# slogparse

Security log parser that normalizes CEF, LEEF, syslog, and Windows Event XML into OCSF format.
SOC teams and SIEM platforms ingest logs from dozens of sources — firewalls, IDS/IPS, endpoints, cloud — each in its own format. Normalizing these into a common schema is tedious, error-prone, and blocks automation. slogparse auto-detects the log format, parses it into a structured dict, and optionally maps it to the OCSF (Open Cybersecurity Schema Framework) base event schema for uniform downstream processing.
## Installation

```bash
pip install slogparse
```

Or install from source:

```bash
git clone https://github.com/cwccie/slogparse.git
cd slogparse
pip install -e ".[dev]"
```

## Quick start

```python
from slogparse import LogParser

parser = LogParser()

# Auto-detect and parse
cef_line = 'CEF:0|Security|ThreatDefense|1.0|100|Malware Detected|7|src=10.0.0.1 dst=192.168.1.1'
result = parser.parse(cef_line)
print(result["name"])       # "Malware Detected"
print(result["extension"])  # {"src": "10.0.0.1", "dst": "192.168.1.1"}

# Parse with OCSF mapping
ocsf_event = parser.parse(cef_line, ocsf=True)
print(ocsf_event["severity"])     # "High"
print(ocsf_event["severity_id"])  # 4
print(ocsf_event["class_name"])   # "Security Finding"

# Batch parsing (mixed formats); the syslog and LEEF lines are sample input
syslog_line = '<165>1 2026-02-15T08:30:00Z host app - - - Message'
leef_line = 'LEEF:1.0|IBM|QRadar|1.0|12345|src=10.0.0.5\tdst=10.0.0.9\tusrName=alice'
lines = [cef_line, syslog_line, leef_line]
results = parser.parse_many(lines, ocsf=True)
```

Format detection on its own:

```python
from slogparse import detect_format

fmt = detect_format('<165>1 2026-02-15T08:30:00Z host app - - - Message')
print(fmt)  # "syslog_rfc5424"
```

Serializing results:

```python
from slogparse import to_json, to_yaml

print(to_json(result))  # Pretty JSON
print(to_yaml(result))  # YAML
```
## CLI

```bash
# Parse a log file (auto-detect format)
slogparse parse access.log

# Parse with OCSF mapping
slogparse parse firewall.log --ocsf

# Force format
slogparse parse events.log --format cef

# Output as YAML
slogparse parse events.log -o yaml

# Detect format
slogparse detect mystery.log
```

## Supported formats

| Format | Identifier | Description |
|---|---|---|
| CEF | cef | Common Event Format (ArcSight) — pipe-delimited header + key=value extension |
| LEEF | leef | Log Event Extended Format (IBM QRadar) — pipe header + tab/custom-delimited extension |
| Syslog RFC 5424 | syslog_rfc5424 | Modern syslog with structured data, ISO 8601 timestamps |
| Syslog RFC 3164 | syslog_rfc3164 | BSD/legacy syslog with Mmm dd HH:MM:SS timestamps |
| Windows Event XML | windows_event | Windows Event Log XML export format |
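As an added, self-contained example (not slogparse's own code): a minimal detector for all five formats plus parsers for CEF, LEEF and RFC 5424 in plain Python. It shows the escape handling a correct CEF parser needs (`\|` in the header; `\=`, `\\`, `\n`, `\r` in the extension; extension values that contain spaces) and LEEF 2.0's optional custom delimiter. The sample lines are constructed, and the function names and returned dict keys are this example's, not the library's.

```python
import re

# Constructed sample lines, one per format (not taken from the project's tests).
SAMPLES = {
    "cef": r"CEF:0|Security|Threat\|Defense|1.0|100|Malware Detected|7|"
           r"src=10.0.0.1 dst=192.168.1.1 msg=Trojan in C:\\temp\\a.exe cs1=a\=b",
    "leef": "LEEF:2.0|IBM|QRadar|2.0|12345|^|src=10.0.0.5^dst=10.0.0.9^usrName=alice",
    "syslog_rfc5424": "<165>1 2026-02-15T08:30:00Z host app - - - Message",
    "syslog_rfc3164": "<34>Feb 15 08:30:00 host sshd[123]: Failed password for root from 10.0.0.7",
    "windows_event": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
                     "<System><EventID>4625</EventID></System></Event>",
}

_RFC5424_HDR = re.compile(r"^<\d{1,3}>\d+ \d{4}-\d{2}-\d{2}T")
_RFC3164_HDR = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")
_WIN_NS = "schemas.microsoft.com/win/2004/08/events/event"

def detect_format(line: str) -> str:
    """Return the identifier used in the table above, or 'unknown'."""
    s = line.lstrip()
    if s.startswith("CEF:"):
        return "cef"
    if s.startswith("LEEF:"):
        return "leef"
    if _RFC5424_HDR.match(s):
        return "syslog_rfc5424"
    if _RFC3164_HDR.match(s):
        return "syslog_rfc3164"
    if s.startswith("<Event") and _WIN_NS in s:
        return "windows_event"
    return "unknown"

_CEF_SPLIT = re.compile(r"(?<!\\)\|")                      # a '|' not escaped as '\|'
_CEF_HDR_ESC = re.compile(r"\\([|\\])")                    # header escapes: \| and \\
_CEF_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")  # 'key=' at start or after whitespace
_CEF_VAL_ESC = re.compile(r"\\(.)")                        # extension escapes: \= \\ \n \r

def parse_cef(line: str) -> dict:
    """Split the seven pipe-delimited header fields, then the key=value extension.
    Values may contain spaces, so keys are located by regex instead of splitting on ' '."""
    parts = _CEF_SPLIT.split(line.strip(), maxsplit=7)
    if len(parts) < 7 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    hdr = [_CEF_HDR_ESC.sub(r"\1", p) for p in parts[:7]]
    ext = parts[7] if len(parts) == 8 else ""
    keys = list(_CEF_EXT_KEY.finditer(ext))
    extension = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip()
        extension[m.group(1)] = _CEF_VAL_ESC.sub(
            lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), value)
    return {"format": "cef", "version": hdr[0][4:], "vendor": hdr[1], "product": hdr[2],
            "device_version": hdr[3], "signature_id": hdr[4], "name": hdr[5],
            "severity": hdr[6], "extension": extension, "raw": line}

def parse_leef(line: str) -> dict:
    """LEEF 1.0 is tab-delimited; LEEF 2.0 may name its own delimiter, literally or as hex like x09."""
    parts = line.strip().split("|")
    if len(parts) < 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF line")
    version = parts[0][5:]
    delim, attrs = "\t", "|".join(parts[5:])
    if version.startswith("2") and len(parts) >= 7:
        spec, attrs = parts[5], "|".join(parts[6:])
        if spec:
            delim = chr(int(spec[1:], 16)) if re.fullmatch(r"x[0-9A-Fa-f]{2}", spec) else spec
    extension = {}
    for pair in attrs.split(delim):
        if "=" in pair:
            k, v = pair.split("=", 1)
            extension[k.strip()] = v
    return {"format": "leef", "version": version, "vendor": parts[1], "product": parts[2],
            "product_version": parts[3], "event_id": parts[4], "extension": extension, "raw": line}

_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$")

def parse_syslog_rfc5424(line: str) -> dict:
    """PRI encodes facility*8 + severity; the header fields are single-space separated."""
    m = _RFC5424.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 line")
    pri = int(m["pri"])
    return {"format": "syslog_rfc5424", "facility": pri // 8, "severity": pri % 8,
            "timestamp": m["ts"], "hostname": m["host"], "app_name": m["app"],
            "procid": m["procid"], "msgid": m["msgid"], "structured_data": m["sd"],
            "message": m["msg"] or "", "raw": line}

PARSERS = {"cef": parse_cef, "leef": parse_leef, "syslog_rfc5424": parse_syslog_rfc5424}

def parse(line: str) -> dict:
    """Detect, then parse; RFC 3164 and Windows XML are detected but left raw in this example."""
    fmt = detect_format(line)
    return PARSERS[fmt](line) if fmt in PARSERS else {"format": fmt, "raw": line}
```

Running `parse(SAMPLES["cef"])` yields `product == "Threat|Defense"`, `extension["msg"] == r"Trojan in C:\temp\a.exe"` and `extension["cs1"] == "a=b"`. Two caveats a real pipeline has to handle: CEF and LEEF payloads usually arrive wrapped in a syslog header, so detection as written reports syslog until that header is stripped; and unescaping restores raw newlines and pipes from attacker-influenced fields such as `msg=`, so anything that writes the values back to a line-oriented sink must re-escape them.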
## OCSF mapping

Parsed logs are mapped to the OCSF v1.1.0 Base Event schema:

| OCSF Field | Source |
|---|---|
| class_uid | Derived from log type (2001 for security events) |
| category_uid | Derived from log type (2=Findings, 1=System) |
| severity_id | Mapped from source severity (0-6 scale) |
| severity | Human-readable severity name |
| time | Timestamp normalized to ISO 8601 |
| message | Event name/description |
| metadata.product | Source device/product info |
| metadata.log_provider | Source vendor/application |
| observables | Extracted IPs, hostnames, ports |
| raw_data | Original log line |
| unmapped | Format-specific fields not in OCSF base |
### Severity mapping

Source severities are normalized to OCSF severity as follows:

| Source | Low | Medium | High | Critical |
|---|---|---|---|---|
| CEF (0-10) | 3-4 | 5-6 | 7-8 | 9-10 |
| Syslog (0-7) | 5 (notice) | 4 (warning) | 3 (error) | 1-2 (alert/critical) |
| Windows (0-5) | — | 3 (Warning) | 2 (Error) | 1 (Critical) |
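Added example (not the project's mapper): the severity bands in the table and the OCSF field list above carried through in plain Python, from a parsed record to a base event. The two input dicts are constructed and their key names are this example's assumption about parser output, not the library's; rows the table leaves blank (CEF 0-2, syslog 0/6/7, Windows 0/4/5) and LEEF's `sev` attribute are filled with assumptions marked in the code. Two points worth knowing when you read it: in OCSF the `time` attribute is epoch milliseconds and the ISO 8601 string belongs in `time_dt`, so the example emits both; and the CEF specification's own integer bands (0-3 Low, 4-6 Medium) differ from the table, which is followed here as documented.

```python
import re
from datetime import datetime, timezone

# OCSF severity_id enum (the 0-6 scale the base event uses)
OCSF_SEVERITY = {0: "Unknown", 1: "Informational", 2: "Low", 3: "Medium",
                 4: "High", 5: "Critical", 6: "Fatal"}
# Syslog 0-7 and Windows Level 0-5 -> severity_id per the table above; the rows the table
# leaves out (syslog 0, 6, 7; Windows 0, 4, 5) are this example's assumptions.
SYSLOG_TO_OCSF = {0: 6, 1: 5, 2: 5, 3: 4, 4: 3, 5: 2, 6: 1, 7: 1}
WINDOWS_TO_OCSF = {1: 5, 2: 4, 3: 3, 0: 1, 4: 1, 5: 1}

# Constructed parser output for one CEF and one RFC 5424 line; key names are assumed, not the library's.
CEF_PARSED = {
    "format": "cef", "vendor": "Security", "product": "ThreatDefense",
    "name": "Malware Detected", "severity": "7",
    "extension": {"src": "10.0.0.1", "dst": "192.168.1.1", "rt": "1771144200000", "act": "blocked"},
    "raw": "CEF:0|Security|ThreatDefense|1.0|100|Malware Detected|7|"
           "src=10.0.0.1 dst=192.168.1.1 rt=1771144200000 act=blocked",
}
SYSLOG_PARSED = {
    "format": "syslog_rfc5424", "facility": 20, "severity": 5, "timestamp": "2026-02-15T08:30:00Z",
    "hostname": "host", "app_name": "app", "message": "Message",
    "raw": "<165>1 2026-02-15T08:30:00Z host app - - - Message",
}

def severity_from_cef(raw: str) -> int:
    """CEF 0-10, or the words Low/Medium/High/Very-High, -> severity_id using the table's bands.
    0-2 -> Informational is an assumption the table does not state."""
    words = {"low": 2, "medium": 3, "high": 4, "very-high": 5}
    if raw.lower() in words:
        return words[raw.lower()]
    try:
        n = int(raw)
    except ValueError:
        return 0
    for lo, hi, sid in ((3, 4, 2), (5, 6, 3), (7, 8, 4), (9, 10, 5)):
        if lo <= n <= hi:
            return sid
    return 1 if 0 <= n <= 2 else 0

def to_epoch_ms(value):
    """CEF 'rt' (already epoch ms) or an RFC 3339 timestamp -> epoch milliseconds; None if unparseable."""
    s = "" if value is None else str(value)
    if s.isdigit():
        return int(s)
    try:
        return int(datetime.fromisoformat(s.replace("Z", "+00:00")).timestamp() * 1000)
    except ValueError:
        return None

_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

def observables(fields: dict) -> list:
    """IPs and hostnames as OCSF observables (type_id 2 = IP Address, 1 = Hostname)."""
    out = []
    for k, v in fields.items():
        if isinstance(v, str) and _IPV4.match(v):
            out.append({"name": k, "type_id": 2, "value": v})
        elif isinstance(v, str) and v != "-" and k in ("shost", "dhost", "hostname"):
            out.append({"name": k, "type_id": 1, "value": v})
    return out

def to_ocsf(parsed: dict) -> dict:
    """Build the base-event fields from the mapping table out of a parsed record."""
    fmt, ext = parsed["format"], parsed.get("extension", {})
    if fmt == "cef":
        sev_id, name, ts = severity_from_cef(parsed["severity"]), parsed["name"], to_epoch_ms(ext.get("rt"))
    elif fmt == "leef":  # LEEF carries severity in its 'sev' attribute, 1-10 like CEF (assumption)
        sev_id, name, ts = severity_from_cef(ext.get("sev", "")), parsed.get("event_id", ""), None
    else:  # syslog
        sev_id, name, ts = SYSLOG_TO_OCSF.get(parsed.get("severity", 7), 0), parsed.get("message", ""), to_epoch_ms(parsed.get("timestamp"))
    # The table gives 2001/Findings for security events and category 1 for system logs; it does not
    # name a class for system logs, so they keep the base class (class_uid 0) here.
    finding = fmt in ("cef", "leef")
    obs = observables({**ext, "hostname": parsed.get("hostname", "-")})
    used = {"rt", "sev"} | {o["name"] for o in obs}   # consumed fields do not go to 'unmapped'
    event = {
        "class_uid": 2001 if finding else 0, "class_name": "Security Finding" if finding else "Base Event",
        "category_uid": 2 if finding else 1, "category_name": "Findings" if finding else "System Activity",
        "severity_id": sev_id, "severity": OCSF_SEVERITY[sev_id],
        "message": name,
        "metadata": {"version": "1.1.0", "log_name": fmt, "log_provider": parsed.get("vendor") or parsed.get("app_name"),
                     "product": {"name": parsed.get("product") or parsed.get("app_name"), "vendor_name": parsed.get("vendor")}},
        "observables": obs, "raw_data": parsed["raw"],
        "unmapped": {k: v for k, v in ext.items() if k not in used},
    }
    if ts is not None:  # OCSF 'time' is epoch milliseconds; time_dt carries the ISO 8601 form
        event["time"] = ts
        event["time_dt"] = datetime.fromtimestamp(ts / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return event
```

`to_ocsf(CEF_PARSED)` gives severity_id 4 ("High"), class_uid 2001, two IP observables and `{"act": "blocked"}` in `unmapped`; the syslog record lands as severity_id 2 ("Low") in category 1 with the hostname as its only observable. Keep the severity tables explicit and versioned in a real deployment: a silent change in the band for `7` moves events across the threshold most SOC alert rules are keyed on.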
## Docker

```bash
docker build -t slogparse .
docker run --rm -v /path/to/logs:/data slogparse parse /data/events.log --ocsf
```

## Development

```bash
pip install -e ".[dev]"
pytest --cov=slogparse tests/
ruff check src/ tests/
```

## License

MIT License. Copyright (c) 2026 Corey Wade