Skip navigation
All Places > Products > RSA NetWitness Platform > RSA NetWitness Platform Online Documentation > Documents
Log in to create and rate content, and to follow, bookmark, and share content with other members.

Log Parser Customize: Log Parser Rules Introduction

Document created by RSA Information Design and Development Employee on Dec 18, 2019Last modified by RSA Information Design and Development Employee on Jan 31, 2020
Version 2Show Document
  • View in full screen mode

Note: The information in this topic applies to RSA NetWitness Platform Version 11.1 and later.

You use the Log Parser Rules view (available from the Configure view) to customize rules for your log parsers.

The default log parser parses logs that do not match any installed log parsers. The information contained in such a log is processed against the default log parser's rules, and metadata is then extracted by those rules and is available for Enrichment, Investigation, Reporting, and Alerting. This provides immediate visibility into logs from custom or unsupported sources.

You can also add or extend a log parser. For example, you may need to parse certain fields differently than in the manner provided by the log parser for a particular event source. You can add rules that change the way meta information is extracted from the logs for the event source.

Finally, you can view and test sample log messages and rules for your log parsers, including the default log parser.

The Log Parser Rules tab displays information about log parsers that use dynamic log parser rules. This includes the following:

  • The default log parser that parses logs that are not associated with a particular log parser
  • Native XML-defined device parsers that have been extended with dynamic log parser rules, and
  • User-created custom device parsers used to parse unsupported custom event sources

This tab contains the following information:

  • You can view the rules for a particular event source type, including the default parser.
  • You can view the Names, Literals, patterns, and meta for each configured log parser.
  • You can add log parsers
  • You can add, edit, and delete custom rules for log parsers

To access this tab, go to Configure > Log Parser Rules. For more details, see Log Parser Rules Tab.

You are here
Table of Contents > Log Parser Rules Customization