Adding support for CEF, LEEF, and other message formats


The SAP Adapter and agent support the CEF and LEEF formats (for those SIEM devices that require this special format). Additional formats, such as those supported by Splunk and other SIEM vendors, are also available. You enable this feature by adding a MessageFormat statement to the agent configuration file.

Use the following procedure to enable special message formatting.

Note

If you do not require a special message format, skip this procedure, because these formats are not easily human readable. Instead, where possible, use the standard SAP agent formatting, which provides maximum interoperability with programs and devices. (The exception is SIEMs that actually require special message formats for their normal operation.)

  For example, Splunk can receive and process messages without a MessageFormat statement, as can other popular SIEM systems.

  1. Open the CO-sysmsg.cnf agent configuration file (located in the same folder as the CO-sysmsg.exe Windows agent program). 
  2. Add one of the following MessageFormat statements between the MessagePort statement and the first EventLog specification (or replace the MessagePort statement with the MessageFormat statement).
    You can add only one MessageFormat statement to the file:
    • To format messages in CEF, add this statement:

      MessageFormat CEF
    • To format messages in LEEF, add this statement:

      MessageFormat LEEF
  3. To make the change take effect, stop and restart the BMC Defender Syslog message service.

    The agent will now transmit all event logs and SAP messages in CEF or LEEF format.

For reference, a typical SAP message in CEF format is as follows:

Oct 1 13:05:47 myhost CEF:0|CorreLog|SAP Agent|5-5-3|AU5|RFC/CPIC logon successful|1|deviceFacility=audit cat=RFC/CPIC suser=MyUser msg=AU5 - SAP Audit Time: 2015/10/01 13:05:47 - Data: 00000000D0 - Terminal: 183.245. - SAP User: MyUser Report: SAPMSSY1 - Client Flag: 1 - Client ID: 200 - Args: R&0 10.1.1.2 - Audit Class: RFC/CPIC Logon - Severity: Info - Descr: RFC/CPIC logon successful.
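To show what a collector or SIEM has to do with the CEF output above, the following parser is an added example (not part of the BMC Defender product or its documentation). It splits the seven pipe-delimited header fields and the key=value extension, honouring the CEF escapes for `\|` in the header and `\=` in extension values; the sample line is constructed from the message shown above, and the field names are the standard CEF header names.

```python
import re

# Constructed sample, modelled on the CEF message shown above (not a real capture).
SAMPLE = ("Oct 1 13:05:47 myhost CEF:0|CorreLog|SAP Agent|5-5-3|AU5|RFC/CPIC logon successful|1|"
          "deviceFacility=audit cat=RFC/CPIC suser=MyUser msg=AU5 - SAP Audit Time: 2015/10/01 13:05:47 "
          "- SAP User: MyUser - Client ID: 200 - Descr: RFC/CPIC logon successful.")

# The seven CEF header fields, in the order they appear after "CEF:".
HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]

# A literal '|' inside a header field is escaped as '\|', so split only on unescaped pipes.
_PIPE = re.compile(r"(?<!\\)\|")
# Extension keys are alphanumeric and start at the beginning of the extension or after whitespace;
# a value containing an escaped '\=' is not matched because '\' is not a key character.
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _unescape_header(s):
    return s.replace(r"\|", "|").replace(r"\\", "\\")


def _unescape_ext(s):
    return s.replace(r"\=", "=").replace(r"\n", "\n").replace(r"\\", "\\")


def parse_cef(line):
    """Parse a syslog line carrying a CEF payload into (header dict, extension dict)."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in line")
    payload = line[idx + len("CEF:"):]
    parts = _PIPE.split(payload, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must contain seven pipe-delimited fields")
    header = dict(zip(HEADER_FIELDS, (_unescape_header(p) for p in parts[:7])))
    header["syslog_prefix"] = line[:idx].rstrip()   # timestamp and host, if a syslog wrapper is present
    ext = {}
    matches = list(_KEY.finditer(parts[7]))
    for i, m in enumerate(matches):
        # A value runs from after its '=' up to the whitespace preceding the next key.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(parts[7])
        ext[m.group(1)] = _unescape_ext(parts[7][m.end():end])
    return header, ext


if __name__ == "__main__":
    hdr, ext = parse_cef(SAMPLE)
    print(hdr["signature_id"], hdr["severity"], ext["suser"], ext["msg"])
```

Because the `msg` value carries the whole SAP audit record as free text, a SIEM rule that needs the SAP client or terminal still has to parse that value further; the header fields (`signature_id`, `severity`) and the short extension keys are what CEF makes directly searchable.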
