How to create a custom parser in Security Analytics
There is also documentation on this on the docs.netwitness site here: http://docs.netwitness.com/1-RSA_Security_Analytics_User_Guide/50_Administration_Module/1_The_Devices_View/3_Device_Config_View/04_Config_View_Decoder/5_Parsers
The parsers themselves are built in your favorite text editor. I personally use Notepad++ and add the parser extension to the XML language category for syntax highlighting. Alternatively, if you prefer, you can use C:\Users\All Users\NetWitness\parsers\parsers.xsd in a text editor that supports it. I personally prefer the new Lua parser language over the older flex language. These are also created in a text editor.
Basically, go back and read the enVision documentation on this. It's no different. I do know that RSA has a parser tool similar to ArcSight's, which allows you to import your logs and will parse like 80% of them. It's a back-office tool, so you need to really push to get it, but it's there. There is no "Security Analytics" documentation on creating custom parsers, and if you look at the SA docs on configuration of devices, there are about 21 docs. So don't hold your breath waiting for anything to help you out. Best of luck.
That is correct. I spoke with Will, who wrote that book, and he doesn't have an equivalent version for logs. The good news is that, partially due to this thread, we've identified this as a need; the bad news is we don't have immediate documentation that can help.