This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Lua Parser for Logs

OmarGarciaGilio
Beginner
Beginner

‎2017-08-29 03:19 PM

Hello.

I want make lua parser for this kind of message logs:

%AURIS: login|2017-08-26 17:20:00|ogarciag
%AURIS: logout|2017-08-26 16:22:00|ogarciag
%AURIS: failed|2017-08-26 16:25:00|ogarciag

 

So far I got this:

 

local AurisParser = nw.createParser("auris_parser", "Parser de prueba AURIS")
AurisParser:setKeys({
    nwlanguagekey.create("device.type"),
    nwlanguagekey.create("msg.id"),
    nwlanguagekey.create("event.time"),
    nwlanguagekey.create("user.dst"),
    nwlanguagekey.create("msg"),
})
function AurisParser:GetMetas(token, first, last)
    -- nw.logInfo("Log_Device_match")
    local sepchar = "|"
    -- Capturamos log raw
    local payload = nw.getPayload()
    -- meta device.type
    local mycad = payload:tostring(first + 1, last - 2)
    nw.createMeta(self.keys["device.type"],mycad)
    -- meta msg.id
    local myindx = payload:find(sepchar, last + 1)
    mycad = payload:tostring(last + 1, myindx - 1)
    nw.createMeta(self.keys["msg.id"],mycad)

    -- meta event.time
    mycad = payload:tostring(myindx + 1, payload:find(sepchar, myindx + 1) - 1)
    myindx = payload:find(sepchar, myindx + 1)
    nw.createMeta(self.keys["event.time"],mycad)
    -- meta user.dst
    mycad = payload:tostring(myindx + 1, payload:len())
    nw.createMeta(self.keys["user.dst"],mycad)

    -- meta msg
    mycad = payload:tostring(last + 1, payload:len())
    nw.createMeta(self.keys["msg"],mycad)
end
AurisParser:setCallbacks({
    ["^%%AURIS: "] = AurisParser.GetMetas,
})

I get the metas I want, even can make a report, but why still seen the "unknown" device?

02.png

03.png

I really appreciate your help.

0 Likes
2 REPLIES 2

Anonymous
Not applicable

‎2017-08-29 03:25 PM

I have seen this before, but don't have a solid understanding yet as to why the condition exists.  It was as if the log parsing engine was expecting to run and have a parser, but since it didn't, it listed it as 'unknown'.

 

However, a work around can be implemented by creating a very simple traditional XML log parser that uses the HEADER "%AURIS: ".  I believe that would be enough to populate 'device.type' correctly and have Lua still do the parsing it needs to do.  If the XML parser is properly writing the 'device.type' meta, then you should just comment out that section from the Lua parser.  Otherwise, 'device.type' would have 2 values.

 

By they way....nice job on writing your own parser.

 

Chris

0 Likes

ThomasJones1
Respected Contributor Respected Contributor
Respected Contributor

‎2017-08-29 03:27 PM

Hi Omar,

I think you need to add your device to the parser. As we discussed... you need to define your devices and message ids... then you can work on the parser.  Just an idea.

 

local devicetable = ({ -- table of device.type I may want to evaluate. In this case it is only one. 

 ["as400"] = true,
  
})

 

Tom J

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.