10.6.5.x and 11.1 now have the ability to apply -custom.xml log parser files to reduce the need for forking a parser to customize log parsing for a particular device. This means that you no longer have to remove a parser from the auto-update RSA Live flow just to add a custom entry or modify one event id to suit a specific use case.
Documentation on how this is done can be seen here:Log Parser Customization
Here is how it was implemented to provide enhanced functions to LOGBinder events without breaking the existing log parsing provided by RSA.
LOGBinder is available from here: LOGbinder
I also noticed this application for Splunk that had some interesting events to pay attention to that was the basis for the additional parsing created in this example: LOGbinder Solutions - Active Directory Change Auditing
Sample events were gathered and replayed against the stock RSA Live msexchange parser in NetWitness.
Locate the events in investigation (device.type='msexchange')
Reviewing the splunk app savedsearches.conf and macros.conf I could see that many of the rules were reference.id driven however there were a few that were more complicated and might require more parsing work to get the needed values.
Those events included ones found from this drill:
device.type='msexchange' && category='exchange' && reference.id ='25001','25002','25003','25004','25005','25006','25007','25008','25009','25010','25011'
An Application rule helped locate these in my testing:
Looking at the event.description fields we can see that some of the events appear to have more data in them than they should and the values we want to extract are not parsed out.
We are looking to extract the following values logonType,client,client ip and process name as well as reduce the event description to something shorter.
Steps to solve:
- Extract raw logs of the events that require additional work
- Download the msexchange parser from github - nw-logparsers/devices/msexchange at master · netwitness/nw-logparsers · GitHub
- Review the Event information for the event we are working on in this case 25008 - Exchange Mailbox Audit Log Event ID 25008 - Operation SendAs - Send message using Send As Exchange mailbox permissions
- Open the parser xml in the Log Parser Tool (LPT) and locate the event:
- Load the sample logs into LPT and review the 25008 event so that we can modify the last part to extract more information
- To create the entries in the -custom.xml file we will duplicate the message line, move it above the existing line and then modify it to look like this (following the sample message structure provided here in case additional customization is required - Exchange Mailbox Audit Log Event ID 25008 - Operation SendAs - Send message using Send As Exchange mailbox permissions ).
- Do this for the other message.id that we need to modify (25008 and 25403 so far)
- Save the updated log parser xml
- Follow the instructions in the RSA Link post to create the skeleton -custom.xml file, referenced above.
- Open the saved Log parser file and locate the three modified message lines, copy them and paste them in the -custom.xml file
- Add the following to each message entry to indicate that you want to add the modified message above the default - insertBefore="LOGbndEX_25008_LOGbndEX" (add this below the eventcategory line on each message)
- Save and copy the -custom.xml to the log decoder folder for msexchange and reload the parsers from the explore menu (decoder > parsers > reload - submit)
- Replay the events and see the extra parsing goodness
- Now we have the events extracted
- The message.id of this matches the name (:01) in the -custom.xml file -
The custom xml file is attached which you can use in your environment.
The benefit of this is that the RSA Live parser is updated and the custom entries are maintained and eventually if the modifications are rolled into the RSA Parser the -custom can be removed in the future to use only the OOTB Parser.
Look out for a future blog post with content for RSA NetWitness LOGBinder events.