
Header Information

CEF uses syslog as its transport mechanism. Each message consists of a syslog prefix, a CEF header, and zero or more extensions, in this format:

<Syslog_prefix> <CEF_header>|[Extension]

The CEF header consists of seven fields separated by a pipe character (|). If a pipe character appears inside the value of a header field, it must be escaped. The pipe delimiters between the header fields must not be escaped.

The CEF header is:

CEF:Version|Vendor|Product|Version|Message ID|Name|Severity|

Header Field Definitions

Each entry below gives the header name, the field name, the type, the maximum size, and a description.

CEF Version
  Field name: CEF Version
  Type: String
  Size: N/A
  Description: CEF Version is an integer that identifies the version of the CEF format. Event consumers use it to determine what the following fields represent. The current CEF format versions are 0 (CEF:0), for CEF Specification version 0.1, and 1 (CEF:1), for CEF Specification version 1.x. For example, for CEF Specification version 1.2 the value of the CEF Version header field is "1".

Vendor
  Field name: deviceVendor
  Type: String
  Size: 63
  Description: deviceVendor and deviceProduct are strings that together uniquely identify the type of device that sent the message. No two products may use the same deviceVendor and deviceProduct pair. There is no central authority managing these pairs, so event producers must ensure that they assign unique name pairs.

Product
  Field name: deviceProduct
  Type: String
  Size: 63
  Description: See deviceVendor above.

Version
  Field name: deviceVersion
  Type: String
  Size: 31
  Description: deviceVersion is the version of the product producing the logs.

Message ID
  Field name: deviceEventClassId
  Type: String
  Size: 1023
  Description: deviceEventClassId is a unique identifier for each event type and identifies the type of event reported. It can be a string or an integer. In the Intrusion Detection System (IDS) world, each signature or rule that detects certain activity has a unique Signature ID assigned; the same requirement applies to other types of devices and helps correlation engines process the events. This field is also known as Signature ID. Note: the '=', '%' and '#' characters must be escaped when they appear in a vulnerability string mapped to deviceEventClassId, or in the description or name of the vulnerability. They must not be escaped when used as a delimiter.

Name
  Field name: name
  Type: String
  Size: 512
  Description: name is a human-readable description of the event. The event name must not contain information that is already carried in other fields. For example, "Port scan from 10.0.0.1 targeting 20.1.1.1" is not a good event name; it should be "Port scan". The other information is redundant and can be picked up from the rest of the fields.

Severity
  Field name: agentSeverity
  Type: AgentSeverity Enumeration
  Size: N/A
  Description: agentSeverity is a string or an integer reflecting the importance of the event. The valid string values are Unknown, Low, Medium, High and Very-High. The valid integer values are 0 = Unknown, 1-3 = Low, 4-6 = Medium, 7-8 = High and 9-10 = Very-High.

  Field name: deviceSeverity
  Type: String
  Size: 63
  Description: deviceSeverity captures the language used by the data source to describe its own interpretation of the danger posed by a particular event. For example, if a network IDS detects a DHCP packet that does not contain enough data to conform to the DHCP format, the device may flag this as a high-priority exploit.
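The following parser is an added example covering both the header format above and the field definitions in this table; it is not code from this page or from any CEF vendor. It splits the header on unescaped pipes, unescapes "\|" inside a value (and "\\", which the CEF specification also requires although this page only mentions pipes), enforces the size limits and the two current versions listed in the table, and normalises agentSeverity to the string enumeration. It assumes, which the page does not state, that the syslog prefix is everything before the first "CEF:" token and that the extension block can be left as a raw string. The sample lines are constructed, not real device output.

```python
"""Parse and validate the CEF header of a syslog line (added example)."""
from dataclasses import dataclass

# Header field names in wire order, as defined in the field table.
HEADER_FIELDS = ("cef_version", "deviceVendor", "deviceProduct", "deviceVersion",
                 "deviceEventClassId", "name", "agentSeverity")

# Maximum field sizes from the field-definition table.
MAX_SIZE = {"deviceVendor": 63, "deviceProduct": 63, "deviceVersion": 31,
            "deviceEventClassId": 1023, "name": 512}

SEVERITY_NAMES = ("Unknown", "Low", "Medium", "High", "Very-High")


@dataclass
class CEFHeader:
    syslog_prefix: str
    cef_version: int
    deviceVendor: str
    deviceProduct: str
    deviceVersion: str
    deviceEventClassId: str
    name: str
    agentSeverity: str
    extension: str


def split_header(body):
    """Split the text after 'CEF:' on unescaped pipes into the 7 header fields.

    '\\|' inside a value is a literal pipe and '\\\\' a literal backslash (the
    latter per the CEF spec, assumed here); both are unescaped. The pipe
    delimiters themselves are never escaped. Returns (fields, remainder),
    where remainder is the raw extension block.
    """
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            cur.append(body[i + 1])  # escaped char: keep it, drop the backslash
            i += 2
        elif ch == "|":
            fields.append("".join(cur))  # an unescaped pipe ends a header field
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError(f"CEF header needs 7 pipe-terminated fields, got {len(fields)}")
    return fields, body[i:]


def severity_label(value):
    """Map agentSeverity (string or 0-10 integer) to the string enumeration."""
    v = value.strip()
    if v.isdigit():
        n = int(v)
        if n > 10:
            raise ValueError(f"agentSeverity out of range: {n}")
        return ("Unknown" if n == 0 else "Low" if n <= 3 else
                "Medium" if n <= 6 else "High" if n <= 8 else "Very-High")
    for label in SEVERITY_NAMES:
        if v.lower() == label.lower():
            return label
    raise ValueError(f"unknown agentSeverity: {value!r}")


def parse_cef(line):
    """Parse one syslog line carrying a CEF message; raise ValueError if malformed."""
    marker = line.find("CEF:")  # assumption: the prefix never contains 'CEF:'
    if marker < 0:
        raise ValueError("no 'CEF:' marker in line")
    fields, extension = split_header(line[marker + len("CEF:"):])
    if fields[0] not in ("0", "1"):  # CEF:0 and CEF:1 are the current versions
        raise ValueError(f"unsupported CEF version {fields[0]!r}")
    hdr = dict(zip(HEADER_FIELDS[1:], fields[1:]))
    for key, limit in MAX_SIZE.items():
        if len(hdr[key]) > limit:
            raise ValueError(f"{key} exceeds {limit} characters")
    severity_label(hdr["agentSeverity"])  # rejects values outside the enumeration
    return CEFHeader(line[:marker].rstrip(), int(fields[0]), extension=extension, **hdr)


def is_valid_cef(line):
    """True if parse_cef accepts the line (useful for filtering an ingest stream)."""
    try:
        parse_cef(line)
        return True
    except ValueError:
        return False


# Constructed sample lines (not real device output). The second exercises an
# escaped pipe in deviceProduct and an escaped backslash in deviceEventClassId;
# the third is missing its Severity field and must be rejected.
SAMPLE_LINES = [
    "Jan 18 11:07:53 host CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232",
    "<13>Oct  1 12:00:00 fw CEF:1|Acme|Pipe\\|Gate|2.3.1|login\\\\fail|Failed login|High|suser=alice",
    "Oct  1 12:00:01 fw CEF:1|Acme|Gate|2.3.1|auth|Missing severity field|",
]

if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        if is_valid_cef(ln):
            h = parse_cef(ln)
            print(f"{h.deviceVendor}/{h.deviceProduct} id={h.deviceEventClassId!r} "
                  f"name={h.name!r} severity={severity_label(h.agentSeverity)} ext={h.extension!r}")
        else:
            print("rejected:", ln)
```

Pipes inside the extension block are deliberately left alone: the seventh unescaped pipe closes the header, so `split_header` stops there and the rest of the line is handed back untouched. Treat a line that fails `parse_cef` as untrusted input rather than guessing at field boundaries; a producer that emits an unescaped pipe in a product name will otherwise shift every later field by one.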
