This tab contains details about the rules for the default log parser, as well as any other custom rules and log parsers that have been defined.
The default log parser parses logs that do not match any installed log parsers. The information contained in such a log is processed against the default log parser's rules, and metadata is then extracted by those rules and is available for Enrichment, Investigation, Reporting, and Alerting. This provides immediate visibility into logs from custom or unsupported sources.
You can also add or extend a log parser. For example, you may need to parse certain fields differently than in the manner provided by the log parser for a particular event source. You can add rules that change the way meta information is extracted from the logs for the event source.
Finally, you can view and test sample log messages and rules for your log parsers, including the default log parser.
The Log Parser Rules tab displays information about log parsers that use dynamic log parser rules. This includes the following:
- The default log parser that parses logs that are not associated with a particular log parser
- Native XML-defined device parsers that have been extended with dynamic log parser rules, and
- User-created custom device parsers used to parse unsupported custom event sources
This tab contains the following information:
- You can view the rules for a particular event source type, including the default parser.
- You can view the Names, Literals, patterns, and meta for each configured log parser.
- You can add log parsers
- You can add, edit, and delete custom rules for log parsers
To access this tab, go to CONFIGURE > Log Parser Rules.
This workflow shows processes available from the Log Parser Rules view.
*You can perform this task here.
The Log Parser Rules tab organizes and displays information about the configured log parsers in your system. This tab consists of three panels: Log Parsers list, Details for the selected log parser, and Rules for the selected log parser.
Log Parsers Panel
The Log Parsers Panel lists the configured log parsers.
The Add Dynamic Log Parser dialog box allows you to add a custom log parser.
When you are adding a log parser, the following parameters are available.
The details panel shows the three pieces for the selected rule:
- Tokens: one or more tokens to match in the message. For example, the Any Port rule looks for the following strings to match against: port , port:, port=, and others.
Values: the value that follows the token. This is a string that is captured as meta. For example, assume a log contains the following string:
The Any Port rule has a token that matches "port ". When it encounters that string, it assigns the token value, "12345" to a meta key.
- Meta: the meta keys to which the value is mapped. For example, the Any Port rule maps the port value to the port meta key.
Essentially, a rule says, "when you are parsing a message, if you match one of my tokens, assign the value that follows the token to the meta key that I want it stored as."
The bottom section of the Details panel contains sample log messages, and how they would be parsed for the selected log parser.
Displays the name of the selected log parser, and the buttons for deploying, saving, and discarding changes. This value changes when you select a different parser.
Displays the name of the selected rule. This value changes when you select a different rule for this parser.
Displays the list of tokens defined for the selected rule.
Displays the type and pattern of the value matching for the selected parser. The values here are determined by the type of the selected value. You can also use the Regex option to define a custom regular expression.
Displays the NetWitness meta to which the selected rule maps any matched tokens. The values here are determined by the selected Rule.
Displays a sample log message, and highlights strings that match tokens in the selected log parser. You can edit this field, and add in your own logs to preview how the selected parser will parse your logs.
For example, consider the following scenario:
- The default parser is selected.
- The Any Domain rule is selected.
- The Tokens matching list displays all of the tokens that are matched when found in a log message: Domain, Domain Name, domain, ADMIN_DOMAIN, and so on.
- The Meta list displays the NetWitness meta to which the value for the token is mapped: domain.
So, let's say the sample log message area has the following text:
Below are sample log messages:
May 5 2010 15:55:49 switch : %ACE-4-400000: IDS:1000 IP Option Bad Option List by user firstname.lastname@example.org from 10.100.229.59 to 184.108.40.206 on port 12345.
Apr 29 2010 03:15:34 pvg1-ace02: %ACE-3-251008: Health probe failed for server 220.127.116.11:81, connectivity error: server open timeout (no SYN ACK) domain google.com with mac 06-00-00-00-00-00.
In this case, the Sample Log Message area looks like this:
Note that some strings are highlighted, and that there are two "pairs" of highlight colors:
Dark blue and light blue highlighting is applied to the strings that match the currently selected rule.
- Dark Blue highlighted strings match a token in the selected rule. In this case, domain is the token that is matched for the Any Domain rule.
- Light Blue highlighted strings are the values that correspond to the tokens in dark blue. For example, google.com is highlighted in light blue, because it corresponds to the domain token.
Orange and yellow highlighting is applied to the strings that match rules for the current parser that are not currently selected.
- Orange highlighted strings match a token in a rule that is not currently selected.
- Yellow highlighted strings are the values that correspond to the tokens in orange. For example, the user token matches the Username rule (which is not currently selected).
In this example, the domain meta would be assigned a value of google.com for this log message, if it was parsed using the default log parser.
The Rules panel displays the list of rules used by the selected log parser. When you select a rule, you change the values that are displayed in both the Tokens and Values areas of the panel.
Note the highlighted rules:
Other notes for the Rules panel:
Disable log Parser Rules
You can disable log parser rules, so that none of them are processed by the Log Decoder. You might have your log parsers working as you like, and do not want any extra processing that you do not need.
You disable them from the reference Log Decoder.
- Go toADMIN > Services.
The Services Config view is displayed with the General tab open.
Under Parsers Configuration, look at the Config Value for PARSERULESCAN.
If it is Enabled, log parser rules are processed. If it is Disabled, they are not processed.
If the rules are Enabled, click Enabled and select Disabled to disable the log parser rules.
To save the changes, click Apply.