2015-01-14 05:55 AM
Is there a standard CEF Parser available in Security Analytics? We want to parse CEF over rsyslog.
I've extracted the cef:xml from RSA Live.
But there are just <Messages> sections for rsaecat, rsaflow, netwitnessspectrum & bit9.
What does the section <ExtensionKeys> achieve in that parser?
Does anybody have a good example for the CEF extensions?
2015-01-14 12:58 PM
Hi Davme,
We support CEF out of the box. Just point your CEF syslog to our Log Decoder or Log Collector accepting syslog and we will parse it. CEF is made up of a smallish header followed by extension keys which contain the bulk of the information. We already cover all the common keys.
If you have custom keys or want to have the device type in the CEF show up as something different in SA then you can edit the XML but in most cases that shouldn't be necessary.
Thanks,
Guy
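To make the "smallish header followed by extension keys" structure concrete, here is an added example of a CEF parser in Python. It is not RSA's cef.xml parser or any Security Analytics code; it implements the CEF format itself (the seven pipe-delimited header fields, then space-separated key=value extensions with backslash escapes) and a helper that resolves ArcSight-style custom-key labels such as cs1Label/cs1, which is the "custom keys" case mentioned above. The syslog line it parses is constructed for the example.

```python
import re

# CEF header layout (seven fields), everything after the 7th unescaped '|' is the extension:
# CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
_HEADER_NAMES = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# An extension key is a run of [A-Za-z0-9_.-] at the start or after whitespace, followed by '='.
# An escaped '\=' inside a value never matches because '\' is not a key character.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")


def _split_header(cef):
    """Scan to the 7th unescaped '|' and return (header_fields, raw_extension).

    In the header, '\\|' is a literal pipe and '\\\\' a literal backslash.
    """
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        c = cef[i]
        if c == "\\" and i + 1 < len(cef):
            cur.append(cef[i + 1])          # escaped character, taken literally
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) < 7:                     # sender omitted the trailing '|' (empty extension)
        fields.append("".join(cur))
    return fields, cef[i:]


def _unescape(value):
    """Extension-value escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n' / '\\r' -> newline / CR."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_extension(ext):
    """Turn 'k1=v1 k2=v2 with spaces' into a dict; values run up to the next key token."""
    matches = list(_KEY_RE.finditer(ext))
    result = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end].strip())
    return result


def parse_cef(line):
    """Parse a syslog line carrying a CEF payload (any syslog prefix before 'CEF:' is skipped)."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    fields, raw_ext = _split_header(line[start:])
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    fields[0] = fields[0][len("CEF:"):]     # "CEF:0" -> version "0"
    return {"header": dict(zip(_HEADER_NAMES, fields)),
            "extension": parse_extension(raw_ext)}


def resolve_labels(ext):
    """Replace custom-key pairs like cs1Label=Rule cs1=deny-all with {'Rule': 'deny-all'}."""
    out = dict(ext)
    for key, label in ext.items():
        base = key[:-len("Label")]
        if key.endswith("Label") and base in ext and label not in out:
            out[label] = out.pop(base)
            out.pop(key)
    return out


# Constructed sample line (not real log data): escaped pipe in the header,
# escaped '=' and newline in msg, and a labelled custom string cs1.
SAMPLE = (r"<13>Jan 14 05:55:00 fw01 CEF:0|Acme|Firewall|1.0|100|Blocked\|Connection|7|"
          r"src=10.0.0.5 dst=192.0.2.10 spt=51515 dpt=443 "
          r"msg=Policy a\=b matched\nsee log cs1Label=Rule cs1=deny-all")

if __name__ == "__main__":
    event = parse_cef(SAMPLE)
    print(event["header"])
    print(resolve_labels(event["extension"]))
```

The scanner-based header split matters more than it looks: a naive `line.split("|")` breaks the signature name "Blocked\|Connection" into two fields and shifts every later field, which is exactly the kind of mis-parse that ends up as a wrong device type or severity in the decoder.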