CEF codec does not resolve extended fields

I didn't get an answer from the experts, but I did consult with others who have used the CEF codec before. The consensus was that passing an object as the fields parameter does not work. I suspect this is related to some weirdness with the event API not implementing an event field value which contains an array in a way that the actual array is passed to the CEF codec (which is what the codec code expects).

Thankfully, though, if you hard-code a valid CEF key in the fields array but the CEF key isn’t present as a root event field, then the codec just skips over it. So the solution is just to include all the keys (or all keys that may be used in your solution) in the fields array and then selectively map the fields you want to the event.

The valid CEF keys can be found in the codec's GitHub repository. Just search for ‘MAPPINGS’.

Here’s what my output looks like now:

output {
    if [type] == "domain_controller" {
        udp {
            id => "arcsight_connector"
            host => "1.2.3.4"
            port => 514
            codec => cef {
                delimiter   => " "
                vendor      => "%{device_vendor}"
                product     => "%{device_product}"
                version     => "%{device_version}"
                severity    => "%{device_severity}"
                signature   => "%{device_signature}"
                name        => "%{os_event_description}"
                fields      => [
                    "dvchost",
                    "duser",
                    "dntdom",
                    "cs5",
                    "cs4",
                    "shost",
                    "cs6",
                    "cs3",
                    "cs1",
                    "src",
                    "duid",
                    "cn1",
                    "fname",
                    "sntdom",
                    "deviceProcessName",
                    "suid",
                    "destinationServiceName",
                    "dpriv",
                    "spt",
                    "susr",
                    "cs2",
                    "dproc"
                ]
            }
        }
    }
}
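To make the behaviour the post relies on concrete, here is an added example (not the Logstash CEF codec's own code) of a minimal CEF encoder: it walks the same list of extension keys, emits only those present in the event, and applies the escaping CEF requires for header and extension values. The event hash, vendor/product values and the `encode_cef` helper are constructed for this illustration.

```ruby
# Extension keys to try, in the same order as the `fields` array above.
# Keys absent from the event are skipped, which is why listing every
# key you might ever use is harmless.
FIELDS = %w[dvchost duser dntdom cs5 cs4 shost cs6 cs3 cs1 src duid cn1 fname
            sntdom deviceProcessName suid destinationServiceName dpriv spt
            susr cs2 dproc].freeze

# CEF header values must escape '|' and '\' (block form so the backslash is literal).
def escape_header(value)
  value.to_s.gsub(/[\\|]/) { |m| "\\#{m}" }
end

# CEF extension values must escape '=' and '\'; newlines become the two-character
# sequences \n and \r so the record stays on one line.
def escape_extension(value)
  value.to_s.gsub(/[\\=]/) { |m| "\\#{m}" }
       .gsub("\n") { '\n' }
       .gsub("\r") { '\r' }
end

# Builds one CEF line: header fields are taken from fixed event keys (as the
# codec options above do via %{...} references), the extension is built from
# whichever FIELDS keys the event actually carries.
def encode_cef(event, fields = FIELDS)
  header = [
    'CEF:0',
    escape_header(event.fetch('device_vendor', '')),
    escape_header(event.fetch('device_product', '')),
    escape_header(event.fetch('device_version', '')),
    escape_header(event.fetch('device_signature', '')),
    escape_header(event.fetch('os_event_description', '')),
    escape_header(event.fetch('device_severity', ''))
  ].join('|')

  extension = fields.select { |k| event.key?(k) }
                    .map { |k| "#{k}=#{escape_extension(event[k])}" }
                    .join(' ')

  "#{header}|#{extension}"
end

# Constructed sample event: only five of the listed extension keys are present,
# and cs1 contains an '=' that must be escaped.
SAMPLE_EVENT = {
  'device_vendor'        => 'ExampleCorp',
  'device_product'       => 'Windows Audit',
  'device_version'       => '1.0',
  'device_severity'      => '5',
  'device_signature'     => '4624',
  'os_event_description' => 'An account was successfully logged on',
  'dvchost' => 'dc01.corp.example',
  'duser'   => 'alice',
  'dntdom'  => 'CORP',
  'src'     => '10.0.0.5',
  'cs1'     => 'Logon Type=2'
}.freeze

puts encode_cef(SAMPLE_EVENT) if $PROGRAM_NAME == __FILE__
```

Running it prints a single line beginning `CEF:0|ExampleCorp|Windows Audit|1.0|4624|...` whose extension carries only `dvchost`, `duser`, `dntdom`, `cs1` and `src`; the unused keys such as `cs5` never appear, and `cs1=Logon Type\=2` shows the mandatory escaping of `=` inside a value. On the receiving side this is the property to check when tuning a parser: an unescaped `=` or `|` in a value silently shifts every field after it.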