2022-11-20 06:22 PM
Hello,
I'm attempting to create a log parser for our web proxy, which doesn't already have a parser.
I've watched the YouTube series on log parser creation created by @DaveGlover .
In the section about creating the header I need some assistance in determining where I would create the header for my particular log file.
It's in CEF format and I've attached some sample logs.
If I remember correctly the header should be created at the point where the log entry differs.
In my example that would be after the 2.0|1|<event_type>|5. In the YT video it was dealing with name-value pairs, so I'm a little confused as to how to deal with this one.
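For reference, here is how the CEF header/extension boundary the question is asking about falls out of the format itself. This is an added example, not code from the thread, from NetWitness or from the vendor: the sample line is constructed (it only mirrors the `...|2.0|1|<event_type>|5|` shape mentioned above), and `META_KEY_MAP` is an assumed, illustrative mapping rather than any real table-map. CEF has exactly seven pipe-delimited header fields (version, vendor, product, device version, signature id, name, severity); everything after the seventh pipe is the key=value extension. The parser honours the two escape rules that usually break naive splitting: `\|` and `\\` in the header, and `\=`, `\\`, `\n`, `\r` in extension values.

```python
import re

# Constructed sample line (not the thread's attachment). Its header follows the
# shape the question describes: ...|2.0|1|<event_type>|5|<extensions>.
SAMPLE_LINE = (
    "CEF:0|ExampleVendor|WebProxy|2.0|1|url_request|5|"
    "src=10.0.0.5 dst=93.184.216.34 request=http://example.com/a\\=b "
    "act=blocked msg=Category\\=Malware\\nPolicy hit"
)

# The seven header fields of a CEF record, in wire order.
HEADER_FIELDS = (
    "version", "device_vendor", "device_product", "device_version",
    "signature_id", "name", "severity",
)

# Assumed, illustrative mapping from CEF extension keys to NetWitness-style
# meta keys; check it against your own table-map.xml before relying on it.
META_KEY_MAP = {"src": "ip.src", "dst": "ip.dst", "request": "url",
                "act": "action", "msg": "msg"}

# Extension token: key=value, where the value runs until the next " key=".
# Keys never contain whitespace, '=' or a backslash, so an escaped "\=" inside
# a value cannot be mistaken for the start of the next key.
_EXT_TOKEN = re.compile(r"\s*([^\s=\\]+)=((?:\\.|[^\\])*?)(?=\s+[^\s=\\]+=|$)")


def _split_header(line):
    """Split on unescaped '|' until 7 header fields are read; the rest is the extension."""
    fields, current, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):      # "\|" and "\\" are literal in the header
            current.append(line[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(c)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 pipe-delimited fields")
    return fields, line[i:]


def _unescape_extension(value):
    r"""Undo extension escapes: \= -> '=', \\ -> '\', \n and \r -> newline / CR."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_cef(line):
    """Parse one CEF record into its header fields plus an 'extensions' dict."""
    fields, extension = _split_header(line.rstrip("\r\n"))
    if not fields[0].startswith("CEF:"):
        raise ValueError("record does not start with 'CEF:'")
    record = dict(zip(HEADER_FIELDS, fields))
    record["version"] = fields[0][len("CEF:"):]
    record["extensions"] = {
        m.group(1): _unescape_extension(m.group(2))
        for m in _EXT_TOKEN.finditer(extension)
    }
    return record


def to_meta(record):
    """Rename extension keys via META_KEY_MAP; unknown keys keep their CEF name."""
    return {META_KEY_MAP.get(k, k): v for k, v in record["extensions"].items()}


if __name__ == "__main__":
    parsed = parse_cef(SAMPLE_LINE)
    for key in HEADER_FIELDS:
        print(f"{key:15} {parsed[key]}")
    for key, value in to_meta(parsed).items():
        print(f"{key:15} {value!r}")
```

Running the file prints the seven header fields followed by the extension pairs under their mapped names. The practical point for the parser header question: the fixed part of the record ends at the seventh pipe, so if a vendor's "CEF" only breaks a stock parser in the extension part, the header logic can stay as the standard CEF one and only the key mapping needs attention.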
2022-11-20 06:34 PM
Jeremy. If you had the CEF parser enabled, that log should have automatically been parsed. Did you try that route before creating a new parser?
2022-11-20 07:23 PM
Yeah, we've tried that path but it's not parsing everything correctly. While the vendor says this is CEF I suspect they've customised the format for their own needs.
2022-11-20 07:53 PM
Actually maybe I can use the CEF parser. I just opened the cef_v2.xml file from one of my decoders in the LPT tool and then opened a sample of log files. It seems to map the header correctly.
I guess the next question would be, what's the next step to map all the fields to NetWitness meta keys?
2022-11-20 07:56 PM
That doesn't look like a traditional CEF parser but something that was written outside the CEF engine. If you want to email the parser and a log sample I can take a look.
2022-11-20 07:58 PM - edited 2022-11-20 08:13 PM
I just downloaded the file cef.xml that was located in "/etc/netwitness/ng/envision/etc/devices/cef/".