Adding support for CEF, LEEF, and other message formats
The SAP Adapter and agent support the CEF and LEEF formats (for SIEM devices that accept these special formats). Additional formats, such as those used by Splunk and other SIEM vendors, are also available. You enable this feature by adding a MessageFormat statement to the agent configuration file.
Use the following procedure to enable special message formatting. Note that a MessageFormat statement is not required for every SIEM: Splunk, for example, can receive and process messages without one, as can other popular SIEM systems.
- Open the CO-sysmsg.cnf agent configuration file (located in the same folder as the CO-sysmsg.exe Windows agent program).
- Add one of the following MessageFormat statements between the MessagePort statement and the first EventLog specification (or replace the MessagePort statement with the MessageFormat statement).
You can add only one MessageFormat statement to the file.
To format messages in CEF, add this statement:
MessageFormat CEF
To format messages in LEEF, add this statement:
MessageFormat LEEF
To make the change take effect, stop and restart the BMC Defender Syslog message service.
The agent then transmits all event logs and SAP messages in CEF or LEEF format.
For reference, a typical SAP message in CEF format is as follows:
cat=RFC/CPIC suser=MyUser msg=AU5 - SAP Audit Time: 2015/10/01 13:05:47 - Data: 00000000D0 - Terminal: 183.245. - SAP User: MyUser Report: SAPMSSY1 - Client Flag: 1 - Client ID: 200 - Args: R&0 10.1.1.2 - Audit Class: RFC/CPIC Logon - Severity: Info - Descr: RFC/CPIC logon successful.
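A receiving SIEM (or a detection pipeline in front of it) has to split the agent's output back into fields before it can alert on them, and a quick parser is also the easiest way to confirm that the MessageFormat switch actually took effect. The following Python is an added example, not the BMC Defender agent's code or part of this documentation: it parses the sample CEF extension shown above (which the page prints without a CEF header), a full CEF line and a LEEF 2.0 line whose header values (ExampleVendor, ExampleAgent, 1.0, the name and severity fields) are constructed placeholders, and it further splits the SAP audit text that the agent packs into the msg= field on its " - " and "Label: value" structure.

```python
"""Parse CEF and LEEF records as a SIEM agent emits them, plus the SAP audit text
packed into the CEF msg= field. Added example; not the agent's own code."""
import re

# The CEF extension below is the sample printed on the page (no header is shown there).
SAP_CEF_EXTENSION = (
    "cat=RFC/CPIC suser=MyUser msg=AU5 - SAP Audit Time: 2015/10/01 13:05:47 "
    "- Data: 00000000D0 - Terminal: 183.245. - SAP User: MyUser Report: SAPMSSY1 "
    "- Client Flag: 1 - Client ID: 200 - Args: R&0 10.1.1.2 "
    "- Audit Class: RFC/CPIC Logon - Severity: Info - Descr: RFC/CPIC logon successful."
)
# Constructed header: vendor, product, version, name and severity are placeholders.
SAP_CEF_LINE = "CEF:0|ExampleVendor|ExampleAgent|1.0|AU5|SAP audit event|3|" + SAP_CEF_EXTENSION
# Constructed LEEF 2.0 record with the same fields and the default tab delimiter.
SAP_LEEF_LINE = "LEEF:2.0|ExampleVendor|ExampleAgent|1.0|AU5|\t|cat=RFC/CPIC\tsuser=MyUser\tsev=3"

CEF_HEADER = ("cef_version", "device_vendor", "device_product",
              "device_version", "signature_id", "name", "severity")
# An extension key is a run of key characters followed by '=' at the start or after whitespace,
# so the spaces inside a value such as msg=... do not start a new key.
_CEF_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def _cef_unescape(value):
    # CEF extension values escape '=', '\' and newlines with a backslash.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef_extension(ext):
    """Return the key=value pairs of a CEF extension; values may contain spaces."""
    keys = list(_CEF_KEY.finditer(ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = _cef_unescape(ext[m.end():end].strip())
    return out


def parse_cef(record):
    """Parse a full 'CEF:0|...' line; a bare extension (as printed on the page) is accepted too."""
    if not record.startswith("CEF:"):
        return {"header": {}, "extension": parse_cef_extension(record)}
    fields, cur, i = [], [], 4          # skip the literal 'CEF:' prefix
    while i < len(record) and len(fields) < 7:
        ch = record[i]
        if ch == "\\" and i + 1 < len(record):   # '\|' and '\\' are escapes in the header
            cur.append(record[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(ch); i += 1
    if len(fields) != 7:
        raise ValueError("CEF header must have 7 pipe-separated fields")
    return {"header": dict(zip(CEF_HEADER, fields)), "extension": parse_cef_extension(record[i:])}


def parse_sap_msg(msg):
    """Split the agent's msg= text: '<audit code> - Label: value - Label: value ...'."""
    code, _, rest = msg.partition(" - ")
    fields = {}
    for part in rest.split(" - "):
        label, sep, value = part.partition(": ")
        if sep:
            fields[label.strip()] = value.strip()
    return code, fields


def parse_leef(record):
    """Parse a LEEF 1.0/2.0 line into header fields and attributes."""
    if not record.startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    parts = record.split("|")
    version = parts[0][5:]
    if version.startswith("2.") and len(parts) >= 7:   # LEEF 2.0 carries an optional delimiter field
        delim, attrs = parts[5], "|".join(parts[6:])
        if re.fullmatch(r"x[0-9A-Fa-f]{2}", delim):    # hex form of the delimiter, e.g. x7c
            delim = chr(int(delim[1:], 16))
        delim = delim or "\t"
    else:
        delim, attrs = "\t", "|".join(parts[5:])
    header = dict(zip(("vendor", "product", "version", "event_id"), parts[1:5]))
    header["leef_version"] = version
    attributes = dict(p.split("=", 1) for p in attrs.split(delim) if "=" in p)
    return {"header": header, "attributes": attributes}


if __name__ == "__main__":
    parsed = parse_cef(SAP_CEF_LINE)
    code, fields = parse_sap_msg(parsed["extension"]["msg"])
    print(parsed["header"], code, fields["Client ID"], fields["Descr"])
    print(parse_leef(SAP_LEEF_LINE)["attributes"])
```

The SAP-specific split in parse_sap_msg relies on the " - " and "Label: value" layout visible in the sample; where a label's value itself contains ": " (as "SAP User: MyUser Report: SAPMSSY1" does in the sample), the remainder stays attached to the first label, which is worth checking when you build alert rules on those sub-fields rather than on the standard cat, suser and msg keys.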