
Log Parser Customize: Log Parser Rules Introduction

Document created by RSA Information Design and Development Employee on Dec 18, 2019. Last modified by RSA Information Design and Development Employee on Sep 8, 2020.
Version 4

Note: The JSON Mapping information in this guide applies to RSA NetWitness Platform Version 11.5 and later.

You use the Log Parser Rules view (available from the (Configure) view) to customize rules and to map meta for your log parsers.

The default log parser parses logs that do not match any installed log parsers. The information contained in such a log is processed against the default log parser's rules, and metadata is then extracted by those rules and is available for Enrichment, Investigation, Reporting, and Alerting. This provides immediate visibility into logs from custom or unsupported sources.

You can also add or extend a log parser. For example, you may need to parse certain fields differently than the log parser for a particular event source does. You can add rules that change the way meta information is extracted from the logs for that event source, and then map the extracted information to NetWitness Platform meta keys.

Finally, you can view and test sample log messages and rules for your log parsers, including the default log parser.

To access this tab, go to (Configure) > Log Parser Rules. For more details, see Parser Rules Tab.

Dynamic Rules

The Dynamic Rules entry for a log parser displays the following information:

  • The default log parser that parses logs that are not associated with a particular log parser
  • Native XML-defined device parsers that have been extended with dynamic log parser rules, and
  • User-created custom device parsers used to parse unsupported custom event sources

The dynamic parse rules are used to parse arbitrary values triggered by a literal token on the left hand side of the value in unstructured logs. Currently, this is used to parse name-value pairs.

Following are some examples (in each one, the token is the literal text to the left of the value 1.2.3.4):

src: 1.2.3.4
src = 1.2.3.4
src=1.2.3.4
Source address is 1.2.3.4

JSON Mapping (BETA)

For NetWitness Platform 11.5, RSA has added beta functionality for working with JSON mappings.

The JSON Mappings entry for a log parser displays the following information:

  • Sample Log Messages
  • The list of JSON Mappings: these are the names that represent the meta information.
  • Details of each mapping: for each mapping, the display name, path, NetWitness Platform meta key, and a text description.

The JSON mapping functionality is strictly for parsing structured JSON logs and mapping values from the log to meta, or for finer-grained parsing. The parsing is not applied to arbitrary logs; it applies only to logs where the exact structure of the data is known.

For example:

{ "event": { "source": { "address": "1.2.3.4", "port": 8080 } } }

NetWitness Platform knows the structure of logs when it knows the event source type, or when you add specific JSON mappings.
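The following is an added illustration (not NetWitness Platform code; its rule and mapping format is invented for the example) of the two parsing styles this page describes: a dynamic rule that captures the arbitrary value to the right of a literal token in an unstructured log, and a JSON mapping that walks a known path into a structured log. The meta key names ip.src and port.src are assumed for the example.

```python
import json
import re

# Constructed, hypothetical rule format: a literal token on the left-hand side
# triggers capture of the value to its right (the four sample logs on this page).
DYNAMIC_RULES = [
    {"token": "src", "sep": r"\s*[:=]\s*", "meta": "ip.src"},
    {"token": "Source address is", "sep": r"\s+", "meta": "ip.src"},
]

# Constructed, hypothetical JSON mapping: a dotted path into a known structure
# plus the meta key the value should populate (meta key names are assumed).
JSON_MAPPINGS = [
    {"name": "source_address", "path": "event.source.address", "meta": "ip.src"},
    {"name": "source_port", "path": "event.source.port", "meta": "port.src"},
]


def apply_dynamic_rules(log: str, rules=DYNAMIC_RULES) -> dict:
    """Return meta extracted from an unstructured log by token-triggered rules."""
    meta = {}
    for rule in rules:
        # The token must stand on its own (not be the tail of another word),
        # followed by the rule's separator, then a run of non-whitespace chars.
        pattern = r"(?<!\S)" + re.escape(rule["token"]) + rule["sep"] + r"(\S+)"
        match = re.search(pattern, log)
        if match and rule["meta"] not in meta:  # first matching rule wins
            meta[rule["meta"]] = match.group(1)
    return meta


def apply_json_mappings(log: str, mappings=JSON_MAPPINGS) -> dict:
    """Return meta from a structured JSON log by walking each mapping's path."""
    try:
        doc = json.loads(log)
    except json.JSONDecodeError:
        return {}  # mappings apply only to logs whose structure is known
    meta = {}
    for mapping in mappings:
        node = doc
        for key in mapping["path"].split("."):
            if not isinstance(node, dict) or key not in node:
                node = None  # path does not exist in this log: no meta
                break
            node = node[key]
        if node is not None:
            meta[mapping["meta"]] = node
    return meta
```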
