Vendor - Common Event Format Data Sources¶
Product - Various products that send CEF-format messages via syslog¶
Each CEF product should have their own source entry in this documentation set. In a departure from normal configuration, all CEF products should use the “CEF” version of the unique port and archive environment variable settings (rather than a unique one per product), as the CEF log path handles all products sending events to SC4S in the CEF format. Examples of this include Arcsight, Imperva, and Cyberark. Therefore, the CEF environment variables for unique port, archive, etc. should be set only once.
If your deployment has multiple CEF devices that send to more than one port, set the CEF unique port variable(s) as a comma-separated list. See Unique Listening Ports for details.
The source documentation included below is a reference baseline for any product that sends data using the CEF log path.
|Splunk Add-on CEF||https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/|
Splunk Metadata with CEF events¶
The keys (first column) in
splunk_metadata.csv for CEF data sources have a slightly different meaning than those for non-CEF ones.
vendor_product syntax is instead replaced by checks against specific columns of the CEF event – namely the first,
second, and fourth columns following the leading
CEF:0 (“column 0”). These specific columns refer to the CEF
device_event_class, respectively. The third column,
device_version, is not used for metadata assignment.
SC4S sets metadata based on the first two columns, and (optionally) the fourth. While the key (first column) in the
splunk_metadata file for non-CEF sources uses a “vendor_product” syntax that is arbitrary, the syntax for this key for CEF
events is based on the actual contents of columns 1,2 and 4 from the CEF event, namely:
device_class portion is optional. Therefore, CEF entries in
splunk_metadata can have a key representing the vendor and
product, and others representing a vendor and product coupled with one or more additional classes. This allows for more granular
metadata assignment (or overrides).
Here is a snippet of a sample Imperva CEF event that includes a CEF device class entry (which is “Firewall”):
Apr 19 10:29:53 188.8.131.52 CEF:0|Imperva Inc.|SecureSphere|12.0.0|Firewall|SSL Untraceable Connection|Medium|
and the corresponding match in
Default Index Configuration¶
MSG Parse: This filter parses message content
|SC4S_LISTEN_CEF_UDP_PORT||empty string||Enable a UDP port for this specific vendor product using a comma-separated list of port numbers|
|SC4S_LISTEN_CEF_TCP_PORT||empty string||Enable a TCP port for this specific vendor product using a comma-separated list of port numbers|
|SC4S_LISTEN_CEF_TLS_PORT||empty string||Enable a TLS port for this specific vendor product using a comma-separated list of port numbers|
|SC4S_ARCHIVE_CEF||no||Enable archive to disk for this specific source|
|SC4S_DEST_CEF_HEC||no||When Splunk HEC is disabled globally set to yes to enable this specific source|
An active site will generate frequent events use the following search to check for new events
Verify timestamp, and host values match as expected
index=<asconfigured> (sourcetype=cef source=<asconfigured>)