Security Analytics Log Parser

File uploaded by Leonard Chvilicek (Employee) on Mar 2, 2015. Last modified by Leonard Chvilicek (Employee) on Aug 1, 2017.


THE MOST CURRENT VERSION IS 2.3.99 published 8/1/17.


Netwitness Suite Log Parser 2.3.99 



Version 2.1 now parses 763 events, focusing mainly on the audit events generated by the SA server on both 10.3 and 10.4.

This was developed and tested on and 10.3.5.


This package includes:

  Broker/Concentrator Custom index

  Custom Table Map

  Installation Instructions 10.3/10.4

  Event Categories spreadsheet

  Variable and metakey info spreadsheet

  ESA alerts 10.3/10.4

  Investigation metakey group file

  SA Log Parser

  Reports 10.3/10.4


Please review the "Variable and Metakey info.xlsx" file to note the new metakeys.


I have changed some of the metakeys around and created new ones to keep the indexes for the metakeys small.

I have also removed some of the keys in the custom index file to prevent overriding the default values of the concentrator/broker index files.


To move from the 2.0 parser to the 2.1 parser, please use the new custom table map and custom index files provided.

Also remove the old reports & ESA alerts and replace them with the new ones.


New parsing capabilities:


Event source monitoring – Events generated by Event Source Monitoring about log sources that have stopped reporting are now parsed.

Archiver Monitoring – Aggregation Status, Storage Capacity/Time (sorry, I don't have a storage connection)

Query Time – Query times are now parsed

Queue Time – Queued query times are now parsed

Queries – Queries are now parsed, so you can view the queries that users submit.


  SA Configuration Changes

  SA Live Content Update

  SA Login Activity

  SA Monitored Systems Archiver

  SA Monitored Systems Event Sources

  SA Query Performance Summary

  SA Service Stops and Starts

  SA User and Role Management

  SA User Query Activity


ESA Alerts

SA System Related Alerts

  Capture has started

  Capture has stopped

  Database configuration issue

  Lockbox Fingerprint has changed

  Monitored Log Source Failure

  RabbitMQ is stopping

  Device has been taken offline

  Device has been taken online

  System has stopped aggregation

SA User Related Alerts

  Initiated stop aggregation

  Initiated start aggregation

  User has created or deleted a group or role

  User has created or deleted a user account

  Has deleted a feed

  Has issued a parser reload

  Has merged application rules

  Has modified device configuration

  Has modified a user account or role

  Has replaced application rules

  Has requested an appliance reboot

  Has restarted service using GUI

  Has started capture

  Has stopped capture

  Has uploaded a log parser

  Has uploaded a feed