How the Splunk App for CEF works
The diagram and table summarize how the Splunk App for CEF, and the Splunk Add-on for CEF Output that it produces, map data to the common event format and forward it to a third-party syslog receiver for processing.
| Step | Description | Where to learn more |
|---|---|---|
| 1 | A Splunk admin installs the Splunk App for CEF on a search head. A Splunk user uses the app to select a data model, map fields to the common event format, and define output groups. | For information about installing the app, see Install the Splunk App for CEF. For information about using the app, see Define CEF mappings and output groups with the Splunk App for CEF. |
| 2 | The Splunk App for CEF creates the Splunk Add-on for CEF Output, which contains the output instructions for the indexers. | See Finish and export the Splunk Add-on for CEF Output. |
| 3 | A Splunk admin installs the Splunk Add-on for CEF Output on the indexer tier. The indexers run the CEF mapping searches; add indexers to scale horizontally. | See Deploy the Splunk Add-on for CEF Output to indexers. |
| 4 | The indexers process the search jobs and use a custom command to send the data to the syslog receivers in common event format over TCP. | See Technical implementation. |
The Splunk App for CEF uses a data model search to filter and map fields to the pipe-delimited key-value pairs required by the CEF standard. For each subset of data, the app user defines the following:
- the data model and specific dataset within that data model that describes the data
- the attribute to CEF field mapping for all required fields
- the addresses of the syslog receivers
The first two items that the user defines create the CEF mapping search. When you preview this search in the Save Search step, it looks like the following example.
| datamodel DLP DLP_Incidents search | eval _raw=if(isnotnull(strftime('_time',"%b %d %H:%M:%S")),strftime('_time',"%b %d %H:%M:%S"),strftime(time(),"%b %d %H:%M:%S"))." ".case(mvcount('host')>=1,mvindex('host',0),mvcount('host')>=1,mvindex('host',0),1=1,"unknown")." "."CEF:".if(isnum(0),0,0)."|".case(mvcount('vendor')>=1 AND mvindex('vendor',0)!="unknown",mvindex('vendor',0),mvcount('sourcetype')>=1,mvindex('sourcetype',0),1=1,"unknown")."|".case(mvcount('product')>=1 AND mvindex('product',0)!="unknown",mvindex('product',0),mvcount('sourcetype')>=1,mvindex('sourcetype',0),1=1,"unknown")."|".if(mvcount('product_version')>=1,mvindex('product_version',0),"unknown")."|".if(mvcount('signature_id')>=1,mvindex('signature_id',0),"unknown")."|".case(mvcount('DLP_Incidents.signature')>=1,mvindex('DLP_Incidents.signature',0),mvcount('name')>=1,mvindex('name',0),1=1,"unknown")."|".`get_cef_severity_fieldmap(DLP_Incidents.severity)`."|".`get_cef_ip(DLP_Incidents.src,src)`.`get_cef_mac(DLP_Incidents.src,smac)`.`get_cef_host(DLP_Incidents.src,shost)`.`get_cef_ip(DLP_Incidents.dest,dst)`.`get_cef_mac(DLP_Incidents.dest,dmac)`.`get_cef_host(DLP_Incidents.dest,dhost)`.`get_cef_ip(DLP_Incidents.dvc,dvc)`.`get_cef_mac(DLP_Incidents.dvc,deviceMacAddress)`.`get_cef_host(DLP_Incidents.dvc,dvchost)`.if(mvcount('DLP_Incidents.category')>=1,"cat=".mvjoin('DLP_Incidents.category',"\n")." ","").if(mvcount('DLP_Incidents.app')>=1,"app=".mvjoin('DLP_Incidents.app',"\n")." ","").if(mvcount('DLP_Incidents.action')>=1,"act=".mvjoin('DLP_Incidents.action',"\n")." ","").if(mvcount('DLP_Incidents.src_user')>=1,"suser=".mvjoin('DLP_Incidents.src_user',"\n")." ","").if(mvcount('DLP_Incidents.user')>=1,"duser=".mvjoin('DLP_Incidents.user',"\n")." ","") | fields +_raw
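The following Python is an added example, not code from the Splunk App for CEF or its add-on. It builds the same syslog-framed CEF line that this search assembles in _raw (timestamp, host, the seven pipe-delimited header fields with "unknown" fallbacks, then the key=value extension) and parses it back the way a CEF receiver would, so a mapping can be checked for CEF compliance before it is forwarded. Its assumptions: a constructed severity table stands in for the get_cef_severity_fieldmap macro, whose mapping is not shown here; the get_cef_ip, get_cef_mac and get_cef_host macros are taken to emit the key that matches the shape of the value (IPv4, MAC address, or hostname); multivalue fields are joined with a comma rather than the search's "\n"; and timestamps are rendered in UTC.

```python
"""Added example, not code from the Splunk App for CEF or its add-on: build the
syslog-framed CEF line the search above assembles in _raw and parse it back."""
import re
import time
from typing import Dict, List

UNKNOWN = "unknown"  # the search's fallback for every missing header field
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
# Assumption: the app's get_cef_severity_fieldmap macro is not shown on the
# page, so this constructed table stands in for it.
SEVERITY = {"informational": 0, "low": 3, "medium": 5, "high": 8, "critical": 10}
EXTENSION_MAP = [("category", "cat"), ("app", "app"), ("action", "act"),  # same
                 ("src_user", "suser"), ("user", "duser")]  # pairs as the search

def _first(v, default=UNKNOWN) -> str:
    """Mirror case(mvcount(f)>=1, mvindex(f,0), 1=1, "unknown") on a multivalue field."""
    if isinstance(v, list):
        return str(v[0]) if v else default
    return default if v is None else str(v)

def _esc_header(s: str) -> str:  # header fields are pipe-delimited: escape "\" and "|"
    return s.replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(s: str) -> str:  # extension values escape "\", "=" and line breaks
    return (s.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def _endpoint(value, ip_key, mac_key, host_key) -> List[str]:
    # Assumed behaviour of get_cef_ip/get_cef_mac/get_cef_host: pick the key
    # that matches what the value looks like (IPv4, MAC address, or hostname).
    v = _first(value, "")
    if not v:
        return []
    key = ip_key if IPV4_RE.match(v) else mac_key if MAC_RE.match(v) else host_key
    return [f"{key}={_esc_ext(v)}"]

def to_cef(event: Dict[str, object]) -> str:
    """Assemble '<timestamp> <host> CEF:0|vendor|product|version|sig_id|name|severity|ext'."""
    # UTC for reproducibility; the search's strftime uses the indexer's time zone.
    ts = time.strftime("%b %d %H:%M:%S", time.gmtime(event.get("_time") or time.time()))
    host = _first(event.get("host"))
    # vendor/product fall back to sourcetype when missing or "unknown", as in the search
    vendor, product = _first(event.get("vendor")), _first(event.get("product"))
    if vendor == UNKNOWN:
        vendor = _first(event.get("sourcetype"))
    if product == UNKNOWN:
        product = _first(event.get("sourcetype"))
    name = _first(event.get("signature"))
    if name == UNKNOWN:
        name = _first(event.get("name"))
    severity = SEVERITY.get(_first(event.get("severity")).lower(), 0)
    header = "|".join(_esc_header(x) for x in (
        "CEF:0", vendor, product, _first(event.get("product_version")),
        _first(event.get("signature_id")), name, str(severity)))
    ext = (_endpoint(event.get("src"), "src", "smac", "shost")
           + _endpoint(event.get("dest"), "dst", "dmac", "dhost")
           + _endpoint(event.get("dvc"), "dvc", "deviceMacAddress", "dvchost"))
    for field, key in EXTENSION_MAP:
        vals = event.get(field)
        vals = vals if isinstance(vals, list) else ([vals] if vals is not None else [])
        if vals:  # the search joins multivalue fields; "," is this example's separator
            ext.append(f"{key}={_esc_ext(','.join(str(x) for x in vals))}")
    return f"{ts} {host} {header}|{' '.join(ext)}"

def _split_header(s: str) -> List[str]:
    """Split the 7 pipe-delimited header fields, honouring "\|" and "\\" escapes;
    the 8th element is the untouched extension string."""
    m = re.match(r"((?:(?:\\.|[^|\\])*)\|){7}", s)
    if not m:
        raise ValueError("need 7 pipe-delimited header fields")
    fields = re.findall(r"((?:\\.|[^|\\])*)\|", m.group(0))
    return [re.sub(r"\\(.)", r"\1", f) for f in fields] + [s[m.end():]]

def _unesc_ext(s: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), s)

def parse_cef(line: str) -> Dict[str, object]:
    """Parse a syslog-framed CEF line; raise ValueError if it is not CEF-compliant."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF: prefix")
    ts, _, host = line[:idx].strip().rpartition(" ")
    parts = _split_header(line[idx:])
    if not parts[6].isdigit() or not 0 <= int(parts[6]) <= 10:
        raise ValueError("severity must be an integer from 0 to 10")
    keys = list(EXT_KEY_RE.finditer(parts[7]))
    ext = {m[1]: _unesc_ext(parts[7][m.end():k.start() if k else len(parts[7])].rstrip())
           for m, k in zip(keys, keys[1:] + [None])}
    return {"timestamp": ts, "host": host, "cef_version": parts[0][4:], "vendor": parts[1],
            "product": parts[2], "version": parts[3], "signature_id": parts[4],
            "name": parts[5], "severity": parts[6], "extension": ext}

def is_cef(line: str) -> bool:
    try:
        parse_cef(line)
        return True
    except ValueError:
        return False
```

The parser is the check a receiver-side engineer wants when validating a new mapping: it rejects a line with fewer than seven header fields or a severity outside 0 to 10, and it unescapes \| and \= so that a pipe inside a signature name or an equals sign inside a user name does not shift the columns at the receiver.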
When you save this search, it runs immediately to filter and map data in real time. The running search is appended with the following command:
| cefout routing=<name_of_your_routing_group>
cefout is a custom streaming command that takes a single parameter, routing. The custom streaming command allows the search to perform summary indexing directly on indexers and then routes the output to the destination specified by the

The Splunk Add-on for CEF Output supplies the value for this parameter in its outputs.conf file. The app generates the add-on package to pass output routing instructions to the indexers. This add-on package contains the following configuration files.
- Contains packaging and basic information about the add-on.
- Performs read-only routing for CEF event output. Not used for data storage.
- Manages the batching and routing of CEF events.
- Defines the server addresses referenced by the output group names.
- Parses events into a CEF-compliant event structure.
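The following Python is an added example and is not the add-on's cefout command or its outputs.conf. It shows the last step described above in miniature: already-mapped CEF lines are routed by output-group name to one or more TCP syslog receivers, with a receiver side included so the exchange can be checked end to end on localhost. The OUTPUT_GROUPS dictionary is a constructed stand-in for the routing data the add-on carries in outputs.conf; the real file's stanza names and keys are not shown on this page, and the sample events are constructed in the shape the mapping search produces.

```python
"""Added example, not the add-on's cefout command or outputs.conf: route mapped
CEF lines by output-group name to TCP syslog receivers, with a loopback
receiver so the exchange can be verified."""
import socket
import threading
from typing import Dict, List, Tuple

# Constructed stand-in for the routing data the add-on's outputs.conf carries;
# the real file's stanza names and keys are not shown on the page.
OUTPUT_GROUPS: Dict[str, List[Tuple[str, int]]] = {
    "siem_primary": [("127.0.0.1", 5140)],
}

def frame(line: str) -> bytes:
    """Syslog over TCP here is newline-delimited, one event per line; a raw line
    break inside an event would be read as two events by the receiver."""
    if "\n" in line or "\r" in line:
        raise ValueError("CEF event contains an unescaped line break")
    return (line + "\n").encode("utf-8")

def forward(lines: List[str], routing: str, groups=OUTPUT_GROUPS) -> int:
    """Send the batch to every receiver in the named output group (the role of
    the routing parameter); returns the total number of bytes written."""
    payload = b"".join(frame(line) for line in lines)
    sent = 0
    for host, port in groups[routing]:
        with socket.create_connection((host, port), timeout=5) as sock:
            sock.sendall(payload)
            sent += len(payload)
    return sent

def receive(listener: socket.socket, expected: int) -> List[str]:
    """Receiver side: accept one connection and split the byte stream on newlines."""
    conn, _ = listener.accept()
    buf = b""
    with conn:
        conn.settimeout(5)
        while buf.count(b"\n") < expected:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.decode("utf-8").split("\n")[:-1]  # drop the empty tail after the last "\n"

def roundtrip(lines: List[str]) -> List[str]:
    """Run a loopback receiver on an ephemeral port, forward through an ad-hoc
    output group, and return what the receiver decoded."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    got: List[str] = []
    worker = threading.Thread(target=lambda: got.extend(receive(listener, len(lines))))
    worker.start()
    try:
        forward(lines, "loopback", {"loopback": [listener.getsockname()]})
    finally:
        worker.join(10)
        listener.close()
    return got

if __name__ == "__main__":
    # Constructed CEF events, in the shape the mapping search produces.
    events = [
        "Nov 14 22:13:20 dlp-sensor-01 CEF:0|acme:dlp|DataGuard|4.2|DLP-1042|Card number in email|8|src=10.1.2.3 act=blocked",
        "Nov 14 22:13:21 dlp-sensor-01 CEF:0|acme:dlp|DataGuard|4.2|DLP-2001|Bulk upload|5|src=10.1.2.9 dhost=files.example.com",
    ]
    print(roundtrip(events))
```

Two points carry over to a real deployment: the receiver recovers event boundaries only from newlines, which is why the mapping search must keep line breaks out of the event, and an output group that lists several receivers fans the same batch out to each of them, so a receiver that is down surfaces as a connection error on the indexer rather than as silently missing events.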
This documentation applies to the following versions of Splunk® App for CEF: 2.0.0, 2.0.1