Attached is a log parser that will allow Security Analytics to consume its own logs and properly parse them. Also included are some sample system alerts that fire when capture has stopped on packet/log decoders, aggregation has stopped on broker/concentrator, packet/log decoder rules modification, index custom xml file modification, and decoder online/offline toggle in concentrator. There is also a “cannot allocate” memory alert thrown in too.
This was created with a larger environment in mind however a small system can still gain some benefit, you will get the alert after the fact, but you can run reports on the data collected.
If you have log samples of something I didn’t have (like errors in the log), send them to me and I will add them.
Security Analytics log entries will have the following format. If it does not have this format it is not a Security Analytics log entry and cannot be parsed or added to the parser.
Month Day Time devicehostname nw[#####]: [AAAAAA] [AAAAAAA] message
Example Log entry using the format described above.
Dec 3 13:56:46 appliance21548 nw: [Decoder] [info] Capture is stopping
Device name is “rsasecurityanalytics”.
Meta keys used in Investigation:
Parsers to enable in the Log Decoder.