Splunk® App for CEF

Deploy and Use Splunk App for CEF


How the Splunk App for CEF works

The diagram and table summarize how the Splunk App for CEF, and the Splunk Add-on for CEF Output that it produces, map data to the common event format and forward it to a third-party syslog receiver for processing.

[Diagram: CEF data flow from the search head, through the indexers, to the syslog receiver]

Step 1. For Splunk Enterprise, a Splunk admin installs the Splunk App for CEF on a search head.

After installation, a Splunk user uses the app to select a data model, map fields to the common event format, define output groups, and install an SSL certificate with a .pem extension.

For information about installing the app, see Install the Splunk App for CEF.

For information about using the app, see Define CEF mappings and output groups with the Splunk App for CEF.

Step 2. The Splunk App for CEF creates the Splunk Add-on for CEF Output, which contains the output instructions for the indexers. See Finish and export the Splunk Add-on for CEF Output.

Step 3. For Splunk Enterprise, a Splunk admin installs the Splunk Add-on for CEF Output on the indexer tier.

The indexers run the CEF mapping searches. Add indexers to scale horizontally.

See Deploy the Splunk Add-on for CEF Output to indexers.

Step 4. The indexers process the search jobs and use a custom command to output data to the syslog receivers in common event format over TCP. TLS over TCP is supported with the use of SSL certificates (optional for Splunk Enterprise); without TLS, the CEF events cross the network in clear text. See Technical implementation.

See SSL certificate.

Technical implementation

The Splunk App for CEF uses a data model search to filter events and map their fields into the pipe-delimited header fields and the space-separated key=value extension pairs that the CEF standard requires. For each subset of data, the app user defines the following:

  • the data model and specific dataset within that data model that describes the data
  • the attribute to CEF field mapping for all required fields
  • the addresses of the syslog receivers

The first two items that the user defines create the CEF mapping search. When you preview this search in the Save Search step, it looks like the following example.

| datamodel DLP DLP_Incidents search
| eval _raw=if(isnotnull(strftime('_time',"%b %d %H:%M:%S")),strftime('_time',"%b %d %H:%M:%S"),strftime(time(),"%b %d %H:%M:%S"))
    ." ".case(mvcount('host')>=1,mvindex('host',0),mvcount('host')>=1,mvindex('host',0),1=1,"unknown")
    ." "."CEF:".if(isnum(0),0,0)
    ."|".case(mvcount('vendor')>=1 AND mvindex('vendor',0)!="unknown",mvindex('vendor',0),mvcount('sourcetype')>=1,mvindex('sourcetype',0),1=1,"unknown")
    ."|".case(mvcount('product')>=1 AND mvindex('product',0)!="unknown",mvindex('product',0),mvcount('sourcetype')>=1,mvindex('sourcetype',0),1=1,"unknown")
    ."|".if(mvcount('product_version')>=1,mvindex('product_version',0),"unknown")
    ."|".if(mvcount('signature_id')>=1,mvindex('signature_id',0),"unknown")
    ."|".case(mvcount('DLP_Incidents.signature')>=1,mvindex('DLP_Incidents.signature',0),mvcount('name')>=1,mvindex('name',0),1=1,"unknown")
    ."|".`get_cef_severity_fieldmap(DLP_Incidents.severity)`
    ."|".`get_cef_ip(DLP_Incidents.src,src)`.`get_cef_mac(DLP_Incidents.src,smac)`.`get_cef_host(DLP_Incidents.src,shost)`
    .`get_cef_ip(DLP_Incidents.dest,dst)`.`get_cef_mac(DLP_Incidents.dest,dmac)`.`get_cef_host(DLP_Incidents.dest,dhost)`
    .`get_cef_ip(DLP_Incidents.dvc,dvc)`.`get_cef_mac(DLP_Incidents.dvc,deviceMacAddress)`.`get_cef_host(DLP_Incidents.dvc,dvchost)`
    .if(mvcount('DLP_Incidents.category')>=1,"cat=".mvjoin('DLP_Incidents.category',"\n")." ","")
    .if(mvcount('DLP_Incidents.app')>=1,"app=".mvjoin('DLP_Incidents.app',"\n")." ","")
    .if(mvcount('DLP_Incidents.action')>=1,"act=".mvjoin('DLP_Incidents.action',"\n")." ","")
    .if(mvcount('DLP_Incidents.src_user')>=1,"suser=".mvjoin('DLP_Incidents.src_user',"\n")." ","")
    .if(mvcount('DLP_Incidents.user')>=1,"duser=".mvjoin('DLP_Incidents.user',"\n")." ","")
| fields + _raw
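As an added example that is not part of the app or of this page, the following Python reproduces the mapping rules of the generated search above on a constructed DLP_Incidents event, so you can see the _raw value the search builds and check it with a parser. Two points are assumptions and are marked as such in the code: the body of the get_cef_severity_fieldmap macro, which the page does not show, and that get_cef_ip, get_cef_mac and get_cef_host emit only the key whose shape the value matches (IPv4, MAC, otherwise hostname). The example also applies the escaping the CEF specification requires, backslash and pipe in header fields and backslash, equals sign and newline in extension values; the generated search does not escape anything, so a product name or user name containing those characters would be mis-parsed by a strict receiver.

```python
import re
import time

# Constructed sample (not from the page): one DLP_Incidents row after field
# mapping. Multivalue fields are lists, as mvcount/mvindex/mvjoin see them.
SAMPLE_EVENT = {
    "_time": 1700000000,
    "host": ["dlp01.example.com"],
    "vendor": ["Acme"],
    "product": ["DLP|Monitor"],                     # '|' must be escaped in the header
    "product_version": ["4.2"],
    "signature_id": ["1001"],
    "DLP_Incidents.signature": ["Credit card number in email"],
    "DLP_Incidents.severity": ["high"],
    "DLP_Incidents.src": ["10.1.2.3"],
    "DLP_Incidents.dest": ["mail.example.net"],
    "DLP_Incidents.category": ["pci", "email"],
    "DLP_Incidents.action": ["blocked"],
    "DLP_Incidents.src_user": ["a=b@example.com"],  # '=' must be escaped in the extension
}

# Assumed body of the get_cef_severity_fieldmap macro; the page does not show it.
SEVERITY_MAP = {"informational": "0", "low": "3", "medium": "5", "high": "7", "critical": "10"}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
MAC = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def first(event, field, default="unknown"):
    """mvindex(field, 0), with the search's 'unknown' fallback when absent."""
    vals = event.get(field) or []
    return str(vals[0]) if vals else default


def vendor_or_product(event, field):
    """case(mvcount(f)>=1 AND f!="unknown", f, mvcount(sourcetype)>=1, sourcetype, 1=1, "unknown")."""
    v = first(event, field)
    return v if v != "unknown" else first(event, "sourcetype")


def esc_header(v):
    return v.replace("\\", "\\\\").replace("|", "\\|")


def esc_ext(v):
    return v.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def endpoint_ext(event, field, ip_key, mac_key, host_key):
    """Assumed behaviour of get_cef_ip/get_cef_mac/get_cef_host: emit only the
    key whose shape the value matches (IPv4, then MAC, otherwise hostname)."""
    v = first(event, field, default="")
    if not v:
        return ""
    key = ip_key if IPV4.match(v) else mac_key if MAC.match(v) else host_key
    return f"{key}={esc_ext(v)} "


def build_cef(event, sev_map=SEVERITY_MAP):
    """Build the syslog-prefixed CEF line that the mapping search stores in _raw."""
    ts = time.strftime("%b %d %H:%M:%S", time.gmtime(event["_time"]))  # the search uses indexer local time
    header = "|".join(esc_header(x) for x in (
        vendor_or_product(event, "vendor"),
        vendor_or_product(event, "product"),
        first(event, "product_version"),
        first(event, "signature_id"),
        first(event, "DLP_Incidents.signature", first(event, "name")),
        sev_map.get(first(event, "DLP_Incidents.severity").lower(), "unknown"),
    ))
    ext = (endpoint_ext(event, "DLP_Incidents.src", "src", "smac", "shost")
           + endpoint_ext(event, "DLP_Incidents.dest", "dst", "dmac", "dhost")
           + endpoint_ext(event, "DLP_Incidents.dvc", "dvc", "deviceMacAddress", "dvchost"))
    for key, field in (("cat", "DLP_Incidents.category"), ("app", "DLP_Incidents.app"),
                       ("act", "DLP_Incidents.action"), ("suser", "DLP_Incidents.src_user"),
                       ("duser", "DLP_Incidents.user")):
        vals = event.get(field) or []
        if vals:                                    # mvjoin(field, "\n"), then escaped
            ext += f"{key}={esc_ext(chr(10).join(map(str, vals)))} "
    return f"{ts} {first(event, 'host')} CEF:0|{header}|{ext.rstrip()}"


def _unescape(s):
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), s)


def parse_cef(line):
    """Parse a CEF line (syslog prefix allowed) honouring the escapes above.
    Returns the seven header fields and the extension as a dict."""
    cef = line[line.index("CEF:"):]
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:         # header ends at the seventh unescaped '|'
        if cef[i] == "\\":
            cur.append(cef[i:i + 2]); i += 2; continue
        if cef[i] == "|":
            fields.append(_unescape("".join(cur))); cur = []
        else:
            cur.append(cef[i])
        i += 1
    ext = cef[i:]
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", ext))
    extension = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        extension[m.group(1)] = _unescape(ext[m.end():end]).strip()
    return fields, extension


if __name__ == "__main__":
    line = build_cef(SAMPLE_EVENT)
    print(line)
    print(parse_cef(line))
```

The timestamp is formatted in UTC here, whereas the search's strftime uses the indexer's local time zone; the BSD syslog prefix carries no zone either way, so the indexers and the receiver need to agree on one or the receiver's event times will be skewed.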

When you save this search, it starts immediately and runs continuously, filtering and mapping data in real time. The running search has the following command appended to it:

| cefout routing=<name_of_your_routing_group>

cefout is a custom streaming command that takes a single parameter, routing. Because it is a streaming command, the search does its work on the indexers themselves, in the same way summary indexing does, and cefout then routes the mapped events to the destination that the routing parameter names.

The Splunk Add-on for CEF Output supplies the value for this parameter in its outputs.conf file. The app generates the add-on package to pass output routing instructions to the indexers. This add-on package contains the following configuration files.

  • app.conf: Contains packaging and basic information about the add-on.
  • indexes.conf: Performs read-only routing for CEF event output. Not used for data storage.
  • inputs.conf: Manages the batching and routing of CEF events.
  • outputs.conf: Defines the server addresses referenced by the output group names. If you configure an SSL certificate for your output group, this file also contains a pointer to the $SPLUNK_HOME/etc/apps/Splunk_TA_cefout/auth/<cert-name>.pem file.
  • props.conf: Parses events into CEF-compliant event structure.
  • <cert-name>.pem: Contains the server certificate, server key, and server CA certificate that match the target system, if you configure an SSL certificate for your output group. Because this file holds a private key, restrict read access to the Splunk service account on every indexer that receives the add-on.

SSL certificate

The Splunk App for CEF uses SSL certificates to encrypt the data it sends to the syslog receiver. This is optional on Splunk Enterprise. The only supported format is a single file with the .pem extension that contains the server certificate, the server key, and the server CA certificate, concatenated in that order. The server certificate, server key, and server CA certificate are those that reside on the target system or output group host, for example a syslog receiver. You can buy a server CA certificate from any public certificate authority or generate one from your own private CA. Because the file contains the private key, treat it as a secret: it is packaged into the add-on and copied to every indexer that receives it.

Procedure for creating the .pem file

  1. In a text editor, make a new file called <cert-name>.pem.
  2. Copy and paste the contents of your server certificate file into <cert-name>.pem.
  3. Copy and paste the contents of your server key file into <cert-name>.pem.
  4. Copy and paste the contents of your server CA file into <cert-name>.pem.
  5. Save <cert-name>.pem.

When creating the original server key file, you have the option of encrypting the key with a password. If your key is encrypted, then you need the password when creating an output group. See Use the Splunk App for CEF.

If you don't know whether the key is encrypted, open the .pem file in a text editor and compare its private key section with the following examples.

Example of an encrypted key

The RSA private key section contains Proc-Type and DEK-Info lines at the top if it is password-protected. (A key stored in PKCS#8 format has no such lines; it is password-protected if its block begins with -----BEGIN ENCRYPTED PRIVATE KEY----- and not if it begins with -----BEGIN PRIVATE KEY-----.)

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,Encrypted
DEK-Info: DES-CBC, 2B60CKKEIE7JNGKLIW4623
o8p...
-----END RSA PRIVATE KEY-----

Example of an unencrypted key

The RSA private key section does not contain Proc-Type and DEK-Info if it is not password-protected.

-----BEGIN RSA PRIVATE KEY-----
o8p...
-----END RSA PRIVATE KEY-----
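The bundling procedure above and the key inspection that follows it, as one added example that is not part of the app: this Python script assembles <cert-name>.pem in the required order from constructed placeholder PEM blocks, writes it readable only by its owner because it contains the private key, then checks the block order and reports whether the key is password-protected by looking for the Proc-Type and DEK-Info headers the page describes. It also recognises the PKCS#8 form (-----BEGIN ENCRYPTED PRIVATE KEY-----), which carries no such headers, and flags DES-CBC, the cipher in the page's example, as weak. The placeholder bodies are constructed and are not valid keys or certificates, and the names build_bundle, check_bundle and demo are this example's own.

```python
import os
import re
import stat
import tempfile

# Constructed PEM material (placeholder bodies, not real keys or certificates):
# enough structure for the checks below, which never decode the base64.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ0VSVA==\n-----END CERTIFICATE-----\n"
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nQ0EK\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,Encrypted\n"
                  "DEK-Info: DES-CBC,3F2A9C6D1E4B8A07\n\nS0VZ\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_KEY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nS0VZ\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_KEY_PKCS8 = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nS0VZ\n-----END ENCRYPTED PRIVATE KEY-----\n"

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)
WEAK_PEM_CIPHERS = {"DES-CBC"}   # single DES: 56-bit key, cheap to brute-force today


def pem_blocks(text):
    """Return (label, headers) for each PEM block, in file order. Headers are the
    RFC 1421 lines (Proc-Type, DEK-Info) that precede the base64 body."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        headers = {}
        for line in m.group(2).splitlines():
            if ":" not in line:
                break                       # body or the blank separator line: no more headers
            k, v = line.split(":", 1)
            headers[k.strip()] = v.strip()
        blocks.append((m.group(1), headers))
    return blocks


def key_status(block):
    """Classify a private key block as the page describes, plus the PKCS#8 case."""
    label, headers = block
    if label == "ENCRYPTED PRIVATE KEY":
        return "encrypted", "PKCS#8"
    if "PRIVATE KEY" not in label:
        return "not a key", None
    if headers.get("Proc-Type") == "4,Encrypted":
        return "encrypted", headers.get("DEK-Info", "").split(",")[0]
    return "unencrypted", None


def build_bundle(cert_pem, key_pem, ca_pem, out_path):
    """Write <cert-name>.pem in the required order: certificate, key, CA.
    The file holds a private key, so create it readable by the owner only."""
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        for part in (cert_pem, key_pem, ca_pem):
            f.write(part if part.endswith("\n") else part + "\n")
    os.chmod(out_path, 0o600)               # also tighten a file that already existed


def check_bundle(path):
    """Verify block order, report whether the key needs a password, and flag
    group- or world-readable permissions."""
    with open(path) as f:
        blocks = pem_blocks(f.read())
    labels = [b[0] for b in blocks]
    order_ok = (len(blocks) == 3 and labels[0] == "CERTIFICATE"
                and "PRIVATE KEY" in labels[1] and labels[2] == "CERTIFICATE")
    status, cipher = key_status(blocks[1]) if order_ok else ("missing", None)
    return {
        "order_ok": order_ok,
        "key": status,                      # "encrypted": the output group needs the password
        "cipher": cipher,
        "weak_cipher": cipher in WEAK_PEM_CIPHERS,
        "mode_ok": stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0,
    }


def demo():
    """Build the three key variants plus a wrongly ordered bundle in a temp dir."""
    d = tempfile.mkdtemp()
    results = {}
    for name, parts in {
        "legacy_encrypted": (SAMPLE_CERT, SAMPLE_KEY_ENC, SAMPLE_CA),
        "unencrypted": (SAMPLE_CERT, SAMPLE_KEY_PLAIN, SAMPLE_CA),
        "pkcs8_encrypted": (SAMPLE_CERT, SAMPLE_KEY_PKCS8, SAMPLE_CA),
        "wrong_order": (SAMPLE_KEY_PLAIN, SAMPLE_CERT, SAMPLE_CA),
    }.items():
        path = os.path.join(d, name + ".pem")
        build_bundle(*parts, path)
        results[name] = check_bundle(path)
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:18} order_ok={r['order_ok']} key={r['key']} cipher={r['cipher']} "
              f"weak={r['weak_cipher']} mode_ok={r['mode_ok']}")
```

Run check_bundle against the real file before you export the add-on: a key reported as encrypted means you must supply its password when you create the output group, and a weak_cipher result is a reason to re-export the key under a modern cipher before it is distributed to the indexers.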

This documentation applies to the following versions of Splunk® App for CEF: 2.1.0

