@it-sec-std
Last active June 21, 2023 20:14
Security event log format and specs review

Sources

Specs

Others

Format & specs descriptions review

ArcSight CEF

LEEF

IBM QRadar, LogRhythm, and McAfee SIEM selection

Mitre CEE (suspended)

CEE is an open, practical, extensible, and industry-driven event logging specification with the goal of unifying event representation and classification. It's developed as a coordinated industry initiative with participation from end user groups, logging providers, SIEM vendors, independent experts, and U.S. government organizations. Development is facilitated by The MITRE Corporation as part of the Making Security Measurable initiative.

CEE Log Transport (CLT) provides the technical support necessary for a secure and reliable event management infrastructure. An event and audit infrastructure requires more than just standardized event records: support is needed for international string encodings, secure logging services, standardized event interfaces, and secure, verifiable event trails.

The CLT defines a list of CLT Protocol Requirements that CEE-compliant event transport protocols must meet in order to support specific logging capabilities. For example, any CLT Protocol must be able to transmit a CLS-encoded CEE Event in one or more encodings. More advanced CLT Protocols may additionally provide capabilities such as encryption and reliable delivery.

CLT also defines transport mappings. A CLT Mapping defines a mechanism for CEE Events to be transmitted over a certain CLT Protocol. Currently, the only CLT Mapping provided is for sending JSON-encoded CEE Events over the RFC5425 TLS Syslog protocol. This Mapping defines how the CEE Event can be encoded using an RFC5424 Syslog-compatible CLS Encoding and placed at a certain point in the Syslog message.

For more information, please see the CEE Log Transport Specification.

Format & specs descriptions review

Syslog RFC 3164

<118> Apr 18 16:32:58 10.0.1.11 QAUDJRN: [AF@0 event="AF-Authority failure" violation="A-Not authorized to object" actual_type="AF-A" jrn_seq="1001363" timestamp="20120418163258988000" job_name="QPADEV000B" user_name="TESTFORAF" job_number="256937" err_user="TESTFORAF" ip_addr="10.0.1.23" port="55875" action="Undefined(x00)" val_job="QPADEV000B" val_user="TESTFORAF" val_jobno="256937" object="AFTEST" object_library="CUS9242" object_type="*FILE" pgm_name="" pgm_libr="" workstation=""]
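The line above carries a BSD-style (RFC 3164) header followed by a bracketed block of key="value" pairs in the style of RFC 5424 structured data. The parser below is an added example, not code from this gist or from any vendor; it decodes the PRI into facility and severity, splits the header, and pulls the bracketed parameters into a dict. The sample input is a constructed, shortened copy of the line above. It tolerates the space after the PRI that the sample shows (RFC 3164 has none) and keeps the year-less timestamp as a raw string, since the format gives no year to resolve it with.

```python
import re

# Constructed sample, shortened from the QAUDJRN line shown above.
SAMPLE_3164 = (
    '<118> Apr 18 16:32:58 10.0.1.11 QAUDJRN: [AF@0 event="AF-Authority failure" '
    'violation="A-Not authorized to object" actual_type="AF-A" jrn_seq="1001363" '
    'user_name="TESTFORAF" ip_addr="10.0.1.23" port="55875" object="AFTEST" pgm_name=""]'
)

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 header: <PRI>TIMESTAMP HOSTNAME TAG: MSG. The RFC has no space after the
# PRI; the sample above carries one, so \s* accepts both. The timestamp has no year,
# which is why it is kept as the raw string here.
_HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>\s*'
    r'(?P<ts>[A-Z][a-z]{2}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2})\s+'
    r'(?P<host>\S+)\s+'
    r'(?P<tag>[^:\s]+):\s*'
    r'(?P<msg>.*)$', re.S)

# Bracketed body in the style of RFC 5424 structured data: [SD-ID key="value" ...]
_SD = re.compile(r'^\[(?P<sdid>[^\s\]]+)\s*(?P<params>.*)\]$', re.S)
_PARAM = re.compile(r'(?P<key>[^\s=]+)="(?P<val>(?:[^"\\]|\\.)*)"')


def decode_pri(pri: int) -> tuple:
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1); 118 -> (14, 6)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def _unescape_param(val: str) -> str:
    # RFC 5424 escapes '"', '\' and ']' inside a PARAM-VALUE with a backslash.
    return re.sub(r'\\(["\\\]])', r'\1', val)


def parse_rfc3164(line: str) -> dict:
    """Split header from message; if the message is a [SD-ID k="v" ...] block, extract its params."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    facility, severity = decode_pri(int(m['pri']))
    rec = {
        'facility': facility,
        'severity': severity,
        'severity_name': SEVERITY_NAMES[severity],
        'timestamp': m['ts'],
        'host': m['host'],
        'tag': m['tag'],
        'msg': m['msg'],
        'sd_id': None,
        'params': {},
    }
    sd = _SD.match(m['msg'].strip())
    if sd:
        rec['sd_id'] = sd['sdid']
        rec['params'] = {k: _unescape_param(v) for k, v in _PARAM.findall(sd['params'])}
    return rec


if __name__ == '__main__':
    import pprint
    pprint.pprint(parse_rfc3164(SAMPLE_3164))
```

For the sample, PRI 118 decodes to facility 14 (log alert) and severity 6 (informational); the user, object and source address live in the params dict, which is what a detection rule or a SIEM field mapping would consume.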

ArcSight CEF

May 29 15:26:33 host CEF:0|McAfee|Antivirus|5.2|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232
Feb 29 15:47:25 10.0.1.43 CEF: 0|PATownsend|IBM-QAUDJRN|1.28|1007|CO-Create object|4|msg=CO-Create object act=N-Create of new object actual_type=CO-N jrn_seq=102361 timestamp=20120229154725823000 dproc=ICC suser=MVAGANEK job_number=638012 eff_user=MVAGANEK object=X_BIGNUM object_library=ICAPITST object_type=*MODULE object_attrCLE

QRadar LEEF

Jan 18 11:07:53 192.168.1.1 LEEF:1.0|QRadar|QRM|1.0|NEW_PORT_DISCOVERD|src=172.5.6.67 dst=172.50.123.1 sev=5 cat=anomaly msg=there are spaces in this message
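CEF and LEEF share the same shape: an optional syslog prefix, a pipe-delimited header, then key=value attributes whose values may contain spaces (the LEEF line above shows one). The parser below is an added example written for this page, not ArcSight, QRadar or gist code. It splits the header on unescaped pipes (CEF escapes "|" and "\" in header fields, "=" and "\" in extension values), assigns a value to a key until the next " key=" token so that spaces survive, and handles the LEEF 2.0 optional delimiter field. The samples are the two lines from the page plus one constructed here to exercise the escape rules; the " key=" fallback is also what makes the LEEF sample parse even though its tab separators appear as spaces on the page.

```python
import re

# Constructed samples: the two lines from the page above plus one built here to
# exercise the escape rules (\| in header fields, \= and \\ in extension values).
CEF_MCAFEE = ('May 29 15:26:33 host CEF:0|McAfee|Antivirus|5.2|100|'
              'worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232')
CEF_ESCAPED = r'CEF:0|Vendor\|Inc|Prod|1.0|42|Pipe \| in name|5|msg=a\=b c\\d cs1=hello world rt=1'
LEEF_QRADAR = ('Jan 18 11:07:53 192.168.1.1 LEEF:1.0|QRadar|QRM|1.0|NEW_PORT_DISCOVERD|'
               'src=172.5.6.67 dst=172.50.123.1 sev=5 cat=anomaly msg=there are spaces in this message')

_CEF_LINE = re.compile(r'^(?:(?P<syslog>.*?)\s)?CEF:\s*(?P<rest>\d+\|.*)$', re.S)
_LEEF_LINE = re.compile(r'^(?:(?P<syslog>.*?)\s)?LEEF:\s*(?P<rest>\d+(?:\.\d+)?\|.*)$', re.S)
_EXT_KEY = re.compile(r'(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=')
CEF_HEADER = ('version', 'vendor', 'product', 'device_version', 'signature_id', 'name', 'severity')


def _split_unescaped(s: str, delim: str, maxsplit: int) -> list:
    """Split on delim at most maxsplit times, leaving backslash-escaped pairs untouched."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            buf.append(s[i:i + 2]); i += 2
        elif s[i] == delim and len(parts) < maxsplit:
            parts.append(''.join(buf)); buf = []; i += 1
        else:
            buf.append(s[i]); i += 1
    parts.append(''.join(buf))
    return parts


def _unescape_header(v: str) -> str:
    return re.sub(r'\\([|\\])', r'\1', v)


def _unescape_ext(v: str) -> str:
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 'r': '\r'}.get(m.group(1), m.group(1)), v)


def parse_extension(ext: str, delim: str = None) -> dict:
    """key=value pairs. With an explicit delimiter present (LEEF tab/custom) split on it;
    otherwise a value runs until the next ' key=' token, so spaces inside values survive."""
    out = {}
    if delim is not None and delim in ext:
        for part in ext.split(delim):
            if part:
                k, _, v = part.partition('=')
                out[k] = _unescape_ext(v)
        return out
    keys = list(_EXT_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return out


def parse_cef(line: str) -> dict:
    m = _CEF_LINE.match(line)
    if not m:
        raise ValueError('no CEF:version| prefix found')
    fields = _split_unescaped(m['rest'], '|', 7)
    if len(fields) != 8:
        raise ValueError(f'expected 7 header fields plus extension, got {len(fields) - 1}')
    rec = dict(zip(CEF_HEADER, (_unescape_header(f) for f in fields[:7])))
    sev = rec['severity']  # 0..10, or Low/Medium/High/Very-High in some products
    rec['severity'] = int(sev) if sev.isdigit() else sev
    rec['syslog_prefix'] = m['syslog']
    rec['extension'] = parse_extension(fields[7])
    return rec


def _leef_delim(field: str) -> str:
    if field == '':
        return '\t'
    if len(field) == 1:
        return field
    if field[0] in 'xX' and len(field) == 3:  # hex form such as x09
        return chr(int(field[1:], 16))
    raise ValueError(f'bad LEEF delimiter field: {field!r}')


def parse_leef(line: str) -> dict:
    m = _LEEF_LINE.match(line)
    if not m:
        raise ValueError('no LEEF:version| prefix found')
    version = m['rest'].split('|', 1)[0]
    # LEEF 1.0: 5 header fields, then tab-separated attributes. LEEF 2.0 adds an
    # optional delimiter field between the event id and the attributes.
    n = 6 if version.startswith('2') else 5
    fields = _split_unescaped(m['rest'], '|', n)
    if len(fields) != n + 1:
        raise ValueError(f'expected {n} header fields plus attributes, got {len(fields) - 1}')
    delim = _leef_delim(fields[5]) if n == 6 else '\t'
    rec = dict(zip(('version', 'vendor', 'product', 'product_version', 'event_id'),
                   (_unescape_header(f) for f in fields[:5])))
    rec['syslog_prefix'] = m['syslog']
    # Falls back to ' key=' scanning when the delimiter is absent (tabs rendered as spaces).
    rec['attributes'] = parse_extension(fields[n], delim)
    return rec
```

Both functions raise rather than guess when the header has the wrong number of pipes; a collector that silently accepts malformed headers ends up with the signature id or severity in the wrong field, which is worse than a dropped event that a parse-failure counter makes visible.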

Mitre CEE (suspended)

A valid CEE JSON Event Record embedded within an RFC5424 Syslog transport:

<165>1 2011-12-20T12:38:06Z 10.10.0.1 process - example-event-1 @cee:{"pname":"auth","host":"system.example.com","time":"2011-12-20T12:38:05.123456-05:00"}

A valid CEE JSON Event Record used with a "legacy" Syslog transport:

<0>Dec 20 12:42:20 syslog-relay process[35]: @cee: {"crit":123,"id":"abc","appname":"application","pname":"auth","pid":123,"host":"system.example.com","pri":10,"time":"2011-12-20T12:38:05.123456-05:00","action":"login","domain":"app","object":"account","service":"web","status":"success"}
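The CLT mapping described earlier places a JSON-encoded CEE event at a fixed point in the syslog message, introduced by the "@cee:" cookie, and the two lines above show it inside an RFC 5424 header and inside a legacy BSD header. The extractor below is an added example for this page, not code from the CEE project or this gist: it recognises either header, locates the cookie, decodes the JSON object with a decoder that tolerates the surrounding text, and rejects payloads that are not a single JSON object or that carry trailing data. The samples are the two lines above; the RFC 5424 sample omits the "-" structured-data placeholder, so the parser accepts the message with or without it.

```python
import json
import re

CEE_COOKIE = '@cee:'

# Constructed copies of the two lines shown on the page.
CEE_RFC5424 = ('<165>1 2011-12-20T12:38:06Z 10.10.0.1 process - example-event-1 '
               '@cee:{"pname":"auth","host":"system.example.com","time":"2011-12-20T12:38:05.123456-05:00"}')
CEE_LEGACY = ('<0>Dec 20 12:42:20 syslog-relay process[35]: @cee: {"crit":123,"id":"abc","appname":"application",'
              '"pname":"auth","pid":123,"host":"system.example.com","pri":10,'
              '"time":"2011-12-20T12:38:05.123456-05:00","action":"login","domain":"app",'
              '"object":"account","service":"web","status":"success"}')

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD] MSG
_RFC5424 = re.compile(r'^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) '
                      r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$', re.S)
# Legacy BSD syslog: <PRI>TIMESTAMP HOSTNAME TAG: MSG
_RFC3164 = re.compile(r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
                      r'(?P<host>\S+) (?P<tag>[^:]+): (?P<rest>.*)$', re.S)
# One or more [...] structured-data elements (']' may be escaped as '\]').
_SD_BLOCK = re.compile(r'^(?:\[(?:[^\]\\]|\\.)*\]\s*)+')


def extract_cee(line: str) -> dict:
    """Return header facts plus the decoded CEE event dict, or raise ValueError."""
    m = _RFC5424.match(line) or _RFC3164.match(line)
    if not m:
        raise ValueError('unrecognised syslog header')
    is_5424 = 'ver' in m.groupdict()
    rest = m['rest']
    if is_5424:
        # Skip the structured-data field, whether NILVALUE, bracketed, or absent.
        if rest.startswith('- '):
            rest = rest[2:]
        else:
            sd = _SD_BLOCK.match(rest)
            if sd:
                rest = rest[sd.end():]
    idx = rest.find(CEE_COOKIE)
    if idx < 0:
        raise ValueError('no @cee: cookie in message')
    payload = rest[idx + len(CEE_COOKIE):].lstrip()
    try:
        obj, end = json.JSONDecoder().raw_decode(payload)
    except json.JSONDecodeError as exc:
        raise ValueError(f'CEE payload is not valid JSON: {exc}') from None
    if not isinstance(obj, dict):
        raise ValueError('CEE payload must be a JSON object')
    if payload[end:].strip():
        raise ValueError('trailing data after the CEE JSON object')
    pri = int(m['pri'])
    return {
        'transport': 'rfc5424' if is_5424 else 'legacy',
        'facility': pri // 8,
        'severity': pri % 8,
        'host': m['host'],
        'event': obj,
    }


if __name__ == '__main__':
    for sample in (CEE_RFC5424, CEE_LEGACY):
        print(json.dumps(extract_cee(sample), indent=2))
```

Treating the JSON object as the whole payload, and refusing trailing bytes, keeps a relay from quietly accepting a record where text has been appended after the cookie; the syslog PRI is decoded separately from any "pri" field inside the event so the two are never conflated.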

Processing techs

Logstash

Using kv{}