2016-12-21 01:20 PM
I am creating a parser for a device in Netwitness 10.6.2 and I need it to be able to skip over fields that don't appear in the log. For example, I have a category and event description separated by a comma, but occasionally there is no event description.
Examples:
File Integrity Change -- SRC_IP: ...
AV Policy violation, vulnerable Java version detected on SRC_IP -- SRC_IP: ...
My first cut at the content line in the parser doesn't account for the first option. Can I write a simple regex to exclude the event_description if it doesn't exist?
content="<category>,<event_description>-- SRC_IP: ...
2017-01-16 03:34 PM
Dion,
Why do you need to skip over a field? If the field doesn't exist at all on some logs coming from a single event source, try creating another message header section in the log parser that looks specifically for logs that are built without the event_description. The idea here is that if you look at existing log parsers, there are multiple message headers that are used to tailor your parser to different formats of logs for a specific event source. If you aren't using the ESI Tool, I highly suggest you try it out. This may help you get your parser to where you want it.
ESI Tool Demonstration - Video Link: 22579
ESI Tool Download - https://community.rsa.com/docs/DOC-41686
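The two approaches discussed in this thread, the single pattern with an optional event_description from the question and the separate per-format message headers from the reply, shown side by side as an added Python example (it is not code from either post and does not use the NetWitness parser syntax; the sample lines, IPs and header names are constructed, and plain regexes stand in for the parser's content definitions):

```python
import re

# Constructed sample lines modelled on the two shapes quoted in the question.
SAMPLE_LOGS = [
    "File Integrity Change -- SRC_IP: 10.0.0.5",
    "AV Policy violation, vulnerable Java version detected on SRC_IP -- SRC_IP: 10.0.0.7",
]

# Approach 1 (the question): one pattern in which ", <event_description>" is an
# optional group, so the same content line handles both shapes.
ONE_PATTERN = re.compile(
    r"^(?P<category>[^,]+?)"                 # category, stops at a comma or at ' -- '
    r"(?:,\s*(?P<event_description>.+?))?"   # optional ', <description>'
    r"\s*-- SRC_IP:\s*(?P<src_ip>\S+)"       # the SRC_IP field that both shapes carry
)

def parse_optional(line):
    """Return the fields; event_description is None when the log omits it."""
    m = ONE_PATTERN.match(line)
    return m.groupdict() if m else None

# Approach 2 (the reply): one message header per log format. The more specific
# header (with description) is tried first, then the one without it.
MESSAGE_HEADERS = [
    ("with_description", re.compile(
        r"^(?P<category>[^,]+),\s*(?P<event_description>.+?)\s*-- SRC_IP:\s*(?P<src_ip>\S+)")),
    ("without_description", re.compile(
        r"^(?P<category>.+?)\s*-- SRC_IP:\s*(?P<src_ip>\S+)")),
]

def parse_by_headers(line):
    """Return the fields plus which header matched, or None if no header fits."""
    for header_id, pattern in MESSAGE_HEADERS:
        m = pattern.match(line)
        if m:
            fields = m.groupdict()
            fields["message_id"] = header_id  # useful for checking which format fired
            return fields
    return None

if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(parse_optional(log))
        print(parse_by_headers(log))
```

The second approach makes it obvious in the parsed output which format each log took, which is the same diagnostic benefit separate message headers give in the real parser.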