Create Custom Typespec for ODBC Collection
NetWitness uses type specification (typespec) files for ODBC and file collection. These files act on raw log files, and are used for two main purposes:
- Define where in the log file data resides. For instance, some log files contain header information that is not considered data to be parsed.
- Replace certain types of characters that the log parser cannot parse correctly. For instance, the tab character can sometimes cause problems.
This topic tells you how to create a custom typespec for the Log Collector. The topic includes:
- Create Custom Typespec procedure
- ODBC Collection typespec syntax
- Sample ODBC Collection typespec files
Create Custom Typespec
To create a custom typespec file:
- Open an SFTP client (for example, WinSCP) and connect to a Log Collector or remote Log Collector.
- Navigate to /etc/netwitness/ng/logcollection/content/collection/odbc, and copy an existing file, for example bit9.xml.
- Modify the file according to your requirements. See ODBC Collection Typespec Syntax for details.
- Rename and save the file to the same directory.
- Restart the Log Collector.
Note: The new Event Source type is not visible in NetWitness until you restart the Log Collector.
ODBC Collection Typespec Syntax
The following table describes the typespec parameters.
Sample ODBC Collection Typespec Files
The following sample is the typespec file for the IBM ISS SiteProtector event source.
<?xml version="1.0" encoding="UTF-8"?>
<typespec>
    <name>siteprotector4_x</name>
    <type>odbc</type>
    <prettyName>SITEPROTECTOR4_X</prettyName>
    <version>1.0</version>
    <author>Administrator</author>
    <description>Collects events from SiteProtector</description>
    <device>
        <name>Internet Security Systems, Inc. RealSecure SiteProtector v 2.0</name>
        <maxVersion>2.0</maxVersion>
        <description></description>
        <parser>iss</parser>
    </device>
    <configuration>
    </configuration>
    <collection>
        <odbc>
            <query>
                <tag></tag>
                <outputDelimiter></outputDelimiter>
                <interval></interval>
                <dataQuery></dataQuery>
                <maxTrackingQuery></maxTrackingQuery>
                <trackingColumn></trackingColumn>
                <levelColumn></levelColumn>
                <eventIdColumn></eventIdColumn>
                <addressColumn></addressColumn>
            </query>
        </odbc>
    </collection>
</typespec>
The following sample is the typespec file for the Bit9 Security Platform event source.
<?xml version="1.0" encoding="UTF-8"?>
<typespec>
    <name>bit9</name>
    <type>odbc</type>
    <prettyName>BIT9</prettyName>
    <version>1.0</version>
    <author>Administrator</author>
    <description>Bit9 Events</description>
    <device>
        <name>Bit9</name>
        <parser>bit9</parser>
    </device>
    <configuration>
    </configuration>
    <collection>
        <odbc>
            <query>
                <tag>BIT9</tag>
                <outputDelimiter>||</outputDelimiter>
                <interval>10</interval>
                <dataQuery>
                    SELECT
                        Timestamp,
                        Event_Id,
                        Computer_Id,
                        File_Catalog_Id,
                        Root_File_Catalog_Id,
                        Priority,
                        Type,
                        Subtype,
                        IP_Address,
                        User_Name,
                        Process,
                        Description
                    FROM
                        ExEvents
                    WHERE
                        Event_Id > '%TRACKING%'
                </dataQuery>
                <trackingColumn>Event_Id</trackingColumn>
                <maxTrackingQuery>SELECT MAX(Event_Id) from ExEvents</maxTrackingQuery>
                <eventIdColumn></eventIdColumn>
            </query>
        </odbc>
    </collection>
</typespec>
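As an added example (not part of this page and not a NetWitness tool), a small Python check that applies the conventions visible in the two samples above before a custom typespec is copied into place: the query block must carry a non-empty dataQuery, interval and outputDelimiter, and a dataQuery that references %TRACKING% needs both trackingColumn and maxTrackingQuery. The render_data_query function assumes the collector substitutes the last collected tracking value for %TRACKING% on each poll; both sample documents are constructed here, modelled on the Bit9 and SiteProtector files.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Bit9 typespec above (column list trimmed); not a NetWitness file.
BIT9_LIKE = """<?xml version="1.0" encoding="UTF-8"?>
<typespec>
  <name>bit9</name>
  <type>odbc</type>
  <collection><odbc><query>
    <tag>BIT9</tag>
    <outputDelimiter>||</outputDelimiter>
    <interval>10</interval>
    <dataQuery>SELECT Timestamp, Event_Id, User_Name FROM ExEvents WHERE Event_Id > '%TRACKING%'</dataQuery>
    <trackingColumn>Event_Id</trackingColumn>
    <maxTrackingQuery>SELECT MAX(Event_Id) from ExEvents</maxTrackingQuery>
  </query></odbc></collection>
</typespec>"""

# Constructed sample with the query block left empty, like the SiteProtector skeleton above.
EMPTY_QUERY = """<?xml version="1.0" encoding="UTF-8"?>
<typespec>
  <name>skeleton</name>
  <type>odbc</type>
  <collection><odbc><query>
    <tag></tag><outputDelimiter></outputDelimiter><interval></interval>
    <dataQuery></dataQuery><maxTrackingQuery></maxTrackingQuery><trackingColumn></trackingColumn>
  </query></odbc></collection>
</typespec>"""


def check_typespec(xml_text):
    """Return a list of problems found in an ODBC typespec; an empty list means it passed."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.findtext("type", "").strip() != "odbc":
        problems.append("type must be odbc")
    for q in root.iter("query"):
        field = lambda tag: (q.findtext(tag) or "").strip()  # empty element -> ""
        if not field("dataQuery"):
            problems.append("dataQuery is empty")
        elif "%TRACKING%" in field("dataQuery") and not (field("trackingColumn") and field("maxTrackingQuery")):
            problems.append("dataQuery uses %TRACKING% but trackingColumn or maxTrackingQuery is empty")
        if not field("interval").isdigit():
            problems.append("interval must be a whole number")
        if not field("outputDelimiter"):
            problems.append("outputDelimiter is empty")
    return problems


def render_data_query(xml_text, last_tracked):
    """Substitute the last collected tracking value for %TRACKING% (assumed collector behaviour)."""
    q = ET.fromstring(xml_text).find(".//query")
    return q.findtext("dataQuery").strip().replace("%TRACKING%", str(last_tracked))
```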