This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Extend CEF Parser for particular event source

Anonymous
Not applicable

‎2024-01-23 03:18 AM

I have an event source (Airlock) that when configured is supposed to use the CEF Event Parser. However I've noticed that not all information is being parsed out of the event log.

 

Is it possible to use the default CEF parser and then extend it with additional rules or do I need to build a complete new parser for it?

 

Thanks.

0 Likes
1 REPLY 1

matteogardini
New Contributor New Contributor
New Contributor

‎2024-01-29 04:32 AM

You can customize the CEF parser.

You can use the follwing article as a reference: Custom CEF Parser - NetWitness Community - 677921

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.