Log Event Extended Format (LEEF)
The IBM Security QRadar LEEF format supports syslog as a transport. It describes an event using predefined attributes in the form of key-value pairs. Additional custom attributes can be used to include application-specific information.
NXLog Enterprise Edition can be configured to collect or forward logs in the LEEF format.
LEEF components
According to IBM QRadar: Log Event Extended Format (LEEF), Version 2, this proprietary format consists of the following components:
- Syslog header: Contains the timestamp followed by the IPv4 address or hostname of the event source. An optional numeric priority tag containing no more than 3 digits, enclosed in angle brackets (< >), can be specified as the first element. The header must conform to either RFC 3164 or RFC 5424.
- LEEF header: A list typically consisting of five pipe-delimited values (LEEF version, vendor, source, product version and event ID) and an optional sixth value, the delimiter, which in LEEF version 2.0 can also be expressed as a hexadecimal value prefixed by 0x. The syslog header and LEEF header are separated by a single space. The last character of the LEEF header must be a pipe (|).
- Event attributes: A list of key-value pairs immediately following the last pipe character of the LEEF header, each having the syntax key=value. By default, each pair in the list is separated by a tab character. Otherwise, the pairs must be separated by the delimiter character that was defined as the last element of the LEEF header.
<PRI>Timestamp Hostname LEEF:Version|Vendor|Product|Version|EventID|Delimiter|key1=value1 key2=value2
Each row of the following table represents a complete, single-line LEEF event.
Syslog header | LEEF header | Event attributes |
---|---|---|
May 11 11:27:23 SERVER-1 | LEEF:2.0\|Microsoft\|MSExchange\|2016\|15345\| | src=10.50.1.1 dst=2.10.20.20 spt=1200 |
<13>Jun 6 05:34:55 SERVER-1 | LEEF:2.0\|NXLog\|MyApp\|5.5.7535\|91\|0x09\| | SourceModuleName=json_logs Message=Module app-sched suspended LogLevel=WARNING |
<13>1 2019-01-18T11:07:53.520Z 10.0.1.7 | LEEF:1.0\|Microsoft\|MSExchange\|2013 SP1\|15345\| | src=10.0.1.7 dst=10.0.0.5 sev=5 srcPort=81 dstPort=21 |
<113>1 2019-01-18T11:07:53.520+07:00 hostname4 | LEEF:2.0\|Lancope\|StealthWatch\|1.0\|41\|^\| | src=10.0.1.8^dst=10.0.0.5^sev=5^srcPort=81^dstPort=21 |

The first two events conform to RFC 3164, while the last two follow RFC 5424. The priority tag of 13 for the events on rows 2 and 3 represents Facility 1 (user-level messages), Severity 5 (Notice: normal but significant condition). The priority tag of 113 for the event on the last row represents Facility 14 (log alert), Severity 1 (Alert: action must be taken immediately). See either section 4.1.1 PRI Part of RFC 3164 or section 6.2.1 PRI of RFC 5424 for how to decode Facility and Severity from priority tags.
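The following Python parser is an added illustration of the three components described above; it is not part of NXLog's xm_leef module. It accepts either syslog header form, reads the five mandatory LEEF header fields, honours the optional sixth delimiter field (a literal character or 0x-prefixed hex), and decodes the PRI tag into facility and severity so the values quoted for the table rows can be checked. The sample events are constructed from the table, with tab-separated attributes written as \t.

```python
import re

# Optional <PRI> (1-3 digits), then an RFC 3164 header ("Mmm dd hh:mm:ss host") or an
# RFC 5424 header ("1 <timestamp> host"), which must be followed by the LEEF header.
_SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?:(?P<ver>\d)\s+)?"
    r"(?P<ts>\S+(?:\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})?)\s+(?P<host>\S+)\s+(?=LEEF:)"
)
# Optional sixth LEEF header field: a single delimiter character or 0xHH, then a pipe.
_DELIM_RE = re.compile(r"^(?P<d>0x[0-9A-Fa-f]{1,2}|[^=|])\|")

def parse_leef(line: str) -> dict:
    """Split one LEEF 1.0/2.0 line into its syslog header, LEEF header and attributes."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("no syslog header followed by 'LEEF:' found")
    pri = int(m.group("pri")) if m.group("pri") else None
    ev = {
        "syslog_rfc": "5424" if m.group("ver") else "3164",
        "timestamp": m.group("ts"), "hostname": m.group("host"), "pri": pri,
        # PRI = facility * 8 + severity (RFC 3164 section 4.1.1, RFC 5424 section 6.2.1)
        "facility": None if pri is None else pri // 8,
        "severity": None if pri is None else pri % 8,
    }
    # Five mandatory pipe-delimited fields; whatever follows the fifth pipe is kept whole
    fields = line[m.end():].split("|", 5)
    if len(fields) < 6:
        raise ValueError("LEEF header needs at least five pipe-delimited fields")
    ev["leef_version"] = fields[0][len("LEEF:"):]
    ev["vendor"], ev["product"], ev["product_version"], ev["event_id"] = fields[1:5]
    rest, delim = fields[5], "\t"  # tab is the default attribute separator
    dm = _DELIM_RE.match(rest)
    if dm:  # custom delimiter given: a literal character or hex-encoded (0x09 -> tab)
        d = dm.group("d")
        delim = chr(int(d, 16)) if d.lower().startswith("0x") else d
        rest = rest[dm.end():]
    ev["delimiter"] = delim
    ev["attributes"] = dict(p.partition("=")[::2] for p in rest.split(delim) if "=" in p)
    return ev

# Sample events constructed from the table above; tab-separated attributes use \t.
SAMPLE_EVENTS = [
    "May 11 11:27:23 SERVER-1 LEEF:2.0|Microsoft|MSExchange|2016|15345|src=10.50.1.1\tdst=2.10.20.20\tspt=1200",
    "<13>Jun 6 05:34:55 SERVER-1 LEEF:2.0|NXLog|MyApp|5.5.7535|91|0x09|SourceModuleName=json_logs\tMessage=Module app-sched suspended\tLogLevel=WARNING",
    "<13>1 2019-01-18T11:07:53.520Z 10.0.1.7 LEEF:1.0|Microsoft|MSExchange|2013 SP1|15345|src=10.0.1.7\tdst=10.0.0.5\tsev=5\tsrcPort=81\tdstPort=21",
    "<113>1 2019-01-18T11:07:53.520+07:00 hostname4 LEEF:2.0|Lancope|StealthWatch|1.0|41|^|src=10.0.1.8^dst=10.0.0.5^sev=5^srcPort=81^dstPort=21",
]

if __name__ == "__main__":
    print(*map(parse_leef, SAMPLE_EVENTS), sep="\n")
```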
Sending LEEF logs
NXLog Enterprise Edition can generate LEEF logs using the to_leef() procedure of the xm_leef extension module.
With this configuration, NXLog collects systemd logs using the im_systemd module, converts them to LEEF format, and saves the result to a file.
<Extension leef>
    Module    xm_leef
</Extension>

<Input systemd>
    Module    im_systemd
</Input>

<Output to_leef>
    Module    om_file
    File      "/var/log/systemd_output.log"
    Exec      to_leef();
</Output>
<13>Aug 19 10:30:01 centos7_server systemd[1]: LEEF:2.0|NXLog|systemd|5.5.7535|unknown|0x09|Severity=info sev=10 Facility=daemon FacilityValue=3 Message=Removed slice User Slice of root. MessageID=9d1aaa27d60140bd96365438aad20286 vSrcName=systemd CodeFile=src/core/job.c CodeLine=781 ProcessID=1 User=root Group=root ProcessName=systemd ProcessExecutable=/usr/lib/systemd/systemd ProcessCmdLine=/usr/lib/systemd/systemd --switched-root --system --deserialize 22 Capabilities=1fffffffff SystemdCGroup=/ SelinuxContext=system_u:system_r:init_t:s0 devTime=2022-08-19 10:30:01 BootID=feff0db8902d41ccba9fd1538f51305e MachineID=5f4fbea6502f45c4a1af4d69be37942b identHostName=centos7_server Transport=journal EventReceivedTime=2022-08-19 10:30:01 SourceModuleName=systemd SourceModuleType=im_systemd devTimeFormat=yyyy-MM-dd HH:mm:ss
Collecting LEEF logs
NXLog Enterprise Edition can parse the LEEF log format with the xm_leef module’s parse_leef() procedure.
With the following configuration, NXLog listens for LEEF events using the im_tcp input module, converts them to JSON format, and saves the result to a file.
<Extension json>
    Module    xm_json
</Extension>

<Extension leef>
    Module    xm_leef
</Extension>

<Input tcp>
    Module        im_tcp
    ListenAddr    0.0.0.0:514
    Exec          parse_leef();
</Input>

<Output to_file>
    Module    om_file
    File      "/var/log/leef_output.json"
    Exec      to_json();
</Output>
<13>Aug 19 10:30:01 centos7_server systemd[1]: LEEF:2.0|NXLog|systemd|5.5.7535|unknown|0x09|Severity=info sev=10 Facility=daemon FacilityValue=3 Message=Removed slice User Slice of root. MessageID=9d1aaa27d60140bd96365438aad20286 vSrcName=systemd CodeFile=src/core/job.c CodeLine=781 ProcessID=1 User=root Group=root ProcessName=systemd ProcessExecutable=/usr/lib/systemd/systemd ProcessCmdLine=/usr/lib/systemd/systemd --switched-root --system --deserialize 22 Capabilities=1fffffffff SystemdCGroup=/ SelinuxContext=system_u:system_r:init_t:s0 devTime=2022-08-19 10:30:01 BootID=feff0db8902d41ccba9fd1538f51305e MachineID=5f4fbea6502f45c4a1af4d69be37942b identHostName=centos7_server Transport=journal EventReceivedTime=2022-08-19 10:30:01 SourceModuleName=systemd SourceModuleType=im_systemd devTimeFormat=yyyy-MM-dd HH:mm:ss
{
"MessageSourceAddress": "192.168.0.101",
"EventReceivedTime": "2022-08-19 02:30:01",
"SourceModuleName": "systemd",
"SourceModuleType": "im_systemd",
"Hostname": "192.168.0.101",
"LEEFVersion": "LEEF:2.0",
"Vendor": "NXLog",
"SourceName": "systemd",
"Version": "5.5.7535",
"EventID": "unknown",
"DelimiterCharacter": 9,
"Severity": "info",
"SeverityValue": 5,
"Facility": "daemon",
"FacilityValue": "3",
"Message": "Removed slice User Slice of root.",
"MessageID": "9d1aaa27d60140bd96365438aad20286",
"CodeFile": "src/core/job.c",
"CodeLine": "781",
"ProcessID": "1",
"User": "root",
"Group": "root",
"ProcessName": "systemd",
"ProcessExecutable": "/usr/lib/systemd/systemd",
"ProcessCmdLine": "/usr/lib/systemd/systemd --system --deserialize 21",
"Capabilities": "1fffffffff",
"SystemdCGroup": "/",
"SelinuxContext": "system_u:system_r:init_t:s0",
"EventTime": "2022-08-19T02:30:01.000000+03:00",
"BootID": "1494e2ff49134259b9ee0b59b95e92c9",
"MachineID": "5f4fbea6502f45c4a1af4d69be37942b",
"Transport": "journal",
"devTimeFormat": "yyyy-MM-dd HH:mm:ss"
}