
Create parent decoders for CEF (Common Event Format)

Open · chemamartinez opened this issue 5 years ago • 1 comment

From the LDAPwiki documentation:

Common Event Format (CEF) is a Logging and Auditing file format from ArcSight and is an extensible, text-based format designed to support multiple device types by offering the most relevant information. Message syntaxes are reduced to work with ESM normalization. Specifically, Common Event Format defines a syntax for log records comprised of a standard header and a variable extension, formatted as key-value pairs.

This log format is so widespread that, for example, Logstash includes a plugin to support it: https://www.elastic.co/guide/en/logstash/current/plugins-codecs-cef.html

In the following link we can find what that format looks like: https://help.deepsecurity.trendmicro.com/Events-Alerts/syslog-parsing.html

Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

It could be useful to create decoders to catch those events natively. In fact, there are a couple of Pull Requests that include decoders for specific logs using that format (see #177 and #178).

Regards.

chemamartinez avatar Sep 27 '19 14:09 chemamartinez
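To make the parsing a native CEF decoder would have to do concrete, here is a small parser for the base format quoted above. It is an added example, not code from the wazuh-ruleset project (Wazuh decoders are XML; this is Python to show the logic): the header is split on unescaped `|` (with `\|` and `\\` as escapes), the extension is split into key=value pairs where values may contain spaces and `\=` is a literal equals sign. The extension-key pattern and the sample line are assumptions of this example; the sample is constructed in the Deep Security style linked above, not a real event.

```python
import re

# Header fields in the order the issue gives, after the "CEF:" prefix.
HEADER_FIELDS = ("version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")
# Extension keys are alphanumeric (assumption); '\=' therefore never starts a key.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_EXT_ESCAPES = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}

def split_header(text, count=len(HEADER_FIELDS)):
    """Return the first `count` '|'-delimited fields (unescaping '\\|' and '\\\\') and the rest."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < count:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            buf.append(text[i + 1])  # escaped pipe or backslash inside a field
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    return fields, text[i:]

def parse_extension(ext):
    """Parse 'key=value key2=value with spaces' into a dict, unescaping values."""
    keys = list(_KEY_RE.finditer(ext))
    result = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        result[m.group(1)] = re.sub(
            r"\\(.)", lambda e: _EXT_ESCAPES.get(e.group(1), e.group(0)), raw)
    return result

def parse_cef(line):
    """Return header fields plus an 'extension' dict, or None if not a CEF record."""
    start = line.find("CEF:")  # a syslog prefix (timestamp, host) may precede it
    if start < 0:
        return None
    header, extension = split_header(line[start + 4:])
    if len(header) != len(HEADER_FIELDS):
        return None  # truncated header: fewer than seven '|' separators
    record = dict(zip(HEADER_FIELDS, header))
    record["extension"] = parse_extension(extension)
    return record

# Constructed sample in the Deep Security style linked above; not a real event.
SAMPLE_LINE = ("Sep 27 14:09:00 dsm CEF:0|Trend Micro|Deep Security Agent|10.0|20|"
               "Rule \\| Alert|0|cn1=1 cn1Label=Host ID src=10.0.0.5 msg=Escaped \\= sign")
```

Because extension values are only delimited by the next `key=`, a value that itself contains text shaped like ` word=` is ambiguous in CEF; a decoder cannot recover it without knowing the producer's field list.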

Alternatively, an implicit decoder (like the one for json) could be created for the CEF and LEEF formats, given that all fields have a given name.

This has been requested here: https://github.com/wazuh/wazuh/issues/3408

jctello avatar Oct 02 '19 16:10 jctello