Log Parser Customize: Add a Log Parser Rule

Document created by RSA Information Design and Development on Jul 25, 2018Last modified by RSA Information Design and Development on Sep 20, 2018
Version 4Show Document
  • View in full screen mode
 

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.2 and later.

For version 11.2, RSA has added the ability to create custom rules for log parsers. You can create rules to change how meta values are parsed for a particular log parser. Prior to version 11.2, you could only view the out-of-the-box log parser rules.

About Log Parser Rules

Parsers are described within their XML files. Each log parser has an XML file that contains rules on how to parse messages for that parser. The out-of-the-box rules are contained within these XML files. For details, see the Log Parser Customization topic in the RSA Link space for RSA Content.

Custom Log Parser Rules

When you create a new log parser rule, it is saved to another XML definition file for the parser. These files are known as token files. This is important, since the out-of-the-box rules are overwritten if you update the parser through RSA Live, but any custom log parser rules are not overwritten, since Live does not update the token files for log parsers.

To create a custom log parser rule:

  1. In the NetWitness Platform UI, navigate to CONFIGURE > Log Parser Rules.
  2. From the Log Parsers pane, select a log parser.
  3. From the Rules pane, click Add.

    The Add Rules dialog box is displayed.

    IMPORTANT: If you click outside of the Add Rule dialog box before you save your rule, your changes will be lost.

  4. Add at least one meta key and a value to match, in order to create a valid rule.
  5. Click Save to save your new rule.

    This updates the definition file in the file system. It does not deploy the changes.

  6. To deploy your changes to all of your Decoders, click Deploy.

Guidelines for Custom Rules

When you are creating a custom rule, keep in mind the following:

  • For the list of tokens that match strings from the log file, very short tokens are not useful. For example, a one- or two-character string can match more items than desired.
  • Remember to add the delimiter (especially if it is a space) as part of the token. For example "domain=" or "email ".
  • When constructing regular expressions, the more complexity you add, the more performance overhead added to the system to compare against the rule.
  • To see examples of good tokens and regular expressions, examine the rules that are provided for the default log parser.
You are here
Table of Contents > Create Custom Log Parser Rules

Attachments

    Outcomes