search

CEF

The Common Event Format (CEF) is a standardised log message format that is widely used for transmitting security events from IT devices and cloud services.

CEF is designed to normalize and standardize event logs across different devices and vendors, making it easier to parse and analyze security data in a consistent way.

hashtag
Structure of a CEF Message

A typical CEF log is a single-line message composed of two parts:

  1. Header – Contains fixed fields that describe the source and nature of the event.

  2. Extension – Contains additional details in key-value pairs.

CEF Format Overview

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|key1=value1 key2=value2 ...

hashtag
Example CEF Log Entry

CEF:0|Fortinet|FortiGate|6.4|12345|Blocked TCP connection|5|src=192.168.1.10 dst=10.0.0.5 spt=12345 dpt=443 proto=TCP act=blocked

Breakdown:

Header:

  • CEF:0 – CEF version 0

  • Fortinet – Device vendor

  • FortiGate – Product name

  • 6.4 – Product version

  • 12345 – Signature ID (event type)

  • Blocked TCP connection – Event name

  • 5 – Severity (scale from 0 to 10)

Extension (Key-Value Pairs):

  • src=192.168.1.10 – Source IP

  • dst=10.0.0.5 – Destination IP

  • spt=12345 – Source port

  • dpt=443 – Destination port

  • proto=TCP – Protocol

  • act=blocked – Action taken

The CEF hos not any parameter to be configured, as it's applied to the whole event, that must be in CEF format.

PreviousKey-valueNextJSON

Last updated