Pieter,
You can always create jira issues for things that you think are wrong or
missing in the existing parsers, and maybe that work can get done.
There are also things ‘in the pipeline’ that you may want to think about.
- There is a new regex parser that just landed.
- There is a syslog 3164 pa
Hi,
Thank you for the welcome! The concepts behind Metron are nice, very nice.
Finally network log / data analysis is possible using different approaches.
It has been a few years since I used tools such as Suricata, Bro, Snort,
OSSEC, PF_RING. But the integration of some of those at scale... nice
Hi Pieter,
Welcome to the Metron community.
The logic used by the CEF parser right now is to populate the timestamp
field as follows:
1. if the rt field exists, use that.
2. if there is a field matching the syslogTime pattern (either the old
pattern or 5424)
3. If neither are present, it uses cur
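The three-step timestamp fallback described above, as an added worked example. This is not Metron's CEF parser (which is Java); it is an illustrative Python reimplementation of the rt -> syslog header -> current time order, with a few assumptions of mine: rt is taken as either epoch milliseconds or the textual "MMM dd yyyy HH:mm:ss" form, the resulting timestamp is epoch milliseconds, an RFC 3164 header (no year, no zone) is given the receiver's year and UTC, and the extra timestamp_source field and clock_fallback_count helper are added here so that events stamped with the parser's clock instead of an event time can be counted. The sample lines are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not from the thread): one with rt, one with only an RFC 5424
# syslog header, one with neither (only an 'end' extension, which the fallback ignores).
SAMPLES = [
    "<13>Jan  2 15:04:05 fw01 CEF:0|Acme|FW|1.0|100|Denied|5|rt=1704207845000 src=10.0.0.5 dst=10.0.0.9",
    "<13>1 2024-01-02T15:04:05Z fw01 acmefw - - - CEF:0|Acme|FW|1.0|100|Denied|5|src=10.0.0.5 msg=no rt here",
    "CEF:0|Acme|FW|1.0|100|Denied|5|src=10.0.0.5 end=1704207845000",
]
# Fixed 'now' so the step-3 fallback is reproducible in this demo (assumption, not parser behaviour).
FIXED_NOW = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

HEADER_FIELDS = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
                 "deviceEventClassId", "name", "severity")
_PIPE = re.compile(r"(?<!\\)\|")                      # header separator, ignoring escaped '\|'
_EXT_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")      # key=value pairs; value runs to next ' key='
_TS_5424 = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})")
_TS_3164 = re.compile(r"\b(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})\b")


def _millis(dt):
    """Epoch milliseconds of an aware datetime (integer timestamp, assumed here)."""
    return (dt - EPOCH) // timedelta(milliseconds=1)


def parse_rt(value):
    """Step 1: CEF 'rt' is epoch millis or 'MMM dd yyyy HH:mm:ss'; None if unparseable."""
    if value.isdigit():
        return int(value)
    try:
        return _millis(datetime.strptime(value, "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc))
    except ValueError:
        return None


def parse_syslog_time(prefix, now):
    """Step 2: RFC 5424 or RFC 3164 timestamp in the syslog header before 'CEF:'; None if absent."""
    m = _TS_5424.search(prefix)
    if m:
        iso = m.group(0).replace("Z", "+00:00")
        iso = re.sub(r"\.(\d+)", lambda f: "." + f.group(1)[:6].ljust(6, "0"), iso)  # 6-digit fraction
        return _millis(datetime.fromisoformat(iso))
    m = _TS_3164.search(prefix)
    if m:
        mon, day, hms = m.groups()
        # 3164 carries no year and no zone: assume the receiver's year and UTC (a known 3164 weakness).
        dt = datetime.strptime(f"{mon} {day} {now.year} {hms}", "%b %d %Y %H:%M:%S")
        return _millis(dt.replace(tzinfo=timezone.utc))
    return None


def parse_cef(line, now=None):
    """Parse one CEF line into a dict and fill 'timestamp' with the rt -> syslog -> now fallback."""
    now = now or datetime.now(timezone.utc)
    head, sep, body = line.partition("CEF:")
    if not sep:
        raise ValueError("not a CEF message")
    parts = _PIPE.split(body, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-separated fields plus extension")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event.update(_EXT_KV.findall(parts[7]))
    ts, source = (parse_rt(event["rt"]) if "rt" in event else None), "rt"
    if ts is None:
        ts, source = parse_syslog_time(head, now), "syslog"
    if ts is None:
        ts, source = _millis(now), "now"   # step 3: wall clock, which is NOT the event time
    event["timestamp"] = ts
    event["timestamp_source"] = source      # added field so a profiler can spot step-3 events
    return event


def clock_fallback_count(lines, now=None):
    """How many events got the parser's clock instead of an event time (the correlation risk)."""
    return sum(parse_cef(l, now)["timestamp_source"] == "now" for l in lines)


if __name__ == "__main__":
    for line in SAMPLES:
        e = parse_cef(line, now=FIXED_NOW)
        print(e["timestamp_source"], e["timestamp"], e.get("rt"), e.get("end"))
    print("events stamped with the parser clock:", clock_fallback_count(SAMPLES, FIXED_NOW))
```

The third sample is the case the question is about: a device that emits CEF without rt and without a syslog header gets the parser's own clock as its timestamp, so its real event time (here sitting unused in the end field) never reaches correlation or profiling. Counting timestamp_source == "now" per sensor is a cheap way to see how often that is happening.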
Hi,
For correlation & profiling the presence of a correct timestamp / eventtime
is important,
what to do with a device implementing CEF output, but not properly
providing the rt field?
Also syslogTime is not parsed by the CEF parser.
There is another field present, how can I assure this field is