Zero-dependency CEF (Common Event Format) parser.
Parses ArcSight CEF
log lines into a structured CefRecord.
§Format
CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extensions
The header contains 7 pipe-delimited fields. Pipes in header values are
escaped as \| and backslashes as \\.
Extensions are space-separated key=value pairs where values may contain
spaces. Because a value may itself contain spaces, the boundary between one
value and the next key is found by looking back from each unescaped = to the
preceding space: the characters between that space and the = are the key, and
the previous value ends at that space. A literal = inside a value must
therefore be escaped, or it will be read as the start of a new key. In extension
values, \= is a literal =, \\ is a literal \, \n is a newline, and \r is a
carriage return.
§Syslog wrapping
This parser handles raw CEF only. If CEF arrives inside a syslog
envelope, the caller must strip the syslog prefix first (e.g. by finding
"CEF:" in the line). The find_cef_start helper locates the offset.
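The rules above (header escaping, the look-back boundary between extension values and keys, value unescaping, and stripping a syslog envelope before parsing) carried through in one self-contained parser. This is an added example written for this page, not the rsigma_runtime implementation: the names CefLine, ParseError, parse_cef and the reimplemented find_cef_start, the lenient acceptance of a line that ends after the severity with no trailing pipe, and the sample log line in main are all assumptions made here.

```rust
// Added example for this page: a minimal CEF parser implementing the header escaping
// and look-back extension rule above. Not rsigma_runtime's code; all names are assumed.

#[derive(Debug, PartialEq)]
pub struct CefLine {
    pub version: String, pub device_vendor: String, pub device_product: String,
    pub device_version: String, pub signature_id: String, pub name: String,
    pub severity: String,
    pub extensions: Vec<(String, String)>, // key/value pairs in line order
}

#[derive(Debug, PartialEq)]
pub enum ParseError { MissingPrefix, TooFewHeaderFields(usize) }

pub fn find_cef_start(input: &str) -> Option<usize> { input.find("CEF:") }

const HEADER_ESCAPES: &[(char, char)] = &[('|', '|'), ('\\', '\\')];
const VALUE_ESCAPES: &[(char, char)] = &[('=', '='), ('\\', '\\'), ('n', '\n'), ('r', '\r')];

/// Decode backslash escapes via `table`; unknown escapes are kept verbatim.
fn unescape(raw: &str, table: &[(char, char)]) -> String {
    let (mut out, mut chars) = (String::with_capacity(raw.len()), raw.chars());
    while let Some(c) = chars.next() {
        if c != '\\' { out.push(c); continue; }
        match chars.next().map(|e| (e, table.iter().find(|t| t.0 == e))) {
            Some((_, Some(&(_, rep)))) => out.push(rep),
            Some((e, None)) => { out.push('\\'); out.push(e); }
            None => out.push('\\'),
        }
    }
    out
}

/// Split text after "CEF:" on unescaped pipes: 7 header fields + raw extensions (ASCII scan, UTF-8 safe).
fn split_header(rest: &str) -> Result<(Vec<String>, &str), ParseError> {
    let (mut fields, mut start, mut i) = (Vec::new(), 0, 0);
    while i < rest.len() && fields.len() < 7 {
        match rest.as_bytes()[i] {
            b'\\' => i += 2, // skip the escaped byte
            b'|' => { fields.push(unescape(&rest[start..i], HEADER_ESCAPES)); i += 1; start = i; }
            _ => i += 1,
        }
    }
    if fields.len() == 7 { return Ok((fields, &rest[start..])); }
    if fields.len() == 6 { // lenient: line ends after severity, no trailing pipe
        fields.push(unescape(&rest[start..], HEADER_ESCAPES));
        return Ok((fields, ""));
    }
    Err(ParseError::TooFewHeaderFields(fields.len())) // complete fields seen
}

/// Key starts after the last space before its '=' but never before `lower`.
fn key_start(ext: &str, eq: usize, lower: usize) -> usize {
    ext[..eq].rfind(' ').map_or(0, |s| s + 1).max(lower)
}

/// Values may contain spaces: look back from each unescaped '=' to find its key;
/// the previous value ends at the space before that key.
fn parse_extensions(ext: &str) -> Vec<(String, String)> {
    let (mut eqs, mut i) = (Vec::new(), 0); // byte offsets of unescaped '='
    while i < ext.len() {
        match ext.as_bytes()[i] {
            b'\\' => i += 2,
            b'=' => { eqs.push(i); i += 1; }
            _ => i += 1,
        }
    }
    let mut out = Vec::with_capacity(eqs.len());
    for (n, &eq) in eqs.iter().enumerate() {
        let lower = if n == 0 { 0 } else { eqs[n - 1] + 1 };
        let value_end = match eqs.get(n + 1) {
            Some(&next) => key_start(ext, next, eq + 1).saturating_sub(1).max(eq + 1),
            None => ext.len(),
        };
        out.push((ext[key_start(ext, eq, lower)..eq].to_string(),
                  unescape(&ext[eq + 1..value_end], VALUE_ESCAPES)));
    }
    out
}

pub fn parse_cef(line: &str) -> Result<CefLine, ParseError> {
    let rest = line.strip_prefix("CEF:").ok_or(ParseError::MissingPrefix)?;
    let (fields, ext) = split_header(rest)?;
    let mut f = fields.into_iter();
    let mut next = || f.next().unwrap_or_default(); // split_header guarantees 7
    Ok(CefLine {
        version: next(), device_vendor: next(), device_product: next(),
        device_version: next(), signature_id: next(), name: next(), severity: next(),
        extensions: parse_extensions(ext),
    })
}

fn main() {
    // Constructed sample line: syslog envelope, escaped pipe, escaped '=' and newline.
    let raw = "<134>Jan 10 12:00:00 host CEF:0|Vendor\\|Inc|IDS|1.0|100|Attack detected|9|\
               src=10.0.0.1 msg=Intrusion attempt\\=true\\nline two dst=192.168.1.1";
    let off = find_cef_start(raw).expect("no CEF payload");
    println!("{:#?}", parse_cef(&raw[off..]).unwrap());
}
```

Both scans work on bytes because backslash, pipe and = are ASCII and never appear inside a multi-byte UTF-8 sequence, so every slice boundary they produce is a char boundary. The look-back rule is inherent to the format rather than to this code: an unescaped = inside a value is indistinguishable from a new key, and text after the last pipe that contains no = at all yields no pairs.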
§Example
use rsigma_runtime::parse::cef::parse;
let record = parse(
"CEF:0|Security|IDS|1.0|100|Attack detected|9|src=10.0.0.1 dst=192.168.1.1 msg=Intrusion attempt"
).unwrap();
assert_eq!(record.device_vendor, "Security");
assert_eq!(record.severity, "9");
assert_eq!(record.extensions.len(), 3);
assert_eq!(record.extensions[2].0, "msg");
assert_eq!(record.extensions[2].1, "Intrusion attempt");
Structs§
- CefRecord: A parsed CEF record.
Enums§
- CefError: Errors from CEF parsing.
Functions§
- find_cef_start: Find the byte offset of "CEF:" in the input, if present.
- parse: Parse a CEF line into a CefRecord.