tevfikceydeliler created
Hi, I am following the CEF documentation from here https://community.microfocus.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Implementation-Standard/ta-p/1645557
In this its written that
Severity is a string or integer and reflects the importance of the event. The valid string values are Unknown, Low, Medium, High, and Very-High. The valid integer values are 0-3=Low, 4-6=Medium, 7- 8=High, and 9-10=Very-High.
I am using xm_cef module to parse the CEF message and according to the above description if String values are provided they should be converted to appropriate Integer values or left as it is but the xm_cef module is converting the string values to 0.
eg:- Input:- CEF:0|Product|Example|unknown|1|Account|Very-High|dvchost=localhost duser=1234567 src=1.1.1.1 the severity value is Very-High
Output:- (the field CEF Severity is 0 ) { "EventReceivedTime":"2019-05-02T04:58:30.333756-07:00", "SourceModuleName":"cef_input", "SourceModuleType":"im_file", "SyslogFacilityValue":1, "SyslogFacility":"USER", "SyslogSeverityValue":5, "SyslogSeverity":"NOTICE", "SeverityValue":1, "Severity":"DEBUG", "EventTime":"2019-05-02T04:58:30.333784-07:00", "Hostname":"ubuntu", "SourceName":"CEF", "Message":"0|Product|Example|unknown|1|Account|Very-High|dvchost=localhost duser=1234567 src=1.1.1.1", "CEFVersion":0, "CEFDeviceVendor":"Product", "CEFDeviceProduct":"Example", "CEFDeviceVersion":"unknown", "CEFSignatureID":"1", "CEFName":"Account", "CEFSeverity":0, "dvchost":"localhost", "duser":"1234567", "src":"1.1.1.1" }
I have tried with Low, Medium,High,Very-High,it converts all of them to 0.
I have used the conf file same as in https://nxlog.co/question/4618/xmcef-xmjson-unexpected-behaviour-while-converting-cef-json#comment-7579
NXlog version :- nxlog-4.3.4308-trial
There is no log output with respect to this
himanshu.arora created
