FCEFPARSER

Parses ArcSight Common Event Format (CEF) log files.

Parses ArcSight Common Event Format (CEF) log files. The fcefparser loads values directly into any table column with a column name that matches a source data key. The parser stores the data loaded into a flex table in a single VMap.

Syntax

FAVROPARSER ( [parameter-name='value'[,...]] )

Parameters

delimiter

Single-character delimiter.

Default: ' '

record_terminator

Single-character record terminator.

**Default ****value: **newline

trim

Boolean, specifies whether to trim white space from header names and key values.

Default: true

reject_on_unescaped_delimiter

Boolean, specifies whether to reject rows containing unescaped delimiters. The CEF standard does not permit them.

Default: false

Examples

The following example illustrates creating a sample flex table for CEF data, with two real columns, eventId and priority.

  1. Create a flex table cefdata:

    => create flex table cefdata();
    CREATE TABLE
    
  2. Load some basic CEF data, using the flex parser fcefparser:

    => copy cefdata from stdin parser fcefparser();
    Enter data to be copied followed by a newline.
    End with a backslash and a period on a line by itself.
    >> CEF:0|ArcSight|ArcSight|2.4.1|machine:20|New alert|High|
    >> \.
    
  3. Use the maptostring() function to view the contents of your cefdata flex table:

    => select maptostring(__raw__) from cefdata;
                      maptostring
    -------------------------------------------------------------
     {
       "deviceproduct" : "ArcSight",
       "devicevendor" : "ArcSight",
       "deviceversion" : "2.4.1",
       "name" : "New alert",
       "severity" : "High",
       "signatureid" : "machine:20",
       "version" : "0"
    }
    
    
    (1 row)
    
  4. Select some virtual columns from the cefdata flex table:

    
    = select deviceproduct, severity, deviceversion from cefdata;
     deviceproduct | severity | deviceversion
    ---------------+----------+---------------
     ArcSight      | High     | 2.4.1
    (1 row)
    

    For more information, see Common event format (CEF) data

    See also