In the world of software engineering, monitoring and logging are two essential processes that help developers keep track of the performance and behavior of their applications. To facilitate this process, several logging formats have been developed over the years, including the Common Event Format (CEF). In this blog post, we will take a closer look at what the Common Event Format is, how it works, and why it is important.
The Common Event Format (CEF) is a standardized logging format developed by ArcSight (now part of Micro Focus), a security information and event management (SIEM) solution provider. CEF is designed to simplify the logging of security-related events and to make it easier to integrate logs from different sources into a single system. CEF is based on the syslog format, a standard for message logging that is supported by most network devices and operating systems.
CEF uses a structured data format to log events, which includes a set of predefined fields that contain information about the event. The CEF format consists of two parts: the header and the message. The header contains metadata about the event, such as the timestamp, source IP address, and device hostname. The message contains details about the event, such as the event type, severity level, and any relevant data.
CEF supports a wide range of event types, including authentication events, network events, and system events. Each event is assigned a severity level, which indicates the importance of the event. Severity can be described either as a string value or as an integer value.
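To make the header/extension split and the two severity encodings concrete, here is an added example (not code from the original post) that parses one CEF record. It uses the seven header field names the CEF specification defines (version, device vendor, device product, device version, signature ID, name, severity), honours the `\|`, `\\` and `\=` escapes, skips an optional syslog prefix, and maps both numeric (0-10) and string severities onto one label; the sample record is constructed.

```python
import re

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# Seven header fields split on unescaped '|' ('\|' and '\\' stay paired), then the extension.
_HEADER = re.compile(r"((?:\\.|[^|\\])*)\|" * 7 + r"(.*)", re.S)
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # unescaped 'key=' boundaries
_ESCAPES = {"n": "\n", "r": "\r"}                     # any other '\x' yields 'x'

def _unescape(text):
    # Header escapes '\|' and '\\'; the extension escapes '\=', '\\', '\n', '\r'.
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), text)

def _parse_extension(ext):
    ext = ext.rstrip()
    keys = list(_EXT_KEY.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end])
    return out

def normalize_severity(value):
    # CEF severity is 0-10 or Low/Medium/High/Very-High; 0-3 Low, 4-6 Medium, 7-8 High, 9-10 Very-High.
    v = value.strip().lower()
    if v.isdecimal() and int(v) <= 10:
        n = int(v)
        return "Low" if n <= 3 else "Medium" if n <= 6 else "High" if n <= 8 else "Very-High"
    labels = {"low": "Low", "medium": "Medium", "high": "High", "very-high": "Very-High"}
    if v in labels:
        return labels[v]
    raise ValueError(f"invalid CEF severity: {value!r}")

def parse_cef(line):
    # An optional syslog prefix (timestamp, host) before 'CEF:' is skipped.
    start = line.find("CEF:")
    m = _HEADER.match(line[start + 4:]) if start >= 0 else None
    if not m:
        raise ValueError("not a well-formed CEF record")
    *header, ext = m.groups()
    event = dict(zip(HEADER_FIELDS, map(_unescape, header)))
    event["severity_label"] = normalize_severity(event["severity"])
    event["extension"] = _parse_extension(ext)
    return event

# Constructed sample record (not from a real device): escaped '|' in the name, '=' in msg.
SAMPLE = ("Jan 18 11:07:53 gw01 CEF:0|Example Corp|Example IDS|2.1|1001|"
          "Odd \\| in name|7|src=10.0.0.5 dst=10.0.0.9 msg=k\\=v seen act=blocked")
```

Calling `parse_cef(SAMPLE)` returns the header as named fields plus `severity_label == "High"` and an extension dict in which the escaped `\=` has been restored to `=`.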
CEF is important because it provides a standardized format for logging security-related events, which makes it easier to integrate logs from different sources into a single system. This can be particularly useful for security information and event management (SIEM) solutions, which are designed to collect and analyze logs from multiple sources to detect and respond to security threats.
In addition, CEF provides a consistent and structured way to log events, which can make it easier to analyze and troubleshoot issues. By using a standardized format, developers can more easily automate the analysis of logs and identify patterns and trends in the data.
The Common Event Format (CEF) is a standardized logging format that is used to simplify the process of logging security-related events and integrating logs from different sources into a single system. CEF uses a structured data format to log events and supports a wide range of event types and severity levels. By using a standardized format for logging, CEF makes it easier to analyze and troubleshoot issues, automate the analysis of logs, and identify patterns and trends in the data.
See an error or have a suggestion? Please let us know by emailing ssg-blogs@splunk.com.
This posting does not necessarily represent Splunk's position, strategies or opinion.