Hi All,
We are currently exploring the new option in Event source ---> Log Parser in Netwitness 11.1.0.1, Can any one provide us more details on the usage, there is no related doc available. We are trying to streamline all the events source and get the exact value out of this.
* How to populate the unknown logs in this field?
* How does this filed help us to streamline the event logs ?
* What is meant by Log Parsers on the left and Rules on the right ?
Hi Marinos,
Thanks for your response, But as the the snapshot attached in our console the Log parser as well as the rule tab is complete empty and am not able to get any logs populated in this fields, in the doc which you have pasted also has details on how to processed further after the logs in been sent to this place but we are stuck at the initial level.
Kindly advise
Hi Suresh,
Please note that this functionality was very limited for 11.1. With the release of 11.2, which is rapidly approaching, this functionality is more fully fleshed out.
Logically, that's where the word "BETA" on both documentation and the ESM tab: Log Parser rules (exactly like the Settings tab in ESM) would come handy and save both sides from exchanging posts like this one and raising Support, DOC and BUG tickets.
check your log decoder, make sure default parser is enabled.
That will get you the word default in the left log parsers box.
default only works with unknown messages
default brings with it a number of well know tags for strong tokens (hostname=, srcip= etc.)
tokens are listed in the tokens box
these were pulled from all our parsers to find the most confident tokens that could be extracted as meta
when you enable the default log parser on your log decoder you get values show up in the right box
when you click on those rules on the right you will see where they match in the message at the bottom
if you have unknown messages and the default parser is enabled you will start to see meta extracted based on these tokens which means you will still get value from them rather than just word meta.
in some cases that will be sufficient to use those unknown messages if the values you need come from these well known tokens ( like searching for an IP address across all messages)
This isn't Beta
It works today as designed for this release and is being enhanced in subsequent releases.
For instance this event
type=2407 audit(1531966179.348:21979): pid=11571 uid=0 auid=0 ses=2173 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac=(null) pfs=diffie-hellman-group-exchange-sha256 spid=11571 suid=0 rport=55711 laddr=192.168.254.23 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.252.22.92 terminal=? res=success'
Unknown message would normally have word meta only
Now you get values extracted
where the value is extracted to depends on the token and if context can be determined (is it a source IP or destination IP, if it cannot be determined from the token name then it goes into a generic key for that value)
As per the comments from Kevin we have deployed the default parser and the "Rule" tab under Log Parser rule got populated, now let us know the next process how to extract the logs which is currently parsing under "unknown " and then do the parsing to get the exact value?
I had the exact same problem.
Then, I checked if the "Default Parser" was available by ...um... default on my v11.1 decoder(s). It wasn't. Aha!
So, I searched on Live for "default" and found the "Default Parser".
Downloaded the default.envision file.
Uploaded (deployed) to my decoders.
Reloaded my parsers.
Then went back to Admin - Event Sources - Log Parser Rules ...
And ... ta da!
Hi Kevin,
Thanks, We deployed the default parser and the same page was populated in my console, But as per the above comments this is not fully accessible we have some limitations.
If there is any work around for the same please let us know.
There is nothing else for you to do. Any log messages that arrive at the log decoder where the default parser is enabled will parse additional meta into the relevant keys as defined by the default parse and the visible regex patterns.
You should be able to copy and paste sample unknown messages into the box at the bottom of that screen to see how the tokens apply to that message if you want to see what it does. There will be additional tokens that will be added to different parsers as releases are pushed out by RSA, but for now, its hands off from the analyst part.
Enable the default parser, any tokens that match unknown messages will parse out automatically.
Eric
This should get you started ESM: Log Parser Rules Tab until RSA find time to fill up Log Parser Rules Tab which sits like that for 20 days now (not sure if it will be any different or copy paste).