User Audit Log in CEF Format
About this document


SAFE records all important user audit events in CEF format. This document describes the user audit log entries that the SAFE application emits.

CEF Log Format



DateTime hostname CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

Definitions of Prefix Fields


  • hostname is the name of the system on which the log is generated
  • Version is an integer that identifies the version of the CEF format. It should be set to 0.
  • Device Vendor, Device Product, and Device Version are strings that uniquely identify the type of sending device. No two products may use the same device-vendor and device-product pair. There is no central authority managing these pairs, so event producers have to ensure that they assign unique name pairs.
    • DeviceVendor = SAFE Security
    • DeviceProduct = SAFE
    • DeviceVersion = current cycle version
  • Signature ID is a unique identifier per event type. It can be a string or an integer, and it identifies the type of event reported.
  • Name is a string giving a human-readable description of the event. The event name should not contain information that is already carried in other fields. For example, “Port scan from 10.0.0.1 targeting 20.1.1.1” is not a good event name; it should be “port scan”. The other information is redundant and can be picked up from the other fields.
  • Severity is an integer and reflects the importance of the event. Only numbers from 0 to 10 are allowed, where 10 indicates the most important event. We can
  • Extension is a collection of key-value pairs. The keys are part of a predefined set.

Log format


<timestamp> <hostname> CEF:<version>|<device vendor>|<device product>|<DeviceVersion>|<signature id>|<signature name>|<severity>| <extra key=value> src=<user ip> suser=<email id> suserrole=<role> outcome=<success|failure>


Note
src, suser, suserrole, and outcome are mandatory key-value pairs and are appended at the end of every log line.

Example

The following example illustrates a CEF message for asset addition:

Success
Mar 09 2021 13:56:29 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|302|<signature name>|2| assetGroupName=smart list54 src=10.105.0.1 [email protected] suserrole=Admin outcome=success
Failure
Mar 09 2021 13:54:36 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|302|<signature name>|2| assetGroupName=smart list src=10.105.0.1 [email protected] suserrole=Admin outcome=failure reason=<reason>

Event Taxonomy


Signature Name / Example Log

Application Log

This signature ID is strictly reserved for internal logs and is not forwarded to the client's syslog.

Control Status Changed To Qualified

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|1000|Control Status Changed To Qualified |2|log_level=info controlid=14120001 dvchost=MANOJMAC dvc=192.168.100.12 [email protected] suserrole=Admin

Control Status Changed To Failed

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|1001|Control Status Changed To Failed|4|log_level=info controlid=14120001 dvchost=MANOJMAC dvc=192.168.100.12 suser= [email protected] suserrole=Admin

Control Status Changed To Not Applicable

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|1002|Control Status Changed To Not Applicable|4|log_level=info controlid=14120001 dvchost=MANOJMAC dvc=192.168.100.12 suser= XXXXX @lucideustech.com suserrole=Admin

Control Status Changed To Not Assessed

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|1003|Control Status Changed To Not Assessed|4|log_level=info controlid=14120001 dvchost=MANOJMAC dvc=192.168.100.12 suser= XXXXX @lucideustech.com suserrole=Admin

Control Marked As Accepted Failed

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|1004|ControlStatus Changed To Accepted Failed|4|log_level=info controlid=14120001 dvchost=MANOJMAC dvc=192.168.100.12 suser= XXXXX @lucideustech.com suserrole=Admin

Control Policy Added

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|1051|Control Policy Added|2| src=10.0.0.1 suser= XXXXX@lucideustech.com suserrole=Admin ccp=hr_policy outcome=success

Control Policy Deleted

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|1052|Control Policy Deleted|2| src=10.0.0.1 suser= XXXXX@lucideustech.com suserrole=Admin ccp=hr_policy outcome=success

Control Policy Updated

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|1053|Control Policy Updated|2| src=10.0.0.1 suser= XXXXX@lucideustech.com suserrole=Admin ccp=hr_policy outcome=success

Control Policy Assigned

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|1054|Control Policy Assigned|4| src=10.0.0.1 suser= XXXXX @lucideustech.com suserrole=Admin ccp=hr_policy dvcgroup=puneassetsgroup outcome=success

Control Policy Unassigned

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|1055|Control Policy Unassigned|4| src=10.0.0.1 suser= XXXXX @lucideustech.com suserrole=Admin ccp=hr_policy dvcgroup=puneassetsgroup outcome=success

Manual VA Report Upload

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|1200|Manual VA Report Upload |2|log_level=info dvchost=MANOJMAC dvc=192.168.100.12 suser= [email protected] suserrole=Admin

Nessus Report Upload

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|1220|Nessus Report Upload|2|log_level=info suser= [email protected] suserrole=Admin

Qualys Report Upload

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|1240|Qualys Report Upload|2|log_level=info suser= [email protected] suserrole=Admin

Burp Report Upload

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|1260| Burp Report Upload |2|log_level=info suser= XXXXX @lucideustech.com suserrole=Admin

Asset Deleted

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|200|Asset Deleted|5|log_level=info dvchost=MANOJMAC dvc=192.168.100.12 suser= [email protected] suserrole=Admin

Asset Added

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|200|Asset Added|5|log_level=info dvchost=MANOJMAC dvc=192.168.100.12 suser= [email protected] suserrole=Admin

Asset Retired

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|200|Asset Retired|5|log_level=info dvchost=MANOJMAC dvc=192.168.100.12 suser= [email protected] suserrole=Admin

Asset Group Added

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|2050|Asset Group Added|2|dvcgroup=puneassetsgroup src=10.0.0.1 suser= [email protected] suserrole=Admin outcome=success

Asset Group Deleted

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|2051|Asset Group Deleted|2|dvcgroup=puneassetsgroup src=10.0.0.1 suser= [email protected] suserrole=Admin outcome=success

Asset Group Updated

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|2052|Asset Group Updated|2|src=10.0.0.1 suser= [email protected] suserrole=Admin dvcgroup=puneassetsgroup outcome=success

Login

Sep 19 2020 08:26:10 preview.lucideus.com CEF:0|SAFE Security|SAFE|1.7|3001|Login|2|log_level=info [email protected] outcome=failure reason=captcha failed

Sep 19 2020 08:26:10 preview.lucideus.com CEF:0|SAFE Security|SAFE|1.7|3001|Login|2|log_level=info [email protected] suserrole=Admin outcome=failure reason=Two factor authentication failed

Sep 19 2020 08:26:10 preview.lucideus.com CEF:0|SAFE Security|SAFE|1.7|3001|Login|2|log_level=info [email protected] outcome=failure reason=invalid credentials

Sep 19 2020 08:26:10 preview.lucideus.com CEF:0|SAFE Security|SAFE|1.7|3001|Login|2|log_level=info suser= XXXXX @lucideustech.com suserrole=Admin outcome=success

Logout

Sep 19 2020 08:26:10 preview.lucideus.com CEF:0|SAFE Security|SAFE|1.7|3002|Logout|2|log_level=info suser= XXXXX @lucideustech.com suserrole=Admin outcome=success

Login via SSO

Failure: Mar 09 2021 13:54:36 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|3003|Login via SSO|2| src=10.105.0.1 suser= XXXXX @lucideustech.com suserrole=Admin outcome=failure reason=<reason>

Success: Mar 09 2021 13:54:36 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|3003|Login via SSO|2| src=10.105.0.1 suser= XXXXX @lucideustech.com suserrole=Admin outcome=success

SSO User Added

Success: Mar 09 2021 13:54:36 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|4001|SSO User Added|2| src=10.105.0.1 suser= XXXXX @lucideustech.com suserrole=Admin outcome=success

SSO User Uploaded

Success: Mar 09 2021 13:54:36 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|4002|SSO User Uploaded|2| src=10.105.0.1 suser= XXXXX @lucideustech.com suserrole=Admin outcome=success

User Added

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|4010|User Added|2|src=10.0.0.1 [email protected] duserrole=Viewer suser= XXXXX @safe.security suserrole=Admin outcome=success

User Deleted

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|4011|User Deleted|2|src=10.0.0.1 [email protected] duserrole=Viewer suser= XXXXX @safe.security suserrole=Admin outcome=success

Reset User Password

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|4012|Reset User Password|2|src=10.0.0.1 [email protected] duserrole=Viewer suser= XXXXX @safe.security suserrole=Admin outcome=success

Reset Password

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|4013|Reset Password |2|src=10.0.0.1 suser= XXXXX @safe.security suserrole=Admin outcome=success

AWS Account Confirmed

Success: Mar 09 2021 13:54:36 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|6001|AWS Account Confirmed|10| accountId=457429430701 src=10.105.0.1 suser= XXXXX @lucideustech.com suserrole=Admin outcome=success

AWS Account Test Connection

Failure: Mar 09 2021 13:54:36 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|6003|AWS Account Test Connection|2| accountId=457429430701 src=10.105.0.1 suser= XXXXX @lucideustech.com suserrole=Admin outcome=failure reason=Incorrect Credentials

Success: Mar 09 2021 13:54:36 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|6003|AWS Account Test Connection|2| accountId=457429430701 src=10.105.0.1 suser= [email protected] suserrole=Admin outcome=success

AWS Account Added

Success: Mar 09 2021 13:54:36 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|6004|AWS Account Added|10| accountId=457429430701 src=10.105.0.1 suser= [email protected] suserrole=Admin outcome=success

AWS Account Edited

Success: Mar 09 2021 13:54:36 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|6005|AWS Account Edited|10| accountId=457429430701 src=10.105.0.1 suser= XXXXX @lucideustech.com suserrole=Admin outcome=success

AWS Account Removed

Success: Mar 09 2021 13:54:36 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|6006|AWS Account Removed|10| accountId=457429430701 src=10.105.0.1 suser= [email protected] suserrole=Admin outcome=success

AWS Account Linked Assets Auto-Retired

Success: Mar 09 2021 13:54:36 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|6007|AWS Account Linked Assets Auto-Retired|10| accountId=457429430701 src=10.105.0.1 suser= [email protected] suserrole=Admin outcome=success

AWS Account Scan Initiated

Success: Mar 09 2021 13:54:36 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|6008|AWS Account Scan Initiated|3| accountId=457429430701 src=10.105.0.1 suser= XXXXX @lucideustech.com suserrole=Admin outcome=success

AWS Auto-Scan Frequency Changed

Success: Mar 09 2021 13:54:36 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|6009|AWS Auto-Scan Frequency Changed|4| autoScanFrequency=2 src=10.105.0.1 suser= XXXXX @lucideustech.com suserrole=Admin outcome=success

Hooks Azure Subscription Confirmed

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|6101|Hooks Azure Subscription Confirmed|10|log_level=info Azure_Subscrition=Test-Subscription suser= XXXXX @lucideustech.com suserrole=Admin

Hooks Azure Subscription Removed

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|6102|Hooks Azure Subscription Removed|10|log_level=info Azure_Subscrition=Test-Subscription suser= XXXXX @lucideustech.com suserrole=Admin

Hooks Azure Test Connection

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|6103|Hooks Azure Test Connection|2|log_level=info suser= XXXXX @lucideustech.com suserrole=Admin

Hooks Azure Configuration Modified

Sep 19 2020 08:26:10 localhost CEF:0|SAFE Security|SAFE|1.7|6104|Hooks Azure Configuration Modified|7|log_level=info aws_account= 457429430701 suser= XXXXX @lucideustech.com suserrole=Admin

Activation Key Generated

Success: Mar 09 2021 13:54:36 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|7001|Activation Key Generated|4| friendlyName=My Activation Key 1 src=10.105.0.1 suser= XXXXX @lucideustech.com suserrole=Admin outcome=success

Asset Score Simulated

Success: Mar 09 2021 13:54:36 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|9001|Asset Score Simulated|2| dvchost=MANOJMAC dvc=192.168.100.12 src=10.105.0.1 suser= XXXXX @lucideustech.com suserrole=Admin outcome=success

Site Coordinator Name Changed

Success: Mar 09 2021 13:54:36 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|10001|Site Coordinator Name Changed|2| sitehost= sitecord.dev137 src=10.105.0.1 [email protected] suserrole=Admin outcome=success

Site Coordinator Deleted

Success: Mar 09 2021 13:54:36 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|10002|Site Coordinator Deleted|2| sitehost= sitecord.dev137 src=10.105.0.1 suser= XXXXX @lucideustech.com suserrole=Admin outcome=success

Initiate first-party scan

Failure: Mar 09 2021 13:56:29 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|11001|Initiate first party scan|2|stenant={tenantid}| scanId=09d1176e-24b1-46fc-a18b-74acd2a2b7e5 suser= XXXXX @safe.security suserrole=Admin outcome=failure

Success: Mar 09 2021 13:56:29 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|1100|Initiate first party scan|2|stenant={tenantid}| scanId=09d1176e-24b1-46fc-a18b-74acd2a2b7e5 suser= [email protected] suserrole=Admin outcome=success

Abort first-party scan

Failure: Mar 09 2021 13:56:29 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|11002|Abort first party scan|2|stenant={tenantid}| scanId=09d1176e-24b1-46fc-a18b-74acd2a2b7e5 suser= [email protected] suserrole=Admin outcome=failure

Success: Mar 09 2021 13:56:29 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|1100|Abort first party scan|2|stenant={tenantid}| scanId=09d1176e-24b1-46fc-a18b-74acd2a2b7e5 suser= [email protected] suserrole=Admin outcome=success

Download CSV for first-party

Failure: Mar 09 2021 13:56:29 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|11004|Download CSV for first party|2|stenant={tenantid}| suser= [email protected] suserrole=Admin outcome=failure

Success: Mar 09 2021 13:56:29 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|11004|Download CSV for first party|2|stenant={tenantid}| suser= [email protected] suserrole=Admin outcome=success

Download PDF for first-party

Failure: Mar 09 2021 13:56:29 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|11005|Download PDF for first party|2|stenant={tenantid}| suser= [email protected] suserrole=Admin outcome=failure

Success: Mar 09 2021 13:56:29 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|11005|Download PDF for first party|2|stenant={tenantid}| suser= [email protected] suserrole=Admin outcome=success

Add Third-party

Failure: Mar 09 2021 13:56:29 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|11006|Add Third Party|2|stenant={tenantid}| suser= [email protected] suserrole=Admin outcome=failure

Success: Mar 09 2021 13:56:29 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|11006|Addition of Third Party|2|stenant={tenantid}| suser= [email protected] suserrole=Admin outcome=success

Initiate Third-party scan

Failure: Mar 09 2021 13:56:29 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|11007|Initiate third party scan|2|stenant={tenantid}| suser= [email protected] suserrole=Admin outcome=failure

Success: Mar 09 2021 13:56:29 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|11007|Third party scan initiated|2|stenant={tenantid}| suser= [email protected] suserrole=Admin outcome=success

Abort Third-party scan

Failure: Mar 09 2021 13:56:29 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|11008|Abort third party scan|2|stenant={tenantid}| [email protected] suserrole=Admin outcome=failure

Success: Mar 09 2021 13:56:29 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|11008|Third party scan aborted|2|stenant={tenantid}| [email protected] suserrole=Admin outcome=success

Download CSV for Third-party

Failure: Mar 09 2021 13:56:29 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|11010|Download CSV for third party|2|stenant={tenantid}| [email protected] suserrole=Admin outcome=failure

Success: Mar 09 2021 13:56:29 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|11010|Download CSV for third party|2|stenant={tenantid}| [email protected] suserrole=Admin outcome=success

Download PDF for Third-party

Failure: Mar 09 2021 13:56:29 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|11011| Download PDF for third party|2|stenant={tenantid}| [email protected] suserrole=Admin outcome=failure

Success: Mar 09 2021 13:56:29 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|11011| Download PDF for third party|2|stenant={tenantid}| [email protected] suserrole=Admin outcome=success

Remove Third-Party

Failure: Mar 09 2021 13:56:29 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|11012|Remove Third Party|2|stenant={tenantid}| [email protected] suserrole=Admin outcome=failure

Success: Mar 09 2021 13:56:29 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|11012| Removal of Third Party|2|stenant={tenantid}| [email protected] suserrole=Admin outcome=success

Save SAFE ID

Success: Mar 09 2021 13:54:36 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|12001| Save |2|[email protected] suserrole=Admin outcome=success

Failure: Mar 09 2021 13:54:36 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|12001|Safe ID saved successfully|2|[email protected] suserrole=Admin outcome=failure
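As an added example (not code from the SAFE product or from this document), the Python below parses lines in the format given under "Log format": it splits the prefix on the seven header pipes and treats the rest as the extension, so values with spaces (reason=Two factor authentication failed) and the stray pipe after stenant={tenantid} in the first-party scan events survive, then checks the four mandatory keys from the Note and counts Login (3001) failures per suser, the event the taxonomy above documents. The sample lines are constructed in the page's format; the email addresses and IP addresses in them are assumed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MANDATORY_KEYS = ("src", "suser", "suserrole", "outcome")  # mandatory pairs per the Note in "Log format"
# Prefix "<timestamp> <hostname> CEF:<version>|..." with SAFE's "Mar 09 2021 13:56:29" style timestamps.
_HEADER = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) CEF:(?P<rest>.*)$")
# An extension value runs until the next "key=" token or end of line, so it may contain spaces.
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

@dataclass
class SafeCefEvent:
    timestamp: str
    hostname: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: int
    extension: Dict[str, str] = field(default_factory=dict)

    def missing_mandatory(self) -> List[str]:
        return [k for k in MANDATORY_KEYS if k not in self.extension]

def parse_extension(ext: str) -> Dict[str, str]:
    return {k: v.strip() for k, v in _EXT_PAIR.findall(ext.strip())}

def parse_line(line: str) -> Optional[SafeCefEvent]:
    m = _HEADER.match(line.strip())
    if not m:
        return None
    # Split exactly seven times so the extension keeps stray pipes ("stenant={tenantid}|" above).
    parts = m.group("rest").split("|", 7)
    if len(parts) != 8:
        return None
    version, vendor, product, dev_ver, sig_id, name, sev, ext = parts
    if version != "0" or not sev.isdigit() or not 0 <= int(sev) <= 10:
        return None  # CEF version must be 0 and severity an integer from 0 to 10
    return SafeCefEvent(m.group("ts"), m.group("host"), vendor, product, dev_ver,
                        sig_id, name.strip(), int(sev), parse_extension(ext))

def parse_lines(text: str) -> List[SafeCefEvent]:
    parsed = (parse_line(l) for l in text.splitlines() if l.strip())
    return [e for e in parsed if e is not None]

def failed_logins_per_user(events: List[SafeCefEvent]) -> Dict[str, int]:
    # Login (signature ID 3001) events with outcome=failure, counted per suser.
    counts: Dict[str, int] = {}
    for e in events:
        if e.signature_id == "3001" and e.extension.get("outcome") == "failure":
            user = e.extension.get("suser", "<unknown>")
            counts[user] = counts.get(user, 0) + 1
    return counts

# Constructed sample lines in the page's format (not real SAFE output); the users and IPs are
# placeholders. The second line deliberately omits the mandatory suserrole key.
SAMPLE_LOGS = """\
Mar 09 2021 13:56:29 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|302|Asset Added|2| assetGroupName=smart list54 src=10.105.0.1 suser=alice@example.com suserrole=Admin outcome=success
Mar 09 2021 13:57:01 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|3001|Login|2|log_level=info src=10.105.0.7 suser=bob@example.com outcome=failure reason=Two factor authentication failed
Mar 09 2021 13:57:05 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|3001|Login|2|log_level=info src=10.105.0.7 suser=bob@example.com suserrole=Admin outcome=failure reason=invalid credentials
Mar 09 2021 13:58:10 localhost CEF:0|SAFE Security|SAFE|1.2.9.6|11001|Initiate first party scan|2|stenant={tenantid}| scanId=09d1176e-24b1-46fc-a18b-74acd2a2b7e5 src=10.105.0.1 suser=alice@example.com suserrole=Admin outcome=success
"""
```

`parse_lines(SAMPLE_LOGS)` returns the four events, `missing_mandatory()` on the second reports `['suserrole']`, and `failed_logins_per_user` returns `{'bob@example.com': 2}`.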

Key-Value Pairs


| Key Name | Full Name | Data Type | Length | Meaning |
|---|---|---|---|---|
| dvchost | deviceHostName | String | 100 | Identifies the name of an asset. Example: MANOJMAC |
| dvc | deviceAddress | IPv4 Address | 16 | Identifies the IP address of an asset. Example: 192.168.10.1 |
| dvcgroup | deviceGroupName | String | 100 | Identifies the asset group name. Example: PuneAssetGroup |
| suser | sourceUserName | String | 1023 | Identifies the user who initiated the action. Example: xxxxxxxx@lucideustech.com |
| suserrole | sourceUserRole | String | 1023 | Identifies the role of the user who initiated the action. Example: Admin |
| duser | destinationUserName | String | 1023 | Identifies the destination user, i.e. the user associated with the event's destination. Example: [email protected] |
| duserrole | destinationUserRole | String | 1023 | Identifies the role of the destination user. Example: Admin/Viewer/Auditor |
| controlid | controlid | Integer | | Identifies the control ID of the control. Example: 14120001 |
| outcome | outcome | String | 100 | The outcome of an event, where required. Example: Success or Failure |
| reason | reason | String | 1024 | The reason for a failure outcome. Example: Captcha Failed |
| container | container | String | 100 | Identifies the container ID. Example: php[300] |
| src | sourceAddress | String | | Identifies the IP address from which the request was made |
| accountId | awsAccountId | String | | Identifies the AWS account ID. Example: 457429430701 |
| autoScanFrequency | awsAutoScanFrequency | Integer | | Identifies the number of days set as the global AWS auto-scan frequency. Example: 2 |
| friendlyName | activationKeyFriendlyName | String | | Identifies the activation key by its friendly name. Example: My Activation Key 1 |
| sitehost | siteHostname | | | Identifies the site coordinator hostname. Example: sitecord.dev137 |
| from_scan_time | fromScanTime | | | Identifies the “from” value of the scan time in the agent global policy. Example: 3:00pm |
| to_scan_time | toScanTime | | | Identifies the “to” value of the scan time in the agent global policy. Example: 4:00pm |
| log_level | logLevel | | | Identifies the log level set in the agent global policy. Example: DEBUG |
| udp | udpHeartbeat | | | Identifies the UDP heartbeat interval in the agent global policy. Example: 30 |
| http | httpHeartbeat | | | Identifies the HTTP heartbeat interval in the agent global policy. Example: 30 |
| syslog | syslog | | | Identifies the syslog value in the agent global policy. Example: enabled |
| roaming | roaming | | | Identifies the roaming value in the agent global policy. Example: enabled |
| services | servicesDetection | | | Identifies the services detection value in the agent global policy. Example: enabled |
| agent_update | agentUpdate | | | Identifies the automatic agent update value in the agent global policy. Example: enabled |
| content_update | contentUpdate | | | Identifies the automatic content update value in the agent global policy. Example: enabled |
| stenant | tenantId | String | 32 | Identifies the user ID of the safe-enterprise API user. Example: safeentuseralphanumeric32 |
| scanId | scanId | String | 100 | Identifies the unique token for the assessment, which links to the associated AWS resources. Example: 09d1176e-24b1-46fc-a18b-74acd2a2b7 |
| ccp | custom control policy | String | 32 | Identifies the name of the custom control policy. Example: HR_Policy, Dev_Policy |



