User:Ubaidhayee/sandbox

Common Event Format

The Common Event Format (CEF) is a log format that can be readily adopted by vendors of both security and non-security devices. It carries the most relevant event information, making it easy for event consumers to parse and use.

To simplify integration, the syslog message format is used as a transport mechanism. This applies a common prefix to each message, containing the date and hostname, as shown below.

Jan 18 11:07:53 host message

If an event producer is unable to write syslog messages, it is still possible to write the events to a file. To do so:

1. Omit the syslog header (shown above)

2. Begin the message with the format shown below

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

After the mandatory CEF: prefix, the remainder of the message is formatted using a common prefix composed of fields delimited by a bar ("|") character. All of the fields specified above should be present and are defined under “Definitions of Prefix Fields” on page 2.

The Extension part of the message is a placeholder for additional fields. These additional fields are documented under “The Extension Dictionary” on page 4, and are logged as key-value pairs.
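As an added example that is not part of the original page, the following Python parser handles both layouts described above: the syslog-transported message and the file-written message that omits the syslog header. It assumes CEF's standard backslash escaping (`\|` in the prefix fields, `\=` in extension values), and the sample events are constructed for illustration.

```python
import re

# Constructed sample events (not from the original page). The first carries the
# syslog transport prefix; the second was written to a file without it.
SAMPLE_SYSLOG = ("Jan 18 11:07:53 host CEF:0|Security|threatmanager|1.0|100|"
                 "worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232")
SAMPLE_FILE = ("CEF:0|Vendor|Product|2.1|42|Pipe \\| in name|5|"
               "msg=Value with\\=equals and spaces act=blocked")

PREFIX_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# Optional "Jan 18 11:07:53 host " prefix, only stripped when CEF: follows it.
SYSLOG_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ (?=CEF:)")
KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_.]+)=")   # start of an unescaped key=

def _split_header(body, nfields):
    """Split on "|" honouring "\\|" escapes (assumed CEF convention). Once
    nfields are collected the remainder (the Extension) is returned raw."""
    parts, cur, i = [], [], 0
    while i < len(body):
        if len(parts) == nfields:
            parts.append(body[i:])
            return parts
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # escaped char: keep literally
            cur.append(body[i + 1]); i += 2; continue
        if ch == "|":
            parts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts

def _unescape(value):
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_extension(ext):
    """Turn 'k1=v1 k2=v with spaces' into a dict; each value runs to the next key."""
    marks = list(KEY_RE.finditer(ext))
    return {m.group(1): _unescape(ext[m.end():(nxt.start() if nxt else len(ext))])
            for m, nxt in zip(marks, marks[1:] + [None])}

def parse_cef(line):
    """Parse one CEF event, with or without the syslog header."""
    body = SYSLOG_RE.sub("", line, count=1)
    if not body.startswith("CEF:"):
        raise ValueError("missing mandatory CEF: prefix")
    parts = _split_header(body[len("CEF:"):], len(PREFIX_FIELDS))
    if len(parts) != len(PREFIX_FIELDS) + 1:
        raise ValueError("expected 7 pipe-delimited prefix fields plus Extension")
    event = dict(zip(PREFIX_FIELDS, parts))
    event["extension"] = parse_extension(parts[-1])
    return event
```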