Add or Update Supported Event Source Log Parsers

Document created by RSA Information Design and Development on May 25, 2016Last modified by RSA Information Design and Development on Aug 16, 2018
Version 154Show Document
  • View in full screen mode
 

This topic tells you how to add supported Event Source Log Parsers or update existing Event Source Log Parsers by downloading them from Live and deploying them to a Log Decoder.

Caution: When you deploy Event Source Log Parsers to the Log Decoder, RSA NetWitness Platform overwrites earlier versions of these parsers.

Goal

After reading this how-to, you will know how to:

  • Deploy Event Source Log Parsers from Live.
  • Download Event Source Log Parsers from Live and deploy them from your local network.
  • Enable a Log Parser in RSA NetWitness.
  • Download the RSA enVision configuration files (table-map.xml, ipaddr.tab, and  ecat.ini).

Note: You can either deploy event source log parsers directly from Live, or download them first, and then deploy them from your local network. RSA recommends that you deploy them directly from Live.

Deploy Event Source Log Parsers from Live

To deploy Event Source Log Parsers, depending on your version, see:

Download Log Parsers from Live and Deploy from Local Network

To download Event Source Log Parsers and deploy them from your local network:

  1. Depending on your version:

    • For NetWitness 11.x: Go to CONFIGURE > Live Content.
    • For Security Analytics 10.x: From the Security Analytics menu, select Live > Search.
  2. Browse Live for the Event Source Log Parsers that you wish add or update using the following Resource Type, depending on your version:

    • For NetWitness 11.x: Log Device
    • For Security Analytics 10.x: RSA Log Device.

    Note: To deploy all parser files and log collection files, search using Bundle as the Resource Type, and select the Log Parser Pack.

  3. In the Live Matching Resources toolbar, click Package > Create.

    The system creates a zip file (for example, resourceBundle3795741728163995331.zip) with the Event Source Log Parsers that you selected and downloads that zip file to your default local directory.

    Note: To deploy all parser files and log collection files,

  4. Upload the Event Source Log Parsers from your local network to the Log Decoder:

    1. Depending on your version:

      • For NetWitness 11.x: Go to ADMIN > Services.
      • For Security Analytics 10.x: From the Security Analytics menu, select Administration > Services.
    2. Select a Log Decoder service and click View > Config.
    3. Select the Parsers tab.
    4. Click ..

      The Upload Parser dialog is displayed. In the Upload Parser dialog, you can review the existing Event Source Log Parsers on the Log Decoder and the dates when they were uploaded.

    5. Click , go to the folder on your local network, and select the Event Source Log Parser file.

      You see the selected Event Source Log Parsers from the file under File Name in the Upload Parsers dialog box.

    6. Click .

      The Event Source Log Parsers are uploaded to the Log Decoder overwriting any earlier versions of these parsers.

Enable a Log Parser

To enable an event source parser, or to ensure that it is already enabled:

  1. Depending on your version:

    • For NetWitness 11.x: Go to ADMIN > Services.
    • For Security Analytics 10.x: From the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Decoder, and from the Actions menu (), choose View > Config
  3. In the Service Parsers Configuration panel, search for your event source.
  4. If the Config Value box for your parser is not already selected, select it. Alternatively, you can select Enable All to enable all of your event source parsers at once.

  5. Click Apply.

When you click Apply, note that all parsers are reloaded into RSA NetWitness.

Download RSA enVision Configuration File

The enVision Config File contains the table-map.xml, ipaddr.tab, and ecat.ini files.

  • table-map.xml is the RSA enVision variable to NetWitness meta key map
  • ipaddr.tab is the Configuration file for DIRCHK log parser function.
  • ecat.ini is the legacy event category ID to user friendly event category name map

To deploy the enVision Config File from Live:

  1. Browse Live for the Event Source Log Parsers that you need using RSA Log Device as the Resource Type.

    The Event Source Log Parsers available for adding and updating are displayed.

  2. Select the enVision Config File you want to deploy.
  3. In the Live Matching Resources toolbar, click Package Create.

    The system creates a ZIP archive and downloads it to your default local directory.

You can deploy the resources in the zip archive whenever you are ready, by selecting Deploy from the menu, and following the steps in the Deployment Wizard. For more details, see Deploy Resources Manually in the Live Services Management Guide.

Previous Topic:Procedures
You are here
Table of Contents > Content Development > Procedures > Log Parsers

Attachments

    Outcomes