2018-08-14 09:04 AM
Hi people! I have a customer who has an event source that writes its events into the Application channel of Windows Events. We don't have any problem collecting those events, but NetWitness tries to parse them as Windows events. I wonder if there is any way to take the value of one metadata field (let's say "msg") and process it as a CEF message.
Any suggestions?
2018-08-14 09:13 AM
any sample events you can provide?
2018-08-14 09:34 AM
Sure, here is an export of one event
%NICWIN-4-Application_1_SWIFT: Application,rn=30861 cid=0 eid=1,Mon Jul 30 17:53:39 2018,1,SWIFT,,Information,JUST.A.FDQN,No category file,,No description string found. string-data=[CEF:0|SWIFT|Alliance Access|7.2.0|BSA-3001|Signoff|Low|cn1=2147483450 cn1Label=Event Sequence ID cs1=13782e0f-bf93-4033-831a-86f46ec0159b cs1Label=Instance UUID cs2=54f5a672-a658-491b-89b5-59463d51e7b2 cs2Label=Correlation ID cat=Operator msg=Operator PARTNER : signed off from the terminal '172.34.34.34'. suid=PARTNER dvchost=SRVSWIFTAA-TEST dvc=172.33.33.33 dvcmac=00:FF:56:A0:86:BB deviceProcessName=WS_appsrv src=172.34.34.34 dtz=America/Buenos_Aires rt=1532973219000 ]
2018-08-14 10:04 AM
Is the CEF string always in the string-data= field? And always ending
2018-08-14 10:28 AM
Yes sir!
2018-08-14 10:47 AM
I have a Lua parser that was designed for something else that might work here. It doesn't specifically parse CEF, but it does work on a specific text anchor to pull out data from a raw message and parse out further details. The issue with this message is that event.desc gets the full text and hits a limit at 256 characters, which then truncates the values. So you can't just parse event.desc for these events to get the details; you need some anchor to find these messages and re-parse the section of string-data=\[ ..\] to get the values you need.
Are there specific values from that string that you need vs. want? I can see if I can get you started with a few items.
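To make the approach above concrete (anchor on string-data=[ ... ], take the text inside the brackets, and parse it as CEF rather than relying on the truncated event.desc), here is an added worked example. It is not the Lua parser mentioned in the thread and not NetWitness code; a real NetWitness parser would be written in Lua against its parser API, while this is plain Python so the splitting logic can be run and checked offline. It assumes, as confirmed earlier in the thread, that the CEF string always sits in string-data=[...] at the end of the event. The sample event is the one posted above; the second, shorter input in the usage section is constructed to exercise CEF escape handling (\| in the header, \= in an extension value).

```python
"""Re-parse the CEF payload carried inside a Windows Application-channel event.

Added example for this thread; not NetWitness's own (Lua) parser code.
"""
import re
from typing import Dict, List, Tuple

# Sample event as posted in the thread, reproduced as a single string.
SAMPLE = (
    "%NICWIN-4-Application_1_SWIFT: Application,rn=30861 cid=0 eid=1,"
    "Mon Jul 30 17:53:39 2018,1,SWIFT,,Information,JUST.A.FDQN,No category file,,"
    "No description string found. string-data=[CEF:0|SWIFT|Alliance Access|7.2.0|"
    "BSA-3001|Signoff|Low|cn1=2147483450 cn1Label=Event Sequence ID "
    "cs1=13782e0f-bf93-4033-831a-86f46ec0159b cs1Label=Instance UUID "
    "cs2=54f5a672-a658-491b-89b5-59463d51e7b2 cs2Label=Correlation ID cat=Operator "
    "msg=Operator PARTNER : signed off from the terminal '172.34.34.34'. suid=PARTNER "
    "dvchost=SRVSWIFTAA-TEST dvc=172.33.33.33 dvcmac=00:FF:56:A0:86:BB "
    "deviceProcessName=WS_appsrv src=172.34.34.34 dtz=America/Buenos_Aires "
    "rt=1532973219000 ]"
)

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# Anchor: everything between 'string-data=[' and the final ']' (assumed to close the event).
STRING_DATA_RE = re.compile(r"string-data=\[(.*)\]\s*$", re.DOTALL)
# An extension key is a run of key characters preceded by whitespace (or start) and
# followed by '='. An escaped '\=' inside a value can never match because '\' is not
# a key character.
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def extract_cef(raw: str) -> str:
    """Return the CEF text found between 'string-data=[' and the closing ']'."""
    m = STRING_DATA_RE.search(raw)
    if not m:
        raise ValueError("no string-data=[...] section in event")
    cef = m.group(1).strip()
    if not cef.startswith("CEF:"):
        raise ValueError("string-data does not carry a CEF message")
    return cef


def _unescape(s: str) -> str:
    """Resolve CEF escapes: \\\\, \\|, \\= and, in extension values, \\n and \\r."""
    out: List[str] = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def split_header(cef: str) -> Tuple[Dict[str, str], str]:
    """Split the seven pipe-delimited header fields from the raw extension.

    Only unescaped pipes delimit fields. The extension is returned with its
    escapes intact so parse_extension can interpret them itself.
    """
    fields: List[str] = []
    start = i = 0
    while i < len(cef) and len(fields) < len(HEADER_FIELDS):
        if cef[i] == "\\":          # skip the escaped character
            i += 2
            continue
        if cef[i] == "|":
            fields.append(cef[start:i])
            start = i + 1
        i += 1
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("malformed CEF header: expected 7 '|' delimiters")
    header = {name: _unescape(v) for name, v in zip(HEADER_FIELDS, fields)}
    if header["version"].startswith("CEF:"):
        header["version"] = header["version"][4:]
    return header, cef[start:]


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'k1=v1 k2=value with spaces' into a dict.

    Values may contain spaces (see msg= in the sample), so each value runs
    from its '=' up to the next whitespace-preceded 'key=' token.
    """
    keys = list(EXT_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def apply_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Map custom fields (cs1, cn1, ...) to the names given by cs1Label, cn1Label, ..."""
    return {label: ext[key[:-5]]
            for key, label in ext.items()
            if key.endswith("Label") and key[:-5] in ext}


def parse_event(raw: str) -> Dict[str, object]:
    """Full pipeline: anchor on string-data=[...], split header, parse extension."""
    header, ext_raw = split_header(extract_cef(raw))
    ext = parse_extension(ext_raw)
    return {"header": header, "ext": ext, "custom": apply_labels(ext)}


if __name__ == "__main__":
    parsed = parse_event(SAMPLE)
    print(parsed["header"]["signature_id"], parsed["header"]["name"], parsed["header"]["severity"])
    print(parsed["ext"]["msg"])
    print(parsed["custom"])
    # The CEF payload alone is well past the 256 characters event.desc keeps,
    # which is why re-parsing the anchored section is needed.
    print(len(extract_cef(SAMPLE)))
    # Constructed input (not from the thread) showing escape handling.
    hdr, ext = split_header(r"CEF:0|Acme\|Co|Prod|1.0|100|Sign off|5|msg=a\=b foo=bar")
    print(hdr["vendor"], parse_extension(ext))
```

The one design point worth noting: the header is split on unescaped pipes first and the extension is handed over still escaped, because `\=` has to survive until the key scan runs or a value such as `a\=b` would be cut into a bogus key. Whatever meta keys you emit from the Lua side, the labelled custom fields (Instance UUID, Correlation ID, Event Sequence ID here) are the ones a SWIFT investigation will usually pivot on, so they are resolved by name rather than left as cs1/cs2/cn1.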
2018-08-15 10:39 AM
Eric, thank you for your time, could you please share the link of that lua parser so I can take a look at it?
Thanks!
2018-08-15 11:40 AM
2021-04-27 03:17 AM - edited 2021-04-27 03:28 AM
Hi,
I have the same issue: the RSA NetWitness platform parses the logs as Windows logs, but the 'cef' logs are not parsed by the RSA NetWitness platform. Can you help me with this problem?