|
Field type |
Field name |
Description |
Example value |
|---|---|---|---|
|
CEF header |
CEF:Version |
CEF version. |
CEF:0 |
|
Device Vendor |
Product vendor. |
UserGate |
|
|
Device Product |
Product type. |
NGFW |
|
|
Device Version |
Product version. |
7 |
|
|
Source |
Log name. |
dns |
|
|
Name |
Source type. |
log |
|
|
Threat level |
Threat level. |
Available values: from 1 to 10 (the set threat level multiplied by 2). |
|
|
CEF [extension] |
rt |
Time when the event was received (in milliseconds since January 1, 1970). |
1701085036026 |
|
deviceExternalId |
The unique name of the device that generated the event. |
||
|
act |
Action taken by the device according to the configured policies. |
block |
|
|
reason |
The reason why the event was created, e.g. the URL category on which the rule was triggered. |
{"url_cats":[{"id":37,"name":"Search Engines & Portals","threat_level":1}]} |
|
|
app |
Application layer protocol |
DNS |
|
|
suser |
The username. |
user1 (Unknown, if the user is unknown) |
|
|
cs1Label |
Indicates the triggered rule. |
Rule |
|
|
cs1 |
Name of the rule triggered to cause the event. |
Rule1 |
|
|
dhost |
The destination host name, whose address is determined using the DNS server. |
||
|
proto |
Level 4 protocol used. |
UDP |
|
|
src |
Traffic source IPv4 address. |
10.10.0.11 |
|
|
spt |
Source port |
Values: 0-65535. |
|
|
smac |
Source MAC address. |
FA:16:3E:65:1C:B4 |
|
|
cs2Label |
Indicates the source zone. |
Source Zone |
|
|
cs2 |
Source zone name. |
Trusted |
|
|
cs3Label |
Indicates the source country. |
Source Country |
|
|
cs3 |
Source country name. |
AE (a two-letter country code is displayed) |
|
|
dst |
IPv4 address of the traffic destination. |
194.226.127.130 |
|
|
dpt |
Destination port |
Values: 0-65535. Port 53 is normally used for DNS. |
|
|
cs4Label |
Indicates the destination zone. |
Destination Zone |
|
|
cs4 |
Destination zone name. |
Untrusted |
|
|
cs5Label |
Indicates the destination country. |
Destination Country |
|
|
cs5 |
Destination country name. |
AE (a two-letter country code is displayed) |
|
|
cs6Label |
Indicates the data being transmitted. |
Data. |
|
|
cs6 |
The transmitted data. |
{"question":[{"domain":"google.com","type":"A","class":"IN"}], "answer":[{"domain":"google.com","type":"TXT","class":"IN","ttl":5,"data":"Blocked"},{"domain":"google.com","type":"A","class":"IN","ttl":5,"data":"10.10.0.1"}]} |
|
|
flexString1Label |
Indicates the category of the requested URL. |
URL Categories |
|
|
flexString1 |
URL category. |
Search Engines & Portals |
Differences in the CEF Compact format:
-
The following fields are missing:
-
cs3Label=Source Country; cs3=$src_country;
-
cs5Label=Destination Country; cs5=$dst_country;
-
-
The following fields have been changed:
-
cs2Label=SrcZone;
-
cs3Label=DstZone; cs3=$dst_zone_name;
-
cs4Label=Data; cs4=$data;
-
flexString1Label=URLCats;
-
-
Some field values are truncated to 80 characters, this is a general rule for the compact format. For example, a list of URL categories, URL, username, rule name, zone name, etc.