
TECHNICAL NOTE

LOG EVENT EXTENDED FORMAT (LEEF)


NOVEMBER, 2011

The Log Event Extended Format (LEEF) is a syslog event format used with
QRadar, allowing device manufacturers and Q1 Labs Security Intelligence
Partners (SCIP) to provide syslog events in the LEEF format for simple integration.
This document contains the following LEEF format information:

- LEEF Format Header Content
- Predefined Event Attributes
- Custom Event Attributes
- Custom Event Date Format

This technical note describes LEEF Version 1.0.

NOTE: The Log Event Extended Format (LEEF) only supports UTF8 character encoding.

The LEEF format consists of the following three components:


<Syslog Header> <LEEF Header>|<Event Attributes>

Syslog header - The syslog header contains the timestamp and IP address or
host name of the system providing the event. The syslog header is an optional
component of the LEEF format. If you include the syslog header, you must
separate the syslog header from the LEEF header with a space.

LEEF header - The LEEF header is a pipe delimited (|) set of values that
identifies the product to QRadar.

Event attributes - The event attributes identify the payload information of the
event. Event attributes are tab separated and typically consist of predefined
event attributes, which allow QRadar to categorize and display the event. For
more information, see Predefined Event Attributes.

TN31112011-A

Table 1-1 LEEF Format Header

Syslog Header

  Entry: Date
  Description: The date and timestamp of the host providing the event to QRadar.

  Entry: IP Address
  Description: The IP address of the host providing the event to QRadar.

LEEF Header

  Entry: LEEF:Version
  Delimiter: Pipe
  Description: The LEEF version information is an integer value that identifies
  the major and minor version of the LEEF format.
  For example, LEEF:1.0|Vendor|Product|Version|EventID|

  Entry: Vendor
  Delimiter: Pipe
  Description: Vendor is a text string that identifies the vendor of the device
  or application sending the event log to QRadar.
  For example, LEEF:1.0|Microsoft|Product|Version|EventID|
  Note: The Vendor and Product fields must contain unique values when specified
  in the LEEF header.

  Entry: Product
  Delimiter: Pipe
  Description: The product field is a text string that identifies the product
  sending the event log to QRadar.
  For example, LEEF:1.0|Microsoft|MSExchange|Version|EventID|
  Note: The Vendor and Product fields must contain unique values when specified
  in the LEEF header.

  Entry: Version
  Delimiter: Pipe
  Description: Version is a string that identifies the version of the device or
  application sending the event log.
  For example, LEEF:1.0|Microsoft|MSExchange|2.2|EventID|

  Entry: EventID Description
  Delimiter: Pipe
  Description: Event ID is used to uniquely identify an event type in the LEEF
  header. The description of the event should be treated as a fine grain
  identifier. This allows QRadar to specifically identify an event outside of
  the payload.
  For example: LEEF:1.0|Microsoft|MSExchange|2.2|7732|
  or
  LEEF:1.0|Microsoft|MSExchange|2.2|7732 Logon Failure MSExchange|

Event Attributes

  Entry: Many predefined entries
  Delimiter: Tab
  Description: Event attributes are a set of key value pairs that provide
  detailed information about the event. Each event attribute must be tab
  delimited, but the order of attributes is not enforced.
  For example, src=172.16.77.100
  A predefined set of event attributes is defined and should be used whenever
  possible. However, the LEEF format is extensible and allows additional key
  value pairs to be added to the event log. For more information on the
  predefined event attributes, see Predefined Event Attributes.


LEEF Format Example 1

An example of the LEEF format header with the optional syslog header (the event
attributes are tab delimited; the tabs are rendered as spaces here):

Jan 18 11:07:53 192.168.1.1 LEEF:1.0|QRadar|QRM|1.0|NEW_PORT_DISCOVERD|src=7.5.6.6 dst=172.50.123.1 sev=5 cat=anomaly srcPort=3881 dstPort=21 usrName=joe.black srcMAC=00:1C:23:1E:46:1D dstMAC=14:4F:54:1B:1A

LEEF Format Example 2

An example of the LEEF format header without the optional syslog header (again
with tabs rendered as spaces):

LEEF:1.0|QRadar|QRM|1.0|NEW_PORT_DISCOVERD|src=17.5.6.67 dst=172.50.123.1 sev=5 cat=anomaly srcPort=3881 dstPort=21 usrName=joe.black srcMAC=00:1C:23:1E:46:1D dstMAC=14:4F:54:1B:1A
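As an added example (not code from the technical note), a small Python parser for the structure shown above: it strips the optional syslog header, splits the five pipe-delimited LEEF header fields, and loads the tab-delimited attributes, rejecting a repeated key instead of silently dropping a value. The sample is Example 1 rebuilt with explicit tab separators, and the syslog header regex is an assumption that covers only the date form shown in that example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Optional syslog header: "<Mon dd HH:MM:SS> <ip-or-hostname> " right before "LEEF:".
# Assumption: only the "Jan 18 11:07:53" style timestamp from Example 1 is handled.
_SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?=LEEF:)"
)

@dataclass
class LeefEvent:
    syslog_time: Optional[str]
    syslog_host: Optional[str]
    version: str            # "1.0" from "LEEF:1.0"
    vendor: str
    product: str
    product_version: str
    event_id: str
    attributes: Dict[str, str] = field(default_factory=dict)

def parse_leef(line: str) -> LeefEvent:
    """Split one LEEF 1.0 line into syslog header, LEEF header and attributes."""
    syslog_time = syslog_host = None
    m = _SYSLOG_HEADER.match(line)
    if m:
        syslog_time, syslog_host = m.group("ts"), m.group("host")
        line = line[m.end():]
    if not line.startswith("LEEF:"):
        raise ValueError("line does not start with a LEEF header")
    # Five pipe-delimited header fields; everything after the fifth pipe is the
    # payload, so a pipe inside an attribute value is left intact.
    parts = line.split("|", 5)
    if len(parts) != 6:
        raise ValueError("LEEF header must have five pipe-delimited fields")
    attrs: Dict[str, str] = {}
    for pair in filter(None, parts[5].split("\t")):   # attributes are tab delimited
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed attribute {pair!r}")
        if key in attrs:   # a repeated key makes QRadar drop a value; reject it instead
            raise ValueError(f"duplicate attribute key {key!r}")
        attrs[key] = value
    return LeefEvent(syslog_time, syslog_host, parts[0][len("LEEF:"):],
                     parts[1], parts[2], parts[3], parts[4], attrs)

# Constructed sample: Example 1 from the technical note with explicit tab separators.
SAMPLE = ("Jan 18 11:07:53 192.168.1.1 LEEF:1.0|QRadar|QRM|1.0|NEW_PORT_DISCOVERD|"
          "src=7.5.6.6\tdst=172.50.123.1\tsev=5\tcat=anomaly\tsrcPort=3881\tdstPort=21"
          "\tusrName=joe.black\tsrcMAC=00:1C:23:1E:46:1D\tdstMAC=14:4F:54:1B:1A")
```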

Predefined Event Attributes

The Log Event Extended Format (LEEF) supports the following predefined event
attributes in the event payload.

Table 1-2 Predefined Event Attributes

cat
  Value type: String
  Normalized event field: Yes
  Description: The key cat stands for event category. The event attribute cat
  in the payload of the event and the LEEF header Event ID are used to map the
  log message to a QIDmap entry of the QIDmap import file. The difference
  between these two fields is as follows:
  - The Event ID, which is part of the LEEF header, maps to the first column
    in the QIDmap import file. Event ID can be thought of as a high-level
    identifier.
  - The cat event attribute maps to the second column in the QIDmap import
    file and is only required in the payload where you need to distinguish
    between events with the same Event ID.
  For example, an Event ID could be defined as login, where the category is
  used to distinguish between a successful or failed login.

devTime
  Value type: Date
  Normalized event field: Yes
  Description: The device time is the raw event date and time generated from
  the host providing the event log. The devTime event attribute requires you
  to format the date and time using the devTimeFormat event attribute.

devTimeFormat
  Value type: String
  Normalized event field: No
  Description: The devTimeFormat event attribute formats the date and time of
  the raw devTime event attribute. The devTimeFormat event attribute is
  required if your event log contains devTime. For more information, see
  Custom Event Date Format.

proto
  Value type: Integer or Keyword
  Normalized event field: Yes
  Description: Identifies the transport protocol of the event.
  Note: For a list of keywords or integer values, see
  http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml

sev
  Value type: Integer
  Attribute limits: 1-10
  Normalized event field: Yes
  Description: A numeric value that indicates the severity of the event.
  1 is the lowest event severity; 10 is the highest event severity.

src
  Value type: IPv4 or IPv6 Address
  Normalized event field: Yes
  Description: The IP address of the event source.

dst
  Value type: IPv4 or IPv6 Address
  Normalized event field: Yes
  Description: IP address of the event destination.

srcPort
  Value type: Integer
  Attribute limits: 0 to 65535
  Normalized event field: Yes
  Description: Source port of the event.

dstPort
  Value type: Integer
  Attribute limits: 0 to 65535
  Normalized event field: Yes
  Description: Destination port of the event.

srcPreNAT
  Value type: IPv4 or IPv6 Address
  Normalized event field: Yes
  Description: Source address for the event message before Network Address
  Translation (NAT).

dstPreNAT
  Value type: IPv4 or IPv6 Address
  Normalized event field: Yes
  Description: Destination address for the event message before Network
  Address Translation (NAT).

srcPostNAT
  Value type: IPv4 or IPv6 Address
  Normalized event field: Yes
  Description: Source address for the message after Network Address
  Translation (NAT) occurred.

dstPostNAT
  Value type: IPv4 or IPv6 Address
  Normalized event field: Yes
  Description: Destination address for the message after Network Address
  Translation (NAT) occurred.

usrName
  Value type: String
  Attribute limits: 255
  Normalized event field: Yes
  Description: Username associated with the event.

srcMAC
  Value type: MAC Address
  Normalized event field: Yes
  Description: MAC address of the event source in hexadecimal. The MAC address
  is comprised of six groups of two hexadecimal digits, which are
  colon-separated.
  For example, 11:2D:67:BF:1A:71

dstMAC
  Value type: MAC Address
  Normalized event field: Yes
  Description: MAC address of the event destination in hexadecimal. The MAC
  address is comprised of six groups of two hexadecimal digits, which are
  colon-separated.
  For example, 11:2D:67:BF:1A:71

srcPreNATPORT
  Value type: Integer
  Attribute limits: 0 to 65535
  Normalized event field: Yes
  Description: Port number of the event source before Network Address
  Translation (NAT).

dstPreNATPORT
  Value type: Integer
  Attribute limits: 0 to 65535
  Normalized event field: Yes
  Description: Port number of the event destination before Network Address
  Translation (NAT).

srcPostNATPORT
  Value type: Integer
  Attribute limits: 0 to 65535
  Normalized event field: Yes
  Description: Port number of the event source after Network Address
  Translation (NAT).

dstPostNATPORT
  Value type: Integer
  Attribute limits: 0 to 65535
  Normalized event field: Yes
  Description: Port number of the event destination after Network Address
  Translation (NAT).

identSrc
  Value type: IPv4 or IPv6 Address
  Normalized event field: Yes
  Description: Identity source represents the IPv4 or IPv6 address used to
  associate an event with a user (username) or host (MAC address) to identify
  the true event source IP address. For example, an event is generated from
  computer X, but in actuality, this event is based on actions from a user
  logged in remotely from computer Y. The identSrc provides the IP address of
  computer Y, but only if the event log from the device provides identity
  information in the event logs, such as a username or MAC address, that can
  be used to determine identity. The following identity keys provide extra
  identity information, but are dependent on identSrc being present in the
  event payload: identHostName, identNetBios, identGrpName, identMAC.

identHostName
  Value type: String
  Attribute limits: 255
  Normalized event field: Yes
  Description: Host name information associated with the identSrc to further
  identify the hostname of the identity event. The identHostName parameter is
  only usable by QRadar if your device provides both the identSrc key and
  identHostName together in an event payload.

identNetBios
  Value type: String
  Attribute limits: 255
  Normalized event field: Yes
  Description: NetBIOS name associated with the identSrc to further identify
  the identity event with NetBIOS name resolution. The identNetBios parameter
  is only usable by QRadar if your device provides both the identSrc key and
  identNetBios together in an event payload.

identGrpName
  Value type: String
  Attribute limits: 255
  Normalized event field: Yes
  Description: Group name associated with the identSrc to further identify the
  identity event with group name resolution. The identGrpName parameter is
  only usable by QRadar if your device provides both the identSrc key and
  identGrpName together in an event payload.

identMAC
  Value type: MAC Address
  Normalized event field: Yes
  Description: MAC address of the identity event in hexadecimal. The MAC
  address is comprised of six groups of two hexadecimal digits, which are
  colon-separated. For example, 11:2D:67:BF:1A:71. The identMAC parameter is
  only usable by QRadar if your device provides the identSrc key and identMAC
  together in an event payload.

vSrc
  Value type: IPv4 or IPv6 Address
  Normalized event field: No
  Description: IP address of the virtual event source.

vSrcName
  Value type: String
  Attribute limits: 255
  Normalized event field: No
  Description: Name of the virtual event source.

accountName
  Value type: String
  Attribute limits: 255
  Normalized event field: No
  Description: The account name associated with the event.

srcBytes
  Value type: Integer
  Normalized event field: No
  Description: A numeric value indicating the byte count from the event source.

dstBytes
  Value type: Integer
  Normalized event field: No
  Description: A numeric value indicating the byte count to the event
  destination.

srcPackets
  Value type: Integer
  Normalized event field: No
  Description: A numeric value indicating the packet count from the event
  source.

dstPackets
  Value type: Integer
  Normalized event field: No
  Description: A numeric value indicating the packet count to the event
  destination.

totalPackets
  Value type: Integer
  Normalized event field: No
  Description: A numeric value indicating the total number of packets
  transmitted between the source and destination.

role
  Value type: String
  Normalized event field: No
  Description: Role type associated with the user account that created the
  event. For example, Administrator, User, Domain Admin.

realm
  Value type: String
  Normalized event field: No
  Description: Realm associated with the user account. Depending on your
  device, this could be a general grouping or based on region. For example,
  accounting, remote offices.

policy
  Value type: String
  Normalized event field: No
  Description: Policy associated with the user account. This is typically the
  security policy or group policy tied to the user account.

resource
  Value type: String
  Normalized event field: No
  Description: Resource associated with the user account. This is typically
  the computer name.

url
  Value type: String
  Normalized event field: No
  Description: URL information that is included with the event.

groupID
  Value type: String
  Normalized event field: No
  Description: GroupID that is associated with the user account.

domain
  Value type: String
  Normalized event field: No
  Description: Domain associated with the user account.


Custom Event Attributes

Vendors and partners have the option to define their own custom event attributes
and include them in the payload of the LEEF format. A custom key and value
attribute can be used to include more information about an event. Custom event
attributes should only be created when there is no acceptable mapping to a
predefined event attribute.

CAUTION: Event attribute keys and values can only appear once per payload. Using
a key and value twice in the same payload can cause QRadar to ignore one of the
values and drop the value of the duplicate key.

Unnormalized custom attributes and events are not displayed by default on the
Log Activity tab of QRadar. To view custom attributes and non-normalized events
on the Log Activity tab of QRadar, you must create a custom event property. For
more information on creating a custom event property, see the QRadar
Administration Guide.

Custom event attributes must conform to the following rules:

- Alphanumeric (A-Z, a-z, and 0-9)
- Contain a single word for the key value
- Spaces between characters in the key are not allowed
- Cannot be named the same as any predefined attribute key
- Key values must be human readable and concise. For example,
  item1111=172.16.100.110 is not allowed.
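An added example, not code from the technical note: a checker that applies the custom key rules above, the attribute limits from Table 1-2, and the two dependencies the table states (devTime needs devTimeFormat; the ident* keys need identSrc) to one event's attribute dictionary. The key list and limits are taken from Table 1-2; the readability rule (item1111 is disallowed) is left to a human reviewer.

```python
import re
from typing import Dict, List

# Predefined keys from Table 1-2 of the LEEF 1.0 technical note.
PREDEFINED_KEYS = {
    "cat", "devTime", "devTimeFormat", "proto", "sev", "src", "dst", "srcPort",
    "dstPort", "srcPreNAT", "dstPreNAT", "srcPostNAT", "dstPostNAT", "usrName",
    "srcMAC", "dstMAC", "srcPreNATPORT", "dstPreNATPORT", "srcPostNATPORT",
    "dstPostNATPORT", "identSrc", "identHostName", "identNetBios", "identGrpName",
    "identMAC", "vSrc", "vSrcName", "accountName", "srcBytes", "dstBytes",
    "srcPackets", "dstPackets", "totalPackets", "role", "realm", "policy",
    "resource", "url", "groupID", "domain",
}
PORT_KEYS = {"srcPort", "dstPort", "srcPreNATPORT", "dstPreNATPORT",
             "srcPostNATPORT", "dstPostNATPORT"}
INT_LIMITS = {"sev": (1, 10), **{k: (0, 65535) for k in PORT_KEYS}}
STRING_255 = {"usrName", "identHostName", "identNetBios", "identGrpName",
              "vSrcName", "accountName"}
IDENT_DEPENDENT = {"identHostName", "identNetBios", "identGrpName", "identMAC"}
CUSTOM_KEY = re.compile(r"^[A-Za-z0-9]+$")   # a single alphanumeric word, no spaces

def validate_attributes(attrs: Dict[str, str]) -> List[str]:
    """Return the list of rule violations for one event's attribute set (empty if clean)."""
    problems: List[str] = []
    for key, value in attrs.items():
        if key in PREDEFINED_KEYS:
            if key in INT_LIMITS:
                lo, hi = INT_LIMITS[key]
                if not value.isdigit() or not lo <= int(value) <= hi:
                    problems.append(f"{key}={value!r} is not an integer in {lo}-{hi}")
            if key in STRING_255 and len(value) > 255:
                problems.append(f"{key} exceeds the 255 character limit")
        elif not CUSTOM_KEY.match(key):
            problems.append(f"custom key {key!r} is not a single alphanumeric word")
        # "Human readable and concise" cannot be checked mechanically; review such keys.
    if "devTime" in attrs and "devTimeFormat" not in attrs:
        problems.append("devTime is present without devTimeFormat")
    ident_keys = IDENT_DEPENDENT & attrs.keys()
    if ident_keys and "identSrc" not in attrs:
        problems.append(f"{sorted(ident_keys)} require identSrc in the same payload")
    return problems

# Constructed sample: two violations that QRadar would otherwise handle silently.
SAMPLE_ATTRS = {"src": "10.0.0.1", "sev": "11", "identHostName": "ws01", "reqId": "42"}
```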

Custom Event Date Format

To create a custom event date format, your device must supply the raw date
format using the devTime event attribute in the payload of the event. The
devTime event attribute requires formatting using devTimeFormat to display the
event in QRadar. The suggested devTimeFormat patterns are listed as follows:

Table 1-3 devTimeFormat Suggested Patterns

devTimeFormat Pattern                       Result
devTimeFormat=MMM dd yyyy HH:mm:ss          Jun 06 2010 16:07:36
devTimeFormat=MMM dd yyyy HH:mm:ss.SSS      Jun 06 2010 16:07:36.300
devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z    Jun 06 2010 02:07:36.300 GMT

For further information on specifying a date format, visit the SimpleDateFormat
page at: http://java.sun.com/javase/6/docs/api/java/text/SimpleDateFormat.html
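Added example (not from the technical note): translating the suggested devTimeFormat patterns into Python strptime directives and parsing a devTime value with them, so a collector that is not written in Java can still honour the pattern the sender declares. The letter mapping is an assumption that covers only the SimpleDateFormat letters used in Table 1-3; any other letters pass through unchanged.

```python
import re
from datetime import datetime
from typing import Dict

# SimpleDateFormat letters used by the Table 1-3 patterns, mapped to strptime directives.
# Assumption: only this subset is handled; other SimpleDateFormat letters are left as-is.
_SDF_TO_STRPTIME = {
    "yyyy": "%Y", "MMM": "%b", "dd": "%d", "HH": "%H", "mm": "%M",
    "ss": "%S", "SSS": "%f", "z": "%Z",
}
# Longest tokens first so "yyyy" and "SSS" are matched before shorter alternatives.
_SDF_TOKEN = re.compile("|".join(sorted(_SDF_TO_STRPTIME, key=len, reverse=True)))

def sdf_to_strptime(pattern: str) -> str:
    """Translate a devTimeFormat value (Java SimpleDateFormat) into a strptime format."""
    return _SDF_TOKEN.sub(lambda m: _SDF_TO_STRPTIME[m.group(0)], pattern)

def parse_dev_time(attrs: Dict[str, str]) -> datetime:
    """Parse attrs["devTime"] with the devTimeFormat that Table 1-2 says must accompany it."""
    if "devTimeFormat" not in attrs:
        raise ValueError("devTime requires devTimeFormat in the same payload")
    # %f pads "300" to 300000 microseconds; %Z accepts "GMT"/"UTC" but leaves the
    # resulting datetime naive, so the zone must be applied by the caller if needed.
    return datetime.strptime(attrs["devTime"], sdf_to_strptime(attrs["devTimeFormat"]))

# Constructed sample taken from the third row of Table 1-3.
SAMPLE_ATTRS = {"devTime": "Jun 06 2010 02:07:36.300 GMT",
                "devTimeFormat": "MMM dd yyyy HH:mm:ss.SSS z"}
```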


Q1 Labs Inc.
890 Winter Street
Suite 230
Waltham, MA 02451 USA
Copyright 2011 Q1 Labs, Inc. All rights reserved. Q1 Labs, the Q1 Labs logo, Total Security Intelligence, and QRadar are trademarks or
registered trademarks of Q1 Labs, Inc. All other company or product names mentioned may be trademarks or registered trademarks of their
respective holders. The specifications and information contained herein are subject to change without notice.
This Software, and all of the manuals and other written materials provided with the Software, is the property of Q1 Labs Inc. These rights are
valid and protected in all media now existing or later developed, and use of the Software shall be governed and constrained by applicable U.S.
copyright laws and international treaties. Unauthorized use of this Software will result in severe civil and criminal penalties, and will be
prosecuted to the maximum extent under law.
Except as set forth in this Manual, users may not modify, adapt, translate, exhibit, publish, transmit, participate in the transfer or sale of,
reproduce, create derivative works from, perform, display, reverse engineer, decompile or dissemble, or in any way exploit, the Software, in
whole or in part. Unless explicitly provided to the contrary in this Manual, users may not remove, alter, or obscure in any way any proprietary
rights notices (including copyright notices) of the Software or accompanying materials. Q1 Labs Inc. reserves the right to revise this
documentation and to make changes in content from time to time without obligation on the part of Q1 Labs Inc. to provide notification of such
revision or change. Q1 Labs Inc. provides this documentation without warranty, term, or condition of any kind, either implied or expressed,
including, but not limited to, the implied warranties, terms, or conditions of merchantability, satisfactory quality, and fitness for a particular
purpose. Specifications of the Software are subject to change without notice.
