Supported CEF Meta Keys

Supported CEF Meta KeysSupported CEF Meta Keys

This topic describes the Common Event Format (CEF) meta keys that NetWitness global audit logging supports.

Global audit logging templates that you define for a Log Decoder use Common Event Format (CEF) and must meet the following specific standard requirements:

Include the CEF headers in the template.
Use only the extensions and custom extensions in a (Key=Value) format from the meta key table below.
Ensure that the extensions and custom extensions are in the key=%{string} key=%{string} format.

For third-party syslog servers, you can define your own format (CEF or non-CEF).

Procedures related to this table are described in Define a Template for Global Audit Logging and Configure Global Audit Logging.

Supported Common Event Format (CEF) Meta KeysSupported Common Event Format (CEF) Meta Keys

The following table describes the CEF Syslog meta keys that NetWitness global audit logging supports. The Datetime and Hostname fields in the Syslog Prefix are not configurable and not included in the template, but they are prepended to every log message by default. The CEF Header is required to conform to the CEF standard and for any CEF parser. The Extensions and Custom Extensions are optional. The Default Audit CEF Template contains many of the fields in this table. You can add any of the Extensions and Custom Extensions listed to the global audit logging template that you define.

CEF Field: Syslog Prefix
String:
Description:
NW Meta Keys:
Index in Log Decoder:

CEF Field: Datetime
String: Not Configurable
Description: Syslog Header date time
NW Meta Keys: event.time.str
Index in Log Decoder: Transient

CEF Field: Hostname
String: Not Configurable
Description: Syslog Header hostname
NW Meta Keys: alias.host
Index in Log Decoder: None

CEF Field: CEF Header
String:
Description: The CEF Header fields are required to conform to the CEF standard and for any CEF parser.
NW Meta Keys:
Index in Log Decoder:

CEF Field: CEF:Version
String: CEF:0
Description: CEF Header
NW Meta Keys: --STATIC--
Index in Log Decoder: N/A

CEF Field: DeviceVendor
String: %{deviceVendor}
Description: The product vendor, NetWitness
NW Meta Keys: -
Index in Log Decoder: N/A

CEF Field: DeviceProduct
String: %{deviceProduct}
Description: The product family. This is always NetWitness Audit.
NW Meta Keys: product
Index in Log Decoder: Transient

CEF Field: DeviceVersion
String: %{deviceVersion}
Description: Host/Service version
NW Meta Keys: version
Index in Log Decoder: Transient

CEF Field: Signature ID
String: %{category}
Description: Identifier of the audit event. It specifies the the category of the audit event.
NW Meta Keys: event.type
Index in Log Decoder: None

CEF Field: Name
String: %{operation}
Description: Description of the event
NW Meta Keys: event.desc
Index in Log Decoder: None

CEF Field: Severity
String: %{severity}
Description: Severity of the audit event
NW Meta Keys: severity
Index in Log Decoder: Transient

CEF Field: Extensions
String:
Description:
NW Meta Keys:
Index in Log Decoder:

CEF Field: deviceExternalId
String: %{deviceExternalId}
Description: Unique ID of the host or service generating the audit event
NW Meta Keys: hardware.id
Index in Log Decoder: Transient

CEF Field: deviceFacility
String: %{deviceFacility}
Description: Syslog facility used when writing the event to syslog daemon. For example, authpriv.
NW Meta Keys: cs.devfacility
Index in Log Decoder: Custom

CEF Field: deviceProcessName
String: %{deviceProcessName}
Description: Name of the executable corresponding to dvcpid
NW Meta Keys: process
Index in Log Decoder: None

CEF Field: dpt
String: %{destinationPort}
Description: Destination Port
NW Meta Keys: ip.dstport
Index in Log Decoder: None

CEF Field: dst
String: %{destinationAddress}
Description: Destination IP Address
NW Meta Keys: ip.dst
Index in Log Decoder: None

CEF Field: dvcpid
String: %{deviceProcessId}
Description: ID of the process generating the event, which is the process ID of the NetWitness service
NW Meta Keys: process.id
Index in Log Decoder: Transient

CEF Field: msg
String: %{text}
Description: Free text, extra information, or actual description for the event
NW Meta Keys: msg
Index in Log Decoder: Transient

CEF Field: outcome
String: %{outcome}
Description: Outcome of the operation performed corresponding to the audit event
NW Meta Keys: result
Index in Log Decoder: Transient

CEF Field: tpt
String: %{transportProtocol}
Description: Network protocol used
NW Meta Keys: protocol
Index in Log Decoder: Transient

CEF Field: userAgent
String: %{userAgent}
Description: Browser detail of the user accessing the page
NW Meta Keys: user.agent
Index in Log Decoder: Transient

CEF Field: rt
String: %{timestamp}
Description: Time at which the event is reported
NW Meta Keys: event.time
Index in Log Decoder: None

CEF Field: sourceServiceName
String: %{deviceService}
Description: The service that is responsible for generating this event
NW Meta Keys: service.name
Index in Log Decoder: Transient

CEF Field: spt
String: %{sourcePort}
Description: Source Port
NW Meta Keys: ip.srcport
Index in Log Decoder: Transient

CEF Field: userRole
String: %{userRole}
Description: User role permissions assignment. For example:
admin.owner, appliance.manage,
connections.manage, everyone, logs.manage, services.manage,
storedproc.execute,
storedproc.manage,
sys.manage, users.manage
NW Meta Keys: user.role
Index in Log Decoder: Transient

CEF Field: src
String: %{sourceAddress}
Description: Source IP Address
NW Meta Keys: ip.src
Index in Log Decoder: None

CEF Field: suser
String: %{identity}
Description: Identity of the logged on user responsible for generating the audit event
NW Meta Keys: user.dst
Index in Log Decoder: None

CEF Field: Custom Extensions
String:
Description:
NW Meta Keys:
Index in Log Decoder:

CEF Field: params
String: %{parameters}
Description: API and Operation parameters, which capture specific parameters about a query
NW Meta Keys: index
Index in Log Decoder: Transient

CEF Field: paramKey
String: %{key}
Description: A configuration item key. It is the config param for which the audit event is captured.
For example: /sys/config/stat.interval
NW Meta Keys: obj.name
Index in Log Decoder: None

CEF Field: paramValue
String: %{value}
Description: A configuration value. It is the value captured during the update.
NW Meta Keys: no meta key
Index in Log Decoder: Custom

CEF Field: userGroup
String: %{userGroup}
Description: Role assignment. For example:
Administrators, Analysts, MalwareAnalysts,
Malware_Analysts, Operators,
PRIVILEGED_CONNECTION_
AUTHORITY,
SOC_Managers
NW Meta Keys: group
Index in Log Decoder: None

CEF Field: referrerURL
String: %{referrer}
Description: The parent URL that refers to the current URL
NW Meta Keys: referer
Index in Log Decoder: None

CEF Field: sessionId
String: %{sessionId}
Description: Session or connection identifier
NW Meta Keys: log.session.id
Index in Log Decoder: Transient

CEF Field: remoteAddress
String: %{remoteAddress}
Description: Ip address of the destination
NW Meta Keys: ip.src
Index in Log Decoder: None

CEF Field: reasonForFailure
String: %{reasonForFailure}
Description: reason for failure for the certain action performed
NW Meta Keys: result
Index in Log Decoder: None

CEF Field: reason
String: %{reason}
Description: Reason for certain action performed
NW Meta Keys: result
Index in Log Decoder: None

CEF Field: addRole
String: %{Add.Role}
Description: User role Assignment
NW Meta Keys: user.role
Index in Log Decoder: Transient

CEF Field: id
String: %{id}
Description: Incident id or host id
NW Meta Keys: no meta key
Index in Log Decoder: Transient

CEF Field: arguments
String: %{arguments}
Description: Value passes between programs or functions
NW Meta Keys: index
Index in Log Decoder: Transient

CEF Field: uri
String: %{uri}
Description: Directory
NW Meta Keys: directory
Index in Log Decoder: None

CEF Field: user
String: %{User}
Description: Name of the user from the source or destination
NW Meta Keys: user.dst
Index in Log Decoder: None

CEF Field: accountProvider
String: %{AccountProvider}
Description: Authentication account for the user. For example, PAM, and PKI.
NW Meta Keys: index
Index in Log Decoder: Transient

CEF Field: file
String: %{file}
Description: Name of the content file used for deployment
NW Meta Keys: filename
Index in Log Decoder: File

CEF Field: deviceIDs
String: %{deviceIDs}
Description: Device id for the particular service
NW Meta Keys: hardware.id
Index in Log Decoder: Transient

CEF Field: role
String: %{Role}
Description: User role assignment
NW Meta Keys: user.role
Index in Log Decoder: Tran ,,,,,,, ,,,,,,, "Value":"HR12". In this example, hours format is changed to 12 hours.
Column 6: no meta key
Column 7: Custom

CEF Field: alert
String: %(alert}
Description: Id of the alert, For example, id:5ce457afec6c0f02ffb85ace
NW Meta Keys: alert
Index in Log Decoder: Transient

CEF Field: moduleSettings
String: %{ModuleSettings}
Description: Message or name of a setting
NW Meta Keys: index
Index in Log Decoder: Transient

CEF Field: incident
String: %{incident}
Description: Id of the incident. For example, INC-313
NW Meta Keys: context
Index in Log Decoder: None

CEF Field: action
String: %{action}
Description: Action performed by the user. For example, service.stop
NW Meta Keys: action
Index in Log Decoder: None

CEF Field: notificationBinding
String: %{NotificationBinding}
Description: Type of notification. For example, incident created, alert ,,,,,,, all meta keys are not indexed. In the above table, the Index in Log Decoder column shows the state of the flags keyword (Transient, None, and Custom). If a key is set to Transient, it is parsed but not stored in the database. If it is set to None, it is indexed and stored in the database. A key listed as "Custom" does not exist in the table-map.xml file and, therefore, it is not stored or parsed at all. see the following documentation:,,,,,,, ,,,,,,, ,,,,,,, ,,,,,,, ,,,,,,, ,,,,,,, ,,,,,,, ,,,,,,, ,,,,,,, ,,,,,,, ,,,,,,, ,,,,,,, ,,,,,,, ,,,,,,, ,,,,,,,