Description:
Parses the contents of a CEF-formatted message and adds attributes to the FlowFile for the header fields and extensions of the CEF message. Note: This Processor expects CEF messages WITHOUT the syslog headers (i.e. starting at “CEF:0”).
Tags:
logs, cef, attributes, system, event, message
Properties:
In the list below, the names of required properties appear in bold. Any other properties (not in bold) are considered optional. The table also indicates any default values.
Name | Default Value | Allowable Values | Description |
Parsed fields destination | flowfile-content | flowfile-content, flowfile-attribute | Indicates whether the results of the CEF parser are written to the FlowFile content or a FlowFile attribute; if using flowfile-attribute, fields will be populated as attributes. If set to flowfile-content, the CEF extension field will be converted into a flat JSON object. |
Append raw message to JSON | true | | When using flowfile-content (i.e. JSON output), add the original CEF message to the resulting JSON object. The original message is added as a string to _raw. |
Timezone | Local Timezone (system Default) | UTC, Local Timezone (system Default) | Timezone to be used when representing date fields. UTC will convert all dates to UTC, while Local Timezone will convert them to the timezone used by NiFi. |
Relationships:
Name | Description |
success | Any FlowFile that is successfully parsed as a CEF message will be transferred to this Relationship. |
failure | Any FlowFile that could not be parsed as a CEF message will be transferred to this Relationship without any attributes being added. |
Reads Attributes:
None specified.
Writes Attributes:
Name | Description |
cef.header.version | The version of the CEF message. |
cef.header.deviceVendor | The Device Vendor of the CEF message. |
cef.header.deviceProduct | The Device Product of the CEF message. |
cef.header.deviceVersion | The Device Version of the CEF message. |
cef.header.deviceEventClassId | The Device Event Class ID of the CEF message. |
cef.header.name | The name of the CEF message. |
cef.header.severity | The severity of the CEF message. |
cef.extension.* | The key and value generated by the parsing of the message. |
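An added illustration, not NiFi's own code or the parser the processor uses: a minimal Python sketch of how a CEF line maps onto the cef.header.* and cef.extension.* attribute names above, including removal of the syslog header that the processor does not accept. The function names, the escape handling and the sample event are assumptions constructed for this example.

```python
import re

# Header attribute names as listed under "Writes Attributes" on this page.
HEADER = ["version", "deviceVendor", "deviceProduct", "deviceVersion",
          "deviceEventClassId", "name", "severity"]
_CEF_START = re.compile(r"CEF:\d+\|")
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\[\]-]+)=")

def strip_syslog_header(line):
    """Return the line from 'CEF:<version>|' onward, or None if absent."""
    m = _CEF_START.search(line)
    return line[m.start():] if m else None

def _split_unescaped(body, max_splits):
    """Split on '|' characters that are not backslash-escaped."""
    parts, cur, i = [], "", 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            cur += body[i:i + 2]          # keep the escape pair for _unescape
            i += 2
        elif body[i] == "|" and len(parts) < max_splits:
            parts.append(cur)
            cur = ""
            i += 1
        else:
            cur += body[i]
            i += 1
    return parts + [cur]

def _unescape(value):
    # Resolve \| \= \\ to the literal character and \n to a newline.
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), value)

def parse_cef(message):
    """Return a dict of cef.header.* / cef.extension.* attributes, or None."""
    if not _CEF_START.match(message):
        return None                        # e.g. syslog header still present
    parts = _split_unescaped(message[4:], 7)
    if len(parts) < 8:
        return None                        # header not terminated by seven '|'
    attrs = {"cef.header." + k: _unescape(v) for k, v in zip(HEADER, parts)}
    ext = parts[7]
    keys = list(_EXT_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        attrs["cef.extension." + m.group(1)] = _unescape(ext[m.end():end].rstrip())
    return attrs

# Constructed sample: a syslog-wrapped CEF event with escaped '|' and '='.
SAMPLE = (r"<134>Feb 14 10:21:07 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|100|"
          r"Blocked \| dropped|5|src=10.0.0.5 dst=192.0.2.10 msg=rule deny\=all matched")
```

In this sketch, parse_cef(SAMPLE) returns None because the syslog header is still present; parse_cef(strip_syslog_header(SAMPLE)) returns the attribute dictionary.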
State management:
This component does not store state.
Restricted:
This component is not restricted.