ESM: Log Parser Rules Tab

Document created by RSA Information Design and Development on Mar 2, 2018. Last modified by RSA Information Design and Development on Mar 27, 2018.

Note: The information in this topic applies to RSA NetWitness® Suite Version 11.1 and later.

The Log Parser Rules tab displays information about individual log parsers, as well as the default, "parse all" parser that can parse logs that are not associated with a particular log parser. To access this tab, go to ADMIN > Event Sources > Log Parser Rules.

From this tab you can:

  • View the rules for a particular event source type, including the default parser.
  • View the names, literals, patterns, and meta for each configured log parser.

Workflow

This workflow is separate from the overall process for configuring event sources.

What do you want to do?

Role | I want to... | Documentation
Administrator | View and modify event sources. | Managing Event Source Groups
Administrator | Acknowledge and map event sources. | Acknowledging and Mapping Event Sources
Administrator | Add and configure parser mappings for a Log Decoder. | Manage Parser Mappings
Administrator | View event source alarms. | Viewing Event Source Alarms
Administrator | View log parser rules.* | Default Log Parser and Log Parser Rules
Administrator | Troubleshoot event source management. | ESM Troubleshooting & Appendix

*You can perform this task here.

Related Topics

Default Log Parser and Log Parser Rules

Creating Event Source Groups

Creating an Event Source and Editing Attributes

Viewing Logs from Pre-11.0 Log Decoder

Quick Look

Note: The list of log parsers is based on the first Log Decoder that is installed or registered by the Orchestration Server. If you have more than one Log Decoder, this tab lists only the log parsers that are configured on the first one.

The Log Parser Rules tab displays information about the configured log parsers in your system. This tab consists of three panels: the Log Parsers list, the Details for the selected log parser, and the Rules for the selected log parser.


Log Parsers List Panel

The Log Parsers Panel lists the configured log parsers. Select a specific log parser to view its details in the Details and Rules panels.

Details Panel

The details panel shows the token matching, value matching, and mapping information for the selected log parser. Additionally, it shows how a sample log message is parsed.

1. Displays the name of the selected log parser, and the currently selected rule. This value changes when you select a different rule for this parser.

2. Displays the token matching for the selected log parser. The values here are determined by the selected Rule.

3. Displays the type and pattern of the value matching for the selected parser. The values here are determined by the selected Rule.

4. Displays the NetWitness meta to which the selected rule maps any matched tokens. The values here are determined by the selected Rule.

5. Displays a sample log message, and highlights strings that match tokens in the selected log parser. You can edit this field, and add in your own logs to preview how the selected parser will parse your logs.

For example, consider the following scenario:

  • The default parser is selected.
  • The Any Domain rule is selected.
  • The Tokens matching list displays all of the tokens that are matched when found in a log message: Domain, Domain Name, domain, ADMIN_DOMAIN, and so on.
  • The Meta list displays the NetWitness meta to which the value for the token is mapped: domain.

So, let's say the sample log message area has the following text:

Below are sample log messages:

May 5 2010 15:55:49 switch : %ACE-4-400000: IDS:1000 IP Option Bad Option List by user admin@test.com from 10.100.229.59 to 224.0.0.22 on port 12345.

Apr 29 2010 03:15:34 pvg1-ace02: %ACE-3-251008: Health probe failed for server 218.83.175.75:81, connectivity error: server open timeout (no SYN ACK) domain google.com with mac 06-00-00-00-00-00.

In this case, the Sample Log Message area looks like this:

Note that some strings are highlighted, and that there are two "pairs" of highlight colors:

  • Dark blue and light blue highlighting is applied to the strings that match the currently selected rule.

    • Dark-blue highlighted strings match a token in the selected rule. In this case, domain is the token that is matched for the Any Domain rule.
    • Light-blue highlighted strings are the values that correspond to the tokens in dark blue. For example, google.com is highlighted in light blue, because it corresponds to the domain token.
  • Orange and yellow highlighting is applied to the strings that match rules for the current parser that are not currently selected.

    • Orange highlighted strings match a token in a rule that is not currently selected.
    • Yellow highlighted strings are the values that correspond to the tokens in orange. For example, the user token matches the Username rule (which is not currently selected).

In this example, the domain meta would be assigned the value google.com for this log message, if the message were parsed using the default log parser.
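The token/value/meta behaviour described above can be made concrete with a small simulator. The following is an added example, not code from the RSA NetWitness product or its documentation: it models a rule as a list of token literals, a value pattern, and a target meta key, runs the two sample log messages from this page through it, and reports which matches belong to the selected rule (the dark/light-blue pair) and which belong to other rules (the orange/yellow pair). The "Any Domain" token list and its domain meta come from the page; the value regexes, the "Username" rule's token list and its meta key (user), and the separator handling are assumptions made for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    tokens: tuple        # literal token strings, as shown in the Tokens list
    value_pattern: str   # regex for the value that follows a token (assumed)
    meta: str            # NetWitness meta key the value is mapped to


# Constructed rules. "Any Domain" tokens and its "domain" meta come from the
# page; both value patterns and the whole "Username" rule are assumptions.
RULES = (
    Rule("Any Domain", ("Domain", "Domain Name", "domain", "ADMIN_DOMAIN"),
         r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+", "domain"),
    Rule("Username", ("user", "User", "username"),
         r"[^\s,]+", "user"),
)


@dataclass(frozen=True)
class Match:
    rule: str
    token: str
    value: str
    meta: str
    selected: bool       # True -> dark/light-blue pair; False -> orange/yellow pair
    token_span: tuple    # (start, end) offsets of the token in the line
    value_span: tuple    # (start, end) offsets of the value in the line


def match_rule(rule, line, selected):
    """Find each token of `rule` as a whole word, followed (after spaces, '='
    or ':') by a value that satisfies the rule's value pattern."""
    found = []
    # Longest tokens first so "Domain Name" wins over "Domain" at the same spot.
    for token in sorted(rule.tokens, key=len, reverse=True):
        pat = re.compile(r"(?<!\w)(" + re.escape(token) + r")[\s=:]+("
                         + rule.value_pattern + ")")
        for m in pat.finditer(line):
            if any(f.token_span[0] <= m.start(1) < f.token_span[1] for f in found):
                continue  # a longer token already claimed this position
            found.append(Match(rule.name, m.group(1), m.group(2), rule.meta,
                               selected, m.span(1), m.span(2)))
    return found


def parse(line, selected_rule):
    """Simulate the Details panel for one sample log line under the selected rule."""
    matches = []
    for rule in RULES:
        matches.extend(match_rule(rule, line, rule.name == selected_rule))
    return sorted(matches, key=lambda m: m.token_span[0])


def meta_for(line, selected_rule):
    """Meta key -> value pairs the selected rule would write for this line."""
    return {m.meta: m.value for m in parse(line, selected_rule) if m.selected}


def render(line, selected_rule):
    """Text stand-in for the colour highlighting: [T:..]/[V:..] mark the token and
    value of the selected rule, {T:..}/{V:..} mark matches for other rules.
    Assumes matches from different rules do not overlap, as in the samples."""
    out, pos = [], 0
    for m in parse(line, selected_rule):
        tl, tr = ("[T:", "]") if m.selected else ("{T:", "}")
        vl, vr = ("[V:", "]") if m.selected else ("{V:", "}")
        (ts, te), (vs, ve) = m.token_span, m.value_span
        out.append(line[pos:ts] + tl + line[ts:te] + tr
                   + line[te:vs] + vl + line[vs:ve] + vr)
        pos = ve
    out.append(line[pos:])
    return "".join(out)


# The two sample log messages from the page.
SAMPLE_LOGS = (
    "May 5 2010 15:55:49 switch : %ACE-4-400000: IDS:1000 IP Option Bad Option "
    "List by user admin@test.com from 10.100.229.59 to 224.0.0.22 on port 12345.",
    "Apr 29 2010 03:15:34 pvg1-ace02: %ACE-3-251008: Health probe failed for server "
    "218.83.175.75:81, connectivity error: server open timeout (no SYN ACK) "
    "domain google.com with mac 06-00-00-00-00-00.",
)

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(render(line, "Any Domain"))
        print("  meta:", meta_for(line, "Any Domain"))
```

With Any Domain selected, the second message yields the domain meta google.com, while the first message produces no selected-rule meta at all; its `user admin@test.com` pair is reported as an other-rule (Username) match, which is what the orange/yellow highlighting conveys in the panel. Selecting Username instead flips which pair is blue.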

Rules Panel

The Rules panel displays the list of rules used by the selected log parser. When you select a rule, you change the values that are displayed in both the Tokens and Values areas of the Details panel.


Note the highlighted rules:

  • The currently selected rule is highlighted in blue.
  • Other rules that match tokens in the sample log message area are highlighted in orange.