DeletedUser
Not applicable

Log Exporter CEF Field Mappings

CEF defines a syntax for log records composed of a standard header and a variable extension, formatted as key-value pairs. Please use this discussion as a guide to understand how Check Point syslog Log Exporter maps Check Point logs to the CEF format. This discussion is based upon R80.20 GA and may change in future versions.


CEF fields have their own names such as rt, suser, fname, etc. Check Point fields such as src and dst that already match a CEF field name do not need to be mapped from a Check Point to a CEF name, and so are not covered in this discussion.

Note: in this discussion we refer to the raw Check Point field value. Check Point may translate the raw field name to show a different display name in the user interface like Tracker in R77.30 or SmartConsole in R80.x.  


CEF Header Mapping

The mandatory CEF header is an integral part of the CEF message. The values in the header are displayed in the ArcSight GUI, and we took this into account during our mapping. As noted above, we don’t map Check Point fields that already appear in the header. In those cases where a few values exist, we add them to the header in this order, as explained in $EXPORTERDIR/conf/CefFormatDefinition.xml: first (use first added value - default) | last (use last added value) | join (join between values) | init (set value once to header formatted string on init and do not generate per every log).


CEF Format Header Definition (note: a space is added between the “|” delimiter to make it easier to see the values)

CEF:Version | Device Vendor | Device Product | Device Version | Signature ID | Name | Severity | Extension


  • CEF Version
    • CEF:0
  • Device Vendor
    • Check Point
  • Device Product
    • This is initialized to Check Point, but may also be Log Update or the value from the fields; product or productname.
  • Device Version
    • Check Point
  • Signature ID
    • The default is Log, but may also be the value from the fields attack, protection_type, verdict, dlp_data_type_name, app_category, app_properties.
  • Name
    • The default is Log, but may also be the value from the fields protection_name, appi_name, message_info, service_id.
  • Severity
    • The default is Unknown, but may also be the value from the fields app_risk, risk, severity.
  • Extensions
    • See the field mapping below.


Check Point CEF Header Example (note: a space is added between the “|” delimiter to make it easier to see the values)

CEF:0 | Check Point | VPN-1 & FireWall-1 | Check Point | Log | https | Unknown | <extensions omitted and shown below>


Extensions

As noted above extensions are formatted as key-value pairs. In extensions there are flex fields which can be either numbers or strings and finally there are custom numbers and custom strings (cnX, csX). All CEF fields have a display name. In Log Exporter, we only use the actual field name and ignore the display name. Fields may also be accompanied by labels. In the targetConfiguration.xml file we see that exportAllFields is set to true so all fields are exported to CEF.


Extensions Example Cut from the Above Composed of <field=value> Pairs (note the escape character “\” before the “=” character)

act=Accept destinationTranslatedAddress=0.0.0.0 destinationTranslatedPort=0 deviceDirection=0 rt=1543270652000 sourceTranslatedAddress=192.168.103.254 sourceTranslatedPort=35398 spt=49363 dpt=443 cs2Label=Rule Name layer_name=Network layer_uuid=b406b732-2437-4848-9741-6eae1f5bf112 match_id=4 parent_rule=0 rule_action=Accept rule_uid=9e5e6e74-aa9a-4693-b9fe-53712dd27bea ifname=eth0 logid=0 loguid={0x5bfc70fc,0x1,0xfe65a8c0,0xc0000001} origin=192.168.101.254 originsicname=CN\=R80,O\=R80_M..6u6bdo sequencenum=1 version=5 dst=52.173.84.157 inzone=Internal nat_addtnl_rulenum=1 nat_rulenum=4 outzone=External product=VPN-1 & FireWall-1 proto=6 service_id=https src=192.168.101.100


Below is the Log Exporter CEF Field Mapping from R80.20 GA take 101 from $EXPORTERDIR/conf/CefFieldsMapping.xml, where origName is the Check Point raw field name and dstName is the CEF field name, sorted by the CEF dstName field name.


This excludes the table mappings from the file. 

| origName | dstName | dstLabel | dstLabelVal | name | key | value |
|---|---|---|---|---|---|---|
| action | act | | | | | |
| protocol | app | | | | | |
| ipv6_src | c6a2 | c6a2Label | Source IPv6 Address | | | |
| ipv6_dst | c6a3 | c6a3Label | Destination IPv6 Address | | | |
| update_version | cfp1 | cfp1Label | Update Version | | | |
| elapsed | cn1 | cn1Label | Elapsed Time in Seconds | | | |
| email_recipients_num | cn1 | cn1Label | Email Recipients Number | | | |
| payload | cn1 | cn1Label | Payload | | | |
| duration_sec | cn2 | cn2Label | Duration in Seconds | | | |
| icmp_type | cn2 | cn2Label | ICMP Type | | | |
| icmp_code | cn3 | cn3Label | ICMP Code | | | |
| event_count | cnt | | | | | |
| suppressed_logs | cnt | | | | | |
| app_risk | cp_app_risk | | | replace_value | default | Unknown |
| app_risk | cp_app_risk | | | replace_value | 0 | Unknown |
| app_risk | cp_app_risk | | | replace_value | 1 | Low |
| app_risk | cp_app_risk | | | replace_value | 2 | Low |
| app_risk | cp_app_risk | | | replace_value | 3 | Medium |
| app_risk | cp_app_risk | | | replace_value | 4 | High |
| app_risk | cp_app_risk | | | replace_value | 5 | Very-High |
| severity | cp_severity | | | replace_value | default | Unknown |
| severity | cp_severity | | | replace_value | 0 | Low |
| severity | cp_severity | | | replace_value | 1 | Low |
| severity | cp_severity | | | replace_value | 2 | Medium |
| severity | cp_severity | | | replace_value | 3 | High |
| severity | cp_severity | | | replace_value | 4 | Very-High |
| app_rule_name | cs1 | cs1Label | Application Rule Name | | | |
| connectivity_state | cs1 | cs1Label | Connectivity State | | | |
| dlp_rule_name | cs1 | cs1Label | DLP Rule Name | | | |
| email_id | cs1 | cs1Label | Email ID | | | |
| malware_rule_name | cs1 | cs1Label | Threat Prevention Rule Name | | | |
| voip_log_type | cs1 | cs1Label | VoIP Log Type | | | |
| categories | cs2 | cs2Label | Categories | | | |
| category | cs2 | cs2Label | Category | | | |
| email_subject | cs2 | cs2Label | Email Subject | | | |
| integrity_av_invoke_type | cs2 | cs2Label | Scan Invoke Type | | | |
| peer_gateway | cs2 | cs2Label | Peer Gateway | | | |
| protection_id | cs2 | cs2Label | Protection ID | | | |
| sensor_mode | cs2 | cs2Label | Sensor Mode | | | |
| update_status | cs2 | cs2Label | Update Status | | | |
| email_spool_id | cs3 | cs3Label | Email Spool ID | | | |
| identity_type | cs3 | cs3Label | Identity Type | | | |
| incident_extension | cs3 | cs3Label | Incident Extension | | | |
| protection_type | cs3 | cs3Label | Protection Type | | | |
| user_group | cs3 | cs3Label | User Group | | | |
| destination_os | cs4 | cs4Label | Destination OS | | | |
| email_control | cs4 | cs4Label | Email Control | | | |
| frequency | cs4 | cs4Label | Frequency | | | |
| malware_rule_id | cs4 | cs4Label | Threat Prevention Rule ID | | | |
| protection_name | cs4 | cs4Label | Protection Name | | | |
| scan_result | cs4 | cs4Label | Scan Result | | | |
| spyware_status | cs4 | cs4Label | Malware Status | | | |
| tcp_flags | cs4 | cs4Label | TCP Flags | | | |
| user_status | cs4 | cs4Label | User Response | | | |
| auth_method | cs5 | cs5Label | Authentication Method | | | |
| email_session_id | cs5 | cs5Label | Email Session ID | | | |
| matched_category | cs5 | cs5Label | Matched Category | | | |
| vlan_id | cs5 | cs5Label | VLAN ID | | | |
| appi_name | cs6 | cs6Label | Application Name | | | |
| malware_family | cs6 | cs6Label | Malware Family | | | |
| spyware_name | cs6 | cs6Label | Malware Name | | | |
| virus_name | cs6 | cs6Label | Virus Name | | | |
| destination_dns_hostname | destinationDnsDomain | | | | | |
| service_name | destinationServiceName | | | | | |
| xlatedst | destinationTranslatedAddress | | | | | |
| xlatedport | destinationTranslatedPort | | | | | |
| subs_exp | deviceCustomDate2 | deviceCustomDate2Label | Subscription Expiration | | | |
| ifdir | deviceDirection | | | replace_value | default | 0 |
| ifdir | deviceDirection | | | replace_value | outbound | 1 |
| ifdir | deviceDirection | | | replace_value | inbound | 0 |
| type | deviceExternalId | | | | | |
| product_family | deviceFacility | | | | | |
| client_inbound_interface | deviceInboundInterface | | | | | |
| client_outbound_interface | deviceOutboundInterface | | | | | |
| destination_dhcp_hostname | dhost | | | | | |
| dst_machine_name | dhost | | | | | |
| endpoint_addr | dhost | | | | | |
| netbios_destination_hostname | dhost | | | | | |
| mac_destination_address | dmac | | | | | |
| service | dpt | | | | | |
| usercheck_incident_uid | duid | | | | | |
| d_name | duser | | | | | |
| dst_user_name | duser | | | | | |
| orig_to | duser | | | | | |
| uname4domain | duser | | | | | |
| user | duser | | | | | |
| usercheck | duser | | | | | |
| vpn_user | duser | | | | | |
| endpoint_ip | dvc | | | | | |
| dlp_rule_uid | externalId | | | | | |
| uuid | externalId | | | | | |
| file_md5 | fileHash | | | | | |
| file_sha1 | fileHash | | | | | |
| file_id | fileId | | | | | |
| data_origin | filePath | | | | | |
| source_path | filePath | | | | | |
| file_type | fileType | | | | | |
| confidence_level | flexNumber1 | flexNumber1Label | Confidence | | | |
| dst_phone_number | flexNumber2 | flexNumber2Label | Destination Phone Number | | | |
| performance_impact | flexNumber2 | flexNumber2Label | Performance Impact | | | |
| app_sig_id | flexString1 | flexString1Label | Application Signature ID | | | |
| attack_info | flexString2 | flexString2Label | Attack Information | | | |
| malware_action | flexString2 | flexString2Label | Malware Action | | | |
| dlp_file_name | fname | | | | | |
| file_name | fname | | | | | |
| file_size | fsize | | | | | |
| client_inbound_bytes | in | | | | | |
| received_bytes | in | | | | | |
| attack | msg | | | | | |
| description | msg | | | | | |
| information | msg | | | | | |
| message | msg | | | | | |
| message_info | msg | | | | | |
| client_outbound_bytes | out | | | | | |
| sent_bytes | out | | | | | |
| attack_assessment | outcome | | | | | |
| status | outcome | | | | | |
| verdict | outcome | | | | | |
| termination_reason | reason | | | | | |
| to | Recipient | | | | | |
| redirect_url | request | | | | | |
| resource | request | | | | | |
| url | request | | | | | |
| client_name | requestClientApplication | | | | | |
| web_client_type | requestClientApplication | | | | | |
| http_referer | requestContext | | | | | |
| origin_sic_name | requestContext | | | | | |
| cookie | requestCookies | | | | | |
| method | requestMethod | | | | | |
| time | rt | | | append_string | append | 000 |
| mail_sender | Sender | | | | | |
| src_machine_name | shost | | | | | |
| industry_reference | Signature | | | | | |
| mac_source_address | smac | | | | | |
| domain_name | sntdom | | | | | |
| source_os | sourceServiceName | | | | | |
| te_verdict_determined_by | sourceServiceName | | | | | |
| scope | sourceTranslatedAddress | | | | | |
| vpn_internal_source_ip | sourceTranslatedAddress | | | | | |
| xlatesrc | sourceTranslatedAddress | | | | | |
| xlatesport | sourceTranslatedPort | | | | | |
| src_user_group | spriv | | | | | |
| port | spt | | | | | |
| s_port | spt | | | | | |
| client_ip | src | | | | | |
| start_time | start | | | append_string | append | 000 |
| email_address | suser | | | | | |
| from | suser | | | | | |
| orig_from | suser | | | | | |
| src_user_name | suser | | | | | |
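As an added example (not from the post or from Check Point's Log Exporter), a Python parser for the record layout described above: it splits the seven header fields on unescaped "|", recovers extension values that contain spaces or escaped "=", and decodes rt as the Check Point time field with "000" appended (epoch milliseconds). The sample line is constructed from the values in the post's example, written as a real CEF record without the readability spaces around "|".

```python
"""Parse one Check Point Log Exporter CEF record: seven '|'-separated header
fields, then an extension of key=value pairs whose values may contain spaces
and CEF escapes (\\= and \\\\ in values, \\| in header fields)."""
import re
from datetime import datetime, timezone

# Header slots in the order the post lists them.
HEADER_KEYS = ("cef_version", "device_vendor", "device_product",
               "device_version", "signature_id", "name", "severity")

# A key is a run of word characters at the start of the extension or after
# whitespace, followed by '='.  An escaped '\=' inside a value (for example
# originsicname=CN\=R80,...) never matches because '\' is not a key character.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")
_PIPE_RE = re.compile(r"(?<!\\)\|")  # a '|' not preceded by a backslash


def _unescape(text: str) -> str:
    """Undo CEF escaping: \\= \\| \\\\ give the literal character, \\n and \\r newlines."""
    specials = {"n": "\n", "r": "\r"}
    return re.sub(r"\\(.)", lambda m: specials.get(m.group(1), m.group(1)), text)


def parse_cef(line: str) -> dict:
    """Return {'header': {...}, 'extension': {...}} or raise ValueError."""
    parts = _PIPE_RE.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("expected 'CEF:' plus seven header fields before the extension")
    header = {k: _unescape(v.strip()) for k, v in zip(HEADER_KEYS, parts[:7])}
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    ext = parts[7]
    keys = list(_KEY_RE.finditer(ext))
    extension = {}
    for i, m in enumerate(keys):
        # A value runs from just after its '=' to the whitespace before the next key.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        extension[m.group(1)] = _unescape(ext[m.end():end].rstrip())
    return {"header": header, "extension": extension}


def receipt_time(record: dict) -> datetime:
    """rt is Check Point 'time' (epoch seconds) with '000' appended, i.e. milliseconds."""
    return datetime.fromtimestamp(int(record["extension"]["rt"]) / 1000, tz=timezone.utc)


# Constructed sample built from the values in the post's example.
SAMPLE = ("CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|https|Unknown|"
          "act=Accept rt=1543270652000 spt=49363 dpt=443 cs2Label=Rule Name "
          "layer_name=Network product=VPN-1 & FireWall-1 originsicname=CN\\=R80,O\\=R80_M..6u6bdo "
          "src=192.168.101.100 dst=52.173.84.157 proto=6 service_id=https")
```

Calling `parse_cef(SAMPLE)` yields `cs2Label` as "Rule Name" and `originsicname` as "CN=R80,O=R80_M..6u6bdo", which is what an ArcSight-side parser must also recover.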
1 Reply
Steven_van_de_B
Explorer

Does anyone use IPv6 and output to CEF? In our situation Checkpoint (v80.10) does not put ipv6 addresses in ipv6_src and ipv6_dst (which should be mapped to cs6a2 and cs6a3 in CEF) but it puts ipv6 addresses in src and dst. This is not understood by the CEF parsers on ArcSight.

Source addresses and destination addresses remain empty when logexporter puts ipv6 addresses in src and dst. If it is ipv4 it works. Manually testing messages with cs6a2 and cs6a3 populated with ipv6 addresses, it works. So log exporter does not map ipv6 addresses to the correct fields.
