Common Event Format - Add-on

The Common Event Format (CEF) is a standard for the interoperability of event- or log-generating devices and applications. The standard defines a syntax for log records: it comprises a fixed prefix of pipe-delimited header fields and a variable extension formatted as key-value pairs. The standards document is unfortunately only available if you register on the Web site. I wish ArcSight would post a link to the standards document instead of making you register to download it. If you want more detailed information about CEF, check out an older post that I wrote when I was still working on CEF.

I just wrote a CEF add-on for Splunk. It defines field extractions for CEF-formatted messages. Just install the add-on, set your source type to cef, and you will be able to use the extracted fields from your CEF messages. Note that because the CEF extension is entirely key-value pairs, I did not have to write any special extractions for that part; Splunk's automatic key-value extraction handles it. I only had to implement extractions for the prefix. Very slick!
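To make the two halves of the format concrete, here is a small parser that does in Python what the add-on's extractions do inside Splunk: split the prefix on unescaped pipes, then pull key-value pairs out of the extension while keeping values that contain spaces (such as `msg=worm successfully stopped`) intact. This is an added example, not the add-on's code and not ArcSight's reference implementation; the field names `cef_version`, `device_vendor` and so on, the `syslog_header` key, and the sample line are my own choices.

```python
"""Field extraction for CEF-formatted log lines (added example, not the Splunk add-on's own code)."""
import re

# Names for the seven pipe-delimited header fields (assumed names, not the add-on's).
PREFIX_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# An extension key is alphanumeric (plus '_' and '.'), sits at the start of the
# extension or after whitespace, and is immediately followed by '='.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_EXT_ESCAPES = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}


def _split_prefix(text):
    """Split the header on the first seven unescaped '|' characters.

    Inside header fields '\\|' stands for a literal pipe and '\\\\' for a
    literal backslash, so the scan walks character by character instead of
    using str.split().
    """
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])   # keep the escaped character literally
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("incomplete CEF prefix: expected 7 '|'-delimited fields")
    return fields, text[i:]


def _unescape_ext(value):
    # In the extension, '\\=', '\\\\', '\\n' and '\\r' are the defined escapes.
    return re.sub(r"\\([\\=nr])", lambda m: _EXT_ESCAPES[m.group(1)], value)


def _parse_extension(ext):
    """Parse 'key=value key=value ...' where values may contain spaces.

    Each value runs from its '=' up to the start of the next 'key=' token.
    An escaped '\\=' inside a value never looks like a key because the
    character before '=' is a backslash, not a key character.
    """
    matches = list(_KEY_RE.finditer(ext))
    result = {}
    for idx, m in enumerate(matches):
        start = m.end()
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        result[m.group(1)] = _unescape_ext(ext[start:end].strip())
    return result


def parse_cef(line):
    """Return a dict of prefix fields plus extension key-value pairs.

    Anything before 'CEF:' (a syslog header, for example) is kept under
    'syslog_header' (assumed name) rather than discarded.
    """
    pos = line.find("CEF:")
    if pos < 0:
        raise ValueError("not a CEF message")
    header, body = line[:pos].strip(), line[pos + len("CEF:"):]
    fields, ext = _split_prefix(body)
    record = dict(zip(PREFIX_FIELDS, fields))
    if header:
        record["syslog_header"] = header
    record.update(_parse_extension(ext))
    return record


# Constructed sample line (not taken from the post) with an escaped pipe in
# the product name and an escaped '=' inside the free-text msg value.
SAMPLE = ("<134>Oct 10 12:00:00 host "
          "CEF:0|Security|threat\\|manager|1.0|100|worm successfully stopped|10|"
          "src=10.0.0.1 dst=2.1.2.2 spt=1232 msg=user\\=alice said hi")

if __name__ == "__main__":
    for key, value in parse_cef(SAMPLE).items():
        print(f"{key}={value!r}")
```

The prefix scan and the extension regex are deliberately separate, mirroring the post's point: the prefix needs custom handling for its positional fields and pipe escaping, while the extension is generic key-value text once you know that a value ends where the next `key=` begins.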

4 Responses to “Common Event Format - Add-on”

  1. Stefan Says:

    Not going to hold my breath for a post that doesn’t contain anything negative on ArcSight.

  2. Rashaad Says:

    Raffy

    How well does this CEF add-on integrate with an ArcSight Logger component? Couldn’t Logger forward CEF base events via syslog to a Splunk implementation and then give a user the ability to use Splunk to do analysis on events normalized, filtered…by Logger? Just curious b/c I am a Splunk and ArcSight user looking on how to leverage such a cool plugin. Thx.

  3. raffy Says:

    That would certainly work. The add-on will help you extract the fields from CEF formatted messages. Where they are coming from is irrelevant.
    I don’t quite understand why you would do that, however. Because you can get CEF formatted messages from the other sources in your network? Why not just use the ArcSight connectors and directly forward to Splunk? Actually, I am not 100% sure anymore whether that’s possible or not. It might not be. In that case you’d have to go through logger first…

  4. D Says:

    Hey Raffy, great, thanks for this plug-in. Thanks to this, we may even start using Splunk in our product base. :)
