000037969 - Information Needed for Log Parsing Issues in RSA NetWitness Platform

Document created by RSA Customer Support Employee on Oct 29, 2019
Version 1

Article Content

Article Number: 000037969
Applies To:
RSA Product Set: NetWitness Platform
RSA Product/Service Type: NetWitness UI, Log Decoder, Log Collector, RSA Live
RSA Version/Condition: 10.x, 11.x
Platform: CentOS
O/S Version: 6, 7
Tasks
Please provide the following information when reporting log parsing issues in RSA NetWitness:
  1. Event Source Name (the name of the device that is sending the logs):
  2. Event Source Version (the version of the device that is sending the logs):
  3. Collection Method:
  4. Version of RSA NetWitness you are running:
  5. Parser Name:
  6. Parser Version: You can confirm the parser version by opening the .xml log parser file on the Log Decoder(s) in question and checking the version information at the top of the file:

    # cd /etc/netwitness/ng/envision/etc/devices/<parser name>
    # cat <parser name>.xml

    This will display the following information.


    1. Verify if the parser in question is enabled in your environment: 
      1. Navigate to the RSA NetWitness UI > Admin/Administration > Services > Log Decoder in question > View > Config > "Service Parsers Configuration"
      2. Make sure that there is a checkmark under "Config Value" next to the parser in question.
      3. If there is not, check the box, press "Apply," and restart the Log Decoder service on which you made the change.
    2. Verify if you are running the latest version of the parser in question: navigate to RSA Live to find the parser in question, using Steps 1-2 in either of the links below:
    3. In either case, once you have found the parser, double-click the parser search result. The description field displays a "Parser Version" and an "Event Source Update" version. Make sure that the following fields match:
      • The value of the "xml" field in the parser file and the "Parser Version" value in RSA Live
      • The value of the "revision" field in the parser file and the "Event Source Update" value in RSA Live
    4. If the values between the parser xml file and the parser information in RSA Live do not match, you will need to deploy the latest version of the parser in question: How to update a parser using RSA Live in RSA NetWitness
    5. If the issue still persists after deploying the latest version of the parser, please provide all of the requested information in this KB to Support.
  7. A list of all parsers that are enabled on the Log Decoder(s) in question: 
    • Navigate to the "Service Parsers Configuration" in the UI as shown above and make a list of every parser that has a check mark next to it under "Config Value."
  8. Screenshots from the "Event Reconstruction" view of the logs in question displaying the issue
  9. An export of the logs in question - for more information on how to export events, review the following: Investigate: Export Events in the Events View
    • The logs can be uploaded directly into the case, the RSA SFTP site, or you can request a temporary FTP link from Support. 
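
The version check in step 6 can be scripted on the Log Decoder. The shell functions below are an added example, not RSA code: they read the "xml" and "revision" values from <parser name>.xml and compare them with the "Parser Version" and "Event Source Update" values you read from RSA Live. The example assumes both fields appear as name="value" attributes near the top of the file; the parser name exampledev and the sample header are constructed.

```shell
#!/bin/sh
# Added example, not RSA code. Assumption: "xml" and "revision" are name="value"
# attributes within the first 40 lines of <parser name>.xml.
DEVICES_DIR="${DEVICES_DIR:-/etc/netwitness/ng/envision/etc/devices}"

# header_field FILE NAME: print the first NAME="value" found in the file header.
header_field() {
    head -n 40 "$1" | tr -d '\r' |
        sed -E -n "s/(^|.*[[:space:]])$2=\"([^\"]*)\".*/\2/p" | head -n 1
}

# parser_versions NAME: print "NAME xml=<v> revision=<r>"; return 2 if no file.
parser_versions() {
    file="$DEVICES_DIR/$1/$1.xml"
    [ -f "$file" ] || { echo "$1: no parser file at $file" >&2; return 2; }
    printf '%s xml=%s revision=%s\n' "$1" \
        "$(header_field "$file" xml)" "$(header_field "$file" revision)"
}

# check_parser NAME LIVE_PARSER_VERSION LIVE_EVENT_SOURCE_UPDATE
# Returns 0 if both values equal those shown in RSA Live, 1 if not, 2 if no file.
check_parser() {
    found=$(parser_versions "$1") || return 2
    if [ "$found" = "$1 xml=$2 revision=$3" ]; then
        echo "MATCH    $found"
    else
        echo "MISMATCH $found (RSA Live: xml=$2 revision=$3)"
        return 1
    fi
}

# list_parsers: versions of every parser file on disk (deployed, not necessarily
# enabled; the enabled list still comes from "Service Parsers Configuration").
list_parsers() {
    for dir in "$DEVICES_DIR"/*/; do
        if [ -d "$dir" ]; then parser_versions "$(basename "$dir")" 2>/dev/null || true; fi
    done
}

# write_sample DIR: constructed header for a hypothetical parser "exampledev".
write_sample() {
    mkdir -p "$1/exampledev"
    printf '%s\n' '<?xml version="1.0" encoding="ISO8859-1"?>' '<DEVICEMESSAGES>' \
        '<VERSION' '  xml="12"' '  revision="34"/>' \
        > "$1/exampledev/exampledev.xml"
}

# Usage on a Log Decoder: check_parser <parser name> <Parser Version> <Event Source Update>
if [ "$#" -eq 3 ]; then check_parser "$@"; fi
```

The output of list_parsers can be attached to the support case alongside the list of enabled parsers from step 7.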
Notes
If this does not solve your issue, please open a case with RSA Technical Support and reference this article so that we may better assist you.