The Log Parser Rules tab displays information about individual log parsers, as well as the default "parse all" parser, which parses logs that are not associated with a particular log parser.
To access this tab, go to ADMIN > Event Sources > Log Parser Rules.
This tab contains the following information:
- You can view the rules for a particular event source type, including the default parser.
- You can view the Names, Literals, patterns, and meta for each configured log parser.
This workflow is separate from the overall process for configuring event sources.
The Log Parser Rules tab displays information about the configured log parsers in your system. This tab consists of three panels: the Log Parsers list, Details for the selected log parser, and Rules for the selected log parser.
Log Parsers List Panel
The Log Parsers Panel lists the configured log parsers. Select a specific log parser to view its details in the Details and Rules panels.
The details panel shows the token matching, value matching, and mapping information for the selected log parser. Additionally, it shows how a sample log message is parsed.
Displays the name of the selected log parser, and the currently selected rule. This value changes when you select a different rule for this parser.
Displays the token matching for the selected log parser. The values here are determined by the selected Rule.
Displays the type and pattern of the value matching for the selected parser. The values here are determined by the selected Rule.
Displays the NetWitness meta to which the selected rule maps any matched tokens. The values here are determined by the selected Rule.
Displays a sample log message, and highlights strings that match tokens in the selected log parser. You can edit this field, and add in your own logs to preview how the selected parser will parse your logs.
For example, consider the following scenario:
- The default parser is selected.
- The Any Domain rule is selected.
- The Tokens matching list displays all of the tokens that are matched when found in a log message: Domain, Domain Name, domain, ADMIN_DOMAIN, and so on.
- The Meta list displays the NetWitness meta to which the value for the token is mapped: domain.
So, let's say the sample log message area has the following text:
Below are sample log messages:
May 5 2010 15:55:49 switch : %ACE-4-400000: IDS:1000 IP Option Bad Option List by user email@example.com from 10.100.229.59 to 184.108.40.206 on port 12345.
Apr 29 2010 03:15:34 pvg1-ace02: %ACE-3-251008: Health probe failed for server 220.127.116.11:81, connectivity error: server open timeout (no SYN ACK) domain google.com with mac 06-00-00-00-00-00.
In this case, the Sample Log Message area looks like this:
Note that some strings are highlighted, and that there are two "pairs" of highlight colors:
Dark blue and light blue highlighting is applied to the strings that match the currently selected rule.
- Dark Blue highlighted strings match a token in the selected rule. In this case, domain is the token that is matched for the Any Domain rule.
- Light Blue highlighted strings are the values that correspond to the tokens in dark blue. For example, google.com is highlighted in light blue, because it corresponds to the domain token.
Orange and yellow highlighting is applied to the strings that match rules for the current parser that are not currently selected.
- Orange highlighted strings match a token in a rule that is not currently selected.
- Yellow highlighted strings are the values that correspond to the tokens in orange. For example, the user token matches the Username rule (which is not currently selected).
In this example, if this log message were parsed using the default log parser, the domain meta would be assigned the value google.com.
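The following is a simplified model of the token, value, and meta matching walked through above. It is an added illustration, not NetWitness code. The Any Domain tokens and the domain meta come from this page; the value patterns, the Username rule's token list, and its meta key name are assumptions.

```python
import re

# Any Domain tokens and the "domain" meta key are from the page. The value
# patterns, the Username token list and its meta key name are assumptions.
RULES = {
    "Any Domain": {
        "tokens": ["Domain", "Domain Name", "domain", "ADMIN_DOMAIN"],
        "value": r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+",
        "meta": "domain",
    },
    "Username": {
        "tokens": ["user"],
        "value": r"\S+",
        "meta": "username",  # hypothetical meta key
    },
}

# The two sample log messages from the page.
LOGS = [
    "May 5 2010 15:55:49 switch : %ACE-4-400000: IDS:1000 IP Option Bad Option List by user email@example.com from 10.100.229.59 to 184.108.40.206 on port 12345.",
    "Apr 29 2010 03:15:34 pvg1-ace02: %ACE-3-251008: Health probe failed for server 220.127.116.11:81, connectivity error: server open timeout (no SYN ACK) domain google.com with mac 06-00-00-00-00-00.",
]


def compile_rule(rule):
    """Build a regex: a token, a separator, then the value pattern."""
    # Longest token first so "Domain Name" wins over "Domain".
    tokens = sorted(rule["tokens"], key=len, reverse=True)
    alt = "|".join(re.escape(t) for t in tokens)
    return re.compile(r"(?<!\w)(?P<token>%s)[ =:]+(?P<value>%s)" % (alt, rule["value"]))


def parse(log, selected_rule):
    """Return every token/value hit, flagged by whether its rule is selected."""
    hits = []
    for name, rule in RULES.items():
        for m in compile_rule(rule).finditer(log):
            hits.append({
                "rule": name,
                "token": m.group("token"),
                "value": m.group("value"),
                "meta": rule["meta"],
                # Selected rule: blue pair in the UI. Other rules: orange/yellow.
                "selected": name == selected_rule,
            })
    return hits


if __name__ == "__main__":
    for log in LOGS:
        for hit in parse(log, "Any Domain"):
            print(hit)
```

Pasting your own log lines into `LOGS` shows which tokens a rule would pick up and which values would land in meta, similar to editing the Sample Log Message field.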
The Rules panel displays the list of rules used by the selected log parser. When you select a rule, you change the values that are displayed in both the Tokens and Values areas of the panel.
Note the highlighted rules: