Add or Delete a Log ParserAdd or Delete a Log Parser
Note: The information in this topic applies to NetWitness Version 11.2 and later.
For version 11.2, NetWitness has added the ability to add log parsers through the UI. You can also delete log parsers, as long as they have never been deployed to a Decoder. You can create a new log parser definition from scratch, or extend an existing one.
You can add a log parser to extend the functionality for an existing parser. For example, if you have some unknown messages for the Cisco Pix parser, you could add rules to match your unknowns.
IMPORTANT: If you are adding a new log parser, for example when onboarding an event source, you must map the event source IP to the new log parser in order for messages to be parsed. For details, see "Acknowledging and Mapping Event Sources" in the Event Source Management User Guide.
Add a Log ParserAdd a Log Parser
- In the NetWitness UI, navigate to (Configure) > Log Parser Rules.
-
From the Log Parsers pane, click Add Parser.
The Add Dynamic Log Parser dialog box is displayed.
- Fill in details for this dialog box. For details, see Add Dynamic Log Parser Parameters below.
-
Click Save to save the new log parser.
This updates the definition file in the file system. It does not deploy the changes.
- To deploy your changes to all of your Decoders, click Deploy.
Delete a Log ParserDelete a Log Parser
You can use the UI to delete a log parser.
To delete a log parser:
- In the NetWitness UI, navigate to (Configure) > Log Parser Rules.
-
From the Log Parsers pane, select a log parser, then click Delete.
Delete Parser dialog box is displayed.
- Click Delete Parser to remove the log parser from the system.
Note: If you have encounter any issues when you attempt to delete a parser, see the Troubleshooting section, Delete a Log Parser Manually.
Add Dynamic Log Parser ParametersAdd Dynamic Log Parser Parameters
When you are adding a log parser, the following parameters are available.
Field | Details |
---|---|
select log parser |
Select NEW, or choose an existing log parser. By choosing an existing log parser, you can add rules to that parser, essentially extending its parsing capabilities. Note: If you select an existing log parser, the remaining fields are auto-filled based on the values for selected log parser. |
device type |
Enter a string to define the device type. The name must be between 3 and 30 alphanumeric characters (including underscores), and must not match the name of any existing log parsers. |
device display name |
Enter the display name for the log parser. Note: The display name must be 64 characters or fewer, and must not match the name of any other device display name. |
device class |
Select a device class. |
clone dynamic parser rules from |
Leave blank to start with no rules, or select one of the existing log parsers to clone its rules. |
Import or Export a Log ParserImport or Export a Log Parser
To import the log parser:
- In the NetWitness UI, navigate to (Configure) > Log Parser Rules.
-
From the Log Parsers panel, click Import.
- Select a log parser to import.
The log parser is imported successfully. This will import the selected log parser rules along with the JSON mapping (if any).
To export the log parser:
- In the NetWitness UI, navigate to (Configure) > Log Parser Rules.
- Select the log parser to export.
-
In the Log Parsers panel, click Export.
The selected parser is exported successfully in a .json format. This will export the selected log parser rules along with the JSON mapping (if any).