LEEF
Synopsis
Parses Log Event Extended Format (LEEF) messages into structured objects.
For details of LEEF, see Appendix.
Schema
```yaml
- leef:
    field: <ident>
    target_field: <ident>
    description: <text>
    if: <script>
    ignore_failure: <boolean>
    ignore_missing: <boolean>
    on_failure: <processor[]>
    on_success: <processor[]>
    tag: <string>
```
Configuration
The following fields are used to define the processor:
| Field | Required | Default | Description |
|---|---|---|---|
| field | Y | - | Field containing the LEEF message string |
| target_field | N | leef | Field to store parsed LEEF data |
| description | N | - | Explanatory note |
| if | N | - | Condition to run |
| ignore_failure | N | false | See Handling Failures |
| ignore_missing | N | false | If true, skip if field doesn't exist |
| on_failure | N | - | See Handling Failures |
| on_success | N | - | See Handling Success |
| tag | N | - | Identifier |
Details
The processor identifies and extracts the LEEF version, header fields (vendor, product, version, and event ID), and attribute pairs. Field names are automatically normalized for consistent processing.
Different LEEF versions and custom delimiters are handled automatically. If the header specifies a delimiter in hex form, e.g. "x09" for tab, that character is used to separate the attribute pairs.
The processor expects valid LEEF formatted messages starting with "LEEF:". Invalid messages cause the processor to fail unless ignore_failure is set to true.
Examples
Basic Parsing
Parsing the LEEF message extracts the header and the attribute fields.
Keep Original
Storing parsed results in a specific field creates structured event data.
Error Handling
Handling invalid LEEF messages gracefully adds an error tag without failing.
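As an added example, not the project's own code, the parsing and failure semantics described under Details and in the three Examples above, written as a stand-alone Python parser: it reads the LEEF version and the four header fields (vendor, product, version, event ID), resolves a LEEF 2.0 delimiter given either as a literal character or in hex form such as "x09", normalizes attribute names, and wraps the parser in a processor-style function that honours field, target_field, ignore_missing, ignore_failure and on_failure. The sample messages, the normalization rule (lowercase, non-alphanumerics to underscore), the heuristic for recognising an optional LEEF 2.0 delimiter field, and the leef_parse_failure tag are assumptions made for this example, not documented behaviour of the processor.

```python
import re
from typing import Callable, Optional

# Constructed sample messages (not taken from the page).
LEEF1 = ("LEEF:1.0|Microsoft|MSExchange|4.0 SP1|15345|"
         "src=192.0.2.10\tdst=198.51.100.7\tsev=5\tusrName=alice")
LEEF2_HEX = ("LEEF:2.0|Lancope|StealthWatch|1.0|41|x09|"
             "src=192.0.2.10\tdst=198.51.100.7\tproto=TCP")
LEEF2_CHAR = "LEEF:2.0|Vendor|Product|1.0|1001|^|src=192.0.2.10^action=blocked"
NOT_LEEF = "CEF:0|Vendor|Product|1.0|100|Name|5|src=192.0.2.10"


class LEEFParseError(ValueError):
    """Raised when a message is not a well-formed LEEF record."""


def normalize_name(name: str) -> str:
    """Assumed normalization rule: lowercase, non-alphanumerics become '_'."""
    return re.sub(r"[^a-z0-9]+", "_", name.strip().lower()).strip("_")


def resolve_delimiter(spec: str) -> str:
    """Turn a LEEF 2.0 delimiter header into the real separator character.
    Accepts one literal character or a hex form such as x09 / 0x09."""
    spec = spec.strip()
    if spec == "":
        return "\t"                      # LEEF's default attribute separator
    m = re.fullmatch(r"0?x([0-9A-Fa-f]{1,2})", spec)
    if m:
        return chr(int(m.group(1), 16))
    if len(spec) == 1:
        return spec
    raise LEEFParseError(f"unsupported delimiter spec: {spec!r}")


def parse_leef(message: str) -> dict:
    """Parse one LEEF 1.0 or 2.0 message into header fields plus attributes."""
    if not message.startswith("LEEF:"):
        raise LEEFParseError("message does not start with 'LEEF:'")
    parts = message.split("|", 5)        # version + 4 header fields + remainder
    if len(parts) < 6:
        raise LEEFParseError("incomplete LEEF header")
    leef_version = parts[0][len("LEEF:"):]
    vendor, product, version, event_id, rest = parts[1:]
    delimiter = "\t"
    if leef_version == "2.0" and "|" in rest:
        # Assumption: the optional delimiter field never contains '=',
        # whereas the first attribute pair always does.
        maybe_delim, after = rest.split("|", 1)
        if "=" not in maybe_delim:
            delimiter, rest = resolve_delimiter(maybe_delim), after
    attributes = {}
    for token in rest.split(delimiter):
        if "=" not in token:
            if token.strip():
                raise LEEFParseError(f"attribute without '=': {token!r}")
            continue                     # tolerate empty tokens / trailing delimiter
        key, value = token.split("=", 1)
        attributes[normalize_name(key)] = value
    return {
        "leef_version": leef_version,
        "vendor": vendor, "product": product,
        "version": version, "event_id": event_id,
        "delimiter": delimiter,
        "attributes": attributes,
    }


def leef_processor(event: dict, field: str = "message", target_field: str = "leef",
                   ignore_missing: bool = False, ignore_failure: bool = False,
                   on_failure: Optional[Callable[[dict, Exception], None]] = None) -> dict:
    """Apply parse_leef to event[field] with the failure semantics from the page:
    missing field -> skip only if ignore_missing; bad message -> run on_failure
    if given, else swallow only if ignore_failure, else fail."""
    if field not in event:
        if ignore_missing:
            return event
        raise KeyError(field)
    try:
        event[target_field] = parse_leef(event[field])
    except LEEFParseError as exc:
        if on_failure is not None:
            on_failure(event, exc)
        elif not ignore_failure:
            raise
    return event


def tag_failure(event: dict, exc: Exception) -> None:
    """Hypothetical on_failure handler: record the failure as a tag, not an exception."""
    event.setdefault("tags", []).append("leef_parse_failure")
    event["error"] = str(exc)


if __name__ == "__main__":
    print(leef_processor({"message": LEEF1}))
    print(leef_processor({"message": LEEF2_HEX}, target_field="parsed"))
    print(leef_processor({"message": NOT_LEEF}, on_failure=tag_failure))
```

Splitting the header with a bounded split("|", 5) is deliberate: attribute values may legitimately contain a pipe, so only the first five separators belong to the header. The delimiter heuristic for LEEF 2.0 is the weak point of any such parser; a stricter deployment can require the delimiter field to be present whenever the version is 2.0.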