Q1Labs LEEF Format


Page 1: Q1Labs LEEF Format

TECHNICAL NOTE

LOG EVENT EXTENDED FORMAT (LEEF) - NOVEMBER, 2011

The Log Event Extended Format (LEEF) is a syslog event format used with QRadar, allowing device manufacturers and Q1 Labs Security Intelligence Partners (SCIP) to provide syslog events in the LEEF format for simple integration.

This document contains the following LEEF format information:

• LEEF Format Header Content

• Predefined Event Attributes

• Custom Event Attributes

• Custom Event Date Format

NOTE: The Log Event Extended Format (LEEF) only supports UTF8 character encoding.

LEEF Format Header Content

The LEEF format consists of the following three components:

<Syslog Header> <LEEF Header>|<Event Attributes>

• Syslog header - The syslog header contains the timestamp and IP address or host name of the system providing the event. The syslog header is an optional component of the LEEF format. If you include the syslog header, you must separate the syslog header from the LEEF header with a space.

• LEEF header - The LEEF header is a pipe delimited (|) set of values that identifies the product to QRadar.

• Event attributes - The event attributes identify the payload information of the event. Event attributes are tab separated and typically consist of predefined event attributes, which allow QRadar to categorize and display the event. For more information, see Predefined Event Attributes.

LEEF Version 1.0 TN31112011-A


Table 1-1 LEEF Format Header

Syslog Header (optional)

• Date - The date and timestamp of the host providing the event to QRadar.

• IP Address - The IP address of the host providing the event to QRadar.

LEEF Header (entries are pipe delimited)

• LEEF:Version - The LEEF version information is an integer value that identifies the major and minor version of the LEEF format. For example, LEEF:1.0|Vendor|Product|Version|EventID|

• Vendor - Vendor is a text string that identifies the vendor of the device or application sending the event log to QRadar. For example, LEEF:1.0|Microsoft|Product|Version|EventID|
Note: The Vendor and Product fields must contain unique values when specified in the LEEF header.

• Product - The product field is a text string that identifies the product sending the event log to QRadar. For example, LEEF:1.0|Microsoft|MSExchange|Version|EventID|
Note: The Vendor and Product fields must contain unique values when specified in the LEEF header.

• Version - Version is a string that identifies the version of the device or application sending the event log. For example, LEEF:1.0|Microsoft|MSExchange|2.2|EventID|

• EventID Description - Event ID is used to uniquely identify an event type in the LEEF header. The description of the event should be treated as a fine grain identifier. This allows QRadar to specifically identify an event outside of the payload. For example: LEEF:1.0|Microsoft|MSExchange|2.2|7732| or LEEF:1.0|Microsoft|MSExchange|2.2|7732 Logon Failure MSExchange|

Event Attributes (entries are tab delimited; many predefined entries)

• Event attribute is a set of key value pairs that provide detailed information about the event. Each event attribute must be tab delimited, but the order of attributes is not enforced. For example, src=172.16.77.100
A predefined set of event attributes are defined and should be used whenever possible. However, the LEEF format is extensible and allows for additional key value pairs to be added to the event log. For more information on the predefined event attributes, see Predefined Event Attributes.


LEEF Format Example 1

An example of the LEEF format header with the optional syslog header:

Jan 18 11:07:53 192.168.1.1 LEEF:1.0|QRadar|QRM|1.0|NEW_PORT_DISCOVERD|src=7.5.6.6 dst=172.50.123.1 sev=5 cat=anomaly srcPort=3881 dstPort=21 usrName=joe.black srcMAC=00:1C:23:1E:46:1D dstMAC=14:4F:54:1B:1A

LEEF Format Example 2

An example of the LEEF format header without the optional syslog header:

LEEF:1.0|QRadar|QRM|1.0|NEW_PORT_DISCOVERD|src=17.5.6.67 dst=172.50.123.1 sev=5 cat=anomaly srcPort=3881 dstPort=21 usrName=joe.black srcMAC=00:1C:23:1E:46:1D dstMAC=14:4F:54:1B:1A
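The two examples above, fed through a small parser written for this note (added here, not Q1 Labs code). It applies the structure the document describes: an optional syslog header separated by a space, exactly five pipe-delimited header values, then tab-separated key=value attributes. The samples are constructed from Example 1 and Example 2 with real tab characters, since the tabs do not survive on the printed page. The rejection of repeated keys is taken from the CAUTION in the Custom Event Attributes section.

```python
# Constructed samples: Example 1 and Example 2 from the page, with the
# attribute separators written as the literal tabs the format requires.
EXAMPLE_1 = (
    "Jan 18 11:07:53 192.168.1.1 LEEF:1.0|QRadar|QRM|1.0|NEW_PORT_DISCOVERD|"
    "src=7.5.6.6\tdst=172.50.123.1\tsev=5\tcat=anomaly\tsrcPort=3881\t"
    "dstPort=21\tusrName=joe.black\tsrcMAC=00:1C:23:1E:46:1D\tdstMAC=14:4F:54:1B:1A"
)
EXAMPLE_2 = (
    "LEEF:1.0|QRadar|QRM|1.0|NEW_PORT_DISCOVERD|"
    "src=17.5.6.67\tdst=172.50.123.1\tsev=5\tcat=anomaly\tsrcPort=3881\t"
    "dstPort=21\tusrName=joe.black\tsrcMAC=00:1C:23:1E:46:1D\tdstMAC=14:4F:54:1B:1A"
)


def parse_leef(line):
    """Split a LEEF 1.0 line into (syslog_header, header, attributes).

    syslog_header is None when the optional syslog header is absent. Raises
    ValueError on a missing LEEF header, fewer than five pipe-delimited header
    values, an attribute without '=', or a key repeated in the payload.
    """
    idx = line.find("LEEF:")
    if idx < 0:
        raise ValueError("no LEEF header found")
    # An optional syslog header precedes the LEEF header, separated by a space.
    syslog_header = line[:idx].rstrip() or None
    # LEEF:Version|Vendor|Product|Version|EventID| gives exactly five
    # pipe-delimited values; everything after the fifth pipe is the payload.
    # Splitting on pipes keeps an EventID such as "7732 Logon Failure" intact.
    parts = line[idx:].split("|", 5)
    if len(parts) < 6:
        raise ValueError("LEEF header needs Version, Vendor, Product, Version, EventID")
    header = {"leef_version": parts[0][len("LEEF:"):], "vendor": parts[1],
              "product": parts[2], "version": parts[3], "event_id": parts[4]}
    attrs = {}
    for pair in filter(None, parts[5].split("\t")):  # attributes are tab separated
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {pair!r}")
        if key in attrs:  # the page's CAUTION: a key may appear only once per payload
            raise ValueError(f"duplicate attribute key: {key}")
        attrs[key] = value
    return syslog_header, header, attrs


def is_well_formed(line):
    """True when parse_leef accepts the line, False on any ValueError."""
    try:
        parse_leef(line)
    except ValueError:
        return False
    return True
```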

Predefined Event Attributes

The Log Event Extended Format (LEEF) supports the following predefined event attributes in the event payload.

Table 1-2 Predefined Event Attributes

Each entry lists Key | Value Type | Attribute Limits | Normalized Event Field, followed by its description.

cat | String | - | Yes
The key cat stands for event category. The event attribute cat in the payload of the event and the LEEF header Event ID are used to map the log message to a QIDmap entry of the QIDmap import file. The difference between these two fields is as follows:

• The Event ID, which is part of the LEEF header, maps to the first column in the QIDmap import file. Event ID can be thought of as a high level identifier.

• The cat event attribute maps to the second column in the QIDmap import file and is only required in the payload where you need to distinguish between events with the same Event ID. For example, an Event ID could be defined as login, where the category is used to distinguish between a successful or failed login.

devTime | Date | - | Yes
The device time is the raw event date and time generated from the host providing the event log. The devTime event attribute requires you to format the date and time using the devTimeFormat event attribute.

devTimeFormat | String | - | No
The devTimeFormat event attribute formats the date and time of the raw devTime event attribute. The devTimeFormat event attribute is required if your event log contains devTime. For more information, see Custom Event Date Format.


proto | Integer or Keyword | - | Yes
Identifies the transport protocol of the event.
Note: For a list of keywords or integer values, see http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml

sev | Integer | 1-10 | Yes
A numeric value that indicates the severity of the event.

• 1 is the lowest event severity.

• 10 is the highest event severity.

src | IPv4 or IPv6 Address | - | Yes
The IP address of the event source.

dst | IPv4 or IPv6 Address | - | Yes
IP address of the event destination.

srcPort | Integer | 0 to 65535 | Yes
Source port of the event.

dstPort | Integer | 0 to 65535 | Yes
Destination port of the event.

srcPreNAT | IPv4 or IPv6 Address | - | Yes
Source address for the event message before Network Address Translation (NAT).

dstPreNAT | IPv4 or IPv6 Address | - | Yes
Destination address for the event message before Network Address Translation (NAT).

srcPostNAT | IPv4 or IPv6 Address | - | Yes
Source address for the message before Network Address Translation (NAT) occurred.

dstPostNAT | IPv4 or IPv6 Address | - | Yes
Destination address for the message before Network Address Translation (NAT) occurred.

usrName | String | 255 | Yes
Username associated with the event.

srcMAC | MAC Address | - | Yes
MAC address of the event source in hexadecimal. The MAC address is comprised of six groups of two hexadecimal digits, which are colon-separated. For example, 11:2D:67:BF:1A:71

dstMAC | MAC Address | - | Yes
MAC address of the event destination in hexadecimal. The MAC address is comprised of six groups of two hexadecimal digits, which are colon-separated. For example, 11:2D:67:BF:1A:71

srcPreNATPORT | Integer | 0 to 65535 | Yes
Port number of the event source before Network Address Translation (NAT).

dstPreNATPORT | Integer | 0 to 65535 | Yes
Port number of the event destination before Network Address Translation (NAT).

srcPostNATPORT | Integer | 0 to 65535 | Yes
Port number of the event source after Network Address Translation (NAT).

dstPostNATPORT | Integer | 0 to 65535 | Yes
Port number of the event destination after Network Address Translation (NAT).


identSrc | IPv4 or IPv6 Address | - | Yes
Identity source represents the IPv4 or IPv6 address used to associate an event with a user (username) or host (MAC address) to identify the true event source IP address. For example, an event is generated from computer X, but in actuality this event is based on actions from a user logged in remotely from computer Y. The identSrc provides the IP address of computer Y, but only if the event log from the device provides identity information in the event logs, such as a username or MAC address, that can be used to determine identity. The following identity keys provide extra identity information, but are dependent on identSrc being present in the event payload:

• identHostName

• identNetBios

• identGrpName

• identMAC

identHostName | String | 255 | Yes
Host name information associated with the identSrc to further identify the hostname of the identity event. The identHostName parameter is only usable by QRadar if your device provides both the identSrc key and identHostName together in an event payload.

identNetBios | String | 255 | Yes
NetBIOS name associated with the identSrc to further identify the identity event with NetBIOS name resolution. The identNetBios parameter is only usable by QRadar if your device provides both the identSrc key and identNetBios together in an event payload.

identGrpName | String | 255 | Yes
Group name associated with the identSrc to further identify the identity event with Group name resolution. The identGrpName parameter is only usable by QRadar if your device provides both the identSrc key and identGrpName together in an event payload.


identMAC | MAC Address | - | Yes
MAC address of the identity event in hexadecimal. The MAC address is comprised of six groups of two hexadecimal digits, which are colon-separated. For example, 11:2D:67:BF:1A:71
The identMAC parameter is only usable by QRadar if your device provides the identSrc key and identMAC together in an event payload.

vSrc | IPv4 or IPv6 Address | - | No
IP address of the virtual event source.

vSrcName | String | 255 | No
Name of the virtual event source.

accountName | String | 255 | No
The account name associated with the event.

srcBytes | Integer | - | No
A numeric value indicating the byte count from the event source.

dstBytes | Integer | - | No
A numeric value indicating the byte count to the event destination.

srcPackets | Integer | - | No
A numeric value indicating the packet count from the event source.

dstPackets | Integer | - | No
A numeric value indicating the packet count to the event destination.

totalPackets | | - | No
A numeric value indicating the total number of packets transmitted between the source and destination.

role | String | - | No
Role type associated with the user account that created the event. For example, Administrator, User, Domain Admin.

realm | String | - | No
Realm associated with the user account. Depending on your device, this could be a general grouping or based on region. For example, accounting, remote offices.

policy | String | - | No
Policy associated with the user account. This is typically the security policy or group policy tied to the user account.

resource | String | - | No
Resource associated with the user account. This is typically the computer name.

url | String | - | No
URL information that is included with the event.

groupID | String | - | No
GroupID that is associated with the user account.

domain | String | - | No
Domain associated with the user account.


Custom Event Attributes

Vendors and partners have the option to define their own custom event attributes and include them in the payload of the LEEF format. A custom key and value attribute can be used to include more information about an event. Custom event attributes should only be created when there is no acceptable mapping to a predefined event attribute.

CAUTION: Event attribute keys and values can only appear once per payload. Using a key and value twice in the same payload can cause QRadar to ignore the value of the duplicate key.

Unnormalized custom attributes and events are not displayed by default on the Log Activity tab of QRadar. To view custom attributes and non-normalized events on the Log Activity tab of QRadar, you must create a custom event property. For more information on creating a custom event property, see the QRadar Administration Guide.

Custom event attributes must conform to the following rules:

• Alphanumeric (A-Z, a-z, and 0-9)

• Contain a single word for the key value

• Spaces between characters in the key are not allowed

• Cannot be named the same as any predefined attribute key

• Key values must be human readable and concise

For example, item1111=172.16.100.110 is not allowed.
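A checker for the custom key rules listed above, added here as an illustration rather than anything Q1 Labs ships. The predefined key list is copied from Table 1-2 of this note; the "human readable" rule has no precise definition on the page, so the heuristic used for it (a bare word followed by a run of digits, as in the item1111 example) is an assumption.

```python
import re

# Predefined attribute keys from Table 1-2; a custom key may not reuse one.
PREDEFINED_KEYS = {
    "cat", "devTime", "devTimeFormat", "proto", "sev", "src", "dst", "srcPort",
    "dstPort", "srcPreNAT", "dstPreNAT", "srcPostNAT", "dstPostNAT", "usrName",
    "srcMAC", "dstMAC", "srcPreNATPORT", "dstPreNATPORT", "srcPostNATPORT",
    "dstPostNATPORT", "identSrc", "identHostName", "identNetBios",
    "identGrpName", "identMAC", "vSrc", "vSrcName", "accountName", "srcBytes",
    "dstBytes", "srcPackets", "dstPackets", "totalPackets", "role", "realm",
    "policy", "resource", "url", "groupID", "domain",
}

# Rule: alphanumeric (A-Z, a-z, 0-9), one word, no spaces.
_KEY_RE = re.compile(r"^[A-Za-z0-9]+$")
# Assumption: "not human readable" approximated as a word padded with a digit
# run of three or more, or a key made only of digits (covers item1111).
_OPAQUE_RE = re.compile(r"^(?:[A-Za-z]+\d{3,}|\d+)$")


def check_custom_key(key):
    """Return the rule violations for a proposed custom attribute key.

    An empty list means the key is acceptable under the rules on this page.
    """
    problems = []
    if not _KEY_RE.match(key):
        problems.append("key must be a single alphanumeric word without spaces")
    if key in PREDEFINED_KEYS:
        problems.append("key is the same as a predefined attribute key")
    if _OPAQUE_RE.match(key):
        problems.append("key is not human readable")
    return problems


def check_custom_attributes(attrs):
    """Map each non-predefined key in a parsed payload dict to its problems."""
    return {k: check_custom_key(k) for k in attrs if k not in PREDEFINED_KEYS}
```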

Custom Event Date Format

To create a customized event date format, your device must supply the raw date format using the devTime event attribute in the payload of the event. The devTime event attribute requires formatting using devTimeFormat to display the event in QRadar. The suggested devTimeFormat patterns are listed as follows:

For further information on specifying a date format, visit the SimpleDateFormat page at: http://java.sun.com/javase/6/docs/api/java/text/SimpleDateFormat.html

Table 1-3 devTimeFormat Suggested Patterns

devTimeFormat Pattern | Result
devTimeFormat=MMM dd yyyy HH:mm:ss | Jun 06 2010 16:07:36
devTimeFormat=MMM dd yyyy HH:mm:ss.SSS | Jun 06 2010 16:07:36.300
devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z | Jun 06 2010 02:07:36.300 GMT
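How a receiver outside QRadar would honour the devTime / devTimeFormat pair: the SimpleDateFormat letters used by the three patterns in Table 1-3 are translated to Python strptime directives and applied to devTime. This is an added example, not Q1 Labs code; it handles only the pattern letters that appear in the table (an assumption), and because strptime's %Z does not attach a zone, a trailing GMT or UTC is mapped to UTC explicitly while any other zone name leaves the result naive.

```python
from datetime import datetime, timezone

# SimpleDateFormat letters that occur in Table 1-3, mapped to strptime
# directives. Assumption: these are the only letters a sender will use.
_TOKENS = [("yyyy", "%Y"), ("MMM", "%b"), ("dd", "%d"), ("HH", "%H"),
           ("mm", "%M"), ("ss", "%S"), ("SSS", "%f"), ("z", "%Z")]


def to_strptime(dev_time_format):
    """Translate a devTimeFormat pattern such as 'MMM dd yyyy HH:mm:ss.SSS z'."""
    fmt = dev_time_format
    for token, directive in _TOKENS:
        fmt = fmt.replace(token, directive)
    return fmt


def parse_dev_time(attrs):
    """Parse devTime from a dict of payload attributes using devTimeFormat.

    Returns None when the payload carries no devTime. Raises ValueError when
    devTime is present without devTimeFormat, which the page requires.
    """
    if "devTime" not in attrs:
        return None
    if "devTimeFormat" not in attrs:
        raise ValueError("devTime requires a devTimeFormat attribute")
    fmt = to_strptime(attrs["devTimeFormat"])
    # %f accepts one to six digits, so the three-digit SSS field parses as
    # milliseconds (300 -> 300000 microseconds).
    dt = datetime.strptime(attrs["devTime"], fmt)
    # strptime matches GMT/UTC for %Z but leaves tzinfo unset; make it explicit.
    if "%Z" in fmt and attrs["devTime"].split()[-1].upper() in ("GMT", "UTC"):
        dt = dt.replace(tzinfo=timezone.utc)
    return dt
```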


Q1 Labs Inc. 890 Winter Street Suite 230 Waltham, MA 02451 USA

Copyright © 2011 Q1 Labs, Inc. All rights reserved. Q1 Labs, the Q1 Labs logo, Total Security Intelligence, and QRadar are trademarks or registered trademarks of Q1 Labs, Inc. All other company or product names mentioned may be trademarks or registered trademarks of their respective holders. The specifications and information contained herein are subject to change without notice.

This Software, and all of the manuals and other written materials provided with the Software, is the property of Q1 Labs Inc. These rights are valid and protected in all media now existing or later developed, and use of the Software shall be governed and constrained by applicable U.S. copyright laws and international treaties. Unauthorized use of this Software will result in severe civil and criminal penalties, and will be prosecuted to the maximum extent under law.

Except as set forth in this Manual, users may not modify, adapt, translate, exhibit, publish, transmit, participate in the transfer or sale of, reproduce, create derivative works from, perform, display, reverse engineer, decompile or dissemble, or in any way exploit, the Software, in whole or in part. Unless explicitly provided to the contrary in this Manual, users may not remove, alter, or obscure in any way any proprietary rights notices (including copyright notices) of the Software or accompanying materials. Q1 Labs Inc. reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of Q1 Labs Inc. to provide notification of such revision or change. Q1 Labs Inc. provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms, or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. Specifications of the Software are subject to change without notice.