LEEF

FilterX is an experimental feature currently under development. Feedback is most welcome on Discord and GitHub.

Available in AxoSyslog 4.8.1 and later.

Available in AxoSyslog 4.9 and later.

The parse_leef FilterX function parses messages formatted in the Log Event Extended Format (LEEF).

Both LEEF versions (1.0 and 2.0) are supported. The two differ only in the header: LEEF 2.0 adds an optional sixth header field that names the delimiter used between the extension key-value pairs, whereas LEEF 1.0 always separates them with a tab.

Declaration

Usage: parse_leef(<input-string>, value_separator="=", pair_separator="|")

The first argument is the input message. Optionally, set value_separator (the character between a key and its value) and pair_separator (the string between two key-value pairs) to override their default values.

The value_separator must be a single-character string. The pair_separator may be a string of any length.

Example

The following is a LEEF 1.0 message including the mandatory header fields and custom (extension) fields. Note that it contains no delimiter between sev=5 and cat=anomaly: pairs are split only on the pair separator, never on a second =, so the parser keeps 5cat=anomaly as the value of sev, as the output below shows.

LEEF:1.0|Microsoft|MSExchange|4.0 SP1|15345|src=192.0.2.0 dst=172.50.123.1 sev=5cat=anomaly srcPort=81 dstPort=21 usrName=john.smith

The following FilterX expression parses it and converts it into JSON format:

filterx {
    ${PARSED_MESSAGE} = json(parse_leef(${MESSAGE}));
};

The content of the JSON object for this message will be:

{
    "version": "1.0",
    "vendor": "Microsoft",
    "product_name": "MSExchange",
    "product_version": "4.0 SP1",
    "event_id": "15345",
    "extensions": {
        "src": "192.0.2.0",
        "dst": "172.50.123.1",
        "sev": "5cat=anomaly",
        "srcPort": "81",
        "dstPort": "21",
        "usrName": "john.smith"
    }
}
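To make the parsing rules concrete, here is a stand-alone Python LEEF parser written for this page as an added example. It is not AxoSyslog's parse_leef implementation, but it produces the same field names and nesting as the output above, and it goes a little beyond the example: it handles the LEEF 2.0 delimiter field (literal or hex-coded), backslash-escaped pipes in header fields, and the configurable separators. The two sample messages are constructed for this example; the second one's vendor and product names are made up. Unlike the page's function, this example defaults the pair separator to the tab that LEEF 1.0 specifies, so pass it explicitly when comparing behaviour.

```python
"""Minimal LEEF 1.0/2.0 parser (added example; not AxoSyslog's parse_leef).

Output shape mirrors this page: five header fields plus an "extensions" dict.
"""
import json
import re

# LEEF 1.0 separates extension pairs with a tab. LEEF 2.0 may name another
# delimiter in a sixth header field, either literally ("^") or hex-coded
# ("0x5e" / "x5e"). An explicit pair_separator argument always wins.
DEFAULT_PAIR_SEPARATOR = "\t"
_HEX_DELIMITER = re.compile(r"^0?x([0-9A-Fa-f]{2,4})$")

# Constructed sample messages. The first reproduces the page's example,
# including the missing delimiter between sev=5 and cat=anomaly.
SAMPLE_LEEF1 = ("LEEF:1.0|Microsoft|MSExchange|4.0 SP1|15345|"
                "src=192.0.2.0\tdst=172.50.123.1\tsev=5cat=anomaly\t"
                "srcPort=81\tdstPort=21\tusrName=john.smith")
# LEEF 2.0 with an escaped pipe in the vendor field and a "^" delimiter.
SAMPLE_LEEF2 = ("LEEF:2.0|Example\\|Corp|Edge Firewall|2.1|4007|^|"
                "src=192.0.2.0^dst=172.50.123.1^sev=5^cat=anomaly")


def _take_fields(text, count):
    """Consume `count` pipe-terminated fields from the front of `text`,
    treating a backslash-escaped pipe as a literal '|'.
    Returns (fields, remainder)."""
    fields, current, i = [], [], 0
    while i < len(text) and len(fields) < count:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] == "|":
            current.append("|")
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if len(fields) < count:
        raise ValueError("truncated LEEF header")
    return fields, text[i:]


def _leef2_delimiter(rest):
    """Recognise an optional LEEF 2.0 delimiter field at the start of `rest`.
    Returns (delimiter, attributes) or (None, rest) if no such field exists."""
    idx = rest.find("|")
    if idx < 0:
        return None, rest
    candidate = rest[:idx]
    if len(candidate) == 1:
        return candidate, rest[idx + 1:]
    match = _HEX_DELIMITER.match(candidate)
    if match:
        return chr(int(match.group(1), 16)), rest[idx + 1:]
    return None, rest


def parse_leef(message, value_separator="=", pair_separator=None):
    """Parse a LEEF 1.0 or 2.0 message into a dict shaped like the page's JSON."""
    if len(value_separator) != 1:
        raise ValueError("value_separator must be a single character")
    if not message.startswith("LEEF:"):
        raise ValueError("not a LEEF message")
    header, rest = _take_fields(message[len("LEEF:"):], 5)
    version, vendor, product, product_version, event_id = header
    if version not in ("1.0", "2.0"):
        raise ValueError("unsupported LEEF version %r" % version)

    delimiter = pair_separator
    if version == "2.0":
        declared, rest = _leef2_delimiter(rest)
        if declared is not None and pair_separator is None:
            delimiter = declared
    if delimiter is None:
        delimiter = DEFAULT_PAIR_SEPARATOR

    # Split pairs on the delimiter only; each pair is split on the FIRST
    # value separator, so "sev=5cat=anomaly" stays a single value for "sev".
    extensions = {}
    for pair in rest.split(delimiter):
        key, sep, value = pair.partition(value_separator)
        if sep:  # tokens without a value separator are dropped
            extensions[key] = value

    return {
        "version": version,
        "vendor": vendor,
        "product_name": product,
        "product_version": product_version,
        "event_id": event_id,
        "extensions": extensions,
    }


if __name__ == "__main__":
    print(json.dumps(parse_leef(SAMPLE_LEEF1), indent=4))
    print(json.dumps(parse_leef(SAMPLE_LEEF2), indent=4))
```

Running the module prints both parsed messages as JSON; the first reproduces the object shown above, including "sev": "5cat=anomaly". Ingest pipelines that key detections on cat or sev should therefore validate those fields after parsing rather than assume a well-formed sender.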