LEEF Format Log Fields Forwarded by SMC

Summary
This article provides details on log forwarding using the LEEF format.
Information

The SMC Log Server can be configured to forward log entries received from NGFW engines to external SIEM or syslog servers. SMC log forwarding supports several formats, such as CSV, CEF and LEEF. This article describes which log fields are forwarded in the LEEF format.

Note For instructions on how to configure log forwarding, see How to forward SMC log and audit data to external syslog or SIEM servers and the Forwarding log data from Log Servers to external hosts section of the latest NGFW Online Help.
 

LEEF Header

The log entries forwarded in the LEEF format start with the header: 

LEEF:Version|Vendor|Product|Version|EventID

  • LEEF:Version defines the LEEF version
  • Vendor tells the device vendor name
  • Product specifies the type of the device that generated the log entry
  • Version shows the device version
  • EventID identifies the event type

Example of the LEEF header:

LEEF:1.0|FORCEPOINT|Firewall|6.10.6|Connection_Allowed
 

LEEF Time Format Definition

The header is followed by the time format (devTimeFormat) definition. The format used by SMC is MMM dd yyyy HH:mm:ss.
 

LEEF default fields

After the time format, the LEEF forwarded entries list the predefined event attributes:

LEEF field       NGFW field                Notes
devTime          RECEPTION_TIME            Uses the format set with the devTimeFormat attribute
proto            PROTOCOL_ID               IP protocol
sev              ALERT_SEVERITY            Severity of the alert entry
src              SOURCE_ADDRESS            Source IP address of the connection
dst              DESTINATION_ADDRESS       Destination IP address of the connection
srcPort          SOURCE_PORT               Source port of the connection
dstPort          DESTINATION_PORT          Destination port of the connection
srcPostNAT       NAT_SOURCE_ADDRESS        Source IP address after NAT is applied
dstPostNAT       NAT_DESTINATION_ADDRESS   Destination IP address after NAT is applied
usrName          USERNAME                  Name of the user
srcMAC           MAC_SOURCE                Source MAC address
dstMAC           MAC_DESTINATION           Destination MAC address
srcPostNATPort   NAT_SOURCE_PORT           Source port after NAT is applied
dstPostNATPort   NAT_DESTINATION_PORT      Destination port after NAT is applied
url              HTTP_REQUEST_URI          The detected HTTP request URI


Note Each entry will include only the fields that were populated in the log entry received from the NGFW engine.
 

LEEF Custom Fields

When the LEEF format is used, additional fields can be included. Since SMC version 6.5.2, the list of additional fields can be customized as follows:

  1. Open a command line session on the Log Server host.
  2. Navigate to the <smc_installation directory>/data/fields/additional_fields directory.

Note The default path on a Windows installation is C:\ProgramData\Forcepoint\SMC\data\fields\additional_fields.

  3. Make a copy of the leef_additional_fields_template.xml template file and open the copy in the text editor of your choice.

Note All the default templates are overwritten during an SMC upgrade, so edit a custom copy rather than the template itself.

  4. Remove and replace the fields listed in the file with the additional log fields you wish to include in the forwarded log entries. As an example, this custom file (leef_custom_fields.xml) defines LEEF logs to include the Rule Tag and NAT Rule Tag fields:
<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>
<!DOCTYPE datatypeinfo SYSTEM "datadefinitions.dtd">

<datatypeinfo>
    <exportable_field_list>
        <version>1</version>
        <name>Export list - LEEF Additional Fields</name>
        <fieldreflist>
            <fieldref field_name="RuleID">RULE_ID</fieldref>
            <fieldref field_name="NatRuleId">NAT_RULE_ID</fieldref>
        </fieldreflist>
    </exportable_field_list>
</datatypeinfo>

Note For the list of exportable log fields, see NGFW and SMC Exportable Log Fields. However, the SIEM/syslog server receiving LEEF format logs will likely accept only some of the possible fields. For the list of fields supported by the server, contact the server vendor.
  5. Save the changes.
  6. Open <installation directory>/data/LogServerConfiguration.txt for editing.
  7. Add a line that refers to the customized template file listing the LEEF additional fields:
LEEF_ADDITIONAL_FIELDS_CONF_FILE=<leef_conf_file>

For example:

LEEF_ADDITIONAL_FIELDS_CONF_FILE=/usr/local/forcepoint/smc/data/fields/additional_fields/leef_custom_fields.xml
  8. Save the LogServerConfiguration.txt file.
  9. Restart the Log Server service.
    • Windows: Open the Services panel from the Start menu, select "Forcepoint NGFW Log Server" and click Restart.
    • Linux: Open a terminal and run the command systemctl restart sgLogServer
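As an added example (not Forcepoint's code, and not part of this article) that ties the pieces above together on the receiving side: the parser below splits a forwarded line into the LEEF header and its attributes, translates the Java-style devTimeFormat pattern into a strptime pattern, maps the predefined LEEF keys to their NGFW field names using the table above, reads the custom fields file shown above to learn which additional keys to expect, and reports any attribute key that neither list explains (useful when checking that the SIEM side is configured for every field the Log Server sends). It assumes the LEEF 1.0 layout (pipe-separated header, tab-separated key=value attributes) and a syslog prefix in front of the event; the sample event line, its addresses, user name and rule tag values are constructed for the example.

```python
"""Parse LEEF 1.0 events as forwarded by the SMC Log Server.

Added example, not Forcepoint code. Assumes the LEEF 1.0 layout: a
pipe-separated header followed by tab-separated key=value attributes,
with devTimeFormat given as a Java-style pattern. Sample data is constructed.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# LEEF key -> NGFW field for the predefined attributes (table in the article).
DEFAULT_FIELDS = {
    "devTime": "RECEPTION_TIME", "proto": "PROTOCOL_ID", "sev": "ALERT_SEVERITY",
    "src": "SOURCE_ADDRESS", "dst": "DESTINATION_ADDRESS",
    "srcPort": "SOURCE_PORT", "dstPort": "DESTINATION_PORT",
    "srcPostNAT": "NAT_SOURCE_ADDRESS", "dstPostNAT": "NAT_DESTINATION_ADDRESS",
    "usrName": "USERNAME", "srcMAC": "MAC_SOURCE", "dstMAC": "MAC_DESTINATION",
    "srcPostNATPort": "NAT_SOURCE_PORT", "dstPostNATPort": "NAT_DESTINATION_PORT",
    "url": "HTTP_REQUEST_URI",
}

# Java date pattern letters used in SMC's devTimeFormat -> strptime directives.
_JAVA_TOKENS = {"yyyy": "%Y", "MMM": "%b", "dd": "%d", "HH": "%H", "mm": "%M", "ss": "%S"}


def java_format_to_strptime(fmt):
    """Translate e.g. 'MMM dd yyyy HH:mm:ss' to '%b %d %Y %H:%M:%S'."""
    # Longest tokens first so that 'MMM' (month) is matched before 'mm' (minute).
    pattern = "|".join(sorted(map(re.escape, _JAVA_TOKENS), key=len, reverse=True))
    return re.sub(pattern, lambda m: _JAVA_TOKENS[m.group(0)], fmt)


def load_custom_fields(xml_text):
    """Return {LEEF key: NGFW field} from a leef additional fields XML file."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("iso-8859-1")  # honour the file's declared encoding
    root = ET.fromstring(xml_text)
    return {ref.get("field_name"): (ref.text or "").strip() for ref in root.iter("fieldref")}


def parse_leef(line):
    """Split a forwarded line (syslog prefix allowed) into header fields and attributes."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("not a LEEF event")
    # Split on the five unescaped header pipes only; '\|' inside a value is kept.
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=5)
    if len(parts) != 6:
        raise ValueError("malformed LEEF header")
    header = [p.replace("\\|", "|") for p in parts[:5]]
    attrs = {}
    for item in parts[5].split("\t"):
        if "=" in item:
            key, value = item.split("=", 1)
            attrs[key] = value
    return {
        "leef_version": header[0][len("LEEF:"):], "vendor": header[1],
        "product": header[2], "version": header[3], "event_id": header[4],
        "attrs": attrs,
    }


def to_ngfw_fields(event, custom_fields=None):
    """Map attribute keys to NGFW field names; RECEPTION_TIME becomes a datetime."""
    mapping = {**DEFAULT_FIELDS, **(custom_fields or {})}
    attrs = event["attrs"]
    out = {mapping[k]: v for k, v in attrs.items() if k in mapping}
    if "RECEPTION_TIME" in out:
        fmt = java_format_to_strptime(attrs.get("devTimeFormat", "MMM dd yyyy HH:mm:ss"))
        out["RECEPTION_TIME"] = datetime.strptime(out["RECEPTION_TIME"], fmt)
    return out


def unknown_keys(event, custom_fields=None):
    """Attribute keys that neither the default table nor the custom list explains."""
    known = set(DEFAULT_FIELDS) | set(custom_fields or {}) | {"devTimeFormat"}
    return set(event["attrs"]) - known


# Constructed sample: the custom fields file from the article (Rule Tag, NAT Rule Tag).
CUSTOM_FIELDS_XML = """<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>
<!DOCTYPE datatypeinfo SYSTEM "datadefinitions.dtd">
<datatypeinfo>
    <exportable_field_list>
        <version>1</version>
        <name>Export list - LEEF Additional Fields</name>
        <fieldreflist>
            <fieldref field_name="RuleID">RULE_ID</fieldref>
            <fieldref field_name="NatRuleId">NAT_RULE_ID</fieldref>
        </fieldreflist>
    </exportable_field_list>
</datatypeinfo>
"""

# Constructed sample event with a syslog prefix; addresses, user and rule tags are made up.
SAMPLE_EVENT = (
    "<14>Jan  5 10:15:31 logserver "
    "LEEF:1.0|FORCEPOINT|Firewall|6.10.6|Connection_Allowed|"
    "devTimeFormat=MMM dd yyyy HH:mm:ss\tdevTime=Jan 05 2024 10:15:30\t"
    "proto=6\tsrc=10.0.0.5\tdst=192.0.2.10\tsrcPort=51234\tdstPort=443\t"
    "usrName=alice\tRuleID=2000123.1\tNatRuleId=2000124.2"
)

if __name__ == "__main__":
    event = parse_leef(SAMPLE_EVENT)
    custom = load_custom_fields(CUSTOM_FIELDS_XML)
    for field, value in to_ngfw_fields(event, custom).items():
        print(f"{field:25} {value}")
    print("unexpected keys:", unknown_keys(event, custom) or "none")
```

Running the module prints each NGFW field of the sample event with its value; calling unknown_keys without the custom list reports RuleID and NatRuleId, which is exactly the situation when the Log Server has a custom field file but the receiving parser has not been updated to match it.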