README.md: 51 additions & 1 deletion
@@ -52,7 +52,7 @@ Example:
52
52
53
53
### cef
54
54
55
-
Common event format aka HP ArcSight format. This is Work in progress as I don`t have access to HP ArcSight instance. Please leave your feedback in issues.
55
+
Common event format aka HP ArcSight format. For this format to work you must set ARCSight port which expects CEF messages without syslog header. Also read CEF format handling below.
56
56
57
57
### full
58
58
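Review bot: the replacement sentence under `### cef` tells the reader to "set ARCSight port" without saying where that setting lives or what the receiver must accept; state explicitly that the destination must be an ArcSight receiver configured for raw CEF with no syslog header (this output sends the CEF line bare), and spell it "ArcSight" to match the rest of the README. "Also read CEF format handling below" would be more useful as a link to the `## CEF format handling` section this commit adds, so readers of the format list can jump straight to it.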
@@ -66,6 +66,55 @@ Example:
66
66
67
67
Specify your implementation of com.wizecore.graylog2.plugin.MessageSender interface.
68
68
69
+
## CEF format handling
70
+
71
+
Here is the algorithm for CEF message delivery used in this plugin. If you don`t understand that this, consult [Common Event Format Guide](https://community.saas.hpe.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Guide/ta-p/1589306)
72
+
73
+
### Header
74
+
75
+
Plugin outputs CEF Header with following fields: ``CEF:0|Graylog|graylog-output-syslog:cefsender|2.1.1|``
76
+
77
+
### Device Event Class ID field
78
+
79
+
Currently it is hardcoded as ``log:1``
80
+
81
+
### Name field
82
+
83
+
- If message contains ``act`` field then it is used
84
+
- If message contains ``short_message`` field then it is used
85
+
- else Graylog messageId is used for Name field
86
+
87
+
New lines are stripped from this field. Proper escaping applied.
88
+
89
+
### Severity field
90
+
91
+
Mapping performed between syslog level and CEF log level.
92
+
93
+
Syslog | CEF
94
+
--- | ---
95
+
DEBUG | 1
96
+
NOTICE | 2
97
+
INFO | 3
98
+
WARN | 6
99
+
ERROR | 7
100
+
CRITICAL | 8
101
+
ALERT | 9
102
+
EMERGENCY | 10
103
+
104
+
### Extension fields
105
+
106
+
Every existing message fields is written to Extension except ``message``, ``full_message`` and ``short_message``
107
+
108
+
### Automatically generated extension fields
109
+
110
+
If existing fields does not contain such keys, following fields will be added to extension:
111
+
112
+
CEF Key Name | Source
113
+
--- | ---
114
+
start | Message timestamp, unix time in milliseconds
115
+
msg | Message text (``message``)
116
+
externalId | Message ID (assigned by Graylog)
117
+
69
118
## Links
70
119
71
120
*https://tools.ietf.org/html/rfc5424
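Review bot: the three bullets under `### Name field` do not define precedence when a message carries both `act` and `short_message`; rewrite them as an ordered fallback (`act`, otherwise `short_message`, otherwise the Graylog message id) so operators can predict what ArcSight will display. "Proper escaping applied" is too vague for a format where one unescaped character silently breaks parsing; say which characters are escaped (CEF requires `|` and `\` escaped in header fields, `=` and `\` escaped in extension values, and newlines in extension values encoded as `\n` or `\r`). Under `### Extension fields`, say whether Graylog field names are mapped onto CEF dictionary keys or passed through verbatim: keys outside the dictionary may be dropped by the receiver or need the `cs1`/`cs1Label` custom-field pattern, and forwarding every field also forwards any sensitive values those fields hold, which operators should know before pointing this at a shared SIEM. Minor: the literal `2.1.1` in the documented header will drift unless it is read from the build, and the sentences "Every existing message fields is written" and "If existing fields does not contain" need their agreement fixed.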
@@ -76,3 +125,4 @@ Specify your implementation of com.wizecore.graylog2.plugin.MessageSender interf