Article Content
Article Number: 000032757

Applies To: RSA Product Set: Security Analytics; RSA Product/Service Type: SA Security Analytics Server
Issue

The CEF format allows the use of custom keys such as cs1 and cs1Label. In a CEF log you may see the following:

    Jan 27 10:43:51 PROXYNAME CEF:0|Bluecoat|Proxy|1.0|OBSERVED|OBSERVED|5|date=2016-01-27 time=10:43:51 ip.src=192.168.10.86 action=TCP_MISS ip.dst=192.168.11.252 cat=Content Servers requestMethod=GET dhost=eu-irl-00001.s3.amazonaws.com request=http://eu-irl-00001.s3.amazonaws.com/yKalk5gBT169iwsB8XFS?x-client-request-id=71445322-c4dd-11e5-b2dd-f23c91a872ff&Expires=1453892409&byte-range=4912-4943&AWSAccessKeyId=AKIAI3LLM7P3DRGCUSIA&bin=203000001&Signature=I0XwajzJOFKdFmj4wQ0%2B4vH7C%2Fo%3D dport=80 useragent=backupd (unknown version) CFNetwork/548.1.4 Darwin/11.0.0 out=418 outcome=206 in=484 errorcode=OBSERVED content=application/octet-stream daddr=54.231.133.9 dvchost=AE44PCCPWPXY02 sport=80 Version=HTTP/1.1 hostname=eu-irl-00001.s3.amazonaws.com cs1=com cs1Label=tld directory=/ path=/yKalk5gBT169iwsB8XFS filename=yKalk5gBT169iwsB8XFS

Here the custom keys cs1 and cs1Label are used to hold the Top Level Domain (TLD). We want to parse this value into the TLD meta key.
Resolution

Add the following lines to the CEF parser (normally located on the Log Decoder at /etc/netwitness/ng/envision/etc/devices/cef/cef.xml):

    <ExtensionKey cefName="cs1" metaName="cs_fld">
        <device2meta device="bluecoat_proxy" label="tld" metaName="tld"/>
    </ExtensionKey>

In your table-map-custom.xml file add the following:

    <mapping envisionName="tld" nwName="tld" flags="None" format="Text"/>

What this means is that if the device type is bluecoat_proxy and cs1Label=tld, the value of cs1 is written to the meta key tld; otherwise it falls back to the default meta key cs_fld.
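The label-driven selection described above, as an added illustration that is not RSA's code or part of the article: a small CEF parser that keeps spaces and '=' inside extension values intact, then routes cs1 to tld or to the default cs_fld depending on device type and cs1Label. The vendor/product-to-device table and the rule dictionary are assumptions constructed for the example.

```python
import re

# Constructed sample (trimmed from the article's Bluecoat line): values with spaces,
# an '=' inside the URL, and the cs1/cs1Label pair that carries the TLD.
SAMPLE = (
    "Jan 27 10:43:51 PROXYNAME CEF:0|Bluecoat|Proxy|1.0|OBSERVED|OBSERVED|5|"
    "date=2016-01-27 ip.src=192.168.10.86 action=TCP_MISS cat=Content Servers "
    "request=http://eu-irl-00001.s3.amazonaws.com/x?Expires=1453892409&bin=203000001 "
    "dport=80 useragent=backupd (unknown version) CFNetwork/548.1.4 Darwin/11.0.0 "
    "out=418 cs1=com cs1Label=tld filename=yKalk5gBT169iwsB8XFS"
)

# A value runs until the next "<space>key=" or end of line, so spaces and '=' inside
# values survive. Header '\|' escaping is not handled in this example.
EXT_RE = re.compile(r"(\S+?)=(.*?)(?=\s+\S+?=|$)")

# Assumed vendor/product -> device-type table (the article only names bluecoat_proxy).
VENDOR_PRODUCT_TO_DEVICE = {("Bluecoat", "Proxy"): "bluecoat_proxy"}

# Mirrors the cef.xml rule in the article: cs1 lands in cs_fld unless the device is
# bluecoat_proxy and cs1Label is "tld", in which case it lands in meta key tld.
EXTENSION_KEYS = {
    "cs1": {"default": "cs_fld", "by_device_label": {("bluecoat_proxy", "tld"): "tld"}},
}


def parse_cef(line):
    """Return (device_type, extension dict) for a syslog-prefixed CEF line."""
    header = line[line.index("CEF:"):].split("|", 7)
    if len(header) != 8 or header[0] != "CEF:0":
        raise ValueError("not a CEF:0 record with 7 header fields")
    vendor, product, ext = header[1], header[2], header[7]
    device = VENDOR_PRODUCT_TO_DEVICE.get((vendor, product), "unknown")
    return device, dict(EXT_RE.findall(ext))


def map_custom_keys(device, ext):
    """Apply the ExtensionKey rules: choose the meta key from (device, csNLabel)."""
    meta = {}
    for cef_name, rule in EXTENSION_KEYS.items():
        if cef_name not in ext:
            continue
        label = ext.get(cef_name + "Label")
        meta_name = rule["by_device_label"].get((device, label), rule["default"])
        meta[meta_name] = ext[cef_name]
    return meta


if __name__ == "__main__":
    dev, ext = parse_cef(SAMPLE)
    print(dev, ext["cat"], map_custom_keys(dev, ext))
```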
Notes

The meta key for a custom extension can be selected in three different ways. The following example has the meaning:

    <ExtensionKey cefName="cs1" metaName="context">