AnsweredAssumed Answered

Modifying device parsers XML only

Question asked by RSA Admin Employee on May 21, 2015
Latest reply on Jun 3, 2015 by RSA Admin

I need to define a few extra fields in the vmware_view parser...specifically the DesktopPID field, PoolID, and DesktopDisplayName.  In the CEF parser, it is pretty easy to define and get your additional fields to parse correctly.  When I look at the vmware_view.xml parser, I do not see anywhere I can define what fields are going to be parsed out.  I have the ESI tool and that does not seem to aid me in defining these fields...which leads me to believe that there is a "master" parser that defines these fields (much like the CEF parser). 

 

If I am correct in my assumption that there is a master parser, what is its location and file name?

 

This brings up a second question:  If the CEF parser is used to parser out CEF logs (specifically McAfee Web Gateway) what is the need for the other parser in Live:  McAfee Web Gateway?

 

Is there any XML device parser specific information out there that I can read...other than ESI_Overview or the help file?

 

Thanks,

Eric

Outcomes