Filter cef

I was assuming that pipeline inputs and outputs would respect the codec if the user configured one, but that appears not to be the case. However, it works with a tcp input and output.

input { generator { count => 1 lines => [ 'Foo' ] } }
filter {
    mutate { add_field => { cefField => "Jan 18 11:07:53 dsmhost CEF:0|Trend Micro|Deep Security Manager|<DSM version>|600|Administrator Signed In|4|suser=Master randomPiggyBackedData=a1s2d3f4g5" } }
}
output { tcp { host => "localhost" port => 12888 codec => plain { format => "%{cefField}" } } }

and

input { tcp { host => "localhost" port => 12888 codec => cef } }
output { stdout {} }

gets me

           "cefVersion" => "0",
        "deviceVersion" => "<DSM version>",
           "@timestamp" => 2019-05-16T14:27:44.576Z,
   "deviceEventClassId" => "600",
                 "port" => 48406,
       "sourceUserName" => "Master",
                 "name" => "Administrator Signed In",
"randomPiggyBackedData" => "a1s2d3f4g5",
               "syslog" => "Jan 18 11:07:53 dsmhost",
         "deviceVendor" => "Trend Micro",
                 "host" => "localhost",
             "@version" => "1",
        "deviceProduct" => "Deep Security Manager",
             "severity" => "4"

Note the randomPiggyBackedData, which could be all of the other fields encoded. As charlie suggested, you could then decode in the second pipeline so you do not have to join different events together.

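The piggyback idea above, worked through end to end as an added example that is not part of the original post or of Logstash's cef codec: one side serialises the remaining event fields to JSON, base64-encodes them and carries them in a single CEF extension key, the other side parses the CEF line and restores them. The extension key name `piggyBackedData`, the Python implementation and the sample event values are all assumptions made for the illustration; the parser also handles the escaping rules a CEF producer has to respect (`\|` in header fields, `\=` and `\\` in extension values), which matters here because base64 padding is made of `=` characters.

```python
"""Carry extra event fields through a CEF extension key and recover them on parse.

Added example, not code from the original post. The key name PIGGYBACK_KEY is an
assumption; CEF itself does not define such a key.
"""
import base64
import json
import re

# Assumed name of the extension key that carries the encoded fields.
PIGGYBACK_KEY = "piggyBackedData"

# CEF:Version|Vendor|Product|DeviceVersion|EventClassId|Name|Severity|Extension
# Each header field is a run of non-pipe characters or backslash-escaped characters.
_HEADER_RE = re.compile(
    r"^CEF:(\d+)\|" + r"((?:[^|\\]|\\.)*)\|" * 6 + r"(.*)$", re.DOTALL
)
# An extension key starts the extension or follows whitespace and ends at an unescaped '='.
_EXT_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")


def _escape_header(value) -> str:
    """Header fields: backslash and pipe are escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value) -> str:
    """Extension values: backslash, '=' and line breaks are escaped."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def _unescape(value: str) -> str:
    """Undo the escapes above (\\n and \\r become line breaks, \\x becomes x)."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def build_cef(vendor, product, version, event_class_id, name, severity,
              extensions=None, piggyback=None) -> str:
    """Serialise one CEF:0 line. `piggyback` (any JSON-serialisable object) is
    base64-encoded into PIGGYBACK_KEY so the whole bundle is one extension value."""
    header = "|".join(_escape_header(v) for v in
                      (vendor, product, version, event_class_id, name, severity))
    ext = dict(extensions or {})
    if piggyback is not None:
        blob = json.dumps(piggyback, sort_keys=True).encode("utf-8")
        # base64 padding uses '=', which _escape_extension turns into '\='.
        ext[PIGGYBACK_KEY] = base64.b64encode(blob).decode("ascii")
    ext_str = " ".join(f"{k}={_escape_extension(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{ext_str}"


def parse_cef(line: str) -> dict:
    """Parse a CEF:0 line, optionally prefixed by a syslog header, into a dict.
    If PIGGYBACK_KEY is present its JSON payload is decoded into event['piggyback']."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF header")
    m = _HEADER_RE.match(line[idx:])
    if not m:
        raise ValueError("malformed CEF header")
    event = {
        "cefVersion": m.group(1),
        "deviceVendor": _unescape(m.group(2)),
        "deviceProduct": _unescape(m.group(3)),
        "deviceVersion": _unescape(m.group(4)),
        "deviceEventClassId": _unescape(m.group(5)),
        "name": _unescape(m.group(6)),
        "severity": _unescape(m.group(7)),
    }
    if idx:
        event["syslog"] = line[:idx].strip()
    ext = m.group(8)
    keys = list(_EXT_KEY_RE.finditer(ext))
    for i, km in enumerate(keys):
        # A value runs from just after its '=' to the whitespace before the next key.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        event[km.group(1)] = _unescape(ext[km.end():end].strip())
    if PIGGYBACK_KEY in event:
        event["piggyback"] = json.loads(base64.b64decode(event.pop(PIGGYBACK_KEY)))
    return event


if __name__ == "__main__":
    # Constructed sample: the fields that would otherwise be lost ride along in one key.
    extra = {"host": "web01", "tags": ["a", "b"], "note": "x=y|z"}
    line = build_cef("Trend Micro", "Deep Security Manager", "<DSM version>", "600",
                     "Administrator Signed In", 4, {"suser": "Master"}, piggyback=extra)
    print(line)
    print(parse_cef(line))
```

Parsing the exact line from the post yields the same header fields, `suser` and `randomPiggyBackedData` values that the cef codec output shows above, with the leading `Jan 18 11:07:53 dsmhost` kept in `syslog`; only a value under `piggyBackedData` is decoded. If you port this to a Logstash ruby filter on the receiving pipeline, check that the codec you use has already unescaped `\=` before you base64-decode, since the padding is part of the encoded data.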