CEF format Reports

EventLog Analyzer collects log data in the CEF format and presents it in the form of graphical reportsFor the solution to start collecting this log data, the device has to be added as a threat source.

Adding a device with logs in the CEF format as a threat source:

To add the application that uses CEF as a threat source, the syslog service has to be configured.

1. Login to the application or device which supports CEF log format.
2. Go to syslog server configuration.
3. In the field for Log Format, select CEF Format.
4. In the Syslog Server IP address field, enter the <EventLog Analyzer IP address>.
5. Enter the syslog port and save the configuration.

Once the threat source is added, EventLog Analyzer will start parsing the fields in the logs. This log data can now be viewed in the form of reports.

1. In the EventLog Analyzer console, navigate to Settings > Log Source Configurations > Applications > Security Applications > Add Security Applications
2. Select Add-on type as CEF format
3. Expand the list by clicking the "+" icon to add a new device.
4. Choose from the drop-down menu to add Configured devices, Workgroup devices, domain devices, etc.
5. To add new devices manually, click on Configure Manually and enter Log Source >Select and click on Add.

The available reports are:

• CEF Format Overview
• Very High Severity Events
• High Severity Events
• Medium Severity Events
• Low Severity Events
• Top Events Based On Event Class ID
• Top Events Based On Event Name