The CEF header comprises everything except the [Extension]. ArcSight describes the CEF Header as follows:

Version

This is an integer and identifies the version of the CEF format. Event consumers use this information to determine what the following fields represent. The current CEF version is 0 (CEF:0).

The Progress Kemp Version is '0'.

Device Vendor, Device Product, and Device Version

These are strings that uniquely identify the type of sending device. No two products may use the same device-vendor and device-product pair. There is no central authority managing these pairs. Event producers must ensure that they assign unique name pairs.

The Progress Kemp Device Vendor is 'Kemp', the Device Product is 'LM' and the Device Version is '0'.

Note: LM is an abbreviation for LoadMaster.

Device Event Class ID

This is a unique identifier per event-type. This can be a string or an integer. The Device Event Class ID identifies the type of event reported. In the Intrusion Detection System (IDS) world, each signature or rule that detects certain activity has a unique Device Event Class ID assigned. This is a requirement for other types of devices too, and helps correlation engines to process the events. This is also known as the Signature ID.

Name

This is a string representing a human-readable and understandable description of the event. The event name should not contain information that is specifically mentioned in other fields.

Severity

This is a string or integer and reflects the importance of the event.

The valid string values are Unknown, Low, Medium, High, and Very-High.

The valid integer values are 0-3=Low, 4-6=Medium, 7-8=High, and 9-10=Very-High.

The Progress Kemp Device Event Class ID, Name, and Severity are outlined in the table below. Taken together, these three fields give a full understanding of the type and severity of the CEF log.

L7 ESP CEF Logs

Device Event Class ID   Name                           Severity
0                       Accept                         0 (Low)
1                       Slave accept                   0 (Low)
2                       SSL accept                     0 (Low)
3                       Connection timed out           1 (Low)
4                       Connected                      1 (Low)
5                       Connection failed              3 (Low)
6                       Logged off                     1 (Low)
7                       User interaction               2 (Low)
8                       Logged on                      1 (Low)
9                       Access Denied                  6 (Medium)
10                      Access Blocked                 6 (Medium)
14                      Request                        1 (Low)
15                      Attempt                        2 (Low)
16                      Attempted XSS attack           9 (Very-High)
17                      SMTP parse failure
18                      SMTP Blocked
19                      Blocked access to directory    6 (Medium)
20                      Blocked access to host         6 (Medium)

SSOMGR CEF Logs

Device Event Class ID   Name                           Severity
100                     User AAA                       0 (Low)
101                     User session timeout           0 (Low)
102                     User session kill              0 (Low)
103                     Kill all sessions              0 (Low)
104                     Flush SSO cache                1 (Low)
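The following is an added example, not code from Progress Kemp or from ArcSight, showing how a collector would parse the seven-field CEF header described above, map the Severity value onto the bands listed (0-3 Low, 4-6 Medium, 7-8 High, 9-10 Very-High, or the five string values), and cross-check the Device Event Class ID and Name against the two LoadMaster tables. The sample log lines are constructed for the example; the extension keys in them (src, suser, request) are standard CEF keys and are not taken from this page. The SMTP rows (IDs 17 and 18) carry no severity on the page, so the lookup table records them as None.

```python
"""Parse CEF:0 headers and enrich them with the LoadMaster event table."""
from dataclasses import dataclass

# Device Event Class ID -> (Name, Severity) as listed in the L7 ESP and SSOMGR
# tables. IDs 17 and 18 have no severity on the page, hence None.
LM_EVENTS = {
    "0": ("Accept", 0), "1": ("Slave accept", 0), "2": ("SSL accept", 0),
    "3": ("Connection timed out", 1), "4": ("Connected", 1),
    "5": ("Connection failed", 3), "6": ("Logged off", 1),
    "7": ("User interaction", 2), "8": ("Logged on", 1),
    "9": ("Access Denied", 6), "10": ("Access Blocked", 6),
    "14": ("Request", 1), "15": ("Attempt", 2),
    "16": ("Attempted XSS attack", 9), "17": ("SMTP parse failure", None),
    "18": ("SMTP Blocked", None), "19": ("Blocked access to directory", 6),
    "20": ("Blocked access to host", 6),
    "100": ("User AAA", 0), "101": ("User session timeout", 0),
    "102": ("User session kill", 0), "103": ("Kill all sessions", 0),
    "104": ("Flush SSO cache", 1),
}

_STRING_SEVERITIES = {"unknown": "Unknown", "low": "Low", "medium": "Medium",
                      "high": "High", "very-high": "Very-High"}


@dataclass
class CefHeader:
    version: int
    device_vendor: str
    device_product: str
    device_version: str
    signature_id: str   # Device Event Class ID
    name: str
    severity: str       # kept as text: may be an integer or a string value
    extension: str      # raw key=value extension, left unparsed here


def _split_header(line):
    """Split the first seven '|'-separated header fields.

    In the header a literal '|' is written '\\|' and a literal '\\' is '\\\\',
    so a naive split on '|' would break on escaped values."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped character
            buf.append(line[i + 1]); i += 2; continue
        if ch == "|":                              # unescaped separator
            fields.append("".join(buf)); buf = []; i += 1; continue
        buf.append(ch); i += 1
    if len(fields) != 7:
        raise ValueError("CEF header needs 7 '|'-separated fields before the extension")
    return fields, line[i:]


def parse_cef(line):
    fields, extension = _split_header(line)
    if not fields[0].startswith("CEF:"):
        raise ValueError("line does not start with 'CEF:'")
    version = int(fields[0][4:])   # '0' for the current format (CEF:0)
    return CefHeader(version, *fields[1:], extension)


def severity_band(value):
    """Map an integer 0-10 or one of the five string values to its band."""
    v = value.strip()
    if v.isdigit():
        n = int(v)
        if n <= 3: return "Low"
        if n <= 6: return "Medium"
        if n <= 8: return "High"
        if n <= 10: return "Very-High"
        raise ValueError(f"severity {n} is outside 0-10")
    try:
        return _STRING_SEVERITIES[v.lower()]
    except KeyError:
        raise ValueError(f"unknown severity {value!r}") from None


def enrich(line):
    """Parse one line and report how it lines up with the LoadMaster tables."""
    h = parse_cef(line)
    is_lm = (h.device_vendor, h.device_product) == ("Kemp", "LM")
    row = LM_EVENTS.get(h.signature_id) if is_lm else None
    return {
        "signature_id": h.signature_id,
        "name": h.name,
        "band": severity_band(h.severity),
        "loadmaster": is_lm,
        "known_event": row is not None,
        "name_matches_table": row is not None and row[0] == h.name,
        "severity_matches_table": row is not None and row[1] is not None
                                  and str(row[1]) == h.severity,
    }


# Constructed sample lines (not captured from a real LoadMaster).
SAMPLE_XSS = "CEF:0|Kemp|LM|0|16|Attempted XSS attack|9|src=198.51.100.7 request=/index.html"
SAMPLE_DENIED = "CEF:0|Kemp|LM|0|9|Access Denied|6|suser=alice src=198.51.100.8"

if __name__ == "__main__":
    for sample in (SAMPLE_XSS, SAMPLE_DENIED):
        print(enrich(sample))
```

A mismatch between the logged Name/Severity and the table (or an unknown Device Event Class ID) is worth surfacing in a parser, because that is the usual sign of a firmware version whose event set differs from the one the collector was built against.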