2015-05-21 01:26 PM
I need to define a few extra fields in the vmware_view parser...specifically the DesktopPID field, PoolID, and DesktopDisplayName. In the CEF parser, it is pretty easy to define and get your additional fields to parse correctly. When I look at the vmware_view.xml parser, I do not see anywhere I can define what fields are going to be parsed out. I have the ESI tool and that does not seem to aid me in defining these fields...which leads me to believe that there is a "master" parser that defines these fields (much like the CEF parser).
If I am correct in my assumption that there is a master parser, what is its location and file name?
This brings up a second question: If the CEF parser is used to parse out CEF logs (specifically McAfee Web Gateway), what is the need for the other parser in Live: McAfee Web Gateway?
Is there any XML device parser specific information out there that I can read...other than ESI_Overview or the help file?
Thanks,
Eric
2015-06-03 09:08 AM
There is no master parser. The parsers are broken out by device type, with CEF as the exception. The CEF parser will, however, register a device.type value depending on the log being received and parsed.
The CEF parser was added in 10.4 and is a special parser engine that handles logs from any event source that logs in CEF log format. You will find a device-specific parser in Live as well as CEF for a specific device for a couple of reasons. One is that SA supported that device prior to 10.4 (when CEF was added), and/or because it is possible an event source logs in multiple formats for different event types (system: non-CEF vs. audit: CEF, for example).
Getting back to your original question on adding fields to a parser: you first need to identify if those fields are being collected and how (syslog, ODBC, file reader, etc.). If they are not being collected, then you need to edit the log collection configuration to add those fields. Once that is done, you can use that sample log with the ESI tool to update the parser.
Understandably, this requires some level of parser development and it is not straightforward. We are working to make this an easier workflow in future releases.
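The answer above describes why one CEF engine can serve many event sources: the device identity travels in the CEF header, and any extra fields (such as DesktopPID, PoolID or DesktopDisplayName) travel as key=value extensions, so nothing per-device has to be defined. The following is an added example written for this thread, not code from Security Analytics or its parsers, that implements the public CEF record format (header fields separated by unescaped `|`, extension keys separated by whitespace, with `\|`, `\\`, `\=` escapes) in Python. The two log lines are constructed for the example, and the way `device.type` is derived from vendor and product is an assumption made here, not how the product actually names device types.

```python
"""Minimal CEF (Common Event Format) parser.

Added example for this thread; not part of Security Analytics or any
vendor parser.  It shows that a single CEF engine can (a) identify the
event source from the header and (b) pick up arbitrary extension fields
without a per-device field definition.
"""
import re

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# An extension key is a run of non-space, non-'=' , non-backslash chars
# preceded by start-of-string or whitespace and followed by '='.  Because
# the class excludes '\', an escaped '\=' inside a value never looks like
# a key boundary.
_KEY_RE = re.compile(r"(?:^|\s)([^\s=\\]+)=")

_EXT_ESCAPES = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}


def _unescape_extension(value):
    """Undo the CEF extension escapes: \\\\, \\=, \\n, \\r."""
    return re.sub(r"\\([\\=nr])", lambda m: _EXT_ESCAPES[m.group(1)], value)


def split_header(line):
    """Return (list of 7 header fields, raw extension string).

    Header fields are separated by '|'; a literal pipe is written '\\|'
    and a literal backslash '\\\\', so a backslash always takes the next
    character verbatim.
    """
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    body = line[len("CEF:"):]
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, body[i:]


def parse_extension(ext):
    """Turn 'k1=v1 k2=v2 ...' into a dict; values may contain spaces."""
    out = {}
    keys = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        start = m.end()
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_extension(ext[start:end].strip())
    return out


def resolve_labels(event):
    """CEF custom fields (cs1, cn1, ...) carry their meaning in cs1Label etc.
    Expose each labelled value under its human name as well."""
    for key, label in list(event.items()):
        if key.endswith("Label") and key[:-len("Label")] in event:
            event[label] = event[key[:-len("Label")]]
    return event


def parse_cef(line):
    header, ext = split_header(line)
    event = dict(zip(HEADER_FIELDS, header))
    event.update(parse_extension(ext))
    # Assumption for this example only: derive a device type from the
    # header's vendor and product.  This is NOT how the product names
    # device.type; it just shows the header carries enough to do so.
    event["device.type"] = "{}_{}".format(
        event["device_vendor"], event["device_product"]).lower().replace(" ", "")
    return resolve_labels(event)


# Constructed sample records (not real product output).
SAMPLE_LOGS = [
    # VMware-View-style fields carried as CEF extensions
    "CEF:0|VMware|View|6.0|BROKER_USER_LOGGED_IN|User logged in|3|"
    "suser=jdoe src=10.1.2.3 DesktopPID=4242 PoolID=Win7-Pool "
    "DesktopDisplayName=Win7 Desktop 01 msg=Session created\\=ok",
    # McAfee-Web-Gateway-style record with an escaped pipe in the header
    "CEF:0|McAfee|Web Gateway|7.5|302|Block URL \\| policy 7|5|"
    "src=192.0.2.10 request=http://example.test/?q\\=1 "
    "cs1Label=Category cs1=Malware",
]


def parse_samples():
    return [parse_cef(line) for line in SAMPLE_LOGS]


if __name__ == "__main__":
    for ev in parse_samples():
        print(ev["device.type"], {k: ev[k] for k in sorted(ev)})
```

Running the module prints one dict per record; note that `DesktopPID`, `PoolID` and `DesktopDisplayName` come out of the first line with no field list anywhere in the parser, which is exactly the property the reply attributes to the CEF engine and why a device-specific XML parser still needs its fields declared.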