Any support for the Common Event Format (CEF)?
We have a requirement to send the logs out in the Common Event Format and the way the app is setup it is not recognizing it. I have changed some of the settings in the transforms.conf file to change the sourcetype on the log entries but the delimiting character is not the same and the fields are all out of sorts.
Has anyone already made these modifications to have the app work? Does the author of the application plan to include different types of formats?
Jan 31 01:11:11 192.168.1.1 CEF:0|Palo Alto Networks|PAN-OS|hostname|end|TRAFFIC|1|rt=$cefformatted-receive_time deviceExternalId=0002D01655 src=126.96.36.199 dst=188.8.131.52 sourceTranslatedAddress=184.108.40.206 destinationTranslatedAddress=220.127.116.11 cs1Label=Rule cs1=InternetDNS suser= duser= app=dns cs3Label=Virtual System cs3=vsys1 cs4Label=Source Zone cs4=InetRIP cs5Label=Destination Zone cs5=InternetDMZ deviceInboundInterface=ethernet10/20 deviceOutboundInterface=ethernet10/30 cs6Label=LogProfile cs6=Main Logging Profile cn1Label=SessionID cn1=261776 cnt=1 spt=18430 dpt=53 sourceTranslatedPort=18430 destinationTranslatedPort=53 flexString1Label=Flags flexString1=0x400000 proto=udp act=allow flexNumber1Label=Total bytes flexNumber1=84 cn2Label=Packets cn2=1 start=$cefformatted-time_generated cn3Label=Elapsed time in seconds cn3=0 cs2Label=URL Category cs2=any
there is no plan to support the CEF format in this app. the app conforms to Splunk's common information model and it also conforms to PaloAlto's Syslog specification. you could create field aliases for misc fields in the CEF format. the app's dashboards and views will render appropriately.
splunk common information model: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/UnderstandandusetheCommonInformationMod...
splunk field aliasing: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addaliasestofields