.print_cef(
    cef_version="0",
    device_vendor="Tenzir", device_product="Tenzir Node", device_version="5.5.0",
    signature_id=signature_id, severity=severity,
    name= signature_id + " written by Tenzir"
)
select r
write_lines
CEF:0|Tenzir|Tenzir Node|5.5.0|MyCustomSignature|MyCustomSignature written by Tenzir|8|a=42 b=Hello

Upgrade a nested CEF message in Syslog

Section titled “Upgrade a nested CEF message in Syslog”
from "my.log" {
  read_syslog // produces the expected shape for `write_syslog`
}
// read the message into a structured form
message = message.parse_cef()
// re-write the message with modifications
message = message.extension.print_cef(
  cef_version=message.cef_version,
  device_vendor=message.device_vendor, device_product=message.device_product,
  device_version=message.device_version, signature_id=signature_id, severity="9"
  name=message.name
)
write_syslog

See Also

Section titled “See Also”

parse_cef, read_cef, read_syslog, write_syslog

Last updated: