CEF Severity Value Not getting Parsed Properly

Tags: CEF | xm_cef

#1 himanshu.arora

Hi, I am following the CEF documentation from here https://community.microfocus.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Implementation-Standard/ta-p/1645557

In this it is written that Severity is a string or integer and reflects the importance of the event. The valid string values are Unknown, Low, Medium, High, and Very-High. The valid integer values are 0-3=Low, 4-6=Medium, 7-8=High, and 9-10=Very-High.

I am using the xm_cef module to parse the CEF message, and according to the above description, if string values are provided they should be converted to the appropriate integer values or left as they are, but the xm_cef module is converting the string values to 0.

e.g. Input: CEF:0|Product|Example|unknown|1|Account|Very-High|dvchost=localhost duser=1234567 src=1.1.1.1 (the severity value is Very-High)

Output (the field CEFSeverity is 0):

{ "EventReceivedTime":"2019-05-02T04:58:30.333756-07:00", "SourceModuleName":"cef_input", "SourceModuleType":"im_file", "SyslogFacilityValue":1, "SyslogFacility":"USER", "SyslogSeverityValue":5, "SyslogSeverity":"NOTICE", "SeverityValue":1, "Severity":"DEBUG", "EventTime":"2019-05-02T04:58:30.333784-07:00", "Hostname":"ubuntu", "SourceName":"CEF", "Message":"0|Product|Example|unknown|1|Account|Very-High|dvchost=localhost duser=1234567 src=1.1.1.1", "CEFVersion":0, "CEFDeviceVendor":"Product", "CEFDeviceProduct":"Example", "CEFDeviceVersion":"unknown", "CEFSignatureID":"1", "CEFName":"Account", "CEFSeverity":0, "dvchost":"localhost", "duser":"1234567", "src":"1.1.1.1" }

I have tried with Low, Medium, High and Very-High; it converts all of them to 0. I have used the same conf file as in https://nxlog.co/question/4618/xmcef-xmjson-unexpected-behaviour-while-converting-cef-json#comment-7579. NXLog version: nxlog-4.3.4308-trial

There is no log output with respect to this.

#2 Zhengshi Nxlog ✓

Currently the field is set to expect an integer. We have created a feature request to extend this to include strings as well.

$CEFSeverity (type: integer) A numeric value between 1 and 10 that indicates the severity of the event, where: 1 is the lowest event severity, 10 is the highest event severity. This field takes the value of the Severity CEF header field.

Thank you
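As an added illustration (not NXLog code and not the xm_cef implementation), a small Python parser for the CEF header that accepts both forms of the Severity field described in the thread: the integer form is range-checked, the string form is mapped to an integer, and anything else is rejected rather than collapsed to 0. The integer chosen for each string (the top of each range quoted from the ArcSight standard) is this example's assumption, and the sample input is the line from the question.

```python
import re

# Representative integer for each severity string. The ranges are those quoted
# from the ArcSight CEF standard in the question (0-3 Low, 4-6 Medium, 7-8 High,
# 9-10 Very-High); picking the top of each range is this example's assumption.
SEVERITY_STRINGS = {"low": 3, "medium": 6, "high": 8, "very-high": 10, "unknown": None}

HEADER_KEYS = ("CEFVersion", "CEFDeviceVendor", "CEFDeviceProduct",
               "CEFDeviceVersion", "CEFSignatureID", "CEFName", "CEFSeverity")

# Constructed sample: the input line from the question.
SAMPLE = ("CEF:0|Product|Example|unknown|1|Account|Very-High|"
          "dvchost=localhost duser=1234567 src=1.1.1.1")


def normalize_severity(raw):
    """Map the CEF Severity header to an integer 0-10 (None for Unknown).

    Both the integer and the string form are accepted; anything else raises
    instead of being silently collapsed to 0, the behaviour the question reports.
    """
    text = raw.strip()
    if text.isdigit():
        value = int(text)
        if 0 <= value <= 10:
            return value
        raise ValueError(f"CEF severity out of range: {raw!r}")
    key = text.lower()
    if key in SEVERITY_STRINGS:
        return SEVERITY_STRINGS[key]
    raise ValueError(f"unrecognized CEF severity: {raw!r}")


def parse_cef(line):
    """Split a CEF record into its seven header fields plus extension key/values."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    # Header fields are '|'-separated; an escaped '\|' inside a field must not split.
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("expected 7 CEF header fields and an extension")
    record = dict(zip(HEADER_KEYS, parts[:7]))
    record["CEFVersion"] = int(record["CEFVersion"])
    record["CEFSeverityRaw"] = record["CEFSeverity"]  # keep the original text
    record["CEFSeverity"] = normalize_severity(record["CEFSeverity"])
    # Extension: key=value pairs; values may contain spaces, so a value runs
    # until the next ' key=' token. CEF escape sequences are left unchanged.
    for key, value in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)", parts[7]):
        record[key] = value
    return record
```

Keeping the raw text in a separate field preserves the original value for auditing while the normalized integer remains usable for filtering and alert thresholds.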