CEF Alert Event Logs

CEF Key              Description                  Value
Header (logVer)      CEF format version           CEF:0
Header (vendor)      Appliance vendor             Trend Micro
Header (pname)       Appliance product            Deep Discovery Analyzer
Header (pver)        Appliance version            Example: 6.0.0.1001
Header (eventid)     Event ID                     300105
Header (eventName)   Description                  ALERT_EVENT
Header (severity)    Severity                     • 2: Informational
                                                  • 6: Important
                                                  • 8: Critical
dvc                  Appliance IP address         Example:
                                                  • IPv4: 192.168.10.1
                                                  • IPv6: 2620:0101:4009:0401::1
dvcmac               Appliance MAC address        Example: 00:0D:60:AF:1B:61
dvchost              Appliance host name          Example: DDAN
deviceExternalId     Appliance GUID               Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536
rt                   Time the event was logged    Example: Mar 03 2016 16:28:20 GMT+08:00
cs1Label             Rule name label              "ruleName"
cs1                  Rule name                    Example: High Memory Usage
cs2Label             Affected appliance label     "affectedAppliance"
cs2                  Affected appliance           Example: DDAN.com ( 10.204.1.2 | FE80::29FF:29FF:29FF:29FF )
cs3Label             Subject label                "subject"
cs3                  Subject                      Example: DDAN Important Alert - High Memory Usage
cs4Label             Message label                "ruleContent"
cs4                  Message                      Message content
Log sample (a single syslog line; "\n" and "\=" are CEF escape sequences inside the cs4 value, not literal line breaks or equals signs):
CEF:0|Trend Micro|Deep Discovery Analyzer|6.0.0.1119|300105|ALERT_EVENT|6|rt=Nov 07 2017 08:39:54 GMT+00:00 dvc=10.204.1.1 dvchost=DDAN dvcmac=00:0C:29:2F:3B:6B deviceExternalId=423E63AA-D466-406E-A15F-6AC6F3CEE50A cs1Label=ruleName cs1=High CPU Usage cs2Label=affectedAppliance cs2=DDAN ( 10.204.191.1 | FE80::20C:29FF:FE2F:3011 ) cs3Label=subject cs3=DDAN Important Alert - High CPU Usage cs4Label=ruleContent cs4=The average CPU usage in the last 5 minutes exceeded the threshold of 90%.\n\nAverage CPU usage: 96%\nAffected appliance: DDAN (10.204.191.1 | FE80::20C:29FF:FE2F:3011)\n\nReduce the number of Virtual Analyzer instances, or add a secondary appliance to improve performance.\n\n\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\nAlert time: 2017-11-07 08:39:54\nManagement console: https://10.204.191.1/ | https://[FE80::20C:29FF:FE2F:3011]/
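The parser below is an added example written for this page; it is not Trend Micro code and not part of the Deep Discovery Analyzer product. It splits the seven CEF header fields on unescaped pipes, walks the extension as key=value pairs (treating "\=" , "\n" and "\\" as the CEF escapes they are), and pairs each csNLabel with its csN value so the alert can be read by its rule name, affected appliance, subject and message rather than by slot number. The SAMPLE string is the page's log sample reassembled onto one line; the dataclass and function names are this example's own choices, and the severity names come from the table above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Severity values documented for Deep Discovery Analyzer alert events.
SEVERITY_NAMES = {2: "Informational", 6: "Important", 8: "Critical"}

# Constructed input: the page's ALERT_EVENT log sample on one line. The raw-string
# pieces keep "\n" and "\=" as two-character CEF escapes, exactly as they arrive on
# the wire, so the parser has something realistic to unescape.
SAMPLE = (
    "CEF:0|Trend Micro|Deep Discovery Analyzer|6.0.0.1119|300105|ALERT_EVENT|6|"
    "rt=Nov 07 2017 08:39:54 GMT+00:00 dvc=10.204.1.1 dvchost=DDAN "
    "dvcmac=00:0C:29:2F:3B:6B deviceExternalId=423E63AA-D466-406E-A15F-6AC6F3CEE50A "
    "cs1Label=ruleName cs1=High CPU Usage "
    "cs2Label=affectedAppliance cs2=DDAN ( 10.204.191.1 | FE80::20C:29FF:FE2F:3011 ) "
    "cs3Label=subject cs3=DDAN Important Alert - High CPU Usage "
    "cs4Label=ruleContent cs4=The average CPU usage in the last 5 minutes exceeded "
    r"the threshold of 90%.\n\nAverage CPU usage: 96%\nAffected appliance: "
    r"DDAN (10.204.191.1 | FE80::20C:29FF:FE2F:3011)\n\nReduce the number of "
    r"Virtual Analyzer instances, or add a secondary appliance to improve performance."
    r"\n\n" + r"\=" * 35 + r"\nAlert time: 2017-11-07 08:39:54\nManagement console: "
    r"https://10.204.191.1/ | https://[FE80::20C:29FF:FE2F:3011]/"
)

# CEF escaping differs between the header (only '|' and '\') and the extension
# ('=', '\', and the line-break escapes '\n' / '\r').
_HEADER_UNESCAPE = {"|": "|", "\\": "\\"}
_EXT_UNESCAPE = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}

# An extension key is a run of key characters that starts the line or follows a
# space and is immediately followed by '='. Because '\' is excluded from the key
# class, an escaped "\=" inside a value can never be mistaken for a key boundary.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


@dataclass
class CefEvent:
    cef_version: int
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: int
    extensions: Dict[str, str] = field(default_factory=dict)
    labeled: Dict[str, str] = field(default_factory=dict)  # csNLabel value -> csN value

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES.get(self.severity, "Unknown")


def _unescape(text: str, table: Dict[str, str]) -> str:
    # Unknown escapes are left untouched rather than silently dropped.
    return re.sub(r"\\(.)", lambda m: table.get(m.group(1), m.group(0)), text)


def _split_header(line: str) -> Tuple[List[str], str]:
    """Split the seven header fields on unescaped '|'; the rest is the extension."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # keep the escape pair for later unescaping
            buf.append(line[i:i + 2])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    return fields, line[i:]


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value key=value ...' where values may contain spaces and escapes."""
    keys = list(_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].rstrip(" "), _EXT_UNESCAPE)
    return out


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Map every xxxLabel=name onto the value of xxx, e.g. cs1Label=ruleName -> cs1."""
    return {label: ext[key[:-5]] for key, label in ext.items()
            if key.endswith("Label") and key[:-5] in ext}


def parse_cef(line: str) -> CefEvent:
    fields, ext = _split_header(line.rstrip("\r\n"))
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line: expected 'CEF:<version>' and seven header fields")
    fields = [_unescape(f, _HEADER_UNESCAPE) for f in fields]
    extensions = parse_extension(ext)
    return CefEvent(
        cef_version=int(fields[0][4:]),
        vendor=fields[1], product=fields[2], device_version=fields[3],
        signature_id=fields[4], name=fields[5], severity=int(fields[6]),
        extensions=extensions, labeled=resolve_labels(extensions),
    )


if __name__ == "__main__":
    event = parse_cef(SAMPLE)
    print(f"{event.vendor} {event.product} {event.device_version}: "
          f"{event.name} severity={event.severity} ({event.severity_name})")
    for label, value in event.labeled.items():
        print(f"  {label}: {value.splitlines()[0]}")
```

When wiring this into a collector, key on the header fields (vendor, product, signature ID 300105, severity) for routing and on the labeled fields for display; the cs4 message is multi-line once unescaped, so store it as-is and show only its first line in alert summaries.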