...

This article contains a complete list of the technologies that Devo currently supports in CEF syslog format.

About CEF

...

Syslog format

While we recommend sending data to Devo in syslog format whenever possible, we also support the ingestion of events in Common Event Format (CEF) delivered over syslog for some technologies. A typical case is an environment where ArcSight is used as the log management solution and events are forwarded from ArcSight directly to Devo in CEF syslog format.

This format consists of a syslog prefix containing the timestamp and the host, followed by a header that always starts with CEF: and continues with a series of pipe-delimited identifying fields (version, device vendor, device product, device version, event class ID, name and severity), all of which are required. The last component is the extension. It is technically optional, but it is where the real event payload usually resides, as a series of key=value pairs. Here is a model of the format and a sample CEF syslog packet.

...

...

How does it work?

You will notice that the event carries no Devo-specific tag. This is because Devo uses a different process to ingest these events. When a CEF syslog event arrives at the platform, Devo recognizes CEF as the tag and then reads the device vendor and device product values from the event header. The event is then saved to a table named cef0.device_vendor.device_product.

So, does this mean you can send any data to Devo in CEF syslog format? Yes and no. Yes, because Devo will ingest the events and store them in a file determined by the date and the key fields of the event (the vendor and product read from the header). However, if Devo does not yet have a parser for that event type, no table name will appear in the Finder and you will not be able to access the data. In short, Devo will ingest the data, but a parser file is required before the table becomes accessible and the events can be parsed for display.
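The following is an added example, not code from the Devo documentation or the Devo platform, that reproduces the processing described above: it splits a CEF-over-syslog line into its syslog prefix, the seven required header fields and the extension key=value pairs, honouring the CEF backslash escapes for pipes (header) and equals signs (extension), and then derives the cef0.device_vendor.device_product table name. The sample packet is constructed for illustration, and the normalization of vendor and product names (lower-casing, non-alphanumerics replaced by underscores) is an assumption about how Devo forms the table name, not something the page states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample CEF syslog packet (not taken from Devo or ArcSight docs).
# It deliberately contains escaped characters inside the extension values.
SAMPLE = ("Sep 19 08:26:10 arcsight-fwd CEF:0|Security|threatmanager|1.0|100|"
          "worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232 "
          "msg=Pipe \\| and equals \\= inside a value")

# The seven header fields that the page says are always required.
HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]

# A key is a run of identifier characters at the start or after whitespace,
# immediately followed by an unescaped "=" (a backslash is not a key char).
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


@dataclass
class CefEvent:
    syslog_prefix: str
    header: Dict[str, str]
    extension: Dict[str, str]


def _split_escaped(text: str, sep: str, maxsplit: int) -> List[str]:
    """Split on `sep`, treating backslash-escaped separators as literal.

    After `maxsplit` separators the remainder is returned verbatim so the
    extension is not altered by the header's escaping rules.
    """
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            nxt = text[i + 1]
            # CEF header escapes: \| and \\ ; anything else is kept as-is
            buf.append(nxt if nxt in (sep, "\\") else ch + nxt)
            i += 2
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
            i += 1
            if len(parts) == maxsplit:
                parts.append(text[i:])
                return parts
        else:
            buf.append(ch)
            i += 1
    parts.append("".join(buf))
    return parts


def _unescape_value(raw: str) -> str:
    # CEF extension escapes: \= and \\ , plus \n and \r for line breaks
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), raw)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Parse key=value pairs whose values may themselves contain spaces."""
    matches = list(_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape_value(ext[m.end():end].rstrip(" "))
    return out


def parse_cef_syslog(line: str) -> CefEvent:
    """Split a syslog line into prefix, CEF header and extension."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF event: no 'CEF:' marker found")
    prefix, body = line[:idx].rstrip(), line[idx + len("CEF:"):]
    fields = _split_escaped(body, "|", maxsplit=len(HEADER_FIELDS))
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError(f"CEF header needs {len(HEADER_FIELDS)} fields, got {len(fields)}")
    header = dict(zip(HEADER_FIELDS, fields[:len(HEADER_FIELDS)]))
    extension = fields[len(HEADER_FIELDS)] if len(fields) > len(HEADER_FIELDS) else ""
    return CefEvent(prefix, header, _parse_extension(extension))


def devo_table_name(event: CefEvent) -> str:
    """Build cef0.device_vendor.device_product as the page describes.

    Assumption (not stated on the page): vendor and product are lower-cased
    and runs of non-alphanumeric characters become a single underscore.
    """
    def norm(value: str) -> str:
        return re.sub(r"[^a-z0-9]+", "_", value.lower()).strip("_")
    return f"cef0.{norm(event.header['device_vendor'])}.{norm(event.header['device_product'])}"


if __name__ == "__main__":
    ev = parse_cef_syslog(SAMPLE)
    print(ev.syslog_prefix)
    print(ev.header)
    print(ev.extension)
    print(devo_table_name(ev))
```

Running it against the constructed packet yields the table name cef0.security.threatmanager. The header split stops after the seventh pipe on purpose: whatever follows is the extension, so a pipe inside a message value does not shift the header fields. Whether that table is actually visible in the Finder still depends on a Devo parser existing for that vendor and product, as the text above explains.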

Info

Contact us

If you need to send data to Devo in CEF syslog format and the source technology does not appear in the list below, contact Devo Professional Services so that a parser can be created for the data.

Note

HTTP Ingestions

Data cannot be ingested into CEF tables using the HTTP ingestion method.

...

The following list of more than 100 technologies that Devo supports in CEF syslog format is ordered alphabetically by vendor name. Each technology is listed along with the table name under which its events will appear in the Devo Finder.

...