Rsa NW 11.x Log Parser Tool v1.1
User Guide
for Version 1.1
Copyright © 1994–2019 Dell Inc. or its subsidiaries. All Rights Reserved.
Contact Information
RSA Link at https://community.rsa.com contains a knowledgebase that answers common
questions and provides solutions to known problems, product documentation, community
discussions, and case management.
Trademarks
For a list of RSA trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm#rsa.
License Agreement
This software and the associated documentation are proprietary and confidential to EMC, are
furnished under license, and may be used and copied only in accordance with the terms of such
license and with the inclusion of the copyright notice below. This software and the
documentation, and any copies thereof, may not be provided or otherwise made available to any
other person.
No title to or ownership of the software or documentation or any intellectual property rights
thereto is hereby transferred. Any unauthorized use or reproduction of this software and the
documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment
by EMC.
Third-Party Licenses
This product may include software developed by parties other than RSA. The text of the license
agreements applicable to third-party software in this product may be viewed on the product
documentation page on RSA Link. By using this product, a user of this product agrees to be fully
bound by terms of the license agreements.
Distribution
EMC believes the information in this publication is accurate as of its publication date. The
information is subject to change without notice.
Contents
TAGVALMAP Feature 49
Using the TAGVALMAP Feature 49
Setting Up a Header and Creating a Message 50
NwLogPlayer 54
NetWitness Log Parser Tool
Parser Structure
The NetWitness Log Parser Tool uses the device type of the log parser to create the structure
for the parser. The NetWitness Log Parser Tool also appends the device type to the directory
that you specify for your parser.
When you create a log parser, you select a device type for it. The device type must start with a
letter. The RSA naming convention is to make the device type all lowercase and remove the
spaces. For example, Cisco ASA would have the device type ciscoasa. It is not necessary to
follow the RSA naming convention to use this tool.
In your log parser directory, the NetWitness Log Parser Tool creates two files with the correct
name for NetWitness:
• INI file. This is the parser configuration file. (Example: ciscoasa.ini)
• XML file. This is the log parser XML file that contains the parser definitions. (Example:
ciscoasamsg.xml). The device type is appended with msg.
files, but they cannot be imported directly in the NetWitness Log Decoder.
• Parser Package: .envision (In the main menu, select Actions > Export Parser). This option
creates an event source package that consists of the log parser XML and configuration INI
file. This format is used to import the event source to a Log Decoder directly.
• Live Resource: .zip (In the main menu, select Actions > Export Resource). This option
creates an event source package in a .zip format that consists of all the log parser XMLs and
configuration INI files. The .zip format can be used to deploy parsers through RSA Live. It
enables deployment of parsers to multiple Log Decoders simultaneously.
• To deploy a parser on a Log Decoder (In the main menu, select Actions > Deploy Parser).
This option enables you to deploy the parser directly to the Log Decoder. It also supports
deployment of parsers to multiple Log Decoders simultaneously. For more information, see
Deploying Parsers on a Log Decoder.
For more information, see the "Download Log Parsers from Live and Deploy from Local
Network" topic in the RSA Content and Resources on how to upload the event source log parsers
from your local network to the NetWitness Log Decoder.
For more information, see the "Resource Package Deployment Wizard" topic in the Live
Services Management Guide for Version 11.1 for information on how to upload the event source
log parsers from your local network to the NetWitness Log Decoder at the following location:
https://community.rsa.com/docs/DOC-79989
For more information, see the "Enable and Disable Parsers and Log Parsers" topic in the
Decoder and Log Decoder Configuration Guide for Version 11.x at the following location:
https://community.rsa.com/docs/DOC-80190.
RSA recommends that you compile a log file that contains all the unique events generated by the
event source that you want to integrate with NetWitness. While compiling the log file, ensure
that:
• All the events are from a single event source.
• The log file contains one or two instances of each unique event.
Note: The recommended maximum size of the log file is 25 MB. A larger file can be used,
but it will take more time to load and parse.
For events transmitted by Syslog, you can put the raw logs directly in the NetWitness Log Parser
Tool. For all other event formats, you need to get the log data from NetWitness.
To get log data from NetWitness, see Understanding Events.
Understanding Events
Typically an event consists of two main elements, a header and a payload. The following figure
shows an example of an event with a header and a payload.
Figure 1.
In some events, you may define the entire event as payload as shown in the following figure.
Figure 2.
In some events, you may define the payload to begin from the header, and the header and
payload may overlap.
Figure 3.
Header
The header consists of the following elements, which are common across multiple events:
MessageID. Indicates a unique identifier for the message in the event. In the examples in
the following figures, the MessageID is unique to the event.
Caution: If you create a header that is too generic and can be used to identify a wide variety
of logs, it could match logs that are currently parsed through other parsers.
. (Optional) Consists of the date and time when the event was generated by the event
source. Some events may not contain an event source time stamp.
Header Variable. (Optional) Contains a value in the event header that varies across similar
types of events. In the examples in the following figures, 4874 and 4921 are header variables
that indicate the session ID in the events.
Payload
The payload is everything in the event that is not the header. It contains detailed information
about the event. The payload is the message in the event. NetWitness uses this information for
analysis and reporting. The payload consists of message variables and static text.
A message variable is a value in the payload that varies across similar types of events. In the
examples in the following figures, Up and Down are message variables that indicate the link
status of the INTNAME interface.
Figure 4.
Figure 5.
NetWitness Log Parser Tool classifies all the values in the payload that are not message
variables as static text. The following figure shows an example of values that NetWitness Log
Parser Tool classifies as static text.
2. In the Investigate dialog, select a Log Decoder, Archiver, Concentrator, or Broker service
and click Events. In the Events view, select the events and, in the Actions menu, select
Export > Export All Logs.
3. In the Enter file name for extraction dialog, enter a name for your log file and click OK.
4. In the Export Log Format dialog, select Text and click Export.
You will receive a Scheduled Job notice.
5. Check the Job Notifications tray to view the status of the log file. Click the View link to go
to the Jobs panel in the Profile view to download the log file.
• Defining a Header
• Defining a Message
Defining a Header
Define the header by assigning the values in the event to header elements. The purpose of
defining a header is to identify the event source from which the event is generated. When you
define a header with all its elements, the definition can parse similar types of events in the log
file.
RSA recommends that you define a generic header definition that will parse multiple events that
follow similar formats. The NetWitness Log Parser Tool generates a unique identifier, the
HeaderID, for each header definition to identify the header definitions available in the log parser
XML file. However, you can change the generated identifier to provide a unique HeaderID of
your choice.
You can include the following elements when defining how to locate the MessageID in the
header:
• MessageID, used in the Event ID lookup, which enables you to specify one of the following
options:
  ◦ MessageID variable
  ◦ Variable suffix
  ◦ Concatenation
Header Order
Header order determines the precedence of the headers. In general, headers should be ordered
from specific to generic (see Validating the Precedence of Pattern Definitions).
A header's position can be changed by selecting the header and using the Move Up/Move Down
menu items on the Edit menu (or using the keyboard shortcuts Ctrl+Up and Ctrl+Down). You
can also right-click a header or message to open a context menu with options to move it up
and down.
For more information on these elements, see Understanding Events.
Defining a Message
Define the message by assigning the values in the payload to message variables and defining
message elements. A single message definition may parse one or more similar events in your log
file.
The following table lists the message elements that you must define.
MessageID
Indicates the identifier by which NetWitness identifies the event uniquely. The MessageID can
be defined in one of the following ways:
• Same as the event ID.
• A combination of the event ID defined in the header definition and a unique variant. For
example, if the event ID is 109801, the MessageID can be defined as 109801:02.
• A brief description that identifies the event. For example, in the following event, the event ID
is 187698, and the MessageID can be defined as CableFailover.
Event category
Indicates the category to which the event belongs, based on the NetWitness taxonomy.
Functions (Optional)
Define actions to be performed on variables in an event to generate user-defined values.
The following figure shows the list of functions supported by Log Parser Tool.
2. Click
Note: Make sure all the meta values are in lower case.
Message Order
All messages are displayed in order by message group. Messages with differing message group
values cannot be re-ordered. However, messages with the same group can be re-ordered, as
order determines the precedence within the group. In general, messages within a group should be
ordered from specific to generic (see Validating the Precedence of Pattern Definitions).
When applicable, a message's position within its message group can be changed by selecting the
message and using the Move Up/Move Down menu items on the Edit menu (or using the
keyboard shortcuts Ctrl+Up and Ctrl+Down). You can also right-click to open a context menu
with the Move Up/Move Down options.
When creating a new message or editing the group of an existing message, the message is
(re)positioned based on the new message group value. If there are existing messages with that
group value, the message is positioned at the end of the message group.
• Message 10124 <A B C D>, where A, B, C, and D are elements in the message
If the order of the message definitions is as shown, NetWitness parses an A B C event from the
event source using the Message 10123 definition. NetWitness also parses an A B C D event
from the event source using the Message 10123 definition. The A B C D event must be parsed
against the Message 10124 definition, which is specific. Therefore, you must ensure that the
specific definition, Message 10124, appears before the generic definition, Message 10123, in the
log parser file, as follows:
• Message 10124 <A B C D>
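The following is an added example, not code from the RSA guide or the Log Parser Tool, that models the Message 10123 <A B C> / Message 10124 <A B C D> case above with simplified, assumed matching rules: a definition is a sequence of whitespace-separated tokens, a token written <name> is a variable that captures one event token, any other token is a literal, and a definition matches when its tokens line up with the start of the event (trailing event text is ignored, which is what lets the generic 10123 swallow an A B C D event). D is modelled as a variable so that the meta lost through wrong ordering is visible.

```python
"""Added example (not from the RSA guide): first-match precedence among message
definitions and a check that reports generic definitions placed before the specific
definitions they shadow. Matching rules are the simplified assumptions described in
the lead-in; the real Log Decoder pattern language is richer than this."""

from typing import Dict, List, Optional, Tuple

Definition = Tuple[str, str]  # (MessageID, pattern text)


def match_definition(pattern: str, event: str) -> Optional[Dict[str, str]]:
    """Return the captured variables if `pattern` matches the START of `event`, else None."""
    p_toks, e_toks = pattern.split(), event.split()
    if len(p_toks) > len(e_toks):
        return None
    captured: Dict[str, str] = {}
    for p, e in zip(p_toks, e_toks):
        if p.startswith("<") and p.endswith(">"):
            captured[p[1:-1]] = e  # variable token: capture whatever the event has here
        elif p != e:
            return None            # literal token: must match exactly
    return captured


def first_match(definitions: List[Definition], event: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Walk the definitions in file order; the first one that matches wins."""
    for msg_id, pattern in definitions:
        captured = match_definition(pattern, event)
        if captured is not None:
            return msg_id, captured
    return None


def precedence_warnings(definitions: List[Definition]) -> List[str]:
    """Flag definitions that can never be reached: if an EARLIER definition matches the
    later definition's own pattern text, it matches every event the later one would."""
    warnings: List[str] = []
    for i, (earlier_id, earlier) in enumerate(definitions):
        for later_id, later in definitions[i + 1:]:
            if match_definition(earlier, later) is not None:
                warnings.append(f"{later_id} <{later}> is shadowed by {earlier_id} <{earlier}>")
    return warnings


# Constructed events and definitions following the page's example.
EVENT_ABC = "A B C"
EVENT_ABCD = "A B C D"
GENERIC_FIRST: List[Definition] = [("10123", "A B C"), ("10124", "A B C <d>")]   # wrong order
SPECIFIC_FIRST: List[Definition] = [("10124", "A B C <d>"), ("10123", "A B C")]  # correct order

if __name__ == "__main__":
    print(first_match(GENERIC_FIRST, EVENT_ABCD))   # ('10123', {}) : D is never extracted
    print(first_match(SPECIFIC_FIRST, EVENT_ABCD))  # ('10124', {'d': 'D'})
    print(first_match(SPECIFIC_FIRST, EVENT_ABC))   # ('10123', {}) : generic still catches A B C
    print(precedence_warnings(GENERIC_FIRST))       # one shadowing warning
    print(precedence_warnings(SPECIFIC_FIRST))      # []
```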
After validating the log parser for data pattern warnings, you must validate the precedence of the
header and message definitions in the log parser file.
The NetWitness Log Parser Tool displays the errors that occur in the header and message
definition order. For better analysis and reporting, you must resolve all the precedence errors.
While defining the log parser, you can view parsed events and the associated header and
message definitions. For example, if you have defined two header definitions and one message
definition in the log parser file, you can view parsed events for these definitions, and then
continue to define more header and message definitions depending on the parsed events already
viewed.
GitHub members can contribute to the repository by adding or editing a log parser by raising a
Pull Request that is reviewed by NetWitness Engineers. As a member of the GitHub community,
you can create a new log parser for an event source that is not currently supported by
NetWitness and share it with the NetWitness community. You can also edit an existing log
parser to add or edit definitions for events, or to correct errors.
You may need to edit a log parser in one of the following situations:
• You upgrade to a new version of an event source that contains new, updated, or deprecated
event messages.
• You want to update the definition for an existing event in a log parser.
This workflow shows the procedures to install LPT and create a log parser.
Content Expert Customize a Log Parser (For 1.1 version) Creating a Custom Parser
Note: The Recent Parsers and Open Recent sections are empty, since this is a new installer.
Setting Preferences
The Preferences dialog allows you to provide paths for logs and parsers, and to select a parsing
mode for the application.
Note: The default path is your Documents folder and the default parsing mode is Auto.
• For MacOS systems: From the NetWitness Log Parser Tool menu, select Preferences.
The default paths and modes are explained in the following table.
Preferred Device Location
• Default directory that is opened when you open an existing parser.
• The default directory is the location where a new parser is created.
Preferred Log File Location
Directory that the NetWitness Log Parser Tool opens when you want to load a log file.
Parsing Mode
By default, the NetWitness Log Parser Tool uses Continuous Parse mode, which means the log
file is reparsed whenever there is a change to the parser.
Note: You can change the mode to Parse On Demand if you notice that it is taking a while to
parse the log file. A Play icon is displayed in the middle divider that can be used to parse the
log when a sufficient number of changes is complete. You can also use the F5 keyboard shortcut
to facilitate log file parsing.
Save Modifications to Custom Parser (for version 1.1)
When this check box is enabled, all the changes in the log parser file will be saved in the custom
parser file. This option will be ignored if the custom parser already exists and all the changes
are saved in the custom file.
Note: When a custom parser file is opened, the tool displays the merged entries of the log
parser and the custom parser.
Caution: A user cannot open a custom parser file when log parser file is not available.
Note: All parsers opened in the tool are automatically saved at 30-second intervals, which
serves as a backup. You can view the last saved time in the Status Bar.
Note: Special characters are not allowed for the Device Type.
Note: The parser path that is set in the Preference page is auto-populated here.
e. In the Log File field, select a log file. This field is optional and can be selected
at a later time.
3. Click Create to create a new parser, or click Cancel to return to the Welcome page.
The following screen is displayed after you select Create New Parser.
4. Click the Open/Change Log File icon ( ). Browse to find the log file that you want to open
and click Open.
For more information, see Opening a Log File
All the events in the selected log file are displayed, as shown in the following example.
Note: The custom parser is not deleted or overwritten during Log Decoder upgrades or RSA
Live Content updates.
Note: Custom Parser is not supported in 11.0 version and is available in 10.6.5 or later and
11.1 and later versions.
Make sure you have enabled "Save Modifications to Custom Parser". For more information, see
the Preferences section.
For more information, see "Log Parser Customization" at https://community.rsa.com/docs/DOC-83425
Note: If you opened your parser previously in the NetWitness Log Parser Tool, you can open
the parser from the Recent Parsers section of the Welcome screen.
2. Type or select the name of the parser that you want to edit and click Open. For example,
ciscoasamsg.xml.
3. Edit the parser entries such as headers, messages or tagval for customization.
4. Go to File and click Save.
Note: All the custom parser entries are highlighted in blue, as displayed in the image.
Parser Version
In the Parser Details section there is a Parser Version field. If there is a specific version
associated with the parser, that version is displayed in the Parser Version field. You can also
manually change the Parser Version in the Parser Version field.
3. Enter the IP address of the Log Decoder where you want to add the parser, along with the
credentials of the Log Decoder.
4. Click Deploy to add the parser to the Log Decoder, or click Cancel to return to the previous
screen. After you click Deploy, the parser is added to the Log Decoder and all log parsers are
subsequently reloaded.
Note: These entries are not retained; all the fields must be re-entered every time this dialog is
opened.
Note: The first time you open the log file for a parser, the location that is set in Preferences
is the default location.
In the Log Data section, do one of the following to add a log file for parsing:
• Click the Open/Change Log File icon.
Note: When a log file is open, you can change to a different log file using the Open/Change
Log File icon.
The Log File Auto Splitting option allows you to split the size of a log file that exceeds 25 MB.
• If you select Create Chunks, the log file is split into smaller sized files without affecting the
original log file.
• If you select Load Original File, the log file may load slowly, because it exceeds the
recommended maximum size of 25 MB.
• If you select Cancel, you can select a different log file to load.
Note: If a file larger than 25 MB is used, it is recommended that you use On-Demand Parsing
so that the parser does not attempt to parse a large log file after every change.
Note: Each time you generate a Parsing Summary Report, the existing report is overwritten. If
you want to retain the existing report, it is recommended that you re-name the generated
report.
2. Open the log file that is associated with your selected parser. Note that if your log file is
extremely large, a dialog is displayed that asks if you want the log file broken into smaller
chunks.
Status Bar
Within the NetWitness Log Parser Tool user interface, there is a status bar located at the bottom
of the page that displays the following information:
• Header and Message count
The following example Status Bar shows the most recent time that a log file was auto-saved.
After you have defined a new parser or opened a parser to edit, work from the Log Data section
to define the headers and messages. Events move from Undefined (Header and Message not
defined) to Header Defined (Message not defined) and then to Completely Defined (Header
and Message defined).
Note: All defined Headers and Messages can be duplicated. This allows a simplified parser
development where a similar pattern is needed for a Message or Header.
4. If you want to change the log file, then click the Open/Change Log File icon.
5. To start the payload, select the text to be marked as payload, right-click, then click Set as
Payload. Alternatively, place your cursor at the start of the payload, right-click, and select
Set as Payload.
b. Press CTRL+K (COMMAND+K for MacOS). You can also right-click to get a context
menu that provides an option to create a variable. The background changes to orange,
c. Start typing the name of the variable in the variable field, use the down and up arrow
keys to select the variable, and press ENTER or you can also double-click the variable
to select it.
7. To change where the payload starts, or to start at the header, right-click a variable and select
Payload Rewind. For example, right-click the Level variable and select Payload Rewind.
a. Select Concatenation, type a generic text string in the text field, and press ENTER.
Note: Each Header needs a MessageID and a payload. Make sure to define a single
MessageID for each header.
Note: The Create Message button in the log section is only enabled when the MessageID and
Payload are defined.
Note: If you want to change your MessageID, you may need to delete the header and recreate
it.
2. In the message pattern, define variables for the values that you want to extract as meta. To
define a variable:
a. Highlight the text that you want to change to a variable and press CTRL+K
(COMMAND+K for MacOS). Or you can select the Create Variable option from the
context menu. The background changes to orange, which indicates a variable.
b. Start typing the name of variable in the variable field, use the down and up arrow keys to
select the variable, and press ENTER.
Note: The variables that you define create meta in the Log Decoder.
3. In the Event Category field, select a generic category for the message. For example,
Other.Default.
The Group field populates from the header. The event shows as completely defined in the
Select an Event section.
4. To save your changes, select File > Save or File > Save As, or press Ctrl+S
(COMMAND+S for MacOS).
5. After you complete and save your changes, retrieve the completed parser.
You have a choice of three formats:
• .envision (In the menu, select Actions > Export Parser.) This option creates an event
source package that consists of the event source XML and configuration (INI) file.
• .zip (In the menu, select Actions > Export Resource.) This option creates an event
source package in .zip format that consists of all the event source XMLs and configuration
INI files.
• Deploy the parser directly from the Log Parser Tool to the Log Decoder. From the main
menu, select Actions > Deploy Parser.
6. Deploy the event source package in the NetWitness platform to integrate the event source.
RSA recommends that you first deploy the parser to a test system to verify that it parses log
traffic correctly.
2. In the value field, type the value that you want to assign to the variable.
3. In the Set Variable field, type the name of a variable that was not previously selected.
1. Right-click the box below the Group field and select Add Function > Event Time.
2. In the Set Value field, type the format that you want to assign to the time variable. For
example, %B %F %W %N:%U:%O, which appears in the format Jan 27 2015 23:55:29.
3. In the from field, select whether to parse event time in this format from the message (MSG)
or from the header (HDR).
4. Right-click the Select Variable fields and select a variable from the list. To add additional
variables as required, right-click a variable and select Add.
Event time example:
%R Full Month Name (in English language), fixed width field: January,
February, March, April, May, June, July, August, September,
October, November, December
%M Numeric Month, fixed width field: 01, 02, 03, 04, 05, 06, 07, 08, 09,
10, 11, 12
%D Numeric Month Day, fixed width field: 01, 02, 03, 04, 05, 06, 07, 08,
09, 10, ..... , 23, 24, 25, 26, 27, 28, 29, 31
%Q A.M./P.M.
%Y Year: 00-99
Note: If you changed the table mapping file (table-map.xml), or created a custom table
mapping file (table-map-custom.xml), you can upload this updated file to the NetWitness Log
Parser Tool.
Note: Before your file is overwritten, a confirmation message is displayed in the dialog box if
you have already created a custom table map with the same name. This message does not
display if you are uploading a table-map-custom.xml file for the first time.
• Select a log you want to delete, right-click, and select Delete.
• Select a message definition or header definition that you want to move up or move down,
right-click, and select Move Up or Move Down.
• To duplicate a header or message, press Ctrl+D (Windows) or Fn+Ctrl+D (Mac OS), or from
the main menu, select Edit > Duplicate.
• Select a log you want to duplicate, right-click, and select Duplicate.
• To redo your changes, press Ctrl+Y, or from the main menu, select Edit > Redo.
Logs. Searches for the selected value in the logs section. Searches for any log that contains the
selected search text. For example, you can search for Bangalore. Search results include any logs
that contain Bangalore as part of a log.
Meta. Searches for any meta in the logs section. For example, you can search for the term
username. Search results include logs that contain username as part of a log.
Regex. Searches for the selected regex pattern in the logs section. For example, you can search
for \d+\.\d+.* and the search results include logs that contain IP addresses as part of the logs.
Header ID. Searches for the selected HeaderID. For example, you can search for a HeaderID that
is listed as 0008. The search results include the number of headers that contain 008* defined as
part of the header.
Message ID. Searches for the selected MessageID. For example, you can search for a MessageID
such as 04_TACACSAcc. The search results include the number of messages that contain
04_TACACSAcc* defined as part of the message.
The following example shows the search results for logs. The Search field and the Status Bar
Message Count fields are highlighted.
Literal. Default search option that matches literals. This option searches for any literal within the
Header section. For example, you can search for Bangalore with this option selected. The search
results include the number of headers that contain Bangalore as part of a literal.
Variable. Searches for any variable or meta defined in the Header section. For example, you can
search for saddr with this option selected. The search results include the number of headers that
contain saddr defined as part of the header.
HeaderID. Searches for the selected HeaderID. For example, you can search for a HeaderID that
is listed as 0008. The search results include the number of headers that contain 008* defined as
part of the header.
All. Searches for any selected text. For example, you can search for the text syslog, and a
search is performed on any literal, HeaderID, or variable that matches the selected search text.
Literal. Default search option that matches literals. Default selected value for Message searches.
This option searches for any literal within the Message section. For example, you can search for
Bangalore with this option selected. The search results include the number of messages that
contain Bangalore as part of a literal.
Variable. Searches for any variable or meta defined in the Message section. For example, you
can search for saddr with this option selected. The search results include the number of
messages that contain saddr defined as part of the message.
Category. Searches for a particular event category that is part of the selected message. The
search results include the number of messages that contain Auth.Successful.* defined as part of
the selected message.
MessageID. Searches for the selected MessageID. For example, you can search for a MessageID
such as 04_TACACSAcc. The search results include the number of messages that contain
04_TACACSAcc* defined as part of the message.
Message Group. Searches for the selected Message Group. For example, you can search for the
text syslog. The search results include any literal, MessageID, variable, category, or Message
Group that contains syslog.
All. Searches for any selected text. For example, you can search for the text syslog, and a
search is performed on any literal, MessageID, variable, category, or Message Group that
matches the selected search text.
Note: When you are performing a combination search, it is an OR condition for the search.
The search begins after you press ENTER.
Note: The context menu for Headers and Messages has a new option called Parsed Logs that
displays all the logs parsing from the selected Header or Message.
Note: All search options listed below can be used individually or in combination with other
search options. The advanced search options can also be used in the logs section.
Note: When using the Advanced Search, you must select All from the Log Filter drop-down
menu.
Message Search Option / Description
Header Search. If you need to filter logs that parse with a specific header, use the @hid option,
followed by the HeaderID (for example, @hid:0001).
Message Search. If you need to filter logs that parse with a specific header, use the @hid option,
followed by the HeaderID (for example, @hid:0001).
Variable Name Search. If you want to filter logs that contain a specific variable or meta item,
use the @<variable-name> option (for example, @saddr). This option lists all logs that contain
saddr meta keys.
Variable Value Search. If you want to filter logs that have a specific variable value, use the
@<variable-name>:<variable-value> option (for example, @dport:10). This option lists all logs
with a value of 10 for the meta key dport.
Regex Search. If you want to search the logs using a regex, use the @regex option (for
example, @regex:\d+\.\d+.*). This option displays all logs that contain an IP address.
Free Text Search If you use this option, any text provided will be searched in the logs.
If two words are provided, both of them are searched separately
(similar to the way that Google performs text searches). As an
example, if you enter the words rsa bangalore, rsa and bangalore
are searched separately and all logs containing either word are
displayed.
Note: If you want to search on terms as though they are in a sentence, you need to enclose
your search query in quotation marks (for example, "rsa bangalore").
If the search query is not properly enclosed within quotation marks, the error is not
automatically corrected, and no error message is displayed.
Note that when you search on a header, message, variable name or variable value, by default all
searches only perform a contains match. For example, if you enter the search text @hid:0001,
all headers containing id 0001, 0001:01, 0001:02, and so on will be displayed. If you want an
exact match, the query should be entered as @hid:"0001" so that only logs that match header
ID 0001 are displayed.
Advanced Header Search Option / Description
@var: Searches for any variable or meta defined in the header section.
Syntax: @var:<variable>, where variable is the variable or meta to search.
For example: @var:saddr displays the number of headers that contain saddr defined as a part of
the header that you can search.
Advanced Message Search Option / Description
@var: Searches for any variable or meta defined in the header section.
Syntax: @var:<variable>, where variable is the variable or meta to search.
For example: @var:saddr displays the number of headers that contain saddr defined as a part of
the header that you can search.
TAGVALMAP Feature
The <TAGVALMAP> feature is an advanced feature that enables easy parsing of event logs
using the <TAGVAL> format. The parsing of <TAGVAL> logs is different from other logs, as
the Log Decoder allows listing all Tag=value in a single MessageID where the tags can display
in any order in the log.
After you save the data, the corresponding XML file content looks similar to the following
example:

    <TAGVALMAP
        pairdelimiter=","
        encapsulator="'"
        valuedelimiter="="
        escapeValueDelim=" "
        escapePairDelim=" "/>
Create Message
When you create a message, the Name Value Pair check box should be checked in order for the
messages to be parsed. Note that if you do not select the Name Value Pair check box, the
parser does not parse <TAGVAL> messages with a different order. The Name Value Pair is
disabled by default and it is enabled for user input only if the message definitions satisfy the
<TAGVAL> format, as shown in the following examples.
The TAGVAL format is either:

    <literal><valuedelimiter><variable><pairdelimiter>….<literal><valuedelimiter><variable>

or, with a trailing pair delimiter:

    <literal><valuedelimiter><variable><pairdelimiter>….<literal><valuedelimiter><variable><pairdelimiter>
The Allow Missing Fields option is used to parse event logs that are missing some of the
<TAGVALUE> pairs defined in the message definition. This means that not all <TAGVALUE>
pairs defined in the message definition need to be parsed.
Listed below are sample payload parts of event logs that are parsed:
ConfigVersionId=29, Device IP Address=201.1.37.7, UserName=sgadmin,
Protocol=Radius,
ConfigVersionId=29, Device IP Address=201.1.37.7, UserName=sgadmin,
Authentication succeeded, UserName=sgadmin, ConfigVersionId=39, Device
IP Address=201.1.37.7, Protocol=Radius
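The following is an added example, not code from the RSA guide or the Log Parser Tool, that parses the TAGVAL payload shape described above (tags in any order, optional trailing pair delimiter, encapsulated values) using the pairdelimiter, valuedelimiter and encapsulator values from the page's <TAGVALMAP> element, and applies the Allow Missing Fields behaviour to the three sample payloads. The escapeValueDelim and escapePairDelim attributes are not modelled because the page does not describe their semantics; the message definition, the tag-to-meta mapping and the meta key names are assumptions made for the example.

```python
"""Added example (not the Log Decoder's parser): a minimal TAGVAL payload parser and a
message-definition matcher with an 'Allow Missing Fields' switch, using the delimiter
attributes from the page's <TAGVALMAP> example. Meta key names and the tag -> meta
mapping are constructed for illustration."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TagValMap:
    pairdelimiter: str = ","    # values taken from the page's <TAGVALMAP> element
    valuedelimiter: str = "="
    encapsulator: str = "'"


def split_pairs(payload: str, tvm: TagValMap) -> List[str]:
    """Split on pairdelimiter, but never inside an encapsulated value. A trailing
    pairdelimiter (the second format variant on the page) produces no extra pair."""
    pairs: List[str] = []
    buf: List[str] = []
    quoted = False
    for ch in payload:
        if ch == tvm.encapsulator:
            quoted = not quoted
            buf.append(ch)
        elif ch == tvm.pairdelimiter and not quoted:
            pairs.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    pairs.append("".join(buf))
    return [p.strip() for p in pairs if p.strip()]


def parse_tagval(payload: str, tvm: TagValMap) -> Tuple[Dict[str, str], List[str]]:
    """Return (tag -> value, literal segments that carry no valuedelimiter).
    Because the result is a dict, the order of tags in the log does not matter."""
    tags: Dict[str, str] = {}
    literals: List[str] = []
    for segment in split_pairs(payload, tvm):
        if tvm.valuedelimiter not in segment:
            literals.append(segment)  # e.g. "Authentication succeeded" in the third sample
            continue
        tag, _, value = segment.partition(tvm.valuedelimiter)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == tvm.encapsulator:
            value = value[1:-1]       # drop the encapsulating quotes
        tags[tag.strip()] = value
    return tags, literals


@dataclass
class MessageDef:
    message_id: str
    tag_to_meta: Dict[str, str]          # tag as written in the log -> meta key (assumed names)
    allow_missing_fields: bool = False   # the page's "Allow Missing Fields" option


def apply_message(payload: str, msg: MessageDef, tvm: TagValMap) -> Optional[Dict[str, str]]:
    """Map parsed tags onto meta keys. Without Allow Missing Fields, every tag named in
    the definition must be present or the message does not match (returns None)."""
    tags, _ = parse_tagval(payload, tvm)
    meta: Dict[str, str] = {}
    for tag, meta_key in msg.tag_to_meta.items():
        if tag in tags:
            meta[meta_key] = tags[tag]
        elif not msg.allow_missing_fields:
            return None
    return meta


# Constructed inputs: the three sample payload parts quoted on the page.
SAMPLE_1 = "ConfigVersionId=29, Device IP Address=201.1.37.7, UserName=sgadmin, Protocol=Radius,"
SAMPLE_2 = "ConfigVersionId=29, Device IP Address=201.1.37.7, UserName=sgadmin,"
SAMPLE_3 = ("Authentication succeeded, UserName=sgadmin, ConfigVersionId=39, "
            "Device IP Address=201.1.37.7, Protocol=Radius")

TVM = TagValMap()
RADIUS_AUTH = MessageDef("radius_auth", {"ConfigVersionId": "version", "Device IP Address": "saddr",
                                         "UserName": "username", "Protocol": "protocol"})
RADIUS_AUTH_LENIENT = MessageDef(RADIUS_AUTH.message_id, RADIUS_AUTH.tag_to_meta,
                                 allow_missing_fields=True)

if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2, SAMPLE_3):
        strict = apply_message(sample, RADIUS_AUTH, TVM)          # None for SAMPLE_2 (no Protocol)
        lenient = apply_message(sample, RADIUS_AUTH_LENIENT, TVM)  # partial meta for SAMPLE_2
        print(strict, lenient)
```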
Field / Description
Default Value. When there is no value for a defined key, the default value is used.
Value Map. A set of key-value pairs; where a meta is found in the parser, it is replaced by the
value.
VALUEMAPS can be edited as required: you can insert new VALUEMAPS containing the default
values and delete any unwanted VALUEMAPS.
To edit an existing VALUEMAPS, click it to make changes.
To delete an unwanted VALUEMAPS, right-click the Name column and select the Delete option.
To insert a new VALUEMAPS, right-click the Name column and select the Insert option.
New VALUEMAPS are created with the names VALUEMAPS 1, VALUEMAPS 2 and so on, and
contain default values.
Option Description
(=stdin)
(=localhost)
(=514)
l 3 = auto detect
l 4 = enVision stream
l 5 = binary object
-m [ --memory ] arg    Speed test mode. Reads up to 1 megabyte of messages from the file
content and replays them.
--rate arg    Number of events per second. This argument has no effect if the rate is greater
than the EPS that the program can achieve in continuous mode.