CEF Event Streams  ·  Syslog UDP

Real-Time Security Events
Your SIEM Will Love

OneFirewall Alliance emits six categories of structured security events in CEF (Common Event Format) over syslog UDP — covering network threats, enforcement decisions, agent lifecycle, and MITRE ATT&CK-mapped observations, ready for any SIEM platform.

CEF Standard · Syslog UDP · MITRE ATT&CK Mapped · 6 Event Types

[Diagram: F3D Agent emits events over CEF/Syslog UDP; OFA events such as NET_EVENT and PUT_DECISION are ingested by the SIEM (Splunk/ELK)]

6 event categories
CEF: industry-standard format
UDP: syslog transport
0–10: severity scale
MITRE ATT&CK mapped
Real-time event emission

Six CEF Event Types

Every significant platform action emits a structured CEF event. Your SIEM receives actionable, enriched telemetry with no additional parsing required.

APP_STATUS

Application Lifecycle

Triggered when the F3D Agent starts or changes operational state. Includes timestamp, version, and status metadata — essential for uptime monitoring and change detection.

NEW_AGENT / AGENT_DELETED

Agent Management

Tracks creation and removal of agents within your deployment. Captures user context and organisational metadata — critical for configuration audit trails.

IPV4_LIST

IPv4 List Generation

Generated when an IPv4 reputation list is produced for enforcement. Includes list size, plugin identifier, and timestamp — useful for tracking feed freshness.

FEEDBACK_UPDATED

Intelligence Feedback

Indicates updates to feedback, scoring, or enrichment data associated with specific agents or intelligence sources. Tracks how Alliance intelligence evolves over time.

NET_EVENT

Network Events (Primary)

The richest event type: observed network traffic enriched with OneFirewall intelligence. Includes source/destination IPs, ports, risk assessments, threat scores, geographic data, and MITRE ATT&CK technique mappings.

PUT_DECISION

Enforcement Decisions

Logs every enforcement action applied to an IP address — block, allow, or monitor. Captures the Crime Score at decision time, providing a complete audit log of automated blocking.

CEF NET_EVENT sample

# CEF Header (pipe-delimited; seven fields: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|)
CEF:0|OneFirewall|F3DAgent|4.0|NET_EVENT|Network Threat Detected|8|

# CEF Extension (space-separated k=v pairs; shown one per line for readability,
# on the wire they follow the header on the same line)
rt=1740000000000
src=185.220.101.45
dst=10.0.1.100
spt=44281
dpt=22
act=BLOCK
cs1=847        # Crime Score
cs1Label=crime_score
cs2=T1110      # MITRE: Brute Force
cs2Label=mitre_ttp
cs3=RU         # Geo: Russia
cs3Label=src_country
msg="SSH brute-force; TOR exit node"
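The sample above is easy to read but hides the two places where home-grown collectors usually break: pipes and equals signs are escaped inside CEF fields, and custom fields only become meaningful once cs1Label-style labels are resolved. The following Python is an added example, not OneFirewall code: a minimal syslog UDP collector that strips the syslog prefix, parses the CEF header and extension with the escape rules applied, and exposes crime_score, mitre_ttp and src_country under their label names. The syslog prefix on the constructed datagram, the listening port, and the hostname are assumptions; the CEF payload mirrors the NET_EVENT sample on this page.

```python
"""Minimal CEF-over-syslog-UDP collector (added example, not OneFirewall code)."""
import re
import socket
from dataclasses import dataclass, field

# Constructed sample datagram. The CEF payload mirrors the page's NET_EVENT
# sample; the syslog prefix (<PRI>, timestamp, hostname) is an assumption about
# how the agent frames the message. CEF values are not quoted: a value runs
# until the next " key=" boundary, so msg may contain spaces and semicolons.
SAMPLE_DATAGRAM = (
    b"<134>Feb 19 21:20:00 f3d-agent-01 "
    b"CEF:0|OneFirewall|F3DAgent|4.0|NET_EVENT|Network Threat Detected|8|"
    b"rt=1740000000000 src=185.220.101.45 dst=10.0.1.100 spt=44281 dpt=22 "
    b"act=BLOCK cs1=847 cs1Label=crime_score cs2=T1110 cs2Label=mitre_ttp "
    b"cs3=RU cs3Label=src_country msg=SSH brute-force; TOR exit node"
)

# Header fields split on unescaped pipes; "\|" inside a field is a literal pipe.
HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# Extension key=value pairs. A value may contain spaces and ends where the next
# " key=" begins; "\=" and "\\" inside a value are escapes, not delimiters.
EXT_PAIR = re.compile(
    r"(?P<key>[A-Za-z0-9_]+)=(?P<val>(?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_]+=|$)",
    re.DOTALL,
)
LABEL_KEY = re.compile(r"^(c[sn]\d+)Label$")  # cs1Label -> cs1, cn2Label -> cn2


@dataclass
class CefEvent:
    cef_version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: int
    extension: dict = field(default_factory=dict)  # raw CEF keys as received
    fields: dict = field(default_factory=dict)     # custom-field labels resolved


def _unescape(value: str) -> str:
    # CEF escapes: "\\", "\|", "\=" and "\n"/"\r" for line breaks inside values.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value, flags=re.DOTALL)


def parse_cef(line: str) -> CefEvent:
    """Parse one CEF message; anything before 'CEF:' (the syslog prefix) is ignored."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    parts = HEADER_SPLIT.split(line[start:], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("CEF header needs seven pipe-delimited fields")
    cef_ver, vendor, product, dev_ver, sig_id, name, severity, ext = parts
    extension = {m.group("key"): _unescape(m.group("val")) for m in EXT_PAIR.finditer(ext)}
    # Resolve custom fields: cs1=847 plus cs1Label=crime_score -> crime_score=847.
    resolved = dict(extension)
    for key, label in extension.items():
        m = LABEL_KEY.match(key)
        if m and m.group(1) in extension:
            resolved[label] = extension[m.group(1)]
            resolved.pop(key, None)
            resolved.pop(m.group(1), None)
    return CefEvent(cef_ver[len("CEF:"):], _unescape(vendor), _unescape(product),
                    _unescape(dev_ver), _unescape(sig_id), _unescape(name),
                    int(severity), extension, resolved)


def handle_datagram(datagram: bytes) -> dict:
    """Decode one syslog UDP datagram: PRI (facility/severity) plus the CEF event."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    pri = re.match(r"<(\d+)>", text)
    facility, syslog_severity = divmod(int(pri.group(1)), 8) if pri else (None, None)
    return {"facility": facility, "syslog_severity": syslog_severity, "event": parse_cef(text)}


def serve(host: str = "0.0.0.0", port: int = 5514) -> None:
    """Receive datagrams forever; port 5514 is an unprivileged placeholder (assumption)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            datagram, peer = sock.recvfrom(65535)
            try:
                ev = handle_datagram(datagram)["event"]
            except ValueError as exc:
                print(f"dropped datagram from {peer[0]}: {exc}")
                continue
            print(ev.signature_id, ev.severity, ev.fields.get("src"), ev.fields.get("dpt"),
                  ev.fields.get("act"), ev.fields.get("crime_score"), ev.fields.get("mitre_ttp"))


if __name__ == "__main__":
    record = handle_datagram(SAMPLE_DATAGRAM)
    print(record["facility"], record["syslog_severity"], record["event"].fields)
```

Run it with no arguments to parse the embedded sample, or call `serve()` and point the agent's syslog output at the collector to watch live events. The label resolution is what a SIEM's CEF parser does for you, which is why cs1/cs2/cs3 show up as named columns in Splunk or CommonSecurityLog rather than as opaque custom strings.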

SIEM Integration in Minutes

CEF over syslog is the universal language of security event collection. Every major SIEM platform — Splunk, IBM QRadar, Microsoft Sentinel, Elastic SIEM — ingests it natively.

Splunk

Configure a UDP syslog input. OneFirewall events appear as parsed sourcetype=cef fields automatically.

Microsoft Sentinel

Use the CEF connector in Azure Monitor. NET_EVENT fields map directly to CommonSecurityLog schema.

Elastic SIEM

Filebeat syslog input with the decode_cef processor (or the Filebeat CEF module). Events become ECS-compliant documents in Elasticsearch.

IBM QRadar

Add a Log Source of type Universal CEF. OneFirewall events are normalised and categorised automatically.

Connect OneFirewall to Your SIEM

Get Alliance threat events — enriched with Crime Scores, MITRE ATT&CK mappings, and geographic data — flowing into your SIEM. Talk to our team to configure your event stream.

Speak with OneFirewall · Organize a Proof of Value