PhenixID

PSD1065 – External logging with PhenixID Provisioning

Fact

PhenixID Provisioning

Situation

The Common Event Format (CEF) is an open logging standard developed by ArcSight. PhenixID Provisioning can write log messages to a file, to the console or to a syslog receiver.

This document describes how to set up Common Event Format (CEF) logging for PhenixID Provisioning. The Custom Logger and its interface are described in PSD1064.

CEF support is implemented as a Log Handler that hooks into the PhenixID Provisioning log subsystem and translates log messages into Common Event Format messages.

Please note that CEF logging uses Log4j and requires manual setup that overrides the default log configuration (sample configuration is provided).

Solution

The configuration for external logging can be found in PhenixID Provisioning Configurator under General/Log settings. If the option “Use External Logging” is enabled, there are two choices, CEF and Custom Logger. This document describes CEF logging; the Custom Logger and its interface are described in PSD1064.

Installation of required files

  1. Download and unzip provisioning-cef-logger.zip
  2. Copy cef.properties and cef-config.xml to the PhenixID Provisioning root directory
  3. In Service Log Settings: Check Use External Logging and select CEF
  4. Restart PhenixID Provisioning service

Configure cef.properties

File names and locations can be changed in the cef.properties file.

CEF Mappings

Add your CEF mappings to cef-config.xml (located in the PhenixID Provisioning service installation directory). Some example mappings are defined in cef-config.xml.

A mapping (cef-mapping) has the following attributes:

  • An id that uniquely identifies the mapping and the CEF event-type (CEF: SignatureId)
  • A regular expression pattern that matches the message to translate. Messages that don’t match any of the specified mapping patterns are ignored.
  • A name representing a human-readable and understandable description of the event (CEF: Name)
  • A severity represented as an integer that reflects the importance of the event. Only numbers from 0 to 10 are allowed, where 10 indicates the most important event (CEF: Severity)
  • A list of extensions, where each extension is a key-value pair containing detailed information describing the event (CEF: Extension)

Name, severity and extension can contain either static information, specified using the value element, or dynamic information extracted from the pattern using a regular expression group number/id. The group number/id is specified using the group element. Note that regular expression groups start from 1, left to right (group 0 represents the whole expression). If both a value and a group element are specified, the value element is used and the group is ignored.

Mapping example

<cef-mapping>
  <id>0003</id>
  <pattern><![CDATA[Transaction number: "(.*)"]]></pattern>
  <name>
    <value>Transaction number:</value>
  </name>
  <severity>
    <value>2</value>
  </severity>
  <extensions>
    <extension>
      <key>dst</key>
      <group>1</group>
    </extension>
  </extensions>
</cef-mapping>

This mapping matches the PhenixID Provisioning message:

Transaction number:<any-text>

With the default mappings this message will be translated to the following Common Event:

CEF:0|PhenixID|CEF|1.0|0003|Transaction number:|2|transaction=<any-text>

Notes:

  • The pattern is wrapped in CDATA to prevent the XML parser from parsing the content.
  • The pattern contains one group ((.*)) that extracts the address in any format.
  • Name and severity are static (specified using value) and will be the same for all events of this type.
  • Extension dst (destinationAddress) is dynamically extracted from the log message using the first (and only) regex group.

Message Severity Mapping

The standard cef-config uses the following translation from Log4j log level to CEF Severity:

Log4j level    CEF severity
DEBUG          0
INFO           2
WARN           5
ERROR          8
FATAL          10
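The translation that the mapping example and the severity table describe, as an added Python example (not PhenixID's Log Handler, which runs on Log4j): it parses a constructed cef-config fragment, applies the first matching pattern, lets value win over group, and escapes the CEF header and extension fields. Falling back to the Log4j-level table when a mapping has no severity element is an assumption of this example, not documented behaviour.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample config in the cef-mapping form described above (not the shipped cef-config.xml).
CEF_CONFIG = """<cef-config>
  <cef-mapping>
    <id>0003</id>
    <pattern><![CDATA[Transaction number: "(.*)"]]></pattern>
    <name><value>Transaction number:</value></name>
    <severity><value>2</value></severity>
    <extensions><extension><key>dst</key><group>1</group></extension></extensions>
  </cef-mapping>
</cef-config>"""

# Log4j level -> CEF severity from the table above; used here (an assumption of this
# example) only when a mapping has no <severity> element of its own.
LEVEL_SEVERITY = {"DEBUG": 0, "INFO": 2, "WARN": 5, "ERROR": 8, "FATAL": 10}

def _resolve(elem, match):
    """Static <value> wins over <group>; <group>n is regex group n (groups start at 1)."""
    if elem is None:
        return None
    if elem.find("value") is not None:
        return elem.findtext("value")
    if elem.find("group") is not None:
        return match.group(int(elem.findtext("group")))

def load_mappings(xml_text):
    """Compile every cef-mapping in the config to (SignatureId, regex, element)."""
    return [(m.findtext("id"), re.compile(m.findtext("pattern")), m)
            for m in ET.fromstring(xml_text).iter("cef-mapping")]

def to_cef(message, level, mappings):
    """Translate one log message; a message matching no pattern is ignored (None)."""
    for sig_id, pattern, m in mappings:
        match = pattern.search(message)
        if match is None:
            continue
        sev_text = _resolve(m.find("severity"), match)
        severity = int(sev_text) if sev_text is not None else LEVEL_SEVERITY[level]
        if not 0 <= severity <= 10:
            raise ValueError("CEF severity must be 0..10, got %d" % severity)
        # CEF header fields escape '|'; extension values escape '\' and '='.
        header = "|".join(f.replace("|", "\\|") for f in
                          ("PhenixID", "CEF", "1.0", sig_id, _resolve(m.find("name"), match) or "", str(severity)))
        ext = " ".join("%s=%s" % (e.findtext("key"),
                                  (_resolve(e, match) or "").replace("\\", "\\\\").replace("=", "\\="))
                       for e in m.iter("extension"))
        return "CEF:0|%s|%s" % (header, ext)
    return None
```

Calling to_cef('Transaction number: "4711"', "INFO", load_mappings(CEF_CONFIG)) yields CEF:0|PhenixID|CEF|1.0|0003|Transaction number:|2|dst=4711.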

DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se