Custom CEF Parser

This topic describes the custom CEF parser (cef-custom.xml), which overrides the standard, base CEF (Common Event Format) parser.

Context

Customers need the ability to customize the key mappings in the base CEF parser based on their own requirements. If they edit the base CEF parser directly, those changes are lost the next time the parser is updated to the latest content.

The Custom CEF parser maintains the customizations separate from the base parser information.

Functionality and Characteristics

The Custom CEF parser has the following capabilities:

  • You can override the base mapping for a tag to a different meta key.
  • You cannot override the base Header and Message Definitions.
  • The Custom CEF parser is a superset of the base CEF parser. This means:
    • Any new tags you define are appended to the set of existing tags in the base parser.
    • If there is a conflict (that is, the custom parser defines a different mapping for a given tag than the base parser does), the custom parser "wins": for every such tag, the mapping in the custom parser overrides the mapping in the base parser.
  • If the custom parser definition is invalid and throws an error, the base parser is used on its own and the error is reported.

Details

RSA NetWitness Platform Log Decoders version 10.6.4 and newer support both the custom and base CEF parsers. On startup, a Log Decoder service reads both the base CEF parser and the custom CEF parser and overrides base parser behavior as described above. The Log Decoder service preserves the mappings in the custom CEF parser even when a newer version of the base CEF parser is downloaded from Live.

The Custom CEF parser supports overriding existing entries, and adding new entries, for the following keys:

  • VendorProducts key (Vendor2Device entries)
  • ExtensionKey
  • device2meta key
  • CN and CS keys

Create Custom CEF Parser

This section walks through examples for how to create a custom CEF parser.

Note: A sample CEF custom file is available on RSA Link here: https://community.rsa.com/docs/DOC-79227

Add Vendor, Product, Device, and Group Definition

To map logs of a product called Product1 from a vendor called Vendor1 to device name Device1 in Group1, create a new Vendor2Device tag in the cef-custom.xml file as shown here:

<DEVICEMESSAGES>
<VendorProducts>
<Vendor2Device vendor="Vendor1" product="Product1" device="Device1" group="Group1"/>
</VendorProducts>
</DEVICEMESSAGES>

Override Existing Device Definitions

To change an existing Vendor2Device definition, create an overriding Vendor2Device tag in the cef-custom.xml file as shown below.

The following code is in cef.xml:

<VendorProducts>
:
<Vendor2Device vendor="RSA" product="Security Analytics NetFlow Collector" device="rsaflow" group="Switch"/>
:
</VendorProducts>

To change the device name from rsaflow to My Own Device, add the following code to cef-custom.xml. The vendor and product attributes must match the base entry exactly, because they identify which entry is being overridden:

<DEVICEMESSAGES>
<VendorProducts>
<Vendor2Device vendor="RSA" product="Security Analytics NetFlow Collector" device="My Own Device" group="Switch"/>
</VendorProducts>
</DEVICEMESSAGES>

Override Existing CEF Tag to NetWitness Meta Tag Mapping

To change an existing CEF tag to NetWitness meta key mapping defined in an ExtensionKey, create an overriding ExtensionKey tag in the cef-custom.xml file as shown below.

The following code is in cef.xml:

<ExtensionKeys>
:
<ExtensionKey cefName="dst" metaName="daddr"/>
:
</ExtensionKeys>

To map the CEF tag dst to a new key, forward.ip, instead of the original daddr, add the following code to cef-custom.xml:

<DEVICEMESSAGES>
<ExtensionKeys>
<ExtensionKey cefName="dst" metaName="forward.ip"/>
</ExtensionKeys>
</DEVICEMESSAGES>

Note: This change affects all devices, because an ExtensionKey mapping without a device2meta qualifier applies to every device.

How metaName Works

The metaName attribute holds the log parser key name. The table map file (which you can adjust in table-map-custom.xml) maps that log parser key to a meta key. The log parser key is used inside the parser; the meta key is what is available in Investigator.

The Unified Data Model describes the NetWitness data model, as well as how meta flows through RSA NetWitness Platform.

Override Existing CEF Tag to NetWitness Meta Tag Mapping For a Specific Device

To change an existing CEF tag to NetWitness meta key mapping defined in an ExtensionKey for just one device, create a new or overriding device2meta tag in cef-custom.xml as shown below.

The following code is in cef.xml:

<ExtensionKeys>
:
<ExtensionKey cefName="proto" metaName="protocol">
<device2meta device="rsaflow" metaName="ip_proto"/>
</ExtensionKey>
:
</ExtensionKeys>

To map the CEF tag proto to a new key, proto1, instead of the original ip_proto for the rsaflow device only, add the following code to cef-custom.xml:

<DEVICEMESSAGES>
<ExtensionKeys>
<ExtensionKey cefName="proto" metaName="protocol">
<device2meta device="rsaflow" metaName="proto1"/>
</ExtensionKey>
</ExtensionKeys>
</DEVICEMESSAGES>

The enclosing ExtensionKey repeats the base metaName (protocol), so the global mapping for proto is unchanged; only the device2meta entry for the "rsaflow" device is overridden.

Note: Using the new meta key proto1 also requires a corresponding entry in table-map-custom.xml. This change does not affect any device other than rsaflow.
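The following script is an added example, not RSA NetWitness code: it simulates how the Log Decoder is described above as resolving cef.xml together with cef-custom.xml (new entries appended, conflicting custom entries winning, an invalid custom file reported while the base parser stays in effect), and lets you check what a header or extension tag will map to before you deploy. The base and custom documents are constructed from the fragments quoted in the preceding sections; the Vendor2Device and ExtensionKey lookup functions and the attribute checks are this example's own assumptions about the format, not a specification of the parser.

```python
"""Simulate Log Decoder resolution of cef.xml plus cef-custom.xml.

Added example (not RSA NetWitness code). Base and custom documents are
constructed from the fragments quoted on this page.
"""
import xml.etree.ElementTree as ET

# Constructed excerpt of cef.xml (base parser).
BASE_XML = """<DEVICEMESSAGES>
<VendorProducts>
<Vendor2Device vendor="RSA" product="Security Analytics NetFlow Collector" device="rsaflow" group="Switch"/>
</VendorProducts>
<ExtensionKeys>
<ExtensionKey cefName="dst" metaName="daddr"/>
<ExtensionKey cefName="proto" metaName="protocol">
<device2meta device="rsaflow" metaName="ip_proto"/>
</ExtensionKey>
</ExtensionKeys>
</DEVICEMESSAGES>"""

# Constructed cef-custom.xml combining the overrides shown on this page.
CUSTOM_XML = """<DEVICEMESSAGES>
<VendorProducts>
<Vendor2Device vendor="Vendor1" product="Product1" device="Device1" group="Group1"/>
<Vendor2Device vendor="RSA" product="Security Analytics NetFlow Collector" device="My Own Device" group="Switch"/>
</VendorProducts>
<ExtensionKeys>
<ExtensionKey cefName="dst" metaName="forward.ip"/>
<ExtensionKey cefName="proto" metaName="protocol">
<device2meta device="rsaflow" metaName="proto1"/>
</ExtensionKey>
</ExtensionKeys>
</DEVICEMESSAGES>"""


def parse_tables(xml_text):
    """Extract Vendor2Device and ExtensionKey tables; raise on malformed or mis-rooted XML."""
    root = ET.fromstring(xml_text)  # ET.ParseError on malformed input
    if root.tag != "DEVICEMESSAGES":
        raise ValueError("root element must be DEVICEMESSAGES, got %r" % root.tag)
    vendor2device = {}
    for e in root.iter("Vendor2Device"):
        key = (e.get("vendor"), e.get("product"))
        if None in key or e.get("device") is None:
            raise ValueError("Vendor2Device needs vendor, product and device attributes")
        vendor2device[key] = {"device": e.get("device"), "group": e.get("group")}
    extension_keys = {}
    for e in root.iter("ExtensionKey"):
        if e.get("cefName") is None or e.get("metaName") is None:
            raise ValueError("ExtensionKey needs cefName and metaName attributes")
        per_device = {d.get("device"): d.get("metaName") for d in e.findall("device2meta")}
        extension_keys[e.get("cefName")] = {"metaName": e.get("metaName"), "device2meta": per_device}
    return vendor2device, extension_keys


def merge(base_xml, custom_xml):
    """Return (vendor2device, extension_keys, messages) for the effective parser."""
    vendor2device, extension_keys = parse_tables(base_xml)
    messages = []
    try:
        custom_v2d, custom_ext = parse_tables(custom_xml)
    except (ET.ParseError, ValueError) as exc:
        # Invalid custom definition: report it and keep the base parser unchanged.
        messages.append("cef-custom.xml rejected, base parser in use: %s" % exc)
        return vendor2device, extension_keys, messages
    for key, entry in custom_v2d.items():  # new keys append, conflicts go to custom
        if key in vendor2device and vendor2device[key] != entry:
            messages.append("override Vendor2Device %s/%s: %s -> %s" % (
                key[0], key[1], vendor2device[key]["device"], entry["device"]))
        vendor2device[key] = entry
    for cef_name, entry in custom_ext.items():
        base = extension_keys.setdefault(cef_name, {"metaName": entry["metaName"], "device2meta": {}})
        if base["metaName"] != entry["metaName"]:
            messages.append("override ExtensionKey %s: %s -> %s" % (cef_name, base["metaName"], entry["metaName"]))
        base["metaName"] = entry["metaName"]
        # device2meta entries for other devices in the base file are kept (superset rule).
        base["device2meta"].update(entry["device2meta"])
    return vendor2device, extension_keys, messages


def device_for(vendor2device, vendor, product):
    """Device name a CEF header's vendor/product pair resolves to, or None if unmapped."""
    entry = vendor2device.get((vendor, product))
    return entry["device"] if entry else None


def meta_key_for(extension_keys, cef_name, device):
    """Log parser key for a CEF extension tag: device2meta entry first, then the global metaName."""
    entry = extension_keys.get(cef_name)
    if entry is None:
        return None
    return entry["device2meta"].get(device, entry["metaName"])


if __name__ == "__main__":
    v2d, ext, notes = merge(BASE_XML, CUSTOM_XML)
    for line in notes:
        print(line)
    print(device_for(v2d, "RSA", "Security Analytics NetFlow Collector"))  # My Own Device
    print(meta_key_for(ext, "proto", "rsaflow"), meta_key_for(ext, "proto", "Device1"))  # proto1 protocol
```

Point merge() at your real cef.xml and cef-custom.xml contents to see every override the Log Decoder will apply; if the custom file is rejected, the returned messages show why and the tables reflect the base parser alone, which is exactly the state the Log Decoder falls back to.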

Deploy the Custom CEF Parser

Follow these steps to deploy the custom CEF parser.

  1. Create the cef-custom.xml file and add your mappings to it.
  2. Upload cef-custom.xml to each of your Log Decoder services, into the following directory. Overwrite only an existing cef-custom.xml; never replace cef.xml, which Live keeps up to date:

    /etc/netwitness/ng/envision/etc/devices/cef

    Note: Use an SCP or SFTP client, for example WinSCP, to copy your custom file to the Log Decoder folder.

  3. If you introduced new meta keys, update the table-map-custom.xml file accordingly.
  4. Reload the CEF parser on the Log Decoder.