2018-07-19 02:17 AM
Hi All,
We are currently exploring the new option in Event Source ---> Log Parser in NetWitness 11.1.0.1. Can anyone provide us more details on the usage? There is no related doc available. We are trying to streamline all the event sources and get the exact value out of this.
* How to populate the unknown logs in this field?
* How does this field help us to streamline the event logs?
* What is meant by Log Parsers on the left and Rules on the right?
2018-07-22 03:24 AM
As per the comments from Kevin, we have deployed the default parser and the "Rule" tab under Log Parser Rules got populated. Now let us know the next process: how to extract the logs which are currently parsing under "unknown" and then do the parsing to get the exact value?
2018-07-22 09:34 PM
There is nothing else for you to do. Any log messages that arrive at the log decoder where the default parser is enabled will parse additional meta into the relevant keys as defined by the default parser and the visible regex patterns.
You should be able to copy and paste sample unknown messages into the box at the bottom of that screen to see how the tokens apply to that message, if you want to see what it does. There will be additional tokens added to different parsers as releases are pushed out by RSA, but for now, it's hands off from the analyst's part.
Enable the default parser, and any tokens that match unknown messages will parse out automatically.
Eric
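To make the mechanism Eric describes concrete outside the product, here is an added Python example (not NetWitness code and not the shipped default parser) that mimics the "paste a sample unknown message and see which tokens apply" box: a list of regex tokens, each mapped to a meta key, is run over constructed unparsed messages and the extracted meta is returned. The token names, patterns and sample log lines are all constructed assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed token rules standing in for the regex patterns shown on the
# Log Parser Rules screen. Hypothetical key names and patterns; the real
# default parser ships its own set and is maintained by the vendor.
TOKEN_RULES: List[Tuple[str, re.Pattern]] = [
    ("ip.src",   re.compile(r"\b(?:src|srcip|source)=(?P<value>(?:\d{1,3}\.){3}\d{1,3})\b")),
    ("ip.dst",   re.compile(r"\b(?:dst|dstip|dest)=(?P<value>(?:\d{1,3}\.){3}\d{1,3})\b")),
    ("user.dst", re.compile(r"\b(?:user|username|usr)=(?P<value>[A-Za-z0-9._\\@-]+)")),
    ("domain",   re.compile(r"\b(?:domain|dom)=(?P<value>[A-Za-z0-9.-]+)")),
    ("port.dst", re.compile(r"\b(?:dport|dst_port|dpt)=(?P<value>\d{1,5})\b")),
    ("action",   re.compile(r"\b(?:action|act)=(?P<value>[A-Za-z_-]+)")),
    ("email",    re.compile(r"\b(?P<value>[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")),
    ("url",      re.compile(r"\b(?P<value>https?://[^\s\"']+)")),
]

# Constructed sample messages from sources that have no dedicated parser,
# i.e. what would land under "unknown" on the log decoder.
SAMPLE_UNKNOWN: List[str] = [
    "<134>Jul 19 02:17:01 fw01 vendorfw: act=deny src=10.1.2.3 dst=203.0.113.7 dpt=443 proto=tcp",
    "Jul 19 02:18:44 app01 customapp: login failed user=alice domain=CORP from 10.1.2.50",
    "Jul 19 02:19:00 iot01 thermostat: temperature reading 21.5C",
]


def apply_tokens(message: str, rules=TOKEN_RULES) -> Dict[str, List[str]]:
    """Return the meta one unparsed message yields: {meta_key: [values, ...]}.

    Only tokens whose regex matches contribute; a message that matches no
    token yields an empty dict and stays effectively "unknown".
    """
    meta: Dict[str, List[str]] = {}
    for key, pattern in rules:
        for match in pattern.finditer(message):
            values = meta.setdefault(key, [])
            if match.group("value") not in values:
                values.append(match.group("value"))
    return meta


def matched_tokens(message: str, rules=TOKEN_RULES) -> List[str]:
    """Names of the tokens that applied, in rule order (what the test box shows)."""
    return [key for key, pattern in rules if pattern.search(message)]


def coverage(messages: List[str], rules=TOKEN_RULES) -> Tuple[int, int]:
    """(messages that produced at least one meta key, total messages).

    Useful for judging how much of the 'unknown' stream the tokens recover.
    """
    hit = sum(1 for m in messages if apply_tokens(m, rules))
    return hit, len(messages)


if __name__ == "__main__":
    for msg in SAMPLE_UNKNOWN:
        print(msg)
        print("  tokens:", matched_tokens(msg) or "none")
        for key, vals in apply_tokens(msg).items():
            print(f"  {key} = {', '.join(vals)}")
    hit, total = coverage(SAMPLE_UNKNOWN)
    print(f"\n{hit}/{total} unknown messages produced meta")
```

Note that the second sample's trailing "from 10.1.2.50" is not captured, because the constructed ip.src token only fires on a `src=` style keyword; that is the kind of gap a practitioner would check for by pasting real unknown samples into the box and seeing which tokens apply before assuming the meta is complete.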