Hello, How can I parse LEEF data. The format includes | separation in the heard and SPACE separation in Body. Below is a sample event, please advise. The objective is to parse both the LEEF header (LEEF:1.0|Cyber-Ark|Vault|12.2.0002|361|sev=6 ) and rest of the body <5>1 2022-09-14T07:56:47Z WIN09…

Parsing LEEF data

Badger September 14, 2022, 11:48pm 2

I would suggest using a mutate filter to change that into valid CEF and then using a TCP output/input pair with a cef codec on the input as shown here.

Topic		Replies	Views
Incomplete parsing by CEF codec? Logstash	1	892	December 26, 2017
Ingesting leef formatted log into logstash from other sources Logstash	2	1485	February 14, 2018
How to extract the entire value of a complicated field? Logstash	7	440	May 29, 2023
Filtering syslog message Logstash	5	613	August 25, 2021
CEF message parsing Logstash	1	350	December 9, 2022

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.

Parsing LEEF data

Related topics