CEF¶
The CEF notification action uses CEF (Common Event Format) syslog messages to forward alarm/event details to external applications.
To add a CEF notification to a notification profile, follow these steps:
Click the notification profile to open the configuration tray.
Under Actions, click the + button.
In the secondary tray, select CEF from the action type dropdown.
Enter the IP address or hostname of the host to send the CEF syslog message to.
Enter the UDP port to use on the destination host.
Click the Add button to save the action configuration to the profile.
Once added, the CEF notification will be triggered following the alarm policy’s settings for the notification profile.
CEF message mapping¶
Based on the standard CEF message format (CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension), Plixer Scrutinizer uses the following mapping for the first seven (prefix) keys:
Prefix keys
The first seven keys of the CEF message will use the following standard mappings across all alarm policies:
Key | Value
Extension keys
Because the CEF message is automatically generated using the event message of the alarm policy violated, the extension
keys included will vary based on what details/fields are reported under the policy.
The following table lists all mappings that may be used for event details in the CEF message:
CEF Key | Event Key
Note
By default, Plixer Scrutinizer maps the dst and src CEF keys to the target and violator event keys that are exclusive to Plixer Scrutinizer’s Report Threshold Violation alarm policy. These are not the same as the general targets and violators keys that are common to all events. This mapping exists to support a specific use case for report thresholds.
Sample CEF message sent by Plixer Scrutinizer:
CEF:1|Plixer|Scrutinizer|${SCRUTINIZER_VERSION}|${EVENT_POLICY_LANGKEY}|${EVENT_POLICY_NAME}|${EVENT_SEVERITY_AS_INTEGER}|dvc=${EVENT_DEVICES} start=${EVENT_FIRST_TS} end=${EVENT_LAST_TS} cnt=${EVENT_HITS}
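The following parser is an added example, not Plixer code, that shows how a receiving application (a SIEM collector, for instance) would decode the message format above: it splits the seven pipe-delimited prefix fields, honouring the CEF escape for a literal pipe, and then parses the space-separated key=value extension, honouring the escaped equals sign. The sample record is constructed here by filling the ${...} placeholders with made-up values.

```python
import re
from typing import Dict, List

# Constructed sample: the Scrutinizer template from the docs with the
# ${...} placeholders replaced by made-up values (not a real capture).
SAMPLE_CEF = (
    "CEF:1|Plixer|Scrutinizer|19.3.0|report_threshold_violation|"
    "Report Threshold Violation|7|dvc=10.0.0.1 start=1700000000000 "
    "end=1700000060000 cnt=3 msg=utilization\\=95% on ge-0/0/1"
)

# Names for the seven prefix fields, in the order the CEF header defines them.
PREFIX_FIELDS = ["version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity"]

# An extension key starts at the beginning of the extension or after whitespace.
# Values may contain spaces, so each value runs up to the next key.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_prefix(text: str) -> List[str]:
    """Split on '|' that is not escaped as '\\|'; at most 7 splits, so the
    extension (which may itself contain pipes) stays in the last part."""
    return re.split(r"(?<!\\)\|", text, maxsplit=len(PREFIX_FIELDS))


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'k=v k2=v2 ...', unescaping '\\=' and '\\\\' inside values."""
    matches = list(KEY_RE.finditer(ext))
    fields: Dict[str, str] = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        value = ext[m.end():end].rstrip()
        fields[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return fields


def parse_cef(line: str) -> Dict[str, object]:
    """Decode one CEF record into prefix fields plus an extension dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _split_prefix(line[len("CEF:"):])
    if len(parts) != len(PREFIX_FIELDS) + 1:
        raise ValueError("CEF prefix must contain seven pipe-delimited fields")
    record: Dict[str, object] = {
        key: value.replace("\\|", "|").replace("\\\\", "\\")
        for key, value in zip(PREFIX_FIELDS, parts[:-1])
    }
    record["severity"] = int(record["severity"])  # type: ignore[arg-type]
    record["extension"] = parse_extension(parts[-1])
    return record
```

A record whose prefix does not split into exactly seven fields is rejected rather than guessed at, which is the check a collector should apply before trusting any of the mapped values.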
To learn more about the customization of Plixer Scrutinizer CEF key mappings, contact Plixer Technical Support.