Spectre Lumeta superusers can use the CEF logging feature to send syslog output to an external viewer in a common-event format. By enabling it, all event notifications to which the superuser has subscribed can be displayed in one preferred Security Information and Event Management (SIEM) viewer such as HP ArcSight, Splunk, or QRadar.
CEF Notifications are either system-related or device-related. The system-related notifications are global and pertain to all of SpectreLumeta. Device notifications pertain to a particular zone. Subscribe to receive notifications at Settings > Spectre Lumeta Systems > CEF Notifications > System and Device tabs.
...
Enable the CEF logging feature to make Lumeta Spectre forward all subscribed event notifications to a logging server. Here's an example of how to enable logging to an HP ArcSight console via the Spectre Lumeta graphical user interface (GUI) or the Spectre Lumeta command-line interface (CLI).
Configure CEF Server via GUI
- Log in to Lumeta Spectre.
- Select Settings > Spectre Lumeta Systems.
- Click the CEF Notifications tab.
- Identify the logging server to which you want to send event notifications:
  - Protocol: TCP-IPv4, UDP-IPv4, TCP-IPv6, or UDP-IPv6 (Note: Use TCP-IPv4 or UDP-IPv4 for HP ArcSight.)
  - Host Name or IP Address: Must be an IPv4-type IP address
  - Port number: Must be a valid integer
- When you are ready to send CEF-formatted event notifications, click the CEF Enabled checkbox.
- Click Submit.
A message displays, indicating that your configuration settings were saved.
Lumeta Spectre is now configured to display CEF-formatted syslog output in your ArcSight console.
...
- Log in to the Command-Line Interface (CLI).
- Open a host or server that supports SSH.
- At the prompt, type ssh admin@<yourservername> and press Enter.
- Enter your password (i.e., admin) and press Enter.
- At the command prompt, type log cefserver <enable/disable> <protocol> <IP address> <port number> and press Enter.
  - Enable: Enables the CEF server
  - Disable: Disables the CEF server
  - Protocol: TCP-IPv4, UDP-IPv4, TCP-IPv6, or UDP-IPv6 (Note: Use TCP-IPv4 or UDP-IPv4 for HP ArcSight.)
  - IP Address: Must be an IPv4-type IP address
  - Port number: Must be a valid integer
Lumeta Spectre is now configured to display CEF-formatted syslog output in your HP ArcSight console.
...
Header Sample
22 Jul 2014 13:28:59 grog CEF:0|Lumeta|SpectreLumeta|3.2.4.9086|DEVICE_DISCOVERED|Device Discovered|5
...
Following is a CEF notification and how it maps to custom fields in Lumeta Spectre.
0|Lumeta|SpectreLumeta|3.2.4.9086|DEVICE_DISCOVERED| Device Discovered |5|msg=Device stealth:c:3038:1 created. cat= DISCOVERY dvchost=CCM-AMC rt=Nov 02 2017 13:19:55 cn1=1 cn1Label=Facility Zone1 dhost= c6a3= mac=
Lumeta Custom Fields

CEF Key Name | Full Name | DataType | Spectre Lumeta name | Mapping to a notification from SpectreLumeta |
---|---|---|---|---|
Device Vendor | | | Lumeta | Lumeta |
Device Product | | | SpectreLumetaSpectre | Lumeta |
Device Version | | | 2.1 (version of SpectreLumeta) | 3.2.4 |
Signature ID | | String or integer | Notification Type | DEVICE_DISCOVERED |
Name | | String | NotificationName/NotificationType | Device Discovered |
Severity | | Integer | 1, 5, 10 | 5 |
cat | deviceEventCategory | String | DISCOVERY ("/discovery") | DISCOVERY |
deviceMacAddress | deviceMacAddress | MAC Address | mac | |
dvc | deviceAddress | IPV4 Address | ip | |
rt | receiptTime | TimeStamp | event.getTimeStamp() | Nov 02 2017 13:19:55 |
dvchost | deviceHostName | String | systemName | CCM-AMC |
dhost | destinationHostName | String | ip | c6a3 |
c6a3 | destination format | IPv6 | ip | |
suser | sourceUserName | String | userName | |
cn1 | deviceCustomNumber1 | Long | zoneId | 1 |
cn1Label | deviceCustomNumber1Label | String | zoneName | Facility Zone1 |
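Before pointing the CEF server at a production SIEM, it helps to confirm that what arrives actually carries the fields in the table above. The following Python example is added here and is not Lumeta's code: it splits a CEF line of the shape shown in the header and notification samples into the seven header fields and the key=value extension, copes with the quirks visible in the sample (a space after `cat=`, empty trailing values such as `dhost= c6a3= mac=`), and reports anything that deviates from the documented mapping. The two sample lines are constructed copies of the page's samples; the documented key set, the severity values 1, 5 and 10, and the `rt` timestamp format are taken from the table, and the `check_event` rules are this example's own.

```python
"""Parse and sanity-check Lumeta Spectre CEF syslog lines (added example, not Lumeta code)."""
import re
from datetime import datetime

# Order of the seven header fields that follow "CEF:" in every line.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# Extension keys listed in the Lumeta custom-field table.
DOCUMENTED_KEYS = {"msg", "cat", "mac", "dvc", "rt", "dvchost", "dhost",
                   "c6a3", "suser", "cn1", "cn1Label"}
DOCUMENTED_SEVERITIES = {1, 5, 10}
RT_FORMAT = "%b %d %Y %H:%M:%S"   # shape of "Nov 02 2017 13:19:55" in the sample

# Constructed sample lines, copied in shape from the page's header and notification samples.
SAMPLE_HEADER_LINE = ("22 Jul 2014 13:28:59 grog CEF:0|Lumeta|SpectreLumeta|3.2.4.9086|"
                      "DEVICE_DISCOVERED|Device Discovered|5")
SAMPLE_EVENT_LINE = ("CEF:0|Lumeta|SpectreLumeta|3.2.4.9086|DEVICE_DISCOVERED| Device Discovered |5|"
                     "msg=Device stealth:c:3038:1 created. cat= DISCOVERY dvchost=CCM-AMC "
                     "rt=Nov 02 2017 13:19:55 cn1=1 cn1Label=Facility Zone1 dhost= c6a3= mac=")

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")            # a pipe not escaped as "\|"
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # key=value; value runs up to the next " key="


def parse_cef(line):
    """Return the syslog prefix, the seven header fields and the extension key/value pairs."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no 'CEF:' marker in line")
    syslog_prefix = line[:start].strip()          # e.g. "22 Jul 2014 13:28:59 grog", may be empty
    parts = _HEADER_SPLIT.split(line[start + len("CEF:"):])
    if len(parts) < 7:
        raise ValueError("CEF header has %d fields, expected 7" % len(parts))
    # Header values are stripped because the sample carries " Device Discovered " with padding.
    header = {name: value.strip().replace("\\|", "|")
              for name, value in zip(HEADER_FIELDS, parts[:7])}
    # Everything after the seventh pipe is the extension; it may itself contain pipes.
    extension_text = "|".join(parts[7:])
    extension = {}
    for match in _EXT_PAIR.finditer(extension_text):
        key, value = match.group(1), match.group(2)
        # Strip the stray space after "cat=" and unescape "\=" inside values.
        extension[key] = value.strip().replace("\\=", "=")
    return {"syslog_prefix": syslog_prefix, "header": header, "extension": extension}


def check_event(event):
    """List deviations from the documented mapping; an empty list means the line conforms."""
    problems = []
    header, ext = event["header"], event["extension"]
    if header["device_vendor"] != "Lumeta":
        problems.append("unexpected Device Vendor %r" % header["device_vendor"])
    sev = header["severity"]
    if not sev.isdigit() or int(sev) not in DOCUMENTED_SEVERITIES:
        problems.append("severity %r not in documented set %s" % (sev, sorted(DOCUMENTED_SEVERITIES)))
    for key in sorted(set(ext) - DOCUMENTED_KEYS):
        problems.append("undocumented extension key %r" % key)
    if ext.get("cn1") and not ext["cn1"].isdigit():
        problems.append("cn1 (zoneId) should be a Long, got %r" % ext["cn1"])
    if ext.get("rt"):
        try:
            datetime.strptime(ext["rt"], RT_FORMAT)
        except ValueError:
            problems.append("rt %r does not match %r" % (ext["rt"], RT_FORMAT))
    return problems


if __name__ == "__main__":
    for sample in (SAMPLE_HEADER_LINE, SAMPLE_EVENT_LINE):
        parsed = parse_cef(sample)
        print(parsed["header"]["signature_id"], parsed["extension"])
        print("problems:", check_event(parsed) or "none")
```

Feed it the lines your collector actually receives (one per call to `parse_cef`) and treat a non-empty `check_event` result as a sign that the Spectre version in front of you emits fields the mapping above does not describe, which is exactly what would break a parser written from this table.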
...
CEF Event Type | Description | Sample Message |
---|---|---|
AGENT_CONNECTED | A connection was created between discovery-agent and lumeta-webapp | Discovery Agent Connected |
AGENT_START | Displays which of the following agents has started: TCP Port Scanner \| Host Discovery \| Snmp Hunter \| Snmp Scanner \| Path Scanner \| Broadcast Discovery \| CIFSScanner \| DNSScanner \| Http Scanner \| Leak Discovery | Host Discovery (or any other agent name) Started. Agents: TCP Port Scanner \| Host Discovery \| Snmp Hunter \| Snmp Scanner \| Path Scanner \| Broadcast Discovery \| CIFSScanner \| DNSScanner \| Http Scanner \| Leak Discovery |
AGENT_STATUS | Displays the agent name (to show that the agent is currently running): TCP Port Scanner \| Host Discovery \| Snmp Hunter \| Snmp Scanner \| Path Scanner \| Broadcast Discovery \| CIFSScanner \| DNSScanner \| Http Scanner \| Leak Discovery | Host Discovery (or any other agent name) |
AGENT_STOP | Displays which of the following agents has stopped: TCP Port Scanner \| Host Discovery \| Snmp Hunter \| Snmp Scanner \| Path Scanner \| Broadcast Discovery \| CIFSScanner \| DNSScanner \| Http Scanner \| Leak Discovery | Host Discovery (or any other agent name) Stopped |
COLLECTOR_CREATED | New Spectre Lumeta Collector created containing device discovery configuration | Collector <> created |
COLLECTOR_REMOVED | Indicates that an existing Spectre Lumeta Collector has been removed | Collector <> removed |
COLLECTOR_UPDATED | Updated discovery configuration was applied to a Spectre Lumeta Collector | Collector <> Config Inserted |
DEVICE_ACTIVITY | Discovered device's status has changed from active to inactive (or vice versa) | Device <> became active. Earlier state : inactive OR Device <> became inactive. Earlier state : active |
DEVICE_DISCOVERED | New entry for a discovered device. Multiple entries, one for each scan technique | Device <> created |
DEVICE_PROFILED | Discovered device's profile information has changed. Profile information includes device type, operating system, operating system version and vendor. | Device <> profile attributes changed: DeviceType=<>, OS=<>, Vendor=<>, Version=<> \| 2017-11-07 09:24:13.384338 |
DEVICE_REMOVED | Discovered device has become inactive and has been removed | Device <> removed |
DEVICE_UPDATED | Discovered device has been updated with new information. Multiple entries, one for each scan technique. | Device <> updated. IP assigned to <> \| IP changed to <> |
FORWARDER_ | Discovered device has been identified as a forwarding device based on TTL | Device <> forwards traffic |
JOB_COMPLETED | Displays the status of a background job that was deployed on the Spectre Lumeta box (example: importing a pattern file, importing zone attributes) | Job Success ( jobId : 1, jobName : importPatterns-job ) |
JOB_STARTED | Displays the initialization of a background job that was deployed on the Spectre Lumeta box (example: importing a pattern file, importing zone attributes) | Job Started (jobId : 1, jobName : importPatterns-job) |
LEAK_DISCOVERED | Spectre Lumeta has identified a potential Leak Path to / from a protected network | |
LICENSE_REMINDER | User notification that the Spectre Lumeta license is about to expire | License expiration imminent – |
LICENSE_VIOLATION | User notification that the Spectre Lumeta license has exceeded the IP Count | License expired – new license required – contact support@lumeta.com \| IP count exceeded – contact support@lumeta.com |
LICENSE_WARNING | User notification that the Spectre Lumeta license is approaching the IP Count limit | License expired – contact support@lumeta.com \| IP count exceeded – contact support@lumeta.com |
LINK_DISCOVERED | A path has been discovered between two IPs | Link discovered between <> and <> |
LOGLEVEL_UPDATED | Log level has been changed to INFO/WARN/DEBUG | Service <> log level set to <> |
NOTIFICATION_ | Displays the Notification ID that was acknowledged by the user on the Spectre Lumeta System's map. | Notification <notification number> acknowledged |
NOTIFICATION_ | All Notifications on the Spectre Lumeta System's map have been acknowledged for a specific priority. | All Notifications acknowledged for priority |
OPENPORT_ | Discovered device has been found with an open port | |
ROUTER_DISCOVERED | Discovered device is now profiled as a router | |
ROUTER_REMOVED | Discovered device that was profiled as a router has now been removed | |
SYSTEM_CONNECT | User notification that a connection has been created between CC <-> Portal, CC <-> Scout | Peer connection established (<> <-> <>) |
SYSTEM_DISCONNECT | User notification that a disconnection occurred between CC <-> Portal, CC <-> Scout | Peer connection closed (<> <-> <>) |
UPDATE_ERROR | | |
UPDATE_REMOTE | | |
UPDATE_STEP | | |
UPDATE_WARNING | | |
USER_CREATED | New Spectre Lumeta user was created | User <> created |
USER_REMOVED | Spectre Lumeta user was deleted | User <> removed |
USER_UPDATED | Changes were made to an existing Spectre Lumeta user | User <> updated |
ZONE_CREATED | New Spectre Lumeta Zone created containing device discovery configuration | Created zone. (name <>, description = <>, |
ZONE_REMOVED | Indicates that an existing Spectre Lumeta Zone has been removed | Deleted zone. (name = <>, description = <>, |
ZONE_UPDATED | Updated discovery configuration was applied to a Spectre Lumeta Zone | Zone <> CIDRs Updated |
...