Common Event Format (CEF) Data
Common Event Format (CEF) is a standardized logging format developed by ArcSight (now part of Micro Focus), a security information and event management (SIEM) solution provider. CEF is designed to simplify the process of logging security-related events, making it easier to integrate logs from different sources into a single system.
CEF is a text-based log format that uses Syslog as its transport protocol—a standard for message logging supported by most network devices and operating systems. A full CEF message includes:
Syslog header (prefix)
CEF header
CEF extension (a list of key-value pairs)
The extension supports both standard and user-defined key names.
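A minimal parser for the three-part layout described above, as an added example that is not part of the original page or any vendor's code. The seven-field header order and the backslash escapes follow the ArcSight CEF specification rather than this page, and the sample line and its vendor and product names are constructed.

```python
import re

# Header field order per the ArcSight CEF specification (assumed; not listed on this page).
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\[\]-]+)=")  # a key is never preceded by '\'
UNESC = {"n": "\n", "r": "\r"}

# Constructed sample line (not from a real device).
SAMPLE = (r"Sep 19 08:26:10 host CEF:0|Example\|Corp|ExampleFW|1.0|100|"
          r"Blocked request|7|src=10.0.0.1 msg=User said a\=b and left cs1=C:\\temp")

def split_header(body, nfields=7):
    """Split on unescaped '|' into nfields header values plus the raw extension."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < nfields:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            cur.append(body[i + 1])  # \| and \\ stand for literal characters
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < nfields:
        raise ValueError("truncated CEF header")
    return fields, body[i:]

def parse_extension(ext):
    """Map key=value pairs; values may hold spaces and backslash escapes."""
    out, hits = {}, list(KEY_RE.finditer(ext))
    for m, nxt in zip(hits, hits[1:] + [None]):
        raw = ext[m.end(): nxt.start() if nxt else len(ext)]
        out[m.group(1)] = re.sub(r"\\(.)", lambda e: UNESC.get(e.group(1), e.group(1)), raw.rstrip())
    return out

def parse_cef(line):
    """Return (syslog_prefix, header_dict, extension_dict) for one log line."""
    pos = line.find("CEF:")
    if pos < 0:
        raise ValueError("no CEF marker")
    fields, ext = split_header(line[pos + 4:])
    return line[:pos].strip(), dict(zip(HEADER_FIELDS, fields)), parse_extension(ext)

if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```

A value that contains an unescaped `=` after a space is indistinguishable from a new key, so log producers must escape `=` in any field that carries untrusted text.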
CEF Standard and Custom Keys
This table lists the CEF key names used in events, along with their full names, types, applicable modules, data types, length limits, and descriptions.
Note: The key name is what must be used in the actual event log.