Parser in NetWitness
Please let me know how parsers work in NetWitness. That is, when a log file comes in, what process does it go through to reach the actual parser? There are n number of parsers, so how does a log travel to a parser, how does the parser parse it, does it match headers first or both headers and payload? In other words, how exactly does it match the events to the definitions?
- Community Thread
- Forum Thread
- log parser community
- RSA NetWitness
- RSA NetWitness Platform
Parsers are matched to devices based on internal scoring from header matches.
The log gets matched to a header first.
You can force-match a device with a parser using device mapping.
For more details, refer to: https://community.rsa.com/docs/DOC-83456
Thanks Twinkle, can you explain more on matches? I mean, first the headers are matched, then how does it match the payload data, and how are different payloads matched to headers? How are the headers and messages in the XML file linked?
An event consists of a header, a message ID and a payload.
The logic behind choosing the message ID is to group events together and analyze which value makes each event unique.
The header is used to help identify the event source by identifying and defining the main theme in its event log format.
The header identifies what the message is and where it starts.
Then the payload is parsed based on the id1 and id2 defined in the parser.
For better understanding, go through the video created by Dave Glover: https://www.youtube.com/watch?v=7w7fAbJVk64
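As an added example (not code from this thread, from RSA, or from the NetWitness engine), here is a small Python model of the three steps the answers above describe: the raw line is matched against every parser's HEADER and the best header match wins (or a forced device from device mapping bypasses the scoring), the value the header captured as the message ID selects a MESSAGE element by its id1, and that MESSAGE's content pattern parses the payload into meta. The XML shape follows the DEVICEMESSAGES / HEADER / MESSAGE layout of NetWitness log parser files, but the device names, patterns, sample log lines and the literal-character scoring used to rank headers are all assumptions made for illustration; the real engine's scoring and content grammar are richer than this.

```python
import re
import xml.etree.ElementTree as ET

# Constructed parser definitions in the shape of NetWitness log parser XML.
# Device names, patterns and ids are made up for this example. The content
# grammar modelled here (literal text, <field> capture tokens, <!payload>
# marking where the payload starts) is a simplification assumed for
# illustration, not the engine's full grammar.
PARSERS_XML = {
    "examplefw": """<DEVICEMESSAGES name="examplefw" displayname="Example Firewall">
  <HEADER id1="0001" id2="0001" content="&lt;hmonth&gt; &lt;hday&gt; &lt;htime&gt; &lt;hhostname&gt; examplefw[&lt;hpid&gt;]: &lt;messageid&gt;: &lt;!payload&gt;"/>
  <MESSAGE id1="DENY" id2="DENY" content="denied &lt;protocol&gt; from &lt;saddr&gt;:&lt;sport&gt; to &lt;daddr&gt;:&lt;dport&gt;"/>
  <MESSAGE id1="LOGIN" id2="LOGIN" content="user &lt;username&gt; logged in from &lt;saddr&gt;"/>
</DEVICEMESSAGES>""",
    "examplevpn": """<DEVICEMESSAGES name="examplevpn" displayname="Example VPN">
  <HEADER id1="0001" id2="0001" content="&lt;hmonth&gt; &lt;hday&gt; &lt;htime&gt; &lt;hhostname&gt; examplevpn: &lt;messageid&gt;: &lt;!payload&gt;"/>
  <MESSAGE id1="SESSION_START" id2="SESSION_START" content="user &lt;username&gt; tunnel &lt;saddr&gt;"/>
</DEVICEMESSAGES>""",
    # A catch-all syslog header with no MESSAGE definitions: it matches many
    # lines but pins down little literal text, so it loses the scoring below.
    "genericsyslog": """<DEVICEMESSAGES name="genericsyslog" displayname="Generic Syslog">
  <HEADER id1="0001" id2="0001" content="&lt;hmonth&gt; &lt;hday&gt; &lt;htime&gt; &lt;hhostname&gt; &lt;messageid&gt;: &lt;!payload&gt;"/>
</DEVICEMESSAGES>""",
}

TOKEN = re.compile(r"<(!?[A-Za-z_][A-Za-z0-9_]*)>")


def content_to_regex(content):
    """Compile a content pattern: literals match exactly, <field> becomes a
    non-greedy named group, <!payload> captures the rest of the line."""
    parts, pos = ["^"], 0
    for tok in TOKEN.finditer(content):
        parts.append(re.escape(content[pos:tok.start()]))
        name = tok.group(1)
        parts.append("(?P<payload>.*)" if name == "!payload" else f"(?P<{name}>.+?)")
        pos = tok.end()
    parts.append(re.escape(content[pos:]) + "$")
    return re.compile("".join(parts))


def literal_weight(content):
    """Stand-in for the engine's internal header scoring (an assumption): the
    more literal text a header pattern pins down, the more specific it is."""
    return len(TOKEN.sub("", content))


def load_parsers(xml_by_device):
    parsers = {}
    for device, xml in xml_by_device.items():
        root = ET.fromstring(xml)
        parsers[device] = {
            "headers": [(content_to_regex(h.get("content")), literal_weight(h.get("content")), h.attrib)
                        for h in root.findall("HEADER")],
            # MESSAGE elements are looked up by id1, the value that the header's
            # <messageid> token captured from the raw line.
            "messages": {m.get("id1"): (content_to_regex(m.get("content")), m.attrib)
                         for m in root.findall("MESSAGE")},
        }
    return parsers


def parse_event(line, parsers, device_mapping=None):
    """Step 1: header match, scored across all parsers or restricted to one
    forced device. Step 2: pick the MESSAGE by message id. Step 3: parse the
    payload with that MESSAGE's content pattern into meta."""
    candidates = []
    for device in ([device_mapping] if device_mapping else parsers):
        for regex, weight, hattrs in parsers[device]["headers"]:
            m = regex.match(line)
            if m:
                candidates.append((weight, device, hattrs, m.groupdict()))
    if not candidates:
        return None                      # no header fits: the line stays unparsed
    weight, device, hattrs, meta = max(candidates, key=lambda c: c[0])
    payload = meta.pop("payload", "")
    event = {"device": device, "header_id2": hattrs.get("id2"), "header_score": weight,
             "message_id": meta.get("messageid"), "id1": None, "id2": None,
             "meta": meta, "unparsed_payload": None}
    msg = parsers[device]["messages"].get(event["message_id"])
    pm = msg[0].match(payload) if msg else None
    if pm is None:                       # unknown id, or payload does not fit its MESSAGE
        event["unparsed_payload"] = payload
        return event
    event["id1"], event["id2"] = msg[1]["id1"], msg[1]["id2"]
    meta.update(pm.groupdict())
    return event


PARSERS = load_parsers(PARSERS_XML)

# Constructed sample log lines (not real device output).
LOGS = [
    "Mar 01 12:00:01 fw01 examplefw[4242]: DENY: denied tcp from 10.1.1.5:51515 to 192.0.2.10:443",
    "Mar 01 12:00:05 fw01 examplefw[4242]: LOGIN: user alice logged in from 10.1.1.5",
    "Mar 01 12:00:09 vpn01 examplevpn: SESSION_START: user bob tunnel 10.8.0.2",
    "Mar 01 12:00:11 fw01 examplefw[4242]: REBOOT: system restarting",
    "not a syslog line",
]

if __name__ == "__main__":
    for line in LOGS:
        print(parse_event(line, PARSERS))
    # Device mapping override: force the generic parser for a firewall line.
    print(parse_event(LOGS[0], PARSERS, device_mapping="genericsyslog"))
```

Running it shows the points the thread raises: the firewall line matches both the firewall header and the generic syslog header, and only the scoring decides which device it is attributed to; forcing `device_mapping="genericsyslog"` skips that decision and the line is parsed as generic syslog with nothing beyond the header. The REBOOT line shows the failure mode to watch for in a real deployment: the header matched and the message ID was captured, but no MESSAGE carries that id1, so the payload is left unparsed and produces no meta.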