Parser Microsoft IIS
I have messages from Microsoft IIS where cs-username contains the username with a domain prefix, like cs-username="test.com\john.smith" (this is from the SA transformation). Does somebody know how I can cut "test.com\" from the message? I tried to do it through the XML parser, but the parser works very strangely; for example, the meta username does not have &quot;, and I don't know how to cut the slash symbol. Maybe someone has experience with this.
You can try and do the following:
Essentially just placing a temporary value where the "test.com" is, with the RSA XML usage of the temporary value "fldX".
Did you see the parser and raw logs from Microsoft IIS? When logs from Microsoft IIS go to SA via the SFTP Agent, SA transforms the logs. After the transformation in SA, cs-username has the value "test.com\john.smith". This value is quoted, but in the parser the " is not present, and by design this parser can't work, but it works. I tried many combinations to cut test.com\, and your example was the first. No combination worked. I also tried:
I paid attention to the tagvalmap delimiter in the XML file with the value ", "". I guess this is the root of the issue where I can't use a temporary field to cut off the domain name prefix. I also saw the parameter tagval in the description of the POST message ID with the value true. I guess I need to manipulate this parameter to achieve success. Maybe someone knows how to do it?