CEF format Reports
EventLog Analyzer collects log data in the CEF format and presents it in the form of graphical reports. For the solution to start collecting this log data, the device has to be added as a threat source.
Adding a device with logs in the CEF format as a threat source:
To add an application or device that sends logs in the CEF format as a threat source, its syslog service first has to be configured to forward logs to EventLog Analyzer.
- Log in to the application or device which supports the CEF log format.
- Go to syslog server configuration.
- In the field for Log Format, select CEF Format.
- In the Syslog Server IP address field, enter the <EventLog Analyzer IP address>.
- Enter the syslog port and save the configuration.
- In the EventLog Analyzer console, navigate to Settings > Configurations > Manage Threat Source > Add Source.
- Click on Existing Host and select the device you had added from the list of existing devices.
- Select the Addon Type from the list.
- Click on Add.
Once the threat source is added, EventLog Analyzer will start parsing the fields in the logs. This log data can now be viewed in the form of reports.
The available reports are:
- CEF Format Overview
- Very High Severity Events
- High Severity Events
- Medium Severity Events
- Low Severity Events
- Top Events Based On Event Class ID
- Top Events Based On Event Name
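To make the parsing step and the report groupings above concrete, here is an added example, written for this page and not EventLog Analyzer's own parser or code from the product documentation. It takes syslog lines carrying a CEF payload, splits the seven header fields (honouring the `\|` and `\\` escapes the format uses), parses the key=value extension (honouring `\=`), buckets events into the four severity bands, and ranks them by Device Event Class ID and by Name, which is the data behind the reports listed above. The log lines, vendor and product names are constructed; the severity cut-offs (0-3 Low, 4-6 Medium, 7-8 High, 9-10 Very-High) are the ranges the CEF specification defines, and it is an assumption here that the product's reports use the same cut-offs. A non-CEF line is included to show that unparseable input is counted rather than silently dropped.

```python
import re
from collections import Counter

# Constructed sample syslog lines carrying CEF payloads (not real device output).
# The last line is deliberately not CEF, to show how unparseable input is handled.
SAMPLE_LOGS = [
    "<134>Mar 10 12:00:01 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|100|Policy Deny|7|src=10.0.0.5 dst=10.0.0.9 spt=51515 dpt=22",
    "<134>Mar 10 12:00:02 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|100|Policy Deny|7|src=10.0.0.6 dst=10.0.0.9 dpt=22",
    "<134>Mar 10 12:00:03 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|200|Malware Detected|10|fname=evil.exe msg=Quarantined C\\=\\\\temp",
    "<134>Mar 10 12:00:04 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|300|Config Change \\| audit|4|suser=admin",
    "<134>Mar 10 12:00:05 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|400|Login Success|2|suser=bob",
    "<134>Mar 10 12:00:06 fw01 plain text line with no CEF payload",
]

# The seven mandatory CEF header fields, in order.
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "device_event_class_id", "name", "severity")


def _split_header(text):
    """Split the CEF header on unescaped '|' into its 7 fields; return (fields, extension)."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # '\|' and '\\' unescape to the literal char
            cur.append(text[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) == 6 and cur:                  # severity with no trailing '|' (no extension)
        fields.append("".join(cur))
        i = len(text)
    if len(fields) < 7:
        raise ValueError("incomplete CEF header")
    return fields, text[i:]


# A key is a run of key characters directly followed by '='; an escaped '\=' inside
# a value therefore never starts a new key.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")


def _parse_extension(ext):
    """Parse 'key=value key2=value with spaces' into a dict, undoing the '\\=' and '\\\\' escapes."""
    matches = list(_EXT_KEY.finditer(ext))
    out = {}
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(r"\\([\\=])", r"\1", raw)
    return out


def parse_cef(line):
    """Extract the CEF payload from a syslog line; return header fields plus an extension dict."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in line")
    fields, ext = _split_header(line[idx + len("CEF:"):])
    event = dict(zip(HEADER_FIELDS, fields))
    event["extension"] = _parse_extension(ext)
    return event


def severity_band(severity):
    """Map a CEF severity (0-10, or the textual form) onto the four report bands (assumed cut-offs)."""
    text_bands = {"low": "Low", "medium": "Medium", "high": "High", "very-high": "Very High"}
    try:
        s = int(severity)
    except ValueError:
        return text_bands.get(severity.strip().lower(), "Unknown")
    if 0 <= s <= 3:
        return "Low"
    if 4 <= s <= 6:
        return "Medium"
    if 7 <= s <= 8:
        return "High"
    if 9 <= s <= 10:
        return "Very High"
    return "Unknown"


def summarize(lines, top_n=5):
    """Bucket parsed events by severity band and rank them by event class ID and by name."""
    by_severity, by_class_id, by_name = Counter(), Counter(), Counter()
    unparsed = 0
    for line in lines:
        try:
            ev = parse_cef(line)
        except ValueError:
            unparsed += 1                          # keep a count so silent drops are visible
            continue
        by_severity[severity_band(ev["severity"])] += 1
        by_class_id[ev["device_event_class_id"]] += 1
        by_name[ev["name"]] += 1
    return {
        "by_severity": dict(by_severity),
        "top_class_ids": by_class_id.most_common(top_n),
        "top_names": by_name.most_common(top_n),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOGS)
    for band, count in report["by_severity"].items():
        print(f"{band} Severity Events: {count}")
    print("Top by Event Class ID:", report["top_class_ids"])
    print("Top by Event Name:", report["top_names"])
    print("Unparsed lines:", report["unparsed"])
```

Running the block prints the per-band counts and the two top-N rankings for the constructed sample. The `unparsed` counter is the check worth keeping in any real pipeline: a device whose syslog output is set to the wrong log format will show up there as a rising count rather than as an empty report.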