Hello,
I've built a custom parser for an event source which sends logs in CEF format. To make it a bit more portable, I'd prefer not to require modifying cef-custom.xml (as per the guide - Custom CEF Parser). Is it possible to copy the logic from the cef.xml file and create a new directory? This way it can be packaged and not require users to work around any existing modifications they may have already made to this file.
I can see my event source is using header.id 0002 from the cef file - could I just copy this logic? How would I then get the event source to match this one rather than the default CEF parser?
Cheers
If you do not want to be reliant on the CEF parser, you need to build a whole new standalone parser. Once you do that, you would need to map it in the log decoder parser mappings. It’s not very difficult to do, and I just did this with another device that I wanted to change around.