ArcSight CEF
Revision 20
http://support.openview.hp.com
https://protect724.arcsight.com
Revision History
Date
Product Version
Description
06/05/2013
Revision 20
01/2013
Revision 19
01/2011
Revision 17
07/2010
07/2009
05/2009
11/2007
06/2006
Contents
Chapter 1: What is CEF? ..................................................................................................... 5
The case for ArcSight CEF ................................................................................................ 5
What is CEF? ............................................................................................................ 5
The CEF Certification Program ..................................................................................... 6
CEF Implementation ........................................................................................................ 6
Header Information ................................................................................................... 6
Using CEF Without Syslog .......................................................................................... 6
Header Field Definitions ............................................................................................. 6
The Extension Field ................................................................................................... 7
Character Encoding ................................................................................................... 7
Chapter 2: ArcSight Extension Dictionary ............................................................................ 9
CEF Key Name Table ....................................................................................................... 9
Chapter 3: Special Mappings ............................................................................................. 27
Firewall ........................................................................................................................ 27
Anti-Virus ..................................................................................................................... 28
Email ........................................................................................................................... 28
Wireless ....................................................................................................................... 28
ipv6 Format .................................................................................................................. 28
Chapter 4: User-Defined Extensions .................................................................................. 29
Custom Extension Naming Guidelines ............................................................................... 29
Format .................................................................................................................. 29
Requirements ......................................................................................................... 29
Limitations of Custom Extensions .................................................................................... 29
Limitations Affecting ArcSight ESM ............................................................................ 30
Limitations Affecting ArcSight Logger ................................................................... 30
Appendix A: Date Formats ................................................................................................ 31
Index ................................................................................................................................. 33
Confidential
Contents
Confidential
Chapter 1
What is CEF?
The following topics are covered in this chapter:
The case for ArcSight CEF on page 5
The CEF Certification Program on page 6
CEF Implementation on page 6
Header Information on page 6
Using CEF Without Syslog on page 6
Header Field Definitions on page 6
The Extension Field on page 7
Character Encoding on page 7
What is CEF?
CEF is an extensible, text-based, high-performance format designed to support multiple
device types in the simplest manner possible. Various message syntaxes are reduced to
one-matching ESM normalization. Specifically, CEF defines a syntax for log records
comprised of a standard header and a variable extension, formatted as key-value pairs.
This format contains the most relevant event information, making it easy for event
consumers to parse and use them.
Other standards target a single component of the security infrastructure or are designed
for specific applications. These alternatives lack the ability to support today's
high-performance, real-time security requirements.
Confidential
1 What is CEF?
CEF Implementation
This document defines the CEF protocol and provides details on how to implement the
standard. It details the header and predefined extensions used within the standard, as well
as how to create user-defined extensions. It also includes a list of CEF supported date
formats.
Header Information
CEF uses syslog as a transport mechanism. It uses the following format, comprised of a
syslog prefix, a header and an extension, as shown below:
Jan 18 11:07:53 host CEF:Version|Device Vendor|Device
Product|Device Version|Signature ID|Name|Severity|[Extension]
The CEF:Version portion of the message is a mandatory header. The remainder of the
message is formatted using fields delimited by a pipe ("|") character. All of these remaining
fields should be present and are defined under Header Field Definitions on page 6".
The extension portion of the message is a placeholder for additional fields, but is not
mandatory. Any additional fields are logged as key-value pairs. See Chapter 2 ArcSight
Extension Dictionary on page 9 for a table of definitions.
The following example illustrates a CEF message using Syslog transport:
Sep 19 08:26:10 host CEF:0|Security|threatmanager|1.0|100|worm
successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232
Confidential
1 What is CEF?
Device Vendor, Device Product and Device Version are strings that uniquely identify
the type of sending device. No two products may use the same device-vendor and
device-product pair. There is no central authority managing these pairs. Event producers
must ensure that they assign unique name pairs.
Signature ID is a unique identifier per event-type. This can be a string or an integer.
Signature ID identifies the type of event reported. In the intrusion detection system (IDS)
world, each signature or rule that detects certain activity has a unique signature ID
assigned. This is a requirement for other types of devices as well, and helps correlation
engines process the events.
Name is a string representing a human-readable and understandable description of the
event. The event name should not contain information that is specifically mentioned in
other fields. For example: "Port scan from 10.0.0.1 targeting 20.1.1.1" is not a good event
name. It should be: "Port scan". The other information is redundant and can be picked up
from the other fields.
Severity is an integer and reflects the importance of the event. Only numbers from 0 to
10 are allowed, where 10 indicates the most important event.
Character Encoding
Because CEF uses the UTF-8 Unicode encoding method, certain symbols must use
character encoding. Within this context, character encoding specifies how to represent
characters that could be misinterpreted within the schema.
Please note the following when encoding symbols in CEF:
Spaces used in the header are valid. Do not encode a space character by using
<space>.
If a pipe (|) is used in the header, it has to be escaped with a backslash (\). But note
that pipes in the extension do not need escaping. For example:
Sep 19 08:26:10 host
CEF:0|security|threatmanager|1.0|100|detected a \| in
message|10|src=10.0.0.1 act=blocked a | dst=1.1.1.1
If a backslash (\) is used in the header or the extension, it has to be escaped with
another backslash (\). For example:
Sep 19 08:26:10 host
CEF:0|security|threatmanager|1.0|100|detected a \\ in
packet|10|src=10.0.0.1 act=blocked a \\ dst=1.1.1.1
Confidential
If an equal sign (=) is used in the extensions, it has to be escaped with a backslash
(\). Equal signs in the header need no escaping. For example:
1 What is CEF?
Multi-line fields can be sent by CEF by encoding the newline character as \n or \r.
Note that multiple lines are only allowed in the value part of the extensions. For
example:
Sep 19 08:26:10 host
CEF:0|security|threatmanager|1.0|100|Detected a threat. No
action needed.|10|src=10.0.0.1 msg=Detected a threat.\n No
action needed.
Confidential
Chapter 2
*Names containing an asterisk are best used with ESM v5.0. When using
earlier versions of ESM, refer to Limitations of Custom Extensions on
page 25.
Table 2-1
Full Name
Data
Type
Length
Meaning
act
deviceAction
String
63
app
applicationProtocol
String
31
Application level
protocol, example
values are: HTTP,
HTTPS, SSHv2, Telnet,
POP, IMAP, IMAPS,
etc.
Confidential
Table 2-1
Full Name
Data
Type
c6a1
*deviceCustomIPv6A
ddress1
IPv6
address
Length
Meaning
One of four IPV6
address fields
available to map fields
that do not apply to
any other in this
dictionary.
Tip: Please reference
the guidelines under
User-Defined
Extensions on
page 25 for tips on
using these fields.
c6a1Label
*deviceCustomIPv6A
ddress1Label
String
c6a2
*deviceCustomIPv6A
ddress2
IPv6
address
c6a2Label
*deviceCustomIPv6A
ddress2Label
String
c6a3
*deviceCustomIPv6A
ddress3
IPv6
address
c6a3Label
10
*deviceCustomIPv6A
ddress3Label
String
Confidential
Table 2-1
Full Name
Data
Type
c6a4
*deviceCustomIPv6A
ddress4
IPv6
address
Length
Meaning
One of four IPV6
address fields
available to map fields
that do not apply to
any other in this
dictionary.
Tip: Please reference
the guidelines under
User-Defined
Extensions on
page 25 for tips on
using these fields.
c6a4Label
*deviceCustomIPv6A
ddress4Label
String
cat
deviceEventCategory
String
cfp1
*deviceCustomFloati
ngPoint1
Floating
Point
cfp1Label
*deviceCustomFloati
ngPoint1Label
String
cfp2
*deviceCustomFloati
ngPoint2
Floating
Point
cfp2Label
*deviceCustomFloati
ngPoint2Label2
String
Confidential
Represents the
category assigned by
the originating device.
Devices oftentimes
use their own
categorization schema
to classify events.
Example:
"/Monitor/Disk/Read"
Table 2-1
Full Name
Data
Type
cfp3
*deviceCustomFloati
ngPoint3
Floating
Point
cfp3Label
*deviceCustomFloati
ngPoint3Labe3
String
cfp4
*deviceCustomFloati
ngPoint4
Floating
Point
cfp4Label
*deviceCustomFloati
ngPoint4Labe4
String
cn1
deviceCustomNumbe
r1
Long
cn1Label
deviceCustomNumbe
r1Label
String
cn2
deviceCustomNumbe
r2
Long
12
Length
1023
Meaning
Confidential
Table 2-1
Length
Meaning
deviceCustomNumbe
r2Label
String
1023
cn3
deviceCustomNumbe
r3
Long
cn3Label
deviceCustomNumbe
r3Label
String
cnt
baseEventCount
Integer
cs1
deviceCustomString
1
String
Full Name
cn2Label
1023
cs1Label
Confidential
deviceCustomString
1Label
String
1023
Table 2-1
Full Name
cs2
deviceCustomString
2
Data
Type
Length
Meaning
String
1023
cs2Label
deviceCustomString
2Label
String
1023
cs3
deviceCustomString
3
String
1023
cs3Label
14
deviceCustomString
3Label
String
1023
Confidential
Table 2-1
Full Name
cs4
deviceCustomString
4
Data
Type
Length
Meaning
String
1023
cs4Label
deviceCustomString
4Label
String
1023
cs5
deviceCustomString
5
String
1023
cs5Label
Confidential
deviceCustomString
5Label
String
1023
Table 2-1
Full Name
cs6
deviceCustomString
6
Data
Type
Length
Meaning
String
1023
cs6Label
deviceCustomString
6Label
String
1023
destinationDnsDomain
destinationDnsDoma
in
String
255
destinationServiceName
destinationServiceNa
me
String
1023
destinationTranslatedAddress
destinationTranslate
dAddress
IPv4
Address
Identifies the
translated destination
that the event refers
to in an IP network.
The format is an IPv4
address.
Example:
"192.168.10.1"
destinationTranslatedPort
16
destinationTranslate
dPort
Integer
Confidential
Table 2-1
Full Name
deviceCustomDate1
deviceCustomDate1
Data
Type
Length
TimeSt
amp
Meaning
One of two timestamp
fields available to map
fields that do not
apply to any other in
this dictionary. Use
sparingly and seek a
more specific,
dictionary supplied
field when possible.
Tip: Please reference
the guidelines under
User-Defined
Extensions on
page 25 for tips on
using these fields.
deviceCustomDate1Label
deviceCustomDate1L
abel
String
deviceCustomDate2
deviceCustomDate2
TimeSt
amp
1023
deviceCustomDate2Label
deviceCustomDate2L
abel
String
deviceDirection
deviceDirection
Integer
1023
deviceDnsDomain
Confidential
deviceDnsDomain
String
255
Table 2-1
Full Name
Data
Type
Length
Meaning
deviceExternalId
deviceExternalId
String
255
deviceFacility
deviceFacility
String
1023
deviceInboundInterface
deviceInboundInterf
ace
String
15
deviceMacAddress
deviceMacAddress
MAC
Address
Six colon-separated
hexadecimal numbers.
Example:
"00:0D:60:AF:1B:61"
deviceNtDomain
deviceNtDomain
String
255
deviceOutboundInterface
deviceOutboundInter
face
String
15
deviceProcessName
deviceProcessName
String
1023
Process name
associated with the
event. An example
might be the process
generating the syslog
entry in UNIX.
deviceTranslatedAddress
deviceTranslatedAdd
ress
IPv4
Address
Identifies the
translated device
address that the event
refers to in an IP
network. The format is
an IPv4 address.
Example:
"192.168.10.1"
dhost
destinationHostNam
e
String
1023
Identifies the
destination that an
event refers to in an
IP network. The
format should be a
fully qualified domain
name associated with
the destination node,
when a node is
available (FQDN).
Examples:
"host.domain.com" or
"host".
18
Confidential
Table 2-1
Full Name
Data
Type
dmac
destinationMacAddre
ss
MAC
Address
dntdom
destinationNtDomain
String
dpid
*destinationProcessI
d
Integer
dpriv
destinationUserPrivil
eges
String
1023
dproc
destinationProcessN
ame
String
1023
Length
Meaning
Six colon-separated
hexadecimal numbers.
Example:
"00:0D:60:AF:1B:61"
255
Example:
"telnetd", or "sshd".
dpt
destinationPort
Integer
dst
destinationAddress
IPv4
Address
Identifies the
destination address
that the event refers
to in an IP network.
The format is an IPv4
address.
Example:
"192.168.10.1"
duid
Confidential
destinationUserId
String
1023
Identifies the
destination user by
ID. For example, in
UNIX, the root user is
generally associated
with user ID 0.
Table 2-1
Length
Meaning
destinationUserNam
e
String
1023
Identifies the
destination user by
name. This is the user
associated with the
event's destination.
Email addresses are
often mapped into the
UserName fields. The
recipient is a
candidate to put into
destinationUserName.
deviceAddress
IPV4
Address
16
Full Name
duser
dvc
Example:
"192.168.10.1"
dvchost
deviceHostName
String
dvcpid
*deviceProcessId
Integer
end
endTime
Time
Stamp
externalID
externalID
String
fileCreateTime
fileCreateTime
Time
Stamp
fileHash
fileHash
String
255
Hash of a file.
fileId
fileId
String
1023
An ID associated with
a file could be the
inode.
20
100
40
The ID used by an
originating device.
They are usually
increasing numbers,
associated with
events.
Time when the file
was created.
Confidential
Table 2-1
Full Name
fileModificationTime
fileModificationTime
Time
Stamp
filePath
filePath
String
Length
Meaning
Time when the file
was last modified.
1023
filePermission
filePermission
String
1023
fileType
fileType
String
1023
fname
fileName
String
1023
fsize
fileSize
Integer
in
bytesIn
Integer
Number of bytes
transferred inbound.
Inbound relative to
the source to
destination
relationship, meaning
that data was flowing
from source to
destination.
msg
message
String
oldFileCreateTime
oldFileCreateTime
Time
Stamp
oldFileHash
oldFileHash
String
255
oldFileId
oldFileId
String
1023
An ID associated with
the old file could be
the inode.
oldFileModificationTime
oldFileModificationTi
me
Time
Stamp
oldFileName
oldFileName
String
Confidential
1023
An arbitrary message
giving more details
about the event.
Multi-line entries can
be produced by using
\n as the new-line
separator.
Time when old file was
created.
Table 2-1
Full Name
Data
Type
Length
Meaning
oldFilePath
oldFilePath
String
1023
oldFilePermission
oldFilePermission
String
1023
oldFileSize
oldFileSize
Integer
oldFileType
oldFileType
String
out
bytesOut
Integer
outcome
*eventOutcome
String
63
proto
transportProtocol
String
31
reason
*reason
String
1023
Example:
"0x1234"
request
requestURL
String
1023
22
Confidential
Table 2-1
Length
Meaning
requestClientApplicat
ion
String
1023
The User-Agent
associated with the
request.
requestCookies
requestCookies
String
1023
Cookies associated
with the request.
requestMethod
requestMethod
String
1023
rt
receiptTime
Time
Stamp
Full Name
requestClientApplication
shost
sourceHostName
String
smac
sourceMacAddress
MAC
Address
1023
sntdom
sourceNtDomain
String
255
sourceDnsDomain
sourceDnsDomain
String
255
sourceServiceName
sourceServiceName
String
1023
sourceTranslatedAddress
sourceTranslatedAdd
ress
IPv4
Address
Identifies the
translated source that
the event refers to in
an IP network. The
format is an IPv4
address.
Example:
"192.168.10.1"
Confidential
Table 2-1
Full Name
Data
Type
sourceTranslatedPort
sourceTranslatedPort
Integer
spid
*sourceProcessId
Integer
spriv
sourceUserPrivileges
String
1023
sproc
sourceProcessName
String
1023
spt
sourcePort
Integer
src
sourceAddress
IPv4
Address
Length
Meaning
Example:
"192.168.10.1"
start
startTime
Time
Stamp
suid
24
sourceUserId
String
1023
Confidential
Table 2-1
Full Name
Data
Type
Length
Meaning
suser
sourceUserName
String
1023
Confidential
26
Confidential
Chapter 3
Special Mappings
In some cases, the mappings between fields of the original device and those of the
ArcSight Extension Dictionary are not straightforward. The following tables provide
examples that should help in such cases.
Firewall
Original Field
Rule Number /
cs1
deviceCustomString1
ACL Number
Confidential
3 Special Mappings
Anti-Virus
Original Field
Virus name
cs1
deviceCustomString1
cs2
deviceCustomString2
act
deviceAction
Email
Original Field
duser
destinationUserName
suser
sourceUserName
Relay
cs1
deviceCustomString1
Wireless
Original Field
SSID
cs2
deviceCustomString2
Channel
cn1
deviceCustomNumber1
ipv6 Format
If the custom extension name is in ipv6 format and used to map
a device address, use c6a1. Use the corresponding label field to describe the
purpose of the custom field.
a source address, use c6a2. Use the corresponding label field to describe the
purpose of the custom field.
a destination address, use c6a3. Use the corresponding label field to describe the
purpose of the custom field.
It is permissible to use abbreviated formats when using ipv6 addresses.
28
Confidential
Chapter 4
User-Defined Extensions
This chapter covers the following topics
Custom Extension Naming Guidelines on page 29
Limitations of Custom Extensions on page 29
The Extension Dictionary provides a broad set of predefined extension names (CEF names
such as "fname" and full names such as "filetype") that should cover most event log
requirements. In some cases, vendors' devices may generate more information than can be
appropriately mapped into the predefined extensions or may generate information that
does not fit the orientation of the predefined extensions. In such cases, vendors may
define their own custom extensions to the standard ArcSight extension Dictionary.
Format
Custom extension names should take the form
VendornameProductnameExplanatoryKeyName
Requirements
Custom extension names should meet the following requirements. Custom extension
name(s)
must be alphanumeric.
may not be named the same as any name listed in ArcSight Extension Dictionary.
Confidential
4 User-Defined Extensions
Custom extension names also have significant limitations that implementers should be
aware of. These limitations can fundamentally affect the experience of ArcSight product
users.
Data submitted to ArcSight ESM using custom name extensions is retained; however, it
is largely inaccessible except when directly viewing events. This data shows up in a
section called "Additional Data".
Data submitted to ArcSight ESM using custom name extensions cannot be used
directly for reporting, as these "Additional Data" fields are not made available in the
reporting schema. Thus, any data in the "Additional Data" section of events is not
available in reports.
Data submitted to ArcSight ESM using custom name extensions cannot be used
directly for event correlation (as within Rules, Data Monitors, etc.). Thus, any data in
the "Additional Data" section is not available as output for correlation activities within
the ESM system.
30
Data submitted to ArcSight Logger using custom name extensions is retained in the
system; however, it is not available for use in the Logger reporting infrastructure.
Data submitted to ArcSight Logger using custom name extensions is available for
viewing by the customer using string-based search. Event export is also be available
for this purpose.
Confidential
Appendix A
Date Formats
CEF supports several variations on time/date formats to identify the time an event occurred
accurately. These formats are detailed below.
1
Milliseconds since January 1, 1970 (integer)-This time format supplies an integer with
the count in milliseconds from January 1, 1970 to the time the event occurred.
MMM dd HH:mm:ss
MMM dd HH:mm:ss.SSS
For a key to the date formats shown above, visit the SimpleDateFormat page at:
http://docs.oracle.com/javase/1.4.2/docs/api/java/text/SimpleDateFormat.html.
Confidential
32
Date Formats
Confidential
Index
C
CEF
certification program 6
Date formats 31
Header information 6
implementation 6
Name Table 9
Special Mappings 27
the case for ArcSight CEF 5
User-defined extensions 29
using without Syslog 6
what is 5
CEF Names 9
full names 9
Character Encoding 7
Custom Extension
Format 29
limitations 29
limitations affecting ESM 30
limitations affecting Logger 30
naming guidelines 29
Requirements 29
E
Extension Field 7
H
Header Field Definition 6
Device Product 7
Device Vendor 7
Device Version 7
Name 7
Severity 7
Signature ID 7
Version 6
S
Special Mappings
Anti-Virus 28
Email 28
Firewall 27
ipv6 Format 28
Wireless 28
Confidential
Index
34
Confidential