CEF codec unable to set dynamic fields

wanglin · September 24, 2025, 3:34am

I am using the Logstash CEF Output plugin and wish to add fields dyanmically. Below is my sample code:

output {
  udp {
    port => 514
    codec => cef {
      ...
      fields => ["cef_fields"]
    }
  }
}

I populated cef_fields with the list of fields that I want to be present in the CEF string but so far It does not obtain the values of the keys in cef_fields, but only displays the keys.

Issue is similar to CEF codec does not resolve extended fields but this was posted in 2018 and was wondering there was any new updates to this.

Any help will be greatly appreciated. Thank you!

Badger · September 24, 2025, 2:00pm

No, nothing has changed. The fields option is an array that lists the fields that should be encoded in the CEF output. The codec does not sprintf it, so it cannot be a field reference.

Topic		Replies	Views
CEF codec does not resolve extended fields Logstash	2	2808	October 10, 2018
Logstash CEF codec Logstash	4	1653	July 6, 2017
Outdated Documentation Logstash	1	249	July 7, 2020
Incomplete parsing by CEF codec? Logstash	1	906	December 26, 2017
Filter cef Logstash	7	6522	June 14, 2019

CEF codec unable to set dynamic fields

Related topics