wizecore / graylog2-output-syslog

Customizable, production ready syslog and ArcSight output plugin for Graylog
Apache License 2.0

CEF | No packet sent #19

Closed TenGbps closed 6 years ago

TenGbps commented 6 years ago

Hello, in CEF on Graylog 2.3.0, no packet is sent by the Graylog server.

CEF : https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/78000/KB78712/en_US/CEF_White_Paper_20100722.pdf

Tell me if I can help you debug with my ArcSight.

Thanks

huksley commented 6 years ago

Hi. Have you used release JAR or build yourself?

huksley commented 6 years ago

Yes. There was CEF support only in the 1.3-final branch. Ported to master and released a new JAR. Can you try it? Ready to fix any quirks and bugs and implement proper ArcSight support.

TenGbps commented 6 years ago

Thank you very much for your fast reply; you need to change some code.

An example of a Forcepoint log in CEF, as sent by your plugin:

RFC:
<x>CEF:0|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|.......

Original
<6>CEF:0|FORCEPOINT|Firewall|unknown|12345|Connection_Closed|0|in=0 out=0 app=App rt=Sep 06 2017 10:10:00 deviceFacility=Packet filter deviceInboundInterface=1 proto=6 dpt=80 spt=12345 dst=10.11.12.13 src=10.13.12.11 dvchost=10.0.0.1 dvc=10.0.0.1 deviceExternalId=Node1

Plugin
<14>Sep  6 10:10:00 1.2.3.4 - -  CEF:0|ArcSight|Logger|5.0.0.5355.2|log:1|"2017-09-06 10:10:00","0000","10.0.0.1","Packet filter","Notification",,"Permit","10.11.12.13","10.13.12.11","App",

First you need to remove the date & IP before 'CEF:0' and put Graylog info like

CEF:0|Graylog, Inc|Graylog Server|$GrayLogVersion|$MessageId|$Index|$message.severity|...

And for fields, don't use a comma separator; space is the right way, with the field name first:

esfield1=esvalue1 esfield2=esvalue2

huksley commented 6 years ago

Please check new release https://github.com/wizecore/graylog2-output-syslog/releases/tag/2.1.1b

For now I don't know how to send the actual Graylog server version - using fixed 2.1.1. I'll figure it out later.

TenGbps commented 6 years ago

In a good way ;)

<x>CEF:0|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|.......

|Name| contains the full message; can you replace it with the index name? Can you replace 'log:1' with '1'?

huksley commented 6 years ago

I don't know a generic way to reduce Name; here is from the spec:

Name is a string representing a human-readable and understandable description of the event. The
event name should not contain information that is specifically mentioned in other fields. For example:
"Port scan from 10.0.0.1 targeting 20.1.1.1" is not a good event name. It should be: "Port scan". The other
information is redundant and can be picked up from the other fields.

However, I don't include the message or full_message fields in the Extension, so Name seems to be the most suitable place to write it.

There is probably a need for configuration, for example to make Name a composition of other fields. Plus fields might need renaming to suit 'CEF Key Names For Event Producers'.

TenGbps commented 6 years ago

Maybe the short_message is better for |Name|, or detect if the field act= is not empty and put it in |Name|; FORCEPOINT does it.

For the Severity, take the severity field or the level field maybe.

Now the plugin works!

huksley commented 6 years ago

What about these standard CEF extension key names?

TenGbps commented 6 years ago

Also, maybe not sending all values whose name starts with gl2_* is better, because ArcSight doesn't index them.

TenGbps commented 6 years ago

Name is fully indexed in ArcSight; better to put a fixed value instead of the full message, for perf.
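
To make the requested format concrete, here is an added example (not the plugin's own code) that renders a Graylog-style message as a bare CEF:0 line the way this thread asks for: Graylog vendor/product/version in the header, short_message as Name, Severity derived from level, gl2_* and the long message fields dropped, and CEF escaping applied; a small parser then splits the result back so the escaping can be checked. The level-to-severity mapping, the field names and the sample message are assumptions.

```python
import re
from typing import Any, Dict, List, Tuple

# CEF spec: header fields escape "\" and "|"; extension values escape "\" and "=",
# and newlines are written as the two characters "\n".
def _esc_header(v: Any) -> str:
    return str(v).replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(v: Any) -> str:
    s = str(v).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r", "").replace("\n", "\\n")

def _unesc(s: str) -> str:
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), s)

def level_to_cef_severity(level: int) -> int:
    # Graylog "level" is a syslog severity (0 emerg .. 7 debug); CEF Severity is
    # 0..10 with 10 most severe, so invert and scale (assumed mapping).
    return round((7 - max(0, min(7, int(level)))) * 10 / 7)

def to_cef(msg: Dict[str, Any], version: str = "2.1.1") -> str:
    """Render a Graylog message dict as one CEF:0 line (no syslog header)."""
    header = ["Graylog, Inc", "Graylog Server", version,
              msg.get("_id", "unknown"), msg.get("short_message", "unknown"),
              level_to_cef_severity(msg.get("level", 6))]
    # Name stays short: message/full_message never go on the wire, and gl2_*
    # fields are dropped because ArcSight does not index them.
    skip = {"_id", "short_message", "level", "message", "full_message"}
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in sorted(msg.items())
                   if k not in skip and not k.startswith("gl2_"))
    return "CEF:0|" + "|".join(_esc_header(h) for h in header) + "|" + ext

_HDR_PIPE = re.compile(r"(?<!\\)\|")              # a pipe not preceded by "\"
_EXT_KEY = re.compile(r"(?:^| )([A-Za-z0-9_]+)=")

def parse_cef(line: str) -> Tuple[List[str], Dict[str, str]]:
    """Split a CEF line into its six header values and an extension dict."""
    parts = _HDR_PIPE.split(line, maxsplit=7)     # extension may hold raw "|"
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("not a CEF:0 line with seven header fields")
    header = [_unesc(p) for p in parts[1:7]]
    keys = list(_EXT_KEY.finditer(parts[7]))
    ext: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(parts[7])
        ext[m.group(1)] = _unesc(parts[7][m.end():end])
    return header, ext

SAMPLE = {  # constructed Graylog-style message, not a real capture
    "_id": "msg-0001", "short_message": "Connection_Closed", "level": 6,
    "full_message": "long text that must not go on the wire", "gl2_source_node": "node-1",
    "act": "Permit", "dpt": 80, "src": "10.13.12.11", "dst": "10.11.12.13", "cs1": "a|b=c\\d",
}
```

`to_cef(SAMPLE)` yields `CEF:0|Graylog, Inc|Graylog Server|2.1.1|msg-0001|Connection_Closed|1|act=Permit cs1=a|b\=c\\d dpt=80 dst=10.11.12.13 src=10.13.12.11`; note that the pipe inside an extension value is left alone while `=` and `\` are escaped.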

huksley commented 6 years ago

Check the updated documentation: https://github.com/wizecore/graylog2-output-syslog/blob/master/README.md#cef-format-handling

TenGbps commented 6 years ago

Thanks for your work!