Menlo Security Custom Log Parser - Opinion Sought
We use the Menlo Security platform for our web proxy and have built a custom Lua parser to process the CEF-based logs. (Menlo allows for QRadar- and Splunk-formatted logs, but we chose CEF.)
We're not entirely sure that it's working properly, or whether what we did gives the best performance in NetWitness.
I've attached the parser and a sample log file; I was wondering if someone with more experience in writing log parsers could look it over and see if there are any improvements we could make, or if the approach we took wasn't the correct one.
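For readers who want to see what a CEF parser has to handle before tuning one for a particular device, here is an added, stand-alone example in Python. It is not the poster's Lua parser and not NetWitness code, and it does not use the NetWitness Lua parser API. The two log lines are constructed for illustration (vendor, product and extension keys are assumed and are not Menlo's actual format); what they exercise is the generic CEF layout: an optional syslog prefix before `CEF:`, seven pipe-separated header fields with `\|` and `\\` escapes, and a key=value extension in which values may contain spaces and use `\=`, `\\`, `\n` and `\r` escapes.

```python
"""Minimal CEF log parser (added illustration; not a NetWitness Lua parser)."""
import re

# Constructed sample events, not real Menlo Security output. The syslog
# prefix on the first line and the escaped '|' / '=' / '\n' on both lines
# are there to exercise the corner cases a CEF parser must get right.
SAMPLE_LINES = [
    r"<134>Mar  1 12:00:00 proxy01 ExampleVendor: "
    r"CEF:0|ExampleVendor|WebProxy|1.0|100|Web Request|3|"
    r"src=10.0.0.5 dst=93.184.216.34 request=https://example.com/path?q\=1 "
    r"act=allow suser=jdoe",
    r"CEF:0|Example\|Vendor|WebProxy|2.0|200|Blocked\|Malware|9|"
    r"src=10.0.0.7 msg=line one\nline two act=block",
]

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# A key starts the line or follows whitespace and is immediately followed by
# an unescaped '='. Escaped '\=' inside a value never matches because the
# backslash sits between the word and the '='.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

_ESCAPES = {"n": "\n", "r": "\r"}


def _unescape(value: str) -> str:
    """Resolve CEF extension escapes in a single left-to-right pass."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)


def split_header(body: str):
    """Split the text after 'CEF:' into 7 header fields plus the extension.

    Only '\\|' and '\\\\' are escapes in the header; a raw '|' ends a field.
    """
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            cur.append(body[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 '|' separators")
    return fields, body[i:]


def parse_extension(ext: str) -> dict:
    """Parse 'key=value key2=value with spaces' into a dict, unescaping values."""
    matches = list(KEY_RE.finditer(ext))
    result = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end])
    return result


def parse_cef(line: str) -> dict:
    """Parse one CEF line (with or without a syslog prefix) into a dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    fields, ext = split_header(line[start + len("CEF:"):])
    event = dict(zip(HEADER_FIELDS, fields))
    event["extension"] = parse_extension(ext)
    return event


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(parse_cef(raw))
```

The check worth running against a real sample file is whether every line produces exactly seven header fields and whether any extension value still contains a literal backslash after unescaping; either result points to an escape case the parser is not handling.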
Jeremy, I just looked this over and I cannot get it to work at all. Is the default CEF parser not parsing this device at all?
Are you putting the entire message into "msghold"?