This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

New Features Of Log Parser in Netwitness 11.1.0.1

SureshThanikach
Beginner
Beginner

‎2018-07-19 02:17 AM

Hi All,

 

We are currently exploring the new option in Event source ---> Log Parser in Netwitness 11.1.0.1, Can any one provide us more details on the usage, there is no related doc available. We are trying to streamline all the events source and get the exact value out of this.

 

* How to populate the unknown logs in this field?

* How does this filed help us to streamline the event logs ?

* What is meant by Log Parsers on the left and Rules on the right ?

 

pastedImage_1.png

Labels:
0 Likes
11 REPLIES 11

someone
Contributor
Contributor

‎2018-07-19 04:16 AM

This should get you started ESM: Log Parser Rules Tab until RSA find time to fill up https://community.rsa.com/docs/DOC-93849 which sits like that for 20 days now (not sure if it will be any different or copy paste).

SureshThanikach
Beginner
Beginner
In response to someone

‎2018-07-19 04:32 AM

Hi Marinos,

 

Thanks for your response, But as the the snapshot attached in our console the Log parser as well as the rule tab is complete empty and am not able to get any logs populated in this fields, in the doc which you have pasted also has details on how to processed further after the logs in been sent to this place but we are stuck at the initial level.

 

Kindly advise    

0 Likes

Anonymous
Not applicable

‎2018-07-19 12:16 PM

Hi Suresh,

Please note that this functionality was very limited for 11.1. With the release of 11.2, which is rapidly approaching, this functionality is more fully fleshed out.

someone
Contributor
Contributor
In response to Anonymous

‎2018-07-19 12:57 PM

Logically, that's where the word "BETA" on both documentation and the ESM tab: Log Parser rules (exactly like the Settings tab in ESM) would come handy and save both sides from exchanging posts like this one and raising Support, DOC and BUG tickets.

Anonymous
Not applicable

‎2018-07-19 01:12 PM

Thank you for your comment. We'll take it under advisement.

EricPartington
Employee
Employee

‎2018-07-19 08:39 PM

check your log decoder, make sure default parser is enabled. 

pastedImage_3.png

That will get you the word default in the left log parsers box.

default only works with unknown messages

default brings with it a number of well know tags for strong tokens (hostname=, srcip= etc.)

tokens are listed in the tokens box

these were pulled from all our parsers to find the most confident tokens that could be extracted as meta

when you enable the default log parser on your log decoder you get values show up in the right box

when you click on those rules on the right you will see where they match in  the message at the bottom

if you have unknown messages and the default parser is enabled you will start to see meta extracted based on these tokens which means you will still get value from them rather than just word meta.

in some cases that will be sufficient to use those unknown messages if the values you need come from these well known tokens ( like searching for an IP address across all messages)

 

pastedImage_1.png

This isn't Beta

It works today as designed for this release and is being enhanced in subsequent releases.

EricPartington
Employee
Employee
In response to EricPartington

‎2018-07-19 09:00 PM

For instance this event

type=2407 audit(1531966179.348:21979): pid=11571 uid=0 auid=0 ses=2173 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac=(null) pfs=diffie-hellman-group-exchange-sha256 spid=11571 suid=0 rport=55711 laddr=192.168.254.23 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.252.22.92 terminal=? res=success'

 

Unknown message would normally have word meta only

pastedImage_1.png

Now you get values extracted

pastedImage_2.png

where the value is extracted to depends on the token and if context can be determined (is it a source IP or destination IP, if it cannot be determined from the token name then it goes into a generic key for that value)

KevinCole
Beginner
Beginner

‎2018-07-20 04:50 PM

I had the exact same problem.

 

no default.jpg

 

Then, I checked if the "Default Parser" was available by ...um... default on my v11.1 decoder(s). It wasn't. Aha!

 

default parser 6.PNG

 

So, I searched on Live for "default" and found the "Default Parser".

Downloaded the default.envision file.

Uploaded (deployed) to my decoders.

Reloaded my parsers.

 

 

default parser 5.PNG

 

 

Then went back to Admin - Event Sources - Log Parser Rules ...

And ... ta da!

 

default parser 4.png

SureshThanikach
Beginner
Beginner
In response to KevinCole

‎2018-07-22 03:19 AM

Hi Kevin,

 

Thanks, We deployed the default parser and the same page was populated in my console, But as per the above comments this is not fully accessible we have some limitations. 

 

If there is any work around for the same please let us know.  

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.