Azure Sentinel CEF Logs


We are having a problem with our log collector setup whereby CEF logs are not being parsed into the right columns. They also repeat in syslog. Firstly, can you see anything wrong with the format? Secondly, could this be adjusted through a regex? I've seen that syslog-ng can do adjustments, I think?



Syslog entry

Aug 5 21:26:26 GREMLIN EventsFeederImporter.Host.exe: CEF:1|Panda Security|paps||socket|socket|1|Date=2021-08-05 20:22:48.051462 MachineName=xxxxxx MachineIP=xxxxxxxxxxx User=NT AUTHORITY\\SYSTEM MUID=xxxxxxxxxxxxxxxxxxxxx LocalDateTime=2021-08-05T20:23:43.051+01:00 PandaTimeStatus=2 Protocol=TCP LocalPort=58823 Direction=Up LocalIp= Hash=xxxxxxxxxxxxxxxx DriveType=Fixed Path=PROGRAM_FILES_COMMON|\\Microsoft Shared\\ClickToRun\\officesvcmgr.exe IP= Port=443 Times=1 Pid=45490 ValidSig=true Company=Microsoft Corporation Broken=true ImageType=EXE 64 ExeType=Unknown Prevalence=High PrevLastDay=Low Cat=Goodware MWName=

You may need a parser; examples for various products are here that you can get ideas from. That won't help with the duplication, however.

Also see ASIM; there is a link to this upcoming webcast and other info: Deep Dive into Azure Sentinel Normalizing Parsers and Normalized Content, next week; register here.

@Robbie Wallis 


So, basically the CEF format should be as below:
CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension 


In your case I'm not sure whether the Signature ID and Name values are correct or not, because they can't be the same.


And yes, you can do this adjustment with regex.




I am wondering if the "EventsFeederImporter.Host.exe:" bit is a problem. There is a colon directly preceding CEF. I wonder if that is why the columns are being messed up? Does anyone know how to remove it using syslog-ng?
I managed to replace the program part and it wasn't that causing the issue. What I have noticed is that with the Panda Siemfeeder product there is a different number of columns in the logs depending on the type of event. There are always more than the base CEF format of CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]

It is almost as though Azure starts from the right-hand side and works to the left, as everything is offset. How does Azure know which column is which when you exceed the 8 default columns? I've tried to remove the additional columns by replacing the additional breaks (|) using subst in syslog-ng, but so far no luck in doing so.
I found the issue was twofold. One, the CEF version needed to be 0 and not 1. Also, some reports had additional | characters and needed rewriting; I used syslog-ng to do this.
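An added example, not from the thread or from Panda, that makes both the header layout quoted in the second reply and the final fix concrete. It parses the posted line with a CEF-aware splitter (unescaped pipes only, header stops after the seventh field, extension values may contain spaces), shows that a splitter that breaks on every `|` yields nine pieces instead of eight because of the pipe inside the Path value, and reimplements in Python what the thread's resolution did in syslog-ng: force `CEF:0` and rewrite the extra pipe. Escaping extension pipes as `\|` is an assumption about what the collector tolerates; the CEF guide only requires escaping pipes in the header. All field and function names are mine, and the sample line is the one posted above with its masked values left as-is.

```python
import re

# Constructed test input: the line posted in the thread, masked values kept.
# The Path value carries an unescaped '|' and the header says CEF:1.
# "\\\\" in this literal is two backslash characters on the wire.
SAMPLE = (
    "Aug 5 21:26:26 GREMLIN EventsFeederImporter.Host.exe: "
    "CEF:1|Panda Security|paps||socket|socket|1|"
    "Date=2021-08-05 20:22:48.051462 MachineName=xxxxxx MachineIP=xxxxxxxxxxx "
    "User=NT AUTHORITY\\\\SYSTEM MUID=xxxxxxxxxxxxxxxxxxxxx "
    "LocalDateTime=2021-08-05T20:23:43.051+01:00 PandaTimeStatus=2 Protocol=TCP "
    "LocalPort=58823 Direction=Up LocalIp= Hash=xxxxxxxxxxxxxxxx DriveType=Fixed "
    "Path=PROGRAM_FILES_COMMON|\\\\Microsoft Shared\\\\ClickToRun\\\\officesvcmgr.exe "
    "IP= Port=443 Times=1 Pid=45490 ValidSig=true Company=Microsoft Corporation "
    "Broken=true ImageType=EXE 64 ExeType=Unknown Prevalence=High PrevLastDay=Low "
    "Cat=Goodware MWName="
)

CEF_START = re.compile(r"CEF:\d+\|")
HEADER_FIELDS = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
                 "DeviceEventClassID", "Name", "Severity")
# A key is a run of safe characters followed by '=' at the start or after whitespace.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")


def split_header(text, nfields=7):
    r"""Split on unescaped '|' until `nfields` fields are collected.
    Header escapes ('\|' and '\\') are resolved; whatever follows the
    last consumed pipe is returned raw as the extension."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < nfields:
        c = text[i]
        if c == "\\" and i + 1 < len(text):   # escaped char: keep it literally
            cur.append(text[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    return fields, text[i:]


def unescaped_pipes(text):
    """Number of '|' a CEF-aware splitter treats as delimiters."""
    return len(split_header(text, len(text) + 1)[0])


def parse_extension(ext):
    r"""key=value pairs; a value runs up to the next ' key=' token, so spaces
    inside values are fine. '\=', '\\', '\n', '\r' are unescaped per CEF."""
    keys = list(KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(
            r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return out


def parse_cef(line):
    """Parse a syslog line carrying a CEF message into header fields + extension."""
    m = CEF_START.search(line)
    if not m:
        raise ValueError("no CEF header found")
    fields, ext = split_header(line[m.start():], 7)
    if len(fields) != 7:
        raise ValueError("short CEF header")
    rec = {"SyslogPrefix": line[:m.start()].rstrip(),
           "CEFVersion": fields[0][len("CEF:"):]}
    rec.update(zip(HEADER_FIELDS, fields[1:]))
    rec["Extension"] = parse_extension(ext)
    return rec


def naive_split(line):
    """What a splitter that breaks on every '|' sees: the Path pipe adds a column."""
    m = CEF_START.search(line)
    return line[m.start():].split("|")


def normalize_cef(line):
    r"""The fix the thread ends on, done here in Python instead of a syslog-ng
    rewrite: force CEF:0 and escape every '|' after the seventh header pipe
    as '\|'. Escaping extension pipes is an assumption about the collector;
    the CEF spec does not require it."""
    m = CEF_START.search(line)
    if not m:
        return line
    fields, ext = split_header(line[m.start():], 7)
    if len(fields) != 7:
        return line
    header = ["CEF:0"] + [f.replace("\\", "\\\\").replace("|", "\\|")
                          for f in fields[1:]]
    return line[:m.start()] + "|".join(header) + "|" + ext.replace("|", "\\|")
```

Running `parse_cef(SAMPLE)` gives `DeviceEventClassID` and `Name` both as `socket` and `Path` as `PROGRAM_FILES_COMMON|\Microsoft Shared\ClickToRun\officesvcmgr.exe`, while `naive_split(SAMPLE)` returns nine pieces with the tail of the extension in the ninth, which is the offset described above. After `normalize_cef`, the line has exactly seven unescaped pipes and parses to the same extension dictionary.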