Overview

Use the OCSF processor to normalize your security logs according to the Open Cybersecurity Schema Framework (OCSF). The OCSF processor creates custom mappings that remap your log attributes to OCSF schema classes and their corresponding attributes, including enumerated (ENUM) attributes.

The processor enables you to:

  • Map source log attributes to OCSF target attributes
  • Configure ENUM attributes with specific numerical values
  • Create sub-pipelines for different OCSF target event classes
  • Pre-process logs before OCSF remapping
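
The sketch below illustrates the first, second and fourth capabilities for a single target class. It is an added example, not Datadog's processor configuration format or code. The source attribute names (`usr`, `ip`, `port`, `outcome`) and the sample log line are constructed; the numeric values are those of the OCSF Authentication class.

```python
# Added illustration: conceptual OCSF remapping, not Datadog's configuration format.
import re

# Constructed sample: a raw sshd line as it might arrive before any parsing.
RAW = "Failed password for alice from 203.0.113.7 port 52144 ssh2"

# OCSF Authentication class (class_uid 3002) enum values used here.
STATUS_ID = {"Accepted": 1, "Failed": 2}  # status_id: 1 = Success, 2 = Failure
ACTIVITY_LOGON = 1                        # activity_id: 1 = Logon

# Source attribute -> OCSF target attribute path (hypothetical source names).
FIELD_MAP = {
    "usr": "user.name",
    "ip": "src_endpoint.ip",
    "port": "src_endpoint.port",
}

def preprocess(raw):
    """Pre-processing step: extract source attributes from the raw message."""
    m = re.match(r"(?P<outcome>Accepted|Failed) password for (?P<usr>\S+) "
                 r"from (?P<ip>\S+) port (?P<port>\d+)", raw)
    if m is None:
        return None  # not an event this mapping handles
    attrs = m.groupdict()
    attrs["port"] = int(attrs["port"])  # OCSF port is an integer
    return attrs

def set_path(event, dotted, value):
    """Write value at a nested attribute path such as 'src_endpoint.ip'."""
    *parents, leaf = dotted.split(".")
    for key in parents:
        event = event.setdefault(key, {})
    event[leaf] = value

def to_ocsf_authentication(attrs):
    """Remap parsed attributes to an OCSF Authentication event."""
    event = {"class_uid": 3002, "category_uid": 3, "activity_id": ACTIVITY_LOGON}
    event["type_uid"] = event["class_uid"] * 100 + event["activity_id"]
    for source, target in FIELD_MAP.items():
        if source in attrs:
            set_path(event, target, attrs[source])
    # ENUM attribute: unmapped source values fall back to 0 (Unknown).
    event["status_id"] = STATUS_ID.get(attrs.get("outcome"), 0)
    return event

EVENT = to_ocsf_authentication(preprocess(RAW))
```

Falling back to `status_id` 0 for unrecognized outcomes keeps the event valid against the schema while making unmapped source values easy to find in a query.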

For detailed setup instructions, configuration examples, and troubleshooting guidance, see OCSF Processor.
