On occasion, you may need to modify one or more of your log parsers. For example, you may need to fix an unknown message, or to parse certain fields differently than in the manner provided by default.
Log Parser Customization allows you to add new parser elements or modify existing ones. All customizations reside in a separate file that is not removed or overwritten by Log Decoder upgrades or by parser updates delivered through RSA Live.
Note: This feature is only available in 10.6.5 and later (including NetWitness 11.x).
The default parser file is loaded before the custom file (if a custom file exists). This allows users to override elements, as shown in the examples below that modify items that exist in the default file.
File Location and Naming
Log parser files are located on the Log Decoder in the following path:
Each log parser has its own sub-folder. For example, the ciscoasa parser files are in the following folder:
Custom log parser files are located in the same folder as the corresponding system-provided files. To name a custom file, take the name of the XML file it customizes (without the .xml extension) and append -custom.xml.
For example, the ciscoasa parser consists of two files: ciscoasa.ini and v20_ciscoasamsg.xml. If you create a custom file, you need to name it v20_ciscoasamsg-custom.xml, and add it to the same folder, /etc/netwitness/ng/envision/etc/devices/ciscoasa.
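The naming and placement rule above, as an added helper that is not part of RSA's tooling: custom_path derives the custom file's full path from the device folder and the default XML name, and check_custom_xml confirms, before the file is uploaded, that it carries the -custom.xml suffix and parses as well-formed XML. The devices path is the one given on this page; everything else (the function names, the constructed sample snippets) is an assumption of this example.

```python
"""Added example: derive and sanity-check a custom parser file name.

Not RSA code. DEVICES_DIR is the path from the documentation; the helper
names and the sample XML are constructed for this illustration.
"""
import os
import xml.etree.ElementTree as ET

DEVICES_DIR = "/etc/netwitness/ng/envision/etc/devices"


def custom_path(device, default_xml_name):
    """('ciscoasa', 'v20_ciscoasamsg.xml') -> DEVICES_DIR/ciscoasa/v20_ciscoasamsg-custom.xml"""
    stem, ext = os.path.splitext(default_xml_name)
    if ext.lower() != ".xml" or stem.endswith("-custom"):
        raise ValueError(f"expected a default parser XML name, got {default_xml_name!r}")
    # The custom file sits beside the system-provided file, same stem plus -custom.xml
    return os.path.join(DEVICES_DIR, device, f"{stem}-custom.xml")


def check_custom_xml(path, text):
    """Return a list of problems found (empty list means the file looks uploadable).

    Checks only what the naming rule and the loader require: the -custom.xml
    suffix, and that the content is well-formed XML with a single root element.
    """
    problems = []
    if not os.path.basename(path).endswith("-custom.xml"):
        problems.append("file name must end in -custom.xml")
    try:
        ET.fromstring(text)
    except ET.ParseError as exc:
        problems.append(f"not well-formed XML: {exc}")
    return problems


if __name__ == "__main__":
    target = custom_path("ciscoasa", "v20_ciscoasamsg.xml")
    # Constructed sample: a deliberately unclosed element, to show the check firing
    sample = "<DEVICEMESSAGES><MESSAGE id1=\"x\"/>"
    print(target)
    for p in check_custom_xml(target, sample):
        print("problem:", p)
```

Run the check locally on the file you intend to upload; only a file that returns no problems should be copied to the Log Decoder folder.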
Header and Message Duplication
When you customize a parser, make sure to duplicate only those headers and messages that you want to customize. That is, we recommend that you do not simply copy everything from the default parser file and paste it into your custom XML file. Also note that if you duplicate headers and messages that exist in the default parser, you will no longer be using the default versions, even if RSA updates them in the future.
The following sections contain examples for adding or modifying portions of a log parser.
All the examples use the Oracle Access Manager (oracleam) log parser.
Using a text editor, create a file named oracleammsg-custom.xml, and add custom text, after the introductory text specified in the previous step. The specific custom text is supplied in each of the following examples.
Save the custom file as oracleammsg-custom.xml, and using your SSH tool, upload it to /etc/netwitness/ng/envision/etc/devices/oracleam on your Log Decoder.
Add a New Item
When you add an item, you use a new identifier and, optionally, an insertBefore or insertAfter command.
Note the tagval="true" code in the message. We are adding this message that uses the new Tagval map.
insertBefore and insertAfter
As shown in some of the previous examples, the insertBefore and insertAfter commands tell the system where to place the new items when it combines the standard and custom XML definition files into a unified parser during processing.
Note: If both insertBefore and insertAfter are defined, insertBefore will be used, and a warning will be logged. If neither is specified, the header or message is added at the end of the combined parser definition.
Modify an Existing Item
To modify an existing element, you use the same identifiers as an existing item, and change the contents. See the examples to modify any of the following items:
In this example, we assume that the device XML, oracleammsg.xml, includes a Valuemap named getDisposition, and that we are changing the existing information, for example by adding a new key-value pair, 3='Test'.
This example replaces the existing Tagval. Add the following code after the introductory VERSION information.
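The combination rules this page states for new and existing items (same identifier replaces the default element; insertBefore or insertAfter places a new element relative to an existing one; both set means insertBefore wins with a warning; neither set means the element is appended at the end) are modelled below as an added, runnable illustration. This is not RSA's merge implementation and the element and attribute names (a generic id attribute, a DEVICEMESSAGES root, the constructed sample messages) are assumptions of this model rather than the parser schema; the behaviour for an insertBefore/insertAfter anchor that does not exist is likewise an assumption, since the page does not say what happens then. The shadowed_ids helper answers the question raised in the Header and Message Duplication section: which default items does a custom file override, and therefore cut off from future updates.

```python
"""Added model of default + custom parser file combination. Not RSA code.

Assumptions: elements are keyed by a generic 'id' attribute and the root is
DEVICEMESSAGES; real parser files use their own schema. Sample XML is
constructed for this illustration.
"""
import logging
import xml.etree.ElementTree as ET

log = logging.getLogger("parser-merge")

DEFAULT_XML = """<DEVICEMESSAGES>
  <HEADER id="H1" content="hdr"/>
  <MESSAGE id="M1" content="login ok"/>
  <MESSAGE id="M2" content="login failed"/>
  <MESSAGE id="M3" content="logout"/>
</DEVICEMESSAGES>"""

CUSTOM_XML = """<DEVICEMESSAGES>
  <MESSAGE id="M2" content="login failed (custom)"/>
  <MESSAGE id="M4" insertBefore="M1" content="new first"/>
  <MESSAGE id="M5" insertAfter="M3" insertBefore="M3" content="both set"/>
  <MESSAGE id="M6" content="appended"/>
</DEVICEMESSAGES>"""


def _index_of(root, ident):
    """Position of the child carrying this id, or None."""
    return next((i for i, e in enumerate(root) if e.get("id") == ident), None)


def merge(default_xml, custom_xml):
    """Apply the custom file on top of the default file; return (root, warnings)."""
    root = ET.fromstring(default_xml)
    warnings = []
    for elem in ET.fromstring(custom_xml):
        ident = elem.get("id")
        before = elem.get("insertBefore")
        after = elem.get("insertAfter")
        # Placement attributes are instructions to the combiner, not parser content
        for attr in ("insertBefore", "insertAfter"):
            elem.attrib.pop(attr, None)

        existing = _index_of(root, ident)
        if existing is not None:
            # Modify: same identifier replaces the default element in place
            root[existing] = elem
            continue

        if before and after:
            warnings.append(f"{ident}: both insertBefore and insertAfter set; using insertBefore")
            after = None
        anchor = before or after
        if anchor is None:
            root.append(elem)               # neither given: goes at the end
            continue

        idx = _index_of(root, anchor)
        if idx is None:
            # Assumption of this model: an unknown anchor falls back to appending
            warnings.append(f"{ident}: anchor {anchor!r} not found; appending")
            root.append(elem)
        elif before:
            root.insert(idx, elem)
        else:
            root.insert(idx + 1, elem)

    for w in warnings:
        log.warning(w)
    return root, warnings


def order(root):
    """Identifiers in combined order, for inspection."""
    return [e.get("id") for e in root]


def shadowed_ids(default_xml, custom_xml):
    """Default identifiers the custom file overrides (these stop receiving RSA updates)."""
    default_ids = {e.get("id") for e in ET.fromstring(default_xml)}
    return sorted(e.get("id") for e in ET.fromstring(custom_xml) if e.get("id") in default_ids)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    root, _ = merge(DEFAULT_XML, CUSTOM_XML)
    print("combined order:", order(root))
    print("shadowed defaults:", shadowed_ids(DEFAULT_XML, CUSTOM_XML))
```

Running it shows M4 landing before M1, M5 placed before M3 (with a warning about the conflicting attributes), M6 at the end, and M2 reporting the custom content; shadowed_ids reports just M2, which is the list you would review after each RSA Live parser update to see which default items your custom file is still overriding.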