We use the Menlo Security platform for our web proxy and have built a custom Lua parser to process the CEF-based logs. (Menlo allows for QRadar- and Splunk-formatted logs, but we chose CEF.)
We're not entirely sure that it's working properly, or whether what we did gives the best performance in NetWitness.
I've attached the parser and a sample log file. I was wondering if someone with more experience in writing log parsers could look it over and see whether there are any improvements we could make, or whether the approach we took wasn't the correct one.
Hi Dave, sorry for the almost year-long delay, must've lost track of this one.
I think you're correct. I didn't write the original parser; however, I think the intent was that the log file has fields for session and browser IDs, so the goal was to match those together, and I don't think the CEF parser was processing it properly.