NetWitness Community

Hi All,

I am forwarding my logs from ESA to hybrid in CEF format (using syslog) . I am extracting all available  information  from alerts. I have enabled cef.xml , but logs are going as rsa_securitanyaltics_esa. 

jun 29 07:27:46 localhost CEF:2.0|RSA|Security Analytics ESA|10.5.1.0|Module_7001_Alert--0|RSA_IGSOC_CitrixNetScaler_7001_Misuse_SSLVPN Connectivity Originated from same source by different Users|5|rt=2016-06-29T07:27Z id=7cd4c968-85f2-4cd1-9cd6-6fd7bb68c4f2 source=10.68.136.105:56005:484525335521 alert="rcf_test2" bytes_src="0" city_src="Hyderabad" country_dst="India" country_src="India" dclass_r1="0.00%" dclass_r1_str="Compression_ratio_send" dclass_r2="0.00%" dclass_r2_str="Compression_ratio_recv" device_class="Application Firewall" device_group="Citrix Netscalar" device_ip="10.68.100.134" device_type="citrixns" device_type_id="168" did="blrsiemdec1" disposition="Allowed" dtransaddr="10.67.252.6" dtransport="443" duration_str="00:00:00" endtime="1467185619" esa_time="1467185060412" event_byte_size="531" event_cat="1605000000" event_cat_name="System.Normal Conditions" event_desc="TCP connection related information for a connection belonging to a SSLVPN session" event_source_id="10.68.136.105:56005:484525335521" event_time="1467185619" global_alerting="citrixns.forward" group="N/A" header_id="0001" ip_addr="203.171.211.144" ip_dst="122.15.156.5" ip_dstport="47873" ip_src="203.27.235.106" ip_srcport="64303" latdec_dst="13" latdec_src="17" level="6" log_session_id="6515" longdec_dst="80" longdec_src="78" medium="32" msg_id="SSLVPN_TCPCONNSTAT" msg_vid="SSLVPN_TCPCONNSTAT" org_dst="Vodafone India" org_src="ICICIBANK Ltd, Banking, Mumbai" rbytes="346" rid="485773059317" sessionid="484525335521" severity="Informational" size="632" starttime="1467185619" stransaddr="10.68.100.135" time="1467185058" user_dst="venuskalra" alert="rcf_test2" bytes_src="0" city_src="Hyderabad" country_dst="India" country_src="India" dclass_r1="0.00%" dclass_r1_str="Compression_ratio_send" dclass_r2="0.00%" dclass_r2_str="Compression_ratio_recv" device_class="Application Firewall" device_group="Citrix Netscalar" device_ip="10.68.100.134" device_type="citrixns" device_type_id="168" did="blrsiemdec1" disposition="Allowed" dtransaddr="10.6

Please suggest the changes what I need to do in cef.xml  .Also please suggest do I need to do some work around in case of custom parsers.