Exporting parsers to edit with ESI?
Can this be done? I'd like to modify the Live parser for a specific device type (varonisprobe) to include additional meta (specifically a rule name). I've downloaded the varonisprobe.netwitness file from Live, but when I try to import it into ESI, there are no defined headers or messages visible in the tool.
I could create a whole new parser from scratch, but that seems pretty stupid if all I need is a small modification.
- Community Thread
- custom log parser
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
ESI's import function looks for .zip and .netwitness files. Then it opens the XML file you're referring to. My problem is that the tool doesn't show the headers/messages for the parser when the file is opened.
You can open the varonisprobe.envision file with 7-Zip or WinZip. In the /etc/devices subfolder, extract the varonisprobe folder (the complete folder) to your C: drive. Then you can open (not import) the v20_varonisprobemsg.xml file in the ESI tool.
Importing will also work with the .envision extension. When I go to headers and messages, I see values. The resulting parser files should be on the C:\ drive, however, and the folder should not be nested too deeply within the file system.
Hope that helps.
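The extraction step from the reply above, as an added Python example that is not part of the original thread: it opens the .envision archive as a zip, copies only the etc/devices/&lt;device&gt;/ folder to a shallow destination (C:\ in the reply), and then counts the header and message definitions in v20_&lt;device&gt;msg.xml so you can confirm the file actually carries them before opening it in ESI. The HEADER/MESSAGE element names, the sample XML and the .ini contents are assumptions constructed for this example; the real varonisprobe parser is not reproduced here.

```python
"""Extract a device parser folder from a NetWitness .envision archive and
check that its v20_<device>msg.xml carries HEADER/MESSAGE definitions.
Added example; not code from the thread or from RSA NetWitness."""
import io
import pathlib
import sys
import tempfile
import zipfile
import xml.etree.ElementTree as ET

DEVICE = "varonisprobe"

# Constructed sample of a parser XML. The HEADER/MESSAGE element names and
# content tokens are an assumption for this example, not the real Live file.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<DEVICEMESSAGES name="varonisprobe" displayname="Varonis">
  <VERSION device="2.0" xml="1" revision="1"/>
  <HEADER id1="0001" id2="0001"
    content="&lt;hmonth&gt; &lt;hday&gt; &lt;htime&gt; &lt;hostname&gt; &lt;messageid&gt;: &lt;!payload&gt;"/>
  <MESSAGE id1="ALERT" id2="ALERT" content="Rule=&lt;rulename&gt; user=&lt;username&gt;"/>
  <MESSAGE id1="LOGIN" id2="LOGIN" content="User &lt;username&gt; logged in from &lt;saddr&gt;"/>
</DEVICEMESSAGES>
"""


def build_sample_archive():
    """Return an in-memory .envision-style zip (constructed test input).

    Besides the device folder it contains a second device (must be skipped)
    and a path-traversal entry (must be rejected by the zip-slip guard)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"etc/devices/{DEVICE}/v20_{DEVICE}msg.xml", SAMPLE_XML)
        zf.writestr(f"etc/devices/{DEVICE}/{DEVICE}.ini", "[device]\nname=varonisprobe\n")
        zf.writestr("etc/devices/otherdevice/v20_otherdevicemsg.xml", "<DEVICEMESSAGES/>")
        zf.writestr(f"etc/devices/{DEVICE}/../../../evil.txt", "should never be written")
    buf.seek(0)
    return buf


def extract_device(archive, device, dest_root):
    """Copy etc/devices/<device>/ out of the archive into <dest_root>/<device>/.

    Returns the extracted file paths. Entries outside the device folder and
    entries that would resolve outside dest_root (zip slip) are skipped."""
    dest_root = pathlib.Path(dest_root).resolve()
    prefix = f"etc/devices/{device}/"
    extracted = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/").lstrip("/")
            if info.is_dir() or not name.startswith(prefix):
                continue
            rel = name[len("etc/devices/"):]            # keep <device>/... only
            target = (dest_root / rel).resolve()
            if dest_root not in target.parents:          # zip-slip guard
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            extracted.append(target)
    return extracted


def count_definitions(xml_path):
    """Return (header_count, message_count) for a v20_<device>msg.xml file."""
    root = ET.parse(xml_path).getroot()
    return len(root.findall("HEADER")), len(root.findall("MESSAGE"))


def run_demo(dest_root):
    """Extract the constructed sample into dest_root and inspect the XML.

    Returns (relative paths written, header_count, message_count)."""
    files = extract_device(build_sample_archive(), DEVICE, dest_root)
    root = pathlib.Path(dest_root).resolve()
    rel = sorted(str(p.relative_to(root)).replace("\\", "/") for p in files)
    xml_file = next(p for p in files if p.name == f"v20_{DEVICE}msg.xml")
    headers, messages = count_definitions(xml_file)
    return rel, headers, messages


def run_demo_in_tempdir():
    """Same as run_demo, but in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return run_demo(tmp)


if __name__ == "__main__":
    # On Windows pass C:\ so ESI gets the shallow path the reply recommends.
    dest = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    print(run_demo(dest))
```

Point the script at a real archive by replacing build_sample_archive() with the path to varonisprobe.envision; the result is C:\varonisprobe\v20_varonisprobemsg.xml, which is the file to open (not import) in ESI. A header or message count of zero tells you the XML itself is empty of definitions, as opposed to ESI simply not displaying them.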