Common Event Format (CEF): An Introduction

In the world of software engineering, monitoring and logging are two essential processes that help developers keep track of the performance and behavior of their applications.

To facilitate this process, several logging formats have been developed over the years, including the Common Event Format (CEF). In this article, we will take a look at: what the Common Event Format is, how it works, and why it is important.

What is the Common Event Format (CEF)?

The Common Event Format (CEF) is a standardized logging format. CEF is designed to simplify the process of logging security-related events. The goal of a common format is to make it easier to integrate logs from different sources into a single system.

CEF is based on the syslog format, which is a standard for message logging that is supported by most network devices and operating systems. Utilizing a standardized format for logging, CEF makes it easier to:

• Collect and aggregate log data from many sources.
• Analyze and troubleshoot issues. 
• Automate the analysis of logs. 
• Identify patterns and trends in the data.

CEF was originally developed by ArcSight, now part of Micro Focus.

(Related reading: IT event analytics & log management.)

How does CEF work?

CEF uses a structured data format to log events, which includes a set of predefined fields that contain information about the event. Common Event Format (CEF) is an extensible, text-based format. 

The CEF format consists of two parts: the header and the message.

• The header contains metadata about the event, such as the timestamp, source IP address, and device hostname. 
• The message contains details about the event, such as the event type, severity level, and any relevant data.

CEF supports a wide range of event types, including authentication events, network events, and system events.

Each event is assigned a severity level. This level indicates the importance of the event. Severity can be desrcibed either in string values or integer values.

Valid string values:

• Unknown
• Low
• Medium
• High
• Very High

Valid integer values:

• 0-3 = Low
• 4-6 = Medium
• 7-8 = High
• 9-10 = Very High

Why is CEF important?

CEF is important because it provides a standardized format for logging security-related events. This standardization makes it easier to integrate logs from different sources into a single system.

This is particularly useful for security information and event management (SIEM) solutions, which are designed to collect and analyze logs from multiple sources to detect and respond to security threats.

In addition, CEF provides a consistent and structured way to log events, which can make it easier to analyze and troubleshoot issues. By using a standardized format, developers can more easily automate the analysis of logs and identify patterns and trends in the data.

CEF summarized

The Common Event Format (CEF) is a standardized logging format that is used to simplify the process of logging security-related events and integrating logs from different sources into a single system.

CEF uses a structured data format to log events and supports a wide range of event types and severity levels.