Open chemamartinez opened 5 years ago
Alternatively an implicit decoder (like the one for json) could be created for the CEF and LEEF formats given that all fields have a given name.
This has been requested here: https://github.com/wazuh/wazuh/issues/3408
From the LDAPwiki documentation:
Common Event Format (CEF) is a Logging and Auditing file format from ArcSight and is an extensible, text-based format designed to support multiple device types by offering the most relevant information. Message syntaxes are reduced to work with ESM normalization. Specifically, Common Event Format defines a syntax for log records comprised of a standard header and a variable extension, formatted as key-value pairs.
This log format is so widespread that, for example, Logstash includes a plugin to support it: https://www.elastic.co/guide/en/logstash/current/plugins-codecs-cef.html
The following link shows what that format looks like: https://help.deepsecurity.trendmicro.com/Events-Alerts/syslog-parsing.html
It could be useful to create decoders to catch those events natively. In fact, there are a couple of Pull Requests that include decoders for specific logs using that format (see #177 and #178).
Regards.
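To show what a generic CEF decoder of the kind proposed above has to handle (the pipe-delimited header with its `\|` and `\\` escapes, and the space-separated key=value extension with `\=`, `\\`, `\n` and `\r` escapes and values that may contain spaces), here is an added example parser. It is not Wazuh code and not part of this issue; the sample record, vendor and field values are constructed for the demonstration.

```python
import re

# Header fields in the order CEF defines them (after the "CEF:" prefix).
_HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                  "signature_id", "name", "severity")
# An extension key is a run of key characters followed by "=", at the start or after a space.
# A "\=" inside a value is not matched because "\" is not a key character.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\[\]-]+)=")
_EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}

# Constructed sample: syslog prefix, escaped pipe in the header, escaped "=" and "\" in msg.
SAMPLE = ("<134>Jan  1 12:00:00 fw01 "
          "CEF:0|Example Vendor|Example Product|1.0|100|Pipe \\| in name|5|"
          "src=10.0.0.1 act=blocked msg=path\\=C:\\\\tmp with spaces cs1Label=Rule cs1=deny all")


def _split_header(record):
    """Split the seven pipe-delimited header fields, honouring \\| and \\\\ escapes."""
    fields, buf, i = [], [], 0
    while i < len(record) and len(fields) < 7:
        ch = record[i]
        if ch == "\\" and i + 1 < len(record) and record[i + 1] in "|\\":
            buf.append(record[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(fields) < 7 and buf:          # record ends without a trailing pipe / extension
        fields.append("".join(buf))
    return fields, record[i:]            # remainder is the extension part


def _parse_extension(ext):
    """Turn 'k1=v1 k2=v2 ...' into a dict; a value runs until the next key token."""
    matches = list(_KEY_RE.finditer(ext))
    out = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(r"\\([=\\nr])", lambda e: _EXT_ESCAPES[e.group(1)], raw)
    return out


def decode_cef(line):
    """Decode one CEF record (any syslog prefix is skipped). Returns None if not CEF."""
    start = line.find("CEF:")
    if start < 0:
        return None
    header, ext = _split_header(line[start:])
    if len(header) != 7:                 # malformed header: do not guess field positions
        return None
    event = dict(zip(_HEADER_FIELDS, header))
    event["version"] = event["version"][len("CEF:"):]
    event["extension"] = _parse_extension(ext)
    return event
```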