2014-04-16 05:44 AM
I want to create a report of all users who are using remote login over HTTP, like logmein, gotomypc, teamviewer, etc. And I just want to know the rule/parameter.
2014-04-16 07:42 AM
maybe triggering the domains?
alias.host = "teamviewer.com", "gotomypc.com", "secure.logmein.com"
for some services there might be user-agent info that you can trigger on, e.g., for teamviewer
client contains "dyngate"
2014-04-16 09:43 AM
Thank you Johannes 🙂 Nice input
2014-04-17 02:49 AM
Is there any parser on Security Analytics which can pull all users who have used "Remote Access" over HTTP?
Please do the needful.
Regards,
Tulsipriyan
2014-04-17 05:48 AM
For many use cases there is content in Live. For instance, there's an 'alert.id = "access:remote-success"' used by the SA report "Successful Remote Access Details". If you have a Live subscription, try deploying rules and reports related to "remote access". Then do remote logins with the services that you would like to monitor and see how the results are presented in SA.
Only if the rules/parsers/reports from Live don't suffice (or if you don't have a subscription) should you start writing your own rules/parsers/reports.
In general you only write parsers if you want to extract metadata that NW doesn't already generate. So for example if clients submit extra information in a special HTTP header or you use a special proxy authentication scheme. Give an example of an HTTP request made by a client and I might show you how to write a parser.
Once you have the metadata (say in "username") you can create an SA report based on a rule like
SELECT ip.src, username WHERE alias.host = logmein.com, gotomypc.com, ...
But again, chances are that Live already provides some parts of what you would like to achieve.
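The two triggers Johannes describes (destination hostnames and a user-agent substring such as "dyngate"), applied outside SA to sample proxy log lines, as an added example that is not part of the thread or of NetWitness. The log format (time, user, source IP, host, user-agent) and all log entries are constructed here; the domain list and the "dyngate" marker come from the thread.

```python
import re
from collections import defaultdict

# Remote-access services named in the thread, matched as hostname suffixes so
# that subdomains such as secure.logmein.com are caught too.
REMOTE_ACCESS_HOSTS = ("teamviewer.com", "gotomypc.com", "logmein.com",
                       "netviewer.com", "radmin.com")
# User-agent substring the thread gives for TeamViewer.
REMOTE_ACCESS_AGENTS = ("dyngate",)

# Constructed proxy log lines (assumed format: time user src_ip host user_agent).
SAMPLE_LOG = """\
2014-04-17T08:01:12Z alice 10.1.2.3 secure.logmein.com Mozilla/5.0
2014-04-17T08:02:40Z bob 10.1.2.4 www.example.com Mozilla/5.0
2014-04-17T08:03:05Z carol 10.1.2.5 relay.example.net DynGate
2014-04-17T08:04:50Z alice 10.1.2.3 master1.teamviewer.com Mozilla/5.0
2014-04-17T08:05:11Z dave 10.1.2.6 notteamviewer.com Mozilla/5.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")


def host_matches(host, domains=REMOTE_ACCESS_HOSTS):
    """True if host equals a listed domain or is a dot-bounded subdomain of one.
    A plain substring test would wrongly flag notteamviewer.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def agent_matches(user_agent, markers=REMOTE_ACCESS_AGENTS):
    """True if the user-agent contains one of the client markers."""
    ua = user_agent.lower()
    return any(m in ua for m in markers)


def remote_access_report(log_text):
    """Map username -> sorted (src_ip, host) hits, the equivalent of the
    'SELECT ip.src, username WHERE alias.host = ...' report in the thread."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole report
        _time, user, src_ip, host, ua = m.groups()
        if host_matches(host) or agent_matches(ua):
            hits[user].add((src_ip, host))
    return {user: sorted(events) for user, events in hits.items()}


if __name__ == "__main__":
    for user, events in remote_access_report(SAMPLE_LOG).items():
        print(user, events)
```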
2014-04-18 05:25 AM
Thank you Johannes, I got that and created the report. The problem with our setup is that there is no log decoder; however, I used the below query and got the output.
Select ip.src,username,alias.host,ip.dst,service type,time,src country exist,dst country exist
where alias.host contains 'netviewer.com','teamviewer.com','.radmin.com' and etc.....
Thanks for your valuable inputs!
Regards,
Tulsipriyan