• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

SIEM Log Ingest - Log File Field Definitions

New Here ,
Nov 18, 2021 Nov 18, 2021

Copy link to clipboard

Copied

Good day,

I would like to know if there is documentation that explains the field headers in CF2021 so that I may better ingest them into our SIEM Solution.  I have no experience with CF in past and am finding it difficult to locate information about what is being conveyed in the various logs.  Any information is appreciated.


Best regards,

Greg

Views

275

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Nov 19, 2021 Nov 19, 2021

Copy link to clipboard

Copied

You're embarking on an interesting trek, Greg. Let me share some "thoughts from the trail". 

 

First, to be clear, there are no "field headers" for CF logs (which is its own challenge for any log ingestion). No cf logs have them as their first line to identify cols, nor are they available separately. 

 

But maybe you meant simply, "fields", and as such you'd be OK with a mere discussion somewhere of what cols are in each log file. I'm not aware of that, either.

 

Even then, the next challenge is that cf's logs are not all csv formatted, etc. with one line per event. Some cf logs have multiple lines per event--without any identifier to connect the multiple lines together. That will be especially challenging. But of course some log ingestion tools will try to handle that. (But being a multi-threaded app server, log lines for multiple events could be written at once, interleaving with one another. Grr. ) 

 

As for the coldfusion-out.log in particular, it can be valuable as the console log, but it also aggregates most of the other cf logs, which adds to the burden of that last challenge, with still more things "interleaved".

 

Last, as for the "S" in seim, there's precious little about security specifically that's logged by cf. There's no specific security log, nor even security-specific entries in most of the cf logs.  To be sure, cf does logs

quite a bit--in its several different logs--just little that would seem really to serve an seim solution well.

 

But perhaps someone else, including yourself, may have a different perspective. 

 

In conclusion it bears noting that like many older apps, cf has been doing some things "its way" for decades. And while SOME facets of cf have indeed kept up with the times, this (modern logging practices) is one of those areas that has NOT gotten the attention it deserves. Perhaps you could help spark that. You could file feature requests at tracker.adobe.com, as you may trip over things. 

 

I will say finally, Greg, that if you want more direct help, I work with the cf logs daily in assisting people in troubleshooting as an independent consultant, so I know them very well. Just as I work with them in as little as 15 mins, I could help you as well if you may prefer more direct assistance. 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Nov 19, 2021 Nov 19, 2021

Copy link to clipboard

Copied

Charlie,

 

Thank you for your response.  That wasn't as encouraging as I had hoped lol, but thank you nonetheless.  I know the app_access.log seems to resemble a normal Apache Access Log... just not exactly, so I will start there.  As for the others I will try to reach back to our local CF Admins as needed.

 

Best regards,

Greg

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Nov 19, 2021 Nov 19, 2021

Copy link to clipboard

Copied

Ok, but to be clear, cf has no access log by default. Whatever app_access.log you may see must be a custom one. And if it logs all requests, great. (There is an optional tomcat access valve that can be enabled but again is not by default. And it would not be per cf app but per instance. But it csn be extended to log more than it would by default, if enabled. Here's a blog post on that enabling that in CF.)

 

I will add that Fusionreactor is a monitor for CF that itself adds many logs, including its own request log (tracking all cf requests). For some seim needs, what logging it adds may warrant considering its implementation.

 

I gather you're saying that as you may have more needs/questions, you'll look to your cf admin folks to help. I'll say that since I help such folks daily (in about 200 orgs per year) , most are just not into this sort of stuff (thus needing my help). But if yours may give you all you need, that's great. 🙂 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Nov 20, 2021 Nov 20, 2021

Copy link to clipboard

Copied

LATEST

ColdFusion makes use of the following configuration files to define and format its log files:

C:\ColdFusion2021\cfusion\lib\log4j.properties (As you can tell, ColdFusion uses Log4j)

C:\ColdFusion2021\cfusion\lib\logger.xml

C:\ColdFusion2021\cfusion\lib\logging.properties

C:\ColdFusion2021\cfusion\lib\neo-logging.xml

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation