2015-06-15 05:45 AM
Hi All RSA SA Specialists,
I am new to RSA SA. I have worked on ArcSight before. I need to get the steps to integrate unsupported devices with RSA SA and how to parse the file. Please share the appropriate document that helps with the same.
2015-06-15 06:43 AM
Hi,
You might like to have a look at the ESI tool.
2015-06-15 09:41 AM
This is my first written attempt at explaining a log parser, still working on a document to push out to the community, so this is my somewhat high-level explanation of how parsers work. So, first I would reach out to RSA to gather their ESI tool. It's a legacy enVision tool that is currently used by end users to create their own parsers within SA. Supposedly they will have a parser tool that is fully supported by SA by Q3/Q4 2015. The current ESA tool is available on the SCOL site. The main concepts of a custom parser are as such:
Security Analytics parsers are ALL static text, and don't support pattern matching within their parsers for some reason (they support limited pattern matching within a message parser, not the message parser itself). Which means that depending on how you create/plan for your parser, you will need to know ALL the event types that you will want to identify. To completely identify all the events that come across for said parser, you will need to run reports and/or do checks against the endpoint to identify which events aren't being identified properly (device.type=unknown, and/or device.type=DEVICE AND msg.id !exists). This process is done after you implement; it's sort of like a rinse/repeat process, as the static text limits you to identifying all of the events as necessary. You will want as many logs as you can possibly gather. The ESI tool currently supports files of only up to 10MB, so you will need to chunk these into separate files as needed.
The two main portions of a parser are as follows:

Header parser -- This is the first (top) portion of the XML document, which uniquely identifies the endpoint as the (device.type).

Message parser -- This is the second (bottom) portion of the XML document that exactly "tags" the events as needed. Everything that you will want tagged is encapsulated with "<>", which in the parser code is translated in XML as "&lt;" (<) and "&gt;" (>).

You can gather already existing parsers from RSA Live: find the log device, click download, and unzip the "envision" package, which breaks it into a folder structure. The parsers are held/maintained on the log decoders here: /etc/netwitness/ng/envision/etc/devices/ . In each folder you will see two files, one xml and one ini. The xml is the parser file that contains the code that runs as explained above. The other ini file, from what I understand, is more or less legacy, as it used to identify specific enVision tables that this source would be using. RSA may need to step in here to help further explain the ini file, but I believe it is still used to help identify the log source as it comes in. It may sound tedious, but I would get hold of the ESI tool and run through a couple of examples of custom parsing until you are comfortable with coding your own parser.
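As an added illustration of the concepts in the post above (static-text matching, a header that sets device.type, message templates that tag fields inside "<>", the rinse/repeat check for device.type=unknown or a missing msg.id, and chunking logs to the 10MB limit), here is a small Python model of that workflow. This is example code written for this thread, not the RSA parser XML format, the ESI tool, or anything shipped by RSA; the device name "acmefw", the template syntax, the message IDs and the sample log lines are all constructed for the example.

```python
"""Toy model of a static-text log parser with a coverage check.

Constructed example: the template syntax, device name, message IDs and log
lines are hypothetical and do not reproduce RSA's parser XML. Templates are
literal text with <name> placeholders for the fields to tag; there is no
pattern matching outside the placeholders, so any event the templates do not
cover is reported as unidentified, which is the device.type=unknown /
msg.id !exists check the post describes.
"""
import re

# Literal header text that identifies the device (sets device.type).
DEVICE_TYPE = "acmefw"
HEADER = DEVICE_TYPE + ": "

# Message templates: static text, fields to tag wrapped in <>.
MESSAGES = {
    "LOGIN_OK": "user <username> logged in from <ip.src>",
    "LOGIN_FAIL": "login failed for <username> from <ip.src>",
    "CONN_DENY": "denied <ip.src>:<port.src> -> <ip.dst>:<port.dst> proto <protocol>",
}

# Constructed sample logs; the last two are deliberately not covered.
SAMPLE_LOGS = [
    "acmefw: user alice logged in from 10.0.0.5",
    "acmefw: login failed for bob from 198.51.100.7",
    "acmefw: denied 198.51.100.7:51522 -> 10.0.0.20:22 proto tcp",
    "acmefw: config changed by alice",        # no template yet -> msg.id missing
    "otherbox: something else entirely",      # header mismatch -> device.type unknown
]

PLACEHOLDER = re.compile(r"<([A-Za-z0-9_.]+)>")


def compile_template(template):
    """Turn a static template into a regex: literal text is escaped, each
    <name> becomes a non-space capture group. Returns (regex, field names)."""
    parts, names, pos = [], [], 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        names.append(m.group(1))
        parts.append(r"(\S+)")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$"), names


COMPILED = {msg_id: compile_template(t) for msg_id, t in MESSAGES.items()}


def parse_line(line):
    """Apply the header, then the message templates in order. Returns the
    tagged meta keys; msg.id is absent when no template matched."""
    if not line.startswith(HEADER):
        return {"device.type": "unknown", "raw": line}
    body = line[len(HEADER):]
    for msg_id, (rx, names) in COMPILED.items():
        m = rx.match(body)
        if m:
            meta = {"device.type": DEVICE_TYPE, "msg.id": msg_id}
            meta.update(zip(names, m.groups()))
            return meta
    return {"device.type": DEVICE_TYPE, "raw": line}


def coverage_report(lines):
    """The rinse/repeat check: which events are fully tagged, which hit the
    device but no message (msg.id !exists), and which are device.type=unknown."""
    report = {"identified": [], "missing_msg_id": [], "unknown_device": []}
    for line in lines:
        meta = parse_line(line)
        if meta["device.type"] == "unknown":
            report["unknown_device"].append(line)
        elif "msg.id" not in meta:
            report["missing_msg_id"].append(line)
        else:
            report["identified"].append(meta)
    return report


def chunk_for_esi(lines, max_bytes=10 * 1024 * 1024):
    """Split log lines into chunks whose serialized size (with newlines)
    stays under the tool's file-size limit; 10MB by default as in the post."""
    chunks, current, size = [], [], 0
    for line in lines:
        n = len(line.encode("utf-8")) + 1  # +1 for the newline
        if current and size + n > max_bytes:
            chunks.append(current)
            current, size = [], 0
        current.append(line)
        size += n
    if current:
        chunks.append(current)
    return chunks


if __name__ == "__main__":
    rep = coverage_report(SAMPLE_LOGS)
    print("identified:", [m["msg.id"] for m in rep["identified"]])
    print("missing msg.id (need a new template):", rep["missing_msg_id"])
    print("device.type=unknown (header mismatch):", rep["unknown_device"])
    print("chunks at a 100-byte limit:", len(chunk_for_esi(SAMPLE_LOGS, 100)))
```

The lines reported under missing_msg_id are the ones you would write the next template for, then re-run the report, which is the rinse/repeat loop the post describes; the unknown_device lines tell you the header (device.type) itself is not matching.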
2015-06-16 12:26 AM
Thanks mate, your explanation cleared all my doubts.
2015-10-07 05:52 AM
enVision contains the UDS tool, which is very helpful to debug parsers. Unfortunately ESI does not support several features like OR operations { text1 | text2 } and other special functions ((