Decode CEF
This block converts data in CEF (Common Event Format) into the dictionary data type. A block containing data in CEF format is connected to the input; in most cases this is the “message” block with the “raw” key. The output of this block is a dictionary.
XML representation of the decode_cef block
<xml xmlns="http://www.w3.org/1999/xhtml">
  <block type="decode_cef">
    <field name="TRANSLATE">FALSE</field>
    <value name="CEF">
      <block type="message">
        <field name="OBJECT">raw</field>
      </block>
    </value>
  </block>
</xml>
The block is used on the “set item to” row in the example:
- it loads data from the “raw” key of the “message” dictionary, and the resulting dictionary is saved into the “item” variable,
- the variables from the input message then appear in the processing result.
Example CEF message used as input:
0|Flowmon Networks|FlowMon ADS Business|8.00.04|ICMPANOM|ICMP anomaly|6|src=192.168.1.1 start=Aug 05 2016 10:45:00 msg=ICMP ping flood was detected. Echo requests sent: 537, hosts flooded: 1. targetList: 10.10.10.10
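As an added example (not code from this page or from the product it documents), the following Python decoder does the job of the decode_cef block: it takes one CEF line such as the message above and returns a flat dictionary of the seven header fields plus the key=value pairs from the extension. The page does not define the output key names or what the TRANSLATE field does, so the header key names (version, device_vendor, ...) and the translate option are my assumptions; the translate map only renames a few ArcSight short extension keys (src, dst, msg, ...) to their documented long names. The sample line is the page's own message embedded as a constructed constant; the decoder accepts it with or without the CEF: prefix and handles the backslash escapes the format allows.

```python
"""Minimal CEF (Common Event Format) decoder: one CEF line -> dict."""
import re
from typing import Dict, List, Tuple

# The seven pipe-separated header fields that follow the "CEF:" prefix.
# Output key names are an assumption; the page does not specify them.
HEADER_FIELDS = (
    "version", "device_vendor", "device_product", "device_version",
    "signature_id", "name", "severity",
)

# Assumption: a "translate" option renames standard ArcSight short keys to
# their long names. These mappings are the documented CEF key names.
KEY_TRANSLATION = {
    "src": "sourceAddress", "dst": "destinationAddress",
    "spt": "sourcePort", "dpt": "destinationPort",
    "msg": "message", "start": "startTime", "end": "endTime",
    "proto": "transportProtocol",
}

# Constructed constant: the example message from the page (no CEF: prefix).
SAMPLE_CEF = (
    "0|Flowmon Networks|FlowMon ADS Business|8.00.04|ICMPANOM|ICMP anomaly|6|"
    "src=192.168.1.1 start=Aug 05 2016 10:45:00 msg=ICMP ping flood was detected. "
    "Echo requests sent: 537, hosts flooded: 1. targetList: 10.10.10.10"
)

# An extension key starts the line or follows whitespace and ends with "=".
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_header(line: str) -> Tuple[List[str], str]:
    """Split the 7 header fields, honouring \\| and \\\\ escapes; return (fields, extension)."""
    fields: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])   # escaped pipe or backslash
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, line[i:]


def _unescape(value: str) -> str:
    """Resolve extension escapes: \\= \\\\ \\n \\r."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Parse key=value pairs; a value runs until the next ' key=' token, so it may contain spaces."""
    result: Dict[str, str] = {}
    matches = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end].strip())
    return result


def decode_cef(line: str, translate: bool = False) -> Dict[str, str]:
    """Decode one CEF line (with or without the CEF: prefix, or a syslog prefix before it)."""
    line = line.rstrip("\r\n")
    prefix = line.find("CEF:")
    if prefix >= 0:
        line = line[prefix + len("CEF:"):]
    header, ext = _split_header(line)
    result = dict(zip(HEADER_FIELDS, header))
    for key, value in _parse_extension(ext).items():
        if translate:
            key = KEY_TRANSLATION.get(key, key)   # assumed TRANSLATE behaviour
        result[key] = value
    return result


if __name__ == "__main__":
    for k, v in decode_cef(SAMPLE_CEF).items():
        print(f"{k} = {v}")
```

Values are kept as strings, as they appear in the message; converting severity to an integer or the start time to a datetime is left to the consumer, since CEF does not fix those formats.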