CEF format support

SAYMON supports sending security messages in the CEF format.

The message uses the following format:

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

where:

- Version – CEF format version. SAYMON uses version 0.
- Device Vendor – ROSSINNO.
- Device Product – SAYMON.
- Device Version – SAYMON version.
- Signature ID – unique security event ID.
- Name – security event name.
- Severity – event severity.
- Extension – additional information about the security event.
Extension field

The Extension field contains the following fields:

Identifying fields

- dproc – saymon-server or auth.log (the source of the event)
- suser – subject of the action
- src – subject's IP address
- shost – subject's DNS name
- dst – IP address of the saymon-server
- dhost – DNS name of the saymon-server

Action result

- outcome – Failure or Success
- msg – additional information about the action in JSON format
Optional fields

The table below lists optional event-specific fields. The CEF key in the first column is the one under which each field appears in the examples below.

Field | Description | Events
---|---|---
cn1 | Session ID | AAA, AAC, AAF, AAK, AAE, AAO
cn3 | Number | AAA, AAC, AAF, AAK, AAE, AAO
fname | Object ID | OCA, OCD, OCH
duser | Login of the affected user | CUA, CUP, CUD, PAR
reason | Error reason | Events from
cs1 | Password text | PCH, PAR
Example

Examples of security messages in the CEF format:
Exit the shell on the SAYMON server:
CEF:0|ROSSINNO|SAYMON|3.12.86|AA-CLI|CRON|6|dproc=auth.log end=1709205421000 msg="pam_unix(cron:session): session closed for user root"
Login via SAYMON web interface:
CEF:0|ROSSINNO|SAYMON|3.12.86|AAA|Session is opened|3|dproc=saymon-server end=1709194963050 outcome=Success suser= src=10.0.2.2 shost=_gateway dst=127.0.0.1 dhost=127.0.0.2 cn1=23e57682f98e0cebe1b1979e6c0b71a9 cn3=3 msg={"startTime":1709194963011,"expiredAt":1709198563011,"userId":"5e4cd4668f7a9c6f9a128e16","login":"admin","sessionId":"23e57682f98e0cebe1b1979e6c0b71a9"}
Add new object:
CEF:0|ROSSINNO|SAYMON|3.12.86|OCA|Adding an object|3|dproc=saymon-server end=1709194977890 outcome=Success suser=admin src=10.0.2.2 shost=_gateway dst=127.0.0.1 dhost=127.0.0.2 fname=65e03ee10b298625a3a9fae1 msg={"entityType":"Object","entityId":"65e03ee10b298625a3a9fae1","kind":"Object"}
Delete object:
CEF:0|ROSSINNO|SAYMON|3.12.86|OCD|Deleting an object|8|dproc=saymon-server end=1709195003861 outcome=Success suser=admin src=10.0.2.2 shost=_gateway dst=127.0.0.1 dhost=127.0.0.2 fname=65e03ee10b298625a3a9fae1 msg={"entityType":"Object","entityId":"65e03ee10b298625a3a9fae1","kind":"Object"}
Change user permissions:
CEF:0|ROSSINNO|SAYMON|3.12.86|CPU|Change user permissions|3|dproc=saymon-server end=1709195023216 outcome=Success suser=admin src=10.0.2.2 shost=_gateway dst=127.0.0.1 dhost=127.0.0.2 msg={"entityType":"User","entityId":"65a527d3679b6d24f8fce0d1","changes":{"permissions":["read-security-log"]},"action":"user props changing","details":{"login":"dgu_user"}}
Administrator resets user’s password:
CEF:0|ROSSINNO|SAYMON|3.12.86|PAR|Reset user password by admin|3|dproc=saymon-server end=1709195040369 outcome=Success suser=admin src=10.0.2.2 shost=_gateway dst=127.0.0.1 dhost=127.0.0.2 duser=dgu_user cs1=Password msg={"entityType":"User","entityId":"65a527d3679b6d24f8fce0d1","changes":{"changePasswordOnNextLogin":true},"action":"user props changing","details":{"login":"dgu_user"}}
Authentication error:
CEF:0|ROSSINNO|SAYMON|3.12.86|AAF|Authorization error|8|dproc=saymon-server end=1709195078104 outcome=Failure suser= src=10.0.2.2 shost=_gateway dst=127.0.0.1 dhost=127.0.0.2 cn3=3 reason="User not found" msg={"remoteAddress":"10.0.2.2","login":"badUser","message":"User not found"}
Password change is required during login:
CEF:0|ROSSINNO|SAYMON|3.12.86|AAF|Authorization error|8|dproc=saymon-server end=1709195096722 outcome=Failure suser=dgu_user src=10.0.2.2 shost=_gateway dst=127.0.0.1 dhost=127.0.0.2 cn3=3 reason="Password change is required." msg={"errorCode":31,"message":"Password change is required."}
User changes password:
CEF:0|ROSSINNO|SAYMON|3.12.86|PCH|Password change by user|3|dproc=saymon-server end=1709195114624 outcome=Success suser=dgu_user src= shost= dst= dhost= cs1=Password msg={"entityType":"User","entityId":"65a527d3679b6d24f8fce0d1","changes":{"passwordHash":"**","changePasswordOnNextLogin":false},"action":"user props changing","details":{"login":"dgu_user"}}