Common Event Format (CEF)is an extensible, text-based format designed to support multiple device types. CEF defines a syntax for log records comprising a standard header and a variable extension, formatted as key-value pairs.

Most network and security systems support either Syslog or CEF as a means for sending data. Graylog provides the option to ingest CEF messages over UDP, TCP, or Kafka and AMQP as a queuing system.

CEF TCP

To launch a new CEF TCP input:

  1. Navigate to System > Inputs.

  2. Select CEF TCP from the input options and click the Launch new input  button.

  3. Enter your configuration parameters in the pop-up configuration form.

Configuration Parameters

  • Global

    • Select this check box to enable the input on all Graylog nodes, or keep it unchecked to enable the input on a specific node.

  • Title

    • Assign a title to the input. Example: “CEF TCP Input for XYZ Source”.

  • Bind address

    • Enter an IP address for this input to listen on. The source system/data sends logs to this IP/input.

  • Port

    • Enter a port to use in conjunction with the IP address.

  • Timezone

    • Select the timestamp configured on the system that is sending CEF messages. If the sender does not include the timezone information, you can configure the timezone applied to the messages on arrival. That configuration does not overwrite the timezone included in the timestamp; however, it is the assumed timezone for messages that do not include timezone information.

  • Receive Buffer Size (optional)

    • Depending on the amount of traffic being ingested by the input, this value should be large enough to ensure proper flow of data but small enough to prevent the system from spending resources trying to process the buffered data.

  • No. of worker threads

    • This setting controls how many concurrent threads are used to process incoming data. Increasing the number of threads can enhance data processing speed, resulting in improved throughput. The ideal number of threads to configure depends on the available CPU cores on your Graylog server. A common starting point is to align the number of worker threads with the number of CPU cores. However, it is crucial to strike a balance with other server demands.

Hint: The TLS-related settings that follow ensure that only valid sources can send messages to the input securely.

  • TLS cert file (optional)

    • The certificate file that is stored on a Graylog system. The value of this field is a path (/path/to/file) that Graylog should have access to.

  • TLS private key file (optional)

    • The certificate private key file that is stored on a Graylog system. The value of this field is a path (/path/to/file) that Graylog should have access to.

  • Enable TLS

    • Select this option if this input should use TLS.

  • TLS key password (optional)

    • The private key password.

  • TLS client authentication (optional)

    • If you want to require authentication, set this value to optional or required.

  • TLS Client Auth Trusted Certs (optional)

    • The path where client (source) certificates are located on a Graylog system. The value of this field is a path (/path/to/file) that Graylog should have access to.

  • TCP keepalive

    • Enable this option if you want the input to support TCP keep-alive packets to prevent idle connections.

  • Null frame delimeter

    • This option is typically left unchecked. New line is the delimiter for each message.

  • Maximum message size (optional)

    • The maximum message size of the message. The default value should suffice but can be modified depending on message length. Each input type usually has specifications that note the maximum length of a message.

  • Locale (optional)

    • This setting is used to determine the language of the message.

  • Use full field name

    • The CEF key name is usually used as the field name. Select this option if the full field name should be used.

CEF UDP

To launch a new CEF UDP input:

  1. Navigate to System > Inputs.

  2. Select CEF UDP  from the input options and click the Launch new input  button.

  3. Enter your configuration parameters in the pop-up configuration form.

Configuration Parameters

  • Global

    • Select this check box to enable the input on all Graylog nodes, or keep it unchecked to enable the input on a specific node.

  • Title

    • Assign a title to the input. Example: “CEF UDP Input for XYZ Source”.

  • Bind address

    • Enter an IP address for this input to listen on. The source system/data sends logs to this IP/input.

  • Port

    • Enter a port to use in conjunction with the IP address.

  • Timezone

    • Select the timestamp configured on the system that is sending CEF messages. If the sender does not include the timezone information, you can configure the timezone applied to the messages on arrival. That configuration does not overwrite the timezone included in the timestamp; however, it is the assumed timezone for messages that do not include timezone information.

  • Receive Buffer Size (optional)

    • Depending on the amount of traffic being ingested by the input, this value should be large enough to ensure proper flow of data but small enough to prevent the system from spending resources trying to process the buffered data.

  • No. of worker threads

    • This setting controls how many concurrent threads are used to process incoming data. Increasing the number of threads can enhance data processing speed, resulting in improved throughput. The ideal number of threads to configure depends on the available CPU cores on your Graylog server. A common starting point is to align the number of worker threads with the number of CPU cores. However, it is crucial to strike a balance with other server demands.

  • Locale (optional)

    • This setting is used to determine the language of the message.