Custom CEF Parser - Own Directory
I've built a custom parser for an event source which sends logs in CEF format. To make it a bit more portable, I'd prefer not to require modifying cef-custom.xml (as per the guide - Custom CEF Parser). Is it possible to copy the logic from the cef.xml file and create new directory? This way it can be packaged and not require users to work around any existing modifications they may have already made to this file.
I can see my event source is using header.id 0002 from the cef file - could I just copy this logic? How would I then get the event source to match this one rather than the default CEF parser?
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
If you do not want to be reliant on the CEF parser, you need to build a whole new stand-alone parser. Once you do that, you would need to map it in the log decoder parser mappings. It’s not very difficult to do, and I just did this with another device that I wanted to change around.
Cool, so in theory I can just copy the relevant sections from cef.xml into a new folder, and manually map the source to the new parser?
Additionally, if I'm copying content from the CEF parser there is a risk all the existing CEF event sources will start matching my parser not the default one right?
Actually that’s not how it works with the CEF parser. The CEF parsing engine works very differently than the regular parsers.
A regular xml parser will need to be written.
Reach out to me directly if you need assistance.
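To show concretely why the answer above says the CEF engine behaves differently from a regular fixed-layout parser, here is an added example (not code from the original thread, and not part of RSA NetWitness or its cef.xml) that parses a CEF line the way the format requires: the seven header fields are split on pipes while honouring the `\|` and `\\` escapes, and the extension block is split into key=value pairs while honouring `\=`, `\\`, `\n` and `\r`. A parser that simply splits on `|` or on `=` gets the wrong `name` and the wrong extension values on lines like the constructed `SAMPLE_LINE` below, which is exactly the kind of event a copied regular-parser pattern would mis-parse. The syslog prefix, vendor, product and extension values in the sample are made up for the example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CefEvent:
    """The seven CEF header fields plus the decoded extension dictionary."""
    version: str
    device_vendor: str
    device_product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extensions: dict = field(default_factory=dict)


# An extension key starts at the beginning of the block or after whitespace and is
# followed by an unescaped '='. A '\=' inside a value never satisfies this pattern,
# so escaped equals signs stay part of the preceding value.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_header(text):
    """Split the seven pipe-delimited header fields, treating '\\|' and '\\\\' as
    literal characters. Returns (fields, remainder) where remainder is the raw
    extension string that follows the seventh pipe."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than seven pipe-delimited fields")
    return fields, text[i:]


def _unescape_extension(value):
    """Decode the extension-value escapes: '\\=', '\\\\', '\\n' and '\\r'."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def _split_extension(ext):
    """Split 'k1=v1 k2=v2 ...' into a dict; each value runs up to the next key."""
    result = {}
    keys = list(_EXT_KEY.finditer(ext))
    for idx, m in enumerate(keys):
        start = m.end()
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape_extension(ext[start:end])
    return result


def parse_cef(line):
    """Parse one CEF event, ignoring any syslog prefix before the 'CEF:' marker."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in line")
    fields, ext = _split_header(line[start:].rstrip("\r\n"))
    version = fields[0][len("CEF:"):]
    return CefEvent(version, *fields[1:7], extensions=_split_extension(ext))


# Constructed sample line: note the escaped pipe in the name field and the escaped
# '=', backslash and newline inside the extension values.
SAMPLE_LINE = (
    r"Sep 19 08:12:01 fw01 CEF:0|Example Vendor|Example Product|1.0|100|"
    r"Login \| attempt|5|src=10.0.0.1 dst=10.0.0.2 "
    r"msg=User logged in with a\=b\\c requestContext=line1\nline2"
)


if __name__ == "__main__":
    event = parse_cef(SAMPLE_LINE)
    print(event.name)                      # Login | attempt
    print(event.extensions["msg"])         # User logged in with a=b\c
    # A naive split on '|' would report the name as 'Login \' instead.
    print(SAMPLE_LINE.split("|")[5])
```

The header and extension escape rules are the reason a copied pipe-delimited pattern cannot simply replace the CEF engine: an event source that emits an escaped pipe or equals sign shifts every later field in a naive parser, and a parser that silently shifts fields is also easy for an attacker to desynchronise with crafted log content, so any stand-alone parser should reject malformed headers (as `_split_header` does) rather than guess.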