on 2019-09-25 12:09 AM - edited on 2022-10-21 01:43 AM by jobichan
This document aggregates useful how-to information for "Do-It-Yourself" creation of parsers and integrations for the RSA NetWitness Platform. Please follow the page for updates using the Actions menu above, as we will be adding more content frequently. Also, please feel free to add comments below or click the Send Feedback button to provide feedback, request new content, or let us know about any new posts that would be useful to reference here.
Resource | Description |
---|---|
Using Parse Rules (Overview) | A primer on the new parse rules capabilities added in v11.2 |
Log Parser (Parse Rules) Customization for 11.2+ | In-depth documentation for using parse rules in 11.2+ |
Customizing OOTB XML Parsers (10.6.5+) | How to customize RSA-supported XML parsers while still preserving future updates from RSA Live (as of 10.6.5+) |
Customizing the CEF Parser | How to customize the RSA-supported parser for CEF-formatted logs |
JSON Development Guide | Collecting JSON logs via file collection method (available as of 11.3) |
Custom (File Collection) Typespec | Detailed instructions and specifications for creating a typespec to transform file-based log sources for proper parsing. |
Custom File and ODBC Typespec Demo Video | Walkthrough video on creating your own typespec for collecting file and ODBC log sources. NOTE: This video is a bit old, but still gives a good demonstration of how the process works. |
Log Parser Tool Downloads | Download the free tool for creating full XML parsers for your custom event sources |
Log Parser Tool v1.1 User Guide | Instructional guide on XML log parser structure, syntax and how to use the Log Parser Tool |
Event Time Function Usage | Using the Event Time function within an XML parser to parse different date formats into the TimeT type. |
A Treatise on Writing Packet Parsers for the RSA NetWitness Platform | The definitive guide for writing Lua parsers for the RSA NetWitness Platform. |
RSA Training: Lua Parsers for Logs | Lua parsers aren't just for packets. Take in-depth training from RSA on how to leverage Lua to solve challenging log parsing problems. |
Plugins Development Guide | Detailed instructions and specifications for creating a Plugin to collect and transform cloud-based, API-accessible log sources for proper parsing. |
Resource | Description |
---|---|
Custom Table-Map Maintenance | Instructions on properly configuring the custom table map to manage keys populated by log parsers. NOTE: The index-concentrator-custom.xml files will sometimes also need to be modified to achieve indexing and full searchability of meta keys. |
Core Database Tuning Guide: Index Customization | Official documentation on maintaining index configuration for meta keys. |
Maintaining Table Map and Service Index files | An excellent post that further explains the relationship between table map and index. |
Validate your custom index files with xmllint | Some good tips on validating your XML configuration files before deployment. |
Resource | Description |
---|---|
Official List of API Guides including the CLI tool (NwConsole) | Official Table of Contents with reference to several versions of the API, including the REST API and the CLI tool (NwConsole). |
REST API: Access in NetWitness | Enabling the REST API in NetWitness |
RSA NWUC 2012 - No Rest for the Weary | An older, but still relevant, introductory presentation on the REST API |
CLI: RSA Security Analytics Console | Official 10.6 guides for using the CLI tool (NwConsole) |
GitHub - netwitness/ng-rest-client | A sample Python app that demonstrates how to use the RESTful API on NetWitness Core Services. For background on how this tool came to be (and some useful explanations of the API functions), see this post: NetWitness NextGen RESTful Python Test App |
You can also leave feedback in the comments below. Help us enable you to find creative solutions to your integration goals!