Tuesday, August 1, 2017

FortiOS CEF formatted logs

Logging to syslog just got better imho. The CEF log format is now an option. What is CEF?

Common Event Format 

This is the simplified log format that most SIEM and analytics tools, such as Splunk or ArcSight, accept. The format is simple and has required header fields similar to the below.

CEF:version | Manufacturer (vendor) | Model (product) | Version

e.g. (the prefix for Fortinet devices):


CEF:0|Fortinet|Fortigate|v5.6.1


These fields help in reporting and in identifying the source of the log, and the format is common, well supported and well known. It allows a plug-and-play, walk-away approach with most SIEMs that support CEF.
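As an added example (not from the original post or from Fortinet), here is a small Python parser for CEF lines arriving over syslog: it splits the seven header fields on unescaped pipes, parses the key=value extension, and rejects lines whose header is truncated so they can be quarantined instead of silently mis-indexed. Only the CEF:0|Fortinet|Fortigate|v5.6.1 prefix comes from the post; the remaining header fields (signature id, name, severity) follow the CEF spec, and the sample lines, extension keys and values are constructed.

```python
import re
# Constructed sample syslog lines (not real FortiGate output). The page shows only the
# "CEF:0|Fortinet|Fortigate|v5.6.1" prefix; the other header fields follow the CEF spec
# (signature id, name, severity) and the extension keys/values are assumed.
SAMPLE_LINES = [
    "<189>Aug  1 10:15:02 fgt1 CEF:0|Fortinet|Fortigate|v5.6.1|00013|traffic:forward accept|3|"
    "deviceExternalId=FGT-SERIAL-PLACEHOLDER src=10.1.1.5 spt=51514 dst=203.0.113.9 dpt=443 "
    "proto=6 act=accept msg=Allowed by policy 7 with \\= in it",
    "CEF:0|Fortinet|Fortigate|v5.6.1|00014|traffic:forward deny|7|src=10.1.1.9 dst=198.51.100.4 act=deny",
]
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# An extension key is a non-space token (not ending in '\') right before an unescaped '='.
KEY_RE = re.compile(r"(?:^|(?<=\s))([^\s=]*[^\s=\\])=")
HEADER_ESC, EXT_ESC = {"|": "|", "\\": "\\"}, {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}

def _unescape(s, table):
    out, i = [], 0          # single pass, so an escaped '\' cannot re-arm the next escape
    while i < len(s):
        esc = s[i] == "\\" and i + 1 < len(s) and s[i + 1] in table
        out.append(table[s[i + 1]] if esc else s[i]); i += 2 if esc else 1
    return "".join(out)

def parse_extension(ext):
    """Values may contain spaces: each runs up to the next key token."""
    matches = list(KEY_RE.finditer(ext))
    ends = [m.start() for m in matches[1:]] + [len(ext)]
    return {m.group(1): _unescape(ext[m.end():end].strip(), EXT_ESC)
            for m, end in zip(matches, ends)}

def parse_cef(line):
    """Return a dict for one CEF line, or None when the header is malformed."""
    start = line.find("CEF:")
    if start < 0:
        return None
    body, raw, cur, i = line[start + 4:], [], [], 0
    while i < len(body) and len(raw) < 7:            # header = 7 pipe-delimited fields
        if body[i] == "\\" and i + 1 < len(body):    # keep escape pair intact; '\|' is data
            cur.append(body[i:i + 2]); i += 2; continue
        if body[i] == "|":
            raw.append("".join(cur)); cur = []
        else:
            cur.append(body[i])
        i += 1
    if len(raw) < 7:
        return None                                  # quarantine: truncated or non-CEF header
    event = dict(zip(HEADER_FIELDS, (_unescape(f, HEADER_ESC) for f in raw)))
    if not event["severity"].isdigit() or not 0 <= int(event["severity"]) <= 10:
        return None                                  # CEF severity is an integer 0-10
    event["severity"] = int(event["severity"])
    event["extension"] = parse_extension(body[i:])   # everything after the 7th pipe
    return event
```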

Here are a few syslog dumps from a FGT firewall.

Various vendors support CEF

Examples:
  • Barracuda
  • CitrixNS
  • Palo Alto
  • FireEye

Ken   Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 

        /  \
