Common Event Format
This is the simplified log format that most SIEM and analytics tools, such as Splunk or ArcSight, understand. The format is simple: each message starts with a fixed header of required fields, similar to the one below, followed by the event details as key=value pairs (the "extension").
CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extension
e.g. (prefix for Fortinet devices)
CEF:0|Fortinet|Fortigate|v5.6.1
These header fields help in reporting and in identifying the source of the log, and because the format is common, well supported and widely known, it allows a plug-and-play approach with most SIEMs that support CEF. One caveat: a pipe or backslash inside a header field has to be escaped with a backslash, and an equals sign or backslash inside an extension value likewise, so a parser that simply splits on "|" and "=" will mangle messages that carry those characters.
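To make the header and extension layout concrete, here is a small CEF parser written for this post as an added example; it is not code from the blog, from Fortinet or from any SIEM vendor. It strips an optional syslog prefix, splits the seven header fields on unescaped pipes, and walks the extension for unescaped "=" so that values containing spaces, escaped "=" or escaped "|" survive. The two sample lines are constructed for the example: the FortiGate prefix matches the one shown above, but the event class ID, name, severity and the Acme "Web Gateway" line are made up.

```python
"""Minimal CEF parser (added example, not the blog's or any vendor's code).

Header: CEF:Version|Device Vendor|Device Product|Device Version|
        Device Event Class ID|Name|Severity|Extension
Header fields escape '|' and '\\' with a backslash; extension values escape
'=' and '\\', and may carry literal "\\n" / "\\r" sequences for line breaks.
"""

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Constructed sample lines for the example; not real captures.
SAMPLE_LINES = [
    # FortiGate-style event behind a syslog PRI/timestamp/host prefix.
    "<189>Jan 18 11:07:53 fgt-edge CEF:0|Fortinet|Fortigate|v5.6.1|00013|traffic:forward accept|3|"
    "src=10.1.1.25 spt=51022 dst=203.0.113.10 dpt=443 proto=TCP act=accept",
    # Escaped pipe in the header, escaped '=' and a space-containing value in the extension.
    "CEF:0|Acme|Web Gateway|2.0|100|Blocked URL \\| policy hit|7|"
    "msg=User agent contained a\\=b and a space request=http://example.test/path?x\\=1 suser=alice",
]


def _split_header(s, maxsplit):
    """Split on unescaped '|' at most maxsplit times; header pieces are unescaped,
    the remainder (the extension) is returned untouched for its own unescaping."""
    fields, buf, i, splits = [], [], 0, 0
    while i < len(s):
        c = s[i]
        if splits < maxsplit and c == "\\" and i + 1 < len(s) and s[i + 1] in "|\\":
            buf.append(s[i + 1])
            i += 2
            continue
        if splits < maxsplit and c == "|":
            fields.append("".join(buf))
            buf, splits = [], splits + 1
            i += 1
            continue
        buf.append(c)
        i += 1
    fields.append("".join(buf))
    return fields


def _unescape_ext(v):
    """Undo extension escaping: '\\=' -> '=', '\\\\' -> '\\', '\\n' / '\\r' -> line breaks."""
    out, i = [], 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            nxt = v[i + 1]
            if nxt in "=\\":
                out.append(nxt)
            elif nxt in "nr":
                out.append("\n" if nxt == "n" else "\r")
            else:  # unknown escape: keep it literally rather than guess
                out.append("\\" + nxt)
            i += 2
        else:
            out.append(v[i])
            i += 1
    return "".join(out)


def _parse_extension(ext):
    """Parse 'k1=v1 k2=v2 ...'. Values may contain spaces, so each key is the
    last space-delimited token before an unescaped '=' and a value runs up to
    the start of the next key."""
    eq_positions, i = [], 0
    while i < len(ext):  # linear scan so '\\=' is not mistaken for a key boundary
        if ext[i] == "\\":
            i += 2
            continue
        if ext[i] == "=":
            eq_positions.append(i)
        i += 1
    pairs = {}
    for n, pos in enumerate(eq_positions):
        key = ext[ext.rfind(" ", 0, pos) + 1:pos]
        if n + 1 < len(eq_positions):
            next_key_start = ext.rfind(" ", 0, eq_positions[n + 1]) + 1
            value = ext[pos + 1:next_key_start].rstrip(" ")
        else:
            value = ext[pos + 1:]
        pairs[key] = _unescape_ext(value)
    return pairs


def parse_cef(line):
    """Parse one CEF message into a dict. Text before 'CEF:' (a syslog prefix)
    is kept under 'syslog_prefix'; raises ValueError for non-CEF input."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF message")
    prefix, body = line[:idx].strip(), line[idx + len("CEF:"):]
    parts = _split_header(body, maxsplit=7)
    if len(parts) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event["syslog_prefix"] = prefix
    event["extension"] = _parse_extension(parts[7]) if len(parts) > 7 else {}
    return event


def parse_all(lines=SAMPLE_LINES):
    """Parse every sample line; handy for feeding into a detection rule or a test."""
    return [parse_cef(l) for l in lines]


if __name__ == "__main__":
    for ev in parse_all():
        print(ev["device_vendor"], ev["device_product"], ev["name"], ev["extension"])
```

The header split stops after the seventh pipe on purpose: the specification does not require pipes in the extension to be escaped, so a naive `line.split("|")` would shear a URL or message field that happens to contain one. Device Event Class ID, Name and Severity are the fields a SIEM uses for correlation and alert priority, which is why the parser keeps them as separate keys rather than lumping them into the extension.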
Here are a few syslog dumps from a FGT firewall.
Various vendors support CEF, for example:
- Barracuda
- CitrixNS
- Palo Alto
- FireEye
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \