Where can I get the CEF key name for the ESM field name?
In the FortinetFortiGate CEF guide, there is an ArcSight ESM Field name for every FortiGate log. It only maps the ArcSight ESM Field and not the real CEF key name.
ArcSight ESM Field       Device-Specific Field
Device Event Class ID    One of (logid, log_id)
Device Event Category    type plus subtype
File Name                One of (file, msg)
How do I find the CEF Key Name for each ArcSight ESM Field name? What is the real CEF name?
deviceEventCategory is cat. deviceEventClassId is taken from the Signature ID field in the header; this one's a little confusing, as I don't think the guide actually spells it out anywhere.
Thanks Richard, that was the answer I was looking for. I also found the Logger Admin guide which is the missing link.
I don't mean to hijack the thread, but the other major issue I am having is that ESM cannot handle commas in the msg field. Is there a recommendation on how commas should be handled? Should they just be removed altogether from the message?
Not sure why there'd be an issue with commas. Testing it now, ESM seems OK with a comma in the Message field when sent from the Replay connector. Strings in CEF are UTF-8 encoded (not that commas are encoded differently in different character sets) and they're not a reserved character in CEF. What makes you think there's an issue?
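The two answers above make two separate points: the ESM-field-to-CEF-key mapping (cat for deviceEventCategory, the Signature ID header slot for deviceEventClassId) and the fact that commas are not reserved in CEF, only backslash, pipe (in the header) and equals (in extension values) are. The following is an added example, not code from the thread, the FortiGate CEF guide or ArcSight: a small CEF encoder and parser that builds a constructed FortiGate-style event with commas in msg and shows it surviving a round trip, while characters that really do need escaping are handled. The vendor/product/version strings and the logid value are constructed sample values; the key names cat, msg and fname are the standard CEF extension keys.

```python
import re

# Extension keys defined by the CEF standard for the ESM fields named in the thread.
# deviceEventClassId has no extension key: it is carried by the Signature ID header slot.
ESM_TO_CEF_KEY = {
    "deviceEventCategory": "cat",
    "message": "msg",
    "fileName": "fname",
}

HEADER_FIELDS = ["version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity"]


def esm_to_cef_key(esm_field):
    """Return the extension key for an ESM field, or None when it lives in the header."""
    return ESM_TO_CEF_KEY.get(esm_field)


def _escape_header(value):
    # Header fields: backslash and pipe must be escaped; commas need nothing.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value):
    # Extension values: backslash, '=' and line breaks must be escaped;
    # commas and pipes are ordinary characters here.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(vendor, product, version, signature_id, name, severity, extension):
    """Serialise one event as CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|ext."""
    header = "|".join(_escape_header(v)
                      for v in (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={_escape_extension(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def _split_header(line):
    """Split the first seven header fields on unescaped '|', returning them and the remainder."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped char: keep it literally
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    return fields, line[i:]


def _unescape(value):
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext):
    """Parse 'key=value key=value' where values may contain spaces, commas and pipes."""
    eq_positions, i = [], 0
    while i < len(ext):
        if ext[i] == "\\":          # skip escaped '=' (and escaped backslashes)
            i += 2
            continue
        if ext[i] == "=":
            eq_positions.append(i)
        i += 1
    result = {}
    for n, pos in enumerate(eq_positions):
        key = ext[ext.rfind(" ", 0, pos) + 1:pos]
        if n + 1 < len(eq_positions):
            value = ext[pos + 1:ext.rfind(" ", 0, eq_positions[n + 1])]
        else:
            value = ext[pos + 1:]
        result[key] = _unescape(value)
    return result


def parse_cef(line):
    fields, ext = _split_header(line)
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    record = dict(zip(HEADER_FIELDS, fields))
    record["version"] = record["version"][len("CEF:"):]
    record["extension"] = _parse_extension(ext)
    return record


def sample_fortigate_event():
    """Constructed FortiGate-style event: logid goes in the Signature ID slot, commas stay in msg."""
    return build_cef("Fortinet", "FortiGate", "v6.x-SAMPLE", "0000000013", "traffic", 3, {
        esm_to_cef_key("deviceEventCategory"): "traffic:forward",
        esm_to_cef_key("message"): "Accept, deny, or drop",
        esm_to_cef_key("fileName"): "report.pdf",
    })


if __name__ == "__main__":
    line = sample_fortigate_event()
    print(line)
    print(parse_cef(line))
```

The parser splits the header on unescaped pipes and the extension on unescaped equals signs, so a comma is never a delimiter at any point; if a comma does break a downstream consumer, the problem is that consumer's own field splitting, not the CEF encoding.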