Splunk® App for CEF

Deploy and Use Splunk App for CEF

This documentation does not apply to the most recent version of the Splunk App for CEF.

How the Splunk App for CEF works

The diagram and table summarize how the Splunk App for CEF, and the Splunk Add-on for CEF Output that it produces, map data to the common event format and forward it to a third-party syslog receiver for processing.

[Figure: CEF data flow diagram]

Step 1. Splunk admin installs the Splunk App for CEF on a search head. A Splunk user uses the app to select a data model, map fields to common event format, and define output groups.
    For information about installing the app, see Install the Splunk App for CEF. For information about using the app, see Define CEF mappings and output groups with the Splunk App for CEF.

Step 2. The Splunk App for CEF creates the Splunk Add-on for CEF Outputs containing the output instructions for the indexers.
    See Finish and export the Splunk Add-on for CEF Output.

Step 3. Splunk admin installs the Splunk Add-on for CEF Outputs to the indexer tier. The indexers perform the CEF mapping searches. Add indexers to scale horizontally.
    See Deploy the Splunk Add-on for CEF Output to indexers.

Step 4. The indexers process the search jobs and use a custom command to output data to the syslog receivers in common event format over TCP.
    See Technical implementation.

Technical implementation

The Splunk App for CEF uses a data model search to filter events and map their fields to the pipe-delimited header fields and the space-separated key=value extension pairs required by the CEF standard. For each subset of data, the app user defines the following:

  • the data model and specific dataset within that data model that describes the data
  • the attribute to CEF field mapping for all required fields
  • the addresses of the syslog receivers

The first two items that the user defines create the CEF mapping search. The search builds a single _raw string per event: a syslog-style timestamp and host, the literal CEF:0 version marker, the six remaining pipe-delimited header fields (vendor, product, product version, signature ID, name, severity), and then the extension key=value pairs. Fields that are missing from an event fall back to sourcetype or to the string "unknown". When you preview this search in the Save Search step, it looks like the following example.

| datamodel DLP DLP_Incidents search
| eval _raw=if(isnotnull(strftime('_time',"%b %d %H:%M:%S")),
        strftime('_time',"%b %d %H:%M:%S"),
        strftime(time(),"%b %d %H:%M:%S"))." "
    .case(mvcount('host')>=1,mvindex('host',0),mvcount('host')>=1,mvindex('host',0),1=1,"unknown")." "
    ."CEF:".if(isnum(0),0,0)
    ."|".case(mvcount('vendor')>=1 AND mvindex('vendor',0)!="unknown",mvindex('vendor',0),
              mvcount('sourcetype')>=1,mvindex('sourcetype',0),1=1,"unknown")
    ."|".case(mvcount('product')>=1 AND mvindex('product',0)!="unknown",mvindex('product',0),
              mvcount('sourcetype')>=1,mvindex('sourcetype',0),1=1,"unknown")
    ."|".if(mvcount('product_version')>=1,mvindex('product_version',0),"unknown")
    ."|".if(mvcount('signature_id')>=1,mvindex('signature_id',0),"unknown")
    ."|".case(mvcount('DLP_Incidents.signature')>=1,mvindex('DLP_Incidents.signature',0),
              mvcount('name')>=1,mvindex('name',0),1=1,"unknown")
    ."|".`get_cef_severity_fieldmap(DLP_Incidents.severity)`
    ."|".`get_cef_ip(DLP_Incidents.src,src)`.`get_cef_mac(DLP_Incidents.src,smac)`.`get_cef_host(DLP_Incidents.src,shost)`
    .`get_cef_ip(DLP_Incidents.dest,dst)`.`get_cef_mac(DLP_Incidents.dest,dmac)`.`get_cef_host(DLP_Incidents.dest,dhost)`
    .`get_cef_ip(DLP_Incidents.dvc,dvc)`.`get_cef_mac(DLP_Incidents.dvc,deviceMacAddress)`.`get_cef_host(DLP_Incidents.dvc,dvchost)`
    .if(mvcount('DLP_Incidents.category')>=1,"cat=".mvjoin('DLP_Incidents.category',"\n")." ","")
    .if(mvcount('DLP_Incidents.app')>=1,"app=".mvjoin('DLP_Incidents.app',"\n")." ","")
    .if(mvcount('DLP_Incidents.action')>=1,"act=".mvjoin('DLP_Incidents.action',"\n")." ","")
    .if(mvcount('DLP_Incidents.src_user')>=1,"suser=".mvjoin('DLP_Incidents.src_user',"\n")." ","")
    .if(mvcount('DLP_Incidents.user')>=1,"duser=".mvjoin('DLP_Incidents.user',"\n")." ","")
| fields + _raw
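The following Python script is an added example, not code from the Splunk App for CEF or its generated search. It reproduces the mapping logic of the search above outside Splunk (vendor and product fall back to sourcetype and then to "unknown", multivalue fields contribute their first value to the header and are newline-joined in the extension) and then parses the produced line back into its seven header fields and extension pairs, which is the check a receiver-side engineer would want before trusting the feed. The severity mapping, the restriction to the IP form of src/dest/dvc, and the sample record are assumptions; the page's get_cef_severity_fieldmap, get_cef_mac and get_cef_host macros are not defined here. Unlike the generated search, the builder escapes pipes and backslashes in header values as the CEF standard requires, so a product name containing "|" cannot shift the header fields.

```python
import re
import time
from typing import Any, Dict, List, Tuple

Record = Dict[str, Any]

# Assumed severity mapping; the app's get_cef_severity_fieldmap macro is not shown on the page.
SEVERITY_MAP = {"informational": "0", "low": "3", "medium": "5", "high": "7", "critical": "10"}

# Data-model attribute -> CEF extension key, in the order the generated search emits them.
# Only the IP form of src/dest/dvc is modelled (assumption; the mac/host macros are not defined here).
EXTENSION_MAP = [("src", "src"), ("dest", "dst"), ("dvc", "dvc"),
                 ("category", "cat"), ("app", "app"), ("action", "act"),
                 ("src_user", "suser"), ("user", "duser")]


def _mv(record: Record, key: str) -> List[str]:
    """Field as a list, mirroring Splunk multivalue semantics; [] when absent."""
    v = record.get(key)
    if v is None:
        return []
    return [str(x) for x in v] if isinstance(v, list) else [str(v)]


def _first(record: Record, key: str, default: str = "unknown") -> str:
    """if(mvcount(key)>=1, mvindex(key,0), default)"""
    vals = _mv(record, key)
    return vals[0] if vals else default


def _vendor_or_product(record: Record, key: str) -> str:
    """case(key present and != "unknown" -> key, sourcetype present -> sourcetype, 1=1 -> "unknown")"""
    vals = _mv(record, key)
    if vals and vals[0] != "unknown":
        return vals[0]
    return _first(record, "sourcetype")


def escape_header(value: str) -> str:
    """CEF header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value: str) -> str:
    """CEF extension values: backslash and '=' are escaped; line breaks are written as \\r and \\n."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(record: Record) -> str:
    """Syslog-style prefix + CEF:0 header + extension, with the same fallbacks as the search."""
    ts = float(record.get("_time", time.time()))
    prefix = time.strftime("%b %d %H:%M:%S", time.gmtime(ts)) + " " + _first(record, "host")
    header = [
        _vendor_or_product(record, "vendor"),
        _vendor_or_product(record, "product"),
        _first(record, "product_version"),
        _first(record, "signature_id"),
        _first(record, "signature", _first(record, "name")),
        SEVERITY_MAP.get(_first(record, "severity").lower(), "unknown"),
    ]
    ext = []
    for attr, cef_key in EXTENSION_MAP:
        vals = _mv(record, attr)
        if vals:  # the search wraps each pair in if(mvcount(...)>=1, ..., "")
            ext.append(cef_key + "=" + escape_extension("\n".join(vals)))
    return prefix + " CEF:0|" + "|".join(escape_header(h) for h in header) + "|" + " ".join(ext)


def _unescape(s: str) -> str:
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append({"n": "\n", "r": "\r"}.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_cef(line: str) -> Tuple[List[str], Dict[str, str]]:
    """Split a CEF line into its 7 header fields and an extension dict, honouring escapes."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker")
    body, fields, cur, i = line[start + 4:], [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):  # escaped character: keep it literally
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("expected 7 header fields, got %d" % len(fields))
    extension = body[i:]
    # Keys are bare tokens followed by an unescaped '='; a value runs until the next key.
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_.]+)=", extension))
    pairs = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(extension)
        pairs[m.group(1)] = _unescape(extension[m.end():end])
    return fields, pairs


# Constructed sample record (not real data); vendor is "unknown" so the search's sourcetype fallback applies.
SAMPLE: Record = {
    "_time": 1700000000, "host": ["dlp01"], "sourcetype": "acme:dlp",
    "vendor": "unknown", "product": "DLP Gateway|v2", "product_version": "2.0.1",
    "signature_id": "DLP-1001", "name": "Policy violation", "severity": "high",
    "src": "10.1.2.3", "dest": "203.0.113.9", "category": ["pci", "pii"],
    "action": "blocked", "user": "alice",
}


def demo() -> Tuple[str, List[str], Dict[str, str]]:
    line = build_cef(SAMPLE)
    fields, ext = parse_cef(line)
    return line, fields, ext


if __name__ == "__main__":
    for part in demo():
        print(part)
```

The parse step is the one to keep around: running it over lines captured at the syslog receiver confirms that every event arrives with exactly seven header fields and that multivalue extensions (cat above) survive the newline encoding, which is where a downstream parser usually breaks first.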

When you save this search, it runs immediately to filter and map data in real time. The running search is appended with the following command:

| cefout routing=<name_of_your_routing_group>

cefout is a custom streaming command that takes a single parameter, routing. The custom streaming command allows the search to perform summary indexing directly on indexers and then routes the output to the destination specified by the routing parameter.

The Splunk Add-on for CEF Output supplies the value for this parameter in its outputs.conf file. The app generates the add-on package to pass output routing instructions to the indexers. This add-on package contains the following configuration files.

  • app.conf: Contains packaging and basic information about the add-on.
  • indexes.conf: Performs read-only routing for CEF event output. Not used for data storage.
  • inputs.conf: Manages the batching and routing of CEF events.
  • outputs.conf: Defines the server addresses referenced by the output group names.
  • props.conf: Parses events into CEF-compliant event structure.

This documentation applies to the following versions of Splunk® App for CEF: 2.0.0, 2.0.1
