This section describes some common issues that can occur when you customize log parsers and log parser rules.
You do not see any log parsing against a newly created parser.
You may have forgotten to map the new parser. To map a parser, go to Admin > Event Sources > Discovery tab. See the "Discovery Tab" topic in the Event Source Management Guide for details.
If you click Deploy to deploy a new or updated log parser, and it fails, you should check the log for your reference log decoder. You access this log in the following location on the NetWitness Server:
NwLogPlayer is a troubleshooting tool that simulates syslog traffic. NwLogPlayer.exe is a command line utility located on the Log Decoder host in /usr/bin.
At the command line, type nwlogplayer.exe -h to list the available options, as reproduced here:
Please note the following limitations when using the Log Parser Rules tab:
- Log Decoder must be at version 11.2: For the functionality in the Log Parser Rules tab to work, your installation must have at least one Log Decoder running NetWitness version 11.2.
- Mixed Mode: If the NetWitness Server is at version 11.2 and some Log Decoders are at version 11.2, those Log Decoders have parseall rules enabled by default and begin to parse logs accordingly. However, the 11.2 NetWitness Server does not support Log Decoders at versions earlier than 11.2, so the Log Parser Rules tab in the UI stays blank for them.
- Meta key fields list refresh: If any new meta keys are added to the Log Decoder, they do not appear in the list of Meta in the Log Parser Rules tab immediately. They appear automatically after 24 hours, or you can restart the content server service to view them.
- Field Restrictions: Note the following field restrictions:
  - Rule name must be 64 characters or fewer.
  - Parser Name must be between 3 and 30 alphanumeric characters (including underscores), and must not match the name of any existing log parser.
  - Parser Display Name must be 64 characters or fewer, and cannot match any other parser display name.
  - Regex Expression must be 1-255 characters, and a valid regex (closed capture list allowed).
  - Tags cannot be duplicates.
- Deploy only to 11.2 Log Decoders: The Deploy operation only deploys log parsers to version 11.2 Log Decoders.
- Cannot Remove Deployed Parsers: Once deployed, you cannot delete a log parser using the UI.
- See log for errors: Refer to the content-server logs for the details of a deploy failure and the names of the Log Decoders involved.
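The field restrictions above are the checks the UI applies when you save a rule, so catching them before you click Deploy saves a round trip through the content-server logs. The following pre-flight validator is an added example written for this page; it is not NetWitness code and the `ParserRuleDraft` container and `validate_draft` function are hypothetical names chosen here. It assumes two things the page does not state: that name collisions are compared case-insensitively (the conservative choice), and that Python's `re` engine is an acceptable stand-in for a syntax check, since the Log Decoder's own regex engine may differ on edge cases.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable, List

# Limits as listed under "Field Restrictions" on this page.
RULE_NAME_MAX = 64
PARSER_NAME_MIN = 3
PARSER_NAME_MAX = 30
DISPLAY_NAME_MAX = 64
REGEX_MIN = 1
REGEX_MAX = 255
# "alphanumeric characters (including underscores)"
PARSER_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")


@dataclass
class ParserRuleDraft:
    """Fields a user fills in on the Log Parser Rules tab (hypothetical container, not a NetWitness type)."""
    rule_name: str
    parser_name: str
    display_name: str
    regex: str
    tags: List[str] = field(default_factory=list)


def validate_draft(draft: ParserRuleDraft,
                   existing_parser_names: Iterable[str] = (),
                   existing_display_names: Iterable[str] = ()) -> List[str]:
    """Check a draft against the field restrictions and return one message per violation.

    An empty list means the draft passes every restriction listed on this page.
    Assumption: name collisions are checked case-insensitively; the page does not
    say how the server compares names, so this errs on the strict side.
    """
    problems: List[str] = []

    if len(draft.rule_name) > RULE_NAME_MAX:
        problems.append(
            f"rule_name: must be {RULE_NAME_MAX} characters or fewer (got {len(draft.rule_name)})")

    name = draft.parser_name
    if not PARSER_NAME_MIN <= len(name) <= PARSER_NAME_MAX:
        problems.append(
            f"parser_name: must be {PARSER_NAME_MIN}-{PARSER_NAME_MAX} characters (got {len(name)})")
    elif not PARSER_NAME_RE.match(name):
        problems.append("parser_name: only letters, digits and underscores are allowed")
    if name.lower() in {n.lower() for n in existing_parser_names}:
        problems.append(f"parser_name: '{name}' matches an existing log parser")

    display = draft.display_name
    if len(display) > DISPLAY_NAME_MAX:
        problems.append(
            f"display_name: must be {DISPLAY_NAME_MAX} characters or fewer (got {len(display)})")
    if display.lower() in {n.lower() for n in existing_display_names}:
        problems.append(f"display_name: '{display}' matches another parser display name")

    if not REGEX_MIN <= len(draft.regex) <= REGEX_MAX:
        problems.append(
            f"regex: must be {REGEX_MIN}-{REGEX_MAX} characters (got {len(draft.regex)})")
    else:
        # Assumption: Python's re engine stands in for a syntax check. The Log
        # Decoder's own engine may accept or reject slightly different constructs.
        try:
            re.compile(draft.regex)
        except re.error as exc:
            problems.append(f"regex: not a valid expression ({exc})")

    dupes = sorted(tag for tag, count in Counter(draft.tags).items() if count > 1)
    if dupes:
        problems.append(f"tags: duplicate tag(s) {dupes}")

    return problems


if __name__ == "__main__":
    # Constructed sample drafts, not taken from any real deployment.
    good = ParserRuleDraft("ssh_failed_login", "custom_ssh", "Custom SSH",
                           r"Failed password for (\w+) from (\S+)", ["auth", "ssh"])
    bad = ParserRuleDraft("x" * 65, "ab", "Apache", "(unclosed", ["a", "a", "b"])
    for label, draft in (("good", good), ("bad", bad)):
        print(label, validate_draft(draft, ["apache", "cisco"], ["Apache"]) or "OK")
```

Run it before saving a rule and fix every reported line; a clean result does not guarantee the Log Decoder will parse the event as intended, only that the UI will accept the fields.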