These enhancements are part of a strategic initiative to clean all the parsers and remove the enVision footprint, resulting in parsers that are more manageable, maintainable and flexible.
1. The following tags were removed from the parser:
Before:
<MESSAGE
level="6"
parse="1"
parsedefvalue="1"
tableid="90"
id1="addmember"
id2="addmember"
eventcategory="1701010000"
content="<@ec_theme:Configuration><@msg:*PARMVAL($MSG)><@event_time:*EVNTTIME($HDR,'%B %F %N:%U:%O %W',hmonth,hdate,htime,hyear)><@:*SYSVAL($MSGID,$ID1)><@action:addmember>addmember for <username> from <daddr> for group <group> exited with <disposition>"/>
After:
<MESSAGE
id1="addmember"
id2="addmember"
eventcategory="1701010000"
functions="<@ec_theme:Configuration><@msg:*PARMVAL($MSG)><@event_time:*EVNTTIME($HDR,'%B %F %N:%U:%O %W',hmonth,hdate,htime,hyear)><@:*SYSVAL($MSGID,$ID1)><@action:addmember>"
content="addmember for <username> from <daddr> for group <group> exited with <disposition>" />
2. Separate the functions out of the content line, creating two tags, functions and content, for each message id:
Before:
content="<@ec_theme:Configuration><@msg:*PARMVAL($MSG)><@event_time:*EVNTTIME($HDR,'%B %F %N:%U:%O %W',hmonth,hdate,htime,hyear)><@:*SYSVAL($MSGID,$ID1)><@action:addmember>addmember for <username> from <daddr> for group <group> exited with <disposition>"/>
After:
functions="<@ec_theme:Configuration><@msg:*PARMVAL($MSG)><@event_time:*EVNTTIME($HDR,'%B %F %N:%U:%O %W',hmonth,hdate,htime,hyear)><@:*SYSVAL($MSGID,$ID1)><@action:addmember>"
content="addmember for <username> from <daddr> for group <group> exited with <disposition>" />
3. Removed the duplicate functions from the content line:
In certain log parsers a few duplicate functions were present; these were removed.
Before:
<MESSAGE
id1="000004"
id2="Access"
eventcategory="1001000000"
functions="<@saddr:*HDR(hfld0)><@event_type:VPN><@event_time:*EVNTTIME($HDR,'%W%G%F %H:%U:%O',hfld31,hfld32,hfld33,time)><@:*SYSVAL($MSGID,$ID1)><@msg:*PARMVAL($MSG)><@realm:*HDR(hfld1)><@group:*HDR(hgroup)><@username:*HDR(husername)><@domain:*HDR(hdomain)><@action:access blocked><@username:*HDR(husername)>"
content="Access blocked after DNS lookup. Check Web ACL settings - Host: <hostip>, Request: {<web_method> <webpage> <fld1> | <url>}" />
After:
<MESSAGE
id1="000004"
id2="Access"
eventcategory="1001000000"
functions="<@saddr:*HDR(hfld0)><@event_type:VPN><@event_time:*EVNTTIME($HDR,'%W%G%F %H:%U:%O',hfld31,hfld32,hfld33,time)><@:*SYSVAL($MSGID,$ID1)><@msg:*PARMVAL($MSG)><@realm:*HDR(hfld1)><@group:*HDR(hgroup)><@username:*HDR(husername)><@domain:*HDR(hdomain)><@action:access blocked>"
content="Access blocked after DNS lookup. Check Web ACL settings - Host: <hostip>, Request: {<web_method> <webpage> <fld1> | <url>}" />
4. Removed EE collisions (an RSA enVision legacy-product concept):
EE collisions were an enVision concept, so we removed them.
Before:
<MESSAGE
id1="chpasswd"
id2="chpasswd"
eventcategory="1701020000"
functions="<@ec_subject:Password><@ec_theme:Configuration><@msg:*PARMVAL($MSG)><@event_time:*EVNTTIME($HDR,'%B %F %N:%U:%O %W',hmonth,hdate,htime,hyear)><@:*SYSVAL($MSGID,$ID1)><@action:chpasswd><@fld61:*PARMVAL(disposition)>"
content="chpasswd for <username> from <daddr> exited with <disposition>" />
After:
<MESSAGE
id1="chpasswd"
id2="chpasswd"
eventcategory="1701020000"
functions="<@ec_subject:Password><@ec_theme:Configuration><@msg:*PARMVAL($MSG)><@event_time:*EVNTTIME($HDR,'%B %F %N:%U:%O %W',hmonth,hdate,htime,hyear)><@:*SYSVAL($MSGID,$ID1)><@action:chpasswd><@fld61:*PARMVAL(disposition)>"
content="chpasswd for <username> from <daddr> exited with <disposition>" />
5. INI migration for future use:
During this parser cleaning process we have also pulled the needed tags from the INI file into the parser; this move is intended to remove the dependency on the INI file in the future.
All the changes made to the parsers during this cleaning project will have no backward compatibility impact.
We have already posted a few such cleaned parsers to Live during our pilot project (15 parsers were posted to Live). To take advantage of these improvements, you will need to download the latest versions of the Log Parsers, which will be released to the NetWitness Live Portal by 1st September 2017.
Note: For customized parsers, merge your customizations into the parser from Live just as before, but make sure you remove the obsolete tags (mentioned above) and split up the functions and content tags. It will continue to work even otherwise, but you will not have a cleaned parser.
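As an added example, not code from the original post or from RSA/NetWitness, here is a small Python script that applies items 1 to 3 to a MESSAGE element and, more usefully for the merge described in the note, reports what a customized MESSAGE still needs before it counts as cleaned. The element is handled as text (regular expressions over name="value" pairs) because the content values hold literal angle brackets that a strict XML parser would reject; the two sample elements are the Before blocks from items 1 and 3 above, embedded as constructed strings. It does not attempt item 4, since the post does not show what the EE-collision tags looked like.

```python
import re

# Attributes the cleanup removes from every <MESSAGE> element (item 1 above).
OBSOLETE_ATTRS = ("level", "parse", "parsedefvalue", "tableid")

ATTR_RE = re.compile(r'(\w+)="([^"]*)"')   # name="value" pairs inside the element
FUNC_RE = re.compile(r"<@[^>]*>")          # one <@name:value> function tag

# Constructed samples: the "Before" elements from items 1 and 3 of the post.
SAMPLE_BEFORE = '''<MESSAGE
level="6"
parse="1"
parsedefvalue="1"
tableid="90"
id1="addmember"
id2="addmember"
eventcategory="1701010000"
content="<@ec_theme:Configuration><@msg:*PARMVAL($MSG)><@event_time:*EVNTTIME($HDR,'%B %F %N:%U:%O %W',hmonth,hdate,htime,hyear)><@:*SYSVAL($MSGID,$ID1)><@action:addmember>addmember for <username> from <daddr> for group <group> exited with <disposition>"/>'''

SAMPLE_DUP = '''<MESSAGE
id1="000004"
id2="Access"
eventcategory="1001000000"
functions="<@saddr:*HDR(hfld0)><@event_type:VPN><@event_time:*EVNTTIME($HDR,'%W%G%F %H:%U:%O',hfld31,hfld32,hfld33,time)><@:*SYSVAL($MSGID,$ID1)><@msg:*PARMVAL($MSG)><@realm:*HDR(hfld1)><@group:*HDR(hgroup)><@username:*HDR(husername)><@domain:*HDR(hdomain)><@action:access blocked><@username:*HDR(husername)>"
content="Access blocked after DNS lookup. Check Web ACL settings - Host: <hostip>, Request: {<web_method> <webpage> <fld1> | <url>}" />'''


def parse_message(element: str) -> dict:
    """Return the attributes of one <MESSAGE .../> element, in source order.
    Scanned textually: the values hold literal '<' and '>' (the <@...>
    functions and the <username>-style captures), so an XML parser would fail.
    """
    return dict(ATTR_RE.findall(element))


def split_functions(text: str):
    """Split the leading run of <@...> function tags from whatever follows.
    Returns (function_tags, remainder). Capture markers such as <username>
    do not start with '<@', so they stay in the remainder.
    """
    funcs, pos = [], 0
    while True:
        m = FUNC_RE.match(text, pos)
        if not m:
            return funcs, text[pos:]
        funcs.append(m.group(0))
        pos = m.end()


def lint_message(attrs: dict) -> list:
    """List what still needs cleaning in a MESSAGE (empty list means clean)."""
    problems = []
    for key in OBSOLETE_ATTRS:
        if key in attrs:
            problems.append(f"obsolete attribute {key} still present")
    embedded, _ = split_functions(attrs.get("content", ""))
    if embedded:
        problems.append(f"{len(embedded)} function tag(s) still embedded in content")
    funcs, _ = split_functions(attrs.get("functions", ""))
    for dup in sorted({f for f in funcs if funcs.count(f) > 1}):
        problems.append(f"duplicate function {dup}")
    return problems


def clean_message(attrs: dict) -> dict:
    """Apply items 1-3: drop obsolete attributes, move the functions out of
    content into the functions attribute, and remove duplicate functions
    (first occurrence wins, so relative order is preserved)."""
    cleaned = {k: v for k, v in attrs.items() if k not in OBSOLETE_ATTRS}
    existing, _ = split_functions(cleaned.get("functions", ""))
    embedded, body = split_functions(cleaned.get("content", ""))
    cleaned["functions"] = "".join(dict.fromkeys(existing + embedded))
    cleaned["content"] = body
    return cleaned


def render_message(attrs: dict) -> str:
    """Write the element back out one attribute per line, as in the post,
    with functions and content as the last two attributes."""
    head = [k for k in attrs if k not in ("functions", "content")]
    lines = ["<MESSAGE"] + [f'{k}="{attrs[k]}"' for k in head]
    lines.append(f'functions="{attrs["functions"]}"')
    lines.append(f'content="{attrs["content"]}" />')
    return "\n".join(lines)


if __name__ == "__main__":
    for sample in (SAMPLE_BEFORE, SAMPLE_DUP):
        attrs = parse_message(sample)
        print("problems:", lint_message(attrs))
        print(render_message(clean_message(attrs)), end="\n\n")
```

Running lint_message over every MESSAGE in a merged parser before posting it is the practical check: an empty list for each element means the obsolete tags are gone, nothing is left embedded at the front of content, and the functions attribute carries no duplicates.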