Build Your Own Integration

Document created by Mitch Hanks (Employee) on Sep 25, 2019. Last modified by Mitch Hanks (Employee) on Nov 5, 2020. Version 6.

This document aggregates useful how-to information for "Do-It-Yourself" creation of parsers and integrations for the RSA NetWitness Platform. Follow the page for updates using the Actions menu above, as we will be adding more content frequently. Feel free to add comments below or click the Send Feedback button to provide feedback, request new content, or let us know about any new posts that would be useful to reference here.


Using Parse Rules (Overview)
  A primer on the new parse rules capabilities added in v11.2.
Log Parser (Parse Rules) Customization for 11.2+
  In-depth documentation for using parse rules in 11.2+.
Customizing OOTB XML Parsers (10.6.5+)
  How to customize RSA-supported XML parsers while still preserving future updates from RSA Live (as of 10.6.5+).
Customizing the CEF Parser
  How to customize the RSA-supported parser for CEF-formatted logs.
JSON Development Guide
  Collecting JSON logs via file collection method (available as of 11.3).
Custom (File Collection) Typespec
  Detailed instructions and specifications for creating a typespec to transform file-based log sources for proper parsing.
Custom File and ODBC Typespec Demo Video
  Walkthrough video on creating your own typespec for collecting file and ODBC log sources. NOTE: This video is a bit old, but still gives a good demonstration of how the process works.
Log Parser Tool Downloads
  Download the free tool for creating full XML parsers for your custom event sources.
Log Parser Tool v1.1 User Guide
  Instructional guide on XML log parser structure, syntax and how to use the Log Parser Tool.
Event Time Function Usage
  Using the Event Time function within an XML parser to parse different date formats into TimeT type.
A Treatise on Writing Packet Parsers for the RSA NetWitness Platform
  The definitive guide for writing Lua parsers for the RSA NetWitness Platform.
RSA Training: Lua Parsers for Logs
  Lua parsers aren't just for packets. Take in-depth training from RSA on how to leverage Lua to solve challenging log parsing problems.
Plugins Development Guide
  Detailed instructions and specifications for creating a Plugin to collect and transform cloud-based, API-accessible log sources for proper parsing.


Managing Meta


Custom Table-Map Maintenance
  Instructions on properly configuring the custom table map to manage keys populated by log parsers. NOTE: The index-concentrator-custom.xml files will sometimes also need to be modified to achieve indexing and full searchability of meta keys.
Core Database Tuning Guide: Index Customization
  Official documentation on maintaining index configuration for meta keys.
Maintaining Table Map and Service Index files
  An excellent post that further explains the relationship between table map and index.
Validate your custom index files with xmllint
  Some good tips on validating your XML configuration files before deployment.


RSA NetWitness Platform Open API


Official List of API Guides including the CLI tool (NwConsole)
  Official Table of Contents with reference to several versions of the API, including the REST API and the CLI tool (NwConsole).
REST API: Access in NetWitness
  Enabling the REST API in NetWitness.
RSA NWUC 2012 - No Rest for the Weary
  An older, but still relevant intro presentation into the REST API.
CLI: RSA Security Analytics Console
  Official 10.6 guides for using the CLI tool (NwConsole).
GitHub - netwitness/ng-rest-client
  This is a sample Python app that demonstrates how to use the RESTful API on NetWitness Core Services. For a background on how this tool came to be (and some useful explanations of the API functions), see this post: NetWitness NextGen RESTful Python Test App.




You can also leave feedback in the comments below.  Help us enable you to find creative solutions to your integration goals!