This tab displays information about pattern matching and rules for the parsers in your system. The features on this tab apply to all log parsers, including the Default Log Parser.
Default Log Parser
The NetWitness Suite default log parser is used to parse logs coming from the Log Decoder that do not match any of the configured log parsers. This default parser parses these logs by using a default set of rules and tokens.
You can view the default log parser and its details by going to ADMIN > Event Sources > Log Parser Rules and selecting default from the Log Parsers panel.
This is a view of the Log Parser Rules tab, showing the Default Log Parser and Any Domain rule selected:
The Log Parser Rules Tab topic describes the items available for the Log Parsers tab.
Highlight Matching Patterns
You can paste logs into the Log Messages text box, and the system highlights the matching literals and patterns for the rules for the selected event source type. Use this feature to confirm that the parser is behaving as expected.
- In the NetWitness Suite UI, navigate to ADMIN > Event Sources > Log Parser Rules.
- From the Log Parsers pane, select a log parser.
- From the Rules pane, select a rule.
  For example, this screen shows the Any Port rule for the ciscopix log parser:
- Add text or paste in a sample log message.
Strings that match tokens for the selected rule are highlighted in blue. Strings that match other rules for the parser (and the rules themselves) are highlighted in orange.
For example, in the previous screen, note:
- The source email address, matching the from token, is highlighted in blue. The token is in dark blue, and the matching string is highlighted in light blue. This is because Source Email Address is the currently selected rule.
- The strings highlighted in orange match tokens for the Any MacAddress, Any Port and Source Port rules. This is because those rules belong to the ciscopix parser but are not currently selected.
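To make the blue/orange behaviour concrete, here is an added Python model of the highlighting (example code, not NetWitness's own parser): the rule names are the ones named above, but the token regexes, the "selected rule wins on overlap" choice and the sample log line are constructed assumptions for this illustration.

```python
import re
from dataclasses import dataclass

# Constructed stand-ins for a parser's rules. Rule names follow the page; the
# token regexes are assumptions for this example, not NetWitness definitions.
# Each regex captures the token value in group 1.
RULES = {
    "Source Email Address": {"from": r"from=([\w.+-]+@[\w.-]+\.\w+)"},
    "Any MacAddress": {"mac": r"\b((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\b"},
    "Any Port": {"port": r"\d{1,3}(?:\.\d{1,3}){3}:(\d{1,5})\b"},
    "Source Port": {"sport": r"\bsport=(\d{1,5})\b"},
}


@dataclass(frozen=True)
class Highlight:
    rule: str
    token: str
    text: str
    start: int
    end: int
    colour: str  # "blue": selected rule; "orange": another rule of the parser


def highlight(log_message: str, rules: dict, selected_rule: str) -> list:
    """Return highlighted spans for a pasted log message, ordered by position.

    Tokens of the selected rule are blue; tokens of the parser's other rules
    are orange. If an orange span overlaps a blue one, the selected rule wins
    (assumption: that is the rule the tester is trying to confirm).
    """
    found = []
    for rule, tokens in rules.items():
        colour = "blue" if rule == selected_rule else "orange"
        for token, pattern in tokens.items():
            for m in re.finditer(pattern, log_message):
                start, end = m.span(1)
                found.append(Highlight(rule, token, m.group(1), start, end, colour))
    blue = [h for h in found if h.colour == "blue"]
    keep = blue + [h for h in found if h.colour == "orange"
                   and not any(h.start < b.end and b.start < h.end for b in blue)]
    return sorted(keep, key=lambda h: h.start)


def render(log_message: str, highlights: list) -> str:
    """Wrap each span in [colour:text] markers so the result is readable in a terminal."""
    out, pos = [], 0
    for h in highlights:
        out.append(log_message[pos:h.start])
        out.append(f"[{h.colour}:{h.text}]")
        pos = h.end
    out.append(log_message[pos:])
    return "".join(out)


# Constructed sample log line (not a real device log).
SAMPLE = "from=alice@example.com mac=00:1a:2b:3c:4d:5e src=10.0.0.5:443 sport=51515"

if __name__ == "__main__":
    print(render(SAMPLE, highlight(SAMPLE, RULES, "Source Email Address")))
```

Selecting a different rule (for example "Any Port") moves the blue highlight to that rule's token and turns the email address orange, mirroring what the UI shows when you change the selection in the Rules pane.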