IBM Security QRadar

Log Event Extended Format (LEEF)

Version 2

IBM
 Note
Before using this information and the product that it supports, read the information in Notices on page 13.

Product information
This document applies to IBM Security QRadar Security Intelligence Platform V7.2.5 and subsequent releases unless
superseded by an updated version of this document.
Copyright IBM Corporation 2013, 2016.
US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Introduction to QRadar LEEF . . . . . . . . . . . . . . . . . . . . . . . . . . v

Log Event Extended Format (LEEF) . . . . . . . . . . . . . . . . . . . . . . . . 1

LEEF event components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Predefined LEEF event attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Custom event keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Best practices Guidelines for LEEF events . . . . . . . . . . . . . . . . . . . . . . . . 10
Custom event date format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Privacy policy considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Copyright IBM Corp. 2013, 2016 iii

iv Log Event Extended Format (LEEF)
Introduction to QRadar LEEF
The IBM Security QRadar Log Event Extended Format (LEEF) Guide provides
information about how to construct and implement syslog events for QRadar
products in Log Event Extended Format (LEEF).

Intended audience

This guide is intended for all QRadar users who are responsible for investigating
and managing network security. To use this information, you must have access to
QRadar products and a knowledge of your corporate network and networking
technologies.

Technical documentation

To find IBM Security QRadar product documentation on the web, including all
translated documentation, access the IBM Knowledge Center (http://
www.ibm.com/support/knowledgecenter/SS42VS/welcome).

For information about how to access more technical documentation in the QRadar
products library, see Accessing IBM Security Documentation Technical Note
(www.ibm.com/support/docview.wss?rs=0&uid=swg21614644).

Contacting customer support

For information about contacting customer support, see the Support and
Download Technical Note (http://www.ibm.com/support/docview.wss?rs=0
&uid=swg21612861).

Statement of good security practices

IT system security involves protecting systems and information through
prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed,
misappropriated or misused or can result in damage to or misuse of your systems,
including for use in attacks on others. No IT system or product should be
considered completely secure and no single product, service or security measure
can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful comprehensive security
approach, which will necessarily involve additional operational procedures, and
may require other systems, products or services to be most effective. IBM DOES
NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE
IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Please Note:

Use of this Program may implicate various laws or regulations, including those
related to privacy, data protection, employment, and electronic communications
and storage. IBM Security QRadar may be used only for lawful purposes and in a
lawful manner. Customer agrees to use this Program pursuant to, and assumes all
responsibility for complying with, applicable laws, regulations and policies.

Copyright IBM Corp. 2013, 2016 v

 Licensee represents that it will obtain or has obtained any consents, permissions, or
licenses required to enable its lawful use of IBM Security QRadar.

vi Log Event Extended Format (LEEF)

Log Event Extended Format (LEEF)
The Log Event Extended Format (LEEF) is a customized event format for IBM
Security QRadar.

Any vendor can use this documentation to generate LEEF events.

QRadar can integrate, identify, and process LEEF events. LEEF events must use
UTF-8 character encoding.

You can send events in LEEF output to QRadar by using the following protocols:
v Syslog
v File import with the Log File Protocol

Important: Before QRadar can use LEEF events, you must complete Universal
LEEF configuration tasks. For more information about configuring the log file
protocol to collect Universal LEEF events, see the IBM Security QRadar DSM
Configuration Guide.

The method that you select to provide LEEF events determines whether the events
can be automatically discovered in QRadar. When events are automatically
discovered the level of manual configuration that is needed in QRadar is reduced.

As LEEF events are received, QRadar analyzes the event traffic in an attempt to
identify the device or appliance. This process is referred to as traffic analysis. It
typically takes at least 25 LEEF events to identify and create a new log source in
QRadar. Until traffic analysis identifies the event source, the initial 25 events are
categorized as SIM Generic Log DSM events and the event name is set as Unknown
Log Event. After the event traffic is identified, QRadar creates a log source to
properly categorize and label any events that are forwarded from your appliance
or software. Events that are sent from your device are viewable in QRadar on the
Log Activity tab.

Important: When a log source cannot be identified after 1,000 events, QRadar
creates a system notification and removes the log source from the traffic analysis
queue. QRadar is still capable of collecting the events, but a user must intervene
and create a log source manually to identify the event type.

LEEF event components

The Log Event Extended Format (LEEF) is a customized event format for IBM
Security QRadar that contains readable and easily processed events for QRadar.
The LEEF format consists of the following components.

Syslog header

The syslog header is an optional field. The syslog header contains the timestamp
and IPv4 address or host name of the system that is providing the event. The
syslog header is an optional component of the LEEF format. If you include the
syslog header, you must separate the syslog header from the LEEF header with a
space.

Copyright IBM Corp. 2013, 2016 1

 Examples:
v Date<space>IP address
v Jan 18 11:07:53 192.168.1.1
v Jan 18 11:07:53 myhostname

LEEF header

The LEEF header is a required field for LEEF events. The LEEF header is a pipe
delimited (|) set of values that identifies your software or appliance to QRadar.

Examples:
v LEEF:Version|Vendor|Product|Version|EventID|
v LEEF:1.0|Microsoft|MSExchange|4.0 SP1|15345|
v LEEF:2.0|Lancope|StealthWatch|1.0|41|^|

Event attributes

The event attributes identify the payload information of the event that is produced
by your appliance or software. Every event attribute is a key and value pair with a
tab that separates individual payload events. The LEEF format contains a number
of predefined event attributes, which allow QRadar to categorize and display the
event.

Example:
v key=value<tab>key=value<tab>key=value<tab>key=value<tab>.
v src=7.5.6.6 dst=172.50.123.1 sev=5 cat=anomaly srcPort=81 dstPort=21
usrName=joe.black

Use the DelimiterCharacter in the LEEF 2.0 header to specify an alternate

delimiter to the attributes. You can use a single character or the hex value for that
character. The hex value can be represented by the prefix 0x or x, followed by a
series of 1-4 characters (0-9A-Fa-f).
Table 1. Attribute Delimiter Character examples for LEEF 2.0
Delimiter Header
Caret ( ^ ) LEEF:2.0|Vendor|Product|Version|EventID|^|
Caret (hex LEEF:2.0|Vendor|Product|Version|EventID|x5E|
value)
Broken vertical LEEF:2.0|Vendor|Product|Version|EventID|xa6|
bar ( )

The following table provides descriptions for LEEF formats.

2 Log Event Extended Format (LEEF)

Table 2. LEEF format descriptions
Type Entry Delimiter Description
Syslog IP address Space The IP address or the host name of the software or
Header appliance that provides the event to QRadar.
Example:

192.168.1.1

myhostname

The IP address of the syslog header is used by

QRadar to route the event to the correct log source
in the event pipeline. It is not recommended that
your syslog header contain an IPv6 address. QRadar
cannot route an IPv6 address present in the syslog
header for the event pipeline. Also, an IPv6 address
might not display properly in the Log Source
Identifier field of the user interface.

When an IP address of the syslog header cannot be

understood by QRadar, the system defaults to the
packet address to properly route the event.
LEEF Header LEEF:version Pipe The LEEF version information is an integer value
that identifies the major and minor version of the
LEEF format that is used for the event.

For example,
LEEF:1.0|Vendor|Product|Version|EventID|
LEEF Header Vendor or Pipe Vendor is a text string that identifies the vendor or
manufacturer manufacturer of the device that sends the syslog
name events in LEEF format.

For example,
LEEF:1.0|Microsoft|Product|Version|EventID|

The Vendor and Product fields must contain unique

values when specified in the LEEF header.
LEEF Header Product name Pipe The product field is a text string that identifies the
product that sends the event log to QRadar.

For example,
LEEF:1.0|Microsoft|MSExchange|Version|EventID|

The Vendor and Product fields must contain unique

values when specified in the LEEF header.
LEEF Header Product version Pipe Version is a string that identifies the version of the
software or appliance that sends the event log.

For example, LEEF:1.0|Microsoft|MSExchange|4.0

SP1|EventID|

Log Event Extended Format (LEEF) 3

 Table 2. LEEF format descriptions (continued)
Type Entry Delimiter Description
LEEF Header EventID Pipe EventID is a unique identifier for an event in the
LEEF header.

The purpose of the EventID is to provide a fine

grain, unique identifier for an event without the
need to examine the payload information. An
EventID can contain either a numeric identified or a
text description.

Examples:
v LEEF:1.0|Microsoft|MSExchange|2007|7732|
v LEEF:1.0|Microsoft|MSExchange|2007|Logon
Failure|

Restrictions:

The value of the event ID must be a consistent and

static across products that support multiple
languages. If your product supports multi-language
events, you can use a numeric or textual value in the
EventID field, but it must not be translated when the
language of your appliance or application is altered.
The EventID field cannot exceed 255 characters.
LEEF Header Delimiter Pipe Use the DelimiterCharacter in the LEEF 2.0 header
Character to specify an alternate delimiter to the attributes. You
can use a single character or the hex value for that
character. The hex value can be represented by the
prefix 0x or x, followed by a series of 1-4 characters
(0-9A-Fa-f).
Event Predefined Key Tab Event attribute is a set of key value pairs that
Attributes Entries provide detailed information about the security
Delimiter event. Each event attribute must be separated by tab
Character or the delimiter character, but the order of attributes
is not enforced.

For example, src=172.16.77.100

Predefined LEEF event attributes

The Log Event Extended Format (LEEF) supports a number of predefined event
attributes for the event payload.

LEEF uses a specific list of name-value pairs that are predefined LEEF event
attributes. These keys outline fields that are identifiable to IBM Security QRadar.
Use these keys on your appliance when possible, but your event payloads are not
limited by this list. LEEF is extensible and you can add more keys to the event
payload for your appliance or application.

The following table describes the predefined event attributes.

4 Log Event Extended Format (LEEF)

Table 3. Pre-defined event attributes
Normalized
Value event field?
Key type Yes/No Description
cat String Yes
An abbreviation for event category is used to extend the
EventID field with more specific information about the LEEF
event that is forwarded to QRadar.

Cat and the EventID field in the LEEF header help map your
appliance event to a QRadar Identifier (QID) map entry. The
EventID represents the first column and the category
represents the second column of the QID map.
Restriction: The value of the event category must be
consistent and static across products that support multiple
languages. If your product supports multi-language events,
you can use a numeric or textual value in the cat field, but it
must not be translated when the language of your appliance or
application is altered.
String Yes
cat (continued) Example 1: Use the cat key to extend the EventID with
additional information to describe the event. If the EventID is
defined as a User Login event, use the category to further
categorize the event, such as a success or failed login. You can
define your EventIDs further with the cat key, and the extra
detail from the event can be used to distinguish between
events when the same EventID is used for similar event types,
for example,

LEEF:1.0|Microsoft|Exchange|2013|Login Event|cat=Failed

LEEF:1.0|Microsoft|Exchange|2013|Login Event|cat=Success

Example 2: Use the cat key to define a high-level event

category and use the EventID to define the low-level. This
situation can be important when the EventID doesn't match
any value in the QID map. When the EventID doesn't match
any value in the QID map, QRadar can use the category and
other keys to further determine the general nature of the
event. This "fallback" prevents events from being identified as
unknown and QRadar can categorize the events based on the
known information from the key attribute fields of the event
payload, for example,

LEEF:1.0|Microsoft|Endpoint|2015|

Conficker_worm|cat=Detected
devTime Date Yes
The raw event date and time that is generated by your
appliance or application that provides the LEEF event.

QRadar uses the devTime key, along with devTimeFormat to

identify and properly format the event time from your
appliance or application.

The devTime and devTimeFormat keys must be used together to

ensure that the time of the event is accurately parsed by
QRadar.

When present in the event payload, devTime is used to identify

the event time, even when the syslog header contains a date
and timestamp. The syslog header date and timestamp is a
fallback identifier, but devTime is the preferred method for
event time identification.
devTimeFormat String No
Applies formatting to the raw date and time of the devTime
key.

The devTimeFormat key is required if your event log contains

devTime. For more information, see Custom event date
format on page 10.

Log Event Extended Format (LEEF) 5

 Table 3. Pre-defined event attributes (continued)
Normalized
Value event field?
Key type Yes/No Description
proto Integer or Yes
Keyword Identifies the transport protocol of the event.

For a list of keywords or integer values, see the Internet

Assigned Numbers Authority website,

http://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xml
sev Integer Yes
Indicates the severity of the event.

1 is the lowest event severity.

10 is the highest event severity.

Attribute Limits: 1-10

src IPv4 or Yes
IPv6 The IP address of the event source.
Address
dst IPv4 or Yes
IPv6 The IP address of the event destination.
Address
srcPort Integer Yes
The source port of the event.

Attribute Limits: 0 - 65535

dstPort Integer Yes
The destination port of the event.

Attribute Limits: 0 - 65535

srcPreNAT IPv4 or Yes
IPv6 The source IP address of the event message before Network
Address Address Translation (NAT).
dstPreNAT IPv4 or Yes
IPv6 The destination address for the event message before Network
Address Address Translation (NAT).
IPv4 or Yes
srcPostNAT IPv6 The source IP address of the message after Network Address
Address Translation (NAT) occurred.
dstPostNAT IPv4 or Yes
IPv6 The destination IP address of the message after Network
Address Address Translation (NAT) occurred.
usrName String Yes
The user name that is associated with the event.

Attribute Limits: 255

srcMAC MAC Yes
Address The MAC address of the event source in hexadecimal. The
MAC address is made up of six groups of two hexadecimal
digits, which are colon-separated, for example,

11:2D:67:BF:1A:71
dstMAC MAC Yes
Address The MAC address of the event destination in hexadecimal. The
MAC address is composed of six groups of two hexadecimal
digits, which are colon-separated, for example,

11:2D:67:BF:1A:71
srcPreNATPort Integer Yes
The port number of the event source before Network Address
Translation (NAT).

Attribute Limits: 0 - 65535

6 Log Event Extended Format (LEEF)

Table 3. Pre-defined event attributes (continued)
Normalized
Value event field?
Key type Yes/No Description
dstPreNATPort Integer Yes
The port number of the event destination before Network
Address Translation (NAT).

Attribute Limits: 0 - 65535

srcPostNATPort Integer Yes
The port number of the event source after Network Address
Translation (NAT).

Attribute Limits: 0 - 65535

dstPostNATPort Integer Yes
The port number of the event destination after Network
Address Translation (NAT).

Attribute Limits: 0 - 65535

identSrc IPv4 or Yes
IPv6 Identity source represents an extra IPv4 or IPv6 address that
Address can connect an event with a true user identify or true
computer identity.

Example 1: Connecting a person to a network identity.

User X logs in from their notebook and then connects to a

shared system on the network. When their activity generates
an event, then the identSrc in the payload can be used to
include more IP address information. QRadar uses the
identSrc information in the event along with the payload
information, such as username, to identify that user X is
bob.smith.

The following identity keys depend on identSrcs presence in

the event payload:

identHostName

identNetBios

identGrpName

identMAC
identHostName String Key
Host name information that is associated with the identSrc to
further identify the true host name that is tied to an event.

The identHostName parameter is usable by QRadar only when

your device provides both the identSrc key and
identHostName together in an event payload.

Attribute Limits: 255

identNetBios String Yes
NetBIOS name that is associated with the identSrc to further
identify the identity event with NetBIOS name resolution.

The identNetBios parameter is usable by QRadar only when

your device provides both the identSrc key and identNetBios
together in an event payload.

Attribute Limits: 255

identGrpName String Yes
Group name that is associated with the identSrc to further
identify the identity event with Group name resolution.

The identGrpName parameter is usable by QRadar only when

your device provides both the identSrc key and identGrpName
together in an event payload.

Attribute Limits: 255

Log Event Extended Format (LEEF) 7

 Table 3. Pre-defined event attributes (continued)
Normalized
Value event field?
Key type Yes/No Description
identMAC MAC Yes
Address Reserved for future use in the LEEF format.
vSrc IPv4 or No
IPv6 The IP address of the virtual event source.
Address
vSrcName String No
The name of the virtual event source.

Attribute Limits: 255

accountName String No
The account name that is associated with the event.

Attribute Limits: 255

srcBytes Integer No
Indicates the byte count from the event source.
dstBytes Integer No
Indicates the byte count to the event destination.
srcPackets Integer No
Indicates the packet count from the event source.
dstPackets Integer No
Indicates the packet count to the event destination.
Integer No
totalPackets Indicates the total number of packets that are transmitted
between the source and destination.
role String No
The type of role that is associated with the user account that
created the event, for example, Administrator, User, Domain
Admin.
realm String No
The realm that is associated with the user account. Depending
on your device, can be a general grouping or based on region,
for example, accounting, remote offices.
policy String No
A policy that is associated with the user account. This policy
is typically the security policy or group policy that is tied to
the user account.
resource String No
A resource that is associated with the user account. This
resource is typically the computer name.
url String No
URL information that is included with the event.
groupID String No
The groupID that is associated with the user account.
domain String No
The domain that is associated with the user account.
isLoginEvent Boolean No
string Identifies if the event is related to a user login, for example,

isLoginEvent=true

isLoginEvent=false

This key is reserved in the LEEF specification, but not

implemented in QRadar.

Attribute Limits: true or false

8 Log Event Extended Format (LEEF)

 Table 3. Pre-defined event attributes (continued)
Normalized
Value event field?
Key type Yes/No Description
isLogoutEvent Boolean No
string Identifies if the event is related to a user logout, for example,

isLogoutEvent=true

isLogoutEvent=false

This key is reserved in the LEEF specification, but not

implemented in QRadar.

Attribute Limits: true or false

identSecondlp IPv4 or No
IPv6 Identity second IP address represents an IPv4 or IPv6 address
Address that is used to associate a device event that includes a
secondary IP address. Secondary IP addresses can be in events
by routers, switches, or virtual LAN (VLAN) device events.

This key is reserved in the LEEF specification, but not

implemented in QRadar.
calLanguage String No
Identifies the language of the device time (devTime) key to
Attribute Limits: 2 allow translation and to ensure that QRadar correctly parses
the date and time of events that are generated in translated
languages.

The calLanaguage field can include two alphanumeric

characters to represent the event language for the device time
of your event. All calLanguage alphanumeric characters follow
the ISO 639-1 format, for example,

calLanguage=fr devTime=avril 09 2014 12:30:55

calLanguage=de devTime=Di 30 Jun 09 14:56:11

This key is reserved in the LEEF specification, but not

implemented currently in QRadar.

Attribute Limits: 2
calCountryOrRegion String No
Extends the calLanguage key to provide more translation
information that can include the country or region for the
event device time (devTime). The key calCountryOrRegion must
be used with the calLanguage key.

The calCountryOrRegion field can include two alphanumeric

characters to represent the event country or region for the
device time of your event. All calCountryOrRegion
alphanumeric characters follow the ISO 3166 format, for
example,

calLanguage=de calCountryOrRegion=DE devTime=Di 09 Jun

2014 12:30:55

calLanguage=en calCountryOrRegion=US devTime=Tue 30 Jun

09

This key is reserved in the LEEF specification, but not

implemented in QRadar.

Attribute Limits: 2

Custom event keys

Vendors and partners can define their own custom event keys and include them in
the payload of the LEEF format.

Log Event Extended Format (LEEF) 9

 Use custom key value-pair attributes in an event payload when there is no default
key to represent information about an event for your appliance. Create custom
event attributes only when there is no acceptable mapping to a predefined event
attribute. For example, if your appliance monitors access, you can require the file
name that is accessed by a user where no file name attribute exists in LEEF by
default.

Note: Event attribute keys and values can appear one time only in each payload.
Using a key-value pair twice in the same payload can cause IBM Security QRadar
to ignore the value of the duplicate key.

Custom event keys are non-normalized, which means that any specialized key value
pairs you include in your LEEF event are not displayed by default on the Log
Activity tab of QRadar. To view custom attributes and non-normalized events on the
Log Activity tab of QRadar, you must create a custom event property.
Non-normalized event data is still part of your LEEF event, is searchable in QRadar,
and is viewable in the event payload. For more information about creating a
custom event property, see the IBM Security QRadar Administration Guide.

Best practices Guidelines for LEEF events

LEEF is flexible and can create custom key value pairs for events, but you must
follow some best practices to avoid potential parsing issues.

Items that are marked Allowed can be included in a key or value, and is not in
violation of LEEF but these items are not good practice when you create custom
event keys.

The following list contains custom key and value general guidelines:
v Use alphanumeric (A-Z, a-z, and 0-9) characters, but avoid tab, pipe, or caret
delimiters in your event payload keys and values (key=value).
Correct - usrName=Joe.Smith
Incorrect - usrName=Joe<tab>Smith
v Contain a single word for the key attribute (key=value).
Correct - file name=pic07720.gif
Allowed - file name=pic07720.gif
Allowed - file name =pic07720.gif
v A user-defined key cannot use the same name as a LEEF predefined key. For
more information, see Predefined LEEF event attributes on page 4.
v Key values must be human readable, if possible, to help you to investigate event
payloads.
Correct - deviceProcessHash=value
Correct - malwarename=value
Allowed - EBFDFBE14D4=value

Custom event date format

To create a customized event format, your device must supply the raw date format
by using the devTime event attribute in the payload of the event.

Use the devTimeformat to format the devTime event attribute to display the event in
IBM Security QRadar. The suggested devTimeFormat patterns are listed in the
following table:

10 Log Event Extended Format (LEEF)

Table 4. devTimeFormat suggested patterns
devTimeFormat Pattern Result
devTimeFormat=MMM dd yyyy HH:mm:ss Jun 06 2015 16:07:36
devTimeFormat=MMM dd yyyy Jun 06 2015 16:07:36.300
HH:mm:ss.SSS
devTimeFormat=MMM dd yyyy Jun 06 2015 02:07:36.300 GMT
HH:mm:ss.SSS z

For more information about specifying a date format, see the SimpleDateFormat
information on the Java Web Page(http://docs.oracle.com/javase/7/docs/api/
java/text/SimpleDateFormat.html).

Log Event Extended Format (LEEF) 11

12 Log Event Extended Format (LEEF)
Notices
This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant you
any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing

IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte character set (DBCS) information,

contact the IBM Intellectual Property Department in your country or send
inquiries, in writing, to:

Intellectual Property Licensing

Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS

PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.

This information could include technical inaccuracies or typographical errors.

Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.

Copyright IBM Corp. 2013, 2016 13

 IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:

IBM Corporation
170 Tracer Lane,
Waltham MA 02451, USA

Such information may be available, subject to appropriate terms and conditions,

including in some cases, payment of a fee.

The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement or any equivalent agreement
between us.

Any performance data contained herein was determined in a controlled

environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of

those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject
to change without notice. Dealer prices may vary.

This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.

If you are viewing this information softcopy, the photographs and color
illustrations may not appear.

14 Log Event Extended Format (LEEF)

Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the Web at "Copyright and
trademark information" at www.ibm.com/legal/copytrade.shtml.

Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.

Privacy policy considerations

IBM Software products, including software as a service solutions, (Software
Offerings) may use cookies or other technologies to collect product usage
information, to help improve the end user experience, to tailor interactions with
the end user or for other purposes. In many cases no personally identifiable
information is collected by the Software Offerings. Some of our Software Offerings
can help enable you to collect personally identifiable information. If this Software
Offering uses cookies to collect personally identifiable information, specific
information about this offerings use of cookies is set forth below.

Depending upon the configurations deployed, this Software Offering may use
session cookies that collect each users session id for purposes of session
management and authentication. These cookies can be disabled, but disabling them
will also eliminate the functionality they enable.

If the configurations deployed for this Software Offering provide you as customer
the ability to collect personally identifiable information from end users via cookies
and other technologies, you should seek your own legal advice about any laws
applicable to such data collection, including any requirements for notice and
consent.

For more information about the use of various technologies, including cookies, for
these purposes, See IBMs Privacy Policy at http://www.ibm.com/privacy and
IBMs Online Privacy Statement at http://www.ibm.com/privacy/details the
section entitled Cookies, Web Beacons and Other Technologies and the IBM
Software Products and Software-as-a-Service Privacy Statement at
http://www.ibm.com/software/info/product-privacy.

Notices 15
16 Log Event Extended Format (LEEF)
IBM

Printed in USA