The Log Event Extended Format (LEEF) is a syslog event format used with
QRadar, allowing device manufacturers and Q1 Labs Security Intelligence
Partners (SCIP) to provide syslog events in the LEEF format for simple integration.
This document contains the following LEEF format information:
NOTE: The Log Event Extended Format (LEEF) only supports UTF8 character encoding.
LEEF Format
Header Content
Syslog header - The syslog header contains the timestamp and IP address or
host name of the system providing the event. The syslog header is an optional
component of the LEEF format. If you include the syslog header, you must
separate the syslog header from the LEEF header with a space.
LEEF header - The LEEF header is a pipe delimited (|) set of values that
identifies the product to QRadar.
Event attributes - The event attributes identify the payload information of the
event. Event attributes are tab separated and typically consist of predefined
event attributes, which allow QRadar to categorize and display the event. For
more information, see Predefined Event Attributes.
TN31112011-A
Header Type | Entry | Delimiter | Description
Syslog header | Date | | The date and timestamp of the host providing the event to QRadar.
Syslog header | IP Address | |
LEEF header | LEEF:Version | Pipe |
LEEF header | Vendor | Pipe |
LEEF header | Product | Pipe | The product field is a text string that identifies the product sending the event log to QRadar. For example: LEEF:1.0|Microsoft|MSExchange|Version|EventID| Note: The Vendor and Product fields must contain unique values when specified in the LEEF header.
LEEF header | Version | Pipe |
LEEF header | EventID | Pipe |
Event attributes | | |
LEEF Format Example 1
An example of the LEEF format header with the optional syslog header:
LEEF Format Example 2
An example of the LEEF format header without the optional syslog header:
Predefined Event Attributes
The Log Event Extended Format (LEEF) supports the following predefined event
attributes in the event payload.
Key | Value Type | Attribute Limits | Normalized Event Field
cat | String | | Yes
devTime | Date | | Yes
devTimeFormat | String | | No
proto | Integer or Keyword | | Yes
 | Integer | 1-10 | Yes
src | IPv4 or IPv6 Address | | Yes
dst | IPv4 or IPv6 Address | | Yes
srcPort | Integer | 0 to 65535 | Yes
dstPort | Integer | 0 to 65535 | Yes
srcPreNAT | IPv4 or IPv6 Address | | Yes
dstPreNAT | IPv4 or IPv6 Address | | Yes
srcPostNAT | IPv4 or IPv6 Address | | Yes
dstPostNAT | IPv4 or IPv6 Address | | Yes
usrName | String | 255 | Yes
srcMAC | MAC Address | | Yes
 | MAC Address | | Yes
srcPreNATPORT | Integer | 0 to 65535 | Yes
dstPreNATPORT | Integer | 0 to 65535 | Yes
srcPostNATPORT | Integer | 0 to 65535 | Yes
dstPostNATPORT | Integer | 0 to 65535 | Yes
identSrc | IPv4 or IPv6 Address | | Yes
identHostName | String | 255 | Yes
identNetBios | String | 255 | Yes
identGrpName | String | 255 | Yes
identMAC | MAC Address | | Yes
vSrc | IPv4 or IPv6 Address | | No
vSrcName | String | 255 | No
accountName | String | 255 | No
srcBytes | Integer | | No
dstBytes | Integer | | No
srcPackets | Integer | | No
dstPackets | Integer | | No
totalPackets | | | No
role | String | | No
policy | String | | No
resource | String | | No
url | String | | No
groupID | String | | No
domain | String | | No
Custom Event Attributes
Vendors and partners have the option to define their own custom event attributes
and include them in the payload of the LEEF format. A custom key and value attribute
can be used to include more information about an event. Custom event attributes
should only be created when there is no acceptable mapping to a predefined event
attribute.
CAUTION: Event attribute keys and values can only appear once per payload. Using a key
and value twice in the same payload can cause QRadar to ignore the value of the
duplicate key.
Unnormalized custom attributes and events are not displayed by default on the
Log Activity tab of QRadar. To view custom attributes and non-normalized events
on the Log Activity tab of QRadar, you must create a custom event property. For
more information on creating a custom event property, see the QRadar
Administration Guide.
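As an added example (not part of the Q1 Labs technical note), the Python below parses one LEEF 1.0 event as described under Header Content: it splits off the optional syslog header, checks the five pipe-delimited LEEF header fields, reads the tab-separated key=value attributes, and applies the caution above (a key may appear only once per payload) together with the 0 to 65535 limit on the port attributes from the predefined attribute table. The sample event, vendor and product names are constructed for this example.

```python
# Constructed sample (not from the technical note): optional syslog header, a
# space, the LEEF header LEEF:Version|Vendor|Product|Version|EventID| and
# tab-separated key=value attributes. "src" is repeated and dstPort is out of
# range on purpose so the checks below have something to report.
SAMPLE = ("Jan 18 11:07:53 192.0.2.10 LEEF:1.0|ExampleVendor|ExampleProduct|1.0|42|"
          "src=10.0.0.1\tdst=10.0.0.2\tsrcPort=443\tdstPort=70000\t"
          "cat=LoginFail\tsrc=10.0.0.9")

# Predefined attributes whose value the table limits to 0-65535.
PORT_KEYS = ("srcPort", "dstPort", "srcPreNATPORT", "dstPreNATPORT",
             "srcPostNATPORT", "dstPostNATPORT")

def split_leef(line):
    """Return (syslog_header, five LEEF header fields, attribute text)."""
    idx = line.find("LEEF:")
    if idx < 0:
        raise ValueError("no LEEF header in event")
    syslog_hdr = line[:idx].rstrip()        # empty when the syslog header is omitted
    parts = line[idx:].split("|", 5)         # header ends with a pipe, so 6 parts
    if len(parts) != 6:
        raise ValueError("LEEF header must have 5 pipe-delimited fields")
    return syslog_hdr, parts[:5], parts[5]

def parse_attributes(text):
    """Parse tab-separated key=value pairs; flag duplicate keys and bad ports."""
    attrs, problems = {}, []
    for pair in filter(None, text.split("\t")):
        key, sep, value = pair.partition("=")
        if not sep:
            problems.append(f"malformed pair: {pair!r}")
        elif key in attrs:                   # a key may appear only once per payload
            problems.append(f"duplicate key: {key}")
        else:
            attrs[key] = value
    for key in PORT_KEYS:
        value = attrs.get(key)
        if value is not None and not (value.isdigit() and int(value) <= 65535):
            problems.append(f"{key} out of range 0-65535: {value}")
    return attrs, problems

def parse_leef(line):
    """Parse one LEEF 1.0 event into header fields, attributes and problems."""
    syslog_hdr, hdr, attr_text = split_leef(line)
    attrs, problems = parse_attributes(attr_text)
    return {"syslog": syslog_hdr, "leef_version": hdr[0][len("LEEF:"):],
            "vendor": hdr[1], "product": hdr[2], "version": hdr[3],
            "event_id": hdr[4], "attrs": attrs, "problems": problems}
```

Feeding `SAMPLE` to `parse_leef` keeps the first `src` value and reports the repeated key and the out-of-range `dstPort`, which is the condition the caution warns about.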
Custom event attributes must conform to the following rules:
To create a customized event format, your device must supply the raw date
format using the devTime event attribute in the payload of the event. The devTime
event attribute requires formatting using devTimeFormat to display the event in
QRadar. The suggested devTimeFormat patterns are listed as follows:
devTimeFormat Pattern | Result
Q1 Labs Inc.
890 Winter Street
Suite 230
Waltham, MA 02451 USA
Copyright 2011 Q1 Labs, Inc. All rights reserved. Q1 Labs, the Q1 Labs logo, Total Security Intelligence, and QRadar are trademarks or
registered trademarks of Q1 Labs, Inc. All other company or product names mentioned may be trademarks or registered trademarks of their
respective holders. The specifications and information contained herein are subject to change without notice.