CEF codec plugin


I'd like to use the CEF codec as a filter plugin - is this possible?

In a similar way to how you have a json input codec and a json filter plugin, I would like to check that the message is a CEF message and process it appropriately.

The reason for this is that we have rsyslog set up on a box to pass messages in CEF format to Logstash, but though we are getting valid CEF messages, there appear to be a lot of parsing errors. Looking at the errors, they indicate some messages don't have a CEF version field being passed.

I'd like to be able to filter these out, parse only the ones that do have the correct format, and look at the ones that don't separately.

Or is there any way to apply the codec to an input that is communicated to by another pipeline (pipeline-to-pipeline comms)?

i.e. in here:

input { pipeline { address => "cef-decoder" } }

That way I could do my checking/preprocessing in another pipeline before passing to another pipeline for CEF decoding.

Just saw this post - I might be able to do it this way.


No, it is not, but as you have found, you can solve the problem using a tcp connection to a second pipeline (not a pipeline-to-pipeline connection).

Do not be tempted to run both inputs in a single pipeline and make processing conditional.
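A sketch of the two-pipeline layout discussed in this thread, added here as an illustration and not taken from either poster's configuration. The pipeline ids, file paths, ports 5514/5515, tag names and the reject-log path are all assumptions.

```logstash
# pipelines.yml (ids and paths are assumptions):
#   - pipeline.id: cef-precheck
#     path.config: "/etc/logstash/conf.d/cef-precheck.conf"
#   - pipeline.id: cef-decoder
#     path.config: "/etc/logstash/conf.d/cef-decoder.conf"

# ---- cef-precheck.conf: takes raw lines from rsyslog, does no CEF decoding
input {
  tcp { port => 5514 }   # assumed port rsyslog forwards to; default line codec
}
filter {
  # A CEF record carries "CEF:<version>|" ahead of its pipe-delimited header.
  # Lines without it are the ones that make the cef codec report a missing version.
  if [message] =~ /CEF:\d+\|/ {
    mutate { add_tag => ["cef_candidate"] }
  } else {
    mutate { add_tag => ["cef_malformed"] }
  }
}
output {
  if "cef_candidate" in [tags] {
    # Hand the untouched line to the decoder pipeline over loopback TCP
    tcp {
      host  => "127.0.0.1"
      port  => 5515
      codec => line { format => "%{message}" }
    }
  } else {
    # Keep rejected lines so they can be examined separately
    file { path => "/var/log/logstash/cef-rejected.log" }
  }
}

# ---- cef-decoder.conf: the only place the cef codec runs
input {
  tcp {
    host  => "127.0.0.1"   # listen on loopback only
    port  => 5515
    # TCP is a byte stream, so the codec must be told where events end
    codec => cef { delimiter => "\n" }
  }
}
output {
  stdout { codec => rubydebug }   # replace with the real destination
}
```

Binding the decoder's input to 127.0.0.1 keeps the second listener from accepting unchecked lines from other hosts.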
