Common Event Format - Add-on

The Common Event Format (CEF) is a standard for the interoperability of event- or log-generating devices and applications. The standard defines a syntax for log records: a record comprises a fixed prefix and a variable extension that is formatted as key-value pairs. The standards document is unfortunately only available if you register on the ArcSight Web site. I wish ArcSight would post a link to the standards document, instead of making you register to download it. If you want more detailed information about CEF, check out an older post that I wrote while I was still working on CEF.

I just wrote a CEF add-on for Splunk. It defines field extractions for CEF formatted messages. Just install the add-on, set your source type to cef and you will be able to use the extracted fields from your CEF messages. Note that because CEF has an extension that is all key-value pairs, I did not have to write any special extractions for that part. I only had to implement extractions for the prefix. Very slick!
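As an added illustration (not code from the original post or from the add-on itself), here is a small Python parser for the two-part record structure described above: it splits the pipe-delimited prefix while honouring the spec's backslash escapes, then splits the extension at key boundaries rather than on whitespace, since a value such as msg= may itself contain spaces. The sample record is constructed for this example; the seven prefix field names follow the order the CEF spec defines.

```python
import re

# Constructed sample (not from the post); "msg" holds spaces and an escaped "\=".
SAMPLE = (
    r"CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|"
    r"src=10.0.0.1 dst=2.1.2.2 spt=1232 msg=Detected a\=b in flow"
)
# The seven prefix fields, in the order the CEF spec defines them.
HEADER_FIELDS = ["cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity"]
# A key starts at the beginning or after whitespace and ends at an unescaped "=".
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")
UNESCAPE = {r"\=": "=", r"\\": "\\", r"\n": "\n", r"\r": "\r"}

def split_prefix(record):
    """Split the '|'-delimited prefix (honouring '\\|' and '\\\\' escapes)."""
    fields, buf, i = [], [], 0
    while i < len(record) and len(fields) < 7:
        ch = record[i]
        if ch == "\\" and record[i + 1:i + 2] in ("|", "\\"):
            buf.append(record[i + 1])
            i += 1                      # consume the escaped character too
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF record: expected 7 '|'-delimited fields")
    return fields + [record[i:]]        # whatever remains is the extension

def parse_extension(ext):
    """Split the extension on key boundaries, so values may contain spaces."""
    matches = list(KEY_RE.finditer(ext))
    out = {}
    for m, nxt in zip(matches, matches[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)].strip()
        out[m.group(1)] = re.sub(r"\\[=\\nr]", lambda x: UNESCAPE[x.group(0)], raw)
    return out

def parse_cef(record):
    """Parse one CEF record into a dict; a syslog header before 'CEF:' is skipped."""
    parts = split_prefix(record[record.index("CEF:"):])   # ValueError if absent
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event["cef_version"] = parts[0][len("CEF:"):]
    event.update(parse_extension(parts[7]))
    return event
```

A naive split of the extension on spaces would break the msg value in the sample into several bogus keys; splitting at key boundaries is what makes a generic key-value extraction safe for CEF.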

10 Responses to “Common Event Format - Add-on”

  1. Stefan Says:

    Not going to hold my breath for a post that doesn’t contain anything negative on ArcSight.

  2. Rashaad Says:

    Raffy

How well does this CEF add-on integrate with an ArcSight Logger component? Couldn’t Logger forward CEF base events via syslog to a Splunk implementation and then give a user the ability to use Splunk to do analysis on events normalized, filtered…by Logger? Just curious b/c I am a Splunk and ArcSight user looking on how to leverage such a cool plugin. Thx.

  3. raffy Says:

    That would certainly work. The add-on will help you extract the fields from CEF formatted messages. Where they are coming from is irrelevant.
I don’t quite understand why you would do that, however. Because you can get CEF formatted messages from the other sources in your network? Why not just use the ArcSight connectors and directly forward to Splunk? Actually, I am not 100% sure anymore whether that’s possible or not. It might not be. In that case you’d have to go through Logger first…

  4. D Says:

Hey Raffy, great, thanks for this plug-in. Thanks to this we may even start using splunk in our product base. :)

  5. Rich G Says:

    Trying to get this to parse other input sources rather than the coded /var/log messages in /opt/splunk/etc/bundles/cef/inputs.conf. Adding a udp input source does not seem to be working.

  6. Raffael Marty Says:

It should work, but you might have to change the regex in transforms.conf slightly if the events don’t look exactly the same. And make sure you tag your sourcetype in the input definition in inputs.conf.

  7. Nygard Says:

Is CEF still alive? There hasn’t been much talk about it in the last year and a half, and ArcSight isn’t answering requests for copies of the standard document itself.

  8. Raffael Marty Says:

    Nygard, CEF is still alive. Well, as much as a published standard can still be alive. I would still recommend it. I think when certain people left ArcSight (*hint*), they lost someone that is actually responsible for CEF. I am still mad at them that they don’t make the document publicly available. Not sure if I can share a copy with you. But you can always have a look at what I built for Splunk: http://www.splunk.com/base/Apps:Common_Information_Model

  9. Brian Says:

Is this app still available? With the new apps page I can’t get to any of the old apps that I used to use, like Splunk for Snort or this one. I get dumped to their top-level apps page and only have access to some apps. The same minimal set of apps is available from my Splunk installation.

  10. Raffael Marty Says:

    Yes, the problem is that the app has not been updated to 4.0. You can still install it in 4.0. Just manually copy it into the apps directory and it should work. Actually, I think you should put the app into your systems directory (merge with the existing content that’s already there). That way your extractions will be available in all the apps. If anyone should update the app, let me know …