Skip to main content
G
Greg218231240y1e
New Participant
November 18, 2021
Question

SIEM Log Ingest - Log File Field Definitions

  • November 18, 2021
  • 2 replies
  • 787 views

Good day,

I would like to know if there is documentation that explains the field headers in CF2021 so that I may better ingest them into our SIEM Solution.  I have no experience with CF in past and am finding it difficult to locate information about what is being conveyed in the various logs.  Any information is appreciated.


Best regards,

Greg

    This topic has been closed for replies.

    2 replies

    BKBK
    BKBK
    Community Expert
    November 20, 2021

    ColdFusion makes use of the following configuration files to define and format its log files:

    C:\ColdFusion2021\cfusion\lib\log4j.properties (As you can tell, ColdFusion uses Log4j)

    C:\ColdFusion2021\cfusion\lib\logger.xml

    C:\ColdFusion2021\cfusion\lib\logging.properties

    C:\ColdFusion2021\cfusion\lib\neo-logging.xml

     

    Charlie Arehart
    Charlie Arehart
    Community Expert
    November 19, 2021

    You're embarking on an interesting trek, Greg. Let me share some "thoughts from the trail". 

     

    First, to be clear, there are no "field headers" for CF logs (which is its own challenge for any log ingestion). No cf logs have them as their first line to identify cols, nor are they available separately. 

     

    But maybe you meant simply, "fields", and as such you'd be OK with a mere discussion somewhere of what cols are in each log file. I'm not aware of that, either.

     

    Even then, the next challenge is that cf's logs are not all csv formatted, etc. with one line per event. Some cf logs have multiple lines per event--without any identifier to connect the multiple lines together. That will be especially challenging. But of course some log ingestion tools will try to handle that. (But being a multi-threaded app server, log lines for multiple events could be written at once, interleaving with one another. Grr. ) 

     

    As for the coldfusion-out.log in particular, it can be valuable as the console log, but it also aggregates most of the other cf logs, which adds to the burden of that last challenge, with still more things "interleaved".

     

    Last, as for the "S" in seim, there's precious little about security specifically that's logged by cf. There's no specific security log, nor even security-specific entries in most of the cf logs.  To be sure, cf does logs

    quite a bit--in its several different logs--just little that would seem really to serve an seim solution well.

     

    But perhaps someone else, including yourself, may have a different perspective. 

     

    In conclusion it bears noting that like many older apps, cf has been doing some things "its way" for decades. And while SOME facets of cf have indeed kept up with the times, this (modern logging practices) is one of those areas that has NOT gotten the attention it deserves. Perhaps you could help spark that. You could file feature requests at tracker.adobe.com, as you may trip over things. 

     

    I will say finally, Greg, that if you want more direct help, I work with the cf logs daily in assisting people in troubleshooting as an independent consultant, so I know them very well. Just as I work with them in as little as 15 mins, I could help you as well if you may prefer more direct assistance. 

    /Charlie (troubleshooter, carehart. org)
    G
    Greg218231240y1eAuthor
    New Participant
    November 19, 2021

    Charlie,

     

    Thank you for your response.  That wasn't as encouraging as I had hoped lol, but thank you nonetheless.  I know the app_access.log seems to resemble a normal Apache Access Log... just not exactly, so I will start there.  As for the others I will try to reach back to our local CF Admins as needed.

     

    Best regards,

    Greg

    Charlie Arehart
    Charlie Arehart
    Community Expert
    November 19, 2021

    Ok, but to be clear, cf has no access log by default. Whatever app_access.log you may see must be a custom one. And if it logs all requests, great. (There is an optional tomcat access valve that can be enabled but again is not by default. And it would not be per cf app but per instance. But it csn be extended to log more than it would by default, if enabled. Here's a blog post on that enabling that in CF.)

     

    I will add that Fusionreactor is a monitor for CF that itself adds many logs, including its own request log (tracking all cf requests). For some seim needs, what logging it adds may warrant considering its implementation.

     

    I gather you're saying that as you may have more needs/questions, you'll look to your cf admin folks to help. I'll say that since I help such folks daily (in about 200 orgs per year) , most are just not into this sort of stuff (thus needing my help). But if yours may give you all you need, that's great. 🙂 

    /Charlie (troubleshooter, carehart. org)
    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices