IT Event Analytics Guide
Be proactive. Manage alerts. Predict outages before they impact your customers, with event analytics.
Common Event Format (CEF): An Introduction
In the world of software engineering, monitoring and logging are two essential processes that help developers keep track of the performance and behavior of their applications.
To facilitate this process, several logging formats have been developed over the years, including the Common Event Format (CEF). In this article, we will take a look at: what the Common Event Format is, how it works, and why it is important.
What is the Common Event Format (CEF)?
The Common Event Format (CEF) is a standardized logging format. CEF is designed to simplify the process of logging security-related events. The goal of a common format is to make it easier to integrate logs from different sources into a single system.
CEF is based on the syslog format, which is a standard for message logging that is supported by most network devices and operating systems. Utilizing a standardized format for logging, CEF makes it easier to:
- Collect and aggregate log data from many sources.
- Analyze and troubleshoot issues.
- Automate the analysis of logs.
- Identify patterns and trends in the data.
CEF was originally developed by ArcSight, now part of Micro Focus.
(Related reading: IT event analytics & log management.)
How does CEF work?
CEF uses a structured data format to log events, which includes a set of predefined fields that contain information about the event. Common Event Format (CEF) is an extensible, text-based format.
The CEF format consists of two parts: the header and the message.
- The header contains metadata about the event, such as the timestamp, source IP address, and device hostname.
- The message contains details about the event, such as the event type, severity level, and any relevant data.
CEF supports a wide range of event types, including authentication events, network events, and system events.
Each event is assigned a severity level. This level indicates the importance of the event. Severity can be desrcibed either in string values or integer values.
Valid string values:
- Unknown
- Low
- Medium
- High
- Very High
Valid integer values:
- 0-3 = Low
- 4-6 = Medium
- 7-8 = High
- 9-10 = Very High
Why is CEF important?
CEF is important because it provides a standardized format for logging security-related events. This standardization makes it easier to integrate logs from different sources into a single system.
This is particularly useful for security information and event management (SIEM) solutions, which are designed to collect and analyze logs from multiple sources to detect and respond to security threats.
In addition, CEF provides a consistent and structured way to log events, which can make it easier to analyze and troubleshoot issues. By using a standardized format, developers can more easily automate the analysis of logs and identify patterns and trends in the data.
CEF summarized
The Common Event Format (CEF) is a standardized logging format that is used to simplify the process of logging security-related events and integrating logs from different sources into a single system.
CEF uses a structured data format to log events and supports a wide range of event types and severity levels.
See an error or have a suggestion? Please let us know by emailing splunkblogs@cisco.com.
This posting does not necessarily represent Splunk's position, strategies or opinion.
Related Articles
About Splunk
The world’s leading organizations rely on Splunk, a Cisco company, to continuously strengthen digital resilience with our unified security and observability platform, powered by industry-leading AI.
Our customers trust Splunk’s award-winning security and observability solutions to secure and improve the reliability of their complex digital environments, at any scale.
Subscribe to our blog
Get the latest articles from Splunk straight to your inbox.
Connect with Splunk on X
Follow @Splunk
