ESM: Default Log Parser

Document created by RSA Information Design and Development on Mar 27, 2018
Version 1Show Document
  • View in full screen mode

Note: The information in this topic applies to RSA NetWitness® Suite Version 11.1 and later.

This tab displays information about pattern matching and rules for the parsers in your system. The features on this tab apply to all log parsers, , including the Default Log Parser

Default Log Parser

The NetWitness Suite default log parser is used to parse logs coming from the Log Decoder that do not match any of the configured log parsers. This default parser parses these logs by using a default set of rules and tokens.

You can view the default log parser and its details by going to ADMIN > Event Sources > Log Parser Rules and selecting default from the Log Parsers panel.

Note: The list of log parsers is based on the first Log Decoder that is installed or registered by the Orchestration Server. If you have more than one Log Decoder, this tab only lists log parsers that configured on the first one.

This is a view of the Log Parser Rules tab, showing the Default Log Parser and Any Domain rule selected:

The Log Parser Rules Tab topic describes the items available for the Log Parsers tab.

Highlight Matching Patterns

You can paste logs into the Log Messages text box, and the system highlights the matching literals and patterns for the rules for the selected event source type. Use this feature to confirm that the parser is behaving as expected.

  1. In the NetWitness Suite UI, navigate to ADMIN > Event Sources > Log Parser Rules.
  2. From the Log Parsers pane, select a log parser.
  3. From the Rules pane, select a rule.

    For example, this screen shows the Any Port rule for the cisopix log parser:

  4. Add text or paste in a sample log message.

Strings that match tokens for the selected rule are highlighted in blue. Strings that match other rules for the parser (and the rules themselves) are highlighted in orange.

For example, in the previous screen, note:

  • The source email address, matching the from token, is highlighted in blue. The token is in dark blue, and the matching string is highlighted in light blue. This is because the Source Email Address is the currently selected Rule.
  • The strings highlighted in orange match tokens for rules for Any MacAddress, Any Port and Source Port. This is because they are in rules for the ciscopix parser that are not currently selected.
Previous Topic:Log Parser Rules Tab
You are here
Table of Contents > References > Log Parsers and the Default Log Parser