Lumeta superusers can use the CEF logging feature to send syslog output, in Common Event Format (CEF), to an external viewer. With it enabled, every event notification the superuser has subscribed to is delivered to one Security Information and Event Management (SIEM) tool, such as HP ArcSight, Splunk, or QRadar.
CEF notifications are either system-related or device-related. System notifications are global and pertain to all of Lumeta; device notifications pertain to a particular zone. Subscribe to them on the System and Device tabs at Settings > Lumeta Systems > CEF Notifications.
- System notices report when an Agent, Collector, Scout, or Zone has been created, started, or stopped. They also report license status (reminder, warning, and violation).
- Device notices report findings about your network architecture, such as when a device, edge, or node has been discovered, updated, or removed.
This section provides an example of integrating with a representative event manager, HP ArcSight.
Configure CEF Server
Enable the CEF logging feature to make Lumeta send all subscribed event notifications to a logging server. The following example enables logging to an HP ArcSight console via the Lumeta graphical user interface (GUI) or the Lumeta command-line interface (CLI).
Configure CEF Server via GUI
- Log in to Lumeta.
- Select Settings > Lumeta Systems.
- Click the CEF Notifications tab.
- Identify the logging server to which you want to send event notifications:
Protocol: One of TCP-IPv4, UDP-IPv4, TCP-IPv6, UDP-IPv6. (Note: Use TCP-IPv4 or UDP-IPv4 for HP ArcSight.) Prefer TCP where the SIEM accepts it: UDP delivery is unacknowledged, so dropped notifications are lost silently.
Host Name or IP Address: Must be an IPv4-type IP address
Port number: Must be a valid integer
- When you are ready to send CEF-formatted event notifications, click the CEF Enabled checkbox.
- Click Submit.
A message confirms that your configuration settings were saved.
Lumeta now sends CEF-formatted syslog output to the configured server, and the notifications appear in your ArcSight console.
Configure CEF Server via CLI
- Log in to the Command-Line Interface (CLI):
- Open a terminal on a host that has an SSH client.
- At the prompt, type ssh admin@<yourservername> and press Enter.
- Enter the admin password (the factory default is admin; if that default is still in use, change it) and press Enter.
- At the command prompt, type
log cefserver <enable/disable> <protocol> <IP address> <port number>
and press Enter, where:
enable: Enables the CEF server
disable: Disables the CEF server
Protocol: One of TCP-IPv4, UDP-IPv4, TCP-IPv6, UDP-IPv6 (Note: Use TCP-IPv4 or UDP-IPv4 for HP ArcSight.)
IP Address: Must be an IPv4-type IP address
Port number: Must be a valid integer
Lumeta now sends CEF-formatted syslog output to the configured server, and the notifications appear in your HP ArcSight console.
Configuring CEF-Formatted Syslog Output
- On the CEF Notifications tab, click the tab for the type of CEF Notifications to which you want to subscribe: either System or Device.
- To edit the prioritization of the event and whether you subscribe to it, click Edit and update the form.
- Subscribed: Indicates whether or not you've opted to send notifications of the particular event type.
- Name: Name of the event
- Priority: Indicates level of severity: informational, alert, or warning.
- Event Type: The Event Type is the predefined category of event.
- To add a device notification, click Add and update the form.
- To apply additional filters to your device notifications, update this form:
Each notification is a syslog header followed by a CEF header of seven pipe-delimited fields and an extension of key=value pairs:
<syslogheader> CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
(Signature ID is the field newer CEF documentation calls Device Event Class ID; the Device Version field carries the Lumeta version.) For example:
22 Jul 2014 13:28:59 grog CEF:0|Lumeta|Lumeta|<Lumeta version>|DEVICE_DISCOVERED|Device Discovered|5|msg=Device stealth:c:3038:1 created.
The msg field is followed by Lumeta-specific custom fields mapped to CEF attributes; all custom fields are appended to the extension after msg.
CEF Event Mapping
Following is a CEF notification and how it maps to custom fields in Lumeta (the Device Version field carries the Lumeta version):
0|Lumeta|Lumeta|<Lumeta version>|DEVICE_DISCOVERED|Device Discovered|5|msg=Device stealth:c:3038:1 created. cat=DISCOVERY dvchost=CCM-AMC rt=Nov 02 2017 13:19:55 cn1=1 cn1Label=Facility Zone1 dhost= c6a3= mac=
Lumeta Custom Fields (CEF key name: mapping to a notification from Lumeta)
- Device Version: 2.1 (version of Lumeta)
- (key name missing in source): String or integer
- Severity: 1, 5, 10
- rt: Nov 02 2017 13:19:55
CEF Event Types
Each entry gives the condition that raises the notification and, where the source preserves it, the notification Name text. The Agent names referred to below are: TCP Port Scanner, Host Discovery, Snmp Hunter, Snmp Scanner, Path Scanner, Broadcast Discovery, CIFSScanner, DNSScanner, Http Scanner, Leak Discovery.
- A connection was created between discovery-agent and lumeta-webapp. Name: Discovery Agent Connected
- One of the Agents has started. Name: <agent name> Started (for example, Host Discovery Started)
- One of the Agents is currently running. Name: <agent name> (for example, Host Discovery)
- One of the Agents has stopped. Name: <agent name> Stopped (for example, Host Discovery Stopped)
- A new Lumeta Collector was created containing a device discovery configuration. Name: Collector <> created
- An existing Lumeta Collector was removed. Name: Collector <> removed
- An updated discovery configuration was applied to a Lumeta Collector. Name: Collector <> Config Inserted
- A discovered device's status changed from active to inactive (or vice versa). Name: Device <> became active. Earlier state : inactive, or Device <> became inactive. Earlier state : active
- A new entry for a discovered device. Multiple entries, one per scan technique.
- A discovered device's profile information changed. Profile information includes device type, operating system, operating system version, and vendor.
- A discovered device became inactive and was removed.
- A discovered device was updated with new information. Multiple entries, one per scan technique.
- A discovered device was identified as a forwarding device based on TTL.
- Status of a background job deployed on the Lumeta box (for example, importing a pattern file or zone attributes). Name: Job Success ( jobId : 1, jobName : importPatterns-job )
- Initialization of a background job deployed on the Lumeta box (for example, importing a pattern file or zone attributes). Name: Job Started (jobId : 1, jobName : importPatterns-job)
- Lumeta identified a potential Leak Path to or from a protected network.
- The Lumeta license is about to expire. Name: License expiration imminent –
- The Lumeta license has exceeded its IP count.
- The Lumeta license is approaching its IP count limit.
- A path was discovered between two IPs.
- The log level was changed to INFO, WARN, or DEBUG. Name: Service <> log level set to <>
- The Notification ID that a user acknowledged on the Lumeta System's map.
- All notifications on the Lumeta System's map were acknowledged for a specific priority.
- A discovered device was found with an open port.
- A discovered device is now profiled as a router.
- A discovered device that was profiled as a router was removed.
- A connection was created between CC <-> Portal or CC <-> Scout. Name: Peer connection established (<> <-> <>)
- A disconnection occurred between CC <-> Portal or CC <-> Scout. Name: Peer connection closed (<> <-> <>)
- A new Lumeta user was created. Name: User <> created
- A Lumeta user was deleted. Name: User <> removed
- An existing Lumeta user was changed. Name: User <> updated
- A new Lumeta Zone was created containing a device discovery configuration. Name: Created zone. (name <>, description = <>,
- An existing Lumeta Zone was removed. Name: Deleted zone. (name = <>, description = <>,
- An updated discovery configuration was applied to a Lumeta Zone. Name: Zone <> CIDRs Updated
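The following Python script is an added example written for this page; it is not Lumeta's code and Lumeta ships nothing like it. It parses lines in the layout shown in the CEF format example above (syslog header, seven pipe-delimited CEF header fields, key=value extension) with the standard CEF escapes, and then applies review rules keyed on the notification Name texts listed in the event table, so that account changes, lost Scout or Portal connections, licence expiry, zone or collector changes, and log-level changes surface separately from routine discovery chatter. The sample lines are constructed: the Lumeta version 2.1, the DEVICE_DISCOVERED record, the host grog and dvchost CCM-AMC come from this page; the other signature IDs (USER_CREATED, PEER_DISCONNECTED, LOG_LEVEL, ZONE_CREATED) and the names jdoe, webapp, lab, and corp are assumptions.

```python
"""Parse Lumeta CEF syslog lines and flag the events a SOC should review.
Added example for this page, not Lumeta code. Handles the standard CEF escapes:
backslash-pipe and double backslash in the header, backslash-equals and double
backslash in extension values."""
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the page's examples. Only DEVICE_DISCOVERED
# is a signature ID the page shows; the other IDs and 'jdoe', 'webapp', 'lab',
# 'corp' are assumed placeholders.
SAMPLE_LINES = [
    "Nov 02 2017 13:19:55 grog CEF:0|Lumeta|Lumeta|2.1|DEVICE_DISCOVERED|Device Discovered|5|"
    "msg=Device stealth:c:3038:1 created. cat=DISCOVERY dvchost=CCM-AMC "
    "rt=Nov 02 2017 13:19:55 cn1=1 cn1Label=Facility dhost= c6a3= mac=",
    "Nov 02 2017 13:20:07 grog CEF:0|Lumeta|Lumeta|2.1|USER_CREATED|User jdoe created|5|"
    "msg=User jdoe created dvchost=CCM-AMC rt=Nov 02 2017 13:20:07",
    "Nov 02 2017 13:21:40 grog CEF:0|Lumeta|Lumeta|2.1|PEER_DISCONNECTED|"
    "Peer connection closed (CC <-> Scout)|10|"
    "msg=Peer connection closed (CC <-> Scout) dvchost=CCM-AMC rt=Nov 02 2017 13:21:40",
    "Nov 02 2017 13:22:03 grog CEF:0|Lumeta|Lumeta|2.1|LOG_LEVEL|"
    "Service webapp log level set to DEBUG|1|"
    "msg=Service webapp log level set to DEBUG dvchost=CCM-AMC rt=Nov 02 2017 13:22:03",
    "Nov 02 2017 13:23:11 grog CEF:0|Lumeta|Lumeta|2.1|ZONE_CREATED|"
    "Created zone. (name = lab, description = corp)|1|"  # '=' needs no escape in the header
    "msg=Created zone. (name \\= lab, description \\= corp) dvchost=CCM-AMC",  # but does in a value
]

@dataclass
class CefEvent:
    syslog_header: str
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: int
    extension: dict

def _split_header(text):
    """Split on unescaped '|' into the 7 header fields and the raw extension."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # header escapes: \| and \\
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) < 7:                          # header with no trailing '|'
        fields.append("".join(buf))
    if len(fields) != 7:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    return fields, text[i:]

_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # a key is word chars followed by '='

def parse_extension(ext):
    """Parse 'key=value key2=value'; values may contain spaces, '=' is escaped as '\\='."""
    keys = list(_KEY.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return out

def parse_cef(line):
    """Parse one syslog line carrying a CEF record; raises ValueError on malformed input."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker")
    header, ext = _split_header(line[start + 4:])
    version, vendor, product, dev_ver, sig_id, name, severity = header
    return CefEvent(line[:start].strip(), version, vendor, product, dev_ver,
                    sig_id, name, int(severity), parse_extension(ext))

# Review rules keyed on the notification Name texts the page lists (not on signature IDs).
REVIEW_RULES = [
    (r"^User .+ (created|removed|updated)$", "account change on the Lumeta system"),
    (r"^Peer connection closed", "Scout or Portal link lost: discovery blind spot"),
    (r"^License expiration imminent", "license lapse will interrupt discovery"),
    (r"^(Created|Deleted) zone|^Collector .+ removed$|^Zone .+ CIDRs Updated$", "discovery scope changed"),
    (r"log level set to DEBUG$", "unexpected verbose logging"),
]

def triage(events):
    """Return [(event, reason)] for events whose Name matches a review rule."""
    hits = []
    for ev in events:
        for pattern, reason in REVIEW_RULES:
            if re.search(pattern, ev.name):
                hits.append((ev, reason))
                break
    return hits

def parse_all(lines):
    return [parse_cef(l) for l in lines]

if __name__ == "__main__":
    for ev, why in triage(parse_all(SAMPLE_LINES)):
        print(f"{ev.extension.get('rt', '?')} {ev.signature_id} sev={ev.severity}: {ev.name} -> {why}")
```

Run it with python3 to print the flagged events. The escape handling is the part worth keeping when you port these rules into a SIEM: zone descriptions and job names can contain '=' or '|', and a field extractor that splits naively on those characters truncates Name and msg. Before pointing Lumeta at a production SIEM, feed a few captured lines from the configured port through parse_cef to confirm the fields land where the event mapping above says they should.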