This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

How to create custom parser in security analytics

RSAAdmin
Beginner
Beginner

‎2013-11-12 05:38 AM

How to create custom parser in security analytics

0 Likes
9 REPLIES 9

Anonymous
Not applicable

‎2013-11-12 08:39 AM

Are you asking how to create a customer parser?  There are a bunch of threads on the Community talking about creating custom parsers such as this one:

 

There is also documentation on this on the docs.netwitness site here: http://docs.netwitness.com/1-RSA_Security_Analytics_User_Guide/50_Administration_Module/1_The_Devices_View/3_Device_Config_View/04_Config_View_Decoder/5_Parsers

0 Likes

Anonymous
Not applicable
In response to Anonymous

‎2013-12-16 03:28 PM

These links tell you how to upload a parser, I would like to know where the tool to build the parser is in SA?

0 Likes

RSAAdmin
Beginner
Beginner

‎2013-12-17 10:39 AM

The parsers themselves are built in your favorite text editor. I personally use notepad++ and add the parser extension into the XML language category for syntax highlighting. Alternatively, if you prefer you can use C:\Users\All Users\NetWitness\parsers\parsers.xsd in a text editor that supports it. I personally prefer the new Lua parser language over the older flex language. These are also created in a text editor.

0 Likes

RSAAdmin
Beginner
Beginner

‎2013-12-18 12:39 PM

Basically, go back and read the Envision documentation on this. It's no different. I do know that RSA has a parser tool similar to Arcsight's, that allows you to import your logs and it will parse like 80% of it. It's a back office tool so you need to really push to get it, but it's there. There is no "Security Analytics" documentation on creating custom parsers, and if you look at the SA docs on configuration of devices, there are about 21 docs. So don't hold your breath waiting for anything to help you out. Best of luck

0 Likes

Anonymous
Not applicable
In response to RSAAdmin

‎2014-02-04 12:50 AM

Have any idea about that parser tool, from where we can get this?

0 Likes

RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2015-02-03 12:35 PM

I would also be interested in this parser..I havent been able to find much regarding this yet..

0 Likes

Anonymous
Not applicable

‎2015-02-03 04:18 PM

have you read this?

Parsers Book.zip

0 Likes

RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2015-02-04 10:49 AM

Thanks, That document appears to be dedicated towards packet parsers, not log parsers.

0 Likes

Anonymous
Not applicable
In response to RSAAdmin

‎2015-02-04 01:42 PM

That is correct. I spoke with Will, who wrote that book, and he doesn't have an equivalent version for logs.  The good news is that partially due to this thread we've identified this as a need, the bad news is we don't have immediate documentation that can help. 

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.