CEF is an extensible, text-based format designed to support multiple device types by offerring the most relevant information. Message syntaxes are reduced to work with ESM normalization. Specifically, CEF defines a syntax for log records comprised of a standard header and a variable extension, formatted as key-value pairs.
rust
Sep 19 08:26:10 host CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232
You can start using it by first adding it to your Cargo.toml:
toml
[dependencies]
serde_derive = "1.0"
serde_cef = "0.1"
Then, create a structure which implement serde::Serialize / serde::Deserialize traits and
use the structure as extention in the serde_cef::CefRecord.
```rust extern crate serde_cef;
extern crate serde_derive;
use serdecef::{CefRecord, CefSeverity, CefSignatureId,tostring, from_str};
struct Foo { a: String, b: u64, }
fn main() {
let rec = CefRecord {
headers: None,
version: 0,
devicevendor: "Fake".tostring(),
deviceproduct: "Product".tostring(),
deviceversion: "0.1".tostring(),
signatureid: CefSignatureId::U64(0),
signature: "Nothing".tostring(),
severity: CefSeverity::U8(6),
extensions: Foo { a: "subtest".into(), b: 695217 },
};
let asstring = tostring(&rec).unwrap();
println!("{}", &asstring);
println!("{:?}", fromstr::
**Output**:
CEF:0|Fake|Product|0.1|0|Nothing|6|a:subtest b:695217
CefRecord { headers: None, version: 0, devicevendor: "Fake", deviceproduct: "Product", deviceversion: "0.1", signature_id: U64(0), signature: "Nothing", severity: U8(6), extensions: Foo { a: "subtest", b: 695217 } }
```
The feature ovh-ldp allow to suffix fields names to suits to the LDP naming conventions.
In your Cargo.toml, set:
toml
[dependencies]
serde_value_flatten = { version = "0.1", features = ["ovh-ldp"] }
Re-run the previous example, and now the output will be like :
CEF:0|Fake|Product|0.1|0|Nothing|6|a:subtest b_double:695217
License: BSD-3-Clause