Common Event Format – Add-on

logo_splunk.gifThe common event format (CEF) is a standard for the interoperability of event- or log generating devices and applications. The standard defines a syntax for log records. It comprises of a standard prefix and a variable extension that is formatted as key-value pairs. The standards document is unfortunately only available if you register on the Web site. I wish ArcSight would post a link to the standards document, instead of making you register to download it. If you want more detailed information about CEF, check out an older post that I have written when I was still working on CEF.

I just wrote a CEF add-on for Splunk. It defines field extractions for CEF formatted messages. Just install the add-on, set your source type to cef and you will be able to use the extracted fields from your CEF messages. Note that because CEF has an extension that is all key-value pairs, I did not have to write any special extractions for that part. I only had to implement extractions for the prefix. Very slick!

By Raffael Marty

Posted by