10.6.5.x and 11.1 now have the ability to apply -custom.xml log parser files to reduce the need for forking a parser to customize log parsing for a particular device. This means that you no longer have to remove a parser from the auto-update RSA Live flow just to add a custom entry or modify one event id to suit a specific use case.
Sample events were gathered and replayed against the stock RSA Live msexchange parser in NetWitness.
Locate the events in investigation (device.type='msexchange')
Reviewing the Splunk app's savedsearches.conf and macros.conf, I could see that many of the rules were driven by reference.id; however, a few were more complicated and might require more parsing work to get the needed values.
Do this for the other message.ids that we need to modify (25008 and 25403 so far).
Save the updated log parser xml
Follow the instructions in the RSA Link post to create the skeleton -custom.xml file, referenced above.
Open the saved log parser file, locate the three modified message lines, and copy and paste them into the -custom.xml file.
Add the following to each message entry to indicate that the modified message should be inserted ahead of the default one: insertBefore="LOGbndEX_25008_LOGbndEX" (add this below the eventcategory line on each message).
Save the file, copy the -custom.xml to the log decoder's msexchange parser folder, and reload the parsers from the Explore menu (decoder > parsers > reload, then submit).
Replay the events and see the extra parsing goodness
Now we have the events extracted
The message.id of this event matches the name (with the :01 suffix) given in the -custom.xml file.
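Before copying a -custom.xml onto the log decoder, it is worth checking that every custom message carries an insertBefore attribute, that the attribute points at a message that actually exists in the stock parser, and that the custom msg.id name (the :01 variant) does not collide with a stock one. The script below is an added example, not part of this post or of RSA's tooling. It assumes the parser files are a DEVICEMESSAGES root holding MESSAGE elements with id1 and id2 attributes; the stock and custom XML embedded in it are constructed stand-ins with placeholder content patterns, not the real msexchange parser. Which of id1 or id2 NetWitness matches insertBefore against is not stated in the post, so the check accepts either.

```python
"""Sanity-check an RSA NetWitness <device>-custom.xml against the stock parser (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the stock RSA Live msexchange parser. Shape assumed:
# DEVICEMESSAGES root, MESSAGE elements with id1 (match key) and id2 (reported
# as msg.id). The content patterns are placeholders, not the real parser.
STOCK_XML = """<?xml version="1.0" encoding="UTF-8"?>
<DEVICEMESSAGES name="msexchange" displayname="Microsoft Exchange">
  <MESSAGE id1="LOGbndEX_25008" id2="LOGbndEX_25008_LOGbndEX" eventcategory="1901000000"
           content="&lt;fld1&gt;"/>
  <MESSAGE id1="LOGbndEX_25403" id2="LOGbndEX_25403_LOGbndEX" eventcategory="1901000000"
           content="&lt;fld1&gt;"/>
</DEVICEMESSAGES>
"""

# Constructed -custom.xml in the form the post describes: the modified message is
# copied from the stock parser, given a :01 suffix so its msg.id stays unique, and
# insertBefore names the stock message it should be tried ahead of.
CUSTOM_XML = """<?xml version="1.0" encoding="UTF-8"?>
<DEVICEMESSAGES name="msexchange" displayname="Microsoft Exchange">
  <MESSAGE id1="LOGbndEX_25008" id2="LOGbndEX_25008_LOGbndEX:01" eventcategory="1901000000"
           insertBefore="LOGbndEX_25008_LOGbndEX"
           content="&lt;fld1&gt; &lt;fld2&gt;"/>
</DEVICEMESSAGES>
"""


def message_ids(xml_text):
    """Return (set of every id1/id2 value, list of MESSAGE elements) for a parser file."""
    root = ET.fromstring(xml_text)
    if root.tag != "DEVICEMESSAGES":
        raise ValueError(f"unexpected root element {root.tag!r}")
    msgs = root.findall("MESSAGE")
    ids = set()
    for m in msgs:
        ids.update(v for v in (m.get("id1"), m.get("id2")) if v)
    return ids, msgs


def check_custom_parser(stock_xml, custom_xml):
    """Return a list of problems found in custom_xml; an empty list means it looks clean."""
    stock_ids, _ = message_ids(stock_xml)
    _, custom_msgs = message_ids(custom_xml)
    problems = []
    seen = set()
    for m in custom_msgs:
        id1, id2 = m.get("id1"), m.get("id2")
        if not id1 or not id2:
            problems.append("MESSAGE without id1/id2")
            continue
        target = m.get("insertBefore")
        if not target:
            problems.append(f"{id2}: missing insertBefore, so it would not be placed ahead of the stock message")
        elif target not in stock_ids:
            problems.append(f"{id2}: insertBefore target {target!r} not found in stock parser")
        if id2 in stock_ids:
            problems.append(f"{id2}: id2 collides with a stock message; use a suffixed name such as {id2}:01")
        elif not re.fullmatch(r".+:\d{2}", id2):
            problems.append(f"{id2}: id2 does not follow the <stock id>:NN naming convention")
        if id2 in seen:
            problems.append(f"{id2}: duplicate id2 within the custom file")
        seen.add(id2)
    return problems


if __name__ == "__main__":
    issues = check_custom_parser(STOCK_XML, CUSTOM_XML)
    print("OK" if not issues else "\n".join(issues))
```

Run it against the real stock parser and your own -custom.xml by reading both files into the two string arguments; an empty result means every custom message is anchored to a stock message and has a msg.id you will be able to pick out in Investigation.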
The custom xml file is attached which you can use in your environment.
The benefit of this is that the RSA Live parser keeps receiving updates while the custom entries are maintained separately; if the modifications are eventually rolled into the RSA parser, the -custom.xml can be removed and only the OOTB parser used.
Look out for a future blog post with content for RSA NetWitness LOGBinder events.