NetWitness Community

JeremyKerwin · ‎2021-02-01

We use Menlo Security platform for our web proxy and have built a custom lua parser to process the CEF based logs. (Menlo allows for QRadar and Splunk formatted logs but we chose CEF)

We're not entirely sure that it's properly working or if what we did is the best performance for NetWitness.

I've attached the parser and a sample log file, I was wondering if someone with more experience in writing log parser could look over it and see if there are any improvements we could make or if the way we took wasn't the correct one.

Thanks.

DaveGlover · ‎2021-02-01

Jeremy

I will take a look at what you have. However my $.02 I would use the LEEF (qradar) over CEF. The format is so much easier to work with.

Dave

JeremyKerwin · ‎2021-02-01

Thanks Dave, I appreciate the help.

DaveGlover · ‎2021-02-01

Jeremy I just looked this over and I can not get it to work at all. Is the default CEF parser not parsing this device at all?

Are you putting the entire message into "msghold"?

content="<param_event_time><msghold>"/>

JeremyKerwin · ‎2022-02-14

Hi Dave, sorry for the almost year delay, must've lost track of this one.

I think you're correct. I didn't write the original parser, however I think the intent was in the log file there are fields on sessions and browser ids so the goal was to match those together and I don't think the CEF parser won't processing it properly.

NetWitness Community

Menlo Security Custom Log Parser - Opinion Sought