This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Log Parser file

SonamSingla
Contributor
Contributor

‎2018-03-14 07:03 AM

Is there any documentation for understanding Log parser xml file.

E.g what is the meaning of missField, functions and how can we generate the same output means please tell me the steps in ESA tool so that while creating a parser I can make the changes and this is generated in xml file. I mean to say tagval, missField, functions.

<MESSAGE
  id1="CISE_AD_Connector"
  id2="CISE_AD_Connector"
  eventcategory="########"
  tagval="true"
  missField="true"
  functions="<@msg:*PARMVAL($MSG)><@:*SYSVAL($ID1)><@event_time:*EVNTTIME($HDR,'%W%G%F %H%U%O',hyear,hmonth,hday,hhour,hmin,hsec)><@timezone:*HDR(hfld8)><@hostname:*HDR(hnode)><@id:*HDR(hfld4)><@id1:*HDR(hfld5)><@id2:*HDR(hfld6)><@operation_id:*HDR(hfld10)><@severity:*HDR(hseverity)><@category:*HDR(hfld11)><@event_description:*HDR(hevent_description)>"
  content="AD-Domain=<domain>, AD-Domain-Controller=<ac>, AD-IP-Address=<hostip>, AD-Log-Id=<li>, AD-Site=<as>,AD-Trusted-Domain=<at>,AD-Forest=<af>,AD-Error-Details=<result>,AD-Account-Name=<username>,AD-Hostname=<hostname>,AD-Srv-Query=<an>,AD-Srv-Record=<am>"/>

0 Likes
5 REPLIES 5

david_waugh
Beginner
Beginner

‎2018-03-14 08:14 AM

Tagval means that the message is made up of a=1, b=2,c=3 type values.

missField means that if one or more of these entries is missing then it will still parse.

 

Eg this parser will work on

a=1,c=3

b=2,c=3 

a=1

 

type messages.

0 Likes

DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2018-03-14 09:18 AM

Let me add a little more on to what David had said

 

Tagval is a special function that allows the parser to parse key value pair messages.

 

For example:  user=bob, ip=1.2.3.4, host=globalDC

 

We could very easily create a standard parser for the above, however with some devices they may not send the "ip" key if there is no value.  If that was the case you would get:

 

user=bob, host=globalDC.

 

If the above case, using a standard parser, the message would not parse as it is missing "ip="

 

If we use the Tagval function we get two benefits.

 

   1. The Keys can be missing or not.

   2. the Keys can come in any order.

 

There is one issue however..  The parser has to be built for all possible keys that are sent.

 

So in our above example-- if we send more keys that what was defined, such as --

 

user=bob, ip=1.2.3.4, host=globalDC, location=USA

 

That message would not parse as we have no definition for "location=" 

 

By adding the flag of "missfields"  This allows the parser to skip over "location=" and still parse the message.  The "location=" will no go anywhere, and it will no parse.

 

The right thing to do is to build the parser with all possible variations.  The missfields is a stop gap until you can.

 

Hope that helps

 

Dave

david_waugh
Beginner
Beginner
In response to DaveGlover

‎2018-03-14 11:36 AM

Thanks Dave! Your answer was much more complete!

0 Likes

SonamSingla
Contributor
Contributor
In response to david_waugh

‎2018-03-15 01:03 AM

Thanks David and Dave, need some more clarification on functions variable and also key-value checkbox is disabled in ESI tool, how to enable that. Please explain functions variable meaning as well. Any documentation on understanding xml parser.

0 Likes

SonamSingla
Contributor
Contributor
In response to SonamSingla

‎2018-03-15 06:58 AM

Also let me know how to edit existing parser as it is not giving option to edit the message.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.