Log Parser Customize: Add or Delete a Log Parser

Document created by RSA Information Design and Development on Jul 25, 2018. Last modified by RSA Information Design and Development on Sep 20, 2018.

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.2 and later.

For version 11.2, RSA has added the ability to add log parsers through the UI. You can also delete log parsers, as long as they have never been deployed to a Decoder. You can create a new log parser definition from scratch, or extend an existing one.

You can add a log parser to extend the functionality for an existing parser. For example, if you have some unknown messages for the Cisco Pix parser, you could add rules to match your unknowns.

IMPORTANT: If you are adding a new log parser, for example when onboarding an event source, you must map the event source IP to the new log parser in order for messages to be parsed. For details, see "Acknowledging and Mapping Event Sources" in the Event Source Management User Guide.

Add a Log Parser

  1. In the NetWitness Platform UI, navigate to CONFIGURE > Log Parser Rules.
  2. From the Log Parsers pane, click Add Parser.

    The Add Dynamic Log Parser dialog box is displayed.

  3. Fill in details for this dialog box. For details, see Add Dynamic Log Parser Parameters below.
  4. Click Save to save the new log parser.

    This updates the definition file in the file system. It does not deploy the changes.

  5. To deploy your changes to all of your Decoders, click Deploy.

Delete a Log Parser using the UI

You can use the UI to delete a log parser that has never been deployed.

To delete a log parser:

Note: You cannot delete a log parser through the UI if it has ever been deployed to a Decoder.

  1. In the NetWitness Platform UI, navigate to CONFIGURE > Log Parser Rules.
  2. From the Log Parsers pane, select a log parser.

    The Delete Parser dialog box is displayed.

  3. Click Delete to remove the log parser from the system.

Delete a Log Parser Manually

To manually delete a log parser that has been deployed at any time, you can use NwConsole.

To delete a log parser that has been deployed:

  1. Access the RSA NetWitness Console, using the NwConsole command. For details, see "Access NwConsole and Help" in the NwConsole User Guide.
  2. Run the following command:

    [localhost:50002] /decoder/parsers> send . delete file=filename.xml type=device

    where filename is the name of the XML file for the log parser. For example, to delete the log parser for Oracle Access Manager, run the following command:

    [localhost:50002] /decoder/parsers> send . delete file=oracleam.xml type=device

Notes about the log parser filename:

  • Log parser files are located on the Log Decoder in the following path:

    /etc/netwitness/ng/envision/etc/devices

  • Each log parser has its own sub-folder. For example, the Cisco ASA parser files are in the following folder:

    /etc/netwitness/ng/envision/etc/devices/ciscoasa

  • Some log parser file names begin with v20_ while others do not; the only way to tell is to look in the device folder. For Cisco ASA, the log parser file name is v20_ciscoasamsg.xml. However, when you specify the filename in the delete command above, omit the v20_ prefix.

Add Dynamic Log Parser Parameters

When you are adding a log parser, the following parameters are available.

select log parser

    Select NEW, or choose an existing log parser.

    By choosing an existing log parser, you can add rules to that parser, essentially extending its parsing capabilities.

    Note: If you select an existing log parser, the remaining fields are auto-filled with the values of the selected log parser.

device type

    Enter a string to define the device type. The name must be between 3 and 30 alphanumeric characters (underscores are allowed) and must not match the name of any existing log parser.

device display name

    Enter the display name for the log parser.

    Note: The display name must be 64 characters or fewer and must not match any other device display name.

device class

    Select a device class.

clone dynamic parser rules from

    Leave blank to start with no rules, or select one of the existing log parsers to clone its rules.
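The following shell script is an added example, not RSA's own code. It applies two things this topic describes: it derives the file= value for the NwConsole delete command from a parser's device folder (dropping the v20_ prefix) and it checks a proposed device type and display name against the limits given for the Add Dynamic Log Parser dialog. It assumes the Log Decoder layout /etc/netwitness/ng/envision/etc/devices/<type>/ and one definition XML per folder; the uniqueness check for display names, which would require reading every definition, is not attempted.

```shell
#!/bin/sh
# Added example (not RSA's code). Assumes the device folder layout
# /etc/netwitness/ng/envision/etc/devices/<type>/ from this topic.
DEVICES_DIR="${DEVICES_DIR:-/etc/netwitness/ng/envision/etc/devices}"

# Print the bare file name to pass to "send . delete file=... type=device"
# for the parser whose device folder is "$1".
# Takes the first .xml in the folder (assumption: one definition per folder).
parser_delete_filename() {
    dir="$1"
    for f in "$dir"/*.xml; do
        [ -e "$f" ] || return 1        # glob did not match: no parser here
        f=${f##*/}                     # strip the directory part
        printf '%s\n' "${f#v20_}"      # v20_ciscoasamsg.xml -> ciscoasamsg.xml
        return 0
    done
    return 1
}

# Print the full NwConsole command for the device type named in "$1".
nwconsole_delete_cmd() {
    name=$(parser_delete_filename "$DEVICES_DIR/$1") || return 1
    printf 'send . delete file=%s type=device\n' "$name"
}

# "device type": 3-30 alphanumerics or underscores, not an existing parser.
valid_device_type() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_]{3,30}$' || return 1
    [ ! -d "$DEVICES_DIR/$1" ]
}

# "device display name": non-empty and 64 characters or fewer.
valid_display_name() {
    [ -n "$1" ] && [ "${#1}" -le 64 ]
}
```

Run nwconsole_delete_cmd ciscoasa on a Log Decoder to see the exact command to paste at the /decoder/parsers> prompt.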
