Eric Partington

How To Customize a Log Parser - LOGBinder Example

Blog Post created by Eric Partington on Apr 3, 2018

NetWitness 10.6.5.x and 11.1 now support -custom.xml log parser files, which reduce the need to fork a parser in order to customize log parsing for a particular device. This means you no longer have to remove a parser from the auto-update RSA Live flow just to add a custom entry or modify one event id for a specific use case.

 

Documentation on how this is done can be found here: Log Parser Customization

 

Here is how it was used to add enhanced parsing for LOGbinder events without breaking the existing log parsing provided by RSA.

 

LOGBinder is available from here:  LOGbinder

 

I also noticed a Splunk app that highlights some interesting events worth paying attention to; it was the basis for the additional parsing created in this example: LOGbinder Solutions - Active Directory Change Auditing

 

Sample events were gathered and replayed against the stock RSA Live msexchange parser in NetWitness.

 

Locate the events in investigation (device.type='msexchange')

Reviewing the Splunk app's savedsearches.conf and macros.conf, I could see that many of the rules were reference.id driven; a few, however, were more complicated and would require additional parsing work to get the needed values.

 

Those events included ones found from this drill:

device.type='msexchange' && category='exchange' && reference.id ='25001','25002','25003','25004','25005','25006','25007','25008','25009','25010','25011'

 

An Application rule helped locate these in my testing:

Looking at the event.description fields, we can see that some events carry more data than they should: the values we want to extract were left in the description rather than parsed into their own meta keys.

 

We want to extract the following values: logonType, client, client IP and process name, and to shorten the event description.

 

Steps to solve:

  • Repeat the same message edit for the other message.id values that need changing (25008 and 25403 so far)
  • Save the updated log parser XML
  • Follow the instructions in the RSA Link post referenced above to create the skeleton -custom.xml file
  • Open the saved log parser file, locate the three modified message lines, copy them and paste them into the -custom.xml file
  • Add the following to each message entry to indicate that the modified message should be inserted above the default one: insertBefore="LOGbndEX_25008_LOGbndEX" (add this below the eventcategory line of each message, with the id of the corresponding stock message for each)
  • Save the -custom.xml, copy it to the log decoder folder for msexchange and reload the parsers from the explore menu (decoder > parsers > reload > submit)
  • Replay the events and see the extra parsing goodness
  • Now we have the events extracted
  • The message.id of the parsed event matches the name (with the :01 suffix) given to the custom message in the -custom.xml file
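The steps above can be automated and sanity-checked. The following is an added example written for this page, not code from the blog post, the attached GitHub content or RSA: it copies the MESSAGE entries to override out of a constructed stand-in for the stock parser, gives each copy a ":01"-suffixed id, sets insertBefore to the stock message id so the copy is tried first, and then verifies that every insertBefore target really exists in the stock parser, since a custom entry whose anchor is misspelled simply never fires. The element and attribute names (DEVICEMESSAGES, MESSAGE, id1, id2, eventcategory, content, insertBefore) are assumed from the post's description; the eventcategory value and the content patterns are placeholders, not real LOGbinder parse strings.

```python
"""Generate and sanity-check a NetWitness-style -custom.xml parser overlay.

Added example, not code from the blog post or from RSA. Element and
attribute names are assumed from the post; content patterns and the
eventcategory value are placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for the stock msexchange parser (placeholder patterns).
STOCK_PARSER = """<DEVICEMESSAGES>
  <MESSAGE id1="LOGbndEX_25008" id2="LOGbndEX_25008"
           eventcategory="1401000000"
           content="&lt;event_description&gt;"/>
  <MESSAGE id1="LOGbndEX_25403" id2="LOGbndEX_25403"
           eventcategory="1401000000"
           content="&lt;event_description&gt;"/>
</DEVICEMESSAGES>
"""

# Edited content for the messages we want to enhance. Keys are the stock
# message ids (what insertBefore must reference); values are the modified
# parse patterns (placeholders here, not real LOGbinder patterns).
OVERRIDES = {
    "LOGbndEX_25008": "<event_description> LogonType: <logon_type> "
                      "Client: <client> IP: <saddr> Process: <process>",
    "LOGbndEX_25403": "<event_description> Process: <process>",
}


def load_messages(xml_text):
    """Return {id1: element} for every MESSAGE in a parser document."""
    return {m.get("id1"): m for m in ET.fromstring(xml_text).iter("MESSAGE")}


def build_custom_overlay(stock_xml, overrides, suffix=":01"):
    """Produce the -custom.xml text for the given overrides.

    Each custom MESSAGE copies id1/id2/eventcategory from the stock entry,
    appends `suffix` to its ids (so message.id shows which copy fired, as
    the post describes) and points insertBefore at the stock id so it is
    evaluated ahead of the stock entry. Unknown ids raise instead of
    silently producing a dead entry.
    """
    stock = load_messages(stock_xml)
    missing = sorted(set(overrides) - set(stock))
    if missing:
        raise KeyError(f"not in stock parser: {missing}")
    root = ET.Element("DEVICEMESSAGES")
    for stock_id, content in overrides.items():
        orig = stock[stock_id]
        msg = ET.SubElement(root, "MESSAGE")
        msg.set("id1", orig.get("id1") + suffix)
        msg.set("id2", orig.get("id2") + suffix)
        msg.set("eventcategory", orig.get("eventcategory"))
        msg.set("insertBefore", stock_id)
        msg.set("content", content)
    return ET.tostring(root, encoding="unicode")


def validate_overlay(stock_xml, custom_xml):
    """Return a list of problems; an empty list means the overlay is consistent."""
    stock = load_messages(stock_xml)
    problems = []
    for mid, msg in load_messages(custom_xml).items():
        target = msg.get("insertBefore")
        if not target:
            problems.append(f"{mid}: no insertBefore attribute")
        elif target not in stock:
            problems.append(f"{mid}: insertBefore target {target!r} not in stock parser")
        if mid in stock:
            problems.append(f"{mid}: id collides with a stock message")
    return problems


if __name__ == "__main__":
    overlay = build_custom_overlay(STOCK_PARSER, OVERRIDES)
    print(overlay)
    print("problems:", validate_overlay(STOCK_PARSER, overlay) or "none")
```

Run it against the real parser by reading the stock msexchange XML from the decoder into STOCK_PARSER and replacing the placeholder patterns in OVERRIDES with your edited message lines; run validate_overlay again after any hand edits to the -custom.xml, before reloading the parsers.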

 

The custom XML file is attached so you can use it in your environment.

GitHub - epartington/rsa_nw_log_LOGBinder: LOGBinder custom parser and application rule content 

 

The benefit of this approach is that the RSA Live parser keeps getting updated while the custom entries are maintained alongside it; if the modifications are eventually rolled into the RSA parser, the -custom.xml can simply be removed and the OOTB parser used on its own.

 

Look out for a future blog post with content for RSA NetWitness LOGBinder events.
