NetWitness Platform Online Documentation

Browse the official NetWitness Platform Online documentation for helpful tutorials, step-by-step instructions, and other valuable resources.

Options

Subscribe to RSS Feed

Bookmark

Subscribe

Printer Friendly Page

Report Inappropriate Content

Versions

Collections

All Downloads

Add VARTYPE Support to CEF ParserAdd VARTYPE Support to CEF Parser

VARTYPE added in 11.0 and later versions provide type and pattern validation for variables. While the variables are parsed, NetWitness has added the ability to condition them to match a certain format.

CEF Parser format logs with CEF:0 and will use CEF parsers without any further identification. Some CEF sources have structured data embedded in variables. This data requires further processing. To direct parse rules scanning of the data, support for scanned variables is required for the CEF parser. Scanned variables are supported during the VARTYPE implementation.

To add VARTYPE support to CEF parser:

Load VARTYPE from CEF parser (cef.xml and cef-custom.xml) successfully.
Load all existing CEF parsers and parse the data successfully.
Enable VARTYPE to validate the header information.
Enable VARTYPE to fine parse CEF variable (MetaName).
Ensure that VARTYPE is working fine with custom CEF parser.

NetWitness Community

Table of Contents

Product Resources

Add VARTYPE Support to CEF ParserAdd VARTYPE Support to CEF Parser

On this page