What you need to do is NOT ParseCEF in NiFi. Metron should handle the CEF parsing.

Just use NiFi to do the ListenSyslog (no need to parse in NiFi), then SplitText to get one line of CEF per Kafka message (if your syslog is batching, this may not be necessary). Set up a sensor in Metron using the CEF parser and you should be fine.

Simon

> On 20 Jul 2018, at 09:39, Srikanth Nagarajan <[email protected]> wrote:
>
> Hi Farrukh,
>
> You can try using the Grok Parser and search for a regular expression pattern
> for your log. You can customize the regex to meet your needs.
>
> https://cwiki.apache.org/confluence/display/METRON/2016/04/25/Metron+Tutorial+-+Fundamentals+Part+1%3A+Creating+a+New+Telemetry
>
> Look at Step 5 on how to create a regex for the Grok parser. The Grok parser also
> allows you to validate the fields.
>
> Good luck!
>
> Thanks
> Srikanth
>
>> On July 20, 2018 at 4:23 AM Farrukh Naveed Anjum <[email protected]>
>> wrote:
>>
>> Hi,
>>
>> I am trying to index the Syslog using the CEF Parser with NiFi.
>>
>> It does not give any error, though; it transports data to Kafka without indexing
>> it. It keeps giving FAILED in the Spout.
>>
>> I believe indexing Syslog is the most basic use case for all. But Metron fails
>> to do it with each in standard format.
>>
>> I tried Bro for it. But even it keeps giving PARSER Error.
>>
>> Any help? Fast will be appreciated.
>>
>> --
>> With Regards
>> Farrukh Naveed Anjum
>
> ______________________
>
> Srikanth Nagarajan
> Principal
>
> Gandiva Networks Inc
>
> 732.690.1884 Mobile
>
> [email protected]
>
> www.gandivanetworks.com
