Security Analytics Log Parser

File uploaded by Leonard Chvilicek (Employee) on Feb 15, 2014. Last modified by Leonard Chvilicek (Employee) on Mar 3, 2015. Version 3.

Latest version now available: Security Analytics Log Parser



Attached is a log parser that lets Security Analytics consume its own logs and parse them properly. Also included are some sample system alerts that fire when:

- capture stops on a packet or log decoder;
- aggregation stops on a broker or concentrator;
- packet or log decoder rules are modified;
- the custom index XML file is modified;
- a decoder is toggled online/offline in a concentrator.

A "cannot allocate memory" alert is thrown in too.


This was created with a larger environment in mind; a small system can still gain some benefit. On a small system you will get the alert after the fact, but you can still run reports on the data collected.


If you have log samples of entries I did not have (for example, errors in the log), send them to me and I will add them to the parser.


Security Analytics log entries have the following format. A line that does not match this format is not a Security Analytics log entry and cannot be parsed by, or added to, this parser.


Month Day Time devicehostname nw[#####]: [AAAAAA] [AAAAAAA] message

Here nw[#####] is the nw process name followed by its PID. Judging by the example below, the first bracketed field is the component that wrote the entry (for example Decoder) and the second is the severity (for example info); everything after the second bracket is the free-text message. Note that a single-digit day is padded with two spaces after the month, as in the example.

Example log entry using the format described above:

Dec  3 13:56:46 appliance21548 nw[15038]: [Decoder] [info] Capture is stopping


The device name used by the parser is "rsasecurityanalytics".
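As an added example (not the attached parser and not code from the page's author), the Python below parses lines in the format above into fields, rejects anything that does not match the format, and runs simple detection rules of the kind the sample system alerts implement (capture stopped, aggregation stopped, "cannot allocate memory"). The "Capture is stopping" wording is the page's own example; the aggregation message, the component names used as filters, the "failure" severity, and all sample lines are constructed assumptions for illustration and would need to be checked against real Security Analytics logs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Device name the page's parser assigns to Security Analytics log entries.
DEVICE_TYPE = "rsasecurityanalytics"

# Format from the page:
#   Month Day Time devicehostname nw[PID]: [Component] [Severity] message
# A single-digit day is space padded ("Dec  3"), so \s+ separates the fields.
SA_LOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"nw\[(?P<pid>\d+)\]:\s+"
    r"\[(?P<component>[^\]]+)\]\s+\[(?P<severity>[^\]]+)\]\s+"
    r"(?P<message>.*)$"
)


@dataclass
class SAEvent:
    month: str
    day: int
    time: str
    host: str
    pid: int
    component: str
    severity: str
    message: str
    device_type: str = DEVICE_TYPE


def parse_line(line: str) -> Optional[SAEvent]:
    """Return an SAEvent for a Security Analytics line, or None when the line
    does not match the format (and therefore is not an SA log entry)."""
    m = SA_LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return SAEvent(
        month=m["month"], day=int(m["day"]), time=m["time"], host=m["host"],
        pid=int(m["pid"]), component=m["component"], severity=m["severity"],
        message=m["message"],
    )


# (name, message pattern, components the rule applies to; None = any component).
# Only the "Capture is stopping" text comes from the page; the aggregation
# wording and the component names are assumptions for this illustration.
ALERT_RULES = [
    ("capture_stopped", re.compile(r"^Capture is stopping$"), {"Decoder"}),
    ("aggregation_stopped", re.compile(r"aggregation.*stopp", re.I),
     {"Concentrator", "Broker"}),
    ("cannot_allocate_memory", re.compile(r"cannot allocate memory", re.I), None),
]


def match_alerts(event: SAEvent) -> List[str]:
    """Names of the alert rules an event satisfies (component filter, then message)."""
    hits = []
    for name, pattern, components in ALERT_RULES:
        if components is not None and event.component not in components:
            continue
        if pattern.search(event.message):
            hits.append(name)
    return hits


def process(lines) -> Tuple[List[SAEvent], List[Tuple[str, str, str, str]], int]:
    """Parse all lines; return (parsed events, alerts fired, count of lines skipped
    because they are not SA entries). Each alert is (rule, host, component, message)."""
    parsed, alerts, skipped = [], [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            skipped += 1
            continue
        parsed.append(ev)
        for rule in match_alerts(ev):
            alerts.append((rule, ev.host, ev.component, ev.message))
    return parsed, alerts, skipped


# Constructed sample input: the first line is the page's example, the rest are
# made up here (hostnames, PIDs, messages and severities are not real SA output).
# The last line is a non-SA syslog entry and must be rejected by the parser.
SAMPLE_LINES = [
    "Dec  3 13:56:46 appliance21548 nw[15038]: [Decoder] [info] Capture is stopping",
    "Dec  3 13:57:02 appliance21548 nw[15038]: [Decoder] [info] Capture has started",
    "Dec  3 14:01:10 concentrator7 nw[2211]: [Concentrator] [warning] Aggregation has stopped",
    "Dec  3 14:02:00 appliance21548 nw[15038]: [Decoder] [failure] cannot allocate memory",
    "Dec  3 14:02:01 appliance21548 sshd[402]: Accepted publickey for admin from 10.0.0.5",
]

if __name__ == "__main__":
    events, fired, dropped = process(SAMPLE_LINES)
    print(f"parsed {len(events)} SA entries, skipped {dropped} non-SA lines")
    for rule, host, component, message in fired:
        print(f"ALERT {rule}: {host} [{component}] {message}")
```

The parser is deliberately strict: a line that is not of the form `nw[PID]: [Component] [Severity] message` returns None instead of a partially filled event, which mirrors the page's rule that such lines are not Security Analytics entries. The component filter on each rule keeps a "stopped" message from a different component (for example a Broker reporting on a downstream Decoder) from firing the wrong alert.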


Meta keys used in Investigation:






Parsers to enable in the Log Decoder.