dkeller Outstanding Contributor.

Raw cef event in CORRE database

Hello,

Does anyone know if and where the raw cef string is stored in the corre database? I found two fields - arc_raw_event and arc_cef_others - which seemed good candidates, but both of them are empty.

Querying all the fields in the database event schema I did not find the entire raw event (CEF:0|...). Here's what I got:

arc_deviceVendor | arc_deviceProduct | arc_deviceVersion | arc_deviceEventClassId                   | arc_name                            | arc_agentSeverity | arc_agentAddress | arc_agentHostName | arc_agentNtDomain | arc_agentType | arc_agentZoneURI | arc_applicationProtocol | arc_baseEventCount | arc_bytesIn | arc_bytesOut | arc_categoryBehavior  | arc_categoryDeviceGroup | arc_categoryObject     | arc_categoryOutcome | arc_categorySignificance | arc_categoryTechnique | arc_customerName | arc_destinationAddress | arc_destinationDnsDomain | arc_destinationHostName | arc_destinationMacAddress | arc_destinationNtDomain | arc_destinationPort | arc_destinationProcessName | arc_destinationServiceName | arc_destinationTranslatedAddress | arc_destinationUserId | arc_destinationUserName | arc_destinationUserPrivileges | arc_destinationZoneURI | arc_deviceAction | arc_deviceAddress | arc_deviceCustomDate1 | arc_deviceCustomDate1Label | arc_deviceCustomDate2 | arc_deviceCustomDate2Label | arc_deviceCustomNumber1 | arc_deviceCustomNumber1Label | arc_deviceCustomNumber2 | arc_deviceCustomNumber2Label | arc_deviceCustomNumber3 | arc_deviceCustomNumber3Label | arc_deviceCustomString1 | arc_deviceCustomString1Label | arc_deviceCustomString2 | arc_deviceCustomString2Label | arc_deviceCustomString3             | arc_deviceCustomString3Label | arc_deviceCustomString4 | arc_deviceCustomString4Label | arc_deviceCustomString5 | arc_deviceCustomString5Label | arc_deviceCustomString6 | arc_deviceCustomString6Label | arc_deviceEventCategory | arc_deviceExternalId | arc_deviceInboundInterface | arc_deviceHostName | arc_deviceOutboundInterface | arc_deviceSeverity | arc_deviceZoneURI | arc_endTime           | arc_deviceReceiptTime | arc_eventId | arc_externalId | arc_fileName | arc_filePath | arc_flexDate1 | arc_flexDate1Label | arc_flexNumber1 | arc_flexNumber1Label | arc_flexNumber2 | arc_flexNumber2Label | arc_flexString1 | arc_flexString1Label | arc_flexString2 | arc_flexString2Label 
| arc_message | arc_priority | arc_requestClientApplication | arc_requestContext | arc_requestMethod | arc_requestUrl | arc_requestUrlFileName | arc_requestUrlQuery | arc_sessionId | arc_sourceAddress | arc_sourceHostName | arc_sourceMacAddress | arc_sourceNtDomain | arc_sourcePort | arc_sourceProcessName | arc_sourceServiceName | arc_sourceTranslatedAddress | arc_sourceUserId | arc_sourceUserName | arc_sourceUserPrivileges | arc_sourceZoneURI | arc_startTime         | arc_transportProtocol | arc_type | arc_vulnerabilityExternalID | arc_vulnerabilityURI | arc_agentZone | arc_agentZoneName | arc_agentZoneResource | arc_destinationZone | arc_destinationZoneName | arc_destinationZoneResource | arc_deviceZone | arc_deviceZoneName | arc_deviceZoneResource | arc_sourceZone | arc_sourceZoneName | arc_sourceZoneResource | arc_agt_descriptor_id | arc_agt_trans_address | arc_agt_id                | arc_agt_mac_address | arc_agt_receipt_time    | arc_asset_criticality | arc_agt_time_zone   | arc_agt_version | arc_dvc_custom_ipv6_address1 | arc_dvc_custom_ipv6_address2 | arc_dvc_custom_ipv6_address3 | arc_dvc_custom_ipv6_address4 | arc_cat_custom_format_field | arc_cat_descriptor_id | arc_cat_device_type | arc_cat_tuple_description | arc_dvc_custom_floating_point1 | arc_dvc_custom_floating_point2 | arc_dvc_custom_floating_point3 | arc_dvc_custom_floating_point4 | arc_crypto_signature | arc_customer | arc_dest_asset_id | arc_dest_geo_id | arc_dest_trans_port | arc_dest_trans_zone | arc_dvc_descriptor_id | arc_dvc_direction | arc_dvc_domain | arc_dvc_payload_id | arc_dest_geo_latitude | arc_dest_geo_longitude | arc_domain | arc_dest_process_id | arc_dvc_time_zone   | arc_dvc_mac_address | arc_dvc_process_id | arc_event_outcome | arc_f_dvc_descriptor_id | arc_f_dvc_product | arc_f_dvc_vendor | arc_f_dvc_version | arc_f_dvc_asset_id | arc_f_dvc_dns_domain | arc_f_dvc_external_id | arc_f_dvc_facility | arc_f_dvc_inbound_interface | arc_f_dvc_nt_domain | arc_f_dvc_outbound_interface 
| arc_f_dvc_process_name | arc_f_dvc_trans_address | arc_f_dvc_trans_zone | arc_f_dvc_zone | arc_f_dvc_time_zone | arc_f_dvc_address | arc_f_dvc_host_name | arc_f_dvc_mac_address | arc_file_create_time | arc_file_hash | arc_file_id | arc_file_modification_time | arc_file_permission | arc_file_type | arc_file_size | arc_generator | arc_lbl_descriptor_id | arc_locality | arc_model_confidence | arc_manager_receipt_time | arc_o_agt_descriptor_id | arc_o_agt_asset_id        | arc_o_agt_dns_domain | arc_o_agt_nt_domain | arc_o_agt_trans_address | arc_o_agt_trans_zone | arc_o_agt_zone | arc_o_agt_address | arc_o_agt_host_name | arc_o_agt_id              | arc_o_agt_mac_address | arc_o_agt_type | arc_o_agt_time_zone | arc_o_agt_version | arc_old_file_create_time | arc_old_file_hash | arc_old_file_id | arc_old_file_modification_time | arc_old_file_name | arc_old_file_path | arc_old_file_permission | arc_old_file_type | arc_old_file_size | arc_originator | arc_persistence | arc_raw_event | arc_reason | arc_relevance | arc_request_cookies | arc_rule_thread_id | arc_severity | arc_src_geo_latitude | arc_src_geo_longitude | arc_src_asset_id | arc_src_dns_domain | arc_src_geo_id | arc_src_trans_port | arc_src_trans_zone | arc_src_process_id | arc_correlated_event_id | arc_base_event_ids | arc_src_geo_postal_code | arc_src_geo_country_code | arc_src_geo_region_code | arc_src_geo_location_info | arc_dest_geo_postal_code | arc_dest_geo_country_code | arc_dest_geo_region_code | arc_dest_geo_location_info | arc_agt_trans_zone | arc_agt_asset_id          | arc_agt_dns_domain | arc_dvc_facility | arc_dvc_dns_domain | arc_dvc_nt_domain | arc_dvc_trans_address | arc_dvc_trans_zone | arc_dvc_asset_id | arc_dvc_process_name | arc_lbl_string1_label | arc_lbl_string2_label | arc_lbl_string3_label | arc_lbl_string4_label | arc_lbl_string5_label       | arc_lbl_string6_label | arc_lbl_number1_label | arc_lbl_number2_label | arc_lbl_number3_label | arc_lbl_date1_label | arc_lbl_date2_label | 
arc_lbl_floating_point1_label | arc_lbl_floating_point2_label | arc_lbl_floating_point3_label | arc_lbl_floating_point4_label | arc_lbl_ipv6_address1_label | arc_lbl_ipv6_address2_label | arc_lbl_ipv6_address3_label | arc_lbl_ipv6_address4_label | arc_cef_others | arc__a | arc__b | arc__c | arc__d | arc__e | arc__f | arc__g | arc__h | arc__i | arc__j | arc__k | arc__l | arc__m | arc__n | arc__o | arc__p | arc__q | arc__r | arc__s | arc__t | arc__u | arc__v | arc__w | arc__x | arc__y | arc__z | arc__1 | arc__2 | arc__3 | arc__4 | arc__5 | arc__6 | arc__7 | arc__8 | arc__9 | arc__0 | arc__fs | arc__bs | arc__others | arc_eventTime           | arc_rowId                | arc_deviceName | arc_ROSrowId | arc_peerName | arc_receiver | arc_source | arc_sourceType


pbrettle Acclaimed Contributor.

Re: Raw cef event in CORRE database

Stupid response of the day - but did you turn on "Preserve Raw event" at the connector? If you have, the connector will parse the data, but then place it into the rawEvent field as needed. Otherwise the data field is left empty and hence does not consume space.

It's off by default (so we don't consume space), but it doesn't necessarily work for all log sources. For example, structured data from a database connector may or may not actually get applied into the rawEvent field. It's structured, so it's not actually raw in the same definition as, say, a syslog message would be.

Hope this helps.
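A quick way to check the point made in this reply per connector, as an added example that is not part of the thread: count, for each agent, how many stored rows actually carry a populated arc_raw_event (and arc_cef_others), so connectors that still have "Preserve Raw Event" off, or source types where it does not apply, show up with zero. It assumes the event table is called `events` (a placeholder; the thread does not name the table) and uses the column names from the schema listing in the question.

```sql
-- Added example, not from the thread. "events" is a placeholder table name.
-- Column names are taken from the poster's schema listing.
SELECT
    arc_agentHostName,
    arc_agentType,
    COUNT(*)                                                   AS total_events,
    SUM(CASE WHEN arc_raw_event IS NOT NULL
              AND arc_raw_event <> '' THEN 1 ELSE 0 END)       AS with_raw_event,
    SUM(CASE WHEN arc_cef_others IS NOT NULL
              AND arc_cef_others <> '' THEN 1 ELSE 0 END)      AS with_cef_others,
    MIN(arc_manager_receipt_time)                              AS first_seen,
    MAX(arc_manager_receipt_time)                              AS last_seen
FROM events
-- constructed cut-off so the scan does not cover the whole retention window
WHERE arc_manager_receipt_time >= '2015-10-07 00:00:00'
GROUP BY arc_agentHostName, arc_agentType
-- connectors with no preserved raw events sort to the top
ORDER BY with_raw_event ASC, total_events DESC;
```

If the database folds unquoted identifiers to lower case, the camelCase columns (arc_agentHostName, arc_agentType) need to be double-quoted exactly as they appear in the listing.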

dkeller Outstanding Contributor.

Re: Raw cef event in CORRE database

Stupid admission of the day - you are right!

Note to self: Bang head here --> X
