2018-12-31 12:33 PM
We are trying to import logs from FireEye Central Management System (CMS). One of the logging formats for FE CM is Common Event Format (CEF). Has anybody configured custom cef parsing for this device?
When I enabled CEF logging on CMS the device.type came in as ciscorouter even when I configured a parser mapping for the device to the cef parser. I've read the article on configuration of cef-custom.xml, but any push in the right direction would help.
/Dion
2019-01-01 12:33 AM
Have you enabled the CEF parser on the Log Decoder?
What other log formats are supported?
Is LEEF one of them?
2019-01-02 08:37 AM
The cef log parser is enabled. The CMS supports CEF, LEEF, CSV, TEXT, JSON, XML. I assumed that with the CEF parser and the cef-custom.xml it would be easiest to get CEF working the way I want. When I use LEEF, the messages are parsed as fireeyewebmps. But this doesn’t parse cleanly. We have several of the FireEye products and would like to implement support for all of them.
2019-01-02 10:12 AM
Dion
Would you contact me directly to discuss an idea that I have for you?
dave dot glover at rsa dot com
Thanks
Dave
2019-01-26 09:10 AM
Dave,
Thanks for your help. The CEF logs from the CMS seem to be lacking the timestamp and other information in the header so they are not being identified correctly as CEF. You helped me get started with a version of a parser for LEEF formatted logs.
I'm including my modifications. I'm not really a parser writer, so I'm sure it could use some work.
============
<?xml version="1.0" encoding="UTF-8"?>
<DEVICEMESSAGES
  name="fireeyecms"
  displayname="FireEye CMS"
  group="Intrusion"
  type="7104">
  <VERSION
    xml="1"
    revision="1"
    device="2.0"/>
  <!-- Key/value pairs in the LEEF body are separated by '^', each key from its value by '=' -->
  <TAGVALMAP
    pairdelimiter="^"
    valuedelimiter="="/>
  <!-- Header: LEEF:1.0|vendor|product|version|event id|; everything after the last pipe is handed to the message as payload -->
  <HEADER
    id1="HDR1"
    id2="HDR1"
    messageid="STRCAT('CMS-MSG')"
    content="fenotify-<hfld1>.alert: LEEF:1.0|<hfld2>|<obj_type>|<content_version>|<detail>|<!payload>"/>
  <!-- Body: one tagval mapping for all alert types; missField lets a message parse even when some keys are absent -->
  <MESSAGE
    id1="CMS-MSG"
    id2="CMS-MSG"
    tagval="true"
    missField="true"
    content="devTime=<event_time_string>^devTimeFormat=<time_format>^sev=<severity>^proto=<protocol>^src=<saddr>^dst=<daddr>^cncHost=<daddr>^srcPort=<sport>^shost=<shost>^dstPort=<dport>^srcMAC=<smacaddr>^request=<url>^dstMAC=<dmacaddr>^url=<url>^link=<url>^vlan=<vlan>^externalId=<ext_id>^dvchost=<device.host>^cncPort=<dport>^sigId=<sigid>^cat=<event_type>^signame=<signame>^action=<action>^sname=<category>^filePath=<filename>^sha256sum=<checksum>^duser=<email.dst>^subject=<subject>^suser=<email.src>^msg=<msg>^dvc=<fld1>^uuid=<uuid>^fileHash=<checksum>^cncChannel=<webpage>^osinfo=<os>"/>
</DEVICEMESSAGES>
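As an added, stand-alone check that is not part of the thread or of the NetWitness parser itself: a small Python re-implementation of the posted header pattern and LEEF-key-to-meta-key mapping, so a CMS LEEF line can be run through the same mapping offline to see which meta keys it would populate and which keys fall through. The sample line is constructed, and the `unparsed` and `unmapped` buckets are my own bookkeeping names, not NetWitness meta keys.

```python
import re

# LEEF key -> NetWitness meta key, copied from the posted fireeyecms parser body.
LEEF_TO_META = {
    "devTime": "event_time_string", "devTimeFormat": "time_format", "sev": "severity",
    "proto": "protocol", "src": "saddr", "dst": "daddr", "cncHost": "daddr",
    "srcPort": "sport", "shost": "shost", "dstPort": "dport", "srcMAC": "smacaddr",
    "request": "url", "dstMAC": "dmacaddr", "url": "url", "link": "url", "vlan": "vlan",
    "externalId": "ext_id", "dvchost": "device.host", "cncPort": "dport", "sigId": "sigid",
    "cat": "event_type", "signame": "signame", "action": "action", "sname": "category",
    "filePath": "filename", "sha256sum": "checksum", "duser": "email.dst",
    "subject": "subject", "suser": "email.src", "msg": "msg", "dvc": "fld1",
    "uuid": "uuid", "fileHash": "checksum", "cncChannel": "webpage", "osinfo": "os",
}

# Same shape as the posted HEADER content: fenotify-<hfld1>.alert: LEEF:1.0|vendor|product|version|event id|payload
HEADER_RE = re.compile(
    r"^fenotify-(?P<hfld1>[^.]+)\.alert: LEEF:1\.0\|(?P<hfld2>[^|]*)\|(?P<obj_type>[^|]*)"
    r"\|(?P<content_version>[^|]*)\|(?P<detail>[^|]*)\|(?P<payload>.*)$"
)

# Constructed sample alert using the '^' pair delimiter from the posted TAGVALMAP.
SAMPLE_LINE = (
    "fenotify-1234.alert: LEEF:1.0|FireEye|CMS|8.1.0|malware-callback|"
    "devTime=Jan 10 2019 08:15:42^sev=7^proto=tcp^src=192.0.2.10^dst=203.0.113.7^"
    "cncHost=203.0.113.7^srcPort=51022^dstPort=443^url=http://example.invalid/cb?id=1&x=2^"
    "dvchost=fe-cms-01^msg=Callback detected"
)


def parse_leef(line, pairdelim="^"):
    """Return {meta_key: [values]} for one line, or None if the header does not match."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    meta = {k: v for k, v in m.groupdict().items() if k != "payload"}
    for pair in m.group("payload").split(pairdelim):
        # partition on the first '=' only, so URLs with query strings keep their '=' intact
        key, sep, value = pair.partition("=")
        if not sep:
            meta.setdefault("unparsed", []).append(pair)   # token with no '=' (would be lost by tagval)
            continue
        target = LEEF_TO_META.get(key)
        if target is None:
            meta.setdefault("unmapped", []).append(key)    # key the parser body does not cover
            continue
        meta.setdefault(target, []).append(value)          # one meta key may receive several values
    return meta
```

Running `parse_leef(SAMPLE_LINE)` shows `daddr` filled twice (from `dst` and `cncHost`), which is what the posted mapping does as well.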