ArcSight User Discussions

How to process CEF in custom Windows Event Log events (SWIFT Alliance Application Log)

alexeynl (Honored Contributor)


During a long investigation into how to integrate SWIFT Alliance with ArcSight we found that our 7.2 version of the software has CEF support. But during further investigation we encountered a problem: we could not find a way to send CEF events using syslog transport. There is no such option in the configuration of the software, and there is no mention of a destination syslog server in the software documentation.

The following is mentioned about CEF in the 7.2 Release Notes:

Event Distribution to Monitoring Systems in CEF
More and more Security Information and Event Management (SIEM) systems are deployed in the financial industry. These SIEM systems use rules, heuristics and artificial intelligence to detect abnormal patterns in event logs of all types.

Until Release 7.2, the access to event details was limited and the structure was not formalised. Release 7.2 introduces the ability to use the Common Event Format (CEF) when writing events to the operating system log.

Most SIEM systems can then retrieve the information in CEF from the logs of the operating system.

It is now possible, similar to the event distribution via SNMP, to define for each event type whether it should be distributed in CEF format to the local system log (syslog or Windows Event Journal).

Alliance Access also provides the option to use JSON or formatted JSON next to CEF, using the same formalisation of data.

The security parameter Journalise Msg Text also applies to CEF events. Therefore, by configuring this you indicate whether the message related events must also carry the messages payload.

UNIX and Linux versions have a new security parameter Syslog facility to define in which syslog facility the events must be stored.

For more information, see the section System in the Alliance Access Configuration Guide.

So it looks like the SWIFT Alliance software is only able to write CEF to the operating system log. In our case the SWIFT Alliance software is installed on Windows, and we found that the CEF events are in the EventData field of the Application Event Log.

We have a WiNC that collects logs from the Windows Application log, and with Preserve Raw Event enabled we see that the related raw events look like this:

{"System":{"EventId":"1","Version":"","Channel":"Application","ProviderName":"SWIFT","Computer":"XX-XX-XXX","EventRecordID":"77805","Keywords":"Classic","Level":"Information","Opcode":"","Task":"None","ProcessID":"","ThreadID":"","TimeCreated":"1539584429329","UserId":""},"EventData":{"%1":"CEF:0|SWIFT|Alliance Access|7.2.50|BSS-2007|Process started|Low|cn1=2147482955 cn1Label=Event Sequence ID cs1=x88-34xxxe4-4538-9b9f-36xxxx6ca cs1Label=Instance UUID cat=Process msg=Component MXS, program mxs_from_ee : started. Full pname is /MXS:MXS_cont/sess:8, hostname is XXX-XX-XX, pid is 6280, tid is 21092. dvchost=xxx-xx-xxxxx dvc=xxx.1xx.1.xx dvcmac=00:xx:xx:xx:33:xx deviceProcessName= shost=XXX-XX-XX src=xxx.xxx.1.xx dtz=Europe/Moscow rt=1539584429000 outcome=Success "}}

My question is: is there any way to parse such a CEF event stored in the Windows Event field without manual regex parsing? Can I somehow apply the standard CEF parser to the content of the EventData field?

I have extracted the CEF event from the EventData field and assigned the value to the eventRaw field, but the raw event is still not parsed as CEF.
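Added example, not code from the original post, from ArcSight or from SWIFT: a small Python parser that pulls the CEF line out of the EventData "%1" field of a WiNC raw event like the one above and parses the CEF header and extension, honouring the escape sequences the CEF specification defines (\| and \\ in the header, \\, \=, \n and \r in extension values). The raw event embedded in the script is the redacted one from the post; the second sample line, with escapes in it, is constructed only to exercise the escape handling. Useful for checking offline that the SWIFT payload parses cleanly before investing in a connector-side custom parser.

```python
"""Extract the CEF payload from a WiNC raw Windows event and parse it.

Added example; not code from the original post, ArcSight or SWIFT.
SAMPLE_RAW is the (redacted) raw event shown in the post; SAMPLE_ESCAPED
is constructed to exercise the CEF escape sequences.
"""
import json
import re

# CEF header layout:
#   CEF:Version|Device Vendor|Device Product|Device Version|
#   Device Event Class ID|Name|Severity|[Extension]
HEADER_FIELDS = ("version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# Extension keys are whitespace-separated "key=value" pairs; a key sits at
# the start of the extension or right after whitespace. A literal '=' in a
# value must be escaped as '\=' (CEF spec), which is what keeps the key
# regex from matching inside values such as msg=.
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_UNESCAPE = {"\\\\": "\\", "\\=": "=", "\\n": "\n", "\\r": "\r"}


def _split_header(body):
    """Split on unescaped '|' ('\\|' and '\\\\' are escapes in the header).

    Returns the seven header values and the untouched extension string.
    """
    parts, cur, i = [], [], 0
    while i < len(body) and len(parts) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            cur.append(body[i + 1])        # keep the escaped character
            i += 2
            continue
        if ch == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(parts) < 7:
        raise ValueError("CEF header has fewer than 7 pipe-delimited fields")
    return parts, body[i:]


def _parse_extension(ext):
    """Turn 'k1=v1 k2=v2 ...' into a dict, un-escaping \\\\, \\=, \\n, \\r."""
    out = {}
    keys = list(_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()     # value runs up to the next key
        out[m.group(1)] = re.sub(
            r"\\(.)", lambda x: _UNESCAPE.get(x.group(0), x.group(0)), raw)
    return out


def parse_cef(line):
    """Parse one CEF line into header fields plus an 'extension' dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line[:20])
    header, ext = _split_header(line[len("CEF:"):])
    event = dict(zip(HEADER_FIELDS, header))
    event["extension"] = _parse_extension(ext)
    return event


def cef_from_winc_raw(raw_json):
    """Parse a WiNC raw event (JSON) whose EventData.%1 carries a CEF line.

    Returns None when the payload is not CEF, so a caller can fall through
    to normal Windows parsing for everything else in the Application log.
    """
    evt = json.loads(raw_json)
    payload = evt.get("EventData", {}).get("%1", "")
    if not payload.startswith("CEF:"):
        return None
    parsed = parse_cef(payload)
    sysinfo = evt.get("System", {})
    # Keep the Windows envelope so the record can be traced back to the log.
    parsed["windows"] = {k: sysinfo.get(k) for k in
                         ("ProviderName", "Channel", "Computer",
                          "EventRecordID", "TimeCreated")}
    return parsed


# Redacted raw event from the post (WiNC with Preserve Raw Event enabled).
SAMPLE_RAW = r'''{"System":{"EventId":"1","Version":"","Channel":"Application","ProviderName":"SWIFT","Computer":"XX-XX-XXX","EventRecordID":"77805","Keywords":"Classic","Level":"Information","Opcode":"","Task":"None","ProcessID":"","ThreadID":"","TimeCreated":"1539584429329","UserId":""},"EventData":{"%1":"CEF:0|SWIFT|Alliance Access|7.2.50|BSS-2007|Process started|Low|cn1=2147482955 cn1Label=Event Sequence ID cs1=x88-34xxxe4-4538-9b9f-36xxxx6ca cs1Label=Instance UUID cat=Process msg=Component MXS, program mxs_from_ee : started. Full pname is /MXS:MXS_cont/sess:8, hostname is XXX-XX-XX, pid is 6280, tid is 21092. dvchost=xxx-xx-xxxxx dvc=xxx.1xx.1.xx dvcmac=00:xx:xx:xx:33:xx deviceProcessName= shost=XXX-XX-XX src=xxx.xxx.1.xx dtz=Europe/Moscow rt=1539584429000 outcome=Success "}}'''

# Constructed line (not from the post) exercising the escape rules.
SAMPLE_ESCAPED = r"CEF:0|Vendor\|Inc|Prod|1.0|100|Pipe \| in name|High|msg=a\=b path=C:\\temp"

if __name__ == "__main__":
    print(json.dumps(cef_from_winc_raw(SAMPLE_RAW), indent=2))
    print(parse_cef(SAMPLE_ESCAPED))
```

Note the empty deviceProcessName= in the SWIFT line: a naive split on "=" and whitespace mis-assigns the following shost value to it, which is why the parser locates keys first and takes each value as everything up to the next key.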

4 REPLIES
mr_ergene (Honored Contributor)

Re: How to process CEF in custom Windows Event Log events (SWIFT Alliance Application Log)

I'm attaching a Protect document related to Creating Custom Windows Parsers. I hope it helps.

alexeynl (Honored Contributor)

Re: How to process CEF in custom Windows Event Log events (SWIFT Alliance Application Log)

Hello

Thank you for your support. But my query is more about how to avoid manual parsing of CEF events stored in a Windows Event field.

mr_ergene (Honored Contributor)

Re: How to process CEF in custom Windows Event Log events (SWIFT Alliance Application Log)

Oh, now I get it. This may sound strange, but it can be tried. Use a WiNC connector, parse the CEF log and map it to fields. Then add a CSV file destination. With a second connector, read those CSV files and send them to Logger or ESM.

Knowledge Partner

Re: How to process CEF in custom Windows Event Log events (SWIFT Alliance Application Log)

I do wonder, is writing the operating system log only possible to the Windows Event Log?

Maybe it is possible to just store your operations log in a file; that way you preserve the CEF format, and all you have to do is pick it up with a FileConnector, so you do not have to do any manual parsing.

If it is parsed into the Windows Event format, then, while WINC is very good at grabbing these formats, it is quite tedious to create custom sub-parsers when the event is outside the standard format.
