const Tab = '\x09';
const leefAttribs = Object.entries(this.attributes);
const leefAttribsLen = leefAttribs.length;
for (let attrib = 0; attrib < leefAttribsLen; attrib++) {
if (leefAttribs[attrib][1] !== null) {
fmtMsg += leefAttribs[attrib][0] + '=' + leefAttribs[attrib][1] + Tab;
}
}
resolve(fmtMsg);
});
}
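/**
 * Build this event as a message and hand it to a Syslog transport.
 *
 * `buildMessage()` runs first and its result is passed to the transport
 * unchanged — no escaping or truncation happens at this layer. When no
 * transport has been attached yet (`this.server` is unset) one is created
 * from `options` and cached on the instance, so `options` is only consulted
 * on the first call.
 *
 * @param {Object} options - Syslog constructor options, used only when a
 *   transport has to be created.
 * @returns {Promise<*>} Resolves with whatever `Syslog#send` resolves with.
 *   Rejects when `buildMessage()` fails, when constructing the transport
 *   throws, or when the transport's `send` rejects. The previous
 *   implementation had no rejection handler on the `buildMessage()` chain,
 *   so a failed build left the returned promise pending forever.
 */
async send(options) {
  const message = await this.buildMessage();
  if (!this.server) {
    // Lazily attach a transport; later calls reuse it and ignore `options`.
    this.server = new Syslog(options);
  }
  return this.server.send(message);
}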
}
class CEF {
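/**
 * Create a CEF (Common Event Format) event.
 *
 * Every header field falls back to the string 'Unknown' when it is not
 * supplied. `severity` is the one exception to the plain `||` fallback:
 * the CEF header severity is numeric (0–10 in the specification), so a
 * caller passing 0 must get 0, not 'Unknown'.
 *
 * @param {Object} [options] - Event settings; a missing or falsy value is
 *   treated as an empty object.
 * @param {string} [options.deviceVendor]
 * @param {string} [options.deviceProduct]
 * @param {string} [options.deviceVersion]
 * @param {string} [options.deviceEventClassId]
 * @param {string} [options.name]
 * @param {number|string} [options.severity]
 * @param {Object} [options.extensions] - Replaces (does not merge with) the
 *   default extension dictionary below and is stored by reference, not
 *   copied. Keys must match the names used by `validate()`, including the
 *   unusual spellings noted below.
 * @param {Object} [options.server] - Either an already-built transport,
 *   recognised by a truthy `constructor__` marker (the same marker this
 *   constructor sets on its own instances), or constructor options for a
 *   new `Syslog` transport. Any object with a truthy `constructor__` is
 *   accepted as the transport without further checks.
 */
constructor(options) {
  // Marker used by sibling classes (see the `options.server` branch below)
  // to tell an already-constructed object from a plain options bag.
  this.constructor__ = true;
  const opts = options || {};
  this.deviceVendor = opts.deviceVendor || 'Unknown';
  this.deviceProduct = opts.deviceProduct || 'Unknown';
  this.deviceVersion = opts.deviceVersion || 'Unknown';
  this.deviceEventClassId = opts.deviceEventClassId || 'Unknown';
  this.name = opts.name || 'Unknown';
  // 0 is a valid CEF severity; `||` alone would turn it into 'Unknown'.
  this.severity = opts.severity === 0 ? 0 : (opts.severity || 'Unknown');
  // Default extension dictionary: every known CEF extension, unset (null).
  // Several keys carry embedded spaces or odd capitalisation
  // ('deviceCustomIPv6 Address1Label', 'DeviceCustomNumber2', 'Reason', …);
  // they are spelled identically in validate()'s dictionary and the two
  // lists must stay in sync. Note that neither list has a
  // deviceCustomIPv6Address2 entry (the sequence runs 1, 3, 4).
  this.extensions = opts.extensions || {
    deviceAction: null,
    applicationProtocol: null,
    deviceCustomIPv6Address1: null,
    'deviceCustomIPv6 Address1Label': null,
    deviceCustomIPv6Address3: null,
    'deviceCustomIPv6Address3 Label': null,
    'deviceCustomIPv6 Address4': null,
    'deviceCustomIPv6 Address4Label': null,
    deviceEventCategory: null,
    deviceCustomFloatingPoint1: null,
    'deviceCustom FloatingPoint1Label': null,
    deviceCustomFloatingPoint2: null,
    'deviceCustomFloatingPoint2 Label': null,
    deviceCustomFloatingPoint3: null,
    'deviceCustom FloatingPoint3Label': null,
    deviceCustomFloatingPoint4: null,
    'deviceCustom FloatingPoint4Label': null,
    deviceCustomNumber1: null,
    deviceCustomNumber1Label: null,
    DeviceCustomNumber2: null,
    deviceCustomNumber2Label: null,
    deviceCustomNumber3: null,
    deviceCustomNumber3Label: null,
    baseEventCount: null,
    deviceCustomString1: null,
    deviceCustomString1Label: null,
    deviceCustomString2: null,
    deviceCustomString2Label: null,
    deviceCustomString3: null,
    deviceCustomString3Label: null,
    deviceCustomString4: null,
    deviceCustomString4Label: null,
    deviceCustomString5: null,
    deviceCustomString5Label: null,
    deviceCustomString6: null,
    deviceCustomString6Label: null,
    destinationDnsDomain: null,
    destinationServiceName: null,
    'destinationTranslated Address': null,
    destinationTranslatedPort: null,
    deviceCustomDate1: null,
    deviceCustomDate1Label: null,
    deviceCustomDate2: null,
    deviceCustomDate2Label: null,
    deviceDirection: null,
    deviceDnsDomain: null,
    deviceExternalId: null,
    deviceFacility: null,
    deviceInboundInterface: null,
    deviceNtDomain: null,
    deviceOutboundInterface: null,
    devicePayloadId: null,
    deviceProcessName: null,
    deviceTranslatedAddress: null,
    destinationHostName: null,
    destinationMacAddress: null,
    destinationNtDomain: null,
    destinationProcessId: null,
    destinationUserPrivileges: null,
    destinationProcessName: null,
    destinationPort: null,
    destinationAddress: null,
    deviceTimeZone: null,
    destinationUserId: null,
    destinationUserName: null,
    deviceAddress: null,
    deviceHostName: null,
    deviceMacAddress: null,
    deviceProcessId: null,
    endTime: null,
    externalId: null,
    fileCreateTime: null,
    fileHash: null,
    fileId: null,
    fileModificationTime: null,
    filePath: null,
    filePermission: null,
    fileType: null,
    flexDate1: null,
    flexDate1Label: null,
    flexString1: null,
    flexString1Label: null,
    flexString2: null,
    flexString2Label: null,
    filename: null,
    fileSize: null,
    bytesIn: null,
    message: null,
    oldFileCreateTime: null,
    oldFileHash: null,
    oldFileId: null,
    oldFileModificationTime: null,
    oldFileName: null,
    oldFilePath: null,
    oldFileSize: null,
    oldFileType: null,
    bytesOut: null,
    eventOutcome: null,
    transportProtocol: null,
    Reason: null,
    requestUrl: null,
    requestClientApplication: null,
    requestContext: null,
    requestCookies: null,
    requestMethod: null,
    deviceReceiptTime: null,
    sourceHostName: null,
    sourceMacAddress: null,
    sourceNtDomain: null,
    sourceDnsDomain: null,
    sourceServiceName: null,
    sourceTranslatedAddress: null,
    sourceTranslatedPort: null,
    sourceProcessId: null,
    sourceUserPrivileges: null,
    sourceProcessName: null,
    sourcePort: null,
    sourceAddress: null,
    startTime: null,
    sourceUserId: null,
    sourceUserName: null,
    type: null,
    agentDnsDomain: null,
    agentNtDomain: null,
    agentTranslatedAddress: null,
    'agentTranslatedZone ExternalID': null,
    agentTranslatedZoneURI: null,
    agentZoneExternalID: null,
    agentZoneURI: null,
    agentAddress: null,
    agentHostName: null,
    agentId: null,
    agentMacAddress: null,
    agentReceiptTime: null,
    agentType: null,
    agentTimeZone: null,
    agentVersion: null,
    customerExternalID: null,
    customerURI: null,
    'destinationTranslated ZoneExternalID': null,
    'destinationTranslated ZoneURI': null,
    destinationZoneExternalID: null,
    destinationZoneURI: null,
    'deviceTranslatedZone ExternalID': null,
    deviceTranslatedZoneURI: null,
    deviceZoneExternalID: null,
    deviceZoneURI: null,
    destinationGeoLatitude: null,
    destinationGeoLongitude: null,
    eventId: null,
    rawEvent: null,
    sourceGeoLatitude: null,
    sourceGeoLongitude: null,
    'sourceTranslatedZone ExternalID': null,
    sourceTranslatedZoneURI: null,
    sourceZoneExternalID: null,
    sourceZoneURI: null,
  };
  if (opts.server) {
    if (opts.server.constructor__) {
      // Duck-typed: a prebuilt transport is taken as-is.
      this.server = opts.server;
    } else {
      // Otherwise the value is treated as Syslog constructor options.
      this.server = new Syslog(opts.server);
    }
  }
}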
validate() {
return new Promise((resolve, reject) => {
const Extensions = {
deviceAction: {
key: 'act',
type: 'String',
len: 63,
discription: 'Action taken by the device.',
},
applicationProtocol: {
key: 'app',
type: 'String',
len: 31,
discription: 'Application level protocol, example values are HTTP, ' +
'HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on.',
},
deviceCustomIPv6Address1: {
key: 'c6a1',
type: 'String',
len: null,
discription: 'One of four IPv6 address fields available to map ' +
'fields that do not apply to any other in this dictionary. ' +
'TIP: See the guidelines under “User-Defined Extensions” for ' +
'tips on using these fields.',
},
'deviceCustomIPv6 Address1Label': {
key: 'c6a1Label',
type: 'String',
len: 1023,
discription: 'All custom fields have a corresponding label field. ' +
'Each of these fields is a string and describes the purpose of ' +
'the custom field.',
},
deviceCustomIPv6Address3: {
key: 'c6a3',
type: 'String',
len: null,
discription: 'One of four IPv6 address fields available to map ' +
'fields that do not apply to any other in this dictionary. ' +
'TIP: See the guidelines under “User-Defined Extensions” for ' +
'tips on using these fields.',
},
'deviceCustomIPv6Address3 Label': {
key: 'c6a3Label',
type: 'String',
len: 1023,
discription: 'All custom fields have a corresponding label field. ' +
'Each of these fields is a string and describes the purpose of ' +
'the custom field.',
},
'deviceCustomIPv6 Address4': {
key: 'c6a4',
type: 'String',
len: null,
discription: 'One of four IPv6 address fields available to map ' +
'fields that do not apply to any other in this dictionary. ' +
'TIP: See the guidelines under “User-Defined Extensions” for ' +
'tips on using these fields.',
},
'deviceCustomIPv6 Address4Label': {
key: 'C6a4Label',
type: 'String',
len: 1023,
discription: 'All custom fields have a corresponding label field. ' +
'Each of these fields is a string and describes the purpose of ' +
'the custom field.',
},
deviceEventCategory: {
key: 'cat',
type: 'String',
len: 1023,
discription: 'Represents the category assigned by the originating ' +
'device. Devices often use their own categorization schema to ' +
'classify event. Example: “/Monitor/Disk/Read”',
},
deviceCustomFloatingPoint1: {
key: 'cfp1',
type: 'Number',
len: null,
discription: 'One of four floating point fields available to map ' +
'fields that do not apply to any other in this dictionary.',
},
'deviceCustom FloatingPoint1Label': {
key: 'cfp1Label',
type: 'String',
len: 1023,
discription: 'All custom fields have a corresponding label field. ' +
'Each of these fields is a string and describes the purpose of ' +
'the custom field.',
},
deviceCustomFloatingPoint2: {
key: 'cfp2',
type: 'Number',
len: null,
discription: 'One of four floating point fields available to map ' +
'fields that do not apply to any other in this dictionary.',
},
'deviceCustomFloatingPoint2 Label': {
key: 'cfp2Label',
type: 'String',
len: 1023,
discription: 'All custom fields have a corresponding label field. ' +
'Each of these fields is a string and describes the purpose of ' +
'the custom field.',
},
deviceCustomFloatingPoint3: {
key: 'cfp3',
type: 'Number',
len: null,
discription: 'One of four floating point fields available to map ' +
'fields that do not apply to any other in this dictionary.',
},
'deviceCustom FloatingPoint3Label': {
key: 'cfp3Label',
type: 'String',
len: 1023,
discription: 'All custom fields have a corresponding label field. ' +
'Each of these fields is a string and describes the purpose of ' +
'the custom field.',
},
deviceCustomFloatingPoint4: {
key: 'cfp4',
type: 'Number',
len: null,
discription: 'One of four floating point fields available to map ' +
'fields that do not apply to any other in this dictionary.',
},
'deviceCustom FloatingPoint4Label': {
key: 'cfp4Label',
type: 'String',
len: 1023,
discription: 'All custom fields have a corresponding label field. ' +
'Each of these fields is a string and describes the purpose of ' +
'the custom field.',
},
deviceCustomNumber1: {
key: 'cn1',
type: 'Number',
len: null,
discription: 'One of three number fields available to map fields ' +
'that do not apply to any other in this dictionary. Use ' +
'sparingly and seek a more specific dictionary supplied field ' +
'when possible.',
},
deviceCustomNumber1Label: {
key: 'cn1Label',
type: 'String',
len: 1023,
discription: 'All custom fields have a corresponding label field. ' +
'Each of these fields is a string and describes the purpose of ' +
'the custom field.',
},
DeviceCustomNumber2: {
key: 'cn2',
type: 'Number',
len: null,
discription: 'One of three number fields available to map fields ' +
'that do not apply to any other in this dictionary. Use ' +
'sparingly and seek a more specific, dictionary supplied field ' +
'when possible.',
},
deviceCustomNumber2Label: {
key: 'cn2Label',
type: 'String',
len: 1023,
discription: 'All custom fields have a corresponding label field. ' +
'Each of these fields is a string and describes the purpose of ' +
'the custom field.',
},
deviceCustomNumber3: {
key: 'cn3',
type: 'Number',
len: null,
discription: 'One of three number fields available to map fields ' +
'that do not apply to any other in this dictionary. Use ' +
'sparingly and seek a more specific, dictionary supplied field ' +
'when possible.',
},
deviceCustomNumber3Label: {
key: 'cn3Label',
type: 'String',
len: 1023,
discription: 'All custom fields have a corresponding label field. ' +
'Each of these fields is a string and describes the purpose of ' +
'the custom field.',
},
baseEventCount: {
key: 'cnt',
type: 'Number',
len: null,
discription: 'A count associated with this event. How many times ' +
'was this same event observed? Count can be omitted if it is 1.',
},
deviceCustomString1: {
key: 'cs1',
type: 'String',
len: 4000,
discription: 'One of six strings available to map fields that do ' +
'not apply to any other in this dictionary. Use sparingly and ' +
'seek a more specific, dictionary supplied field when ' +
'possible. TIP: See the guidelines under “User-Defined ' +
'Extensions” for tips on using these fields.',
},
deviceCustomString1Label: {
key: 'cs1Label',
type: 'String',
len: 1023,
discription: 'All custom fields have a corresponding label field. ' +
'Each of these fields is a string and describes the purpose of ' +
'the custom field.',
},
deviceCustomString2: {
key: 'cs2',
type: 'String',
len: 4000,
discription: 'One of six strings available to map fields that do ' +
'not apply to any other in this dictionary. Use sparingly and ' +
'seek a more specific, dictionary supplied field when ' +
'possible. TIP: See the guidelines under “User-Defined ' +
'Extensions” for tips on using these fields.',
},
deviceCustomString2Label: {
key: 'cs2Label',
type: 'String',
len: 1023,
discription: 'All custom fields have a corresponding label field. ' +
'Each of these fields is a string and describes the purpose of ' +
'the custom field.',
},
deviceCustomString3: {
key: 'cs3',
type: 'String',
len: 4000,
discription: 'One of six strings available to map fields that do ' +
'not apply to any other in this dictionary. Use sparingly and ' +
'seek a more specific, dictionary supplied field when ' +
'possible. TIP: See the guidelines under “User-Defined ' +
'Extensions” for tips on using these fields.',
},
deviceCustomString3Label: {
key: 'cs3Label',
type: 'String',
len: 1023,
discription: 'All custom fields have a corresponding label field. ' +
'Each of these fields is a string and describes the purpose of ' +
'the custom field.',
},
deviceCustomString4: {
key: 'cs4',
type: 'String',
len: 4000,
discription: 'One of six strings available to map fields that do ' +
'not apply to any other in this dictionary. Use sparingly and ' +
'seek a more specific, dictionary supplied field when ' +
'possible. TIP: See the guidelines under “User-Defined ' +
'Extensions” for tips on using these fields.',
},
deviceCustomString4Label: {
key: 'cs4Label',
type: 'String',
len: 1023,
discription: 'All custom fields have a corresponding label field. ' +
'Each of these fields is a string and describes the purpose of ' +
'the custom field.',
},
deviceCustomString5: {
key: 'cs5',
type: 'String',
len: 4000,
discription: 'One of six strings available to map fields that do ' +
'not apply to any other in this dictionary. Use sparingly and ' +
'seek a more specific, dictionary supplied field when ' +
'possible. TIP: See the guidelines under “User-Defined ' +
'Extensions” for tips on using these fields.',
},
deviceCustomString5Label: {
key: 'cs5Label',
type: 'String',
len: 1023,
discription: 'All custom fields have a corresponding label field. ' +
'Each of these fields is a string and describes the purpose of ' +
'the custom field.',
},
deviceCustomString6: {
key: 'cs6',
type: 'String',
len: 4000,
discription: 'One of six strings available to map fields that do ' +
'not apply to any other in this dictionary. Use sparingly and ' +
'seek a more specific, dictionary supplied field when ' +
'possible. TIP: See the guidelines under “User-Defined ' +
'Extensions” for tips on using these fields.',
},
deviceCustomString6Label: {
key: 'cs6Label',
type: 'String',
len: 1023,
discription: 'All custom fields have a corresponding label field. ' +
'Each of these fields is a string and describes the purpose of ' +
'the custom field.',
},
destinationDnsDomain: {
key: 'destination DnsDomain',
type: 'String',
len: 255,
discription: 'The DNS domain part of the complete fully qualified ' +
'domain name (FQDN).',
},
destinationServiceName: {
key: 'destination ServiceName',
type: 'String',
len: 1023,
discription: 'The service targeted by this event. Example: “sshd”',
},
'destinationTranslated Address': {
key: 'Destination Translated Address',
type: 'String',
len: null,
discription: 'Identifies the translated destination that the event ' +
'refers to in an IP network. The format is an IPv4 address. ' +
'Example: “192.168.10.1”',
},
destinationTranslatedPort: {
key: 'Destination TranslatedPort',
type: 'Number',
len: null,
discription: 'Port after it was translated; for example, a ' +
'firewall. Valid port numbers are 0 to 65535.',
},
deviceCustomDate1: {
key: 'deviceCustom Date1',
type: 'String',
len: null,
discription: 'One of two timestamp fields available to map fields ' +
'that do not apply to any other in this dictionary. Use ' +
'sparingly and seek a more specific, dictionary supplied field ' +
'when possible. TIP: See the guidelines under “User-Defined ' +
'Extensions” for tips on using these fields.',
},
deviceCustomDate1Label: {
key: 'deviceCustom Date1Label',
type: 'String',
len: 1023,
discription: 'All custom fields have a corresponding label field. ' +
'Each of these fields is a string and describes the purpose of ' +
'the custom field.',
},
deviceCustomDate2: {
key: 'deviceCustom Date2',
type: 'String',
len: null,
discription: 'One of two timestamp fields available to map fields ' +
'that do not apply to any other in this dictionary. Use ' +
'sparingly and seek a more specific, dictionary supplied field ' +
'when possible. TIP: See the guidelines under “User-Defined ' +
'Extensions” for tips on using these fields.',
},
deviceCustomDate2Label: {
key: 'deviceCustom Date2Label',
type: 'String',
len: 1023,
discription: 'All custom fields have a corresponding label field. ' +
'Each of these fields is a string and describes the purpose of ' +
'the custom field.',
},
deviceDirection: {
key: 'deviceDirection',
type: 'Number',
len: null,
discription: 'Any information about what direction the observed ' +
'communication has taken. The following values are supported: ' +
'“0” for inbound or “1” for outbound',
},
deviceDnsDomain: {
key: 'deviceDns Domain',
type: 'String',
len: 255,
discription: 'The DNS domain part of the complete fully qualified ' +
'domain name (FQDN).',
},
deviceExternalId: {
key: 'device ExternalId',
type: 'String',
len: 255,
discription: 'A name that uniquely identifies the device ' +
'generating this event.',
},
deviceFacility: {
key: 'deviceFacility',
type: 'String',
len: 1023,
discription: 'The facility generating this event. For example, ' +
'Syslog has an explicit facility associated with every event.',
},
deviceInboundInterface: {
key: 'deviceInbound Interface',
type: 'String',
len: 128,
discription: 'Interface on which the packet or data entered the ' +
'device.',
},
deviceNtDomain: {
key: 'deviceNt Domain',
type: 'String',
len: 255,
discription: 'The Windows domain name of the device address.',
},
deviceOutboundInterface: {
key: 'Device Outbound Interface',
type: 'String',
len: 128,
discription: 'Interface on which the packet or data left the ' +
'device.',
},
devicePayloadId: {
key: 'Device PayloadId',
type: 'String',
len: 128,
discription: 'Unique identifier for the payload associated with ' +
'the event.',
},
deviceProcessName: {
key: 'deviceProcess Name',
type: 'String',
len: 1023,
discription: 'Process name associated with the event. An example ' +
'might be the process generating the syslog entry in UNIX.',
},
deviceTranslatedAddress: {
key: 'device Translated Address',
type: 'String',
len: null,
discription: 'Identifies the translated device address that the ' +
'event refers to in an IP network. The format is an IPv4 ' +
'address. Example: “192.168.10.1”',
},
destinationHostName: {
key: 'dhost',
type: 'String',
len: 1023,
discription: 'Identifies the destination that an event refers to ' +
'in an IP network. The format should be a fully qualified ' +
'domain name (FQDN) associated with the destination node, when ' +
'a node is available. Examples: “host.domain.com” or “host”.',
},
destinationMacAddress: {
key: 'dmac',
type: 'String',
len: null,
discription: 'Six colon-seperated hexadecimal numbers. Example: ' +
'“00:0D:60:AF:1B:61”',
},
destinationNtDomain: {
key: 'dntdom',
type: 'String',
len: 255,
discription: 'The Windows domain name of the destination address.',
},
destinationProcessId: {
key: 'dpid',
type: 'Number',
len: null,
discription: 'Provides the ID of the destination process ' +
'associated with the event. For example, if an event contains ' +
'process ID 105, 105” is the process ID.',
},
destinationUserPrivileges: {
key: 'dpriv',
type: 'String',
len: 1023,
discription: 'The typical values are “Administrator”, “User”, and ' +
'“Guest”. This identifies the destination user’s privileges. ' +
'In UNIX, for example, activity executed on the root user ' +
'would be identified with destinationUser Privileges of ' +
'“Administrator”.',
},
destinationProcessName: {
key: 'dproc',
type: 'String',
len: 1023,
discription: 'The name of the event’s destination process. ' +
'Example: “telnetd” or “sshd”.',
},
destinationPort: {
key: 'dpt',
type: 'Number',
len: null,
discription: 'The valid port numbers are between 0 and 65535.',
},
destinationAddress: {
key: 'dst',
type: 'String',
len: null,
discription: 'Identifies the destination address that the event ' +
'refers to in an IP network. The format is an IPv4 address. ' +
'Example: “192.168.10.1”',
},
deviceTimeZone: {
key: 'dtz',
type: 'String',
len: 255,
discription: 'The timezone for the device generating the event.',
},
destinationUserId: {
key: 'duid',
type: 'String',
len: 1023,
discription: 'Identifies the destination user by ID. For example, ' +
'in UNIX, the root user is generally associated with user ' +
'ID 0.',
},
destinationUserName: {
key: 'duser',
type: 'String',
len: 1023,
discription: 'Identifies the destination user by name. This is the ' +
'user associated with the event’s destination. Email addresses ' +
'are often mapped into the UserName fields. The recipient is a ' +
'candidate to put into this field.',
},
deviceAddress: {
key: 'dvc',
type: 'String',
len: null,
discription: 'Identifies the device address that an event refers ' +
'to in an IP network. The format is an IPv4 address. Example: ' +
'“192.168.10.1”.',
},
deviceHostName: {
key: 'dvchost',
type: 'String',
len: 100,
discription: 'The format should be a fully qualified domain name ' +
'(FQDN) associated with the device node, when a node is ' +
'available. Example: “host.domain.com” or “host”.',
},
deviceMacAddress: {
key: 'dvcmac',
type: 'String',
len: null,
discription: 'Six colon-separated hexadecimal numbers. Example: ' +
'“00:0D:60:AF:1B:61”',
},
deviceProcessId: {
key: 'dvcpid',
type: 'Number',
len: null,
discription: 'Provides the ID of the process on the device ' +
'generating the event.',
},
endTime: {
key: 'end',
type: 'String',
len: null,
discription: 'The time at which the activity related to the event ' +
'ended. The format is MMM dd yyyy HH:mm:ss or milliseconds ' +
'since epoch (Jan 1st1970). An example would be reporting the ' +
'end of a session.',
},
externalId: {
key: 'externalId',
type: 'String',
len: 40,
discription: 'The ID used by an originating device. They are ' +
'usually increasing numbers, associated with events.',
},
fileCreateTime: {
key: 'fileCreateTime',
type: 'String',
len: null,
discription: 'Time when the file was created.',
},
fileHash: {
key: 'fileHash',
type: 'String',
len: 255,
discription: 'Hash of a file.',
},
fileId: {
key: 'fileId',
type: 'String',
len: 1023,
discription: 'An ID associated with a file could be the inode.',
},
fileModificationTime: {
key: 'fileModification Time',
type: 'String',
len: null,
discription: 'Time when the file was last modified.',
},
filePath: {
key: 'filePath',
type: 'String',
len: 1023,
discription: 'Full path to the file, including file name itself. ' +
'Example: C:\Program Files \WindowsNT\Accessories\ wordpad.exe ' +
'or /usr/bin/zip',
},
filePermission: {
key: 'filePermission',
type: 'String',
len: 1023,
discription: 'Permissions of the file.',
},
fileType: {
key: 'fileType',
type: 'String',
len: 1023,
discription: 'Type of file (pipe, socket, etc.)',
},
flexDate1: {
key: 'flexDate1',
type: 'String',
len: null,
discription: 'A timestamp field available to map a timestamp that ' +
'does not apply to any other defined timestamp field in this ' +
'dictionary. Use all flex fields sparingly and seek a more ' +
'specific, dictionary supplied field when possible. These ' +
'fields are typically reserved for customer use and should not ' +
'be set by vendors unless necessary.',
},
flexDate1Label: {
key: 'flexDate1Label',
type: 'String',
len: 128,
discription: 'The label field is a string and describes the ' +
'purpose of the flex field.',
},
flexString1: {
key: 'flexString1',
type: 'String',
len: 1023,
discription: 'One of four floating point fields available to map ' +
'fields that do not apply to any other in this dictionary. Use ' +
'sparingly and seek a more specific, dictionary supplied field ' +
'when possible. These fields are typically reserved for ' +
'customer use and should not be set by vendors unless ' +
'necessary.',
},
flexString1Label: {
key: 'flexString1 Label',
type: 'String',
len: 128,
discription: 'The label field is a string and describes the ' +
'purpose of the flex field.',
},
flexString2: {
key: 'flexString2',
type: 'String',
len: 1023,
discription: 'One of four floating point fields available to map ' +
'fields that do not apply to any other in this dictionary. Use ' +
'sparingly and seek a more specific, dictionary supplied field ' +
'when possible. These fields are typically reserved for ' +
'customer use and should not be set by vendors unless ' +
'necessary.',
},
flexString2Label: {
key: 'flex String2Label',
type: 'String',
len: 128,
discription: 'The label field is a string and describes the ' +
'purpose of the flex field.',
},
filename: {
key: 'fname',
type: 'String',
len: 1023,
discription: 'Name of the file only (without its path).',
},
fileSize: {
key: 'fsize',
type: 'Number',
len: null,
discription: 'Size of the file.',
},
bytesIn: {
key: 'in',
type: 'Number',
len: null,
discription: 'Number of bytes transferred inbound, relative to the ' +
'source to destination relationship, meaning that data was ' +
'flowing from source to destination.',
},
message: {
key: 'msg',
type: 'String',
len: 1023,
discription: 'An arbitrary message giving more details about the ' +
'event. Multi-line entries can be produced by using \n as the ' +
'new line separator.',
},
oldFileCreateTime: {
key: 'oldFileCreate Time',
type: 'String',
len: null,
discription: 'Time when old file was created.',
},
oldFileHash: {
key: 'oldFileHash',
type: 'String',
len: 255,
discription: 'Hash of the old file.',
},
oldFileId: {
key: 'oldFileId',
type: 'String',
len: 1023,
discription: 'An ID associated with the old file could be the ' +
'inode.',
},
oldFileModificationTime: {
key: 'oldFile Modification Time',
type: 'String',
len: null,
discription: 'Time when old file was last modified.',
},
oldFileName: {
key: 'oldFileName',
type: 'String',
len: 1023,
discription: 'Name of the old file.',
},
oldFilePath: {
key: 'oldFilePath',
type: 'String',
len: 1023,
discription: 'Full path to the old fiWindowsNT\\Accessories le, ' +
'including the file name itself. Examples: c:\\Program ' +
'Files\\wordpad.exe or /usr/bin/zip',
},
oldFileSize: {
key: 'oldFileSize',
type: 'Number',
len: null,
discription: 'Size of the old file.',
},
oldFileType: {
key: 'oldFileType',
type: 'String',
len: 1023,
discription: 'Type of the old file (pipe, socket, etc.)',
},
bytesOut: {
key: 'out',
type: 'Number',
len: null,
discription: 'Number of bytes transferred outbound relative to the ' +
'source to destination relationship. For example, the byte ' +
'number of data flowing from the destination to the source.',
},
eventOutcome: {
key: 'outcome',
type: 'String',
len: 63,
discription: 'Displays the outcome, usually as ‘success’ or ' +
'‘failure’.',
},
transportProtocol: {
key: 'proto',
type: 'String',
len: 31,
discription: 'Identifies the Layer-4 protocol used. The possible ' +
'values are protocols such as TCP or UDP.',
},
Reason: {
key: 'reason',
type: 'String',
len: 1023,
discription: 'The reason an audit event was generated. For ' +
'example “badd password” or “unknown user”. This could also be ' +
'an error or return code. Example: “0x1234”',
},
requestUrl: {
key: 'request',
type: 'String',
len: 1023,
discription: 'In the case of an HTTP request, this field contains ' +
'the URL accessed. The URL should contain the protocol as ' +
'well. Example: “http://www/secure.com”',
},
requestClientApplication: {
key: 'requestClient Application',
type: 'String',
len: 1023,
discription: 'The User-Agent associated with the request.',
},
requestContext: {
key: 'requestContext',
type: 'String',
len: 2048,
discription: 'Description of the content from which the request ' +
'originated (for example, HTTP Referrer)',
},
requestCookies: {
key: 'requestCookies',
type: 'String',
len: 1023,
discription: 'Cookies associated with the request.',
},
requestMethod: {
key: 'requestMethod',
type: 'String',
len: 1023,
discription: 'The method used to access a URL. Possible values: ' +
'“POST”, “GET”, etc.',
},
deviceReceiptTime: {
key: 'rt',
type: 'String',
len: null,
discription: 'The time at which the event related to the activity ' +
'was received. The format is MMM dd yyyy HH:mm:ss or ' +
'milliseconds since epoch (Jan 1st 1970)',
},
sourceHostName: {
key: 'shost',
type: 'String',
len: 1023,
discription: 'Identifies the source that an event refers to in an ' +
'IP network. The format should be a fully qualified domain ' +
'name (DQDN) associated with the source node, when a mode is ' +
'available. Examples: “host” or “host.domain.com”.',
},
sourceMacAddress: {
key: 'smac',
type: 'String',
len: null,
discription: 'Six colon-separated hexadecimal numbers. Example: ' +
'“00:0D:60:AF:1B:61”',
},
sourceNtDomain: {
key: 'sntdom',
type: 'String',
len: 255,
discription: 'The Windows domain name for the source address.',
},
sourceDnsDomain: {
key: 'sourceDns Domain',
type: 'String',
len: 255,
discription: 'The DNS domain part of the complete fully qualified ' +
'domain name (FQDN).',
},
sourceServiceName: {
key: 'source ServiceName',
type: 'String',
len: 1023,
discription: 'The service that is responsible for generating this ' +
'event.',
},
sourceTranslatedAddress: {
key: 'source Translated Address',
type: 'String',
len: null,
discription: 'Identifies the translated source that the event ' +
'refers to in an IP network. The format is an IPv4 address. ' +
'Example: “192.168.10.1”.',
},
sourceTranslatedPort: {
key: 'source TranslatedPort',
type: 'Number',
len: null,
discription: 'A port number after being translated by, for ' +
'example, a firewall. Valid port numbers are 0 to 65535.',
},
sourceProcessId: {
key: 'spid',
type: 'Number',
len: null,
discription: 'The ID of the source process associated with the ' +
'event.',
},
sourceUserPrivileges: {
key: 'spriv',
type: 'String',
len: 1023,
discription: 'The typical values are “Administrator”, “User”, and ' +
'“Guest”. It identifies the source user’s privileges. In UNIX, ' +
'for example, activity executed by the root user would be ' +
'identified with “Administrator”.',
},
sourceProcessName: {
key: 'sproc',
type: 'String',
len: 1023,
discription: 'The name of the event’s source process.',
},
sourcePort: {
key: 'spt',
type: 'Number',
len: null,
discription: 'The valid port numbers are 0 to 65535.',
},
sourceAddress: {
key: 'src',
type: 'String',
len: null,
discription: 'Identifies the source that an event refers to in an ' +
'IP network. The format is an IPv4 address. Example: ' +
'“192.168.10.1”.',
},
startTime: {
key: 'start',
type: 'String',
len: null,
discription: 'The time when the activity the event referred to ' +
'started. The format is MMM dd yyyy HH:mm:ss or milliseconds ' +
'since epoch (Jan 1st 1970)',
},
sourceUserId: {
key: 'suid',
type: 'String',
len: 1023,
discription: 'Identifies the source user by ID. This is the user ' +
'associated with the source of the event. For example, in ' +
'UNIX, the root user is generally associated with user ID 0.',
},
sourceUserName: {
key: 'suser',
type: 'String',
len: 1023,
discription: 'Identifies the source user by name. Email addresses ' +
'are also mapped into the UserName fields. The sender is a ' +
'candidate to put into this field.',
},
type: {
key: 'type',
type: 'Number',
len: null,
discription: '0 means base event, 1 means aggregated, 2 means ' +
'correlation, and 3 means action. This field can be omitted ' +
'for base events (type 0).',
},
agentDnsDomain: {
key: 'agentDns Domain',
type: 'String',
len: 255,
discription: 'The DNS domain name of the ArcSight connector that ' +
'processed the event.',
},
agentNtDomain: {
key: 'agentNtDomain',
type: 'String',
len: 255,
discription: '',
},
agentTranslatedAddress: {
key: 'agentTranslated Address',
type: 'String',
len: null,
discription: '',
},
'agentTranslatedZone ExternalID': {
key: 'agentTranslated ZoneExternalID',
type: 'String',
len: 200,
discription: '',
},
agentTranslatedZoneURI: {
key: 'agentTranslated Zone URI',
type: 'String',
len: 2048,
discription: '',
},
agentZoneExternalID: {
key: 'agentZone ExternalID',
type: 'String',
len: 200,
discription: '',
},
agentZoneURI: {
key: 'agentZoneURI',
type: 'String',
len: 2048,
discription: '',
},
agentAddress: {
key: 'agt',
type: 'String',
len: null,
discription: 'The IP address of the ArcSight connector that ' +
'processed the event.',
},
agentHostName: {
key: 'ahost',
type: 'String',
len: 1023,
discription: 'The hostname of the ArcSight connector that ' +
'processed the event.',
},
agentId: {
key: 'aid',
type: 'String',
len: 40,
discription: 'The agent ID of the ArcSight connector that ' +
'processed the event.',
},
agentMacAddress: {
key: 'amac',
type: 'String',
len: null,
discription: 'The MAC address of the ArcSight connector that ' +
'processed the event.',
},
agentReceiptTime: {
key: 'art',
type: 'String',
len: null,
discription: 'The time at which information about the event was ' +
'received by the ArcSight connector.',
},
agentType: {
key: 'at',
type: 'String',
len: 63,
discription: 'The agent type of the ArcSight connector that ' +
'processed the event',
},
agentTimeZone: {
key: 'atz',
type: 'String',
len: 255,
discription: 'The agent time zone of the ArcSight connector that ' +
'processed the event.',
},
agentVersion: {
key: 'av',
type: 'String',
len: 31,
discription: 'The version of the ArcSight connector that processed ' +
'the event.',
},
customerExternalID: {
key: 'customer ExternalID',
type: 'String',
len: 200,
discription: '',
},
customerURI: {
key: 'customerURI',
type: 'String',
len: 2048,
discription: '',
},
'destinationTranslated ZoneExternalID': {
key: 'destination TranslatedZone ExternalID',
type: 'String',
len: 200,
discription: '',
},
'destinationTranslated ZoneURI': {
key: 'destination Translated ZoneURI',
type: 'String',
len: 2048,
discription: 'The URI for the Translated Zone that the destination ' +
'asset has been assigned to in ArcSight.',
},
destinationZoneExternalID: {
key: 'destinationZone ExternalID',
type: 'String',
len: 200,
discription: '',
},
destinationZoneURI: {
key: 'destinationZone URI',
type: 'String',
len: 2048,
discription: 'The URI for the Zone that the destination asset has ' +
'been assigned to in ArcSight.',
},
'deviceTranslatedZone ExternalID': {
key: 'device TranslatedZone ExternalID',
type: 'String',
len: 200,
discription: '',
},
deviceTranslatedZoneURI: {
key: 'device TranslatedZone URI',
type: 'String',
len: 2048,
discription: 'The URI for the Translated Zone that the device ' +
'asset has been assigned to in ArcSight.',
},
deviceZoneExternalID: {
key: 'deviceZone ExternalID',
type: 'String',
len: 200,
discription: '',
},
deviceZoneURI: {
key: 'deviceZoneURI',
type: 'String',
len: 2048,
discription: 'Thee URI for the Zone that the device asset has been ' +
'assigned to in ArcSight.',
},
destinationGeoLatitude: {
key: 'dlat',
type: 'Number',
len: null,
discription: 'The latitudinal value from which the ' +
'destination’s IP address belongs.',
},
destinationGeoLongitude: {
key: 'dlong',
type: 'Number',
len: null,
discription: 'The longitudinal value from which the destination’s ' +
'IP address belongs.',
},
eventId: {
key: 'eventId',
type: 'Number',
len: null,
discription: 'This is a unique ID that ArcSight assigns to each ' +
'event.',
},
rawEvent: {
key: 'rawEvent',
type: 'String',
len: 4000,
discription: '',
},
sourceGeoLatitude: {
key: 'slat',
type: 'Number',
len: null,
discription: '',
},
sourceGeoLongitude: {
key: 'slong',
type: 'Number',
len: null,
discription: '',
},
'sourceTranslatedZone ExternalID': {
key: 'source TranslatedZone ExternalID',
type: 'String',
len: 200,
discription: '',
},
sourceTranslatedZoneURI: {
key: 'source TranslatedZone URI',
type: 'String',
len: 2048,
discription: 'The URI for the Translated Zone that the destination ' +
'asset has been assigned to in ArcSight.',
},
sourceZoneExternalID: {
key: 'sourceZone ExternalID',
type: 'String',
len: 200,
discription: '',
},
sourceZoneURI: {
key: 'sourceZoneURI',
type: 'String',
len: 2048,
discription: 'The URI for the Zone that the source asset has been ' +
'assigned to in ArcSight.' },
};
if (typeof this.deviceVendor !== 'string'
|| typeof this.deviceProduct !== 'string'
|| typeof this.deviceVersion !== 'string'
) {
reject(new Error('TYPE ERROR: CEF Device Info must be a string'));
}
if (this.severity
&& (
(
typeof this.severity === 'string'
&& (
this.severity !== 'Unknown'
&& this.severity !== 'Low'
&& this.severity !== 'Medium'
&& this.severity !== 'High'
&& this.severity !== 'Very-High'
)
)
|| (
typeof this.severity === 'number'
&& (
this.severity < 0
|| this.severity > 10
)
)
)
) {
reject(new Error('TYPE ERROR: CEF Severity not set correctly'));
}
const cefExts = Object.entries(this.extensions);
const cefExtsLen = cefExts.length;
for (let ext = 0; ext < cefExtsLen; ext++) {
if (cefExts[ext][1] !== null) {
if (Extensions[cefExts[ext][0]]) {
if (typeof cefExts[ext][1] === Extensions[cefExts[ext][0]]
.type
.toLowerCase()) {
if (Extensions[cefExts[ext][0]].len > 0
&& typeof cefExts[ext][1] === 'string'
&& cefExts[ext][1].length > Extensions[cefExts[ext][0]].len){
let errMsg = 'FORMAT ERROR:';
errMsg += ' CEF Extention Key';
errMsg += ' ' + cefExts[ext][0];
errMsg += ' value length is to long;';
errMsg += ' max length is';
errMsg += ' ' + Extensions[cefExts[ext][0]].len;
reject(new Error(errMsg));
}
} else {
let errMsg = 'TYPE ERROR:';
errMsg += ' CEF Key';
errMsg += ' ' + cefExts[ext][0];
errMsg += ' value type was expected to be';
errMsg += ' ' + Extensions[cefExts[ext][0]].type.toLowerCase();
reject(new Error(errMsg));
}
}
}
}
resolve(true);
});
}
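buildMessage() {
  // Serialises this CEF event as a single line:
  //   CEF:0|Vendor|Product|Version|EventClassId|Name|Severity|key=value key=value ...
  // Resolves with the formatted string; it never rejects.
  //
  // Why the escaping: CEF header fields are delimited by '|' and extension
  // pairs by '=', with '\' as the escape character. A field value carrying
  // one of those characters unescaped (a user name such as "bob=admin", or a
  // line break inside a message) would be parsed by the receiving SIEM as
  // extra or different fields, i.e. the log record could be forged or
  // corrupted by event data. Header values escape '\' and '|'; extension
  // values escape '\', '=' and CR/LF.
  return new Promise((resolve) => {
    const escapeHeader = (value) => String(value)
      .replace(/\\/g, '\\\\')
      .replace(/\|/g, '\\|');
    const escapeExtension = (value) => String(value)
      .replace(/\\/g, '\\\\')
      .replace(/=/g, '\\=')
      .replace(/\r/g, '\\r')
      .replace(/\n/g, '\\n');

    let fmtMsg = 'CEF:0';
    fmtMsg += '|' + escapeHeader(this.deviceVendor);
    fmtMsg += '|' + escapeHeader(this.deviceProduct);
    fmtMsg += '|' + escapeHeader(this.deviceVersion);
    fmtMsg += '|' + escapeHeader(this.deviceEventClassId);
    fmtMsg += '|' + escapeHeader(this.name);
    fmtMsg += '|' + escapeHeader(this.severity);
    fmtMsg += '|';
    // Extensions whose value is null are omitted. Each emitted pair is
    // followed by a single space (including the last one), as before.
    // NOTE(review): the emitted key is the long extension name, not the short
    // CEF key held in Extensions[name].key (e.g. 'src') — confirm intended.
    for (const [key, value] of Object.entries(this.extensions)) {
      if (value !== null) {
        fmtMsg += key + '=' + escapeExtension(value) + ' ';
      }
    }
    resolve(fmtMsg);
  });
}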
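/**
 * Formats this CEF event and sends it through a Syslog transport.
 *
 * The transport is created lazily on first use from `options` and cached on
 * `this.server`; later calls reuse it and ignore `options`.
 *
 * Fix: the previous `.then()` chain attached no rejection handler to
 * `buildMessage()` and to the transport construction, so a failure there
 * left the returned promise pending forever. With `await`, every failure on
 * the path — building the message, constructing `Syslog`, or the transport's
 * own `send()` rejection — rejects the promise returned to the caller.
 *
 * @param {object} options - Syslog transport options, used only on first call.
 * @returns {Promise<*>} resolves with whatever the transport's send() resolves with.
 */
async send(options) {
  const message = await this.buildMessage();
  if (!this.server) {
    this.server = new Syslog(options);
  }
  return this.server.send(message);
}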
}
// Public surface of the module. `rgbToAnsi` is re-exported under the
// capitalised name `RgbToAnsi` to match the class-style export names.
module.exports = {
  RgbToAnsi: rgbToAnsi,
  RFC3164,
  RFC5424,
  LEEF,
  CEF,
  Syslog,
};