LEEF Mapping

Log Event Extended Format (LEEF) from QRadar

The LEEF format consists of an optional syslog header, a LEEF header and a collection of attributes describing the event.

Syslog_Header(optional) LEEF_Header|Event_Attributes

The LEEF header is pipe ('|') separated and the attributes are tab separated.

Example

Jan 18 11:07:53 host LEEF:Version|Vendor|Product|Version|EventID|Key1=Value1<tab>Key2=Value2<tab>Key3=Value3<tab>...<tab>KeyN=ValueN

Table 1. LEEF Parameters
Parameter        Description
LEEF:Version     Integer identifying the version of LEEF used for the log message
Vendor           String identifying the vendor of the device or application sending the event log
Product          String identifying the product sending the event log. Note: the combination of vendor and product must be unique.
Version          String identifying the version of the device or application sending the event log
EventID          ID that uniquely identifies the event
Attributes 1..N  A set of key=value attribute pairs for the event, separated by the tab character. Order is not enforced.
                 A predefined set of keys is defined and should be used when possible.
                 The LEEF format is extensible and allows additional key=value pairs to be added to the event log.
                 Keys must not contain spaces or equal signs.
                 Values must not contain tabs.

Example:
Jan 18 11:07:53 192.168.1.1 LEEF:1.0|QRadar|QRM|1.0|NEW_PORT_DISCOVERD|src=172.5.6.67<tab>dst=172.50.123.1<tab>sev=5<tab>cat=anomaly<tab>msg=there are spaces in this message
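The parsing rules above (optional syslog header, five pipe-separated LEEF header fields, tab-separated key=value attributes, no spaces or equal signs in keys, no tabs in values), as an added Python example that is not part of this page or of QRadar's own code. The sample events are constructed. It handles only the LEEF 1.0 header layout shown above; treating a key that repeats within one event as an error is an assumption, since the page does not say how duplicates are handled.

```python
from dataclasses import dataclass
from typing import Dict

# Constructed sample events (not taken from any product's logs). The first has
# no syslog header; the second has one and a value that contains spaces.
SAMPLE_EVENTS = [
    "LEEF:1.0|QRadar|QRM|1.0|NEW_PORT_DISCOVERD|src=172.5.6.67\tdst=172.50.123.1\tsev=5\tcat=anomaly",
    "Jan 18 11:07:53 192.168.1.1 LEEF:1.0|Vendor|Product|2.3|LOGIN_FAILED|"
    "usrName=alice\tsrc=10.0.0.5\tmsg=bad password, 3rd attempt",
]


class LeefError(ValueError):
    """Raised when a line does not follow the LEEF rules described on this page."""


@dataclass
class LeefEvent:
    syslog_header: str      # "" when the optional syslog header is absent
    leef_version: str
    vendor: str
    product: str
    version: str
    event_id: str
    attributes: Dict[str, str]


def parse_leef(line: str) -> LeefEvent:
    """Split a LEEF 1.0 line into syslog header, LEEF header fields and attributes."""
    start = line.find("LEEF:")
    if start < 0:
        raise LeefError("no LEEF header found")
    syslog_header = line[:start].rstrip()
    # The header has five pipe-separated fields; everything after the fifth
    # pipe is the attribute section, so a '|' inside a value is left alone.
    parts = line[start:].split("|", 5)
    if len(parts) != 6:
        raise LeefError("LEEF header must have five pipe-separated fields")
    leef_version = parts[0][len("LEEF:"):]
    vendor, product, version, event_id, attr_section = parts[1:]
    attributes: Dict[str, str] = {}
    for pair in attr_section.split("\t"):        # attributes are tab separated
        if pair == "":
            continue                              # tolerate a trailing tab
        key, sep, value = pair.partition("=")     # value may itself contain '='
        if not sep or key == "" or " " in key:    # keys: no spaces, no '='
            raise LeefError(f"malformed attribute {pair!r}")
        if key in attributes:                     # assumption: duplicates are an error
            raise LeefError(f"duplicate attribute key {key!r}")
        attributes[key] = value                   # values may contain spaces, never tabs
    return LeefEvent(syslog_header, leef_version, vendor, product,
                     version, event_id, attributes)


def is_valid_leef(line: str) -> bool:
    """True when parse_leef accepts the line, False on any LEEF rule violation."""
    try:
        parse_leef(line)
        return True
    except LeefError:
        return False


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(parse_leef(raw))
```

A tab inside a value cannot be detected after the fact: the tab splits the value into a further "pair", which then fails the key check, so the whole event is rejected rather than silently truncated.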

Character Encoding

UTF-8

Predefined Attributes

Table 2. Predefined Attributes
Key Name        Data Type             Max Length  Description
cat             string                            Event category
devTime         date                              Time the device or application emitted the event
devTimeFormat   string                            Defined by the Java SimpleDateFormat. Only required when using a customized date format; see the Date Formats section for details.
proto           integer                           Transport protocol
sev             integer (1-10)                    Severity of this event
src             IPv4 or IPv6 address              Source address
dst             IPv4 or IPv6 address              Destination address
VSrc            IPv4 or IPv6 address              Virtual source address
srcPort         integer                           Source port. Valid port numbers are 0 to 65535.
dstPort         integer                           Destination port. Valid port numbers are 0 to 65535.
srcPreNat       IPv4 or IPv6 address              Source address for the message before Network Address Translation (NAT) occurred
dstPreNat       IPv4 or IPv6 address              Destination address for the message before Network Address Translation (NAT) occurred
srcPostNat      IPv4 or IPv6 address              Source address for the message after Network Address Translation (NAT) occurred
dstPostNat      IPv4 or IPv6 address              Destination address for the message after Network Address Translation (NAT) occurred
usrName         string                255         User name associated with the event
srcMAC          MAC address                       Six colon-separated hexadecimal numbers. Example: 1:2D:67:BF:1A:71
dstMAC          MAC address                       Six colon-separated hexadecimal numbers. Example: 11:2D:67:BF:1A:71
srcPreNATPort   integer                           Source port. Valid port numbers are 0 to 65535.
dstPreNATPort   integer                           Destination port. Valid port numbers are 0 to 65535.
srcPostNATPort  integer                           Source port. Valid port numbers are 0 to 65535.
dstPostNATPort  integer                           Destination port. Valid port numbers are 0 to 65535.
identSRC        IPv4 or IPv6 address
identHostName   string                255         Host name associated with the event. Typically, this parameter is only associated with identity events.
identNetBios    string                255         NetBIOS name associated with the event. Typically, this parameter is only associated with identity events.
identGrpName    string                255         Group name associated with the event. Typically, this parameter is only associated with identity events.

Custom Attributes

In some cases custom attributes may be required to carry more information about the event being generated. In these cases vendors may define their own custom attributes and include them in the event log. Custom attribute fields should be used only when there is no acceptable mapping into a predefined field.

Custom attribute keys must be:
  • A single word with no spaces
  • Alphanumeric
  • Clear and concise
  • Not the same as any predefined attribute key

Custom attributes may be used for viewing in the QRadar Event Viewer by creating custom properties.

Custom attributes may be used by the QRadar reporting engine by creating custom properties.

Custom attributes can NOT be used for event correlation.

Note: Add databaseName=%%DBname to the LEEF template in order to capture the MS-SQL database name. Update the existing LEEF template or make a new template by cloning.
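The sending side of the format, building a LEEF line from a dictionary while enforcing the custom key rules above (single alphanumeric word, not a predefined key) and the tab rule for values, as an added Python example that is not this product's template engine or QRadar code. PREDEFINED_KEYS is transcribed from Table 2 as spelled there; the databaseName sample value is constructed. Two assumptions: a custom key that differs from a predefined key only in case is treated as a clash, and a tab in a value is rejected rather than rewritten.

```python
import re
from typing import Dict, List, Optional

# Predefined attribute keys transcribed from Table 2 of this page, spelled as
# the page spells them.
PREDEFINED_KEYS = frozenset({
    "cat", "devTime", "devTimeFormat", "proto", "sev", "src", "dst", "VSrc",
    "srcPort", "dstPort", "srcPreNat", "dstPreNat", "srcPostNat", "dstPostNat",
    "usrName", "srcMAC", "dstMAC", "srcPreNATPort", "dstPreNATPort",
    "srcPostNATPort", "dstPostNATPort", "identSRC", "identHostName",
    "identNetBios", "identGrpName",
})
# Assumption: a custom key differing from a predefined key only by case still
# clashes with it, so the comparison below is case-insensitive.
_PREDEFINED_LOWER = frozenset(k.lower() for k in PREDEFINED_KEYS)
_CUSTOM_KEY_RE = re.compile(r"^[A-Za-z0-9]+$")   # one word, alphanumeric only


def is_valid_custom_key(key: str) -> bool:
    """Custom key rules from the page: one alphanumeric word, no predefined name."""
    return bool(_CUSTOM_KEY_RE.match(key)) and key.lower() not in _PREDEFINED_LOWER


def attribute_problems(attributes: Dict[str, object]) -> List[str]:
    """Return every rule violation found; an empty list means the attributes are clean."""
    problems: List[str] = []
    for key, value in attributes.items():
        if key not in PREDEFINED_KEYS and not is_valid_custom_key(key):
            problems.append(f"key {key!r} is neither predefined nor a valid custom key")
        if "\t" in str(value):                   # assumption: reject, do not rewrite
            problems.append(f"value of {key!r} contains a tab")
    return problems


def format_leef(vendor: str, product: str, version: str, event_id: str,
                attributes: Dict[str, object], leef_version: str = "1.0",
                syslog_header: Optional[str] = None) -> str:
    """Serialise one event as a LEEF 1.0 line, raising ValueError on rule violations."""
    for name, field in (("vendor", vendor), ("product", product),
                        ("version", version), ("eventID", event_id)):
        if "|" in field:                         # '|' is the header delimiter
            raise ValueError(f"header field {name} must not contain '|'")
    problems = attribute_problems(attributes)
    if problems:
        raise ValueError("; ".join(problems))
    pairs = "\t".join(f"{key}={value}" for key, value in attributes.items())
    line = f"LEEF:{leef_version}|{vendor}|{product}|{version}|{event_id}|{pairs}"
    return f"{syslog_header} {line}" if syslog_header else line


if __name__ == "__main__":
    # Constructed sample: a predefined key plus the databaseName custom key.
    print(format_leef("Vendor", "Product", "1.0", "DB_LOGIN",
                      {"src": "10.0.0.5", "databaseName": "orders"},
                      syslog_header="Jan 18 11:07:53 host"))
```

Running attribute_problems before emitting gives a sender a list of every offending key or value at once, which is more useful in a template-validation step than stopping at the first one.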

Date Formats

You can use any of these predefined formats:
  1. Milliseconds since January 1, 1970 (integer)
  2. MMM dd yyyy HH:mm:ss, for example, Jun 06 2012 16:07:36
  3. MMM dd yyyy HH:mm:ss.SSS, for example, Jun 06 2012 16:07:36.300
  4. MMM dd yyyy HH:mm:ss.SSS zzz, for example, Jun 06 2012 02:07:36.300 GMT
If these formats are not suitable, you can define a custom date format for the devTime field by specifying the date format in the devTimeFormat key.

For further information on specifying a date format, visit the SimpleDateFormat page at: http://java.sun.com/javase/6/docs/api/java/text/SimpleDateFormat.html
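Reading a devTime value in any of the four predefined formats, or in a custom devTimeFormat, as an added Python example that is not part of this page or of QRadar. It translates the SimpleDateFormat letters used by the formats above (yyyy, yy, MMM, MM, dd, HH, mm, ss, SSS, zzz) into strptime directives; that token table is the example's own and covers only those letters. A further assumption: a zzz zone of GMT or UTC yields an aware UTC datetime, and any other zone name leaves the result naive.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Predefined formats 2-4 from the list above, in SimpleDateFormat notation
# (format 1, milliseconds since the epoch, is handled separately).
PREDEFINED_FORMATS = [
    "MMM dd yyyy HH:mm:ss",
    "MMM dd yyyy HH:mm:ss.SSS",
    "MMM dd yyyy HH:mm:ss.SSS zzz",
]

# SimpleDateFormat letters -> strptime directives. Longer tokens come first so
# that "yyyy" is not read as two "yy". Assumption: only these tokens are
# translated; any other character is copied through as a literal.
_JAVA_TOKENS: List[Tuple[str, str]] = [
    ("yyyy", "%Y"), ("yy", "%y"), ("MMM", "%b"), ("MM", "%m"), ("dd", "%d"),
    ("HH", "%H"), ("mm", "%M"), ("ss", "%S"), ("SSS", "%f"), ("zzz", "%Z"),
]


def java_format_to_strptime(java_fmt: str) -> str:
    """Translate a SimpleDateFormat pattern into an equivalent strptime pattern."""
    out: List[str] = []
    i = 0
    while i < len(java_fmt):
        for token, directive in _JAVA_TOKENS:
            if java_fmt.startswith(token, i):
                out.append(directive)
                i += len(token)
                break
        else:
            ch = java_fmt[i]
            out.append("%%" if ch == "%" else ch)   # a literal '%' must be escaped
            i += 1
    return "".join(out)


def parse_with_java_format(value: str, java_fmt: str) -> datetime:
    dt = datetime.strptime(value, java_format_to_strptime(java_fmt))
    # strptime's %Z accepts "GMT"/"UTC" but returns a naive datetime; attach
    # UTC in that case. Assumption: other zone names stay naive (device-local).
    if "zzz" in java_fmt and value.rsplit(" ", 1)[-1].upper() in ("GMT", "UTC"):
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def parse_dev_time(dev_time: str, dev_time_format: Optional[str] = None) -> datetime:
    """Parse a devTime value, using devTimeFormat when the event carries one."""
    if dev_time_format is not None:
        return parse_with_java_format(dev_time, dev_time_format)
    if dev_time.isdigit():   # format 1: milliseconds since 1970-01-01 UTC
        ms = int(dev_time)
        return (datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
                + timedelta(milliseconds=ms % 1000))
    for fmt in PREDEFINED_FORMATS:   # formats 2-4, most specific last
        try:
            return parse_with_java_format(dev_time, fmt)
        except ValueError:
            continue
    raise ValueError(f"devTime {dev_time!r} matches none of the predefined formats")


if __name__ == "__main__":
    for sample in ("Jun 06 2012 16:07:36", "Jun 06 2012 02:07:36.300 GMT", "1339000056300"):
        print(sample, "->", parse_dev_time(sample).isoformat())
    print(parse_dev_time("2012-06-06 16:07:36", "yyyy-MM-dd HH:mm:ss").isoformat())
```

Only format 1 and a zzz of GMT/UTC carry zone information; the other predefined formats produce naive values, so a collector that mixes devices in several time zones needs to supply the zone out of band before comparing devTime across sources.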