NetWitness Community

CraigCameronWei · ‎2016-10-17

Can this be done? I'd like to modify the Live parser for a specific device type (varonisprobe) to include additional meta (specifically a rule name). I've downloaded the varonisprobe.netwitness file from Live, but when I try and import it into ESI, there are no defined headers or messages visible in the tool.

I could create a whole new parser from scratch, but that seems pretty stupid if all I need is a small modification.

DavidWaugh1 · ‎2016-10-17

Hi the file you downloaded can be extracted as a zip file.

Within the contents you can find the parser xml file

Sent from my iPhone

CraigCameronWei · ‎2016-10-17

ESI's import function looks for .zip and .netwitness fles. Then it opens the xml file you're referring to. My problem is that the tool doesn't show the headers/messages for the parser when the file is opened.

Anonymous · ‎2016-10-18

Are you trying to using ESI on Windows 7?, also you can try moving parser xml on C:/ path and try againg.

AndreasFunk · ‎2016-10-19

Hi Craig,

you can open the varonisprobe.envision file with 7-Zip or WinZip. In the /etc/devices subfolder, extract the varonisprobe folder to your hard disk C: (the complete folder). Then you can open (not import) the v20_varonisprobemsg.xml file in the ESI tool.

Importing will also work with the .envision extension. When I go to headers and messages, I see values. The resulting parser files should be in the C:\ drive however and the folder should not be too nested within the system.

Hope that helps.

NetWitness Community

Exporting parsers to edit with ESI?