Q1Labs LEEF format uses the Syslog message protocol as a transport mechanism.

The format of the message is:

Date-Time hostname LEEF:Version|Vendor|Product|Version|EventID|
Key1=Value1<tab>Key2=Value2<tab>...<tab>KeyN=ValueN

Each message includes a common prefix consisting of the message date and time, the hostname of the server from which it was sent, and "LEEF:" plus the version of LEEF format. Following the prefix, the message includes fields describing the product sending the message and an event identifier. The remainder of the message is formatted into an event-specific series of key value pairs delimited by a tab character. Characters in the message are UTF-8 encoded.

The following example illustrates a LEEF-formatted message using Syslog output from App Control, with “<tab>“substituted where actual tabs are used in the message:

Jan 18 11:07:53 198.76.5.4 LEEF:1.0|VMware Carbon_Black|App Control|
8.6.0.155<tab>|NEW_PORT_DISCOVERD|src=172.5.6.67<tab>dst=172.50.123.1<tab>
sev=5<tab>cat=anomaly<tab>msg=there are spaces in this message