Zero Signup Tools: Free browser tools

CEF Log Parser

Parse ArcSight CEF log lines into header fields and a labelled extension map. Strips the syslog prefix, decodes escaping, and exports JSON. No signup.

CEF log parser and builder

ArcSight Common Event Format

Paste raw CEF lines from a SIEM, a firewall, or a log file. A leading syslog header is detected and stripped automatically. Header fields are unescaped and the extension is split into labelled key/value pairs.


CEF format reference

The structure a CEF record follows, summarized in one place. This tool reads and writes the same rules.

Record shape

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
  • Seven pipe-delimited header fields (Version through Severity), then the extension.
  • The extension is space-separated key=value pairs.
  • One record per line.

Escaping

  • Header: \| for a pipe, \\ for a backslash.
  • Extension: \= for equals, plus \n and \r.
  • Pipes inside the extension are literal.

Severity

  • An integer 0 to 10, or Low, Medium, High, Very-High.
  • 0 to 3 low, 4 to 6 medium, 7 to 8 high, 9 to 10 very high.
  • Higher means more important.

Common extension keys

  • src / dst: source and destination address.
  • spt / dpt: source and destination port.
  • act: action; suser: user; rt: receipt time.

How to use

  1. Keep Parse events selected, then paste one or more CEF lines. A leading syslog timestamp and host are detected and stripped automatically.
  2. Read the summary for the event count, line count, and how many records had errors or notes, plus a severity breakdown.
  3. Review each event: the unescaped header fields, the severity band, and the extension as a table where standard CEF keys are expanded to their full names.
  4. Check the per-record notes for missing fields, bad version or severity, or duplicate keys, then copy the parsed events as JSON or NDJSON.
  5. Switch to Build an event to hand-craft a CEF line: fill the seven header fields, add key=value pairs, and the tool escapes everything correctly.
  6. Use the copy buttons to grab the JSON, the NDJSON, or the built CEF line. Everything stays in your browser.

About this tool

CEF Log Parser turns ArcSight Common Event Format events into a structured, readable view in your browser. CEF is the pipe-delimited event format that security appliances emit by the million: firewalls and next-generation firewalls (Palo Alto, Fortinet FortiGate, Check Point, Cisco), web application firewalls, intrusion detection and prevention systems, proxies, and endpoint tools all speak it, and SIEM platforms such as ArcSight, Splunk, IBM QRadar, and Microsoft Sentinel ingest it.

A CEF record begins with the literal marker CEF: and a version number, followed by six mandatory pipe-delimited header fields (Device Vendor, Device Product, Device Version, Signature ID, Name, and Severity) and then a free-form Extension made of space-separated key=value pairs.

The format looks simple, but two details trip people up. First, CEF events are almost always wrapped inside a syslog message, so the real line you copy from a collector starts with a timestamp and host before the CEF: marker; this tool detects that leading syslog header and strips it automatically before parsing. Second, escaping differs between the two parts of the record. In the header a backslash escapes a literal pipe or a literal backslash, while in the extension a backslash escapes a literal equals sign plus the C-style newline and carriage-return sequences, and pipes inside the extension are literal. Splitting the extension correctly is the hard part, because a value can contain spaces and runs only up to the point where the next key= begins. This tool implements those rules exactly.

In Parse mode you paste one or many CEF lines and get, per event, the unescaped header fields, a severity band derived from the 0 to 10 scale or the named Low, Medium, High, and Very-High levels, and the extension rendered as a table where every standard CEF key (such as src, dst, spt, dpt, suser, act, proto, request, and rt) is expanded to its full field name from the published CEF key dictionary, with custom vendor keys shown as-is. Malformed records are flagged in place: a missing CEF: marker, fewer than seven header fields, a non-integer version, empty mandatory fields, an out-of-range severity, and duplicate extension keys each get a clear note rather than a silent failure. The parsed events export as JSON or NDJSON with one click, ready to drop into a notebook, a ticket, or a follow-up query.

In Build mode you fill the seven header fields and add extension pairs, and the tool escapes pipes, equals signs, and backslashes for you and emits one valid CEF line. Useful when you need to read a raw event a SIEM rule fired on, hand-craft a test event, sanity-check a vendor integration, or just understand what spt=51920 and act=blocked actually mean. Everything runs locally in your browser; the events you paste or build are never uploaded, logged, or sent anywhere.
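The parsing rules from the format reference and the description above, as an added JavaScript example that is not the tool's own source. It assumes extension keys match [A-Za-z0-9_.-]+ and drops any syslog prefix by locating the CEF: marker; an unescaped " key=" inside a value is ambiguous by construction and starts a new pair.

```javascript
// Added example (not the tool's source): syslog prefix, header escapes (\| \\),
// extension splitting at " key=" boundaries with \= \\ \n \r, and severity bands.
const EXT_PAIR = /([A-Za-z0-9_.-]+)=((?:\\.|[^\\])*?)(?= [A-Za-z0-9_.-]+=|$)/g;
const EXT_ESCAPES = { "=": "=", "\\": "\\", n: "\n", r: "\r" };

function severityBand(sev) {
  const s = String(sev).trim().toLowerCase();
  if (["low", "medium", "high", "very-high"].includes(s)) return s;
  if (!/^\d+$/.test(s)) return "unknown";
  const n = Number(s);
  return n <= 3 ? "low" : n <= 6 ? "medium" : n <= 8 ? "high" : n <= 10 ? "very-high" : "unknown";
}

// Header: split on pipes not preceded by a backslash, decoding \| and \\ as we go.
function splitHeader(text) {
  const fields = []; let cur = "";
  for (let i = 0; i < text.length; i++) {
    const c = text[i], next = text[i + 1];
    if (c === "\\" && (next === "|" || next === "\\")) { cur += next; i++; }
    else if (c === "|") {
      fields.push(cur); cur = "";
      if (fields.length === 7) return { fields, rest: text.slice(i + 1) }; // rest = extension
    } else cur += c;
  }
  return { fields: [...fields, cur], rest: "" }; // short record, no extension
}

// Extension: a value may contain spaces and runs up to the next " key=" boundary.
function parseExtension(text) {
  const ext = {}, notes = [];
  for (const m of text.trim().matchAll(EXT_PAIR)) {
    if (Object.prototype.hasOwnProperty.call(ext, m[1])) notes.push(`duplicate key ${m[1]}`);
    ext[m[1]] = m[2].replace(/\\(.)/g, (all, ch) => EXT_ESCAPES[ch] ?? all);
  }
  return { ext, notes };
}

function parseCef(line) {
  const start = line.indexOf("CEF:"); // anything before the marker is the syslog header
  if (start < 0) return { error: "missing CEF: marker" };
  const { fields, rest } = splitHeader(line.slice(start + 4));
  const notes = [];
  if (fields.length < 7) notes.push(`only ${fields.length} of 7 header fields`);
  const [version = "", deviceVendor = "", deviceProduct = "", deviceVersion = "",
         signatureId = "", name = "", severity = ""] = fields;
  if (!/^\d+$/.test(version)) notes.push("version is not an integer");
  const band = severityBand(severity);
  if (band === "unknown") notes.push(`severity "${severity}" is not 0 to 10 or Low/Medium/High/Very-High`);
  const { ext, notes: extNotes } = parseExtension(rest);
  return { version, deviceVendor, deviceProduct, deviceVersion, signatureId, name,
           severity, severityBand: band, extension: ext, notes: notes.concat(extNotes) };
}
```

Feed parseCef one line at a time; the notes array carries the same kinds of flags the tool reports (short header, bad version, bad severity, duplicate keys).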

Free to use. Works in your browser. No signup, no login.
