Github user trixpan commented on the issue:

    https://github.com/apache/incubator-metron/pull/451
  
    @james-sirota these are synthetic but should cover all valid field types:
    
    
https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestParseCEF.java#L37
    
    
https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestParseCEF.java#L51
    
    And this may help you as well, although if I recall correctly, the FireEye 
CMS had some minor non-compliances to the CEF spec.
    
    
https://github.com/apache/incubator-metron/blob/4a4cb8b117dbb66bbfb4915bca9d871a06682c28/metron-platform/metron-integration-test/src/main/sample/data/SampleInput/FireeyeExampleOutput#L6
    
    Worth noting:
    
    1. Be mindful that downstream ArcSight data will contain fields not 
present in the CEF specification. These are internal to ArcSight and to the 
best of my knowledge not openly documented. 
    
    An example of such fields can be found 
[here](https://my.vertica.com/docs/7.1.x/HTML/Content/Authoring/FlexTables/LoadCEFData.htm):
    
    ```
    CEF:0|ArcSight|ArcSight|6.0.3.6664.0|agent:030|Agent [test] type [testalertng] started|Low|
    eventId=1 mrt=1396328238973 categorySignificance=/Normal categoryBehavior=/Execute/Start
    categoryDeviceGroup=/Application catdt=Security Mangement categoryOutcome=/Success
    categoryObject=/Host/Application/Service art=1396328241038 cat=/Agent/Started
    deviceSeverity=Warning rt=1396328238937 fileType=Agent
    cs2=<Resource ID\="3DxKlG0UBABCAA0cXXAZIwA\=\="/> c6a4=fe80:0:0:0:495d:cc3c:db1a:de71
    cs2Label=Configuration Resource c6a4Label=Agent
    IPv6 Address ahost=SKEELES10 agt=888.99.100.1 agentZoneURI=/All Zones/ArcSight
    System/Private Address Space
    Zones/RFC1918: 888.99.0.0-888.200.255.255 av=6.0.3.6664.0 atz=Australia/Sydney
    aid=3DxKlG0UBABCAA0cXXAZIwA\=\= at=testalertng dvchost=SKEELES10 dvc=888.99.100.1
    deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918:
    888.99.0.0-888.200.255.255 dtz=Australia/Sydney _cefVer=0.1
    ```
    
    
    2. Nearly every CEF extension field has both type and length requirements 
which we may want to address in due course. 
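The two points above (ArcSight-internal keys that are absent from the CEF dictionary, and per-field type and length rules) are the parts of CEF parsing that a naive `split("|")` / `split(" ")` gets wrong. The following is an added example, written for this page and not code from the Metron or NiFi projects: a small Python parser that splits the pipe-delimited header honouring `\|` and `\\` escapes, walks the extension as `key=value` pairs whose values may contain spaces (a value runs until the next unescaped `key=` token), unescapes `\=`, `\\`, `\n` and `\r`, resolves `csNLabel`-style labels to their values, and then checks each key against a partial, hand-transcribed subset of the CEF extension dictionary. The dictionary and its limits are an assumption for illustration and are not the full spec; a key reported as "unknown" is only known to be absent from this subset. The sample record is the ArcSight line quoted above (from the Vertica docs), re-joined onto one line as CEF requires; its `888.x.x.x` addresses are obfuscated in that sample and therefore fail the IPv4 check, which is exactly the kind of finding the validator exists to surface.

```python
"""Minimal CEF parser with extension-dictionary conformance checks (added example)."""
import ipaddress
import re
from datetime import datetime

# Constructed sample: the ArcSight record quoted above, joined onto a single line.
# "Security Mangement" is kept as it appears in that sample.
SAMPLE = (
    "CEF:0|ArcSight|ArcSight|6.0.3.6664.0|agent:030|Agent [test] type "
    "[testalertng] started|Low| eventId=1 mrt=1396328238973 "
    "categorySignificance=/Normal categoryBehavior=/Execute/Start "
    "categoryDeviceGroup=/Application catdt=Security Mangement "
    "categoryOutcome=/Success categoryObject=/Host/Application/Service "
    "art=1396328241038 cat=/Agent/Started deviceSeverity=Warning "
    "rt=1396328238937 fileType=Agent "
    "cs2=<Resource ID\\=\"3DxKlG0UBABCAA0cXXAZIwA\\=\\=\"/> "
    "c6a4=fe80:0:0:0:495d:cc3c:db1a:de71 cs2Label=Configuration Resource "
    "c6a4Label=Agent IPv6 Address ahost=SKEELES10 agt=888.99.100.1 "
    "agentZoneURI=/All Zones/ArcSight System/Private Address Space "
    "Zones/RFC1918: 888.99.0.0-888.200.255.255 av=6.0.3.6664.0 "
    "atz=Australia/Sydney aid=3DxKlG0UBABCAA0cXXAZIwA\\=\\= at=testalertng "
    "dvchost=SKEELES10 dvc=888.99.100.1 deviceZoneURI=/All Zones/ArcSight "
    "System/Private Address Space Zones/RFC1918: 888.99.0.0-888.200.255.255 "
    "dtz=Australia/Sydney _cefVer=0.1"
)

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")


def split_header(line):
    """Split the seven pipe-delimited header fields. In the header only '\\|' and
    '\\\\' are escapes. Returns (header_dict, remaining_extension_text)."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    s, i, fields, buf = line[4:], 0, [], []
    while i < len(s) and len(fields) < 7:
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):      # escaped char: take it literally
            buf.append(s[i + 1])
            i += 2
        elif ch == "|":                        # unescaped pipe ends a field
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return dict(zip(HEADER_FIELDS, fields)), s[i:]


# A key token is only recognised at the start or after whitespace, and the '='
# must follow the key directly, so an escaped '\\=' inside a value never matches.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
ESC_RE = re.compile(r"\\(.)", re.S)
ESCAPES = {"n": "\n", "r": "\r"}              # '\\=' and '\\\\' fall through to the char itself


def unescape(value):
    return ESC_RE.sub(lambda m: ESCAPES.get(m.group(1), m.group(1)), value)


def parse_extension(text):
    """Extension is 'key=value' pairs; values may contain spaces, so each value
    runs from its '=' up to the next unescaped key token."""
    out, matches = {}, list(KEY_RE.finditer(text))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(text)
        out[m.group(1)] = unescape(text[m.end():end].strip())
    return out


# --- conformance checks ----------------------------------------------------
def _ipv4(v):
    ipaddress.IPv4Address(v)                  # raises ValueError on 888.99.100.1


def _ipv6(v):
    ipaddress.IPv6Address(v)


def _int(lo, hi):
    def check(v):
        n = int(v)
        if not lo <= n <= hi:
            raise ValueError(f"{n} outside {lo}..{hi}")
    return check


def _timestamp(v):
    if v.isdigit():                            # epoch milliseconds
        return
    for fmt in ("%b %d %Y %H:%M:%S", "%b %d %H:%M:%S"):
        try:
            datetime.strptime(v, fmt)
            return
        except ValueError:
            pass
    raise ValueError("unrecognised timestamp")


def _string(maxlen):
    def check(v):
        if len(v) > maxlen:
            raise ValueError(f"length {len(v)} > {maxlen}")
    return check


# ASSUMPTION: a partial subset of the CEF extension dictionary (key -> validator),
# transcribed for illustration; verify limits against the CEF spec before relying on them.
SPEC = {
    "rt": _timestamp, "art": _timestamp, "mrt": _timestamp,
    "dvc": _ipv4, "agt": _ipv4, "src": _ipv4, "dst": _ipv4,
    "spt": _int(0, 65535), "dpt": _int(0, 65535),
    "dvchost": _string(100), "ahost": _string(1023), "msg": _string(1023),
    "cat": _string(1023), "aid": _string(40), "at": _string(63), "av": _string(31),
    "atz": _string(255), "dtz": _string(255), "fileType": _string(1023),
    "deviceSeverity": _string(63), "deviceZoneURI": _string(2048), "agentZoneURI": _string(2048),
}
for n in range(1, 7):
    SPEC[f"cs{n}"], SPEC[f"cs{n}Label"] = _string(4000), _string(1023)
for n in range(1, 4):
    SPEC[f"cn{n}"], SPEC[f"cn{n}Label"] = _int(-2**63, 2**63 - 1), _string(1023)
for n in range(1, 5):
    SPEC[f"c6a{n}"], SPEC[f"c6a{n}Label"] = _ipv6, _string(1023)


def validate(ext):
    """Return (keys absent from SPEC, {key: error} for values failing their check)."""
    unknown, errors = [], {}
    for k, v in ext.items():
        check = SPEC.get(k)
        if check is None:
            unknown.append(k)
            continue
        try:
            check(v)
        except ValueError as e:
            errors[k] = str(e)
    return unknown, errors


def resolve_labels(ext):
    """Map custom fields (cs2, c6a4, ...) to their human label from cs2Label, c6a4Label, ..."""
    return {v: ext[k[:-5]] for k, v in ext.items() if k.endswith("Label") and k[:-5] in ext}


def parse_cef(line):
    header, ext_text = split_header(line.rstrip("\r\n"))
    ext = parse_extension(ext_text)
    unknown, errors = validate(ext)
    return {"header": header, "extension": ext, "labels": resolve_labels(ext),
            "unknown": unknown, "errors": errors}


if __name__ == "__main__":
    r = parse_cef(SAMPLE)
    print("unknown keys:", r["unknown"])
    print("errors:", r["errors"])
```

Running the block on the sample lists `eventId`, the `category*` keys, `catdt` and `_cefVer` as absent from the dictionary subset, and reports `agt` and `dvc` as invalid IPv4 addresses while the `c6a4` IPv6 value passes. The `cs2` value comes back with its `\=` sequences decoded to the original XML fragment, which is the behaviour a downstream parser has to get right before any field typing is applied.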
    


