Saket Bajoria

Log Parser Improvements

Blog Post created by Saket Bajoria Employee on Oct 12, 2016

The RSA Live Content team has published updates for the 15 Log Parsers that generate the largest number of “Unknown Message Defect” support cases.

These enhancements are part of a strategic initiative to drive improvements to Log Parsers.

These improvements deliver:

  • Fewer Unknown Messages
  • Improved Device Discovery
  • Better Adaptability to newer versions of an Event Source
  • Reduced Parser Maintenance

To take advantage of these improvements you will need to download the latest versions of the parsers listed below from the Live Portal.

| S.No. | Event Source | Log Parser | Improvements |
|---|---|---|---|
| 1 | Microsoft Windows using Event Collection | winevent_nic | This parser can now identify all Windows Security, System and Application log events. Note: Application channel events are parsed with the standard fields needed for basic analytics; some applications are parsed in more detail for specific use cases. |
| 2 | Microsoft Windows using Adiscon Event Reporter | winevent_er | This parser can now identify all Windows Security, System and Application log events. Note: Application channel events are parsed with the standard fields needed for basic analytics; some applications are parsed in more detail for specific use cases. |
| 3 | Microsoft Windows using Intersect Alliance Snare | winevent_snare | This parser can now identify all Windows Security, System and Application log events. Note: Application channel events are parsed with the standard fields needed for basic analytics; some applications are parsed in more detail for specific use cases. |
| 4 | FireEye Web Malware Protection System | fireeyewebmps | This event source has a structured log format and uses tag=value format. The parser has been improved to accommodate new/unknown tags, which significantly reduces the number of unknown messages. |
| 5 | McAfee Network Security Platform | intrushield | Certain types of events generated by this event source have a structured log format and use tag=value format. The parser has been improved to accommodate new/unknown tags, which significantly reduces the number of unknown messages. |
| 6 | Voltage Secure Data | voltagesecuredata | This parser has been redesigned to parse all event ids generated by the event source. It has been made future-proof to parse newer event ids that may be introduced in newer versions of the product. It can also accommodate new/unknown tags, which significantly reduces the number of unknown messages. |
| 7 | Cisco IronPort Web Security Appliance (WSA) | ciscoiportwsa | This parser has been improved to parse all web methods for the Squid and Apache log formats. It has also been improved to accommodate new/unknown tags, which significantly reduces the number of unknown messages. |
| 8 | Cisco Adaptive Security Appliance | ciscoasa | This parser can now support all event ids from the event source. The log format is semi-structured and the event source registers a unique ID for each type of event. We do detailed parsing for most of the documented event ids, and the parser has been made future-proof to identify newer event ids that may be introduced in newer versions of the product. |
| 9 | Cisco Identity Services Engine & Cisco Secure Access Control Server | ciscosecureacs | This event source has a structured log format and uses tag=value format. The parser has been improved to accommodate new/unknown tags, which significantly reduces the number of unknown messages. |
| 10 | Microsoft Internet Information Services | microsoftiis | This event source has a structured log format and uses tag=value format. The parser has been improved to accommodate new/unknown tags, which significantly reduces the number of unknown messages. |
| 11 | UnboundID Identity Data Store | unboundidids | This event source has a structured log format and uses tag=value format. The parser has been improved to accommodate new/unknown tags, which significantly reduces the number of unknown messages. It has also been made future-proof to parse new types of events that may be introduced in newer versions of the product. |
| 12 | IBM WebSphere | ibmwebsphere | Certain types of events generated by this event source have a structured log format. The parser has been improved to identify and parse newer events of that log format. |
| 13 | IBM iSeries AS400 | iseries | This event source has a structured log format and uses tag=value format. The parser has been improved to accommodate new/unknown tags, which significantly reduces the number of unknown messages. |
| 14 | Blue Coat ProxySG SGOS | cacheflowelff | This event source has two types of logs: Web Logs and Audit Logs. Web logs follow a structured log format and use tag=value format; the parser has been improved to accommodate new/unknown tags, which significantly reduces the number of unknown messages. Audit logs have a semi-structured format and we do detailed parsing of most of the audit events; the parser has also been made future-proof to parse new types of audit events that may be introduced in newer versions of the product. |
| 15 | Juniper Networks SSL VPN | junipervpn | This event source has a structured log format and uses tag=value format. The parser has been improved to accommodate new/unknown tags, which significantly reduces the number of unknown messages. |
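The two parsing patterns the table keeps returning to are (a) a tag=value parser that tolerates tags it has never seen, and (b) a semi-structured parser keyed on a per-event-type ID that still produces useful meta for IDs introduced after the parser was written. The Python below is an added illustration of both ideas, written for this post; it is not RSA's parser code and does not reflect the Live parser XML. The tag-to-meta mapping, the regexes, the "parse level" labels and all sample log lines are constructed for the example (the ASA-style lines follow the documented `%ASA-<severity>-<id>:` header, but the bodies and the 999999 ID are made up to stand in for a "newer release" event).

```python
import re

# Constructed, simplified mapping of vendor tags to normalised meta keys.
# An actual parser would carry a much larger table; this is an assumption for the demo.
TAG_MAP = {
    "src": "ip.src", "dst": "ip.dst", "spt": "port.src",
    "dpt": "port.dst", "act": "action", "user": "user.dst",
}
TAG_VALUE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed tag=value lines. The second carries tags absent from TAG_MAP,
# standing in for fields added by a newer appliance release.
TAG_VALUE_LINES = [
    'src=10.0.0.5 dst=203.0.113.9 spt=51234 dpt=443 act=allow',
    'src=10.0.0.7 dst=198.51.100.2 spt=40000 dpt=80 act=block threat="Malware.Generic" newtag=1',
]


def parse_tag_value_strict(msg):
    """'Before' behaviour: one unrecognised tag and the whole message is dropped as unknown."""
    fields = {"parse.level": "detailed"}
    for tag, value in TAG_VALUE_RE.findall(msg):
        if tag not in TAG_MAP:
            return None  # unknown message: every other field on the line is lost
        fields[TAG_MAP[tag]] = value.strip('"')
    return fields


def parse_tag_value_tolerant(msg):
    """Improved behaviour: known tags are normalised, unknown tags are kept under 'extra'
    so the message still yields meta and can be inspected to extend TAG_MAP later."""
    fields = {"parse.level": "detailed"}
    extra = {}
    for tag, value in TAG_VALUE_RE.findall(msg):
        value = value.strip('"')
        if tag in TAG_MAP:
            fields[TAG_MAP[tag]] = value
        else:
            extra[tag] = value
    if extra:
        fields["extra"] = extra
    return fields


# Semi-structured ASA-style messages: a header with severity and a six-digit message ID,
# followed by free text whose layout depends on the ID.
HEADER_RE = re.compile(r'^%ASA-(\d)-(\d{6}):\s*(.*)$')

# Detailed body patterns for the IDs we know (constructed for the demo).
DETAILED = {
    "302013": re.compile(
        r'Built (?P<direction>inbound|outbound) TCP connection (?P<conn>\d+) '
        r'for \w+:(?P<src>[\d.]+)/(?P<spt>\d+) .* to \w+:(?P<dst>[\d.]+)/(?P<dpt>\d+)'),
    "106023": re.compile(
        r'Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<spt>\d+) '
        r'dst \w+:(?P<dst>[\d.]+)/(?P<dpt>\d+)'),
}

# Constructed sample lines; 999999 is a hypothetical ID from a "newer version".
ASA_LINES = [
    '%ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.5/443 '
    '(203.0.113.5/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)',
    '%ASA-4-106023: Deny tcp src outside:203.0.113.5/4567 dst inside:10.0.0.5/22 '
    'by access-group "outside_in" [0x0, 0x0]',
    '%ASA-6-999999: Some new event text introduced in a later release',
]


def parse_semi_structured(msg):
    """Detailed parse for known IDs; for unknown IDs still emit severity, event id and the
    body as generic meta instead of an unknown message."""
    m = HEADER_RE.match(msg)
    if not m:
        return None  # not this device's format at all
    severity, msg_id, body = m.groups()
    fields = {"severity": int(severity), "event.id": msg_id, "device.class": "firewall"}
    pattern = DETAILED.get(msg_id)
    if pattern:
        d = pattern.search(body)
        if d:
            fields.update(d.groupdict())
            fields["parse.level"] = "detailed"
            return fields
    # New or undocumented ID (or a body that drifted): keep what is reliable.
    fields["msg"] = body
    fields["parse.level"] = "generic"
    return fields


def summarize(lines, parser):
    """Count how a batch of lines fares under a given parser: a quick 'unknown message' metric."""
    counts = {"detailed": 0, "generic": 0, "unknown": 0}
    for line in lines:
        fields = parser(line)
        counts["unknown" if fields is None else fields["parse.level"]] += 1
    return counts


if __name__ == "__main__":
    print("strict tag=value  :", summarize(TAG_VALUE_LINES, parse_tag_value_strict))
    print("tolerant tag=value:", summarize(TAG_VALUE_LINES, parse_tag_value_tolerant))
    print("semi-structured   :", summarize(ASA_LINES, parse_semi_structured))
```

The point of the `extra` bucket and the `generic` level is operational: the message still contributes searchable meta (source, destination, action, event id), and the unknown tags or IDs are visible in the data rather than buried in a defect ticket, so the mapping can be extended without a parser release being the only path to coverage.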

The RSA Live Content team will be delivering similar improvements for more parsers over the next two quarters.
