108.5. Common Event Format (xm_cef)

This module provides functions for generating and parsing data in the ArcSight Common Event Format (CEF). For more information about the format, see Implementing ArcSight Common Event Format (CEF).

Note
CEF uses Syslog as a transport. For this reason the xm_syslog module must be used in conjunction with xm_cef in order to parse or generate the additional Syslog header, unless the CEF data is used without Syslog. See examples for both cases below.

108.5.1. Configuration

The xm_cef module accepts the following directive in addition to the common module directives.

IncludeHiddenFields

This boolean directive specifies whether the to_cef() function and the to_cef() procedure should include fields whose names begin with a leading dot (.) or underscore (_). The default is FALSE. If IncludeHiddenFields is set to TRUE, the generated CEF text will contain these otherwise excluded fields as extension fields.

108.5.2. Functions

The following functions are exported by xm_cef.

string to_cef()

Convert the specified fields to a single CEF formatted string.

Note that the IncludeHiddenFields directive affects which extension fields appear in the output.

108.5.3. Procedures

The following procedures are exported by xm_cef.

parse_cef();

Parse the $raw_event field as CEF input.

parse_cef(string source);

Parse the given string as CEF format.

to_cef();

Format the specified fields as CEF and put this into the $raw_event field. The CEF header fields can be overridden by values contained in the following NXLog fields: $CEFVersion, $CEFDeviceVendor, $CEFDeviceProduct, $CEFDeviceVersion, $CEFSignatureID, $CEFName, and $CEFSeverity.

Note that the IncludeHiddenFields directive affects which extension fields appear in the output.

108.5.4. Fields

The following fields are used by xm_cef.

In addition to the fields listed below, the parse_cef() procedure will create a field for every key-value pair contained in the Extension CEF field, such as $act, $cnt, $dhost, etc.

$CEFDeviceProduct (type: string)

The name of the software or appliance that sent the CEF-formatted event log. This field takes the value of the Device Product CEF header field.

$CEFDeviceVendor (type: string)

The vendor or manufacturer of the device that sent the CEF-formatted event log. This field takes the value of the Device Vendor CEF header field.

$CEFDeviceVersion (type: string)

The version of the software or appliance that sent the CEF-formatted event log. This field takes the value of the Device Version CEF header field.

$CEFName (type: string)

A human-readable description of the event. This field takes the value of the Name CEF header field.

$CEFSeverity (type: integer)

A numeric value between 1 and 10 that indicates the severity of the event, where:

  • 1 is the lowest event severity,

  • 10 is the highest event severity.

This field takes the value of the Severity CEF header field.

$CEFSignatureID (type: string)

A unique identifier (unique per event type) used to determine the type of the reported event. This field takes the value of the Signature ID CEF header field.

$CEFVersion (type: integer)

The version of the CEF format. This field takes the value of the Version CEF header field.
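The following Python module is an added illustration, not NXLog code, of what parse_cef() and to_cef() do with the fields listed above and with the IncludeHiddenFields directive. It splits the seven pipe-delimited header fields into keys named after the $CEF* fields, turns every key=value pair of the extension into its own entry, and serialises a record back, applying the CEF escaping rules (backslash and pipe in the header; backslash, equals sign and line breaks in the extension). The escaping matters on the generating side: a Name or Device Product value containing a pipe must be emitted as \| so that it cannot shift the remaining header fields when the line is parsed downstream. The sample record and the field dictionary are constructed for this example; the function names mirror the NXLog procedures but are assumptions of this illustration.

```python
import re

# The seven CEF header fields, in wire order after the "CEF:" prefix, named
# like the NXLog $CEF* fields described on this page.
HEADER_FIELDS = (
    "CEFVersion", "CEFDeviceVendor", "CEFDeviceProduct", "CEFDeviceVersion",
    "CEFSignatureID", "CEFName", "CEFSeverity",
)

# An extension key: word characters (dot and underscore included, so hidden
# names such as .SourceModuleName round-trip) at the start of the extension
# or after whitespace, followed by '='. An escaped '\=' inside a value never
# matches because the backslash is not part of the key class.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

# Constructed sample record (not from the page): the Name header carries an
# escaped pipe and the msg value carries an escaped '='.
SAMPLE = (r"CEF:0|Acme|Firewall|1.2|100|Blocked \| Dropped|7|"
          r"src=10.0.0.5 act=blocked msg=key\=value two")


def _escape_header(value):
    # Only backslash and pipe are special in the header.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_ext(value):
    # Backslash and '=' are special in the extension; line breaks are encoded.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def _unescape_ext(value):
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def to_cef(fields, include_hidden=False):
    """Serialise a dict into one CEF line, the way to_cef() does.

    Header values are taken from the CEF* keys; every other key becomes an
    extension pair. Keys starting with '.' or '_' are skipped unless
    include_hidden is True, mirroring the IncludeHiddenFields directive.
    """
    header = "CEF:" + "|".join(
        _escape_header(fields.get(name, "")) for name in HEADER_FIELDS)
    extension = " ".join(
        "%s=%s" % (key, _escape_ext(val)) for key, val in fields.items()
        if key not in HEADER_FIELDS
        and (include_hidden or not key.startswith((".", "_"))))
    return header + "|" + extension


def parse_cef(line):
    """Parse one CEF line into a dict, the way parse_cef() fills fields.

    Raises ValueError on a record without seven header fields or with a
    non-integer Version or Severity, so malformed input is rejected rather
    than silently mapped onto the wrong header field.
    """
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts, buf, i = [], [], len("CEF:")
    while i < len(line) and len(parts) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])       # escaped '|' or '\' inside a header
            i += 2
            continue
        if ch == "|":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(parts) < 7:
        raise ValueError("CEF header must have seven pipe-delimited fields")
    fields = dict(zip(HEADER_FIELDS, parts))
    fields["CEFVersion"] = int(fields["CEFVersion"])
    fields["CEFSeverity"] = int(fields["CEFSeverity"])
    extension = line[i:]                  # everything after the seventh pipe
    keys = list(_EXT_KEY.finditer(extension))
    for n, match in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(extension)
        fields[match.group(1)] = _unescape_ext(extension[match.end():end].strip())
    return fields


if __name__ == "__main__":
    record = parse_cef(SAMPLE)
    print(record)
    print(to_cef(record))
    record[".SourceModuleName"] = "udp"     # hidden field, as NXLog names them
    print(to_cef(record))                   # omitted here ...
    print(to_cef(record, include_hidden=True))  # ... and emitted here
```

Parsing the sample and serialising the result reproduces the input byte for byte, and a record whose Name contains a raw pipe survives the round trip because the generator escapes it; a downstream parser therefore still sees exactly seven header fields.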

108.5.5. Examples

Example 486. Sending Windows EventLog as CEF over UDP

This configuration collects both Windows EventLog and NXLog internal messages, converts to CEF with Syslog headers, and forwards via UDP.

nxlog.conf

<Extension cef>
    Module  xm_cef
</Extension>

<Extension syslog>
    Module  xm_syslog
</Extension>

<Input internal>
    Module  im_internal
</Input>

<Input eventlog>
    Module  im_msvistalog
</Input>

<Output udp>
    Module  om_udp
    Host    192.168.168.2
    Port    1514
    Exec    $Message = to_cef(); to_syslog_bsd();
</Output>

<Route arcsight>
    Path    internal, eventlog => udp
</Route>

Example 487. Parsing CEF

The following configuration receives CEF over UDP and converts the parsed data into JSON.

nxlog.conf

<Extension cef>
    Module  xm_cef
</Extension>

<Extension syslog>
    Module  xm_syslog
</Extension>

<Extension json>
    Module  xm_json
</Extension>

<Input udp>
    Module  im_udp
    Host    0.0.0.0
    Exec    parse_syslog(); parse_cef($Message);
</Input>

<Output file>
    Module  om_file
    File    "cef2json.log"
    Exec    to_json();
</Output>

<Route cef2json>
    Path    udp => file
</Route>