This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Knowledge Base Archive
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA Security Analytics - Working with Custom Keys in the CEF Parser

Article Number

000032757

Applies To

RSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Server
 

Issue

The CEF format allows the use of custom keys such as cs1 and cs1Label.

In a CEF log you may see the following:
 
Jan 27 10:43:51 PROXYNAME  CEF:0|Bluecoat|Proxy|1.0|OBSERVED|OBSERVED|5|date=2016-01-27 time=10:43:51 ip.src=192.168.10.86 action=TCP_MISS ip.dst=192.168.11.252 cat=Content Servers requestMethod=GET dhost=eu-irl-00001.s3.amazonaws.com request=http://eu-irl-00001.s3.amazonaws.com/yKalk5gBT169iwsB8XFS?x-client-request-id=71445322-c4dd-11e5-b2dd-f23c91a872ff&Expires=1453892409&byte-range=4912-4943&AWSAccessKeyId=AKIAI3LLM7P3DRGCUSIA&bin=203000001&Signature=I0XwajzJOFKdFmj4wQ0%2B4vH7C%2Fo%3D dport=80 useragent=backupd (unknown version) CFNetwork/548.1.4 Darwin/11.0.0 out=418 outcome=206 in=484 errorcode=OBSERVED content=application/octet-stream daddr=54.231.133.9 dvchost=AE44PCCPWPXY02 sport=80 Version=HTTP/1.1 hostname=eu-irl-00001.s3.amazonaws.com cs1=com cs1Label=tld directory=/ path=/yKalk5gBT169iwsB8XFS filename=yKalk5gBT169iwsB8XFS

Here we are using the custom keys cs1 and cs1Label to hold the Top Level Domain (TLD).

We want to parse this meta into the TLD meta key.

Resolution

Add the following lines to the CEF parser (normally located on the log decoder at /etc/netwitness/ng/envision/etc/devices/cef/cef.xml) 

<ExtensionKey cefName="cs1" metaName="cs_fld" > 
<device2meta device="trendmicrodsa" metaName="context"/> 
<device2meta device="bluecat" metaName="action" label="query"/> 
<device2meta device="websense" metaName="policyname" label="Policy"/> 
<device2meta device="mcafeewg" metaName="virusname" label="Virus Name"/> 
<device2meta device="bluecoat_proxy" metaName="tld" label="tld" /> 
</ExtensionKey>
In your table-map-custom.xml file add the following: 

<mapping envisionName="tld" nwName="tld" flags="None" format="Text"/>

What this means is that if we have a device type of bluecoat_proxy and cs1label=tld then put the meta into meta key tld.

Notes

The meta key for custom extensions can be selected in 3 different ways.

The following example has the meaning:
  • If the device type is rsaecat and the cs1Label field is vlanName then put the value of cs1 into the meta vlan
  • If the device type is rsaecat and the cs1Label field has value rsasubject then put the value of cs1 into the meta key subject
  • If the device type is rsaflow then always put the value of cs1 into the meta key subject
  • Otherwise put the value of cs1 into metakey context.

ExtensionKey cefName="cs1" metaName="context">
<device2meta device="rsaecat" metaName="vlan" label="vlanName"/>
<device2meta device="rsaecat" metaName="subject" label="rsasubject"/>
<device2meta device="rsaflow" metaName="subject"/>
</ExtensionKey>
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2021-04-23 10:22 AM
Updated by:
Administrator Administrator

Related Content

© 2022 RSA Security LLC or its affiliates. All rights reserved.