vue-cef-viewer

Parse a raw Common Event Format (CEF) log message and show it in a tabular view using Vue.js.

Performs the following validations:

• User-defined extension name format
• String length
• Integer value range
• Long value range
• MAC Address format
• IPv4 and IPv6 format

Try it online at https://klasen.github.io/vue-cef-viewer/.

Sample

Field	Value	Comment
Input
Raw	Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|Detected a =\\\||10|src=10.0.0.1 shost=10.0.0.1 msg=Detected a \=\\|.\n No action needed dmac=00-0D-60-AF-1B-61 cs2=WIFI cs2Label=SSID art=1 threatAttackID=T1132
CEF Header
Version	0
DeviceVendor	security
DeviceProduct	threatmanager
DeviceVersion	1.0
SignatureID	100
Name	Detected a =\|
Severity	10
CEF Extensions
art	1	agentReceiptTime Time Stamp The time at which information about the event was received by the ArcSight connector. Consumer extension from CEF specification 0.1 1970-01-01T00:00:00.001Z
cs2	WIFI	deviceCustomString2 Producer extension from CEF specification 0.1 String[4000] One of the six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
cs2Label	SSID	deviceCustomString2Label Producer extension from CEF specification 0.1 String[1023] All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
dmac	00-0D-60-AF-1B-61	deviceMacAddress Producer extension from CEF specification 0.1 MAC Address Six colon-separated hexadecimal numbers. Example: “00:0D:60:AF:1B:61” Invalid format
msg	Detected a =\|. No action needed	message Producer extension from CEF specification 0.1 String[1023] An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator.
shost	10.0.0.1	sourceHostName Producer extension from CEF specification 0.1 String[1023] Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (DQDN) associated with the source node, when a mode is available. Examples:  “host” or “host.domain.com”.
src	10.0.0.1	sourceAddress Producer extension from CEF specification 0.1 IPv4 Address Identifies the source that an event refers to in an IP network. The format is an IPv4 address. Example: “192.168.10.1”.
threatAttackID	T1132	Threat Attack ID String[32] A full ID of a threat or attack as defined in the security framework in frameworkName. Consumer extension from CEF specification 1.2
CEF Extensions by Label
SSID	WIFI

Project setup

npm install

Scrape CEF meta-data

Scrape CEF implementation standard and save producer and consumer extension dictionaries as JSON and CSV.

node ./docs/scrape.js > ./docs/fixes.txt

Compare CEF Implementation Standard and Flexconn Devguide

Generate a html side by side comparison of the CSV files for both documents using diff2html-cli.

On the spec-vs-devguide branch:

1. Scrape metadata
2. Commit /docs/*.csv
3. Copy docs/extensions-dictionary-flexconn_devguide-for-comparison.csv to docs/extensions-dictionary-for-comparison.csv
4. Create diff

node ./docs/scrape.js > ./docs/fixes.txt
git commit -m "Update scraped metadata" docs/*.html docs/*.csv docs/fixes.txt src/components/extension-dictionary.json
cp ./docs/extension-dictionary-flexconn_devguide-for-comparison.csv ./docs/extension-dictionary-for-comparison.csv
diff2html --style side --title "CEF Implementation Standard vs. Flexconn Devguide" --matchWordsThreshold 0.1 --fileContentToggle false --file docs/cef-implementation-standard_vs_flexconn-devguide.html

Compiles and hot-reloads for development

npm run dev

Compiles and minifies for production

npm run build

Deploy to production

# initial
git subtree push --prefix dist origin gh-pages
# on updates
npm run deploy