Absent Member.

Where can I get the CEF key name for the ESM field name?

In the Fortinet FortiGate CEF guide, there is an ArcSight ESM Field name for every FortiGate log. It only maps the ArcSight ESM Field and not the real CEF key name.

Example:

ArcSight ESM Field        Device-Specific Field
Device Event Class ID     One of (logid, log_id)
Device Event Category     type plus subtype
Message                   msg
File Name                 One of (file, msg)

How do I find the CEF key name for each ArcSight ESM Field name? What is the real CEF name?

Fleet Admiral

There may be a later version floating around somewhere, but this should get you started

Absent Member.

Thanks for your reply, Richard,

I actually already have that but most of the ones I need are not found there.

Fleet Admiral

Which ones are you after?

Absent Member.

Device Event Class ID
Device Event Category

Those are the two immediate ones.

Thanks in advance

Fleet Admiral

deviceEventCategory is cat. deviceEventClassId is taken from the Signature ID field in the header; this one's a little confusing, as I don't think the guide actually spells it out anywhere.

Absent Member.

Thanks Richard, that was the answer I was looking for. I also found the Logger Admin guide which is the missing link.

I don't mean to hijack the thread, but the other major issue I am having is that ESM cannot handle commas in the msg field. Is there a recommendation on how commas should be handled? Should they just be removed altogether from the message?

Fleet Admiral

Not sure why there'd be an issue with commas. Testing it now, ESM seems OK with a comma in the Message field when sent from the Replay connector. Strings in CEF are UTF-8 encoded (not that commas are encoded differently in different character sets) and they're not a reserved character in CEF. What makes you think there's an issue?

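Putting Richard's two answers together in code, as an added example that is not from the thread or from ArcSight: a minimal CEF parser that takes deviceEventClassId from the Signature ID slot of the header, reads cat, msg and fname from the extension, and shows that commas pass through untouched because CEF only escapes pipe and backslash in the header and equals, backslash and newline in the extension. The sample line, its logid value and the msg text are constructed for illustration, not taken from a real FortiGate.

```python
import re

# Extension keys asked about in the thread, mapped to the ESM field the
# Fortinet guide lists. Device Event Class ID has no extension key: it is
# the Signature ID column of the header (the FortiGate logid/log_id).
EXT_KEY_TO_ESM_FIELD = {"cat": "deviceEventCategory", "msg": "message", "fname": "fileName"}

HEADER_FIELDS = ["cefVersion", "deviceVendor", "deviceProduct", "deviceVersion",
                 "deviceEventClassId", "name", "severity"]


def _split_header(body):
    """Split the seven header fields on unescaped '|'; the header escapes '|' and '\\' with a backslash."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # escaped pipe or backslash: keep the literal char
            buf.append(body[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(buf)); buf = []; i += 1; continue
        buf.append(ch); i += 1
    if len(fields) == 6 and i == len(body):         # no extension, so no trailing '|' after severity
        fields.append("".join(buf))
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    return fields, body[i:]                         # remainder is the extension


def _parse_extension(ext):
    """Parse 'key=value' pairs; a key is a token at the start or after a space followed by an unescaped '='."""
    out = {}
    keys = list(re.finditer(r"(?:^|(?<= ))([A-Za-z0-9_.]+)=", ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        # Undo extension escaping: '\=' -> '=', '\\' -> '\', '\n'/'\r' -> newline/CR. Commas are never escaped.
        value = re.sub(r"\\(.)", lambda mm: {"n": "\n", "r": "\r"}.get(mm.group(1), mm.group(1)), raw)
        out[m.group(1)] = value.rstrip(" ")
    return out


def parse_cef(line):
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, ext = _split_header(line[len("CEF:"):])
    event = dict(zip(HEADER_FIELDS, fields))
    event["extension"] = _parse_extension(ext)
    return event


def esm_view(line):
    """Return the fields the thread asks about under their ESM names."""
    ev = parse_cef(line)
    view = {"deviceEventClassId": ev["deviceEventClassId"]}
    for key, esm in EXT_KEY_TO_ESM_FIELD.items():
        if key in ev["extension"]:
            view[esm] = ev["extension"][key]
    return view


# Constructed sample: logid in the Signature ID slot, cat = type:subtype, msg with commas and an escaped '='.
SAMPLE = ("CEF:0|Fortinet|FortiGate|6.0|0000000013|forward traffic|3|"
          "cat=traffic:forward msg=Session closed, reason\\=timeout, 3 retries fname=report.pdf")
```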