
Log Parser Customize: Add or Delete a Log Parser

Document created by RSA Information Design and Development Employee on Jul 25, 2018. Last modified by RSA Information Design and Development Employee on Sep 8, 2020. Version 10.

Note: The information in this topic applies to RSA NetWitness Platform Version 11.2 and later.

For version 11.2, RSA has added the ability to add log parsers through the UI. You can also delete log parsers, as long as they have never been deployed to a Decoder. You can create a new log parser definition from scratch, or extend an existing one.

You can add a log parser to extend the functionality for an existing parser. For example, if you have some unknown messages for the Cisco Pix parser, you could add rules to match your unknowns.

IMPORTANT: If you are adding a new log parser, for example when onboarding an event source, you must map the event source IP to the new log parser in order for messages to be parsed. For details, see "Acknowledging and Mapping Event Sources" in the Event Source Management User Guide.

Add a Log Parser

  1. In the NetWitness Platform UI, navigate to (Configure) > Log Parser Rules.
  2. From the Log Parsers pane, click Add Parser.

    The Add Dynamic Log Parser dialog box is displayed.

    [Screenshot: Add Dynamic Log Parser dialog box]

  3. Fill in details for this dialog box. For details, see Add Dynamic Log Parser Parameters below.
  4. Click Save to save the new log parser.

    This updates the definition file in the file system. It does not deploy the changes.

  5. To deploy your changes to all of your Decoders, click Deploy.

Delete a Log Parser

You can use the UI to delete a log parser.

To delete a log parser:

  1. In the NetWitness Platform UI, navigate to (Configure) > Log Parser Rules.
  2. From the Log Parsers pane, select a log parser, then click Delete.

    The Delete Parser dialog box is displayed.

  3. Click Delete Parser to remove the log parser from the system.

Note: If you encounter any issues when you attempt to delete a parser, see the Troubleshooting section, Delete a Log Parser Manually.

Add Dynamic Log Parser Parameters

When you are adding a log parser, the following parameters are available.

Field: select log parser
Details: Select NEW, or choose an existing log parser. By choosing an existing log parser, you can add rules to that parser, essentially extending its parsing capabilities.
Note: If you select an existing log parser, the remaining fields are auto-filled based on the values for the selected log parser.

Field: device type
Details: Enter a string to define the device type. The name must be between 3 and 30 alphanumeric characters (including underscores), and must not match the name of any existing log parser.

Field: device display name
Details: Enter the display name for the log parser.
Note: The display name must be 64 characters or fewer, and must not match any other device display name.

Field: device class
Details: Select a device class.

Field: clone dynamic parser rules from
Details: Leave blank to start with no rules, or select one of the existing log parsers to clone its rules.
