One of the more common log formats you’ll run into when importing data into Splunk is the ArcSight Common Event Format (CEF). A distinctive feature of CEF is its support for custom extensions, which gives vendors a way to log data that no standard CEF field covers. This flexibility does, however, require some additional Splunk configuration (or an addition to a Splunk app) so that the field names and values line up properly.
What it looks like in Splunk
For this example, I’ll be using Check Point firewall logs, which I’ll send in CEF format via the Check Point Log Exporter since it’s a data source available in our lab environment. That said, this approach will work for most products that log in CEF format.
When looking at these logs, you’ll see a few fields that begin with “cs”:
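Those “cs” fields are CEF custom string extensions: the value travels in `csN` and its human-readable name in the matching `csNLabel`, so a Splunk search that only sees `cs1=Allow_Web` is not very useful until the label is applied. The parser below is an added example, not code from this post or from Check Point, that shows the pairing the Splunk configuration has to reproduce; the sample log line, its field values and the `parse_cef` helper names are constructed for illustration.

```python
import re

# Constructed Check Point-style CEF event. The header is 7 pipe-separated
# fields; everything after the 7th pipe is the extension block of key=value
# pairs, including custom string (csN) and custom number (cnN) extensions.
SAMPLE_CEF = (
    "CEF:0|Check Point|VPN-1 & FireWall-1|R81|Log|Accept|0|"
    "rt=1706716800000 src=10.1.2.3 dst=203.0.113.10 dpt=443 proto=TCP "
    "cs1Label=Rule Name cs1=Allow_Web cs2Label=Policy Name cs2=Standard_Policy "
    "cn1Label=Rule Number cn1=42"
)
HEADER_FIELDS = ["cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity"]
# An extension key is a run of word characters followed by '='; values run
# until the next such key, so they may legitimately contain spaces.
KEY_RE = re.compile(r"(?:^|\s)(\w+)=")

def split_header(line):
    """Split the 7 CEF header fields, honouring backslash-escaped '|' and '\\'."""
    fields, cur, i = [], "", 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped char: keep literal
            cur += line[i + 1]; i += 2; continue
        if ch == "|":
            fields.append(cur); cur = ""; i += 1; continue
        cur += ch; i += 1
    return fields, line[i:]                       # remainder = extension block

def parse_extensions(ext):
    """Turn 'k=v k2=v with spaces' into a dict, unescaping '\\=' in values."""
    out, matches = {}, list(KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    return out

def resolve_custom_fields(ext):
    """Rename csN/cnN values to the name carried in csNLabel/cnNLabel.
    This is exactly the mapping the Splunk props/transforms must perform."""
    resolved = {}
    for key, value in ext.items():
        if re.fullmatch(r"(cs|cn)\d+", key):
            resolved[ext.get(key + "Label", key)] = value   # fall back to csN
        elif not key.endswith("Label"):
            resolved[key] = value
    return resolved

def parse_cef(line):
    """Parse one CEF line into a flat dict with custom fields already labelled."""
    header, ext = split_header(line)
    fields = dict(zip(HEADER_FIELDS, header))
    fields["cef_version"] = fields["cef_version"].replace("CEF:", "", 1)
    fields.update(resolve_custom_fields(parse_extensions(ext)))
    return fields
```

Running `parse_cef(SAMPLE_CEF)` yields `Rule Name`, `Policy Name` and `Rule Number` as top-level keys, which is the view you want Splunk to present instead of bare `cs1`/`cs2`/`cn1`.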