Sample CEF Connector
About the Sample CEF Connector
The Sample CEF Connector receives security events (in CEF format) in near real-time using the Cloud API. CEF is a standardized logging format introduced by ArcSight, Inc. and is compatible with many other SIEM solutions.
Older SIEM tools require the events to be available in syslog format. You can configure the connector to forward the security events’ data to the SIEM over UDP or TCP using the Syslog protocol.
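As an added illustration of the forwarding step described above (example code, not the connector's own), the following Go snippet wraps one CEF record in a syslog header and frames it for the UDP or TCP transport chosen in the connector's configuration. The RFC 5424 header layout, the local0 facility and RFC 6587 octet counting on TCP are assumptions: the page does not state which framing the connector emits, so confirm what your SIEM's syslog input expects. The CEF record itself is constructed from the header values documented later on this page.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Constructed CEF record using the header values the page documents
// (vendor "ColorTokens", product "Xshield", version "3.0"); the event name
// and extension values are made up for this example.
const sampleCEF = `CEF:1|ColorTokens|Xshield|3.0|Events|Agent unreachable|Medium|msg=Agent unreachable. reportedResourceType=Agent cs1Label=Asset Name cs1=db-02 cs3Label=Alert Status cs3=Pending`

// Syslog PRI = facility*8 + severity (RFC 5424 numbering). The page does not
// say which facility the connector uses; local0 is an assumed placeholder.
const (
	facilityLocal0   = 16
	sevInformational = 6
)

// FormatSyslog wraps one CEF record in an RFC 5424 header:
// <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
func FormatSyslog(ts time.Time, host, app, cef string, facility, severity int) string {
	return fmt.Sprintf("<%d>1 %s %s %s - - - %s",
		facility*8+severity, ts.UTC().Format(time.RFC3339), host, app, cef)
}

// Frame applies transport framing. UDP carries one message per datagram and
// needs nothing more (but gives no delivery confirmation). A TCP stream has no
// record boundaries, so RFC 6587 octet counting ("LEN SP MSG") is prepended;
// it is safer than newline delimiting because a CEF value may carry a newline.
func Frame(protocol, msg string) ([]byte, error) {
	switch protocol {
	case "udp":
		return []byte(msg), nil
	case "tcp":
		return []byte(fmt.Sprintf("%d %s", len(msg), msg)), nil
	}
	return nil, fmt.Errorf("syslog protocol must be \"tcp\" or \"udp\", got %q", protocol)
}

// Send delivers one framed message to the SIEM using the same ip/port/protocol
// triple that the connector's syslog configuration section holds.
func Send(protocol, ip string, port int, msg string) error {
	payload, err := Frame(protocol, msg)
	if err != nil {
		return err
	}
	conn, err := net.DialTimeout(protocol, net.JoinHostPort(ip, fmt.Sprint(port)), 5*time.Second)
	if err != nil {
		return err
	}
	defer conn.Close()
	_, err = conn.Write(payload)
	return err
}

func main() {
	msg := FormatSyslog(time.Now(), "cef-connector-01", "sample-cef-connector",
		sampleCEF, facilityLocal0, sevInformational)
	// Placeholder SIEM address: substitute the syslog ip and port from your config.
	if err := Send("udp", "127.0.0.1", 514, msg); err != nil {
		fmt.Println("send failed:", err)
	}
}
```

With TCP the connector learns about a closed or unreachable SIEM from the dial or write error; with UDP the datagram is silently dropped, which is one reason the record counts at the SIEM can drift from what was read from the object store.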
Pre-requisites
Before installing and configuring the Sample CEF Connector, ensure that you have the following:
- Cloud storage access credentials and account key
- Syslog port and protocol details (ensure port 443 is open for communication)
- Go version 1.21 or later
- Supported cloud platforms: AWS and Azure
- Syslog support: TCP and UDP
Hardware Requirements
The application is designed to run on a Linux server (Ubuntu 20.x or newer) with at least:
- 2 CPU cores
- 8 GB RAM
- 5 GB Free Disk Space
Whitelisting of Domains
Allow the following domains on the connector’s firewall based on your public cloud provider:
- AWS: https://<bucket-name>.s3.amazonaws.com
- Azure: https://<account-name>.blob.core.windows.net
Download & Install the Sample CEF Connector
Download
Download the Sample CEF Connector package from the below URL:
Note: Replace <domain url> with your specific domain name to form the correct download URL for the CEF Connector:
https://artifacts.<domain url>/sample-siem-connector/sample-cef-connector.deb
For example, for ng.colortokens.com use:
wget https://artifacts.ng.colortokens.com/sample-siem-connector/sample-cef-connector.deb
Install
Ensure that all prerequisites are met before proceeding with installation.
- Install the Debian package:
sudo dpkg -i sample-cef-connector.deb
- Provide the cloud storage and syslog details by editing the configuration file:
sudo nano /opt/colortokens/config/config.yaml
Example configuration:
selected_cloud: "azure" # Options: "aws" or "azure"
aws:
  access_key_id: "xxxxxxxx"
  secret_access_key: "xxxxxx"
  region: "xxxxx"
  bucket_name: "xxxxx"
azure:
  account_name: "xxxxxxx"
  account_key: "xxxxxxxx"
  container: "xxxxxxx"
syslog:
  ip: xx.xx.xx.xx
  port: xyz
  protocol: "tcp" # Options: "tcp" or "udp"
- Start the connector:
sudo systemctl start sample-cef-connector
- Check the service status:
sudo systemctl status sample-cef-connector
- Monitor logs: logs are written to /opt/colortokens/logs and are updated at the interval_minutes value set by the user (default: 5 minutes).
- Stop the connector:
sudo systemctl stop sample-cef-connector
Interpretation of CEF Data
Security events and logs generated in Xshield are saved in the Common Event Format (CEF):
Timestamp | Host | CEF:Version | Device Vendor | Device Product | Device Version | Device Event Class ID | Name | Severity | [Extension]
Common Fields
| Field | Description |
|---|---|
| Timestamp | The time when the event was generated. |
| Host | The hostname of the Xshield tenant. |
| Version | "1" |
| Device Vendor | "ColorTokens" |
| Device Product | "Xshield" |
| Device Version | "3.0" |
| Device Event Class ID | Events |
| Name | The event name configured in Xshield. |
| Severity | The severity level configured in Xshield. |
Extension Fields (Events)
| Key Name | Description |
|---|---|
| msg | Description of the event. Example: "Blocked communication attempt detected on host." |
| suser | Email of the user who generated the event; "System" if system-generated. |
| reportedResourceType | Type of resource generating the event (e.g., Agent, Policy). |
| cs1Label | "Asset Name" |
| cs1 | Hostname of the asset that triggered the event. |
| cs2Label | "Metadata" |
| cs2 | Metadata related to the event. |
Extension Fields (Alerts)
| Key Name | Description |
|---|---|
| msg | Description of the alert. Example: "Agent unreachable." |
| reportedResourceType | Type of resource generating the alert. |
| cs1Label | "Asset Name" |
| cs1 | Hostname of the asset generating the alert. |
| cs3Label | "Alert Status" |
| cs3 | Status of the alert (Pending or Dismissed). |
| cs4Label | "Closed By" |
| cs4 | Email of the user who closed the alert. |
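A parser for the record layout and the extension keys documented above, added here as an example and not part of the connector or Xshield code. The sample line is constructed from the header values the tables list (vendor, product, version, class ID); the timestamp, tenant host, asset name and metadata are invented. The escaping rules applied (`\|` and `\\` inside header fields, `\=`, `\\`, `\n`, `\r` inside extension values) are the CEF conventions, which the page does not spell out, so they are an assumption here. The `Labeled` helper resolves the `csNLabel`/`csN` pairs from the tables into readable names, which is what a SIEM field mapping needs.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample line with the header values the page documents; the
// timestamp, host, asset and metadata are made up. "\=" in cs2 is how CEF
// carries a literal '=' inside an extension value.
const sampleEvent = `2024-05-01T10:15:30Z tenant01.xshield.example CEF:1|ColorTokens|Xshield|3.0|Events|Blocked communication attempt detected|High|msg=Blocked communication attempt detected on host. suser=System reportedResourceType=Agent cs1Label=Asset Name cs1=web-01 cs2Label=Metadata cs2=dst\=10.0.0.5 port\=443`

// CEFEvent is one parsed record: the syslog-style prefix, the seven CEF header
// fields, and the extension key/value pairs.
type CEFEvent struct {
	Timestamp, Host                                                   string
	Version, Vendor, Product, DeviceVersion, ClassID, Name, Severity string
	Extension                                                         map[string]string
}

// extUnescape undoes CEF escaping inside extension values.
var extUnescape = strings.NewReplacer(`\=`, "=", `\\`, `\`, `\n`, "\n", `\r`, "\r")

// ParseCEF splits a line into prefix, header and extension. Header fields end
// at unescaped '|'; after the seventh separator everything is extension text,
// which may itself contain unescaped '|'.
func ParseCEF(line string) (CEFEvent, error) {
	var ev CEFEvent
	start := strings.Index(line, "CEF:")
	if start < 0 {
		return ev, fmt.Errorf("no CEF: header in line")
	}
	// Prefix is "<timestamp> <host>"; the timestamp may contain spaces, so the
	// host is the last space-separated token.
	prefix := strings.TrimSpace(line[:start])
	if i := strings.LastIndexByte(prefix, ' '); i >= 0 {
		ev.Timestamp, ev.Host = strings.TrimSpace(prefix[:i]), prefix[i+1:]
	} else {
		ev.Host = prefix
	}
	body := line[start+len("CEF:"):]
	var fields []string
	var cur strings.Builder
	for i := 0; i < len(body); i++ {
		c := body[i]
		if c == '\\' && i+1 < len(body) && (body[i+1] == '|' || body[i+1] == '\\') && len(fields) < 7 {
			cur.WriteByte(body[i+1]) // drop the escaping backslash inside header fields
			i++
			continue
		}
		if c == '|' && len(fields) < 7 {
			fields = append(fields, cur.String())
			cur.Reset()
			continue
		}
		cur.WriteByte(c)
	}
	fields = append(fields, cur.String())
	if len(fields) < 8 {
		return ev, fmt.Errorf("expected 7 header separators, found %d", len(fields)-1)
	}
	ev.Version, ev.Vendor, ev.Product, ev.DeviceVersion = fields[0], fields[1], fields[2], fields[3]
	ev.ClassID, ev.Name, ev.Severity = fields[4], fields[5], fields[6]
	ev.Extension = parseExtension(fields[7])
	return ev, nil
}

// parseExtension turns "k1=v1 k2=v2 ..." into a map. Values may contain spaces
// (see the msg examples on the page), so each value runs up to the key that
// precedes the next unescaped '='.
func parseExtension(ext string) map[string]string {
	out := map[string]string{}
	ext = strings.TrimSpace(ext)
	var eqs []int // offsets of unescaped '='
	for i := 0; i < len(ext); i++ {
		switch ext[i] {
		case '\\':
			i++ // skip the escaped byte
		case '=':
			eqs = append(eqs, i)
		}
	}
	for n, eq := range eqs {
		keyStart := strings.LastIndexByte(ext[:eq], ' ') + 1
		end := len(ext)
		if n+1 < len(eqs) {
			end = strings.LastIndexByte(ext[:eqs[n+1]], ' ') + 1
		}
		if key := ext[keyStart:eq]; key != "" && end > eq {
			out[key] = extUnescape.Replace(strings.TrimSpace(ext[eq+1 : end]))
		}
	}
	return out
}

// Labeled resolves the csNLabel/csN pairs (e.g. cs1Label "Asset Name" with
// cs1 holding the hostname) into a label -> value map.
func (e CEFEvent) Labeled() map[string]string {
	out := map[string]string{}
	for k, label := range e.Extension {
		if strings.HasSuffix(k, "Label") {
			if v, ok := e.Extension[strings.TrimSuffix(k, "Label")]; ok {
				out[label] = v
			}
		}
	}
	return out
}

func main() {
	ev, err := ParseCEF(sampleEvent)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Printf("%s %s/%s %s sev=%s labels=%v\n", ev.Timestamp, ev.Vendor, ev.Product, ev.Name, ev.Severity, ev.Labeled())
}
```

On the SIEM side, checking that `Vendor` and `Product` equal the documented "ColorTokens" and "Xshield" before applying a field mapping is a cheap way to keep records from other sources out of the Xshield parser.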
Uninstall the CEF Connector
To remove the Sample CEF Connector from your system:
- Stop the Connector Service:
sudo systemctl stop sample-cef-connector
- Uninstall the Connector:
sudo dpkg --purge sample-cef-connector
Additional Notes
- It is recommended to set your virtual machine's hostname to <colortokens> for consistent log entries.
- Upon initial onboarding, historical data is delivered alongside current data, with timestamps reflecting the current runtime. Subsequent data includes only delta logs.
- There might be a variance in record count between syslog and object store due to the absence of coalescing at the object store level. This will be addressed in a future release.
For any further assistance, please contact support.