Use Cases
This topic describes the procedures for either onboarding a new event source or extending the parsing capabilities of an existing log parser.
Use Case 1: Onboard a New Event Source
In this case, a customer has an event source and wants to add it to NetWitness. Perform the following tasks:
- For your event source, get examples of the logs.
- In the CONFIGURE > Log Parser Rules view, add the Log Parser.
- From your sample logs, paste applicable sections into the Sample Log Messages section of the Log Parser Rules screen.
- Use the sample area to understand which items are being parsed by the current parser, and note the items that are not being parsed.
- For anything that is not currently being parsed, add rules:
  - If the new rules apply to all parsers, you can add them to the Default parser.
  - If not, add them only to the new log parser you are creating.
- Save the new rules, and deploy them to all Log Decoders.
- Map the IP address for the newly added event source to the newly-created log parser. For details, see "Acknowledging and Mapping Event Sources" in the Event Source Management User Guide.
Use Case 2: Modify an Existing Parser
In this case, a customer wants to parse some items from the logs that are not currently being parsed by the existing log parser. Perform the following tasks:
- For your event source, get examples of the logs.
- In the CONFIGURE > Log Parser Rules view, select the existing Log Parser.
- From your sample logs, paste applicable sections into the Sample Log Messages section of the Log Parser Rules screen.
- Use the sample area to understand which items are being parsed by the current parser, and note the items that are not being parsed.
- For anything that is not currently being parsed, add rules.
- Save the new rules, and deploy them to all Log Decoders.
For a detailed walkthrough of some of the steps in these use cases, see Extend an Existing Log Parser Example.
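The following is an added illustration of the coverage check that both use cases rely on (paste sample logs, see which items the current rules extract, note what is missed, add rules for the gaps, re-check). It is not NetWitness code and does not model the Log Decoder's real rule engine: it treats a parser as an ordered list of (meta key, regex) rules, concatenates a shared "default" rule set with parser-specific rules, runs them over constructed sample log lines, and reports which key=value tokens no rule captured. The event source, meta keys, sample lines and drafted rules are all hypothetical.

```python
"""Model of the 'which items are not being parsed?' check described above.

Added example, not NetWitness code. A log parser is modelled as an ordered
list of (meta_key, regex_with_one_capture_group) rules. Rules in DEFAULT_RULES
stand in for the shared Default parser; PARSER_RULES stand in for rules that
belong only to one log parser. All log lines and rules below are constructed.
"""
import re
from typing import Dict, List, Tuple

Rule = Tuple[str, str]  # (meta key, regex with one capture group)

# Constructed sample log lines for a hypothetical VPN appliance, standing in
# for what would be pasted into the Sample Log Messages area.
SAMPLE_LOGS = [
    "Mar 10 12:00:01 fw01 vpn: user=alice src=10.0.0.5 dst=192.168.1.10 action=allow",
    "Mar 10 12:00:02 fw01 vpn: user=bob src=10.0.0.6 dst=192.168.1.11 action=deny reason=badpassword",
]

# Rules that apply to every parser (the "Default" parser in the page's terms).
DEFAULT_RULES: List[Rule] = [
    ("ip.src", r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})"),
    ("ip.dst", r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})"),
]

# Rules that belong only to this hypothetical event source's parser.
PARSER_RULES: List[Rule] = [
    ("username", r"\buser=(\S+)"),
]

# Generic key=value token detector used to spot values no rule captured.
KV_TOKEN = re.compile(r"\b([a-z_.]+)=(\S+)")


def parse_line(line: str, rules: List[Rule]) -> Dict[str, str]:
    """Apply each rule to the line; the first rule to fill a meta key wins."""
    meta: Dict[str, str] = {}
    for key, pattern in rules:
        if key in meta:
            continue
        match = re.search(pattern, line)
        if match:
            meta[key] = match.group(1)
    return meta


def unparsed_items(line: str, meta: Dict[str, str]) -> List[str]:
    """Return key=value tokens on the line whose value no rule extracted."""
    captured = set(meta.values())
    return [
        f"{key}={value}"
        for key, value in KV_TOKEN.findall(line)
        if value not in captured
    ]


def coverage_report(lines: List[str], default_rules: List[Rule],
                    parser_rules: List[Rule]) -> List[Tuple[Dict[str, str], List[str]]]:
    """For each sample line, return (extracted meta, tokens still unparsed)."""
    rules = default_rules + parser_rules  # default rules apply to all parsers
    report = []
    for line in lines:
        meta = parse_line(line, rules)
        report.append((meta, unparsed_items(line, meta)))
    return report


def propose_rules(report) -> List[Rule]:
    """Draft one parser-specific rule per key that is still unparsed.

    These are starting points for a human to review before saving and
    deploying, not something to push to Log Decoders unexamined.
    """
    drafts: Dict[str, str] = {}
    for _, leftovers in report:
        for item in leftovers:
            key = item.split("=", 1)[0]
            drafts.setdefault(key, rf"\b{re.escape(key)}=(\S+)")
    return sorted(drafts.items())


if __name__ == "__main__":
    before = coverage_report(SAMPLE_LOGS, DEFAULT_RULES, PARSER_RULES)
    for meta, missing in before:
        print("parsed:", meta, "| not parsed:", missing)
    drafted = propose_rules(before)
    print("drafted rules:", drafted)
    after = coverage_report(SAMPLE_LOGS, DEFAULT_RULES, PARSER_RULES + drafted)
    for meta, missing in after:
        print("parsed:", meta, "| not parsed:", missing)
```

The drafted `\S+` captures stop at the first whitespace, which is fine for the constructed lines but will truncate quoted values containing spaces; that is exactly the kind of thing to look for when re-checking the sample area after adding rules and before deploying to all Log Decoders.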