This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

How to parse an "XML" kind of format log into SA?

Anonymous
Not applicable

‎2017-05-26 05:38 AM

Hi All! 

I should create a new custom #netwitness log parsers for a database from syslog, but the format is like XML, so the #esi tool can not cope with the <> characters. 

Log Sample: 

May 25 07:21:32 db db: <ROW><DB_NAME>db045</DB_NAME><ACTION_NAME>LOGOFF</ACTION_NAME><RETURN_CODE>0</RETURN_CODE>

May 25 07:21:32 db db: <ROW><DB_NAME>db045</DB_NAME><ACTION_NAME>LOGON</ACTION_NAME><RETURN_CODE>0</RETURN_CODE>

I set to bold the variables we need to parse. The other part of the log is static. Is there a way to do this? 

Thank You, Erika

0 Likes
3 REPLIES 3

ArthurCostigan1
Frequent Contributor Frequent Contributor
Frequent Contributor

‎2017-05-27 09:25 AM

Erika

 

Take a look at this code.  It's simple (and untested obviously) but I think it will help point you in the right direction on how to use the ESI tool for this format log.

v20_newdevicexmlmsg.xml.zip

Anonymous
Not applicable
In response to ArthurCostigan1

‎2017-05-30 04:07 AM

Thank You Arthur,

in this case will the ESI tool parse the event? 

I created a parser, which looks fine in the ESI tool, but the log events are not parsed. I put the xml and the data sample as well (I could not attache ). Maybe you could have a look at it. 

Thank You, Erika

 

May 25 07:21:32 oracle oracle:  <ROW><DB_NAME>db046</DB_NAME><ACTION_NAME>LOGON</ACTION_NAME><RETURN_CODE>0</RETURN_CODE>
May 25 07:21:32 oracle oracle:  <ROW><DB_NAME>db046</DB_NAME><ACTION_NAME>LOGOFF</ACTION_NAME><RETURN_CODE>0</RETURN_CODE>

 

 <!--SA=True-->
 <HEADER
  id1="HDR1"
  id2="HDR1"
  content="&lt;hmonth&gt;&lt;hday&gt;&lt;htime&gt; oracle oracle:  &lt;&lt;ROW&gt;&lt;&lt;DB_NAME&gt;&lt;db_name&gt;&lt;&lt;DB_NAME&gt;&lt;&lt;ACTION_NAME&gt;&lt;messageid&gt;&lt;&lt;!payload:$START&gt;"/>

 <MESSAGE
  id1="LOGON"
  id2="LOGON"
  eventcategory="1401040000"
  content="&lt;hmonth&gt;&lt;hday&gt;&lt;htime&gt; oracle oracle:  &lt;&lt;ROW&gt;&lt;&lt;DB_NAME&gt;&lt;db_name&gt;&lt;&lt;DB_NAME&gt;&lt;&lt;ACTION_NAME&gt;&lt;messageid&gt;&lt;&lt;/ACTION_NAME&gt;&lt;&lt;RETURN_CODE&gt;&lt;result&gt;&lt;&lt;/RETURN_CODE&gt;"/>

0 Likes

Anonymous
Not applicable
In response to Anonymous

‎2017-05-31 05:28 AM

Hi all, now it is working. There was a &lt; missing from the header. So the correct header is: 

  content="&lt;hmonth&gt;&lt;hday&gt;&lt;htime&gt; oracle oracle:  &lt;&lt;ROW&gt;&lt;&lt;DB_NAME&gt;&lt;db_name&gt;&lt;&lt;DB_NAME&gt;&lt;&lt;ACTION_NAME&gt;&lt;messageid&gt;&lt;&lt;&lt;!payload:$START&gt;"/>

Thank You Arthur for the help. 

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.