000026758 - How to migrate a custom parser from enVision to RSA Security Analytics.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 2.

Article Content

Article Number: 000026758
Applies To: RSA Security Analytics, RSA Security Analytics Decoder, RSA enVision
Issue: How to migrate a custom parser from enVision to RSA Security Analytics.
Resolution

To migrate a custom parser from RSA enVision to an RSA Security Analytics decoder, follow the steps below.

1. On the enVision appliance, take a copy of the .ini and .xml files for the parser you want to migrate from E:\nic\4100\SiteName\etc\devices.


2. Rename the .xml file to the following format:


v20_PARSERNAMEmsg.xml


3. On the Security Analytics Log Decoder, create a directory named after the parser under /etc/netwitness/ng/envision/etc/devices.


Note: a log parser name can be at most 19 characters, so the new directory name can have at most 19 characters.


4. Give the created directory recursive 755 permissions as follows:


chmod 755 -R /etc/netwitness/ng/envision/etc/devices/PARSERNAME


5. Copy the .ini file and the renamed .xml file into the directory created in step 3.


6. Open the v20_PARSERNAMEmsg.xml file in a text editor such as vi and add the following:


<VERSION
        device="2.0" />


immediately after these two lines:


<?xml version="1.0" encoding="ISO8859-1"?>
<DEVICEMESSAGES>


Save the v20_PARSERNAMEmsg.xml file.


7. Restart the Log Decoder service:


stop nwlogdecoder


start nwlogdecoder


8. Open the Security Analytics user interface and go to Administration --> Devices --> Log Decoder --> View --> Config.


On the right-hand side, under Device Parsers Configuration, the migrated parser should now be listed and can be enabled.
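The file-handling part of this procedure (steps 2 through 6, including the 19-character limit noted in step 3) is easy to get subtly wrong by hand, so here it is as a POSIX shell script. This is an added example, not a script from the RSA article or shipped with the product; the function names migrate_parser and add_version_tag and the DEVICES_DIR override are my own, it assumes the enVision .ini/.xml pair from step 1 has already been copied to a staging directory on the Log Decoder, and the service restart (step 7) and enabling the parser in the UI (step 8) are left to the operator.

```shell
#!/bin/sh
# Added example, not from the RSA article: automates steps 2-6 of the
# migration. migrate_parser, add_version_tag and DEVICES_DIR are names
# chosen for this example.
set -eu

# Insert the <VERSION device="2.0" /> element directly after the
# <DEVICEMESSAGES> line of an enVision parser file (step 6).
# The rewritten file goes to stdout; the caller redirects it.
add_version_tag() {
    awk '
        { print }
        /<DEVICEMESSAGES>/ && !inserted {
            print "<VERSION"
            print "        device=\"2.0\" />"
            inserted = 1
        }
    ' "$1"
}

# migrate_parser STAGING_DIR PARSERNAME
#   STAGING_DIR holds PARSERNAME.ini and PARSERNAME.xml copied from
#   E:\nic\4100\SiteName\etc\devices on enVision (step 1).
#   DEVICES_DIR may be overridden, e.g. for a dry run outside /etc.
#   Prints the path of the new v20_PARSERNAMEmsg.xml on success.
migrate_parser() {
    staging="$1"
    name="$2"
    devices="${DEVICES_DIR:-/etc/netwitness/ng/envision/etc/devices}"

    # The Log Decoder limits parser names to 19 characters (note on step 3).
    if [ "${#name}" -gt 19 ]; then
        echo "migrate_parser: '$name' is longer than 19 characters" >&2
        return 1
    fi
    for f in "$staging/$name.ini" "$staging/$name.xml"; do
        if [ ! -f "$f" ]; then
            echo "migrate_parser: missing $f" >&2
            return 1
        fi
    done

    dest="$devices/$name"
    mkdir -p "$dest"                                   # step 3
    cp "$staging/$name.ini" "$dest/$name.ini"          # step 5 (.ini as-is)
    add_version_tag "$staging/$name.xml" > "$dest/v20_${name}msg.xml"  # steps 2, 5, 6
    chmod -R 755 "$dest"                               # step 4
    echo "$dest/v20_${name}msg.xml"
}

# Usage on the Log Decoder after step 1, then restart the service (step 7):
#   . ./migrate_parser.sh
#   migrate_parser /root/envision_copy MYPARSER
#   stop nwlogdecoder && start nwlogdecoder
```

The awk insertion only fires on the first <DEVICEMESSAGES> line, so running the script twice against the same staging copy does not duplicate the VERSION element, and the length check refuses the migration before anything is created under the devices directory.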

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Legacy Article ID: a66549
