Skip to content

SEKOIA.IO Documentation

Common Event Format

SEKOIA.IO Documentation

Getting Started
Getting Started
- Overview
- First steps
- Inviting users to join your community
- Search
  Search
  - Dork Language
  - Querying Operations Center Events
Operations Center
Operations Center
- Overview
- Dashboards
- Integration Catalog
  Integration Catalog
  - Overview
  - Custom Format
  - Application
    Application
    
    Alsid
    
    Apache
    
    BIND
    
    ISC DHCP
    
    HAProxy
    
    Nginx
    
    OpenSSH
    
    SEKOIA.IO
    
    Unbound
    
    The Hive
  - Cloud and SaaS
    Cloud and SaaS
    
    AWS
    AWS
    
    CloudTrail
    
    VPC Flow Logs
    
    Cisco Umbrella
    Cisco Umbrella
    
    Proxy
    
    IP
    
    DNS
    
    Digital Shadows
    
    Microsoft Azure
    Microsoft Azure
    
    Azure Active Directory
    
    Azure MySQL
    
    Azure Linux machines
    
    Azure Network Watcher
    
    Azure Windows machines
    
    Microsoft Office 365
    
    Imperva Web Application Firewall
  - Email
    Email
    
    FortiMail
    
    Postfix
    
    Retarus Email Security
    
    SpamAssassin
    
    Vade for M365
  - Endpoint
    Endpoint
    
    Auditbeat Linux
    
    Cybereason MalOp
    
    HarfangLab
    
    Linux
    
    Panda Security Aether
    
    SentinelOne
    
    SentinelOne Deep Visibility
    
    Tanium
    
    Windows
    
    Windows (Log Insight)
  - Network
    Network
    
    Checkpoint
    
    Cisco
    
    F5 BigIP
    
    FortiGate
    
    FortiProxy
    
    FortiWeb
    
    McAfee Web Gateway
    
    NetFilter
    
    PaloAlto
    
    Pulse Connect Secure
    
    Sophos Firewall
    
    Squid
    
    Stormshield
    
    Suricata
    
    Vectra
    
    Wallix
    
    Zeek
  - Generic
    Generic
    
    Common Event Format Common Event Format
    Table of contents
    
    Overview
    
    Configure
    
    Rsyslog
    
    Further Reading
- Data Collection
  Data Collection
  - Overview
  - Ingestion methods
    Ingestion methods
    
    Overview
    
    Rsyslog
    
    Logstash
    
    syslog-ng
    
    Graylog
    
    HTTPS
- Configure
  Configure
  - Entities
  - Intakes
  - Assets
- Detect
  Detect
  - Rules Catalog
- Investigate
  Investigate
  - Alerts
  - Events
  - Cases
- FAQ
Intelligence Center
Intelligence Center
- Overview
- Data Model
- API
- External Integrations
  External Integrations
- Web Application
  Web Application
User Center
User Center
Playbooks
Playbooks
- Overview
- Triggers
- Operators
- Actions
- Library
  Library
  - AWS
  - Binaryedge's api
  - Censys
  - Certificate_transparency
  - Detection-rules
  - Digital Shadows
  - Fileutils
  - Fortigate_fw
  - Glimps
  - Google
  - Git
  - Http
  - Harfanglab
  - Iknowwhatyoudownload
  - Imperva
  - Iptoasn
  - Misp
  - Mwdb
  - Mandrill
  - Mattermost
  - Osint
  - Onyphe
  - Pagerduty
  - Panda Security
  - Public_suffix
  - Rss
  - Riskiq
  - SEKOIA.IO
  - STIX
  - Servicenow
  - Shodan
  - TheHive
  - Tranco
  - Triage
  - Vade secure
  - Virustotal
  - Whois
Develop
Develop
- Overview
- Guides
  Guides
- REST API
  REST API
  - Authentication
  - Community
  - Dashboard
  - Notification
  - Operation Center
    Operation Center
    
    Configuration
    
    Parser
    
    Alert
    
    Assets
  - Intelligence Center
    Intelligence Center
    
    Intelligence
    
    Enrichments
  - Playbooks

Common Event Format

Overview

ArcSight's Common Event Format (CEF) is an open log management standard. If one of your applications or devices is not covered by one of the other intakes we support but can produce logs in CEF you can use this intake.

Still we recommend using an intake tailored to your specific application or device, even with CEF, in order to ensure you get the most out of your logs. If an intake is missing, please contact us.

Configure

As of now, the main solution to collect CEF logs leverages the Rsyslog recipe. Please share your experiences with other recipes by editing this documentation.

Rsyslog

Please refer to the documentation of your vendor to forward events to your rsyslog server. The reader is also invited to consult the Rsyslog Transport documentation to forward these logs to SEKOIA.IO.

Further Reading

CEF specification