A new parsing engine, now available for your use in the Alert Logic console, has added support for the Common Event Format (CEF) log format. CEF is a common syslog-based format used by many systems. You can send data to Alert Logic from security products that emit logs and messages in CEF, including:
- Imperva - Incapsula (web application firewall)
- MS ATA - MS Defender
- Minerva Labs - Armor
- Netskope CASB
The capabilities described below are available in the Alert Logic console at (navigation menu) > Investigate > Search > Search.
About CEF Format
The following is an example of a base CEF format.
CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
A CEF log has two parts: the header and the extension.
CEF Header
parsed.cef.header contains the header part of the CEF message. Fields in the header are fixed and always present. The following table breaks down the various pieces of a CEF-formatted message header:
CEF Spec Name | parsed.cef.header Name | parsed.cef.header Type |
---|---|---|
Version | version | Integer |
Device Vendor | device_vendor | String |
Device Product | device_product | String |
Device Version | device_version | String |
Device Event Class ID | event_id | String |
Name | name | String |
Severity | severity | String |
An example of the parsed.cef.header is below:
{
"version": 0,
"severity": "10",
"name": "worm successfully stopped",
"event_id": "100",
"device_version": "1.0",
"device_vendor": "Security",
"device_product": "threatmanager"
}
CEF Extension
parsed.cef.extension contains the extension part of the CEF message. It is possible to have three types of fields in the extension:
- Fields from the Extension Dictionary
- Custom fields from the Extension Dictionary, such as cs1Label=K cs1=V
- User-defined extensions (fields not defined in the Extension Dictionary)
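To make the header table and the three extension field types above concrete, here is an added example parser (it is not Alert Logic's parsing engine) that splits a CEF line into the same parsed.cef.header and parsed.cef.extension shape the page describes, honours the CEF escaping rules (\| and \\ in the header, \= and \\ in extension values), and sorts extension keys into dictionary, custom (csN/cnN/cfpN resolved through their Label keys) and user-defined fields. The sample log line and the small DICTIONARY_KEYS subset are constructed for this example.

```python
"""Added example: a minimal CEF parser mirroring the parsed.cef.header /
parsed.cef.extension split. Not Alert Logic's code; sample data is constructed."""
import re

# parsed.cef.header names, in CEF spec order (Version ... Severity)
HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "event_id", "name", "severity"]

# Small subset of the CEF Extension Dictionary, used only to classify keys here
# (assumption: the real dictionary is far larger than this list).
DICTIONARY_KEYS = {"src", "dst", "spt", "dpt", "act", "msg", "rt", "suser", "duser"}

# Custom-field keys from the dictionary: cs1/cs1Label, cn2/cn2Label, cfp1/cfp1Label ...
CUSTOM_KEY_RE = re.compile(r"^(cs|cn|cfp)(\d+)(Label)?$")

# A key=value boundary is a key at start-of-string or after whitespace.
KV_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

# Constructed sample line (header values match the page's example; extension is made up)
SAMPLE = ("CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|"
          "src=10.0.0.1 dst=2.1.2.2 spt=1232 cs1Label=Policy cs1=Block\\=All "
          "cn1Label=Attempts cn1=3 customTag=quarantined")


def split_header(line):
    """Return (7 header fields, raw extension). '\\|' is a literal pipe and
    '\\\\' a literal backslash inside a header field."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF message")
    body, fields, cur, i = line[4:], [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            cur.append(body[i + 1]); i += 2; continue      # escaped char
        if ch == "|":
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(ch); i += 1
    if len(fields) == 6 and i == len(body):            # no trailing pipe, no extension
        fields.append("".join(cur))
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, body[i:]


def unescape_ext(value):
    """Undo extension-value escapes: \\= -> =, \\\\ -> \\, \\n and \\r -> newlines."""
    table = {"r": "\r", "n": "\n"}
    return re.sub(r"\\([=\\rn])", lambda m: table.get(m.group(1), m.group(1)), value)


def parse_extension(raw):
    """Parse 'k=v k2=v2 ...' into a dict; values may contain spaces."""
    out, matches = {}, list(KV_RE.finditer(raw))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(raw)
        out[m.group(1)] = unescape_ext(raw[m.end():end]).strip()
    return out


def classify_extension(ext):
    """Split extension keys into the three field types the page lists."""
    dictionary, custom, user_defined = {}, {}, {}
    for key, value in ext.items():
        m = CUSTOM_KEY_RE.match(key)
        if m:
            if m.group(3):                      # csNLabel etc.: consumed via its value key
                continue
            label = ext.get(key + "Label", key)  # fall back to raw key if no Label
            kind = m.group(1)
            custom[label] = int(value) if kind == "cn" else float(value) if kind == "cfp" else value
        elif key in DICTIONARY_KEYS:
            dictionary[key] = value
        else:
            user_defined[key] = value
    return {"dictionary": dictionary, "custom": custom, "user_defined": user_defined}


def parse_cef(line):
    """Return the header (version as Integer, rest as String), the raw extension
    dict and the classified extension."""
    fields, raw_ext = split_header(line)
    header = dict(zip(HEADER_FIELDS, fields))
    header["version"] = int(header["version"])
    ext = parse_extension(raw_ext)
    return {"header": header, "extension": ext, "classified": classify_extension(ext)}


if __name__ == "__main__":
    import json
    print(json.dumps(parse_cef(SAMPLE), indent=2))
```

Running the block prints the header exactly as in the page's parsed.cef.header example, with cs1Label/cs1 collapsed to Policy=Block=All and customTag reported as a user-defined extension; a search on parsed.cef.extension in the console is the place to check that the same custom labels arrived intact from your devices.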
Confirm Whether Log Messages Are in CEF Format
To understand whether you have logs in CEF format, you can filter your search results with EXISTS(parsed.cef). The query below will return the most recent log messages in CEF format in your account.
SELECT
time_recv AS "Time Received",
message AS "Message",
parsed.cef AS "CEF"
FROM logmsgs
WHERE
-- Only log messages where parsed.cef exists
EXISTS(parsed.cef)
ORDER BY time_recv DESC
LIMIT 100
To utilize this query immediately, open this query in the Alert Logic console.
Additional Resources
For more information on working with Alert Logic Search, see the following knowledge base articles: