Custom Security Analytics Log Parsers
Just curious, I'd like a general consensus on how companies are leveraging Security Analytics for custom log formats, and the custom parsers that they need. Are you guys writing your own parsers? If so, are you using the legacy enVision tool? Or are you relying on RSA to modify/create them? Please advise.
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
We are using all of the above. For the RSA "canned" parsers that need to be updated, we are having RSA modify them. We are also in the process of creating some custom parsers for some applications we have built in-house.
I work for a large company with tons of custom apps that need to be integrated into SA. I write them all manually in a simple text editor, but I use the ESI tool to validate and troubleshoot my work before deploying. I've had to scrap and re-write a few pre-canned parsers from RSA, but I don't touch the big, complex ones. For those, I ask RSA's development team to fix.
If you modify the canned parser, you must be very careful, and then ask the RSA Content team to do the update (they take about 2-3 months to do any changes). I haven't used it, but the ESI tool seems the way to go if you have unknown devices.
All of the above here too. We mostly use the ESI tool for writing parsers.
We also have some custom scripts that pull XML log files from hosts and write them to single-line formatted files to be picked up by the standard sasftpagent script, and also our own custom file reader and ODBC configurations.
Another technique we have used is to write a supplementary parser for some devices - we call it an overlay parser, to pick up messages that are missed by the standard parser.
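The XML-to-single-line step described in the post above, as an added example that is not from the thread or from RSA: it flattens each event of a multi-line XML log into one key=value line so a line-oriented file collector can pick it up. The `<event>`/`<msg>`/`<src>` element names and the sample log are constructed for the example.

```python
# Added example (not from the thread): flatten a multi-line XML log file into
# one event per line so a line-oriented collector can pick it up.
# The <event> element, its attributes and child names are hypothetical.
import xml.etree.ElementTree as ET

# Constructed sample: two events; the second spans several lines and carries
# an embedded newline in its message, which must not break line orientation.
SAMPLE_XML = """<log>
  <event time="2024-01-05T10:00:00Z" level="INFO" user="alice">
    <msg>login ok</msg>
  </event>
  <event time="2024-01-05T10:00:07Z" level="WARN" user="bob">
    <msg>login failed
reason=bad password</msg>
    <src>10.0.0.5</src>
  </event>
</log>
"""


def escape(value):
    """Escape backslashes, quotes, newlines and tabs so a value stays on one line."""
    return (value.replace("\\", "\\\\").replace('"', '\\"')
                 .replace("\n", "\\n").replace("\t", "\\t"))


def flatten_event(event):
    """Render one <event> element as a single key="value" line.
    Attributes come first, then each child element's text content."""
    fields = [f'{key}="{escape(value)}"' for key, value in event.attrib.items()]
    for child in event:
        fields.append(f'{child.tag}="{escape(child.text or "")}"')
    return " ".join(fields)


def flatten_xml_log(xml_text):
    """Parse the XML log and return one single-line record per <event>."""
    root = ET.fromstring(xml_text)
    return [flatten_event(ev) for ev in root.iter("event")]


if __name__ == "__main__":
    for line in flatten_xml_log(SAMPLE_XML):
        print(line)
```

Because the collector reads whole lines, the escaping of embedded newlines is the part that matters: a multi-line message would otherwise be split into two partial events that the parser cannot match.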