Common Event Format (CEF) Logs
- Last Updated: July 17, 2024
This document outlines the details of the Common Event Format (CEF) logs for the Edge Security Pack (ESP) feature. CEF logs were introduced in LoadMaster firmware version 7.2.50.
To enable the CEF log format, go to System Configuration > Miscellaneous Options > L7 Configuration and select the Use CEF Log Format check box. The Use CEF Log Format check box is disabled by default.
Once enabled, all the logs in the System Configuration > Logging Options > Extended Log Files page are recorded in CEF format. To export these logs, set the parameters in the System Configuration > Logging Options > Syslog Options page to point at your log collector/analyzer.
CEF is a widely used, standardized log message format. In CEF logs, data points are clearly labeled, which makes the overall message easier to read for both people and third-party log collectors and analyzers. When used as a source format for monitored devices, CEF allows for easier overall log storage and analysis across a network of different devices. CEF logs also improve the interoperability of security-related information from different security and network devices and applications. CEF was developed by ArcSight and uses UTF-8 Unicode.
The CEF logs are composed of a header and an extension. The header is well-defined within the specification, and the extension is a vendor-specific segment made up of key-value pairs. The format of the logs is as follows:
CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]
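The header and extension layout above can be parsed on the collector side as shown below. This is an added example, not code from the LoadMaster documentation: the sample line, its vendor and product names, and its extension values are constructed, and the escape handling (\| and \\ in the header; \=, \\, \n and \r in extension values) follows the ArcSight CEF specification rather than anything stated on this page.

```python
import re

# Header field names, in order, taken from the format line above.
HEADER_FIELDS = ["Version", "Device Vendor", "Device Product", "Device Version",
                 "Device Event Class ID", "Name", "Severity"]
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # extension key at start or after whitespace
_ESC = re.compile(r"\\([\\=nr])")                  # extension escapes: \\ \= \n \r

def _split_header(body):
    """Split on unescaped '|' into the 7 header fields plus the raw extension."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        if body[i] == "\\" and body[i + 1:i + 2] in ("\\", "|"):
            cur.append(body[i + 1]); i += 2        # escaped \\ or \| stays in the field
        elif body[i] == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(body[i]); i += 1
    if len(fields) == 6:                           # header with no trailing '|' or extension
        fields.append("".join(cur))
    if len(fields) != 7:
        raise ValueError("CEF header must have 7 fields")
    return fields, body[i:]

def _parse_extension(ext):
    """Each value runs up to the whitespace before the next key= token."""
    out, hits = {}, list(_KEY.finditer(ext))
    for m, nxt in zip(hits, hits[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)]
        out[m.group(1)] = _ESC.sub(
            lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return out

def parse_cef(line):
    """Parse one log line; anything before 'CEF:' (e.g. a syslog prefix) is ignored."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    fields, ext = _split_header(line[start + 4:].rstrip("\r\n"))
    record = dict(zip(HEADER_FIELDS, fields))
    record["Extension"] = _parse_extension(ext)
    return record

# Constructed sample (placeholder vendor, product and values; not real LoadMaster output).
SAMPLE = (r"<134>Jul 17 10:00:00 lb1 CEF:0|ExampleVendor|Example\|Product|1.0|100|"
          r"Login failed|5|src=192.0.2.10 suser=alice msg=bad password for user\=alice")

if __name__ == "__main__":
    for key, value in parse_cef(SAMPLE).items():
        print(f"{key}: {value}")
```

Extension values can carry user-supplied text, so honouring the escapes instead of splitting blindly on | and = keeps field boundaries intact in the collector.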