
108.15. LEEF (xm_leef)

This module provides two functions to generate and parse data in the Log Event Extended Format (LEEF), which is used by IBM Security QRadar products. For more information about the format see the Log Event Extended Format (LEEF) Version 2 specification.

108.15.1. Configuration

The xm_leef module accepts the following directives in addition to the common module directives.

AddSyslogHeader

This optional boolean directive specifies whether an RFC 3164 (BSD-style) Syslog header should be prepended to the output. This defaults to TRUE (a Syslog header will be added by the to_leef() procedure).

IncludeHiddenFields

This boolean directive specifies that the to_leef() function or the to_leef() procedure should include fields having a leading dot (.) or underscore (_) in their names. The default is FALSE. If IncludeHiddenFields is set to TRUE, then the generated LEEF text will contain these otherwise excluded fields.

LEEFHeader

This optional directive takes a string type expression and only has an effect on how to_leef() formats the result. It should evaluate to the following format:

LEEF:1.0|Microsoft|MSExchange|2013 SP1|15345|

It should typically be used as follows:

LEEFHeader 'LEEF:1.0|Microsoft|MSExchange|2013 SP1|' + $EventID + '|'

When this directive is not specified, the LEEF header is constructed using the $Vendor, $SourceName (or $SourceModuleName), $Version, and $EventID fields.

108.15.2. Functions

The following functions are exported by xm_leef.

string to_leef()

Convert the internal fields to a single LEEF formatted string.

Note that directive IncludeHiddenFields has an effect on fields included in the output.

108.15.3. Procedures

The following procedures are exported by xm_leef.

parse_leef();

Parse the $raw_event field as key-value pairs and create the following NXLog fields (if possible): $Category, $AccountName, $AccountType, $Domain, $EventTime, $Hostname, $MessageSourceAddress, $SeverityValue (mapped from the sev attribute), $SourceName, $devTimeFormat, $LEEFVersion, $Vendor, $Version, $EventID, $DelimiterCharacter.

parse_leef(string source);

Parse the given string as key-value pairs and create the following NXLog fields (if possible): $Category, $AccountName, $AccountType, $Domain, $EventTime, $Hostname, $MessageSourceAddress, $SeverityValue (mapped from the sev attribute), $SourceName, $devTimeFormat, $LEEFVersion, $Vendor, $Version, $EventID, $DelimiterCharacter.

to_leef();

Format the internal fields as LEEF and put this into the $raw_event field. to_leef() will automatically map the following fields to event attributes, if available:

NXLog field               LEEF attribute
$AccountName              accountName
$AccountType              role
$Category                 cat
$Domain                   domain
$EventTime                devTime
$Hostname                 identHostName
$MessageSourceAddress     src
$SeverityValue (mapped)   sev
$SourceName               vSrcName

108.15.4. Fields

The following fields are used by xm_leef.

In addition to the fields listed below, the parse_leef() procedure will create a field for every LEEF attribute contained in the source LEEF message such as $srcPort, $cat, $identHostName, etc.

$AccountName (type: string)

The name of the user account that created the event.

$AccountType (type: string)

The type of the user account (e.g. Administrator, User, Domain Admin) that created the event. This field takes the value of the role LEEF attribute.

$Category (type: string)

A text string that extends the LEEF EventID field with more specific information about the LEEF event. This field takes the value of the cat LEEF attribute.

$DelimiterCharacter (type: string)

The character specified as a delimiter in the LEEF header.

$devTimeFormat (type: string)

A string that defines the date format of the LEEF event, contained in the devTimeFormat LEEF attribute, for example, "yyyy-MM-dd HH:mm:ss".

$Domain (type: string)

The name of the domain the user account belongs to.

$EventID (type: string)

The ID of the event. This field takes the value of the EventID LEEF header.

$EventTime (type: datetime)

The time when the event occurred. This field takes the value of the devTime LEEF attribute.

$Hostname (type: string)

The name of the host that created the event. This field takes the value of the identHostName LEEF attribute.

$LEEFVersion (type: string)

The LEEF format version contained in the LEEF header, for example, LEEF:1.0.

$MessageSourceAddress (type: ip4addr)

The IP address of the device that created the event. This field takes the value of the src LEEF attribute.

$SeverityValue (type: string)

A numeric value between 1 and 5 that indicates the severity of the event. This value is mapped to or from the value of the sev LEEF attribute:

LEEF sev attribute   $SeverityValue
≤2                   1
3                    1
4                    2
5                    2
6                    3
7                    3
8                    4
9                    4
≥10                  5
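An added example, not part of the NXLog documentation or the module's own code: a small Python parser that does what the parse_leef() procedure above describes (skips a prepended syslog header, reads the LEEF 1.0/2.0 header fields and the delimiter, copies every attribute to a field of its own and the well-known ones to their NXLog names) and applies the sev to $SeverityValue table. It assumes a LEEF 2.x header always carries the sixth (delimiter) field, keeps devTime as text rather than parsing it, and the sample event is constructed.

```python
import re

# Severity mapping reproduced from the sev -> $SeverityValue table in this section.
def map_severity(sev: int) -> int:
    if sev <= 2:
        return 1
    if sev >= 10:
        return 5
    return sev // 2  # 3 -> 1, 4/5 -> 2, 6/7 -> 3, 8/9 -> 4

def decode_delimiter(spec: str) -> str:
    """LEEF 2.0 sixth header field: a literal character or hex code (x09 / 0x09); empty = tab."""
    m = re.fullmatch(r"0?x([0-9A-Fa-f]{2,4})", spec)
    return chr(int(m.group(1), 16)) if m else (spec or "\t")

# LEEF attribute -> NXLog field, from the to_leef() mapping table in this section.
ATTR_TO_FIELD = {"accountName": "AccountName", "role": "AccountType", "cat": "Category",
                 "domain": "Domain", "identHostName": "Hostname", "src": "MessageSourceAddress",
                 "devTime": "EventTime"}

def parse_leef(raw: str) -> dict:
    """Parse one LEEF 1.0/2.0 event (optionally behind a BSD syslog header) into NXLog-style fields."""
    start = raw.find("LEEF:")  # skip a prepended RFC 3164 header, if any
    if start < 0:
        raise ValueError("no LEEF header")
    # '|'-separated header; assumption: a LEEF 2.x header always has the sixth (delimiter) field.
    version = raw[start:].split("|", 1)[0]
    nheader = 6 if version.startswith("LEEF:2") else 5
    parts = raw[start:].rstrip("\r\n").split("|", nheader)
    if len(parts) != nheader + 1:
        raise ValueError("truncated LEEF header")
    fields = {"LEEFVersion": parts[0], "Vendor": parts[1], "SourceName": parts[2],
              "Version": parts[3], "EventID": parts[4],
              "DelimiterCharacter": decode_delimiter(parts[5]) if nheader == 6 else "\t"}
    # As parse_leef() does: each attribute becomes a field; known ones also get their NXLog names.
    for pair in parts[nheader].split(fields["DelimiterCharacter"]):
        key, sep, value = pair.partition("=")
        if not sep:
            continue  # tolerate empty trailing tokens and stray delimiters
        fields[key.strip()] = value
        if key.strip() in ATTR_TO_FIELD:
            fields[ATTR_TO_FIELD[key.strip()]] = value
    if fields.get("sev", "").isdigit():
        fields["SeverityValue"] = map_severity(int(fields["sev"]))
    return fields

# Constructed sample (not from the page): syslog header + LEEF 2.0 using '^' as delimiter.
SAMPLE = ("<13>Jan  5 10:00:00 mail01 LEEF:2.0|Microsoft|MSExchange|2013 SP1|15345|^|"
          "devTime=2024-01-05 10:00:00^sev=7^src=10.0.0.5^identHostName=mail01^role=User")
```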

$SourceName (type: string)

The name of the subsystem or application that generated the event. This field takes the value of the Product LEEF header field.

$Vendor (type: string)

A text string that identifies the vendor or manufacturer of the device sending the syslog event in the LEEF format. This field takes the value of the Vendor LEEF header field.

$Version (type: string)

A string that identifies the version of the software or appliance that sent the event log. This field takes the value of the Product version LEEF header field.

108.15.5. Examples

Example 505. Sending Windows EventLog as LEEF over UDP

This configuration will collect Windows EventLog and NXLog internal messages, convert them to LEEF, and forward via UDP.

nxlog.conf
<Extension leef>
    Module  xm_leef
</Extension>

<Input internal>
    Module  im_internal
</Input>

<Input eventlog>
    Module  im_msvistalog
</Input>

<Output udp>
    Module  om_udp
    Host    192.168.168.2
    Port    1514
    Exec    to_leef();
</Output>

<Route qradar>
    Path    internal, eventlog => udp
</Route>