Skip to content

Log Extended Event Format (LEEF)

Product - Various products that send LEEF V1 and V2 format messages via syslog

Each LEEF product should have their own source entry in this documentation set by vendor. In a departure from normal configuration, all LEEF products should use the “LEEF” version of the unique port and archive environment variable settings (rather than a unique one per product), as the LEEF log path handles all products sending events to SC4S in the LEEF format. Examples of this include QRadar itself as well as other legacy systems. Therefore, the LEEF environment variables for unique port, archive, etc. should be set only once.

If your deployment has multiple LEEF devices that send to more than one port, set the LEEF unique port variable(s) as a comma-separated list. See Unique Listening Ports for details.

The source documentation included below is a reference baseline for any product that sends data using the LEEF log path.

Some vendors implement LEEF v2.0 format events incorrectly, omitting the required “key=value” separator field from the LEEF header, thus forcing the consumer to assume the default tab \t character. SC4S will correctly process this omission, but will not correctly process other non-compliant formats.

The LEEF format allows for the inclusion of a field devTime containing the device timestamp and allows the sender to also specify the format of this timestamp in another field called devTimeFormat, which uses the Java Time format. SC4S uses syslog-ng strptime format which is not directly translatable to the Java Time format. Therefore, SC4S has provided support for the following common formats. If needed, additional time formats can be requested via an issue on github.

    '%s.%f',
    '%s',
    '%b %d %H:%M:%S.%f',
    '%b %d %H:%M:%S',
    '%b %d %Y %H:%M:%S.%f',
    '%b %e %Y %H:%M:%S',
    '%b %e %H:%M:%S.%f',
    '%b %e %H:%M:%S',
    '%b %e %Y %H:%M:%S.%f',
    '%b %e %Y %H:%M:%S'  
Ref Link
Splunk Add-on LEEF None
Product Manual https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_LEEF_Format_Guide_intro.html

Splunk Metadata with LEEF events

The keys (first column) in splunk_metadata.csv for LEEF data sources have a slightly different meaning than those for non-LEEF ones. The typical vendor_product syntax is instead replaced by checks against specific columns of the LEEF event – namely the first and second, columns following the leading LEEF:VERSION (“column 0”). These specific columns refer to the LEEF device_vendor, and device_product, respectively.

device_vendor_device_product

Here is a snippet of a sample LANCOPE event in LEEF 2.0 format:

<111>Apr 19 10:29:53 3.3.3.3 LEEF:2.0|Lancope|StealthWatch|1.0|41|^|src=192.0.2.0^dst=172.50.123.1^sev=5^cat=anomaly^srcPort=81^dstPort=21^usrName=joe.black

and the corresponding match in splunk_metadata.csv:

Lancope_StealthWatch,source,lancope:stealthwatch

Default Sourcetype

sourcetype notes
LEEF:1 Common sourcetype for all LEEF v1 events
LEEF:2:<separator> Common sourcetype for all LEEF v2 events separator is the printable literal or hex value of the separator used in the event

Default Source

source notes
vendor:product Varies

Default Index Configuration

key source index notes
Vendor_Product Varies main none

Filter type

MSG Parse: This filter parses message content

Options

Variable default description
SC4S_LISTEN_LEEF_UDP_PORT empty string Enable a UDP port for this specific vendor product using a comma-separated list of port numbers
SC4S_LISTEN_LEEF_TCP_PORT empty string Enable a TCP port for this specific vendor product using a comma-separated list of port numbers
SC4S_LISTEN_LEEF_TLS_PORT empty string Enable a TLS port for this specific vendor product using a comma-separated list of port numbers
SC4S_ARCHIVE_LEEF no Enable archive to disk for this specific source
SC4S_DEST_LEEF_HEC no When Splunk HEC is disabled globally set to yes to enable this specific source