Abhishek Dwivedi

Changes to be done in cef.xml  to support unknown CEF logs

Discussion created by Abhishek Dwivedi Employee on Jun 30, 2016
Latest reply on Sep 21, 2016 by Joe Gumke

Hi All,

I am forwarding my logs from ESA to Hybrid in CEF format (using syslog). I am extracting all available information from the alerts. I have enabled cef.xml, but the logs are going through as rsa_securitanyaltics_esa.

jun 29 07:27:46 localhost CEF:2.0|RSA|Security Analytics ESA|10.5.1.0|Module_7001_Alert--0|RSA_IGSOC_CitrixNetScaler_7001_Misuse_SSLVPN Connectivity Originated from same source by different Users|5|rt=2016-06-29T07:27Z id=7cd4c968-85f2-4cd1-9cd6-6fd7bb68c4f2 source=10.68.136.105:56005:484525335521 alert="rcf_test2" bytes_src="0" city_src="Hyderabad" country_dst="India" country_src="India" dclass_r1="0.00%" dclass_r1_str="Compression_ratio_send" dclass_r2="0.00%" dclass_r2_str="Compression_ratio_recv" device_class="Application Firewall" device_group="Citrix Netscalar" device_ip="10.68.100.134" device_type="citrixns" device_type_id="168" did="blrsiemdec1" disposition="Allowed" dtransaddr="10.67.252.6" dtransport="443" duration_str="00:00:00" endtime="1467185619" esa_time="1467185060412" event_byte_size="531" event_cat="1605000000" event_cat_name="System.Normal Conditions" event_desc="TCP connection related information for a connection belonging to a SSLVPN session" event_source_id="10.68.136.105:56005:484525335521" event_time="1467185619" global_alerting="citrixns.forward" group="N/A" header_id="0001" ip_addr="203.171.211.144" ip_dst="122.15.156.5" ip_dstport="47873" ip_src="203.27.235.106" ip_srcport="64303" latdec_dst="13" latdec_src="17" level="6" log_session_id="6515" longdec_dst="80" longdec_src="78" medium="32" msg_id="SSLVPN_TCPCONNSTAT" msg_vid="SSLVPN_TCPCONNSTAT" org_dst="Vodafone India" org_src="ICICIBANK Ltd, Banking, Mumbai" rbytes="346" rid="485773059317" sessionid="484525335521" severity="Informational" size="632" starttime="1467185619" stransaddr="10.68.100.135" time="1467185058" user_dst="venuskalra" alert="rcf_test2" bytes_src="0" city_src="Hyderabad" country_dst="India" country_src="India" dclass_r1="0.00%" dclass_r1_str="Compression_ratio_send" dclass_r2="0.00%" dclass_r2_str="Compression_ratio_recv" device_class="Application Firewall" device_group="Citrix Netscalar" device_ip="10.68.100.134" device_type="citrixns" device_type_id="168" did="blrsiemdec1" disposition="Allowed" dtransaddr="10.6

 

Please suggest the changes I need to make in cef.xml. Also, please suggest whether I need a workaround in the case of custom parsers.
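Before editing any parser mapping, it helps to see exactly what a CEF consumer has to pull out of the line above: the seven pipe-delimited header fields, then the key=value extension. The script below is an added example written for this thread, not code from the original post or from RSA; it does not reproduce cef.xml syntax, which the thread does not document. The sample line is a constructed, shortened copy of the event posted above, and the two "non-standard" checks at the end rely on two facts about the ArcSight CEF format: the header version token is `CEF:0`, and extension values are written bare (`key=value`), not in double quotes.

```python
import re

# Constructed sample: an abbreviated copy of the CEF line quoted in the post.
SAMPLE = (
    'jun 29 07:27:46 localhost CEF:2.0|RSA|Security Analytics ESA|10.5.1.0|'
    'Module_7001_Alert--0|RSA_IGSOC_CitrixNetScaler_7001_Misuse_SSLVPN Connectivity '
    'Originated from same source by different Users|5|'
    'rt=2016-06-29T07:27Z id=7cd4c968-85f2-4cd1-9cd6-6fd7bb68c4f2 '
    'source=10.68.136.105:56005:484525335521 alert="rcf_test2" city_src="Hyderabad" '
    'device_group="Citrix Netscalar" org_src="ICICIBANK Ltd, Banking, Mumbai" '
    'ip_src="203.27.235.106" user_dst="venuskalra" alert="rcf_test2"'
)

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# key=value pairs; value is either double-quoted (as in the posted line) or bare,
# where a bare value runs until the next " key=" token or end of line.
_EXT_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(.*?))(?=\s+\w+=|\s*$)', re.S)


def split_header(cef):
    """Return the 7 header fields and the remaining extension text.

    Walks character by character so that a backslash-escaped pipe (\\|) inside a
    header field does not terminate the field.
    """
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < len(HEADER_FIELDS):
        c = cef[i]
        if c == '\\' and i + 1 < len(cef):      # escaped char: keep literally
            buf.append(cef[i + 1])
            i += 2
            continue
        if c == '|':
            fields.append(''.join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, cef[i:]


def _unescape(v):
    # CEF escapes '=' and '\' in extension values; undo those and the usual newlines.
    return v.replace('\\=', '=').replace('\\n', '\n').replace('\\r', '\r').replace('\\\\', '\\')


def parse_extension(ext):
    """Return (dict of key -> value, list of keys that appeared more than once)."""
    values, dupes = {}, []
    for m in _EXT_RE.finditer(ext):
        key = m.group(1)
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        if key in values:
            dupes.append(key)           # the posted line repeats its extension block
        values[key] = _unescape(raw)
    return values, dupes


def parse_cef(line):
    """Parse one syslog-wrapped CEF line into a flat record."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF header in line")
    header, ext = split_header(line[idx:])
    rec = dict(zip(HEADER_FIELDS, header))
    rec["cef_version"] = rec["cef_version"][len("CEF:"):]
    rec["syslog_prefix"] = line[:idx].rstrip()
    rec["raw_extension"] = ext
    rec["extension"], rec["duplicate_keys"] = parse_extension(ext)
    return rec


def nonstandard_features(rec):
    """List the ways this line departs from the ArcSight CEF format.

    A generic CEF parser that checks the header strictly may reject the line on
    either point, so these are worth knowing before touching a mapping file.
    """
    notes = []
    if rec["cef_version"] != "0":
        notes.append("header version %r, spec uses CEF:0" % rec["cef_version"])
    if re.search(r'\w+="', rec["raw_extension"]):
        notes.append("double-quoted extension values, spec uses bare key=value")
    return notes


if __name__ == "__main__":
    r = parse_cef(SAMPLE)
    for k in HEADER_FIELDS:
        print("%-15s %s" % (k, r[k]))
    print("user_dst        %s" % r["extension"]["user_dst"])
    print("duplicates      %s" % r["duplicate_keys"])
    print("non-standard    %s" % nonstandard_features(r))
```

Run it against a full copy of the ESA line to confirm that every field a cef.xml mapping would reference (here `device_product`, `signature_id`, `severity` and the extension keys) is extracted cleanly; anything that fails to parse here will not map correctly in any consumer either.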
