CEF Extension
- Last Updated: January 15, 2025
- LoadMaster
- LoadMaster LTSF
The Progress Kemp Technologies CEF Extension is a key-value pairing of information providing extra details based on the 'Device Event Class ID'. This is clarified through the use of examples below.
L7 ESP CEF Logs
The following example shows an 'Accept' message with 'Device Event Class ID' of '0'.
CEF:0|Kemp|LM|1.0|0|Accept|0|vs=10.35.56.32:80 event=Accept srcip=10.0.30.127 srcport=6045 msg=Accept

The CEF Extension comprises:

| Extension key-value pair | Description |
|---|---|
| vs | This is the Virtual Service IP address |
| event | This is a string describing the event type; typically, the same as the 'Name' field in the CEF header |
| srcip | This is the source IP address that originated the request |
| srcport | This is the source port that originated the request |
| msg | This is a free-form string providing extra details |
The following example shows a 'Slave Accept' message with 'Device Event Class ID' of '1':
CEF:0|Kemp|LM|1.0|1|Slave accept|0|vs=10.0.70.142:80 event=Slave accept srcip=10.35.2.94 srcport=56838 msg=Slave accept

The CEF Extension comprises:

| Extension key-value pair | Description |
|---|---|
| vs | This is the Virtual Service IP address: Port combination |
| event | This is a string describing the event type; typically, the same as the 'Name' field in the CEF header |
| srcip | This is the source IP address that originated the request |
| srcport | This is the source port that originated the request |
| msg | This is a free-form string providing extra details |
The following example shows an 'SSL Accept' message with 'Device Event Class ID' of '2':
CEF:0|Kemp|LM|1.0|2|SSL accept|0|vs=10.0.70.141:80 event=SSL accept srcip=10.35.2.94 srcport=65431 msg=SSL accept

The CEF Extension comprises:

| Extension key-value pair | Description |
|---|---|
| vs | This is the Virtual Service IP address: Port combination |
| event | This is a string describing the event type; typically, the same as the 'Name' field in the CEF header |
| srcip | This is the source IP address that originated the request |
| srcport | This is the source port that originated the request |
The following example shows a 'Connection Timed Out' message with 'Device Event Class ID' of '3':
CEF:0|Kemp|LM|1.0|3|Connection timed out|1|vs=10.0.70.141:80 event=Connection timed out srcip=10.0.71.104 srcport=61956 msg=waiting for initial client request await_remaddr=0

The CEF Extension comprises:

| Extension key-value pair | Description |
|---|---|
| vs | This is the Virtual Service IP address: Port combination |
| event | This is a string describing the event type; typically, the same as the 'Name' field in the CEF header |
| srcip | This is the source IP address that originated the request |
| srcport | This is the source port that originated the request |
| msg | This is a free-form string providing extra details |
| await_remaddr | Internal flag - likely to be zero |
The following example shows a 'Connected' message with 'Device Event Class ID' of '4':
CEF:0|Kemp|LM|1.0|4|Connected|1|vs=10.35.56.32:80 event=Connected srcip=10.0.30.127 srcport=8454 dstip=10.35.9.11 dstport=80

The CEF Extension comprises:

| Extension key-value pair | Description |
|---|---|
| vs | This is the Virtual Service IP address: Port combination |
| event | This is a string describing the event type; typically, the same as the 'Name' field in the CEF header |
| srcip | This is the source IP address that originated the request |
| srcport | This is the source port that originated the request |
| dstip | This is the destination IP address for this connection |
| dstport | This is the destination port for this connection |
The following example shows a 'Connection Failed' message with 'Device Event Class ID' of '5':
CEF:0|Kemp|LM|1.0|5|Connection failed|3|vs=172.16.151.21:80 event=Connection failed srcip=192.168.10.67 srcport=17548 dstip=172.16.128.37 dstport=82

The CEF Extension comprises:

| Extension key-value pair | Description |
|---|---|
| vs | This is the Virtual Service IP address: Port combination |
| event | This is a string describing the event type; typically, the same as the 'Name' field in the CEF header |
| srcip | This is the source IP address that originated the request |
| srcport | This is the source port that originated the request |
| dstip | This is the destination IP address for this connection |
| dstport | This is the destination port for this connection |
The following example shows a 'Logged off' message with 'Device Event Class ID' of '6':
CEF:0|Kemp|LM|1.0|6|Logged off|1|vs=172.16.151.50:443 event=Logged off user=aduser1@kpauto.net srcip=192.168.10.67

The CEF Extension comprises:

| Extension key-value pair | Description |
|---|---|
| vs | This is the Virtual Service IP address: Port combination |
| event | This is a string describing the event type; typically, the same as the 'Name' field in the CEF header |
| user | The user that was entered in the ESP form and logged on |
| srcip | This is the source IP address that originated the request |
The following example shows an 'Accept' message with 'Device Event Class ID' of '7':
CEF:0|Kemp|LM|1.0|7|User Interaction|2|vs=10.0.70.141:443 event=User Interaction srcip=10.35.2.94 srcport=6045 msg=User Interaction

The CEF Extension comprises:

| Extension key-value pair | Description |
|---|---|
| vs | This is the Virtual Service IP address: Port combination |
| event | This is a string describing the event type; typically, the same as the 'Name' field in the CEF header |
| srcip | This is the source IP address that originated the request |
| srcport | This is the source port that originated the request |
| msg | This is a free-form string providing extra details |
The following example shows a 'Logged On' message with 'Device Event Class ID' of '8':
CEF:0|Kemp|LM|1.0|8|Logged on|1|vs=10.0.70.141:80 event=Logged on srcip=10.0.11.113 user=ruth msg=logged on

The CEF Extension comprises:

| Extension key-value pair | Description |
|---|---|
| vs | This is the Virtual Service IP address |
| event | This is a string describing the event type; typically, the same as the 'Name' field in the CEF header |
| srcip | This is the source IP address that originated the request |
| user | The username of the user who attempted to log on |
| msg | This is a free-form string providing extra details |
The following example shows an 'Access Denied' message with 'Device Event Class ID' of '9':
CEF:0|Kemp|LM|1.0|9|Access Denied|6|vs=10.35.56.32:80 event=Access Denied srcip=10.0.30.127 user=ExampleUser msg=denied access

The CEF Extension comprises:

| Extension key-value pair | Description |
|---|---|
| vs | This is the Virtual Service IP address: Port combination |
| event | This is a string describing the event type; typically, the same as the 'Name' field in the CEF header |
| srcip | This is the source IP address that originated the request |
| user | The username of the user who attempted to log on |
| msg | This is a free-form string providing extra details |
The following example shows an 'Access Blocked' message with 'Device Event Class ID' of '10':
CEF:0|Kemp|LM|1.0|10|Access Blocked|6|vs=10.0.70.141:443 event=Access Blocked srcip=10.35.2.94 user=administrator msg=blocked access

The CEF Extension comprises:

| Extension key-value pair | Description |
|---|---|
| vs | This is the Virtual Service IP address: Port combination |
| event | This is a string describing the event type; typically, the same as the 'Name' field in the CEF header |
| srcip | This is the source IP address that originated the request |
| user | The user that was entered into the ESP form and logged on |
| msg | This is a free-form string providing extra details |
The following example shows a 'Request' message with 'Device Event Class ID' of '14':
CEF:0|Kemp|LM|1.0|14|Request|1|vs=10.35.56.32:80 event=Request srcip=10.0.30.127 srcport=8454 method=GET url=http://10.35.56.32/ user=peter@street.com

The CEF Extension comprises:

| Extension key-value pair | Description |
|---|---|
| vs | This is the Virtual Service IP address: Port combination |
| event | This is a string describing the event type; typically, the same as the 'Name' field in the CEF header |
| srcip | This is the source IP address that originated the request |
| srcport | This is the source port that originated the request |
| method | The HTTP method, for example GET or POST. |
| URL | The URL that the user is trying to access. |
| user | The user making the request. |
The following example shows an 'Attempt' message with 'Device Event Class ID' of '15':
CEF:0|Kemp|LM|1.0|15|Attempt|2|vs=172.16.151.21:80 event=Attempt srcip=192.168.10.67 srcport=17946 method=GET url=http://172.16.151.21/ user=test.030@kpauto.net

The CEF Extension comprises:

| Extension key-value pair | Description |
|---|---|
| vs | This is the Virtual Service IP address: Port combination |
| event | This is a string describing the event type; typically, the same as the 'Name' field in the CEF header |
| srcip | This is the source IP address that originated the request |
| srcport | This is the source port that originated the request |
| method | The HTTP method, for example GET or POST. |
| URL | The URL that the user is trying to access. |
| user | The user making the request. |
The following example shows an 'Attempted XSS attack' message with 'Device Event Class ID' of '16':
CEF:0|Kemp|LM||1.0|16|Attempted XSS attack|9|vs=10.0.70.141:80 event=Attempted XSS attack srcip=10.0.71.104 srcport=62098 dtcode=7

The CEF Extension comprises:

| Extension key-value pair | Description |
|---|---|
| vs | This is the Virtual Service IP address: Port combination |
| event | This is a string describing the event type; typically, the same as the 'Name' field in the CEF header |
| srcip | This is the source IP address that originated the request |
| srcport | This is the source port that originated the request |
| dtcode | This only appears if someone is trying to access an ESP Virtual Service in a way that suggests they are trying to hack the system (for example, there are missing fields or bad characters in the request) |
The following example shows an 'SMTP Parse Failure' message with 'Device Event Class ID' of '17':
2020-06-24T15:51:08+00:00 lb100 l7log: CEF:0|Kemp|LM|1.0|17|SMTP parse failure|7|vs=10.1.133.11:25 event=SMTP parse failure src=10.0.71.175:61401

The CEF Extension comprises:

| Extension key-value pair | Description |
|---|---|
| vs | This is the Virtual Service IP address: Port combination |
| event | This is a string describing the event type; typically, the same as the 'Name' field in the CEF header |
| src | This is the Source IP address: Port that originated the request |
The following example shows an 'SMTP Blocked' message with 'Device Event Class ID' of '18':
2020-06-24T15:49:20+00:00 lb100 l7log: CEF:0|Kemp|LM|1.0|18|SMTP Blocked|6|vs=10.1.133.11:25 event=SMTP Blocked src=10.0.71.175:61401 resource=ktest.com

The CEF Extension comprises:

| Extension key-value pair | Description |
|---|---|
| vs | This is the Virtual Service IP address: Port combination |
| event | This is a string describing the event type; typically, the same as the 'Name' field in the CEF header |
| src | This is the Source IP address: Port that originated the request |
| resource | The URL that someone is trying to access. |
The following example shows a 'Blocked access to directory' message with 'Device Event Class ID' of '19':
CEF:0|Kemp|LM|1.0|19|Blocked access to directory|6|vs=10.0.70.141:80 event=Blocked access to directory srcip=10.35.2.94 srcport=62951 resource=/

The CEF Extension comprises:

| Extension key-value pair | Description |
|---|---|
| vs | This is the Virtual Service IP address: Port combination |
| event | This is a string describing the event type; typically, the same as the 'Name' field in the CEF header |
| srcip | This is the source IP address that originated the request |
| srcport | This is the source port that originated the request |
| resource | The URL that someone is trying to access. |
The following example shows a 'Blocked access to host' message with 'Device Event Class ID' of '20':
CEF:0|Kemp|LM|1.0|20|Blocked access to host|6|vs=10.0.70.141:80 event=Blocked access to host srcip=10.35.2.94 srcport=63054 resource=10.0.70.141

The CEF Extension comprises:

| Extension key-value pair | Description |
|---|---|
| vs | This is the Virtual Service IP address: Port combination |
| event | This is a string describing the event type; typically, the same as the 'Name' field in the CEF header |
| srcip | This is the source IP address that originated the request |
| srcport | This is the source port that originated the request |
| resource | The URL or IP address that someone is trying to access. |
SSOMGR CEF Logs
The following example shows a 'User AAA' message with 'Device Event Class ID' of '100':
CEF:0|Kemp|LM|1.0|100|User AAA|0|vs=10.35.46.235:443 event=User AAA user=mohit@parent.net domain=parent.net server=172.21.135.103 protocol=LDAP Unencrypted result=0:Success

The CEF Extension comprises:

| Extension key-value pair | Description |
|---|---|
| vs | This is the Virtual Service IP address: Port combination |
| event | This is a string describing the event type; typically, the same as the 'Name' field in the CEF header |
| user | The username of the user who attempted to log on |
| domain | The name of the domain to be used |
| server | This is the address of the server |
| protocol | This is the type of selected protocol |
| result | This is the result for this connection |
The following example shows a 'User session timeout' message with 'Device Event Class ID' of '101':
CEF:0|Kemp|LM|1.0|101|User session timeout|0|vs=10.35.46.242:443 event=User session timeout user=mohit@parent.net domain=MULLTIDOMAIN msg=Deleted expired user session, start time:1629182393 duration:69 seconds

The CEF Extension comprises:

| Extension key-value pair | Description |
|---|---|
| vs | This is the Virtual Service IP address: Port combination |
| event | This is a string describing the event type; typically, the same as the 'Name' field in the CEF header |
| user | The username of the user who attempted to log on |
| domain | The name of the domain to be used |
| msg | This is a free-form string providing extra details |
The following example shows a 'User session kill' message with 'Device Event Class ID' of '102':
CEF:0|Kemp|LM|1.0|102|User session kill|0|vs=10.35.46.235:443 event=User session kill user=mohit@parent.net domain=MULLTIDOMAIN msg=Deleted user session, start time:1629378587 duration:8 seconds

The CEF Extension comprises:

| Extension key-value pair | Description |
|---|---|
| vs | This is the Virtual Service IP address: Port combination |
| event | This is a string describing the event type; typically, the same as the 'Name' field in the CEF header |
| user | The username of the user who attempted to log on |
| domain | The name of the domain to be used |
| msg | This is a free-form string providing extra details |
The following example shows a 'Kill all sessions' message with 'Device Event Class ID' of '103':
CEF:0|Kemp|LM|1.0|103|Kill all sessions|0|event=Kill all sessions domain=MULLTIDOMAIN msg=Deleted 1 user session(s) associated with domain

The CEF Extension comprises:

| Extension key-value pair | Description |
|---|---|
| vs | This is the Virtual Service IP address: Port combination |
| event | This is a string describing the event type; typically, the same as the 'Name' field in the CEF header |
| user | The username of the user who attempted to log on |
| domain | The name of the domain to be used |
| msg | This is a free-form string providing extra details |
The following example shows a 'Flush SSO cache' message with 'Device Event Class ID' of '104':
CEF:0|Kemp|LM|1.0|104|Flush SSO cache|1|event=Flush SSO cache msg=SSO cache being flushed user sessions:1 cookie sessions:1

The CEF Extension comprises:

| Extension key-value pair | Description |
|---|---|
| vs | This is the Virtual Service IP address: Port combination |
| event | This is a string describing the event type; typically, the same as the 'Name' field in the CEF header |
| user | The username of the user who attempted to log on |
| domain | The name of the domain to be used |
| msg | This is a free-form string providing extra details |
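
The extension values in the examples above contain unquoted spaces (`event=Slave accept`, `msg=Deleted expired user session, ...`), some lines carry a syslog prefix, and the SMTP events use `src=IP:port` instead of `srcip`/`srcport`. The following Python parser is an added example, not Progress Kemp code, that handles those three cases and counts high-severity events per source IP; the function names `parse_cef` and `high_severity_by_source` and the severity threshold of 6 are assumptions made for this example.

```python
import re
from collections import Counter

# A value runs until the next " key=" or end of line, so values that contain
# spaces (event=Slave accept, msg=Deleted expired user session, ...) stay whole.
_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")

def parse_cef(line):
    """Parse one CEF line, with or without a leading syslog prefix."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    # Seven pipe-delimited header fields, then the extension.
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("expected 7 header fields followed by the extension")
    ext = dict(_PAIR.findall(parts[7]))
    # SMTP events (class IDs 17 and 18) carry src=IP:port instead of srcip/srcport.
    if "src" in ext and "srcip" not in ext:
        ext["srcip"], _, ext["srcport"] = ext["src"].rpartition(":")
    # int() raises ValueError if the class ID or severity field is not numeric.
    return {"class_id": int(parts[4]), "name": parts[5],
            "severity": int(parts[6]), "ext": ext}

def high_severity_by_source(lines, min_severity=6):
    """Count events at or above min_severity per source IP (threshold is an assumption)."""
    hits = Counter()
    for line in lines:
        try:
            rec = parse_cef(line)
        except ValueError:
            continue  # malformed record: skip it rather than guess at the fields
        if rec["severity"] >= min_severity and "srcip" in rec["ext"]:
            hits[rec["ext"]["srcip"]] += 1
    return hits

# Sample lines copied from the examples on this page.
SAMPLES = [
    "CEF:0|Kemp|LM|1.0|1|Slave accept|0|vs=10.0.70.142:80 event=Slave accept srcip=10.35.2.94 srcport=56838 msg=Slave accept",
    "CEF:0|Kemp|LM|1.0|10|Access Blocked|6|vs=10.0.70.141:443 event=Access Blocked srcip=10.35.2.94 user=administrator msg=blocked access",
    "CEF:0|Kemp|LM|1.0|19|Blocked access to directory|6|vs=10.0.70.141:80 event=Blocked access to directory srcip=10.35.2.94 srcport=62951 resource=/",
    "2020-06-24T15:49:20+00:00 lb100 l7log: CEF:0|Kemp|LM|1.0|18|SMTP Blocked|6|vs=10.1.133.11:25 event=SMTP Blocked src=10.0.71.175:61401 resource=ktest.com",
    "CEF:0|Kemp|LM|1.0|101|User session timeout|0|vs=10.35.46.242:443 event=User session timeout user=mohit@parent.net domain=MULLTIDOMAIN msg=Deleted expired user session, start time:1629182393 duration:69 seconds",
]

if __name__ == "__main__":
    for ip, count in high_severity_by_source(SAMPLES).most_common():
        print(ip, count)
```

The 'Attempted XSS attack' sample as printed above contains an empty extra header field (`LM||1.0`), so this parser rejects it as malformed and the counter skips it.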