On occasion, you may need to modify one or more of your log parsers. For example, you may need to fix an unknown message, or to parse certain fields differently than in the manner provided by default.
Log Parser Customization allows you to add new parser elements or modify existing ones. All customizations reside in a separate file that does not get removed or overwritten by Log Decoder upgrades or the updating parsers through the RSA Live.
Note: This feature is only available in 10.6.5 and later (including NetWitness 11.x)
Loading Order
The default parser file is loaded before the custom file (if a custom file exists). This allows users to override elements, as shown in the examples below that modify items that exist in the default file.
File Location and Naming
Log parser files are located on the Log Decoder in the following path:
/etc/netwitness/ng/envision/etc/devices
Each log parser has its own sub-folder. For example, the ciscoasa parser files are in the following folder:
/etc/netwitness/ng/envision/etc/devices/ciscoasa
Custom log parser files are located in the same folder as the corresponding system-provided files. For naming, you use the name of the XML file, followed by -custom.xml
For example, the ciscoasa parser consists of two files: ciscoasa.ini and v20_ciscoasamsg.xml. If you create a custom file, you need to name it v20_ciscoasamsg-custom.xml, and add it to the same folder, /etc/netwitness/ng/envision/etc/devices/ciscoasa.
Header and Message Duplication
When you customize a parser, make sure to duplicate only those headers and messages that you want to customize. That is, we recommend that you do not simply copy everything from the default parser file and then paste it into your custom XML file. Also, note that if you duplicate headers and messages that exist in the default parser, you will not be using the default versions, even if RSA updates them in the future.
Examples
The following sections contain examples for adding or modifying portions of a log parser.
All the examples use the Oracle Access Manager (oracleam) log parser.
Example Code
Cod examples are broken down into two areas:
Additionally, insertBefore and insertAfter describes the usage of the insertBefore and insertAfter commands, for use when adding a new item.
Common Steps
The common steps, which are the same in all of the examples, are as follows:
Use an SSH tool, such as WinSCP, to navigate to the following folder on your Log Decoder:
/etc/netwitness/ng/envision/etc/devices/oracleam
- Copy the oracleammsg.xml file to your local system.
Note the Device Messages and Version information, which comprise the first several lines of the oracleammsg.xml file. You need to copy these lines into your custom parser file.
<DEVICEMESSAGES
name="oracleam"
displayname="Oracle Access Manager"
group="Access Control"><VERSION
xml="60"
checksum="110c39794680bdedfabb5a73339d38eb"
revision="104"
device="2.0"/>Using a text editor, create a file named oracleammsg-custom.xml, and add custom text, after the introductory text specified in the previous step. The specific custom text is supplied in each of the following examples.
- Save the custom file as oracleammsg-custom.xml, and using your SSH tool, upload it to /etc/netwitness/ng/envision/etc/devices/oracleam on your Log Decoder.
Add a New Item
When you add an item, you use a new identifier, and optionally, an insertBefore or insertAfter command.
You can add any of the following items:
Add New Header
Using a text editor, create a file named oracleammsg-custom.xml, and add the following text:
<DEVICEMESSAGES
name="oracleam"
displayname="Oracle Access Manager"
group="Access Control">
<VERSION
xml="60"
checksum="110c39794680bdedfabb5a73339d38eb"
revision="104"
device="2.0"/>
<!-- VERSION info copied from oracleammsg.xml -->
<HEADER
id1="0044"
id2="0044"
insertBefore="0005"
content="%ORACLEAM-<hfld1>: <hdate> <htime> *<htimezone> - <messageid> <!payload:messageid>" />
</DEVICEMESSAGES>
Note the insertBefore="0005" line. This instructs the system to insert the new header before existing header number 0005.
Add New Message
Using a text editor, create a file named oracleammsg-custom.xml, and add the following text:
<DEVICEMESSAGES
name="oracleam"
displayname="Oracle Access Manager"
group="Access Control">
<VERSION
xml="60"
checksum="110c39794680bdedfabb5a73339d38eb"
revision="104"
device="2.0"/>
<!-- VERSION info copied from oracleammsg.xml -->
<MESSAGE
id1="AUTHZ_SUCCESS:03"
id2="AUTHZ_SUCCESS"
eventcategory="1302000000"
insertAfter="AUTHZ_SUCCESS:01"
functions="<@ec_theme:Authentication><@ec_outcome:Success><@event_time:*EVNTTIME($HDR,'%G/%F/%W %N:%U:%O',hdate,htime)><@msg:*PARMVAL($MSG)><@:*SYSVAL($MSGID,$ID1)>"
content="<event_type> - <web_method> - <hostname><fld1>- <saddr> - {<web_domain>%<fld27><fld2>|<url><fld2>} - cn=<username>,<fld3> - <fld4> - <protocol> - <obj_type><fld6> - <context> - <id> - cn=<fld7>,cn1=<fld23>, uid=<uid>" />
</DEVICEMESSAGES>
Note the insertAfter="AUTHZ_SUCCESS:01" line. This instructs the system to insert the new message after existing message with ID AUTHZ_SUCCESS:01.
Add New Valuemap
For the remaining examples, the introductory lines are not included. Add the following code after the introductory VERSION information.
<VALUEMAP
name="getDisposition"
default="$NONE"
keyvaluepairs="0='Failure'|1='Success'" />
<MESSAGE
id1="AUTHZ_SUCCESS:03"
id2="AUTHZ_SUCCESS"
eventcategory="1302000000"
insertBefore="AUTHZ_SUCCESS:01"
functions="<@ec_theme:Authentication><@ec_outcome:Success><@event_time:*EVNTTIME($HDR,'%G/%F/%W %N:%U:%O',hdate,htime)><@msg:*PARMVAL($MSG)><@:*SYSVAL($MSGID,$ID1)>"
content="<event_type> - <web_method> - <hostname><fld1>- <saddr> - {<web_domain>%<fld27><fld2>|<url><fld2>} - cn=<username>,<fld3> - <fld4> - <protocol> - <obj_type><fld6> - <context> - <id> - cn=<fld7>,cn1=<fld23>, uid=<uid>" />
</DEVICEMESSAGES>
Add New Tagval
Add the following code after the introductory VERSION information.
<TAGVALMAP
pairdelimiter="^^" encapsulator=""" />
<VALUEMAP
name="getDisposition"
default="$NONE"
keyvaluepairs="0='Failure'|1='Success'" />
<MESSAGE
id1="ORACLEAM_TVM"
id2="ORACLEAM_TVM"
eventcategory="1901000000"
tagval="true"
missField="true"
functions="<@msg:*PARMVAL($MSG)><@event_time:*EVNTTIME($MSG,'%W-%G-%F %H:%T:%S',fld3)><@disposition:*getDisposition(fld12)><@msg_id:*PARMVAL(event_type)><@vid:*PARMVAL(event_type)><@event_id:*STRCAT(event_type,_,disposition)><@event_cat:*getEventLegacyCategory(event_id)><@event_cat_name:*getEventLegacyCategoryName(event_cat)>"
content="IAU_EVENTTYPE=<event_type>^^IAU_EVENTCATEGORY=<category>^^IAU_COMPONENTTYPE=<event_source>^^IAU_HOSTID=<dhost>^^IAU_HOSTNWADDR=<daddr>^^IAU_AGENTID=<fld1>^^IAU_PROCESSID=<process_id>^^IAU_SESSIONID=<sessionid>^^IAU_SSOSESSIONID=<sessionid1>^^IAU_APPLICATIONNAME=<application>^^IAU_APPLICATIONDOMAINNAME=<fld2>^^IAU_EVENTSTATUS=<fld12>^^IAU_TSTZORIGINATING=<fld3>^^IAU_THREADID=<fld4>^^IAU_INITIATOR=<username>^^IAU_USERID=<uid>^^IAU_MESSAGETEXT=<event_description>^^IAU_REMOTEIP=<saddr>^^IAU_RESOURCE=<fld5>^^IAU_DOMAINNAME=<domain>^^IAU_SERVERNAME=<hostname>^^IAU_INSTANCENAME=<instance>^^IAU_AUTHORIZATIONPOLICYID=<policy_id>^^IAU_AUTHENTICATIONPOLICYID=<policy_id>^^IAU_RESOURCEHOST=<shost>^^IAU_RESOURCEURI=<url>^^IAU_ADDITIONALINFO=<fld7>" />
</DEVICEMESSAGES>
Note the tagval="true" code in the message. We are adding this message that uses the new Tagval map.
insertBefore and insertAfter
As shown in some of the previous examples, the insertBefore and insertAfter commands instruct the system about where to place the new items when combining the standard and custom XML definition files, as it creates a unified parser during processing.
Note: If both insertBefore and insertAfter are defined, insertBefore will be used, and a warning will be logged. If neither is specified, the header or message is added at the end of the combined parser definition.
Modify an Existing Item
To modify an existing element, you use the same identifiers as an existing item, and change the contents. See the examples to modify any of the following items:
Modify Header
This example replaces the Header that has an ID of 0004. Add the following code after the introductory VERSION information.
<HEADER
id1="0004"
id2="0004"
content="%ORACLEAM-<hfld1>: <hdate> <htime> *<htimezone> - <messageid> <!payload:messageid>" />
</DEVICEMESSAGES>
Modify Message
This example replaces the Message that has an ID of AUTHZ_SUCCESS:01. Add the following code after the introductory VERSION information.
<MESSAGE
id1="AUTHZ_SUCCESS:01"
id2="AUTHZ_SUCCESS"
eventcategory="1302000000"
functions="<@ec_theme:Authentication><@ec_outcome:Success><@event_time:*EVNTTIME($HDR,'%G/%F/%W %N:%U:%O',hdate,htime)><@msg:*PARMVAL($MSG)><@:*SYSVAL($MSGID,$ID1)>"
content="<event_type> - <web_method> - <hostname><fld1>- <saddr> - {<web_domain>%<fld27><fld2>|<url><fld2>} - cn=<username>,<fld3> - <fld4> - <protocol> - <obj_type><fld6> - <context> - <id> - cn=<fld7>,cn1=<fld23>, uid=<uid>" />
</DEVICEMESSAGES>
Modify Valuemap
This example replaces the getDisposition Valuemap. Add the following code after the introductory VERSION information.
<VALUEMAP
name="getDisposition"
default="$NONE"
keyvaluepairs="0='Failure'|1='Success'|3='Test'" />
</DEVICEMESSAGES>
In this example, we are assuming the device XML, oracleammsg.xml, includes a Valuemap named getDisposition, and that we are changing the existing information, for example we might be adding a new key value pair, 3='Test&apos.
Modify Tagval
This example replaces the existing Tagval. Add the following code after the introductory VERSION information.
<TAGVALMAP
pairdelimiter="^^^" encapsulator=""" />
<MESSAGE
id1="ORACLEAM_TVM"
id2="ORACLEAM_TVM"
eventcategory="1901000000"
tagval="true"
missField="true"
functions="<@msg:*PARMVAL($MSG)><@event_time:*EVNTTIME($MSG,'%W-%G-%F %H:%T:%S',fld3)><@disposition:*getDisposition(fld12)><@msg_id:*PARMVAL(event_type)><@vid:*PARMVAL(event_type)><@event_id:*STRCAT(event_type,_,disposition)><@event_cat:*getEventLegacyCategory(event_id)><@event_cat_name:*getEventLegacyCategoryName(event_cat)>"
content="IAU_EVENTTYPE=<event_type>^^^IAU_EVENTCATEGORY=<category>^^^IAU_COMPONENTTYPE=<event_source>^^^IAU_HOSTID=<dhost>^^^IAU_HOSTNWADDR=<daddr>^^^IAU_AGENTID=<fld1>^^^IAU_PROCESSID=<process_id>^^^IAU_SESSIONID=<sessionid>^^^IAU_SSOSESSIONID=<sessionid1>^^^IAU_APPLICATIONNAME=<application>^^^IAU_APPLICATIONDOMAINNAME=<fld2>^^^IAU_EVENTSTATUS=<fld12>^^^IAU_TSTZORIGINATING=<fld3>^^^IAU_THREADID=<fld4>^^^IAU_INITIATOR=<username>^^^IAU_USERID=<uid>^^^IAU_MESSAGETEXT=<event_description>^^^IAU_REMOTEIP=<saddr>^^^IAU_RESOURCE=<fld5>^^^IAU_DOMAINNAME=<domain>^^^IAU_SERVERNAME=<hostname>^^^IAU_INSTANCENAME=<instance>^^^IAU_AUTHORIZATIONPOLICYID=<policy_id>^^^IAU_AUTHENTICATIONPOLICYID=<policy_id>^^^IAU_RESOURCEHOST=<shost>^^^IAU_RESOURCEURI=<url>^^^IAU_ADDITIONALINFO=<fld7>" />
</DEVICEMESSAGES>
Table of Contents > Content Development > Procedures > Log Parsers > Log Parser Customization
On this page
