Log Event Extended Format (LEEF)
The Log Event Extended Format (LEEF) is a customized event format for JSA.
Any vendor can use this documentation to generate LEEF events.
JSA can integrate, identify, and process LEEF events. LEEF events must use UTF-8 character encoding.
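The following is an added example, not Juniper's or JSA's own code, showing how a vendor might build a LEEF event, check that it is valid UTF-8 before sending, and parse one back. The LEEF 1.0 layout it assumes (a pipe-separated header of LEEF:1.0, vendor, product, version and event ID, followed by tab-separated key=value attributes, with a literal pipe inside a header field escaped as backslash-pipe) is taken from the LEEF specification rather than from this page; the vendor, product and attribute values are constructed sample data.

```python
"""Build, encode and parse LEEF 1.0 event records (added example, not JSA code).

Assumed LEEF 1.0 layout:
    LEEF:1.0|Vendor|Product|Version|EventID|key=value<TAB>key=value...
A literal '|' inside a header field is escaped as '\\|'. Records are UTF-8.
"""
from __future__ import annotations

import re

HEADER_FIELDS = ("vendor", "product", "version", "event_id")
ATTR_SEP = "\t"
_KEY_RE = re.compile(r"[A-Za-z0-9_]+")
# Four escaped header fields after the version tag, then the attribute body.
_FIELD = r"((?:[^|\\]|\\.)*)"
_RECORD_RE = re.compile(r"^LEEF:1\.0\|" + r"\|".join([_FIELD] * 4) + r"\|(.*)$")


def _escape_header(value: str) -> str:
    # An unescaped pipe would shift every following header field.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _unescape_header(value: str) -> str:
    return re.sub(r"\\(.)", r"\1", value)


def build_leef(vendor: str, product: str, version: str, event_id: str,
               attrs: dict[str, object]) -> str:
    """Return one LEEF 1.0 record as text; encode with .encode('utf-8') to send."""
    for name, value in zip(HEADER_FIELDS, (vendor, product, version, event_id)):
        if not value:
            raise ValueError(f"LEEF header field {name!r} must not be empty")
    for key, value in attrs.items():
        if not _KEY_RE.fullmatch(key):
            raise ValueError(f"invalid attribute key {key!r}")
        if ATTR_SEP in str(value) or "\n" in str(value):
            raise ValueError(f"attribute {key!r} contains a delimiter or newline")
    header = "|".join(_escape_header(v) for v in (vendor, product, version, event_id))
    body = ATTR_SEP.join(f"{k}={v}" for k, v in attrs.items())
    return f"LEEF:1.0|{header}|{body}"


def encode_for_file(records: list[str]) -> bytes:
    """Serialize records as UTF-8, one per line, for a log file import."""
    return "".join(r + "\n" for r in records).encode("utf-8")


def parse_leef(raw: bytes) -> dict:
    """Decode one LEEF 1.0 record; rejects non-UTF-8 input and bad headers."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("LEEF events must be UTF-8 encoded") from exc
    match = _RECORD_RE.match(text.rstrip("\r\n"))
    if not match:
        raise ValueError("not a LEEF 1.0 record")
    vendor, product, version, event_id, body = match.groups()
    attrs: dict[str, str] = {}
    for pair in (body.split(ATTR_SEP) if body else []):
        key, sep, value = pair.partition("=")
        if not sep or not _KEY_RE.fullmatch(key):
            raise ValueError(f"malformed attribute {pair!r}")
        attrs[key] = value
    return {
        "vendor": _unescape_header(vendor),
        "product": _unescape_header(product),
        "version": _unescape_header(version),
        "event_id": _unescape_header(event_id),
        "attrs": attrs,
    }


if __name__ == "__main__":
    # Constructed sample event from a hypothetical vendor.
    record = build_leef("Example Co", "WebGate", "2.1", "login_failed",
                        {"src": "198.51.100.7", "usrName": "alice", "sev": "5"})
    print(record)
    print(parse_leef(record.encode("utf-8")))
```

The builder refuses keys and values that would collide with the field delimiters, because a stray tab or pipe in vendor-supplied data silently shifts every later field when the record is parsed; the parser rejects anything that is not valid UTF-8 up front, which is the encoding requirement stated above.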
You can send events in LEEF output to JSA by using the following protocols:
File import with the Log File Protocol
Before JSA can use LEEF events, you must complete Universal LEEF configuration tasks. For more information about configuring the log file protocol to collect Universal LEEF events, see the Juniper Secure Analytics Configuring DSMs Guide.
The method that you select to provide LEEF events determines whether the events can be automatically discovered in JSA. When events are automatically discovered, the level of manual configuration that is needed in JSA is reduced.
As LEEF events are received, JSA analyzes the event traffic in an attempt to identify the device or appliance. This process is referred to as traffic analysis. It typically takes at least 25 LEEF events to identify and create a new log source in JSA. Until traffic analysis identifies the event source, the initial 25 events are categorized as SIM Generic Log DSM events and the event name is set to Unknown Log Event. After the event traffic is identified, JSA creates a log source to properly categorize and label any events that are forwarded from your appliance or software. Events that are sent from your device are viewable in JSA on the Log Activity tab.
When a log source cannot be identified after 1,000 events, JSA creates a system notification and removes the log source from the traffic analysis queue. JSA is still capable of collecting the events, but a user must intervene and create a log source manually to identify the event type.