Common header
- All syslog messages start with a timestamp and the string "Center cybervision[xyz]:". For example: 2021-01-12T09:57:50.986718+00:00 Center cybervision[5485]:
  Here the timestamp is in RFC3164 Unix format.
- CEF syslog messages follow the standard CEF format, which consists of a list of fields separated by a "|": CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|
  For example:
  CEF:0|Cisco|Cyber Vision|1.0|component_new|New component detected|2|
The following fields have a fixed value:
- "CEF:Version": will always be "CEF:0"
- "Device Vendor": "Cisco"
- "Device Product": "Cyber Vision"
- "Device Version": "1.0"
Then, the fields below vary depending on the message type:
- Device Event Class ID: ID of the event type.
- Name: name of the event type.
- Severity: severity of the event type.
Refer to the annex appended at the end of this document to see examples of syslog messages containing these fields.
Finally, there are 4 types of severities:
- "0": Low
- "1": Medium
- "2": High
- "3": Critical
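As an added example (not code from the Cisco Cyber Vision documentation), the following Python parser splits a Cyber Vision syslog line into its common header and the seven CEF header fields, checks the fixed-value fields, and maps the severity digit to the label above. It assumes the process id in brackets is numeric and, following the general CEF specification rather than this page, that a "|" inside a header field is escaped as "\|".

```python
import re
from dataclasses import dataclass

# Constructed sample line, assembled from the header and CEF examples on this page.
SAMPLE = ("2021-01-12T09:57:50.986718+00:00 Center cybervision[5485]: "
          "CEF:0|Cisco|Cyber Vision|1.0|component_new|New component detected|2|")

SEVERITY_LABELS = {"0": "Low", "1": "Medium", "2": "High", "3": "Critical"}
FIXED_HEADER = ("CEF:0", "Cisco", "Cyber Vision", "1.0")

# Common header: <timestamp> "Center cybervision[<pid>]: " then the CEF payload.
LINE_RE = re.compile(r"^(?P<ts>\S+) Center cybervision\[(?P<pid>\d+)\]: (?P<cef>CEF:.*)$")


@dataclass
class CyberVisionEvent:
    timestamp: str
    pid: int
    event_class_id: str
    name: str
    severity: str
    severity_label: str
    extension: str  # whatever follows the seventh "|" (empty in the page's example)


def parse_line(line: str) -> CyberVisionEvent:
    """Parse one Cyber Vision CEF syslog line; raise ValueError on anything off-spec."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("line does not start with the Cyber Vision common header")
    # Split on pipes that are not backslash-escaped; at most 7 splits so the
    # extension (which may legitimately contain pipes) stays in one piece.
    parts = re.split(r"(?<!\\)\|", m.group("cef"), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must contain exactly 7 pipe-separated fields")
    header = [p.replace("\\|", "|") for p in parts[:7]]
    if tuple(header[:4]) != FIXED_HEADER:
        raise ValueError(f"unexpected fixed header fields: {header[:4]}")
    severity = header[6]
    if severity not in SEVERITY_LABELS:
        raise ValueError(f"unknown severity {severity!r}")
    return CyberVisionEvent(
        timestamp=m.group("ts"), pid=int(m.group("pid")),
        event_class_id=header[4], name=header[5],
        severity=severity, severity_label=SEVERITY_LABELS[severity],
        extension=parts[7],
    )


if __name__ == "__main__":
    print(parse_line(SAMPLE))
```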