Parses the contents of a CEF formatted message and adds attributes to the FlowFile for headers and extensions of the parts of the CEF message. Note: This Processor expects CEF messages WITHOUT the syslog headers (i.e. starting at “CEF:0”


logs, cef, attributes, system, event, message


In the list below, the names of required properties appear in bold. Any other properties (not in bold) are considered optional. The table also indicates any default values.

Name Default Value Allowable Values Description
Parsed fields destination flowfile-content * flowfile-content
* flowfile-attribute
Indicates whether the results of the CEF parser are written to the FlowFile content or a FlowFile attribute; if using flowfile-attribute, fields will be populated as attributes. If set to flowfile-content, the CEF extension field will be converted into a flat JSON object.
Append raw message to JSON true When using flowfile-content (i.e. JSON output), add the original CEF message to the resulting JSON object. The original message is added as a string to _raw.
Timezone Local Timezone (system Default) * UTC
* Local Timezone (system Default)
Timezone to be used when representing date fields. UTC will convert all dates to UTC, while Local Timezone will convert them to the timezone used by NiFi.


Name Description
success Any FlowFile that is successfully parsed as a CEF message will be transferred to this Relationship.
failure Any FlowFile that could not be parsed as a CEF message will be transferred to this Relationship without any attributes being added.

Reads Attributes:

None specified.

Writes Attributes:

Name Description
cef.header.version The version of the CEF message.
cef.header.deviceVendor The Device Vendor of the CEF message.
cef.header.deviceProduct The Device Product of the CEF message.
cef.header.deviceVersion The Device Version of the CEF message.
cef.header.deviceEventClassId The Device Event Class ID of the CEF message. The name of the CEF message.
cef.header.severity The severity of the CEF message.
cef.extension.* The key and value generated by the parsing of the message.

State management:

This component does not store state.


This component is not restricted.