Custom Plugin - Parse with CEF & LEEF

CEF and LEEF share a main header structure that must be respected before any field can be parsed.

In this structure, the CEF log must contain 7 pipe ('|') characters and the LEEF log 5. Logs that do not match these pipe counts should be requested (from the log source) to be converted to this form; otherwise this parsing method will not work for you.

CEF Log Sample:

CEF:0|Palo Alto Networks|Firewall|10.3.0|100|EXE Threat|10|src=192.168.1.1 dst=10.0.0.1 spt=5050 dpt=443 cs1Label=Application cs1=web-browsing cs2Label=Severity cs2=high cs3Label=File Type cs3=exe cs4Label=Action cs4=block act=server-to-client cn1Label=Session ID cn1=123456 rt=Oct 08 2024 16:44:29

LEEF Log Sample:

LEEF:2.0|Palo Alto Networks|Firewall|10.3.0|100|devTime=Oct 08 2024 16:44:29|src=192.168.1.1|dst=10.0.0.1|spt=5050|dpt=443|sev=10|cat=EXE Threat|proto=tcp|app=web-browsing|act=block|direction=server-to-client|fileType=exe|fileHash=abc123|sessionID=123456

CEF

When parsing the CEF log, placing the log in the Sample field automatically pulls out the header part. Assign fields to this header part first, then start parsing the fields in the body of the log.

If you are not sure what the fields in the header correspond to, you can use AI to help identify them.

You do not need to select a Value Strip Policy unless you actually need one. I chose one here only as an example; it has no effect on this log.

There is one more difference between the CEF and LEEF structures that should be noted.

cs1Label=Application cs1=web-browsing

In the log line shown above, we select the Application text written in the cs1Label part under the Match field; when the log is parsed, this gives us the web-browsing value that appears in cs1.

As long as you pay attention to this detail, you can parse all of the data in a CEF log.

LEEF

When parsing the LEEF log, placing the log in the Sample field automatically pulls out the header part. Assign fields to this header part first, then start parsing the fields in the body of the log.

You can use Static mapping in logs. At this stage, take the Log Message List as your reference.

However, if you want to map with a file, the steps specific to that method are described under Parse with JSON.
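To make the header rules from the CEF and LEEF sections above concrete, here is an added Python example (not Logsign's plugin code): it splits each sample log at the 7th (CEF) or 5th (LEEF) pipe, rejects lines with too few pipes, and resolves csNLabel/cnNLabel pairs so that cs1Label=Application cs1=web-browsing becomes the field Application=web-browsing. The field names for the header parts are my own labels, and the LEEF attributes are split on '|' exactly as in the sample.

```python
import re
from typing import Dict

# Sample logs copied from the article above.
CEF_SAMPLE = ("CEF:0|Palo Alto Networks|Firewall|10.3.0|100|EXE Threat|10|"
              "src=192.168.1.1 dst=10.0.0.1 spt=5050 dpt=443 cs1Label=Application "
              "cs1=web-browsing cs2Label=Severity cs2=high cs3Label=File Type cs3=exe "
              "cs4Label=Action cs4=block act=server-to-client cn1Label=Session ID "
              "cn1=123456 rt=Oct 08 2024 16:44:29")
LEEF_SAMPLE = ("LEEF:2.0|Palo Alto Networks|Firewall|10.3.0|100|devTime=Oct 08 2024 16:44:29|"
               "src=192.168.1.1|dst=10.0.0.1|spt=5050|dpt=443|sev=10|cat=EXE Threat|"
               "proto=tcp|app=web-browsing|act=block|direction=server-to-client|"
               "fileType=exe|fileHash=abc123|sessionID=123456")

# Names for the header parts (assumed labels, not the plugin's field names).
CEF_HEADER = ["cef_version", "device_vendor", "device_product", "device_version",
              "signature_id", "name", "severity"]
LEEF_HEADER = ["leef_version", "vendor", "product", "version", "event_id"]

# An extension key is a run of word characters followed by '='; its value runs
# up to the next such key, so values may contain spaces ("File Type", the rt time).
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line: str) -> Dict[str, str]:
    # The header ends at the 7th pipe; everything after it is the extension block.
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("CEF header must contain 7 pipes; ask the source to convert the log")
    fields = dict(zip(CEF_HEADER, parts[:7]))
    fields["cef_version"] = parts[0][len("CEF:"):]
    ext = dict(KV_RE.findall(parts[7]))
    # csNLabel/cnNLabel gives the field name, csN/cnN gives the value.
    for key in list(ext):
        base = key[:-len("Label")]
        if key.endswith("Label") and base in ext:
            ext[ext[key]] = ext[base]
            del ext[key], ext[base]
    fields.update(ext)
    return fields


def parse_leef(line: str) -> Dict[str, str]:
    # The header ends at the 5th pipe; attributes in the sample are '|'-delimited key=value.
    parts = line.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("LEEF header must contain 5 pipes; ask the source to convert the log")
    fields = dict(zip(LEEF_HEADER, parts[:5]))
    fields["leef_version"] = parts[0][len("LEEF:"):]
    for attr in parts[5].split("|"):
        key, _, value = attr.partition("=")
        fields[key] = value
    return fields
```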
