LEEF Mapping
Log Event Extended Format (LEEF) from QRadar
The LEEF format consists of an optional syslog header, a LEEF header and a collection of attributes describing the event:
Syslog_Header(optional) LEEF_Header|Event_Attributes
The LEEF header fields are pipe ('|') separated and the attributes are tab separated.
Example
Jan 18 11:07:53 host LEEF:Version|Vendor|Product|Version|EventID|Key1=Value1<tab>Key2=Value2<tab>Key3=Value3<tab>...<tab>KeyN=ValueN
Parameter | Description
---|---
LEEF:Version | Integer identifying the version of LEEF used for the log message
Vendor | String identifying the vendor of the device or application sending the event log
Product | String identifying the product sending the event log. Note: the combination of vendor and product must be unique
Version | String identifying the version of the device or application sending the event log
EventID | ID that uniquely identifies the event
Attributes 1..N | A set of key=value attributes for the event, separated by the tab character. Order is not enforced. A predefined set of keys is defined and should be used when possible. LEEF is extensible and allows additional key=value pairs to be added to the event log. Keys must not contain spaces or equal signs; values must not contain tabs
For example (the attributes are separated by tab characters, which render as spaces here):
Jan 18 11:07:53 192.168.1.1 LEEF:1.0|QRadar|QRM|1.0|NEW_PORT_DISCOVERD|src=172.5.6.67 dst=172.50.123.1 sev=5 cat=anomaly msg=there are spaces in this message
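The following parser and builder, added here as an example and not part of the QRadar documentation or product, implement the layout described above: an optional syslog prefix, five pipe-separated header fields and tab-separated key=value attributes. It assumes a BSD-style syslog prefix ("Mon DD HH:MM:SS host ") when a header is present; other syslog layouts are outside its scope. The sample line is the example above rewritten with real tab characters.

```python
"""LEEF record parser and builder (added example, not IBM/QRadar code)."""
import re
from typing import Dict, Optional

# Optional BSD-style syslog prefix, e.g. "Jan 18 11:07:53 192.168.1.1 " (assumed layout).
_SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?=LEEF:)"
)


def parse_leef(line: str) -> Dict[str, object]:
    """Split one LEEF line into syslog header, LEEF header fields and attributes."""
    line = line.rstrip("\r\n")
    syslog: Optional[Dict[str, str]] = None
    m = _SYSLOG_RE.match(line)
    if m:
        syslog = {"timestamp": m.group("ts"), "host": m.group("host")}
        line = line[m.end():]
    if not line.startswith("LEEF:"):
        raise ValueError("line does not start with a LEEF header")

    # The header is exactly five pipe-separated fields. Limiting the split
    # keeps a '|' that appears inside an attribute value (e.g. msg=) intact.
    parts = line.split("|", 5)
    if len(parts) != 6:
        raise ValueError("LEEF header must have five pipe-separated fields")
    version, vendor, product, product_version, event_id, attr_blob = parts

    attrs: Dict[str, str] = {}
    for pair in attr_blob.split("\t"):          # attributes are tab separated
        if pair == "":
            continue                            # tolerate a trailing tab
        key, sep, value = pair.partition("=")   # a value may itself contain '='
        if not sep or not key or " " in key:
            raise ValueError(f"malformed attribute {pair!r}")
        if key in attrs:
            raise ValueError(f"duplicate attribute key {key!r}")
        attrs[key] = value
    return {
        "syslog": syslog,
        "leef_version": version[len("LEEF:"):],
        "vendor": vendor,
        "product": product,
        "product_version": product_version,
        "event_id": event_id,
        "attributes": attrs,
    }


def build_leef(vendor: str, product: str, product_version: str, event_id: str,
               attrs: Dict[str, str], leef_version: str = "1.0") -> str:
    """Serialise a LEEF line, enforcing the key/value rules from the table above."""
    for field in (vendor, product, product_version, event_id):
        if "|" in field:
            raise ValueError("header fields must not contain '|'")
    pairs = []
    for key, value in attrs.items():
        if not key or " " in key or "=" in key:
            raise ValueError(f"key must not contain spaces or '=': {key!r}")
        # Tabs are forbidden by the format; newlines are rejected too because they
        # would split the record when sent over syslog (added check, not from the spec).
        if "\t" in value or "\n" in value or "\r" in value:
            raise ValueError(f"value of {key!r} must not contain tab or newline")
        pairs.append(f"{key}={value}")
    header = f"LEEF:{leef_version}|{vendor}|{product}|{product_version}|{event_id}|"
    return header + "\t".join(pairs)


# Constructed sample: the example line above, with real tabs between attributes.
SAMPLE = (
    "Jan 18 11:07:53 192.168.1.1 LEEF:1.0|QRadar|QRM|1.0|NEW_PORT_DISCOVERD|"
    "src=172.5.6.67\tdst=172.50.123.1\tsev=5\tcat=anomaly\tmsg=there are spaces in this message"
)

if __name__ == "__main__":
    record = parse_leef(SAMPLE)
    print(record)
    print(build_leef(record["vendor"], record["product"], record["product_version"],
                     record["event_id"], record["attributes"]))
```

Splitting the header with `split("|", 5)` rather than an unbounded split is the detail that matters when ingesting untrusted logs: a pipe inside a free-text attribute such as msg= would otherwise shift every following field.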
Character Encoding
UTF-8
Predefined Attributes
Key Name | Data Type | Max Length | Description
---|---|---|---
cat | string | | Event category
devTime | date | | Time the device or application emitted the event
devTimeFormat | string | | Defined by the Java SimpleDateFormat. Only required if using a customized date format. See the Date Formats section for further details.
proto | integer | | Transport protocol
sev | integer (1-10) | | Severity of this event
src | IPv4 or IPv6 address | | Source address
dst | IPv4 or IPv6 address | | Destination address
vSrc | IPv4 or IPv6 address | | Virtual source address
srcPort | integer | | Source port. Valid port numbers are between 0 and 65535.
dstPort | integer | | Destination port. Valid port numbers are between 0 and 65535.
srcPreNat | IPv4 or IPv6 address | | Source address for the message before Network Address Translation (NAT) occurred
dstPreNat | IPv4 or IPv6 address | | Destination address for the message before NAT occurred
srcPostNat | IPv4 or IPv6 address | | Source address for the message after NAT occurred
dstPostNat | IPv4 or IPv6 address | | Destination address for the message after NAT occurred
usrName | string | 255 | User name associated with the event
srcMAC | MAC address | | Six colon-separated hexadecimal numbers
dstMAC | MAC address | | Six colon-separated hexadecimal numbers
srcPreNATPort | integer | | Source port before NAT occurred. Valid port numbers are between 0 and 65535.
dstPreNATPort | integer | | Destination port before NAT occurred. Valid port numbers are between 0 and 65535.
srcPostNATPort | integer | | Source port after NAT occurred. Valid port numbers are between 0 and 65535.
dstPostNATPort | integer | | Destination port after NAT occurred. Valid port numbers are between 0 and 65535.
identSRC | IPv4 or IPv6 address | |
identHostName | string | 255 | Host name associated with the event. Typically, this parameter is only associated with identity events
identNetBios | string | 255 | NetBIOS name associated with the event. Typically, this parameter is only associated with identity events
identGrpName | string | 255 | Group name associated with the event. Typically, this parameter is only associated with identity events
Custom Attributes
In some cases custom attributes may be required to carry more information about the event being generated. In these cases vendors may define their own custom attributes and include them in the event log. Custom attribute fields should be used only when there is no acceptable mapping into a predefined field. Custom attribute key names must be:
- A single word with no spaces
- Alphanumeric
- Clear and concise
- Not the same as any predefined attribute key
Custom attributes can be viewed in the QRadar Event Viewer by creating custom properties.
Custom attributes can be used by the QRadar reporting engine by creating custom properties.
Custom attributes cannot be used for event correlation.
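A table-driven validator for the attribute dictionary of a parsed record, added here as an example and not QRadar code. It applies the type and range rules from the predefined attributes table above (IP address, port 0-65535, sev 1-10, six-octet MAC, 255-character strings) and the custom-key naming rules from this section. Two details are assumptions rather than something the page states: a predefined string with no listed maximum is only checked for being non-empty, and a custom key that differs from a predefined key only by letter case is flagged, since it almost certainly indicates a mis-cased predefined key.

```python
"""Validator for LEEF predefined and custom attributes (added example, not QRadar code)."""
import ipaddress
import re
from typing import Callable, Dict, List, Optional

_MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
_CUSTOM_KEY_RE = re.compile(r"^[A-Za-z0-9]+$")   # single alphanumeric word, no spaces


def _ip(v: str) -> None:
    ipaddress.ip_address(v)                       # raises ValueError for anything else


def _port(v: str) -> None:
    if not 0 <= int(v) <= 65535:
        raise ValueError("port outside 0-65535")


def _sev(v: str) -> None:
    if not 1 <= int(v) <= 10:
        raise ValueError("sev outside 1-10")


def _integer(v: str) -> None:
    int(v)


def _mac(v: str) -> None:
    if not _MAC_RE.match(v):
        raise ValueError("not six colon-separated hexadecimal numbers")


def _string(max_len: Optional[int] = None) -> Callable[[str], None]:
    def check(v: str) -> None:
        if v == "":
            raise ValueError("empty string")    # assumption: empty values are treated as errors
        if max_len is not None and len(v) > max_len:
            raise ValueError(f"longer than {max_len} characters")
    return check


# Key -> checker, one row per entry in the predefined attributes table. devTime is
# only checked for being non-empty here; its formats are handled separately.
PREDEFINED: Dict[str, Callable[[str], None]] = {
    "cat": _string(), "devTime": _string(), "devTimeFormat": _string(),
    "proto": _integer, "sev": _sev,
    "src": _ip, "dst": _ip, "vSrc": _ip,
    "srcPort": _port, "dstPort": _port,
    "srcPreNat": _ip, "dstPreNat": _ip, "srcPostNat": _ip, "dstPostNat": _ip,
    "usrName": _string(255), "srcMAC": _mac, "dstMAC": _mac,
    "srcPreNATPort": _port, "dstPreNATPort": _port,
    "srcPostNATPort": _port, "dstPostNATPort": _port,
    "identSRC": _ip, "identHostName": _string(255),
    "identNetBios": _string(255), "identGrpName": _string(255),
}
_PREDEFINED_LOWER = {k.lower(): k for k in PREDEFINED}


def validate_attributes(attrs: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means every attribute passed."""
    problems: List[str] = []
    for key, value in attrs.items():
        check = PREDEFINED.get(key)
        if check is not None:
            try:
                check(value)
            except ValueError as exc:
                problems.append(f"{key}={value!r}: {exc}")
            continue
        # Custom attribute: only the key name is constrained by the rules above.
        if not _CUSTOM_KEY_RE.match(key):
            problems.append(f"{key!r}: custom key must be a single alphanumeric word")
        elif key.lower() in _PREDEFINED_LOWER:
            # Stricter than the rule above (assumption): a case-only variant of a
            # predefined key is almost certainly a mistake, not a custom attribute.
            problems.append(f"{key!r}: differs from predefined key "
                            f"{_PREDEFINED_LOWER[key.lower()]!r} only by case")
    return problems


if __name__ == "__main__":
    # Constructed sample attributes: the page's example plus one custom key.
    print(validate_attributes({"src": "172.5.6.67", "dst": "172.50.123.1", "sev": "5",
                               "cat": "anomaly", "dbTable": "users"}))
    print(validate_attributes({"src": "not-an-ip", "sev": "99", "bad key": "x"}))
```

Run this on every record before it reaches correlation or storage: a device that emits sev=99 or a malformed src= is either misconfigured or being used to inject garbage into the SIEM, and either way the record should be quarantined rather than normalised silently.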
Date Formats
The following formats are accepted for devTime without specifying devTimeFormat:
- Milliseconds since January 1, 1970 (integer)
- MMM dd yyyy HH:mm:ss, for example, Jun 06 2012 16:07:36
- MMM dd yyyy HH:mm:ss.SSS, for example, Jun 06 2012 16:07:36.300
- MMM dd yyyy HH:mm:ss.SSS zzz, for example, Jun 06 2012 02:07:36.300 GMT
For further information on specifying a date format, see the SimpleDateFormat page at: http://java.sun.com/javase/6/docs/api/java/text/SimpleDateFormat.html
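The devTime handling described above, as an added example that is not QRadar code: it tries the epoch-milliseconds form and the three textual defaults, and, when devTimeFormat is present, translates the Java SimpleDateFormat pattern letters into strptime directives. The translator is an assumption covering only the letters that occur in the listed formats (yyyy, MMM, MM, dd, HH, mm, ss, SSS, zzz); any other letter raises. A trailing zone name is recognised only as GMT or UTC, in which case the result is made timezone-aware; otherwise the datetime stays naive and should be read as the device's local time (again an assumption, not something the page states).

```python
"""devTime parsing for LEEF records (added example, not QRadar code)."""
import re
from datetime import datetime, timezone
from typing import Dict, List

# Runs of Java SimpleDateFormat letters -> strptime directives (assumed subset).
_JAVA_TO_STRPTIME = {
    "yyyy": "%Y", "MMM": "%b", "MM": "%m", "dd": "%d",
    "HH": "%H", "mm": "%M", "ss": "%S", "SSS": "%f", "zzz": "%Z", "z": "%Z",
}

# The three textual default formats listed above, already translated.
DEFAULT_FORMATS: List[str] = [
    "%b %d %Y %H:%M:%S",
    "%b %d %Y %H:%M:%S.%f",
    "%b %d %Y %H:%M:%S.%f %Z",
]


def java_to_strptime(pattern: str) -> str:
    """Translate a SimpleDateFormat pattern made of the supported letters."""
    out = []
    for m in re.finditer(r"(.)\1*", pattern):      # runs of the same character
        run = m.group(0)
        if run[0].isalpha():
            if run not in _JAVA_TO_STRPTIME:
                raise ValueError(f"unsupported SimpleDateFormat token {run!r}")
            out.append(_JAVA_TO_STRPTIME[run])
        else:
            out.append(run.replace("%", "%%"))     # literal separators
    return "".join(out)


def _with_zone(dt: datetime, raw: str) -> datetime:
    # strptime's %Z only validates the zone name; attach UTC explicitly for GMT/UTC.
    if raw.endswith((" GMT", " UTC")):
        return dt.replace(tzinfo=timezone.utc)
    return dt


def parse_dev_time(attrs: Dict[str, str]) -> datetime:
    """Parse devTime from a parsed attribute dictionary, honouring devTimeFormat."""
    raw = attrs["devTime"]
    fmt = attrs.get("devTimeFormat")
    if fmt is not None:
        return _with_zone(datetime.strptime(raw, java_to_strptime(fmt)), raw)
    if raw.isdigit():                               # milliseconds since the epoch
        ms = int(raw)
        return (datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
                .replace(microsecond=(ms % 1000) * 1000))
    for candidate in DEFAULT_FORMATS:
        try:
            return _with_zone(datetime.strptime(raw, candidate), raw)
        except ValueError:
            continue
    raise ValueError(f"devTime {raw!r} matches none of the default formats")


if __name__ == "__main__":
    # Constructed samples: the three examples from the list above plus a custom format.
    for sample in ({"devTime": "1338998856300"},
                   {"devTime": "Jun 06 2012 16:07:36.300"},
                   {"devTime": "Jun 06 2012 02:07:36.300 GMT"},
                   {"devTime": "2012-06-06 16:07:36", "devTimeFormat": "yyyy-MM-dd HH:mm:ss"}):
        print(sample["devTime"], "->", parse_dev_time(sample).isoformat())
```

Note the naive result for the formats without a zone: two devices in different time zones emitting the same local time produce indistinguishable devTime values, so an ingest pipeline that needs a correct timeline has to know each log source's zone or require senders to include zzz or epoch milliseconds.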