000029821 - Identify a Log Parser version that is installed on a RSA NetWitness Platform Log Decoder

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Sep 6, 2019.
Version 3

Article Content

Article Number: 000029821
Applies To: RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Log Decoder, Log Collector
RSA Version/Condition: 10.6.x, 11.x
Platform: CentOS
Issue: How do I identify the version of a device's Log Parser that is installed on a NetWitness Log Decoder?
For a particular device, how do I check whether the latest Log Parser is installed on the NetWitness Log Decoder?
Tasks
 
Resolution

To find the installed version of a device's Log Parser file on a NetWitness Log Decoder, read the version attributes from the parser file itself and compare them with the version published in RSA Live, as follows.

Log in to the Log Decoder over SSH.

The installed device types on the Log Decoder are under the /etc/netwitness/ng/envision/etc/devices directory.
A separate sub-directory exists for each device type.

For example,
 

# ll /etc/netwitness/ng/envision/etc/devices |head
total 1184
drwxr-xr-x. 294 root root 12288 Jul 11  2017 .
drwxr-xr-x.   2 root root  4096 Aug 26  2018 accurev
drwxr-xr-x.   2 root root  4096 Aug 26  2018 actiancevantage
drwxr-xr-x.   2 root root  4096 Aug 26  2018 actividentity
drwxr-xr-x.   2 root root  4096 Aug 26  2018 aforecloudlink
drwxr-xr-x.   2 root root  4096 Aug 26  2018 airdefense
drwxr-xr-x.   2 root root  4096 Aug 26  2018 airmagnet
drwxr-xr-x.   2 root root  4096 Aug 26  2018 airtightmc
drwxr-xr-x.   2 root root  4096 Aug 26  2018 aix


To display the installed version of a device's Log Parser file, look at the "xml=" and "revision=" attributes of the VERSION element near the top of the device's .xml file.

For example, for the aix device, the parser .xml file has the values xml="117" and revision="107":
 

# head /etc/netwitness/ng/envision/etc/devices/aix/*xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<DEVICEMESSAGES>
<VERSION
        xml="117"
        checksum="44391d341c54c0f43bb5063c473c181e"
        revision="107"
        enVision="21050025"
        device="2.0" />

<HEADER



Compare the above-found version values with the latest available for download from RSA Live in the NetWitness UI.


In the NetWitness UI go to,
NetWitness 11.x: Configure, Live Content tab
NetWitness 10.6.x: Live > Search

Search for the device type name in the Keyword field, or select "Log Device" under Resource Types to see all Log Decoder device types.

The Description field of each device type shows "Parser Version:" and "Event Source Update:" values; these are the latest versions available for deployment to the Log Decoder.

Compare "Parser Version:" with "xml=" and compare "Event Source Update:" with "revision=".

For example, RSA Live shows the aix parser as Parser Version: 136, Event Source Update: 130.
Both values are higher than the installed xml="117" and revision="107", so in this example the aix device parser should be updated to the latest version available from RSA Live.
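The steps above (list the device directories, read xml= and revision= from each parser's VERSION element, compare with the Parser Version and Event Source Update values seen in Live) can be run in one pass for many devices. The script below is an added example written for this article; it is not RSA tooling and is not part of the original article. It assumes the directory layout and VERSION header shown above, and, because Live exposes no command line on the Log Decoder, it takes the Live values as a hand-transcribed "device parser_version event_source_update" list. The --demo mode builds a throwaway devices tree: the aix file reproduces the article's header, and the accurev file and the Live numbers for accurev and airdefense are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the RSA article: list the Log Parser versions
# installed under the Log Decoder's devices directory and flag the ones that
# are behind the "Parser Version" / "Event Source Update" values shown in Live.
# Assumptions: parser files are <device>/*.xml with a <VERSION ... /> element
# near the top (as in the article); Live values are supplied by hand as a
# "device parser_version event_source_update" list, since Live has no CLI here.

DEVICES_DIR="${DEVICES_DIR:-/etc/netwitness/ng/envision/etc/devices}"

# Print the value of one attribute ("xml" or "revision") of the VERSION element.
# Only the first 40 lines are scanned, like the article's "head" check; the
# leading whitespace in the pattern keeps "<?xml version=" from matching "xml=".
version_attr() {
    head -n 40 "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Emit one record: device installed_xml installed_revision live_xml live_rev status
check_device() {
    dev=$1; live_xml=$2; live_rev=$3
    for f in "$DEVICES_DIR/$dev"/*.xml; do break; done   # first parser file, if any
    if [ ! -f "$f" ]; then
        echo "$dev - - $live_xml $live_rev NOT-INSTALLED"
        return 0
    fi
    xml=$(version_attr "$f" xml)
    rev=$(version_attr "$f" revision)
    status=CURRENT
    if [ -z "$xml" ] || [ -z "$rev" ]; then
        xml=${xml:-?}; rev=${rev:-?}; status=UNPARSED
    elif [ "$xml" -lt "$live_xml" ] || [ "$rev" -lt "$live_rev" ]; then
        # "Parser Version" maps to xml=, "Event Source Update" maps to revision=
        status=UPDATE-AVAILABLE
    fi
    echo "$dev $xml $rev $live_xml $live_rev $status"
}

# Read "device parser_version event_source_update" lines from stdin, print a table.
report() {
    printf '%-14s %-9s %-9s %-9s %-9s %s\n' DEVICE INST_XML INST_REV LIVE_XML LIVE_REV STATUS
    while read -r dev pv esu _; do
        case "$dev" in ''|'#'*) continue ;; esac
        set -- $(check_device "$dev" "$pv" "$esu")     # fields contain no spaces
        printf '%-14s %-9s %-9s %-9s %-9s %s\n' "$@"
    done
}

# Build a throwaway devices tree for the demo (constructed data). The aix file
# reproduces the article's header (xml="117", revision="107"); accurev is made up.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/aix" "$d/accurev"
    cat > "$d/aix/aixmsg.xml" <<'EOF'
<?xml version="1.0" encoding="ISO-8859-1"?>
<DEVICEMESSAGES>
<VERSION
        xml="117"
        checksum="44391d341c54c0f43bb5063c473c181e"
        revision="107"
        enVision="21050025"
        device="2.0" />
</DEVICEMESSAGES>
EOF
    cat > "$d/accurev/accurevmsg.xml" <<'EOF'
<?xml version="1.0" encoding="ISO-8859-1"?>
<DEVICEMESSAGES>
<VERSION xml="102" checksum="0" revision="90" enVision="21050025" device="2.0" />
</DEVICEMESSAGES>
EOF
    echo "$d"
}

# Usage: sh check_parsers.sh live_versions.txt   (on the Log Decoder)
#        sh check_parsers.sh --demo              (self-contained, no NetWitness needed)
case "${1:-}" in
    --demo)
        DEVICES_DIR=$(make_demo_tree)
        report <<'EOF'
# device     parser_version  event_source_update   (aix values from the article; others constructed)
aix          136             130
accurev      102             90
airdefense   120             115
EOF
        rm -rf "$DEVICES_DIR"
        ;;
    '') : ;;                   # no argument: only define the functions
    *)  report < "$1" ;;
esac
```

In the demo output aix is reported as UPDATE-AVAILABLE (117/107 installed against 136/130 in Live), accurev as CURRENT, and airdefense as NOT-INSTALLED because it has no directory in the demo tree. A device whose file has no readable VERSION attributes is reported as UNPARSED rather than silently treated as current, so a damaged or hand-edited parser file is not mistaken for an up-to-date one.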

