The Log Event Extended Format (LEEF) is a customized event format for IBM® Security QRadar®.
Any vendor can use this documentation to generate LEEF events.
QRadar can integrate, identify, and process LEEF events. LEEF events must use UTF-8 character encoding.
You can send events in LEEF output to QRadar by using the following protocols:
- File import with the Log File Protocol
The method that you select to provide LEEF events determines whether the events can be automatically discovered in QRadar. When events are automatically discovered the level of manual configuration that is needed in QRadar is reduced.
As LEEF events are received, QRadar analyzes the event traffic in an attempt to identify the device or appliance. This process is referred to as traffic analysis. It typically takes at least 25 LEEF events to identify and create a new log source in QRadar. Until traffic analysis identifies the event source, the initial 25 events are categorized as SIM Generic Log DSM events and the event name is set as Unknown Log Event. After the event traffic is identified, QRadar creates a log source to properly categorize and label any events that are forwarded from your appliance or software. Events that are sent from your device are viewable in QRadar on the Log Activity tab.