Default Log Parser and Log Parser Rules

Note: The information in this topic applies to NetWitness Version 11.1 and later.

This tab displays information about pattern matching and rules for the parsers in your system. The features on this tab apply to all log parsers, including the Default Log Parser.

Default Log Parser

The NetWitness default log parser handles logs on the Log Decoder that do not match any of the configured log parsers. It parses these logs by using a default set of rules and tokens, so that common values (addresses, user names, domains and so on) are still extracted from otherwise unrecognized messages.

You can view the default log parser and its details. The navigation path depends on your version:

  • For NetWitness version 11.1, go to Admin > Event Sources > Log Parser Rules, then select default from the Log Parsers panel.
  • For NetWitness version 11.2 and later, go to Configure > Log Parser Rules, then select default from the Log Parsers panel.

Note: If you do not see the default log parser and its rules, you might need to go to Live and deploy the Content to your log decoders. Additionally, you must have at least one Log Decoder at version 11.2 to view the default log parser.

Note: The list of log parsers is based on the first Log Decoder that is installed or registered by the Orchestration Server. If you have more than one Log Decoder, this tab lists only the log parsers that have been configured on that first one; parsers that exist only on other Log Decoders do not appear here.

This is a view of the Log Parser Rules tab, showing the Default Log Parser and Any Domain rule selected:

122_defaultLogParser_1222.png

The Log Parser Rules Tab topic describes the items available on this tab.

Highlight Matching Patterns

You can paste logs into the Log Messages text box, and the system highlights the literals and patterns that match the rules for the selected event source type. Use this feature to confirm that a parser extracts what you expect from a sample message before relying on it.

  1. In the NetWitness UI, navigate as follows, depending on your version:

    • For NetWitness version 11.1, go to Admin > Event Sources > Log Parser Rules.
    • For NetWitness version 11.2 and later, go to Configure > Log Parser Rules.
  2. From the Log Parsers pane, select the Dynamic Rules entry for a log parser.
  3. From the Rules pane, select a rule.

    For example, this screen shows the Source Port rule for the Actiance Vantage log parser:

    122_logParserExample_1222.png

  4. Add text or paste in a sample log message.

Strings that match tokens for the currently selected rule are highlighted in blue. Strings that match tokens for the parser's other rules (and those rules themselves in the Rules pane) are highlighted in orange.

122_logParserHighlighted_1222.png

For example, in the previous screen, note:

  • The destination domain, matching the dstdomain token, is highlighted in blue: the token is in dark blue, and the matching string is in light blue. This is because Destination Domain is the currently selected rule.
  • The strings highlighted in orange match tokens for the Username, Source IP or IP:Port, Destination IP or IP:Port, Source Port, Source Email Address, and Destination Email Address rules. This is because those rules belong to the default parser but are not the currently selected rule.

Highlight Overlapping Patterns

When patterns overlap rules (that is, one substring of the message matches more than one rule), the behavior is as follows:

  • The pattern is displayed in a single color (yellow), regardless of how many rules it matches.
  • When you select one of the matching rules, the pattern exactly matched by that rule is displayed in light and dark blue.

For example, in the message user: admin@test.com from 10.100.229.59, the same substrings match several rules.

122_highlightOverlap1_1222.jpg

When you select the hostip rule, only the substring that this rule matches is shown in dark and light blue; the remaining overlaps stay yellow.

122_highlightOverlap2_1222.png
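To make the matching and overlap behaviour from the two sections above concrete, here is an added Python example that is not part of the NetWitness documentation or product. It models a handful of rules as regular expressions (the rule names mirror those the page mentions, but the regexes and the RULES structure are assumptions made for illustration and are not NetWitness's rule or token syntax), runs them over the constructed sample message from the overlap example, reports which rules compete for the same substring, and assigns each match the colour the UI would show for a chosen selected rule.

```python
import re
from dataclasses import dataclass

# Constructed, simplified stand-ins for log parser rules. Each rule is a name
# and a regex whose group 1 is the value the rule would capture. This is an
# illustration of the highlighting logic only, not NetWitness's rule syntax.
RULES = {
    "username":  re.compile(r"\buser:\s*(\S+)"),
    "srcemail":  re.compile(r"\b([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\b"),
    "dstdomain": re.compile(r"\b((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})\b"),
    "hostip":    re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3})\b"),
    "srcip":     re.compile(r"\bfrom\s+((?:\d{1,3}\.){3}\d{1,3})\b"),
    "srcipport": re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}:\d{1,5})\b"),
}

# Constructed sample message, the same text the page uses as its overlap example.
SAMPLE = "user: admin@test.com from 10.100.229.59"


@dataclass(frozen=True)
class Match:
    rule: str
    start: int
    end: int
    text: str


def find_matches(line, rules=RULES):
    """Run every rule over the line and collect the captured spans."""
    found = []
    for name, rx in rules.items():
        for m in rx.finditer(line):
            found.append(Match(name, m.start(1), m.end(1), m.group(1)))
    return sorted(found, key=lambda x: (x.start, x.end, x.rule))


def overlaps(a, b):
    """True when spans from two different rules share at least one character."""
    return a.rule != b.rule and a.start < b.end and b.start < a.end


def overlapping_pairs(matches):
    """Rule pairs that compete for the same substring (the UI's yellow case)."""
    return [(a, b) for i, a in enumerate(matches)
            for b in matches[i + 1:] if overlaps(a, b)]


def classify(line, selected, rules=RULES):
    """Map each match to the colour the UI would use for it:
    blue   - captured by the currently selected rule
    yellow - captured by more than one rule (overlapping pattern)
    orange - captured by a single rule that is not selected
    Returns a list of (rule, matched text, colour) in span order."""
    matches = find_matches(line, rules)
    coloured = []
    for m in matches:
        if m.rule == selected:
            colour = "blue"
        elif any(overlaps(m, other) for other in matches):
            colour = "yellow"
        else:
            colour = "orange"
        coloured.append((m.rule, m.text, colour))
    return coloured


if __name__ == "__main__":
    # Report the overlaps first, then the colours with hostip selected,
    # which mirrors the second screenshot in the overlap section.
    for a, b in overlapping_pairs(find_matches(SAMPLE)):
        print(f"overlap: {a.rule} and {b.rule} both capture {a.text!r}")
    for rule, text, colour in classify(SAMPLE, selected="hostip"):
        print(f"{colour:7} {rule:10} {text}")
```

The loose regexes are deliberate: they reproduce the situation the page describes, where admin@test.com is captured by the username, srcemail and dstdomain rules at once and 10.100.229.59 by both hostip and srcip. Running the overlap check on a few representative messages before relying on a parser's output tells you which rules will compete for the same value, which is exactly what the yellow highlighting is meant to surface.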