Common Event Format (CEF) is a log output format standard introduced by HP ArcSight. It was proposed to promote and facilitate interoperability between devices and applications that generate, consume or manipulate logs, and is currently supported by a variety of vendors and software platforms.
A CEF message consists of what can be interpreted as a CEF header (the message header), whose fields are delimited by the "|" character, and a CEF extension (the message body), which consists of space-separated key-value pairs. A literal "|" inside a header field must be escaped as "\|", and a literal "=" inside an extension value as "\=", so parsers must split on unescaped delimiters only. The message is broken down into the following logical fields.
CEF:<Version>|<Device Vendor>|<Device Product>|<Device Version>|<Signature ID>|<Name>|<Severity>|<Extensions>
** Note: Common Event Format is a syntax standard, so the interpretation of the fields is not strictly enforced; header field usage and type may therefore vary between implementations and vendors. For example, Signature ID may be treated as a Subtype and Name as a Type.
Those fields are listed and described in the reference links below, though their name, content and meaning may vary depending on the event type and/or vendor implementation.
There is also the option of custom pairs of vendor/customer-applied fields, where one field of the pair (the Label field, e.g. cs1Label) holds the name of the attribute and the other (e.g. cs1) holds its value.
There are at most 6 custom string fields, 3 custom numeric fields, and 2 each of the flexString/flexNumber fields.
They should be converted to standard key-value pairs, named by their label, before being processed further (renaming, altering, etc.).
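The following parser is an added example written for this page; it is not code from ArcSight or from any vendor. It implements the structure described above: it splits the header on unescaped "|" (honouring the "\|" and "\\" escapes), scans the extension for key=value pairs on unescaped "=", undoes the "\=", "\\", "\n" and "\r" value escapes, and then converts the labelled custom fields (csN/csNLabel, cnN/cnNLabel, flexStringN/flexNumberN) into ordinary key-value pairs named by their label, turning the numeric ones into integers. A label that would overwrite an existing key, or a custom field with no label, keeps its original key name. The sample lines and the key names used in them are constructed for the example; a syslog prefix in front of "CEF:" is tolerated as an assumption about how such lines usually arrive.

```python
import re
from dataclasses import dataclass
from typing import Dict

# Example CEF parser written for this page (not vendor or project code).

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# An extension key starts the extension or follows whitespace and ends in an
# unescaped '='. Values must escape '=' as '\=', so escaped ones never match.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
# Labelled custom fields (value field, or its Label counterpart via group 2).
_CUSTOM_RE = re.compile(r"^(cs[1-6]|cn[1-3]|flexString[12]|flexNumber[12])(Label)?$")
_NUMERIC_RE = re.compile(r"^(cn[1-3]|flexNumber[12])$")


@dataclass
class CefEvent:
    header: Dict[str, str]
    extension: Dict[str, object]


def _split_header(record: str):
    """Split on unescaped '|' (escapes: '\\|' and '\\\\'); return the seven
    header fields and the raw, still-escaped extension text."""
    fields, cur, i = [], [], 0
    while i < len(record) and len(fields) < 7:
        c = record[i]
        if c == "\\" and i + 1 < len(record) and record[i + 1] in "|\\":
            cur.append(record[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header must contain seven '|'-delimited fields")
    return fields, record[i:]


def _unescape_value(value: str) -> str:
    """Undo extension escaping: '\\=' and '\\\\' become the literal character,
    '\\n' and '\\r' become line breaks."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Each value runs from its key's '=' up to the next unescaped key."""
    keys = list(_KEY_RE.finditer(ext))
    pairs = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        pairs[m.group(1)] = _unescape_value(ext[m.end():end].strip())
    return pairs


def resolve_custom_fields(pairs: Dict[str, str]) -> Dict[str, object]:
    """Rename csN/cnN/flexStringN/flexNumberN to their Label and make the
    numeric ones integers; fall back to the raw key on a missing or clashing label."""
    resolved = {k: v for k, v in pairs.items() if not _CUSTOM_RE.match(k)}
    for key, value in pairs.items():
        m = _CUSTOM_RE.match(key)
        if not m or m.group(2):        # not custom, or a Label field itself
            continue
        label = pairs.get(key + "Label")
        target = label if label and label not in resolved else key
        if _NUMERIC_RE.match(key):
            try:
                value = int(value)
            except ValueError:
                pass                   # leave non-numeric content as a string
        resolved[target] = value
    return resolved


def parse_cef(line: str) -> CefEvent:
    """Parse one CEF line; anything before 'CEF:' (e.g. a syslog prefix) is ignored."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    fields, ext = _split_header(line[start:])
    fields[0] = fields[0][len("CEF:"):]          # 'CEF:0' -> version '0'
    header = dict(zip(HEADER_FIELDS, fields))
    return CefEvent(header, resolve_custom_fields(_parse_extension(ext)))


# Constructed sample lines (not captured from any real device).
SAMPLE_LINES = [
    "CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|"
    "src=10.0.0.1 dst=2.1.2.2 spt=1232",
    r"<134>Oct 10 12:00:00 host CEF:0|Example Vendor|Example \| Product|2.0|SIG\\01|"
    r"Blocked URL|5|src=192.0.2.10 request=http://example.net/?a\=1 "
    r"msg=first line\nsecond line cs1Label=Policy cs1=Block malware "
    r"cn1Label=RuleId cn1=42 cs2=orphan",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        ev = parse_cef(raw)
        print(ev.header["device_product"], ev.header["severity"], ev.extension)
```

Running the block on the second sample yields the header product "Example | Product" and signature ID "SIG\01", a request value with its "=" restored, a two-line msg, Policy and RuleId (as an int) in place of cs1/cn1, and cs2 kept under its raw name because it carries no label.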
There is also the possibility of encountering user/vendor-defined custom extensions, in the proposed form VendorNameProductNameExplanatoryKeyName (e.g. PanOSPacketsSent for PAN-OS 5.0). Such custom extensions should adhere to the following rules: