The Cribl Pack for Common Event Format (CEF) and Log Event Extended Format (LEEF) reshapes CEF and LEEF messages into formats that consuming systems can process easily, for example CEF/LEEF to JSON. It can also map the custom string (csN) and custom number (cnN) field values together with their csNLabel/cnNLabel labels into named fields.
The pack turns this:
cs4=103.6.32.100 cs4Label=clientIPAddress
into this:
clientIPAddress=103.6.32.100
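As an added worked example that is not part of this README or of the pack (the pack itself is Cribl pipeline configuration, not Python), the following parser shows the transformation described above end to end: it parses a CEF or LEEF v1/v2 message, folds csN/cnN values and their csNLabel/cnNLabel labels into named fields, and renders the result as JSON, K=V or CEF, the three output styles the install steps list. It goes a little beyond the README by also handling the cfp and flex* custom slots, escaped pipes, equals signs and backslashes, a syslog prefix in front of the CEF:/LEEF: marker, and the LEEF 2.0 delimiter field. The function names, the conversion of cnN values to numbers and the exact shape of the CEF-like output are this example's own choices, and all sample messages are constructed.

```python
"""Added example, not the pack's own code: parse CEF/LEEF, fold csN/cnN + label pairs, render."""
import json
import re

_FIELD = re.compile(r'((?:\\.|[^\\|])*)\|')  # one header field up to an unescaped pipe
# CEF extension key=value; values may hold spaces, so split only before the next " key=".
_KV = re.compile(r'([\w.\-]+)=((?:\\.|[^\\])*?)(?=\s+[\w.\-]+=|\s*$)', re.DOTALL)
# cs/cn (the README's case) plus the other custom slots CEF defines (generalisation added here).
_CUSTOM = re.compile(r'^(cs|cn|cfp|flexString|flexNumber|flexDate)(\d+)(Label)?$')
_NUMERIC = {'cn': int, 'cfp': float, 'flexNumber': float}  # converted to numbers (own choice)
_CEF_HDR = ['cefVersion', 'deviceVendor', 'deviceProduct', 'deviceVersion',
            'deviceEventClassId', 'name', 'severity']
_LEEF_HDR = ['leefVersion', 'deviceVendor', 'deviceProduct', 'deviceVersion', 'eventId']

def _unescape(s):  # \| \= \\ \n \r -> literal characters
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 'r': '\r'}.get(m.group(1), m.group(1)), s)

def _split_header(body, n):
    """First n pipe-delimited header fields of body, plus the remainder (the extension)."""
    fields, pos = [], 0
    for _ in range(n):
        m = _FIELD.match(body, pos)
        if not m:
            raise ValueError('truncated header: expected %d pipe-delimited fields' % n)
        fields.append(_unescape(m.group(1)))
        pos = m.end()
    return fields, body[pos:]

def parse(raw):
    """Parse one CEF or LEEF message (any syslog prefix before CEF:/LEEF: is skipped)."""
    m = re.search(r'\b(CEF|LEEF):', raw)
    if not m:
        raise ValueError('no CEF:/LEEF: marker in message')
    fmt, body = m.group(1), raw[m.end():]
    if fmt == 'CEF':
        hdr, ext = _split_header(body, 7)
        pairs = [(k, _unescape(v)) for k, v in _KV.findall(ext)]
    else:
        hdr, ext = _split_header(body, 5)
        delim = '\t'  # LEEF 1.0 is always tab-delimited
        # LEEF 2.0 may add a delimiter field: one char, or xHH/0xHH hex; empty means tab.
        dm = re.match(r'(0?x[0-9A-Fa-f]{2}|[^|]?)\|', ext) if hdr[0].startswith('2') else None
        if dm:
            d, ext = dm.group(1), ext[dm.end():]
            delim = chr(int(d[d.index('x') + 1:], 16)) if len(d) > 1 else (d or '\t')
        pairs = [tuple(t.split('=', 1)) for t in ext.split(delim) if '=' in t]  # LEEF has no escapes
    event = dict(zip(_CEF_HDR if fmt == 'CEF' else _LEEF_HDR, hdr))
    event.update(pairs)
    return _map_labels(event)

def _map_labels(event):
    """csN=v csNLabel=name -> name=v (likewise cn/cfp/flex*), dropping the raw csN/csNLabel keys."""
    out, slots = {}, {}
    for k, v in event.items():
        c = _CUSTOM.match(k)
        if not c:
            out[k] = v
            continue
        kind, idx, is_label = c.groups()
        slots.setdefault(kind + idx, {'kind': kind})['label' if is_label else 'value'] = v
    for base, s in slots.items():
        value, label = s.get('value'), s.get('label')
        if value is not None and s['kind'] in _NUMERIC:
            try:
                value = _NUMERIC[s['kind']](value)
            except ValueError:
                pass  # malformed number: keep the raw string rather than dropping the field
        if value is not None and label and label not in out:
            out[label] = value
        else:  # no label, no value, or label collides with a real field: keep the raw keys
            if value is not None:
                out[base] = value
            if label:
                out[base + 'Label'] = label
    return out

def _esc_ext(v):  # CEF extension escaping, also used for the K=V rendering
    return str(v).replace('\\', '\\\\').replace('=', '\\=').replace('\n', '\\n').replace('\r', '\\r')
def to_json(event):
    return json.dumps(event, sort_keys=True)
def to_kv(event):
    return ' '.join('%s=%s' % (k, _esc_ext(v)) for k, v in event.items())

def to_cef(event):
    """Re-emit as CEF with labelled fields in the extension (assumed 'CEF-like' shape; LEEF eventId
    fills the event class ID slot)."""
    e = dict(event)
    e.setdefault('deviceEventClassId', e.get('eventId', ''))
    hdr = '|'.join(str(e.get(k, '')).replace('\\', '\\\\').replace('|', '\\|') for k in _CEF_HDR[1:])
    skip = set(_CEF_HDR) | set(_LEEF_HDR)
    ext = ' '.join('%s=%s' % (k, _esc_ext(v)) for k, v in e.items() if k not in skip)
    return 'CEF:%s|%s|%s' % (e.get('cefVersion', '0'), hdr, ext)

# Constructed samples: syslog-wrapped CEF with an escaped pipe plus escaped '=' and backslash in
# msg; LEEF 1.0 (tab-delimited); LEEF 2.0 with a hex-encoded '^' delimiter.
SAMPLE_CEF = ('<134>Oct 10 12:00:00 fw01 CEF:0|Security|threat\\|manager|1.0|100|worm successfully '
              'stopped|10|src=10.0.0.1 dst=2.1.2.2 cs4=103.6.32.100 cs4Label=clientIPAddress '
              'cn1=42 cn1Label=retryCount msg=path c:\\\\temp a\\=b')
SAMPLE_LEEF1 = 'LEEF:1.0|QRadar|QRM|1.0|Login|src=10.0.0.1\tusrName=alice\tcn1=3\tcn1Label=loginAttempts'
SAMPLE_LEEF2 = 'LEEF:2.0|Palo Alto|PAN-OS|9.1|THREAT|x5e|src=10.0.0.5^cat=vulnerability^cs1=ANY^cs1Label=signatureId'
```

parse(SAMPLE_CEF) returns a dict in which cs4/cs4Label have become clientIPAddress=103.6.32.100 and cn1/cn1Label have become retryCount=42; to_json, to_kv and to_cef render that dict in the three output styles. One check worth keeping in any such mapper: a label that collides with a field already present (cs1Label=src next to a real src) must not overwrite the original, so the example keeps the raw cs1/cs1Label keys in that case instead of letting a device-controlled label clobber the field a detection rule reads.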
- Get the bits.
  - Download the most recent .crbl file from the repo releases page.
  - -or- Install in LogStream via the GitHub URL for this pack: https://github.com/criblpacks/cribl-common-event-format.git
- Create a Route with a filter for your CEF events, or use the pack as a pre-processing pipeline on the Syslog Source.
- Select the CEF/LEEF Syslog Pack pack as the pipeline.
- Configure the pack's cef_processor and/or leef_processor pipeline with the desired output format. K=V, JSON, and CEF-like are pre-configured output options; enable one of these function groups. If no output configuration is enabled, the pipeline behaves much like the "passthru" pipeline and events are passed on unchanged.
- Add LEEF v1 and v2 processing pipeline
- Initial release
Discuss this pack on our Community Slack channel #packs.
The author of this pack is Brendan Dalpe and can be contacted at bdalpe@cribl.io.
This Pack uses the following license: Apache 2.0.