ON THIS PAGE
Custom Event Keys
Vendors and partners can define their own custom event keys and include them in the payload of the LEEF format.
Use custom key value-pair attributes in an event payload when there is no default key to represent information about an event for your appliance. Create custom event attributes only when there is no acceptable mapping to a predefined event attribute. For example, if your appliance monitors access, you can require the file name that is accessed by a user where no file name attribute exists in LEEF by default.
Event attribute keys and values can appear one time only in each payload. Using a key-value pair twice in the same payload can cause JSA to ignore the value of the duplicate key.
Custom event keys are non-normalized, which means that any specialized key value pairs you include in your LEEF event are not displayed by default on the Log Activity tab of JSA. To view custom attributes and non-normalized events on the Log Activity tab of JSA, you must create a custom event property. Non-normalized event data is still part of your LEEF event, is searchable in JSA, and is viewable in the event payload. For more information about creating a custom event property, see the Juniper Secure Analytics Administration Guide.
Best Practices Guidelines for LEEF Events
LEEF is flexible and can create custom key value pairs for events, but you must follow some best practices to avoid potential parsing issues.
Items that are marked Allowed can be included in a key or value, and is not in violation of LEEF but these items are not good practice when you create custom event keys.
The following list contains custom key and value general guidelines:
Use alphanumeric (A-Z, a-z, and 0-9) characters, but avoid tab, pipe, or caret delimiters in your event payload keys and values (key=value).
Contain a single word for the key attribute (key=value).
Allowed—file name =pic07720.gif
A user-defined key cannot use the same name as a LEEF predefined key. For more information, see Predefined LEEF Event Attributes.
Key values must be human readable, if possible, to help you to investigate event payloads.