Add or Delete a Log Parser Rule

Note: The information in this topic applies to NetWitness Version 11.2 and later.

For version 11.2, NetWitness has added the ability to create custom rules for log parsers. You can create rules to change how meta values are parsed for a particular log parser. Prior to version 11.2, you could only view the out-of-the-box log parser rules.

About Log Parser Rules

Parsers are described within their XML files. Each log parser has an XML file that contains rules on how to parse messages for that parser. The out-of-the-box rules are contained within these XML files. For details, see the Log Parser Customization topic in the Link space for NetWitness Content.

Custom Log Parser Rules

When you create a new log parser rule, it is saved to another XML definition file for the parser. These files are known as token files. This is important, since the out-of-the-box rules are overwritten if you update the parser through Live, but any custom log parser rules are not overwritten, since Live does not update the token files for log parsers.

To create a custom log parser rule:

  1. In the NetWitness UI, navigate to netwitness_configureicon_24x21.png (Configure) > Log Parser Rules.
  2. From the Log Parsers pane, select a log parser, then Dynamic Rules.
  3. From the Rules pane, click Add Rule.

    The Add Rules dialog box is displayed.


    IMPORTANT: If you click outside of the Add Rule dialog box before you save your rule, your changes will be lost.

  4. Enter a name for the new rule, and click Add New Rule.
  5. Add at least one meta key and a value to match, in order to create a valid rule.
  6. Click Save to save your new rule.

    This updates the definition file in the file system. It does not deploy the changes.

  7. To deploy your changes to all of your Decoders, click Deploy.

Guidelines for Custom Rules

When you are creating a custom rule, keep in mind the following:

  • For the list of tokens that match strings from the log file, very short tokens are not useful. For example, a one- or two-character string can match more items than desired.
  • Remember to add the delimiter (especially if it is a space) as part of the token. For example "domain=" or "email ".
  • When constructing regular expressions, the more complexity you add, the more performance overhead added to the system to compare against the rule.
  • To see examples of good tokens and regular expressions, examine the rules that are provided for the default log parser.