Article Number
000002912
Applies To
RSA Product Set: Security Analytics, NetWitness
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 10.x
Platform: CentOS
O/S Version: 6
Issue
This article describes how to parse a tab delimited log file into the NetWitness Platform.
The log file is tab delimited and is of the following form. (Note: the #Fields header and each record occupy one line each in the file; they are wrapped here only for display, and the values in a record are separated by tab characters, not spaces.)
#Fields: datatime c-ip x-ss-company-id cs(X-Forwarded-For) cs-username cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs(User-Agent) cs(Content-Type) cs-bytes sc-bytes sc-status sc(Content-Type) s-ip x-ss-category x-ss-last-rule-name x-ss-last-rule-action x-ss-block-type x-ss-block-value x-ss-external-ip x-ss-referer-host
2015-07-10 11:39:37 GMT 10.106.21.99 2164457336 10.106.21.99 CONNECT https www.ibm.com 443 / curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2 - 0 0 0 23.32.171.219 c:busi default block adv-rule-match No exception exists to allow this web page 128.221.224.200
2015-07-10 11:41:40 GMT 10.106.21.99 2164457336 10.106.21.99 CONNECT https www.ibm.com 443 / curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2 - 0 0 0 23.32.171.219 c:busi default block adv-rule-match No exception exists to allow this web page 168.159.213.199
Resolution
The parsing is straightforward because every record in the log file has the same fixed sequence of tab-delimited fields, so the parser only needs to define a single message.
The message is defined as follows in the ciscowsctmmsg.xml file. (Note: the content attribute below is a single line. Each ^^ separates two consecutive tab-delimited fields, and each <name> captures the value at that position. The content string starts at <saddr>, which corresponds to the c-ip field, so the leading datatime field is not captured by it.)
content="<saddr>^^<xsscompanyid>^^<xforwardfor>^^<csusername>^^<csmethod>^^<csurischeme>^^<cshost>^^<csuriport>^^<csuripath>^^<csuriquery>^^<csuseragent>^^<cscontenttype>^^<csbytes>^^<scbytes>^^<scstatus>^^<scontenttype>^^<daddr>^^<xsscategory>^^<xssname>^^<xsslastruleaction>^^<xssblocktype>^^<xssblockvalue>^^<xssexternalip>^^<xssreferhost>"/>
The table-map-custom.xml file then maps these parser variables (saddr, daddr, cshost and so on) to NetWitness meta keys.
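The following Python example is added here to show the same parsing logic outside the appliance; it is not RSA or NetWitness code. It reads the #Fields header, splits each record on tab characters only, binds the 24 values after the timestamp to the capture names in the content attribute above, and renames a few of them to meta keys. The sample record is constructed from the excerpt above with real tabs; the fields the flattened excerpt shows as absent (cs-username, cs-uri-query, sc(Content-Type), x-ss-referer-host) are assumed to have been empty, and the TABLE_MAP dictionary is an assumption, since the article does not show the contents of table-map-custom.xml.

```python
"""Tab-delimited (W3C extended-log style) parsing, mirroring the one-message
NetWitness parser described above.  Added example; not RSA/NetWitness code."""
import re

# Constructed sample, rebuilt from the page's flattened excerpt: the #Fields
# header (space-separated names, as in the file) and one record with real tab
# characters between its 25 values.  The fields the flattened text shows as
# absent (cs-username, cs-uri-query, sc(Content-Type), x-ss-referer-host) are
# assumed to have been empty.
FIELDS_HEADER = (
    "#Fields: datatime c-ip x-ss-company-id cs(X-Forwarded-For) cs-username "
    "cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query "
    "cs(User-Agent) cs(Content-Type) cs-bytes sc-bytes sc-status "
    "sc(Content-Type) s-ip x-ss-category x-ss-last-rule-name "
    "x-ss-last-rule-action x-ss-block-type x-ss-block-value x-ss-external-ip "
    "x-ss-referer-host"
)
RECORD = "\t".join([
    "2015-07-10 11:39:37 GMT", "10.106.21.99", "2164457336", "10.106.21.99",
    "",                                   # cs-username (assumed empty)
    "CONNECT", "https", "www.ibm.com", "443", "/",
    "",                                   # cs-uri-query (assumed empty)
    "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 "
    "Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2",
    "-", "0", "0", "0",
    "",                                   # sc(Content-Type) (assumed empty)
    "23.32.171.219", "c:busi", "default", "block", "adv-rule-match",
    "No exception exists to allow this web page", "128.221.224.200",
    "",                                   # x-ss-referer-host (assumed empty)
])

# The content attribute from ciscowsctmmsg.xml, joined onto one line.
CONTENT = (
    "<saddr>^^<xsscompanyid>^^<xforwardfor>^^<csusername>^^<csmethod>^^"
    "<csurischeme>^^<cshost>^^<csuriport>^^<csuripath>^^<csuriquery>^^"
    "<csuseragent>^^<cscontenttype>^^<csbytes>^^<scbytes>^^<scstatus>^^"
    "<scontenttype>^^<daddr>^^<xsscategory>^^<xssname>^^<xsslastruleaction>^^"
    "<xssblocktype>^^<xssblockvalue>^^<xssexternalip>^^<xssreferhost>"
)

# Illustrative only: the page does not show table-map-custom.xml, so this
# parser-variable to meta-key mapping is an assumption made for the example.
TABLE_MAP = {
    "saddr": "ip.src", "daddr": "ip.dst", "cshost": "alias.host",
    "csusername": "username", "csmethod": "action", "csuseragent": "client",
}


def parse_fields_header(line):
    """Field names from a W3C-style '#Fields:' header line."""
    if not line.startswith("#Fields:"):
        raise ValueError("not a #Fields header")
    return line[len("#Fields:"):].split()


def parse_record(line, fields):
    """Split one record on tabs only; a record with the wrong field count is
    rejected rather than silently mis-aligned against the header."""
    values = line.rstrip("\r\n").split("\t")
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} tab-separated fields, got {len(values)}")
    return dict(zip(fields, values))


def content_variables(content):
    """Capture names from the content template: '^^' separates consecutive
    tab-delimited fields and each <name> captures the value at that position."""
    return [re.fullmatch(r"<(\w+)>", tok).group(1) for tok in content.split("^^")]


def to_parser_variables(line, content=CONTENT):
    """Bind a record to the template.  The template starts at <saddr> (c-ip),
    so the leading datatime value is kept aside under its header name."""
    values = line.rstrip("\r\n").split("\t")
    names = content_variables(content)
    if len(values) != len(names) + 1:
        raise ValueError(f"template expects {len(names) + 1} fields, got {len(values)}")
    bound = dict(zip(names, values[1:]))
    bound["datatime"] = values[0]
    return bound


def to_meta(variables, table_map=TABLE_MAP):
    """Rename captured variables to meta keys; empty captures produce no meta."""
    return {table_map[k]: v for k, v in variables.items() if k in table_map and v}


def whitespace_token_count(line):
    """Why the delimiter matters: splitting on any whitespace breaks the
    timestamp, user agent and block-value fields apart and loses empty fields."""
    return len(line.split())


if __name__ == "__main__":
    fields = parse_fields_header(FIELDS_HEADER)
    record = parse_record(RECORD, fields)
    print(record["x-ss-block-value"])
    print(to_meta(to_parser_variables(RECORD)))
    print(len(fields), "tab fields vs", whitespace_token_count(RECORD), "whitespace tokens")
```

The field-count check in parse_record is the practical point: a record that has lost or gained a tab (a truncated line, or a value containing a literal tab) must be rejected, otherwise every value after the bad position is bound to the wrong name and, for example, the block value would land in the external-IP meta key. Comparing whitespace_token_count with the header length shows why the parser has to split on tabs rather than on whitespace.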