10.6.5.x and 11.1 now have the ability to apply -custom.xml log parser files to reduce the need for forking a parser to customize log parsing for a particular device. This means that you no longer have to remove a parser from the auto-update RSA Live flow just to add a custom entry or modify one event id to suit a specific use case.
Documentation on how this is done can be seen here: Log Parser Customization
Here is how this was implemented to provide enhanced parsing of LOGBinder events without breaking the existing log parsing provided by RSA.
LOGBinder is available from here: LOGbinder
I also noticed a Splunk application with some interesting events worth paying attention to; those events were the basis for the additional parsing created in this example: LOGbinder Solutions - Active Directory Change Auditing
Sample events were gathered and replayed against the stock RSA Live msexchange parser in NetWitness.
Locate the events in investigation (device.type='msexchange')
Reviewing the Splunk app's savedsearches.conf and macros.conf, I could see that many of the rules were reference.id driven; however, a few were more complicated and might require more parsing work to get the needed values.
Those events included ones found from this drill:
device.type='msexchange' && category='exchange' && reference.id ='25001','25002','25003','25004','25005','25006','25007','25008','25009','25010','25011'
An Application rule helped locate these in my testing:
Looking at the event.description fields, we can see that some of the events appear to contain more data than they should, and the values we want to extract are not parsed out.
We are looking to extract the following values: logonType, client, client IP and process name, as well as reduce the event description to something shorter.
Steps to solve:
The custom xml file is attached which you can use in your environment.
GitHub - epartington/rsa_nw_log_LOGBinder: LOGBinder custom parser and application rule content
The benefit of this approach is that the RSA Live parser keeps receiving updates while the custom entries are maintained alongside it; if the modifications are eventually rolled into the RSA parser, the -custom file can be removed so that only the OOTB parser is used.
Look out for a future blog post with content for RSA NetWitness LOGBinder events.