I need to define a few extra fields in the vmware_view parser...specifically the DesktopPID field, PoolID, and DesktopDisplayName. In the CEF parser, it is pretty easy to define and get your additional fields to parse correctly. When I look at the vmware_view.xml parser, I do not see anywhere I can define what fields are going to be parsed out. I have the ESI tool and that does not seem to aid me in defining these fields...which leads me to believe that there is a "master" parser that defines these fields (much like the CEF parser).
If I am correct in my assumption that there is a master parser, what is its location and file name?
This brings up a second question: If the CEF parser is used to parse out CEF logs (specifically McAfee Web Gateway), what is the need for the other parser in Live: McAfee Web Gateway?
Is there any XML device parser-specific information out there that I can read...other than ESI_Overview or the help file?