I have an event source (Airlock) that, when configured, is supposed to use the CEF Event Parser. However, I've noticed that not all information is being parsed out of the event log.
Is it possible to use the default CEF parser and then extend it with additional rules or do I need to build a complete new parser for it?
You can customize the CEF parser.
You can use the following article as a reference: Custom CEF Parser - NetWitness Community - 677921