Summary for Top 50 Event Sources
Number of Log Parsers released on Live:
- Event Sources improved and released: 38 (as of 21 Jun 2017)
- Event Sources that cannot be improved: 12
A Look into the Details
50 Log Parsers were identified as the source of almost 80% of all incoming requests to fix unknown messages and minor defects. Each of them was reviewed in detail and assessed for possible improvements.
The team investigated why these event sources generated such a high volume of unknown message tickets.
The factors considered were:
- Common patterns seen across all unknown message tickets for a particular event source.
- Specific log formats that generate unknown messages.
- Whether these logs were the result of a configuration error.
- Whether these logs were generated after upgrading to a newer version of the Event Source.
- Backwards Compatibility impact of the modifications:
  - If the solution re-designs the parser in any way (re-writing some or all message definitions or header definitions), the after-effect on the Meta Key Footprint should be nothing to very minimal.
Log Parsers were updated or re-designed only if the Backwards Compatibility impact assessed against the parameters above was negligible.
Here is a brief highlight of the design improvements:
Here is the list of 38 Log Parsers that were improved and released to NetWitness Live:
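The Meta Key Footprint check described above, as an added illustration that is not part of this post or of the NetWitness parser library: a parser is modelled here as a set of regex message definitions whose named groups stand in for meta keys (an assumption; real parser XML is not modelled), and a redesign is judged backwards compatible only if no meta key the old parser populated disappears.

```python
import re
from collections import Counter

# Constructed sample log lines (not from any real device).
SAMPLE_LOGS = [
    "user=alice action=login result=success ip=10.0.0.5",
    "user=bob action=login result=failure ip=10.0.0.9",
    "user=carol action=logout ip=10.0.0.7",
]

# Simplified stand-in for a parser: each message definition is a regex whose
# named groups are the meta keys it populates (assumption, not parser XML).
OLD_PARSER = {
    "login_ok": re.compile(r"user=(?P<username>\S+) action=login result=success ip=(?P<ip_src>\S+)"),
}
NEW_PARSER = {
    "login": re.compile(r"user=(?P<username>\S+) action=login result=(?P<result>\S+) ip=(?P<ip_src>\S+)"),
    "logout": re.compile(r"user=(?P<username>\S+) action=logout ip=(?P<ip_src>\S+)"),
}
# A redesign that silently stops populating 'username' (breaks existing content).
BREAKING_PARSER = {
    "login": re.compile(r"user=\S+ action=login result=(?P<result>\S+) ip=(?P<ip_src>\S+)"),
    "logout": re.compile(r"user=\S+ action=logout ip=(?P<ip_src>\S+)"),
}

def footprint(parser, logs):
    """Return (meta key -> number of messages populating it, unknown message count)."""
    keys, unknown = Counter(), 0
    for line in logs:
        for pattern in parser.values():
            m = pattern.fullmatch(line)
            if m:
                keys.update(k for k, v in m.groupdict().items() if v is not None)
                break
        else:
            unknown += 1  # no message definition matched: an "unknown message"
    return keys, unknown

def compat_impact(old, new, logs):
    """Diff the meta key footprints; removed keys break existing reports and rules."""
    old_keys, old_unknown = footprint(old, logs)
    new_keys, new_unknown = footprint(new, logs)
    removed = sorted(set(old_keys) - set(new_keys))
    added = sorted(set(new_keys) - set(old_keys))
    return {"removed_keys": removed, "added_keys": added,
            "unknown_before": old_unknown, "unknown_after": new_unknown,
            "backwards_compatible": not removed}
```

Running `compat_impact(OLD_PARSER, NEW_PARSER, SAMPLE_LOGS)` shows the redesign removing all unknown messages while only adding a key, whereas `BREAKING_PARSER` is flagged for dropping `username`.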
Log Parser Name
Bit9-Bit9 Security Platform
Blue Coat-Blue Coat ProxySG SGOS
Check Point-Check Point Security Suite, IPS-1
Cisco-Cisco Adaptive Security Appliance
Cisco-Cisco IronPort Email Security Appliance
Cisco-Cisco IronPort Web Security Appliance (WSA)
Cisco-Cisco Secure Access Control Server & Cisco-Cisco Identity Services Engine
Cisco-Cisco Secure IDS or IPS
Cisco-Cisco Wireless LAN Controller (2100 Series and 4400 Series)
F5-F5 Big-IP Application Security Manager
FireEye-FireEye Web Malware Protection System
IBM-IBM DB2 Universal Database
IBM-IBM iSeries AS400
IBM-IBM ISS SiteProtector
Juniper-Juniper Networks SSL VPN
McAfee-McAfee Email Gateway (formerly known as CipherTrust IronMail)
McAfee-McAfee Network Security Platform (Intrushield)
Microsoft-Microsoft Exchange Server
Microsoft-Microsoft Internet Information Services
Microsoft-Microsoft SQL Server
Microsoft-Microsoft Windows using Eventing Collection
Microsoft-Microsoft Windows using: Adiscon Event Reporter
Microsoft-Microsoft Windows using: Intersect Alliance SNARE
Oracle-Oracle Access Manager
Trend Micro-Trend Micro Control Manager
UnboundID - UnboundID Identity Data Store
Vmware-VMware vCenter Server
Websense-Websense Web Security
Here is the list of 12 Log Parsers that cannot be improved further:
Log Parser Name
Check Point-Check Point IPSO (nokiaipso)
F5-F5 Big IP (Local Traffic Manager)
Juniper-Juniper Networks JUNOS
McAfee-McAfee ePolicy Orchestrator
McAfee-McAfee Web Gateway
Palo Alto Networks-Palo Alto Networks Enterprise Firewall
Red Hat Linux (RHEL)
RSA Authentication Manager/UCM (rsaacesrv)
Symantec-Symantec Endpoint Protection
Most of these have highly unstructured log formats. Because of several Backwards Compatibility and performance impact issues, they could not be improved.
Please note that these 12 Log Parsers are expected to generate unknown messages. The team relies on incoming support requests to update these parsers; once such a request is received, the team will update the parser as soon as possible.
The RSA NetWitness Log Parsing team will closely monitor incoming requests for the improved Log Parsers and improve them further as applicable. They will continue to extend these improvements to other supported Log Parsers in the library.