This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Help with Custom Parser

MyronEstibeiro
Beginner
Beginner

‎2016-10-24 07:04 AM

Hi, I'm trying to create a custom parser for an appliance that generates log messages in JSON format. Can anyone please  help me point at any resource that can help?

I have created custom parsers earlier that generated txt files, but I'm having difficulties in parsing the JSON text.

0 Likes
5 REPLIES 5

ArthurCostigan1
Frequent Contributor Frequent Contributor
Frequent Contributor

‎2016-10-26 10:34 AM

Myron

 

JSON, while being arguably an excellent logging format for applications, it logs in a multi line format.  Netwitness for Logs can only parse single line logs. So in order to accurately parse JSON format, you will need to pre-process the logs into a single line format.  This would involve looking for "braced" ({ }) lines and other delimiters and concatenating multiple entries into a single line.  

0 Likes

MyronEstibeiro
Beginner
Beginner

‎2016-10-29 02:00 AM

Thank you for the insight Oj2tqPhEV7pi5mR8EY3PQXHtgPuI9Vk2SNDA9WW6hKQ=‌. I appreciate  it. Do you recommend to use LUA for the parsing or ESI?

If you could you please provide any existing parsers that process JSON file, it would be of tremendous help. Could you please help?

0 Likes

MyronEstibeiro
Beginner
Beginner

‎2016-11-07 02:13 AM

I finally managed to create  a parser to process json based logs through ESI tool; however, I'm looking forward in developing all future parsers via LUA. Could someone please guide me to the resources available for LUA parsing development?

0 Likes

DavidWaugh1
Employee
Employee

‎2016-11-09 05:48 AM

The best way I found of learning LUA is by looking at some existing parsers and then modifying them.

There are some examples in the community is you search for LUA.

 

I'm very interested how you parsed your JSON logs. Would it be possible to paste some of your sample logs, you script to pre process the logs into single lines and your parser?

 

The think to remember in LUA is that each of our tokens can only contains 256 characters, so you will still need to split your logs into meta with an XML parser before you process them with a LUA parser.

0 Likes

ArthurCostigan1
Frequent Contributor Frequent Contributor
Frequent Contributor
In response to MyronEstibeiro

‎2016-11-10 03:13 PM

Myron, this is a good starting point...The Programming Language Lua  and  lua-users.org 

© 2022 RSA Security LLC or its affiliates. All rights reserved.