SIEM log format reference
The following details the basic syntax of a SIEM record in CEF, LEEF, and Splunk formats.
CEF:
- Header
<13>%<:%b %_2d %T> %<applianceHostName> CEF:0|Device Vendor|Device Product|Product Version|Log Type|LogReason|5|
- Data
key1=value1 key2=value2
Key value pairs are separated by a space.
LEEF:
- Header
<13>%<:%b %_2d %T> %<applianceHostName> LEEF:1.0|Device Vendor|Device Product|Product Version|Log Type|Log Reason|5|
- Data
key1=value1%<\t>key2=value2
Key value pairs are separated by a tab.
Splunk:
- Header
<13>%<:%b %_2d %T> %<applianceHostName>
- Data
key1=value1 key2=value2 key3="value 3"
All three formats include a syslog protocol prefix, a header, and a set of extensions comprising key-value pairs. CEF and LEEF additionally carry a format-specific header between the syslog header and the extensions, so a CEF record is structured as follows:
PRI SP HEADER SP CEF:Version|Device_Vendor|Device_Product|Device_Version|Signature_ID|Name|Severity|Extension
- PRI (priority value) is a combination of (Facility Level value * 8) + Severity Level. The default values are:
  Facility Level (user-level messages) = 1
  Severity Level (Notice: Normal but significant condition) = 5
  With these defaults, (1 * 8) + 5 = 13, which is the <13> prefix shown in the headers above.
- Header includes a timestamp (format MMM-dd hh:mm:ss) and the appliance hostname, separated by a space (SP).
- CEF or LEEF indicates the Common Event Format or Log Event Extended Format portion of the data record and contains the following fields:
- Version identifies the current CEF or LEEF format version.
- The Device_Vendor field is a unique identifier. Along with Device_Product, it identifies the device. In this case, Device_Vendor is Forcepoint.
- The Device_Product field is a unique identifier. Along with Device_Vendor, it identifies the device sending the data to SIEM. In this case, Device_Product is Email Security.
- The Device_Version field indicates the Device_Product version.
- The Signature_ID field is a unique event-type indicator. In this case, the field identifies the type of email protection system log that is generating the record: Connection, Message, Policy, Delivery, Audit, Console, or Hybrid (for email hybrid service traffic).
- The Name component is the event description. For the policy log, this field contains the message analysis result. For the other email protection logs, this field contains the log type.
- Severity is a value between 0 and 10 that indicates the importance of an event. A higher severity value indicates increased event importance. Default value is 5.
- The Extension field contains a set of pre-defined key-value pairs separated by spaces. See CEF key-value table for details about these entries for Forcepoint Email Security.
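As an added example (not part of this reference or of Forcepoint's own tooling), the following Python parser reads a CEF or LEEF record laid out as described above: it decodes the PRI into facility and severity, takes the seven pipe-delimited header fields, range-checks the severity, and splits the extension by space (CEF) or tab (LEEF). The sample records, hostname and extension key names are constructed for illustration.

```python
import re

# Constructed sample records following the header templates above; not real appliance output.
CEF_SAMPLE = ("<13>Mar  4 10:15:22 esg01 CEF:0|Forcepoint|Email Security|8.5|Message|Delivered|5|"
              "act=deliver suser=alice@example.com duser=bob@example.com")
LEEF_SAMPLE = ("<13>Mar  4 10:15:22 esg01 LEEF:1.0|Forcepoint|Email Security|8.5|Connection|Accepted|5|"
               "src=192.0.2.10\tdst=198.51.100.5\tproto=smtp")

# Syslog PRI, the "MMM dd hh:mm:ss" timestamp (day space-padded), hostname, then the CEF/LEEF block.
HEADER_RE = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<ts>[A-Za-z]{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<fmt>CEF|LEEF):(?P<rest>.*)", re.S)
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")


def split_extension(ext, fmt):
    """Extension key-value pairs: tab-separated for LEEF, space-separated for CEF."""
    if fmt == "LEEF":
        return dict(kv.split("=", 1) for kv in ext.split("\t") if "=" in kv)
    # A CEF value may itself contain spaces, so only split in front of the next "key=".
    return dict(re.findall(r"(\S+?)=(.*?)(?= \S+?=|$)", ext, re.S))


def parse_record(line):
    """Return the syslog, header and extension parts of one CEF/LEEF record as a dict."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a CEF/LEEF syslog record")
    # PRI = facility * 8 + severity, so divmod recovers both; <13> gives facility 1, severity 5.
    facility, syslog_severity = divmod(int(m["pri"]), 8)
    parts = m["rest"].split("|", 7)          # seven pipe-terminated header fields + extension
    if len(parts) != 8:
        raise ValueError("truncated %s header" % m["fmt"])
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    header["severity"] = int(header["severity"])
    if not 0 <= header["severity"] <= 10:
        raise ValueError("severity must be between 0 and 10")
    return {"facility": facility, "syslog_severity": syslog_severity,
            "timestamp": m["ts"], "host": m["host"], "format": m["fmt"],
            **header, "extension": split_extension(parts[7], m["fmt"])}


if __name__ == "__main__":
    for sample in (CEF_SAMPLE, LEEF_SAMPLE):
        print(parse_record(sample))
```

A record whose header is cut short, or whose severity falls outside 0 to 10, is rejected rather than silently mapped to partial fields.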