Skip to content

Common Event Format (CEF)

CEF is a text-based log format developed by ArcSight™ and used by HP ArcSight™ products. It uses Syslog as transport. The full format includes a Syslog header or "prefix", a CEF "header", and a CEF "extension". The extension contains a list of key-value pairs. Standard key names are provided, and user-defined extensions can be used for additional key names. In some cases, the CEF format is used with the Syslog header omitted.

Rule Function

This rule does two things: it parses the Device Product field from the CEF message and sets the LogZilla event program name to that product name; and it parses several other fields (vendor, product, version, class, description, and severity) from the CEF message and adds those fields as key-value pairs to the LogZilla message.

Vendor Documentation

ArcSight Common Event Format (CEF)

User Tags

Used Tag Name CEF Field Example
vendor vendor Infoblox
product_name product_name NIOS Threat
product_version 6.12.13-299142
event_class 130400100
description WARN & DROP DoS DNS possible reflect...
severity_id 8

Incoming Log Format

CEF Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extension

All log fields are used.

Log Examples

Example 1. DoS DNS attack

CEF:0|Infoblox|NIOS Threat|6.12.13-299142|130400100|WARN & DROP DoS DNS possible reflection/amplification attack attempts|8|src= spt=32544 dst= dpt=53 act="ALERT" cat="DNS Amplification and Reflection

Example 2: Executable code exploit

CEF:0||nxlog|2.7.1243|Executable Code was Detected|Advanced exploit detected|100|src= spt=46117 dst= dpt=80