|Applies To||RSA Security Analytics, RSA Security Analytics Decoder|
|Issue||How to migrate a custom parser from enVision to RSA Security Analytics.|
To migrate a custom parser from RSA enVision to an RSA Security Analytics decoder, follow the steps below.
1. On the enVision system, copy the .ini and .xml files for the parser you want to migrate from E:\nic\4100\SiteName\etc\devices
2. Rename the .xml file to the following format:
3. On the Security Analytics Log Decoder, create a directory named after the parser under /etc/netwitness/ng/envision/etc/devices
Note: The Log Parser name can be a maximum of 19 characters, so the new directory name is limited to 19 characters as well.
4. Give the created directory recursive 755 permissions as follows:
chmod 755 -R /etc/netwitness/ng/envision/etc/devices/PARSERNAME
5. Copy the .ini and the renamed .xml file to the directory created in step 3.
6. Open the v20_PARSERNAMEmsg.xml file with a text editor such as "vi" and add the following:
just after this:
<?xml version="1.0" encoding="ISO8859-1"?>
Save the v20_PARSERNAMEmsg.xml file.
7. Restart the Log Decoder service:
8. Open the Security Analytics user interface and go to Administration --> Devices --> Log Decoder --> View --> Config
On the right-hand side, under Device Parsers Configuration, you should now see the migrated parser and be able to enable it.
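Steps 3 to 5 as a shell function, as an added example that is not part of the original article or of RSA's tooling: it enforces the 19-character limit from the note and the v20_PARSERNAMEmsg.xml file name used in step 6 before it touches the devices directory. The function name stage_parser, the DEVICES_ROOT override and the restriction of the parser name to letters, digits and underscores are assumptions.

```shell
#!/bin/sh
# Added example (not RSA code): stage a migrated enVision parser, steps 3-5.
# DEVICES_ROOT defaults to the path from step 3; the override is an assumption
# that lets the function be rehearsed in a scratch directory first.
DEVICES_ROOT="${DEVICES_ROOT:-/etc/netwitness/ng/envision/etc/devices}"

# stage_parser NAME INI_FILE XML_FILE   (hypothetical name and arguments)
# Prints the created directory on success; returns non-zero without copying
# anything when a check fails.
stage_parser() {
    name=$1 ini=$2 xml=$3

    # Note under step 3: parser and directory name are limited to 19 characters.
    if [ -z "$name" ] || [ "${#name}" -gt 19 ]; then
        echo "parser name must be 1-19 characters: '$name'" >&2
        return 2
    fi
    # The name becomes a path component. Assumption: only letters, digits and
    # underscores are accepted, which also rules out "/" and "..".
    case $name in
        *[!A-Za-z0-9_]*) echo "unexpected character in parser name" >&2; return 2 ;;
    esac
    # Step 6 refers to the renamed file as v20_PARSERNAMEmsg.xml.
    if [ "$(basename "$xml")" != "v20_${name}msg.xml" ]; then
        echo "xml file must be named v20_${name}msg.xml" >&2
        return 3
    fi
    for f in "$ini" "$xml"; do
        [ -f "$f" ] || { echo "missing file: $f" >&2; return 4; }
    done

    dest="$DEVICES_ROOT/$name"
    mkdir -p "$dest" || return 5           # step 3
    chmod -R 755 "$dest" || return 5       # step 4 (same as chmod 755 -R)
    cp "$ini" "$xml" "$dest"/ || return 5  # step 5
    printf '%s\n' "$dest"
}

# Example call on the Log Decoder, with the files from step 1 in the current
# directory (file names are constructed):
#   stage_parser myparser ./myparser.ini ./v20_myparsermsg.xml
```

Steps 6 to 8 (editing the XML, restarting the service and enabling the parser) are still done by hand as described above.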
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.
|Legacy Article ID||a66549|