This is a Logstash filter configuration I have used when parsing CEF (Common Event Format) logs which I need to store in JSON format. Below are the CEF syslog messages generated by a TippingPoint NGFW for IPS alerts.
IPS Alert Log for ICMP
"CEF:0|HP|XXXX|1.2.1.0000|79|ICMP: Echo Reply|1|dvchost=NGFW.IPS dvc=10.0.0.101 cat=IpsAlert deviceFacility=IPS act=Permit cs2=00000002-0002-0002-0002-000000000079 cs2Label=Policy UUID cs3=00000001-0001-0001-0001-000000000079 cs3Label=Signature UUID proto=ICMP src=192.168.1.1 dst=10.0.0.201 start=Feb 25 2016 14:39:28+0000 cnt=1 deviceInboundInterface=ethernet1 deviceOutboundInterface=ethernet2 cs1=20000 cs1Label=Rule cs5=Default IPS Profile cs5Label=Inspection Profile externalId=1317822437469935396918053171245265\n"
IPS Alert Log for TCP
"CEF:0|HP|XXXX|1.2.1.0000|16538|TCP: OpenSSL ClientHello Message|1|dvchost=NGFW.IPS dvc=10.0.0.101 cat=IpsAlert deviceFacility=IPS act=Permit cs2=00000002-0002-0002-0002-000000016538 cs2Label=Policy UUID cs3=00000001-0001-0001-0001-000000016538 cs3Label=Signature UUID proto=TCP src=192.168.1.1 spt=31964 dst=10.0.0.201 dpt=50707 start=Feb 25 2016 14:37:53+0000 cnt=1 deviceInboundInterface=ethernet2 deviceOutboundInterface=ethernet1 cs1=20000 cs1Label=Rule cs5=Default IPS Profile cs5Label=Inspection Profile externalId=1317822437469935396918053037030539"
IPS Alert Log for HTTP
"CEF:0|HP|XXXX|1.2.1.0000|17084|HTTP: Compressed File Download|1|dvchost=NGFW.IPS dvc=10.0.0.101 cat=IpsAlert deviceFacility=IPS act=Permit cs2=00000002-0002-0002-0002-000000017084 cs2Label=Policy UUID cs3=00000001-0001-0001-0001-000000017084 cs3Label=Signature UUID src=192.168.1.1 spt=20480 dst=10.0.0.201 dpt=54465 start=Feb 25 2016 14:36:26+0000 cnt=1 deviceInboundInterface=ethernet2 deviceOutboundInterface=ethernet1 cs1=20000 cs1Label=Rule cs5=Default IPS Profile cs5Label=Inspection Profile externalId=1317822437469935396918053171251576"
CEF logs have a standard header (PREFIX) of seven fields delimited by "|", followed by a variable-length list of key/value pairs (EXTENSIONS) in which each key is mapped to its value with the "=" character. Below is the Logstash filter configuration I used, which I adapted from here.
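To make the PREFIX/EXTENSIONS split concrete, here is an added Python parser for the format described above; it is example code written for this page, not the author's Logstash configuration and not TippingPoint code. It assumes the standard CEF escaping rules (a literal "|" in a header field is written as "\|", a literal "=" in an extension value as "\="), and its sample input is the ICMP alert shown above. The two points a Logstash user has to get right are visible in the regular expressions: header fields are split on unescaped pipes only, and an extension value runs until the next " key=" token, so values containing spaces such as "Policy UUID" and "Feb 25 2016 14:39:28+0000" survive intact. The helper apply_labels goes one step beyond the page and resolves the csN/csNLabel pairs into named fields, which is usually what you want before indexing as JSON.

```python
import re

# Constructed sample: the ICMP IPS alert from the post, with the header field order
# and extension keys exactly as the TippingPoint NGFW emits them.
SAMPLE_ICMP = (
    "CEF:0|HP|XXXX|1.2.1.0000|79|ICMP: Echo Reply|1|dvchost=NGFW.IPS dvc=10.0.0.101 "
    "cat=IpsAlert deviceFacility=IPS act=Permit cs2=00000002-0002-0002-0002-000000000079 "
    "cs2Label=Policy UUID cs3=00000001-0001-0001-0001-000000000079 cs3Label=Signature UUID "
    "proto=ICMP src=192.168.1.1 dst=10.0.0.201 start=Feb 25 2016 14:39:28+0000 cnt=1 "
    "deviceInboundInterface=ethernet1 deviceOutboundInterface=ethernet2 cs1=20000 "
    "cs1Label=Rule cs5=Default IPS Profile cs5Label=Inspection Profile "
    "externalId=1317822437469935396918053171245265\n"
)

# The seven fixed header (PREFIX) fields, in CEF order.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# A "|" not preceded by a backslash ends a header field; "\|" is a literal pipe.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")

# One extension pair. The key is a run of word characters directly followed by "=".
# The value is consumed lazily, taking backslash escapes as a unit so "\=" never ends
# it, until the next " key=" or the end of the string. That is what keeps
# space-containing values such as "Policy UUID" or "Feb 25 2016 14:39:28+0000" whole.
# An unescaped "=" inside a value violates the CEF spec and would mis-split here.
_EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|\s*$)", re.DOTALL)

_ESCAPES = {"n": "\n", "r": "\r"}


def _unescape(value: str) -> str:
    """Resolve CEF backslash escapes (pipe, equals, backslash, and multi-line n/r)."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)


def parse_cef(message: str) -> dict:
    """Parse one CEF message into a flat dict of header fields plus extension keys.

    Raises ValueError when the seven-field header is incomplete, so a truncated or
    non-CEF syslog line is rejected instead of producing a half-filled event.
    """
    message = message.strip()
    parts = _HEADER_SPLIT.split(message, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a complete CEF message: %r" % message[:60])
    header = [_unescape(p) for p in parts[:7]]
    header[0] = header[0].split(":", 1)[1]          # "CEF:0" -> "0"
    event = dict(zip(HEADER_FIELDS, header))
    for key, value in _EXT_PAIR.findall(parts[7]):
        event[key] = _unescape(value)
    return event


def apply_labels(event: dict) -> dict:
    """Rename custom fields by their label, e.g. cs2 + cs2Label=Policy UUID -> "Policy UUID".

    A value without a matching Label key, or a Label without its value, is left as-is.
    """
    out = dict(event)
    for key in [k for k in event if k.endswith("Label")]:
        base = key[: -len("Label")]
        if base in out:
            out[out.pop(key)] = out.pop(base)
    return out


if __name__ == "__main__":
    for k, v in apply_labels(parse_cef(SAMPLE_ICMP)).items():
        print("%-25s %s" % (k, v))
```

Run it as a script and it prints the ICMP alert as 24 named fields. The ValueError on an incomplete header is deliberate: a pipeline that silently accepts a truncated CEF line ends up indexing events with an empty signature or severity, which is exactly the kind of record that later dodges a detection query.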