CEF

The CEF notification action uses CEF (Common Event Format) syslog messages to forward alarm/event details to external applications.

To add a CEF notification to a notification profile, follow these steps:

  1. Click the notification profile to open the configuration tray.

  2. Under Actions, click the + button.

  3. In the secondary tray, select CEF from the action type dropdown.

  4. Enter the IP address or hostname of the host to send the CEF syslog message to.

  5. Enter the UDP port to use on the destination host.

  6. Click the Add button to save the action configuration to the profile.

Once added, the CEF notification will be triggered following the alarm policy’s settings for the notification profile.

CEF message mapping

Based on the standard CEF message format (CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension), Plixer Scrutinizer uses the mappings below for the first seven (prefix) keys and for the extension keys.

Prefix keys

The first seven keys of the CEF message will use the following standard mappings across all alarm policies:

Key              Value
---------------  -------------------------------
Version          1
Device Vendor    Plixer
Device Product   Scrutinizer
Device Version   ${SCRUTINIZER_VERSION}
Signature ID     ${EVENT_POLICY_LANGKEY}
Name             ${EVENT_POLICY_NAME}
Severity         ${EVENT_SEVERITY_AS_INTEGER}

Extension keys

Because the CEF message is automatically generated using the event message of the alarm policy violated, the extension keys included will vary based on what details/fields are reported under the policy.

The following table lists all mappings that may be used for event details in the CEF message:

CEF Key   Event Key
--------  -------------------
app       app_proto
cnt       hits
dpt       dst_port
dst       target
duser     target_username
dvc       devices
end       last_ts
proto     protocol
spt       src_port
src       violator
start     first_ts
suser     violator_username

Note

By default, Plixer Scrutinizer maps the dst and src CEF keys to the target and violator event keys that are exclusive to Plixer Scrutinizer’s Report Threshold Violation alarm policy. These are not the same as the general targets and violators keys that are common to all events. This mapping exists to support a specific use case for report thresholds.

Sample CEF message sent by Plixer Scrutinizer:

CEF:1|Plixer|Scrutinizer|${SCRUTINIZER_VERSION}|${EVENT_POLICY_LANGKEY}|${EVENT_POLICY_NAME}|${EVENT_SEVERITY_AS_INTEGER}|dvc=${EVENT_DEVICES} start=${EVENT_FIRST_TS} end=${EVENT_LAST_TS} cnt=${EVENT_HITS}
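The following Python script is an added example, not Plixer's code, showing what a receiving collector has to do with a message built from the mappings above: split the seven prefix fields on unescaped pipes, split the extension into key=value pairs, undo CEF escaping, and translate the CEF extension keys back to the event keys from the table. It also builds a message in the other direction from an event dictionary so the two functions can be checked against each other. The sample message, the version string "0.0.0-example", the policy name and langkey, and all addresses and counters in it are constructed for this example and do not come from a real Scrutinizer installation; the function names and the event dictionary layout are this example's own.

```python
"""Added example (not Plixer's code): build and parse CEF messages using the
prefix and extension-key mappings documented for Plixer Scrutinizer."""
import re

# Fixed prefix values from the documented mapping. Device Version, Signature
# ID, Name and Severity are taken from the event when a message is built.
CEF_VERSION = "1"
DEVICE_VENDOR = "Plixer"
DEVICE_PRODUCT = "Scrutinizer"
PREFIX_NAMES = ["version", "device_vendor", "device_product", "device_version",
                "signature_id", "name", "severity"]

# Extension-key mapping from the documented table: CEF key -> event key.
CEF_TO_EVENT = {
    "app": "app_proto", "cnt": "hits", "dpt": "dst_port", "dst": "target",
    "duser": "target_username", "dvc": "devices", "end": "last_ts",
    "proto": "protocol", "spt": "src_port", "src": "violator",
    "start": "first_ts", "suser": "violator_username",
}
EVENT_TO_CEF = {v: k for k, v in CEF_TO_EVENT.items()}

# Constructed sample message (values are invented for this example). It uses
# an escaped pipe in the Name field to exercise prefix unescaping.
SAMPLE = ("CEF:1|Plixer|Scrutinizer|0.0.0-example|example_langkey|Example\\|Policy|5|"
          "dvc=10.0.0.5 start=1700000000 end=1700000300 cnt=42 "
          "src=192.0.2.10 dst=198.51.100.7 dpt=443 proto=TCP")


def _esc_prefix(value):
    """CEF prefix fields escape backslash and pipe."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    """CEF extension values escape backslash, equals sign and newline."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def build_cef(event):
    """Build a CEF line from an event dict. Expected keys (this example's own
    layout): scrutinizer_version, policy_langkey, policy_name, severity (int),
    plus any event keys listed in CEF_TO_EVENT; other keys are ignored."""
    prefix = [CEF_VERSION, DEVICE_VENDOR, DEVICE_PRODUCT,
              event["scrutinizer_version"], event["policy_langkey"],
              event["policy_name"], str(int(event["severity"]))]
    ext = [f"{EVENT_TO_CEF[k]}={_esc_ext(v)}" for k, v in event.items()
           if k in EVENT_TO_CEF]
    return "CEF:" + "|".join(_esc_prefix(p) for p in prefix) + "|" + " ".join(ext)


def _split_prefix(body):
    """Return the seven unescaped prefix fields and the raw extension text,
    or None if fewer than seven pipe-separated fields are present."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):      # escaped char: take literally
            cur.append(body[i + 1])
            i += 2
        elif c == "|":                            # unescaped field separator
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) < 7:
        return None
    return fields, body[i:]


_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _parse_extension(ext):
    """Split 'key=value key=value' where values may contain spaces; a new key
    is recognised only as a token that ends in an unescaped '='."""
    out = {}
    matches = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(r"\\(.)",
                                 lambda e: "\n" if e.group(1) == "n" else e.group(1),
                                 raw)
    return out


def parse_cef(line):
    """Parse one CEF line into (prefix dict, extension dict). Returns None for
    lines that are not well-formed CEF so a collector can count and review
    malformed input instead of failing on it."""
    if not line.startswith("CEF:"):
        return None
    split = _split_prefix(line[4:])
    if split is None:
        return None
    fields, ext = split
    return dict(zip(PREFIX_NAMES, fields)), _parse_extension(ext)


def to_event(parsed):
    """Map parsed CEF extension keys back to Scrutinizer event keys; CEF keys
    outside the documented table are kept under their CEF name."""
    _prefix, ext = parsed
    return {CEF_TO_EVENT.get(k, k): v for k, v in ext.items()}


if __name__ == "__main__":
    prefix, ext = parse_cef(SAMPLE)
    print(prefix["name"], prefix["severity"], to_event((prefix, ext)))
```

Because the transport described above is UDP syslog, the receiving side gets whatever arrives with no acknowledgement, which is why parse_cef returns None for anything that is not seven pipe-separated prefix fields rather than raising: the collector can keep a count of rejected lines alongside the parsed alarms. Note that the dst and src keys come back as target and violator, the Report Threshold Violation keys described in the note above, not as the general targets and violators fields.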

To learn more about the customization of Plixer Scrutinizer CEF key mappings, contact Plixer Technical Support.