parseleef
Parses logs in LEEF (Log Event Extended Format) and extracts each field. Supports both LEEF 1.0 and LEEF 2.0 formats used by IBM QRadar.
Command properties
| Item | Description |
|---|---|
| Command type | Processing query |
| Required permission | None |
| License usage | N/A |
| Parallel execution | Supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
parseleef [field=FIELD] [overlay={t|f}] [prefix=PREFIX] [postfix=POSTFIX]
Options
- field=FIELD: Name of the field containing the LEEF log to parse (default: line)
- overlay={t|f}: Specifies whether to overlay the parse result onto the original record (default: f)
  - t: Adds the parsed fields to the original record. Existing fields with the same name are overwritten with the parsed value.
  - f: Creates a new record containing only the parsed fields.
- prefix=PREFIX: Prefix to prepend to output field names.
- postfix=POSTFIX: Suffix to append to output field names.
Output fields
The following base fields are extracted from the LEEF header.
| Field | Type | Description |
|---|---|---|
| leef_ver | string | LEEF version (e.g., 1.0, 2.0) |
| vendor | string | Product vendor name |
| product | string | Product name |
| ver | string | Product version |
| event_id | string | Event identifier |
LEEF extension attribute fields vary depending on the content of the LEEF log. The following are examples of standard LEEF fields to which type conversion is applied.
| Field | Type | Description |
|---|---|---|
| sev | integer | Severity |
| src | ipaddr | Source IP address |
| dst | ipaddr | Destination IP address |
| srcPort | integer | Source port number |
| dstPort | integer | Destination port number |
| srcPreNAT | ipaddr | Source IP before NAT |
| dstPreNAT | ipaddr | Destination IP before NAT |
| srcPostNAT | ipaddr | Source IP after NAT |
| dstPostNAT | ipaddr | Destination IP after NAT |
| srcPreNATPort | integer | Source port before NAT |
| dstPreNATPort | integer | Destination port before NAT |
| srcPostNATPort | integer | Source port after NAT |
| dstPostNATPort | integer | Destination port after NAT |
| identSrc | ipaddr | Identified source IP |
| vSrc | ipaddr | Virtual source IP |
| srcBytes | long | Bytes sent from source |
| dstBytes | long | Bytes sent from destination |
| srcPackets | long | Source packet count |
| dstPackets | long | Destination packet count |
| totalPackets | long | Total packet count |
| isLoginEvent | boolean | Whether this is a login event |
| isLogoutEvent | boolean | Whether this is a logout event |
| identSecondIp | ipaddr | Second identified IP address |
| devTime | timestamp | Device event time (parsed using the format in the devTimeFormat field) |
| proto | integer | Protocol number (converted to integer when the value is numeric) |
Extension attribute fields not in the list above are output as string type.
Error codes
Parse errors
N/A
Runtime errors
N/A
Description
The parseleef command parses logs in LEEF 1.0 and LEEF 2.0 formats.
The basic structure of a LEEF log is as follows:
- LEEF 1.0: `LEEF:1.0|Vendor|Product|Version|EventID|key=value\tkey=value...`
- LEEF 2.0: `LEEF:2.0|Vendor|Product|Version|EventID|Delimiter|key=value<Delimiter>key=value...`
In LEEF 2.0, the extension attribute delimiter is specified in the header. The delimiter is either a single character or a hexadecimal code in the format 0x09.
If parsing fails or the target field is null, the original record is passed through unchanged.
When a prefix or postfix option is specified, the prefix or suffix is added to all output field names.
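As an added illustration of the header, delimiter and type-conversion rules described above (example code written for this page, not the Sonar implementation), the following Python reproduces the parse: header splitting for both versions, the single-character or 0x-hex delimiter of LEEF 2.0, the type conversions from the output table, and pass-through of the original record when the field is null or parsing fails. The function names parse_leef and parseleef and the sample log lines are constructed for this example.

```python
import ipaddress
import re
# Standard attributes that parseleef type-converts; any other extension key stays a string.
_INT = {"sev", "srcPort", "dstPort", "srcPreNATPort", "dstPreNATPort", "srcPostNATPort",
        "dstPostNATPort", "srcBytes", "dstBytes", "srcPackets", "dstPackets", "totalPackets"}
_IP = {"src", "dst", "srcPreNAT", "dstPreNAT", "srcPostNAT", "dstPostNAT", "identSrc",
       "vSrc", "identSecondIp"}

def _convert(key, value):
    if key in _INT or (key == "proto" and value.isdigit()):
        return int(value)                   # proto becomes an integer only when numeric
    if key in _IP:
        return ipaddress.ip_address(value)  # raises ValueError on a malformed address
    if key in ("isLoginEvent", "isLogoutEvent"):
        return value.lower() == "true"
    return value

def _delimiter(spec):
    """LEEF 2.0 header delimiter: one literal character or a hex code such as 0x09."""
    if re.fullmatch(r"0[xX][0-9A-Fa-f]{1,4}", spec):
        spec = chr(int(spec, 16))
    if len(spec) != 1:
        raise ValueError("invalid LEEF 2.0 delimiter")
    return spec

def parse_leef(line):
    """Return header + extension fields as a dict, or None when the text is not valid LEEF."""
    try:
        version = line[5:8] if line.startswith("LEEF:") else None
        n = {"1.0": 5, "2.0": 6}[version]   # 2.0 has one extra header slot (the delimiter)
        parts = line.split("|", n)          # maxsplit keeps '|' inside the extension intact
        if len(parts) != n + 1 or parts[0] != "LEEF:" + version:
            return None
        rec = {"leef_ver": version, "vendor": parts[1], "product": parts[2],
               "ver": parts[3], "event_id": parts[4]}
        delim = _delimiter(parts[5]) if version == "2.0" else "\t"
        for key, eq, value in (p.partition("=") for p in parts[-1].split(delim)):
            if eq:                          # ignore fragments that are not key=value
                rec[key] = _convert(key, value)
        return rec
    except (KeyError, ValueError, AttributeError):  # unknown version, bad value, None input
        return None

def parseleef(record, field="line", overlay=False, prefix="", postfix=""):
    """Model the command's options: pass-through on null/failure, overlay, prefix/postfix."""
    parsed = parse_leef(record.get(field))
    if parsed is None:
        return record
    out = {f"{prefix}{k}{postfix}": v for k, v in parsed.items()}
    return {**record, **out} if overlay else out
```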
Examples
- Parsing LEEF logs from the default field
  `table duration=1h SYSLOG | parseleef`
  Parses the LEEF-format log in the `line` field and extracts each field.
- Parsing from a specific field while preserving the original fields
  `table duration=1h SYSLOG | parseleef field=message overlay=t`
  Parses the `message` field and overlays the parsed result onto the original record.
- Adding a prefix to output field names
  `table duration=1h SYSLOG | parseleef prefix=leef_`
  Prepends `leef_` to all parsed field names. For example, the `src` field is output as `leef_src`.
Compatibility
The parseleef command has been available since before Sonar 4.0.