Tasks

Please provide the following information when reporting log parsing issues in RSA NetWitness:
- Event Source Name (the name of the device that is sending the logs):
- Event Source information can be found here:
- Event Source Version (the version of the device that is sending the logs):
- Collection Method:
- Version of RSA NetWitness you are running:
- Parser Name:
- Parser Version: You can confirm the parser version by opening the .xml log parser file on the Log Decoder(s) in question and checking the version information at the top of the file (run as root on the Log Decoder):

```shell
cd /etc/netwitness/ng/envision/etc/devices/<parser name>
cat <parser name>.xml
```

This will display the version information at the top of the file (the "xml" and "revision" fields referred to below).
- Verify that the parser in question is enabled in your environment:
  - Navigate to the RSA NetWitness UI > Admin/Administration > Services > Log Decoder in question > View > Config > "Service Parsers Configuration".
  - Make sure that there is a checkmark under "Config Value" next to the parser in question.
  - If there is not, check the box, press "Apply," and restart the Log Decoder service on which you made the change.
- Verify that you are running the latest version of the parser in question: navigate to RSA Live to find the parser, using Steps 1-2 in either of the links below:
  - In either case, once you have found the parser, double-click the parser search result. The description field displays a "Parser Version" and an "Event Source Update" version. Make sure that the following pairs of values match:
    - The value of the "xml" field in the parser file and the "Parser Version" value in RSA Live
    - The value of the "revision" field in the parser file and the "Event Source Update" value in RSA Live
  - If the values in the parser xml file and the parser information in RSA Live do not match, you will need to deploy the latest version of the parser in question: How to update a parser using RSA Live in RSA NetWitness
  - If the issue still persists after deploying the latest version of the parser, please provide all of the information requested in this KB to Support.
- A list of all parsers that are enabled on the Log Decoder(s) in question:
  - Navigate to the "Service Parsers Configuration" view in the UI as shown above and make a list of every parser that has a check mark next to it under "Config Value."
- Screenshots from the "Event Reconstruction" view of the logs in question displaying the issue
- An export of the logs in question; for more information on how to export events, review the following: Investigate: Export Events in the Events View
  - The logs can be uploaded directly into the case or to the RSA SFTP site, or you can request a temporary FTP link from Support.
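The parser version comparison above (the "xml" and "revision" fields of the parser file against the "Parser Version" and "Event Source Update" values shown in RSA Live) can be scripted so it is done the same way on every Log Decoder. The script below is an added example, not RSA documentation or tooling; the sample parser header it checks is constructed, and the exact attribute layout of a real parser file is an assumption based only on the field names the article mentions.

```shell
#!/bin/sh
# Added example (not RSA's own tooling): read the "xml" and "revision"
# attributes from a parser file header and compare them with the values
# taken from RSA Live. Header layout below is an assumption, not a real parser.

# attr FILE NAME -> value of the first NAME="..." attribute found in FILE
attr() {
    grep -o "[[:space:]]$2=\"[^\"]*\"" "$1" | head -n 1 | sed 's/.*="\(.*\)"/\1/'
}

# check_parser FILE LIVE_PARSER_VERSION LIVE_EVENT_SOURCE_UPDATE
# Prints a verdict; returns 0 when the file matches RSA Live, 1 when the
# parser should be redeployed from RSA Live.
check_parser() {
    file=$1; live_xml=$2; live_rev=$3
    xml=$(attr "$file" xml)
    rev=$(attr "$file" revision)
    if [ "$xml" = "$live_xml" ] && [ "$rev" = "$live_rev" ]; then
        echo "$file: xml=$xml revision=$rev matches RSA Live"
        return 0
    fi
    echo "$file: xml=$xml revision=$rev differs from RSA Live ($live_xml / $live_rev): redeploy the parser"
    return 1
}

# Constructed sample parser header with placeholder values (not a real parser).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<DEVICEMESSAGES name="exampledevice" displayname="Example Device"
    xml="1.0" revision="3">
</DEVICEMESSAGES>
EOF

check_parser "$SAMPLE" 1.0 3           # up to date
check_parser "$SAMPLE" 1.0 5 || true   # stale: Live carries a newer Event Source Update
```

On a Log Decoder the same function can be pointed at `/etc/netwitness/ng/envision/etc/devices/<parser name>/<parser name>.xml` with the two values copied from the RSA Live description field.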