CEF format support

SAYMON supports sending security messages in the CEF format.

The message uses the following format:

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

where:

  • Version — CEF format version; SAYMON uses version 0.

  • Device Vendor — ROSSINNO

  • Device Product — SAYMON

  • Device Version — SAYMON version.

  • Signature ID — unique security event ID.

  • Name — security event name.

  • Severity — event severity.

  • Extension — additional information about the security event.

Extension field

The Extension field contains the following fields:

Identifying fields

  • dproc — one of the text values saymon-server or auth.log

  • suser — subject of the action

  • src — IP address of the subject

  • shost — DNS name of the subject

  • dst — IP address of the saymon-server

  • dhost — DNS name of the saymon-server

Action result

  • outcome — one of the text values Failure or Success

  • msg — additional information about the action, in JSON format

Optional fields

The table below lists optional event-specific fields.

Field   Description                 Events
cn1     Session ID                  AAA, AAC, AAF, AAK, AAE, AAO
cn3     Number 3                    AAA, AAC, AAF, AAK, AAE, AAO
fname   Object ID                   OCA, OCD, OCH
duser   Login of the affected user  CUA, CUP, CUD, PAR
reason  Error reason                Events from the faults channel
cs1     Password text               PCH, PAR

Examples

Examples of security messages in the CEF format.

Exit the shell on the SAYMON server:

CEF:0|ROSSINNO|SAYMON|3.12.86|AA-CLI|CRON|6|dproc=auth.log end=1709205421000 msg="pam_unix(cron:session): session closed for user root"

Login via SAYMON web interface:

CEF:0|ROSSINNO|SAYMON|3.12.86|AAA|Session is opened|3|dproc=saymon-server end=1709194963050 outcome=Success suser= src=10.0.2.2 shost=_gateway dst=127.0.0.1 dhost=127.0.0.2 cn1=23e57682f98e0cebe1b1979e6c0b71a9 cn3=3  msg={"startTime":1709194963011,"expiredAt":1709198563011,"userId":"5e4cd4668f7a9c6f9a128e16","login":"admin","sessionId":"23e57682f98e0cebe1b1979e6c0b71a9"}

Add new object:

CEF:0|ROSSINNO|SAYMON|3.12.86|OCA|Adding an object|3|dproc=saymon-server end=1709194977890 outcome=Success suser=admin src=10.0.2.2 shost=_gateway dst=127.0.0.1 dhost=127.0.0.2 fname=65e03ee10b298625a3a9fae1  msg={"entityType":"Object","entityId":"65e03ee10b298625a3a9fae1","kind":"Object"}

Delete object:

CEF:0|ROSSINNO|SAYMON|3.12.86|OCD|Deleting an object|8|dproc=saymon-server end=1709195003861 outcome=Success suser=admin src=10.0.2.2 shost=_gateway dst=127.0.0.1 dhost=127.0.0.2 fname=65e03ee10b298625a3a9fae1  msg={"entityType":"Object","entityId":"65e03ee10b298625a3a9fae1","kind":"Object"}

Change user permissions:

CEF:0|ROSSINNO|SAYMON|3.12.86|CPU|Change user permissions|3|dproc=saymon-server end=1709195023216 outcome=Success suser=admin src=10.0.2.2 shost=_gateway dst=127.0.0.1 dhost=127.0.0.2  msg={"entityType":"User","entityId":"65a527d3679b6d24f8fce0d1","changes":{"permissions":["read-security-log"]},"action":"user props changing","details":{"login":"dgu_user"}}

Administrator resets user’s password:

CEF:0|ROSSINNO|SAYMON|3.12.86|PAR|Reset user password by admin|3|dproc=saymon-server end=1709195040369 outcome=Success suser=admin src=10.0.2.2 shost=_gateway dst=127.0.0.1 dhost=127.0.0.2 duser=dgu_user cs1=Password  msg={"entityType":"User","entityId":"65a527d3679b6d24f8fce0d1","changes":{"changePasswordOnNextLogin":true},"action":"user props changing","details":{"login":"dgu_user"}}

Authentication error:

CEF:0|ROSSINNO|SAYMON|3.12.86|AAF|Authorization error|8|dproc=saymon-server end=1709195078104 outcome=Failure suser= src=10.0.2.2 shost=_gateway dst=127.0.0.1 dhost=127.0.0.2 cn3=3 reason="User not found"  msg={"remoteAddress":"10.0.2.2","login":"badUser","message":"User not found"}

Password change is required during login:

CEF:0|ROSSINNO|SAYMON|3.12.86|AAF|Authorization error|8|dproc=saymon-server end=1709195096722 outcome=Failure suser=dgu_user src=10.0.2.2 shost=_gateway dst=127.0.0.1 dhost=127.0.0.2 cn3=3 reason="Password change is required."  msg={"errorCode":31,"message":"Password change is required."}

User changes password:

CEF:0|ROSSINNO|SAYMON|3.12.86|PCH|Password change by user|3|dproc=saymon-server end=1709195114624 outcome=Success suser=dgu_user src= shost= dst= dhost= cs1=Password  msg={"entityType":"User","entityId":"65a527d3679b6d24f8fce0d1","changes":{"passwordHash":"**","changePasswordOnNextLogin":false},"action":"user props changing","details":{"login":"dgu_user"}}
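The following parser is an added example for this page, not SAYMON's or ROSSINNO's own code. It reads the header and Extension layout documented above (pipe-separated header; space-separated key=value pairs whose values may be empty, double-quoted, or a JSON object, as in the msg field) and then runs one simple check a SIEM engineer would typically build on top of such messages: counting failed AAF authorization events per source address. The function names parse_cef, parse_extension and failed_logins_by_source are this example's own; the sample lines are copied from the examples on this page. The extension grammar assumed here (a value runs up to the next "key=" token) covers every message shown above, and the code says where that assumption would break.

```python
"""Parse SAYMON CEF security messages and count failed logins per source.

Added example, not SAYMON/ROSSINNO code. Assumes only the CEF layout documented
on this page: a pipe-separated header and a space-separated key=value extension
in which a value may be empty, double-quoted, or a JSON object (msg).
"""
import json
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Any, Dict, List

# Split the header on pipes that are not escaped as "\|" (CEF header escaping).
HEADER_SPLIT_RE = re.compile(r"(?<!\\)\|")
# A key is letters/digits directly followed by "=", at the start of the extension
# or after whitespace; a value runs from there up to the next such key.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9]*)=")


@dataclass
class CefEvent:
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: int
    extension: Dict[str, str] = field(default_factory=dict)
    msg: Any = None  # decoded JSON object when msg was JSON, otherwise the raw text


def _unescape_header(value: str) -> str:
    return value.replace(r"\|", "|").replace("\\\\", "\\")


def parse_extension(ext: str) -> Dict[str, str]:
    """Return the key=value pairs of a CEF extension.

    Spaces inside quoted reasons or JSON are kept because a value only ends at the
    next "key=" token; empty values such as "suser=" map to "".
    Assumption/limitation: a literal " word=" inside a JSON value would be read as
    a new key, which none of the documented messages contain.
    """
    fields: Dict[str, str] = {}
    keys = list(KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        start = m.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        value = ext[start:end].strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[m.group(1)] = value
    return fields


def parse_cef(line: str) -> CefEvent:
    parts = HEADER_SPLIT_RE.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF message: %r" % line[:40])
    header = [_unescape_header(p) for p in parts[:7]]
    ext = parse_extension(parts[7])
    msg: Any = ext.get("msg")
    if isinstance(msg, str) and msg.startswith("{"):
        try:
            msg = json.loads(msg)
        except json.JSONDecodeError:
            pass  # keep the raw text if the payload is not valid JSON
    return CefEvent(
        version=header[0][len("CEF:"):],
        vendor=header[1],
        product=header[2],
        device_version=header[3],
        signature_id=header[4],
        name=header[5],
        severity=int(header[6]),
        extension=ext,
        msg=msg,
    )


def failed_logins_by_source(lines: List[str]) -> Counter:
    """Count AAF (authorization error) events with outcome=Failure per src."""
    hits: Counter = Counter()
    for line in lines:
        ev = parse_cef(line)
        if ev.signature_id == "AAF" and ev.extension.get("outcome") == "Failure":
            hits[ev.extension.get("src", "")] += 1
    return hits


# Sample messages copied from the examples on this page.
SAMPLE_LINES = [
    'CEF:0|ROSSINNO|SAYMON|3.12.86|AA-CLI|CRON|6|dproc=auth.log end=1709205421000 msg="pam_unix(cron:session): session closed for user root"',
    'CEF:0|ROSSINNO|SAYMON|3.12.86|AAA|Session is opened|3|dproc=saymon-server end=1709194963050 outcome=Success suser= src=10.0.2.2 shost=_gateway dst=127.0.0.1 dhost=127.0.0.2 cn1=23e57682f98e0cebe1b1979e6c0b71a9 cn3=3  msg={"startTime":1709194963011,"expiredAt":1709198563011,"userId":"5e4cd4668f7a9c6f9a128e16","login":"admin","sessionId":"23e57682f98e0cebe1b1979e6c0b71a9"}',
    'CEF:0|ROSSINNO|SAYMON|3.12.86|AAF|Authorization error|8|dproc=saymon-server end=1709195078104 outcome=Failure suser= src=10.0.2.2 shost=_gateway dst=127.0.0.1 dhost=127.0.0.2 cn3=3 reason="User not found"  msg={"remoteAddress":"10.0.2.2","login":"badUser","message":"User not found"}',
    'CEF:0|ROSSINNO|SAYMON|3.12.86|AAF|Authorization error|8|dproc=saymon-server end=1709195096722 outcome=Failure suser=dgu_user src=10.0.2.2 shost=_gateway dst=127.0.0.1 dhost=127.0.0.2 cn3=3 reason="Password change is required."  msg={"errorCode":31,"message":"Password change is required."}',
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        ev = parse_cef(raw)
        print(ev.signature_id, ev.name, ev.severity,
              ev.extension.get("outcome"), ev.extension.get("reason"))
    print(failed_logins_by_source(SAMPLE_LINES))
```

Note that the suser field is empty in the AAA and the first AAF message; the parser keeps it as an empty string rather than dropping it, so a rule can distinguish "no subject recorded" from "field absent". The session ID is carried twice (cn1 and msg.sessionId), which is a convenient consistency check when correlating AAA with the later session events listed for cn1.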