000038021 - AmazonVPC logs not being parsed correctly in RSA NetWitness Platform

Document created by RSA Customer Support Employee on Oct 14, 2019
Version 1

Article Content

Article Number: 000038021
Applies To: RSA Product Set: NetWitness Platform
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 11.x
O/S Version: CentOS7
 
Issue: Customers on 1.6.x or 11.x are unable to parse amazonvpc events correctly and get the below instead:

User-added image
Cause: The issue can occur when the XML typespec file on the decoder, /etc/netwitness/ng/logcollection/content/transform/cmdscript/amazonvpc_transform.xml, does not have execute permissions.
Workaround
  1. Check the configuration for the Amazon VPC event source and make sure it is correct, and confirm that the test connection succeeds.
  2. Make sure that the CEF parser is deployed and enabled on the log decoder.
  3. Restart the nwlogcollector service on the VLC or Local Collector to make sure the above takes effect.
  4. If that doesn't make any change, check the XML typespec file on the decoder under:
    /etc/netwitness/ng/logcollection/content/transform/cmdscript/amazonvpc_transform.xml

    and make sure the file has execute permissions.
     
  5. If it doesn't, grant the permission with:
    # chmod +x /etc/netwitness/ng/logcollection/content/transform/cmdscript/amazonvpc_transform.xml
     
  6. Restart the nwlogcollector service on the VLC or Local Collector after assigning the permission to the file and double-check the issue is fixed after that.
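
Steps 4 and 5 can be combined into one check that records the file's permissions before and after the change. The script below is an added example, not RSA tooling; the function names `has_exec_bit` and `check_typespec` are hypothetical, and the path is the one given in this article.

```shell
#!/bin/sh
# Added example (not RSA tooling). Path is the one given in the article.
TYPESPEC=/etc/netwitness/ng/logcollection/content/transform/cmdscript/amazonvpc_transform.xml

# has_exec_bit FILE: true if any execute bit (user, group or other) is set.
has_exec_bit() {
    # Characters 2-10 of the ls mode string are the nine permission flags.
    perms=$(ls -ld -- "$1" | cut -c2-10)
    case $perms in
        *[xst]*) return 0 ;;   # s/t mean setuid/setgid/sticky with execute set
        *)       return 1 ;;
    esac
}

# check_typespec FILE [--fix]
# Returns 0 if FILE has an execute bit (or --fix added one),
#         1 if the bit is missing, 2 if FILE does not exist.
check_typespec() {
    file=$1
    fix=${2:-}
    if [ ! -f "$file" ]; then
        echo "not found: $file" >&2
        return 2
    fi
    echo "current: $(ls -ld -- "$file")"
    if has_exec_bit "$file"; then
        echo "execute permission present; no change needed"
        return 0
    fi
    if [ "$fix" != "--fix" ]; then
        echo "execute permission MISSING (re-run with --fix to apply chmod +x)"
        return 1
    fi
    chmod +x -- "$file" || return 1
    echo "updated: $(ls -ld -- "$file")"
    echo "now restart the nwlogcollector service on the VLC or Local Collector"
    has_exec_bit "$file"
}

# On the decoder, as root:  check_typespec "$TYPESPEC" --fix
```

Run without `--fix` first to see the current mode and owner; the "current" and "updated" lines give a record of what was changed on the decoder.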
