Hi people! I have a customer who has an event source that writtes it events into Application Channel of Windows Events. We don't have any problem to collect those events but, Netwitness try to parse them as Windows Events. I wonder if there is any way to take the value of one metadata (let's say "msg") and process it as a CEF message.
Any sugestions?
Sure, here is an export of one event
%NICWIN-4-Application_1_SWIFT: Application,rn=30861 cid=0 eid=1,Mon Jul 30 17:53:39 2018,1,SWIFT,,Information,JUST.A.FDQN,No category file,,No description string found. string-data=[CEF:0|SWIFT|Alliance Access|7.2.0|BSA-3001|Signoff|Low|cn1=2147483450 cn1Label=Event Sequence ID cs1=13782e0f-bf93-4033-831a-86f46ec0159b cs1Label=Instance UUID cs2=54f5a672-a658-491b-89b5-59463d51e7b2 cs2Label=Correlation ID cat=Operator msg=Operator PARTNER : signed off from the terminal '172.34.34.34'. suid=PARTNER dvchost=SRVSWIFTAA-TEST dvc=172.33.33.33 dvcmac=00:FF:56:A0:86:BB deviceProcessName=WS_appsrv src=172.34.34.34 dtz=America/Buenos_Aires rt=1532973219000 ]
is the CEF string always in the string-data= field? and always ending
Yes sir!
I have a lua parser that was designed for something else that might work here. It doesn't specifically parse CEF but does work on a specific text anchor to pull out data from a raw message and parse out further details. The issue with this message is that event.desc gets the full text and hits a limit at 256 characters which then truncates the values. So you can't just parse event.desc for these events to get the details, you need some anchor to find these messages and re-parse the section of string-data=\[ ..\] to get the values you need.
are there specific values from that string that you need vs. want... i can see if i can get you started with a few items.
Eric, thank you for your time, could you please share the link of that lua parser so I can take a look at it?
Thanks!
any sample events you can provide?