Logmanager documentation
Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  1. Logmanager documentation
  2. /
  3. Additional informations
  4. /
  5. Events processing in blockly
  6. /
  7. Defined XML blocks
  8. /
  9. Special blocks
  10. /
  11. Special elements
  12. /
  13. Decode CEF

Decode CEF

This block is used to convert data in CEF format to the dictionary data type. Block containing data in CEF format is connected to the input, in most cases “message” block with “raw” key. Output of this block is a dictionary data type.

Block XML representation

XML representation of decode_cef block

<xml xmlns="http://www.w3.org/1999/xhtml">
  <block type="decode_cef">
    <field name="TRANSLATE">FALSE</field>
    <value name="CEF">
      <block type="message">
        <field name="OBJECT">raw</field>
      </block>
    </value>
  </block>
</xml>

Example of visual representation

Block "Decode CEF"

Block “Decode CEF”

Example of block usage

Example of "Decode CEF" block

Example of “Decode CEF” block

Block is used on the “set item to” row in the example:

  • loads data from “raw” key of “message” dictionary, created dictionary is saved into the “item” variable,
  • variables from input message will appear in the processing result.

Input data 

0|Flowmon Networks|FlowMon ADS Business|8.00.04|ICMPANOM|ICMP anomaly|6|src=192.168.1.1 start=Aug 05 2016 10:45:00 msg=ICMP ping flood was detected. Echo requests sent: 537, hosts flooded: 1. targetList: 10.10.10.10

Processing result

Results of "Decode CEF" block

Results of “Decode CEF” block