Enterprise Edition Reference Manual
130.5. Common Event Format (xm_cef)
This module provides functions for generating and parsing data in the ArcSight Common Event Format (CEF). For more information about the format, see Implementing ArcSight Common Event Format (CEF).
Note: CEF uses Syslog as a transport. For this reason the xm_syslog module must be used in conjunction with xm_cef in order to parse or generate the additional Syslog header, unless the CEF data is used without Syslog. See the examples for both cases below.
Note: To examine the supported platforms, see the list of installer packages in the Available Modules chapter.
130.5.1. Configuration
The xm_cef module accepts the following directive in addition to the common module directives.
IncludeHiddenFields
This boolean directive specifies whether the to_cef() function and the to_cef() procedure include hidden fields, those whose names begin with a dot (.) or an underscore (_), as CEF extension fields. The default is TRUE.
130.5.2. Functions
The following functions are exported by xm_cef.
string to_cef()
Convert the specified fields to a single CEF formatted string. Note that the IncludeHiddenFields directive has an effect on the extension fields in the output.
130.5.3. Procedures
The following procedures are exported by xm_cef.
parse_cef();
Parse the $raw_event field as CEF input.
parse_cef(string source);
Parse the given string as CEF format.
to_cef();
Format the specified fields as CEF and put this into the $raw_event field. The CEF header fields can be overridden by values contained in the following NXLog fields: $CEFVersion, $CEFDeviceVendor, $CEFDeviceProduct, $CEFDeviceVersion, $CEFSignatureID, $CEFName, and $CEFSeverity. Note that the IncludeHiddenFields directive has an effect on the extension fields in the output.
130.5.4. Fields
The following fields are used by xm_cef.
In addition to the fields listed below, the parse_cef() procedure will create a field for every key-value pair contained in the Extension CEF field, such as $act, $cnt, $dhost, etc.
$CEFDeviceProduct (type: string)
The name of the software or appliance that sent the CEF-formatted event log. This field takes the value of the Device Product CEF header field.
$CEFDeviceVendor (type: string)
The vendor or manufacturer of the device that sent the CEF-formatted event log. This field takes the value of the Device Vendor CEF header field.
$CEFDeviceVersion (type: string)
The version of the software or appliance that sent the CEF-formatted event log. This field takes the value of the Device Version CEF header field.
$CEFName (type: string)
A human-readable description of the event. This field takes the value of the Name CEF header field.
$CEFSeverity (type: integer)
A numeric value between 1 and 10 that indicates the severity of the event, where 1 is the lowest event severity and 10 is the highest event severity. This field takes the value of the Severity CEF header field.
$CEFSignatureID (type: string)
A unique identifier (unique per event type) used to determine the type of the reported event. This field takes the value of the Signature ID CEF header field.
$CEFVersion (type: integer)
The version of the CEF format. This field takes the value of the Version CEF header field.
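The procedures and fields above describe what parse_cef() and to_cef() consume and produce. The stand-alone Python script below is an added illustration, not NXLog code and not part of this manual: it re-implements the CEF wire rules (the seven pipe-separated header fields, where only backslash and pipe are escaped, and the space-separated key=value extension, where backslash, equals sign and line breaks are escaped) so that the $CEF* header fields and the per-key extension fields listed in this section can be seen being parsed and generated, including a round trip that preserves escaping. The function names parse_cef, to_cef and parse_syslog_cef, the include_hidden parameter (standing in for the IncludeHiddenFields directive) and the sample lines are all constructed for this example.

```python
"""Minimal CEF parser/formatter (added example, not NXLog code)."""
import re

# The seven header fields in wire order, named like NXLog's $CEF* fields.
HEADER_FIELDS = ("CEFVersion", "CEFDeviceVendor", "CEFDeviceProduct",
                 "CEFDeviceVersion", "CEFSignatureID", "CEFName", "CEFSeverity")

# An extension key is alphanumerics/'_'/'.' preceded by start-of-string or whitespace.
# An escaped '\=' inside a value never matches because '\' is outside the key class.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_header(text):
    """Split the text after 'CEF:' into 7 header fields plus the raw extension.
    In the header only '\\|' and '\\\\' are escapes; an unescaped '|' ends a field."""
    fields, buf, i, n = [], [], 0, len(text)
    while i < n and len(fields) < 7:
        c = text[i]
        if c == "\\" and i + 1 < n:
            buf.append(text[i + 1])          # keep the escaped character literally
            i += 2
        elif c == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    if len(fields) == 6:                     # line ended on Severity without a trailing '|'
        fields.append("".join(buf))
    return fields, text[i:]


def _unescape_ext(value):
    """Extension values escape '\\', '=' and line breaks as \\\\ \\= \\n \\r."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext):
    """key=value pairs separated by spaces; a value runs until the next key."""
    matches = list(KEY_RE.finditer(ext))
    out = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end])
    return out


def parse_cef(line):
    """Parse one CEF message into a dict keyed like NXLog's fields."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF message: %r" % line[:20])
    header, ext = _split_header(line[4:])
    if len(header) != 7:
        raise ValueError("CEF header needs 7 fields, got %d" % len(header))
    event = dict(zip(HEADER_FIELDS, header))
    event["CEFVersion"] = int(event["CEFVersion"])
    if event["CEFSeverity"].isdigit():       # the spec also allows Low/Medium/High/Very-High
        event["CEFSeverity"] = int(event["CEFSeverity"])
    event.update(_parse_extension(ext.strip()))
    return event


def parse_syslog_cef(line):
    """CEF usually rides in the syslog message part: skip the syslog header
    (the manual's second example does this with parse_syslog() first)."""
    pos = line.find("CEF:")
    if pos < 0:
        raise ValueError("no CEF payload in syslog line")
    return parse_cef(line[pos:])


def _escape_header(v):
    return str(v).replace("\\", "\\\\").replace("|", "\\|")


def _escape_ext(v):
    # Backslash first, so the backslashes added for '=' and newlines are not doubled.
    return (str(v).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(event, include_hidden=True):
    """Format a dict back into one CEF line. include_hidden stands in for the
    IncludeHiddenFields directive: when False, keys starting with '.' or '_' are
    left out of the extension."""
    header = "|".join(_escape_header(event.get(k, "")) for k in HEADER_FIELDS)
    ext = " ".join(
        "%s=%s" % (k, _escape_ext(v)) for k, v in event.items()
        if k not in HEADER_FIELDS and (include_hidden or not k.startswith((".", "_"))))
    return "CEF:%s|%s" % (header, ext)


# Constructed sample lines for this example (not captured from a real device).
SAMPLE_PLAIN = ("CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|"
                "src=10.0.0.1 dst=2.1.2.2 spt=1232")
SAMPLE_ESCAPED = (r"CEF:0|Acme\|Corp|fw|2.1|4711|Connection \\ allowed|3|"
                  r"msg=a\=b line1\nline2 act=blocked")
SAMPLE_SYSLOG = "<134>Feb  5 12:00:01 fw01 " + SAMPLE_PLAIN

if __name__ == "__main__":
    for s in (SAMPLE_PLAIN, SAMPLE_ESCAPED, SAMPLE_SYSLOG):
        ev = parse_syslog_cef(s)
        print(ev)
        assert to_cef(ev) == s[s.find("CEF:"):]   # round trip preserves the escaping
```

The escaped sample is the case worth checking on any CEF pipeline: a vendor name containing a pipe, a backslash in the Name field, and an extension value containing an equals sign and a line break. A parser that splits the header on every pipe, or the extension on every space, silently shifts the header fields or truncates msg, and the resulting $CEFDeviceVendor or $CEFSeverity values are wrong without any parse error.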
130.5.5. Examples
This configuration collects both Windows Event Log and NXLog internal messages, converts them to CEF with Syslog headers, and forwards the logs via UDP. Note that om_udp sends the events in clear text and without delivery confirmation, so this is suitable only on a trusted network segment; for transport over an untrusted network use om_tcp or om_ssl instead.
<Extension cef>
    Module  xm_cef
</Extension>

<Extension syslog>
    Module  xm_syslog
</Extension>

<Input internal>
    Module  im_internal
</Input>

<Input eventlog>
    Module  im_msvistalog
</Input>

<Output udp_output>
    Module  om_udp
    Host    192.168.168.2:1514
    Exec    $Message = to_cef(); to_syslog_bsd();
</Output>
The following configuration receives CEF logs over UDP, strips the Syslog header with parse_syslog(), parses the CEF payload from $Message, and converts the parsed data into JSON.
<Extension cef>
    Module  xm_cef
</Extension>

<Extension syslog>
    Module  xm_syslog
</Extension>

<Extension json>
    Module  xm_json
</Extension>

<Input udp_input>
    Module      im_udp
    ListenAddr  0.0.0.0:1514
    Exec        parse_syslog(); parse_cef($Message);
</Input>

<Output file_output>
    Module  om_file
    File    "cef2json.log"
    Exec    to_json();
</Output>