Custom Integrations with CEF Notifications

A syslog notification in CEF format can be configured in the Notification Profiles under Admin > Settings, so that Alarm and Event data can be forwarded to a third-party application.

Common Event Format (CEF) is a syslog message format defined by ArcSight. A CEF message has the form:

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

The default CEF mapping in Plixer Scrutinizer is similar to:

CEF:1|Plixer|Scrutinizer|${SCRUTINIZER_VERSION}|${EVENT_POLICY_LANGKEY}|${EVENT_POLICY_NAME}|${EVENT_SEVERITY_AS_INTEGER}|dvc=${EVENT_DEVICES} start=${EVENT_FIRST_TS} end=${EVENT_LAST_TS} cnt=${EVENT_HITS}

The first seven keys form the prefix and are always present in the CEF syslog. The field mappings in the Extension key are optional and vary by event.

Key              Value
---------------  ------------------------------
CEF:Version      CEF:1
Device Vendor    Plixer
Device Product   Scrutinizer
Device Version   ${SCRUTINIZER_VERSION}
Signature ID     ${EVENT_POLICY_LANGKEY}
Name             ${EVENT_POLICY_NAME}
Severity         ${EVENT_SEVERITY_AS_INTEGER}
Extension        dvc=${EVENT_DEVICES}
                 start=${EVENT_FIRST_TS}
                 end=${EVENT_LAST_TS}
                 cnt=${EVENT_HITS}

Mapping

The Extension key carries the event details from the alarm that generated the syslog. The following table lists the available key mappings for the Extension portion of the syslog.

CEF key   Event key
--------  ------------------
app       app_proto
cnt       hits
dpt       dst_port
dst       target
duser     target_username
dvc       devices
end       last_ts
proto     protocol
spt       src_port
src       violator
start     first_ts
suser     violator_username

CEF notifications are built from the event defined by the Alarm policy that was triggered. The fields included in that Alarm policy determine which details appear in the Event details (Extension) portion of the notification.
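To show how a receiving application would consume these messages, the following added example (not Scrutinizer's own code) parses a CEF line in the default mapping above back into its seven prefix fields and its extension pairs, renaming the extension keys to Scrutinizer event keys using the mapping table. It handles the CEF escapes that a naive split on "|" or " " would break on (an escaped pipe in the policy name, "\=" inside an extension value). The sample line, the device version, timestamps and addresses are constructed for the example.

```python
import re

# CEF extension key -> Scrutinizer event key, from the mapping table above.
CEF_TO_EVENT = {
    "app": "app_proto", "cnt": "hits", "dpt": "dst_port", "dst": "target",
    "duser": "target_username", "dvc": "devices", "end": "last_ts",
    "proto": "protocol", "spt": "src_port", "src": "violator",
    "start": "first_ts", "suser": "violator_username",
}
HEADER = ("version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")
# One extension pair: key=value, where the value runs until the next " key="
# or end of string; "\=" and "\\" inside a value are escapes, not delimiters.
EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)")


def unescape(text):
    """Undo CEF backslash escapes ('\\|' in the prefix, '\\=' in extensions)."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_cef(line):
    """Return a dict of prefix fields plus 'event': the extension pairs renamed
    to Scrutinizer event keys. Any syslog PRI/timestamp/host before 'CEF:' is
    ignored; unknown extension keys are kept under their CEF name."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    # Split the prefix only on unescaped '|'; the 8th piece is the extension.
    parts = re.split(r"(?<!\\)\|", line[start + len("CEF:"):], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("CEF prefix must contain seven fields")
    record = dict(zip(HEADER, (unescape(p) for p in parts[:7])))
    record["version"] = int(record["version"])
    record["severity"] = int(record["severity"])  # EVENT_SEVERITY_AS_INTEGER
    extension = parts[7] if len(parts) == 8 else ""
    record["event"] = {CEF_TO_EVENT.get(k, k): unescape(v)
                       for k, v in EXT_PAIR.findall(extension)}
    return record


# Constructed sample in the default Scrutinizer mapping (not captured from a
# real system); the policy name deliberately contains an escaped pipe.
SAMPLE = ("<13>Feb  3 10:15:42 scrutinizer CEF:1|Plixer|Scrutinizer|19.1.0|"
          "flowPolicyTop|Top Talkers \\| Outbound|7|"
          "dvc=10.0.0.1 start=1675419300 end=1675419600 cnt=42 "
          "suser=alice src=10.0.0.55 dst=198.51.100.7 dpt=443")

if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```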

Note

By default, Plixer Scrutinizer maps the dst and src CEF keys to the target and violator event keys. These keys are specific to Scrutinizer's report threshold policy and NOT the general targets and violators keys common to all events; this mapping exists to support a specific report threshold use case.

Please contact Plixer Technical Support for information on the customization of the Plixer Scrutinizer CEF syslog key mappings.