Every identity platform claims an audit log. Most produce one in some custom JSON format and call it done. The trouble starts when the auditor asks for evidence in the format their tools accept — or when the security operations centre asks for events in the format their monitoring platform reads — and the answer is “we don’t do that.”
Three formats, three audiences
The three industry-standard formats, Common Event Format (CEF), Log Event Extended Format (LEEF) and the Open Cybersecurity Schema Framework (OCSF), were each designed for a different audience.
Common Event Format is what the large enterprise monitoring platforms expect. Built originally for ArcSight in the early 2000s, it became the lingua franca for ingestion into Splunk, Microsoft Sentinel, and similar tools. A CEF line is a single record with a predictable prefix and a small set of well-defined fields, followed by a dictionary of extensions. It is verbose and structured, and an ingestion pipeline that supports it can parse it without custom code.
Log Event Extended Format is IBM QRadar’s preferred format — similar in structure to CEF but with subtly different field naming. If your organization runs QRadar, the SOC team will ask for LEEF.
Open Cybersecurity Schema Framework is the newer one, born of a 2022 industry collaboration that included AWS and Splunk. It’s a typed, hierarchical schema designed for cloud-scale security analytics. Where CEF and LEEF were optimised for single-line log emission, OCSF is optimised for nested events with rich metadata — and is the format most likely to be requested by a modern cloud-native security team.
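To make the CEF and LEEF structure concrete, here is an added Python example (not Trustaige's export code) that renders one constructed identity login event as a CEF line and as a LEEF 1.0 line, applying the escaping each format's prefix and extension fields require. The vendor and product names, the sample event and the choice of extension keys are assumptions for illustration.

```python
from datetime import datetime, timezone

# Constructed sample identity event; the reason value deliberately contains '=' and '|'.
SAMPLE_EVENT = {
    "timestamp": datetime(2024, 5, 1, 12, 30, tzinfo=timezone.utc),
    "event_id": "auth.login", "name": "User login", "severity": 3,
    "actor": "alice@example.com", "source_ip": "203.0.113.7",
    "outcome": "success", "reason": "password=ok|mfa=totp",
}

def _cef_header(v):
    # In the pipe-delimited CEF prefix only backslash and '|' are special.
    return str(v).replace("\\", "\\\\").replace("|", "\\|")

def _cef_ext(v):
    # In CEF extension values backslash, '=' and line breaks are special; '|' is not.
    s = str(v).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r", "\\r").replace("\n", "\\n")

def to_cef(ev, vendor="ExampleVendor", product="IdentityAudit", version="1.0"):
    """Render one identity event as a CEF:0 line using standard ArcSight extension keys."""
    prefix = (vendor, product, version, ev["event_id"], ev["name"], ev["severity"])
    ext = {"rt": int(ev["timestamp"].timestamp() * 1000),  # receipt time, epoch milliseconds
           "suser": ev["actor"], "src": ev["source_ip"],
           "outcome": ev["outcome"], "reason": ev["reason"]}
    return ("CEF:0|" + "|".join(_cef_header(p) for p in prefix) + "|"
            + " ".join(f"{k}={_cef_ext(v)}" for k, v in ext.items()))

def _leef_attr(v):
    # LEEF 1.0 attributes are tab-separated, so a tab inside a value would split the record.
    return str(v).replace("\t", " ").replace("\r", " ").replace("\n", " ")

def to_leef(ev, vendor="ExampleVendor", product="IdentityAudit", version="1.0"):
    """Render the same event as a LEEF:1.0 line (QRadar), with tab-delimited attributes."""
    prefix = (vendor, product, version, ev["event_id"])
    attrs = {"devTime": ev["timestamp"].strftime("%b %d %Y %H:%M:%S"),
             "devTimeFormat": "MMM dd yyyy HH:mm:ss",
             "usrName": ev["actor"], "src": ev["source_ip"],
             "cat": ev["outcome"], "reason": ev["reason"]}
    return ("LEEF:1.0|" + "|".join(str(p).replace("|", " ") for p in prefix) + "|"
            + "\t".join(f"{k}={_leef_attr(v)}" for k, v in attrs.items()))
```

Feeding the same event through both emitters shows why a "custom JSON" export is not enough: the actor, source address and timestamp land in the keys (`suser`/`usrName`, `src`, `rt`/`devTime`) that the collectors already know how to map.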
The translation tax accrues quarterly
The reason this matters: an audit log that can only be exported in a custom JSON format becomes a translation problem at every audit and every SOC integration. The translation tax accrues quarterly, gets worse as the log volume grows, and tends to produce errors right before the auditor or the incident-response analyst needs the data most. Picking an identity platform whose audit export already matches the formats your tools read is one of the small decisions that compound, in security work, into the difference between a 30-minute response and a 30-day one.
Trustaige writes audit events into immutable storage and exports them in five formats — the three industry standards above, plus plain CSV and JSON for the cases where the consumer is a human or a one-off script. The exports can be downloaded on demand or streamed live; the live stream is what most security teams want, because it puts identity events alongside everything else the SOC is watching in the same console, in real time.
What to ask your identity vendor
- Which formats do you export, natively, without an integration product in between? “We have an API you can poll” is not the same answer as “we stream CEF to your collector.”
- How is the log made immutable, and how would you prove that to an auditor? Append-only storage, signed events, and an attestation chain are the answers a regulated buyer expects.
- Can you attribute every event to a specific person, or just to a session ID? A log that can’t name the actor is a log the auditor will reject.
These are small questions that take five minutes to ask and that sort serious identity platforms from the marketing kind.
