79. Log Event Extended Format (LEEF)

Table of Contents

NXLog Enterprise Edition can be configured to collect or forward logs in the LEEF format.

The LEEF log format is used by IBM Security QRadar products and supports Syslog as a transport. It describes an event using key-value pairs, and provides a list of predefined event attributes. Additional attributes can be used for specific applications.

Basic LEEF syntax

SYSLOG_HEADER LEEF_HEADER|EVENT_ATTRIBUTES

The LEEF_HEADER part contains the following pipe-delimited fields.

LEEF version
Vendor
Product name
Product version
Event ID
Optional delimiter character, as the character or its hexadecimal value prefixed by 0x or x (LEEF version 2.0)

The EVENT_ATTRIBUTES part contains a list of key-value pairs separated by a tab or the delimiter specified in the LEEF header.

Full LEEF syntax

Oct 11 11:27:23 myserver LEEF:Version|Vendor|Product|Version|EventID|Delimiter|src=192.168.1.1⇥dst=10.0.0.1

79.1. Collecting LEEF logs

NXLog Enterprise Edition can parse LEEF logs with the xm_leef module’s parse_leef() procedure.

Example 390. Accepting LEEF logs via TCP

With the following configuration, NXLog will accept LEEF logs via TCP, convert them to JSON, and output the result to file.

nxlog.conf


  1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

  <Extension _json>
    Module  xm_json
</Extension>

<Extension _leef>
    Module  xm_leef
</Extension>

<Input in>
    Module  im_tcp
    Host    0.0.0.0
    Port    1514
    Exec    parse_leef();
</Input>

<Output out>
    Module  om_file
    File    '/var/log/json'
    Exec    to_json();
</Output>

Input sample

Oct 11 11:27:23 myserver LEEF:2.0|Microsoft|MSExchange|2013 SP1|15345|src=10.50.1.1⇥dst=2.10.20.20⇥spt=1200

Output sample

{
  "EventReceivedTime": "2016-10-11 11:27:24",
  "SourceModuleName": "in",
  "SourceModuleType": "im_file",
  "Hostname": "myserver",
  "LEEFVersion": "LEEF:2.0",
  "Vendor": "Microsoft",
  "SourceName": "MSExchange",
  "Version": "2013 SP1",
  "EventID": "15345"
}

79.2. Generating LEEF logs

NXLog Enterprise Edition can also generate LEEF logs, using the to_leef() procedure provided by the xm_leef extension module.

Example 391. Sending LEEF logs via TCP

With this configuration, NXLog will parse the input JSON format from file and forward it as LEEF via TCP.

nxlog.conf


  1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

  <Extension _json>
    Module  xm_json
</Extension>

<Extension _leef>
    Module  xm_leef
</Extension>

<Input in>
    Module  im_file
    File    '/var/log/json'
    Exec    parse_json();
</Input>

<Output out>
    Module  om_tcp
    Host    10.12.0.1
    Port    514
    Exec    to_leef();
</Output>

Input sample

{
  "EventTime": "2016-09-13 11:23:11",
  "Hostname": "myserver",
  "Purpose": "test",
  "Message": "This is a test log message."
}

Output sample

<13>Sep 13 11:23:11 myserver LEEF:1.0|NXLog|in|3.0.1775|unknown|EventReceivedTime=2016-09-13 11:23:12⇥SourceModuleName=in⇥SourceModuleType=im_file⇥devTime=2016-09-13 11:23:11⇥identHostName=myserver⇥Purpose=test⇥Message=This is a test log message.⇥devTimeFormat=yyyy-MM-dd HH:mm:ss

Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here.

Last revision: 03 June 2019

You are here

79. Log Event Extended Format (LEEF) | Log Collection Solutions