AnsweredAssumed Answered

How to parse an "XML" kind of format log into SA?

Question asked by Erika Szabo on May 26, 2017
Latest reply on May 31, 2017 by Erika Szabo

Like • Show 0 Likes0
Comment • 3

Hi All!

I should create a new custom netwitness log parsers for a database from syslog, but the format is like XML, so the esi tool can not cope with the <> characters.

Log Sample:

May 25 07:21:32 db db: <ROW><DB_NAME>db045</DB_NAME><ACTION_NAME>LOGOFF</ACTION_NAME><RETURN_CODE>0</RETURN_CODE>

May 25 07:21:32 db db: <ROW><DB_NAME>db045</DB_NAME><ACTION_NAME>LOGON</ACTION_NAME><RETURN_CODE>0</RETURN_CODE>

I set to bold the variables we need to parse. The other part of the log is static. Is there a way to do this?

Thank You, Erika

No one else has this question

Outcomes

3 Replies

Arthur Costigan May 27, 2017 9:26 AM
Mark Correct
Correct Answer
Erika

Take a look at this code. It's simple (and untested obviously) but I think it will help point you in the right direction on how to use the ESI tool for this format log.
Attachments
- v20_newdevicexmlmsg.xml.zip452 bytes
1 person found this helpful
Like • Show 0 Likes0
Actions
- Erika Szabo @ Arthur Costigan on May 30, 2017 4:07 AM
  Mark Correct
  Correct Answer
  Thank You Arthur,
  in this case will the ESI tool parse the event?
  I created a parser, which looks fine in the ESI tool, but the log events are not parsed. I put the xml and the data sample as well (I could not attache ). Maybe you could have a look at it.
  Thank You, Erika
  
  May 25 07:21:32 oracle oracle: <ROW><DB_NAME>db046</DB_NAME><ACTION_NAME>LOGON</ACTION_NAME><RETURN_CODE>0</RETURN_CODE>
  May 25 07:21:32 oracle oracle: <ROW><DB_NAME>db046</DB_NAME><ACTION_NAME>LOGOFF</ACTION_NAME><RETURN_CODE>0</RETURN_CODE>
  
  
  <HEADER
    id1="HDR1"
    id2="HDR1"
    content="<hmonth><hday><htime> oracle oracle: <<ROW><<DB_NAME><db_name><<DB_NAME><<ACTION_NAME><messageid><<!payload:$START>"/>
  <MESSAGE
    id1="LOGON"
    id2="LOGON"
    eventcategory="1401040000"
    content="<hmonth><hday><htime> oracle oracle: <<ROW><<DB_NAME><db_name><<DB_NAME><<ACTION_NAME><messageid><</ACTION_NAME><<RETURN_CODE><result><</RETURN_CODE>"/>
  Like • Show 0 Likes0
  Actions
  - Erika Szabo @ Erika Szabo on May 31, 2017 5:28 AM
    Mark Correct
    Correct Answer
    Hi all, now it is working. There was a < missing from the header. So the correct header is:
    content="<hmonth><hday><htime> oracle oracle: <<ROW><<DB_NAME><db_name><<DB_NAME><<ACTION_NAME><messageid><<<!payload:$START>"/>
    Thank You Arthur for the help.
    Like • Show 0 Likes0
    Actions

How to parse an "XML" kind of format log into SA?

Outcomes

Attachments

Related Content

Recommended Content