...
Enable the CEF logging feature to make Lumeta forward all subscribed event notifications to a logging server. The following example shows how to enable logging to an HP ArcSight console via the Lumeta graphical user interface (GUI) or the Lumeta command-line interface (CLI).
Configure CEF Server via GUI
- Log in to Lumeta.
- Select Settings > Lumeta Systems.
- Click the CEF Notifications tab.
- Identify the logging server to which you want to send event notifications.
Protocol: TCP-IPv4, UDP-IPv4, TCP-IPv6, or UDP-IPv6 (Note: Use TCP-IPv4 or UDP-IPv4 for HP ArcSight.)
Host Name or IP Address: Must be an IPv4-type IP address
Port number: Must be a valid integer
- When you are ready to send CEF-formatted event notifications, click the CEF Enabled checkbox.
- Click Submit.
A message is displayed indicating that your configuration settings were saved.
Lumeta is now configured to send CEF-formatted syslog output for display in your HP ArcSight console.
...
- Log in to the Command-Line Interface (CLI).
- Open a terminal on a host or server that has an SSH client.
- At the prompt, type ssh admin@<yourservername> and press Enter.
- Enter your password (i.e., admin) and press Enter.
- At the command prompt, type log cefserver <enable/disable> <protocol> <IP address> <port number> and press Enter.
Enable: Enables the CEF server
Disable: Disables the CEF server
Protocol: TCP-IPv4, UDP-IPv4, TCP-IPv6, or UDP-IPv6 (Note: Use TCP-IPv4 or UDP-IPv4 for HP ArcSight.)
IP Address: Must be an IPv4-type IP address
Port number: Must be a valid integer
Lumeta is now configured to send CEF-formatted syslog output for display in your HP ArcSight console.
...
The following is a sample CEF notification and how it maps to custom fields in Lumeta.
0|Lumeta|Lumeta|3.2.4.9086|DEVICE_DISCOVERED| Device Discovered |5|msg=Device stealth:c:3038:1 created. cat= DISCOVERY dvchost=CCM-AMC rt=Nov 02 2017 13:19:55 cn1=1 cn1Label=Facility Zone1 dhost= c6a3= mac=
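As an added example (not part of the original documentation), the Python parser below splits the notification above into its seven CEF header fields and its extension key-value pairs, keeping the empty trailing values (dhost, c6a3, mac) and resolving the cn1/cn1Label pair into a labelled custom field. The leading "CEF:" marker is assumed from the CEF format itself, since the quote on this page begins at the version digit.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the DEVICE_DISCOVERED notification quoted on this page,
# prefixed with the "CEF:" marker (assumed) that opens a CEF record.
SAMPLE = ("CEF:0|Lumeta|Lumeta|3.2.4.9086|DEVICE_DISCOVERED| Device Discovered |5|"
          "msg=Device stealth:c:3038:1 created. cat= DISCOVERY dvchost=CCM-AMC "
          "rt=Nov 02 2017 13:19:55 cn1=1 cn1Label=Facility Zone1 dhost= c6a3= mac=")

HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "signature_id", "name", "severity")
# An extension key is a run of word characters followed by '=', found at the
# start of the extension or after whitespace; a value runs up to the next key.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

@dataclass
class CefEvent:
    header: dict
    extension: dict
    custom: dict = field(default_factory=dict)   # label -> value (cnN/csN pairs)

def parse_cef(line: str) -> CefEvent:
    if line.startswith("CEF:"):
        line = line[4:]
    # Split only on unescaped pipes; the 8th piece is the whole extension.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) < 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    header = {k: v.strip().replace(r"\|", "|")
              for k, v in zip(HEADER_FIELDS, parts[:7])}
    header["severity"] = int(header["severity"])
    ext_text = parts[7]
    ext: dict = {}
    matches = list(KEY_RE.finditer(ext_text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext_text)
        # strip() handles "cat= DISCOVERY" and leaves "dhost= " as an empty value
        value = ext_text[m.end():end].strip()
        ext[m.group(1)] = re.sub(r"\\(.)", r"\1", value)   # undo \= and \\ escapes
    # ArcSight custom fields: cn1=1 cn1Label=Facility Zone1 -> {"Facility Zone1": "1"}
    custom = {label: ext[key[:-5]]
              for key, label in ext.items()
              if key.endswith("Label") and key[:-5] in ext}
    return CefEvent(header, ext, custom)

if __name__ == "__main__":
    event = parse_cef(SAMPLE)
    print(event.header["signature_id"], event.header["severity"], event.custom)
```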
...