- ArcSight CEF guide
- Common Event Format Configuration Guide F5 Networks
- Common Event Format ArcSight, Inc.
- CEF Imperva Secure Sphere
- Syslog message formats: CEF&LEEF
- Common Event Format from the inside
- When Logstash And Syslog Go Wrong
- Structured Logging with Rsyslog and Elasticsearch
- Comparison of alert formats
- Hierarchical object log format for normalisation of security events
- How to Exchange Security Events? Overview and Evaluation of Formats and Protocols
- Clash of Titans: ArcSight vs QRadar
- Log Standards: Put Up, Shut Up, Give Up, Or Throw Up?
- IBM QRadar, LogRhythm, and McAfee SIEM selection
CEE is an open, practical, extensible, and industry-driven event logging specification with the goal of unifying event representation and classification. It's developed as a coordinated industry initiative with participation from end user groups, logging providers, SIEM vendors, independent experts, and U.S. government organizations. Development is facilitated by The MITRE Corporation as part of the Making Security Measurable initiative.
CEE Log Transport (CLT) provides the technical support necessary for a secure and reliable event management infrastructure. An event and audit infrastructure requires more than just standardized event records: support is needed for international string encodings, secure logging services, standardized event interfaces, and secure, verifiable event trails.
The CLT defines a list of CLT Protocol Requirements that CEE-compliant event transport protocols must meet in order to support specific logging capabilities. For example, any CLT Protocol must be able to transmit a CLS-encoded CEE Event in one or more encodings; more advanced CLT Protocols may additionally provide encryption and reliable delivery.
CLT also defines transport mappings. A CLT Mapping defines a mechanism for CEE Events to be transmitted over a certain CLT Protocol. Currently, the only CLT Mapping provided is for sending JSON-encoded CEE Events over the RFC5425 TLS Syslog protocol. This Mapping defines how the CEE Event can be encoded using an RFC5424 Syslog-compatible CLS Encoding and placed at a certain point in the Syslog message.
For more information, please see the CEE Log Transport Specification.
<118> Apr 18 16:32:58 10.0.1.11 QAUDJRN: [AF@0 event="AF-Authority failure" violation="A-Not authorized to object" actual_type="AF-A" jrn_seq="1001363" timestamp="20120418163258988000" job_name="QPADEV000B" user_name="TESTFORAF" job_number="256937" err_user="TESTFORAF" ip_addr="10.0.1.23" port="55875" action="Undefined(x00)" val_job="QPADEV000B" val_user="TESTFORAF" val_jobno="256937" object="AFTEST" object_library="CUS9242" object_type="*FILE" pgm_name="" pgm_libr="" workstation=""]
May 29 15:26:33 host CEF:0|McAfee|Antivirus|5.2|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232
Feb 29 15:47:25 10.0.1.43 CEF: 0|PATownsend|IBM-QAUDJRN|1.28|1007|CO-Create object|4|msg=CO-Create object act=N-Create of new object actual_type=CO-N jrn_seq=102361 timestamp=20120229154725823000 dproc=ICC suser=MVAGANEK job_number=638012 eff_user=MVAGANEK object=X_BIGNUM object_library=ICAPITST object_type=*MODULE object_attrCLE
Jan 18 11:07:53 192.168.1.1 LEEF:1.0|QRadar|QRM|1.0|NEW_PORT_DISCOVERD|src=172.5.6.67 dst=172.50.123.1 sev=5 cat=anomaly msg=there are spaces in this message
A valid CEE JSON Event Record embedded within an RFC5424 Syslog transport:
<165>1 2011-12-20T12:38:06Z 10.10.0.1 process - example-event-1 @cee:{"pname":"auth","host":"system.example.com","time":"2011-12-20T12:38:05.123456-05:00"}
A valid CEE JSON Event Record used with a "legacy" Syslog transport:
<0>Dec 20 12:42:20 syslog-relay process[35]: @cee: {"crit":123,"id":"abc","appname":"application","pname":"auth","pid":123,"host":"system.example.com","pri":10,"time":"2011-12-20T12:38:05.123456-05:00","action":"login","domain":"app","object":"account","service":"web","status":"success"}
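As an added example (written for this page, not taken from any of the sources listed above), a small Python normalizer that recognizes the three record shapes shown: CEF and LEEF pipe-delimited headers followed by key=value extensions, and @cee JSON. It honors the CEF `\|` and `\=` escapes and keeps spaces inside values, as in the LEEF `msg` field. The sample records are constructed and the LEEF 1.0 header layout is assumed.

```python
import json
import re

# Constructed sample records in the shapes this page shows (not real device output).
SAMPLES = [
    "May 29 15:26:33 host CEF:0|McAfee|Antivirus|5.2|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232",
    "Jan 18 11:07:53 192.168.1.1 LEEF:1.0|QRadar|QRM|1.0|NEW_PORT_DISCOVERD|src=172.5.6.67 dst=172.50.123.1 sev=5 cat=anomaly msg=there are spaces in this message",
    '<0>Dec 20 12:42:20 syslog-relay process[35]: @cee: {"crit":123,"id":"abc","pname":"auth","host":"system.example.com"}',
]

CEF_HEADER = ("version", "vendor", "product", "product_version", "signature_id", "name", "severity")
LEEF_HEADER = ("version", "vendor", "product", "product_version", "event_id")
# key=value pairs: a value runs until the next " key=" so spaces inside values survive.
KV_RE = re.compile(r"([\w.]+)=(.*?)(?=\s+[\w.]+=|\s*$)")
MARKER_RE = re.compile(r"(CEF:|LEEF:|@cee:)")

def split_header(body, count):
    """Take `count` pipe-delimited header fields, honoring the CEF '\\|' escape.
    Returns (fields, remaining extension text)."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < count:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            cur.append(body[i + 1]); i += 2   # escaped pipe or backslash
        elif ch == "|":
            fields.append("".join(cur).strip()); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    return fields, body[i:]

def parse_extension(text):
    """Parse the extension block; unescape '\\=' and '\\\\' used in CEF values."""
    return {k: v.replace("\\=", "=").replace("\\\\", "\\") for k, v in KV_RE.findall(text)}

def parse_event(line):
    """Locate the CEF/LEEF/@cee marker anywhere in a syslog line and normalize it."""
    m = MARKER_RE.search(line)
    if not m:
        raise ValueError("no CEF, LEEF or @cee marker found")
    marker, body = m.group(1), line[m.end():]
    if marker == "@cee:":
        return {"format": "cee", "fields": json.loads(body.strip())}
    names = CEF_HEADER if marker == "CEF:" else LEEF_HEADER   # LEEF 1.0 layout assumed
    fields, rest = split_header(body, len(names))
    if len(fields) != len(names):
        raise ValueError("truncated %s header" % marker[:-1])
    return {"format": marker[:-1].lower(), "header": dict(zip(names, fields)),
            "ext": parse_extension(rest)}

if __name__ == "__main__":
    for sample in SAMPLES:
        print(json.dumps(parse_event(sample), indent=1))
```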