The Log Event Extended Format (LEEF) was developed for use with IBM’s QRadar analytics software; however, LEEF is an open standard that can be, and is, used by other SIEM platforms. An Identity Cloud-generated LEEF file looks similar to this:
LEEF:2.0|Janrain|Janrain Identity Cloud|1.0|traditional_signin|sev=3 proto=HTTPS cat=identity url=https://myapp.janrain.com/oauth/auth_native_traditional src=127.0.0.1 devTime=Dec 29 2016 00:26:40 devTimeFormat=MMM dd yyyy HH:mm:ss usrName=2b565a0c-a863-11e7-abc4-cec278b6b50a role=user userAgent=Mozilla/5.0 (X11; Fedora; Linux x86_64) janrainApp=abc123abc123def456def456gh janrainClient=abc123abc123def456def456ghi789gh origin=https://ui.janrain.com forward_headers=[{'name': 'header_name', 'value': 'header_value'}]
The LEEF file is explained in the following table:
| File Data | LEEF Field Name | Description |
|---|---|---|
| LEEF:2.0 | LEEF Version | Log Event Extended Format version number used to construct the data file. Analytics programs use the LEEF version when uploading and parsing a file. |
| Janrain | Vendor | Vendor responsible for producing the LEEF file. |
| Janrain Identity Cloud | Product Name | Name of the product that produced the LEEF file. |
| 1.0 | Product Version | Version number of the product. |
| traditional_signin | EventID | Unique identifier for the event. For a complete list of event types, see SIEM Event Types. |
| sev=3 | sev | Importance of the event. Severities can be any integer value from 0 to 10 (inclusive), with 0 representing the least important event and 10 the most important. Severities are commonly grouped as follows: 0-3 = Low; 4-6 = Medium; 7-8 = High; 9-10 = Very High. |
| proto=HTTPS | proto | Application-level protocol associated with the event; for example, HTTP, HTTPS, Telnet, POP, IMAP. |
| cat=admin | cat | Category assigned to the event by the device product. There is no universal standard for event categories; categories are typically product-specific. |
| url=https://myapp.janrain.com/oauth/ | url | URL accessed at the time the event occurred. |
| src=127.0.0.1 | src | IP address of the computer where the event occurred. |
| devTime=Jan 01 1979 18:00:00 | devTime | Date and time when the event occurred, expressed in the format given by devTimeFormat. |
| devTimeFormat=MMM dd yyyy HH:mm:ss | devTimeFormat | Format used when expressing datetime values. For Identity Cloud SIEM Integration, the datetime format is MMM dd yyyy HH:mm:ss (Month Day Year Hour:Minute:Second). |
| role=user | role | Role associated with the user responsible for the event. Allowed values are: |
| userAgent=Mozilla/5.0 (X11; | userAgent | User agent for the client application employed when the event occurred. For Akamai events, the user agent typically identifies the web browser in use when the event took place. |
| janrainApp=abc123abc123def456def456gh | janrainApp | ID of the Akamai application in use when the event occurred. |
| janrainClient=abc123abc123def456def456 | janrainClient | ID of the API client in use when the event occurred. |
| origin=https://ui.janrain.com | origin | Originating server. |
| forward_headers=[{'name': 'header_name', 'value': 'header_value'}] | forward_headers | Message header information. |
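The following parser is an added example written for this page; it is not Identity Cloud's own code and not part of the QRadar LEEF tooling. It assumes the record layout shown above: a five-field pipe-delimited header (LEEF:version, vendor, product, product version, EventID) followed by space-separated key=value attributes, with no explicit delimiter field. The practical point it shows is that several attribute values (devTime, userAgent, forward_headers) themselves contain spaces, so splitting the extension on whitespace corrupts them; instead the parser locates every `key=` token and takes the text up to the next one as that key's value. It also maps sev to the severity bands listed in the table and turns devTime into a datetime using the Java-style pattern carried in devTimeFormat. The sample record, the field names and the pattern-translation table are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample record, modelled on the Identity Cloud LEEF line shown above.
SAMPLE_LEEF = (
    "LEEF:2.0|Janrain|Janrain Identity Cloud|1.0|traditional_signin|"
    "sev=3 proto=HTTPS cat=identity "
    "url=https://myapp.janrain.com/oauth/auth_native_traditional src=127.0.0.1 "
    "devTime=Dec 29 2016 00:26:40 devTimeFormat=MMM dd yyyy HH:mm:ss "
    "usrName=2b565a0c-a863-11e7-abc4-cec278b6b50a role=user "
    "userAgent=Mozilla/5.0 (X11; Fedora; Linux x86_64) "
    "janrainApp=abc123abc123def456def456gh "
    "janrainClient=abc123abc123def456def456ghi789gh "
    "origin=https://ui.janrain.com "
    "forward_headers=[{'name': 'header_name', 'value': 'header_value'}]"
)

# Names for the five header positions (assumption: Identity Cloud emits no
# optional LEEF 2.0 delimiter field between EventID and the attributes).
HEADER_FIELDS = ("leef_version", "vendor", "product", "product_version", "event_id")

# An attribute key is an identifier followed by '=' at the start of the
# extension or right after whitespace. Values may contain spaces, so each
# value runs from its '=' up to the start of the next key.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z_][A-Za-z0-9_]*)=")

# Java-style date pattern tokens (as used by devTimeFormat) -> strptime directives.
_JAVA_TO_STRPTIME = {"MMM": "%b", "dd": "%d", "yyyy": "%Y",
                     "HH": "%H", "mm": "%M", "ss": "%S"}


def parse_extension(extension: str) -> dict:
    """Split 'k1=v1 k2=v2 ...' into a dict, tolerating spaces inside values."""
    matches = list(_KEY_RE.finditer(extension))
    attrs = {}
    for i, m in enumerate(matches):
        start = m.end()                      # just past the '='
        end = matches[i + 1].start() if i + 1 < len(matches) else len(extension)
        attrs[m.group(1)] = extension[start:end].strip()
    return attrs


def parse_leef(line: str) -> dict:
    """Parse one LEEF record into its header fields plus an 'attrs' dict."""
    # maxsplit=5 keeps any '|' inside attribute values (e.g. in a URL) intact.
    parts = line.rstrip("\r\n").split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF record with a five-field header")
    record = dict(zip(HEADER_FIELDS, parts[:5]))
    record["leef_version"] = record["leef_version"][len("LEEF:"):]
    record["attrs"] = parse_extension(parts[5])
    return record


def severity_band(sev: int) -> str:
    """Map a LEEF sev value (0..10) onto the bands given in the table."""
    if not 0 <= sev <= 10:
        raise ValueError("LEEF severity must be an integer from 0 to 10")
    if sev <= 3:
        return "Low"
    if sev <= 6:
        return "Medium"
    if sev <= 8:
        return "High"
    return "Very High"


def java_pattern_to_strptime(pattern: str) -> str:
    """Translate the subset of Java date-pattern tokens used by devTimeFormat."""
    return re.sub(r"MMM|yyyy|dd|HH|mm|ss",
                  lambda m: _JAVA_TO_STRPTIME[m.group(0)], pattern)


def event_time(attrs: dict) -> datetime:
    """Parse devTime using the devTimeFormat carried in the same record."""
    fmt = java_pattern_to_strptime(attrs.get("devTimeFormat", "MMM dd yyyy HH:mm:ss"))
    return datetime.strptime(attrs["devTime"], fmt)


if __name__ == "__main__":
    rec = parse_leef(SAMPLE_LEEF)
    print(rec["event_id"], severity_band(int(rec["attrs"]["sev"])),
          event_time(rec["attrs"]).isoformat(), rec["attrs"]["userAgent"])
```

When feeding such records into a SIEM rule, parse sev as an integer and band it before comparing, and take the timestamp from devTime as interpreted by devTimeFormat rather than from the collector's receive time, so that delayed uploads are placed at the time the sign-in actually happened.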