FireEye EX appliances produce two categories of logs, each with its own format.
System logs, which record the activity of the appliance's modules and processes, are formatted as
<module>[<pid>]: <thread-id>: [<module>:<severity-level>] free text log details
Alert logs, which contain incident details, are available in CEF, LEEF, CSV, JSON, XML and plaintext, with optional verbosity levels for some of those formats.
MOREAL currently supports CEF-formatted alert logs that follow the structure below, where <cef event type> is the CEF Device Event Class ID (signature ID) and <extension> is a space-separated list of key=value pairs:
CEF:0|<vendor>|<product name>|<version>|<cef event type>|<event-name>|<severity>|<extension>
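The two formats above are close enough to parse with a few dozen lines, and the CEF one has two traps worth seeing in code: `|` and `\` may appear escaped inside header fields (`\|`, `\\`), and extension values may contain spaces and escaped `\=`, so naive `split("|")` / `split(" ")` silently corrupts file names and paths. The parser below is an added example written for this page; it is not MOREAL's own parser or FireEye code. The sample lines, module name, host name and alert values are constructed placeholders in the shapes described above, not captured appliance output.

```python
"""Parsers for the two FireEye EX log shapes described above.

Sample lines below are constructed for illustration; module, host and
alert values are placeholders, not captured appliance output.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed system-log line in the
# "<module>[<pid>]: <thread-id>: [<module>:<severity-level>] free text" shape.
SYSTEM_LOG = "notifier[3140]: 7f2a1c9e: [notifier:info] delivered alert 42 to syslog sink"

# Constructed CEF alert. Note the CEF escapes: "\=" inside a value and
# "\\" for a literal backslash in the Windows path.
CEF_ALERT = (
    r"CEF:0|FireEye|EX|9.0.0|MO|malware-object|7|"
    r"rt=Jan 01 2024 12:00:00 UTC dvchost=ex-appliance-01 "
    r"fname=invoice\=final.pdf filePath=C:\\Users\\victim\\Downloads "
    r"cs1Label=sname cs1=Trojan.Generic"
)

_SYSLOG_RE = re.compile(
    r"^(?P<module>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<thread_id>[^:\s]+): "
    r"\[(?P<tag>[^:\]]+):(?P<severity>[^\]]+)\] (?P<message>.*)$"
)
# An extension key is a run of [A-Za-z0-9_.] at the start of the extension or
# after whitespace, followed by "=". A "\=" inside a value never matches,
# because a backslash is not a key character.
_EXT_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")

HEADER_NAMES = ("vendor", "product", "version", "event_type", "name", "severity")


def parse_system_log(line: str) -> Optional[Dict[str, object]]:
    """Parse one system-log line; returns None if the line does not match."""
    m = _SYSLOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["pid"] = int(m.group("pid"))
    return rec


def _split_cef_header(line: str) -> Tuple[List[str], str]:
    """Split the 7 header fields on unescaped '|'; the remainder is the extension."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):   # "\|" -> "|", "\\" -> "\"
            buf.append(line[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 '|'-delimited fields")
    return fields, line[i:]


def _unescape_ext(value: str) -> str:
    """Undo the extension escapes \\= \\\\ \\n \\r."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value key=value' where values may themselves contain spaces."""
    keys = list(_EXT_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for idx, km in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[km.group(1)] = _unescape_ext(ext[km.end():end].strip())
    return out


def parse_cef_alert(line: str) -> Dict[str, object]:
    """Parse a CEF:0 alert line into its header fields plus an extension dict."""
    fields, ext = _split_cef_header(line)
    if not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    rec: Dict[str, object] = {"cef_version": int(fields[0][4:])}
    rec.update(zip(HEADER_NAMES, fields[1:]))
    rec["extension"] = parse_cef_extension(ext)
    return rec


def parse_line(line: str) -> Dict[str, object]:
    """Dispatch on the 'CEF:' prefix, since both log types may arrive on one syslog feed."""
    if line.startswith("CEF:"):
        return {"kind": "alert", **parse_cef_alert(line)}
    sys_rec = parse_system_log(line)
    if sys_rec is None:
        raise ValueError("unrecognised log line")
    return {"kind": "system", **sys_rec}


if __name__ == "__main__":
    for sample in (SYSTEM_LOG, CEF_ALERT):
        print(parse_line(sample))
```

The header splitter stops after the seventh `|` on purpose: per the CEF specification pipes are only escaped in the header, so an unescaped `|` inside an extension value is legal and must not be treated as a delimiter. Severity is returned as the raw header string because CEF allows both numeric (0-10) and word values; normalise it downstream if you alert on it.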