000031448 - How to detect a parser error based on a Log Decoder error event in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Number: 000031448

Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Log Decoder
RSA Version/Condition: 10.4.x, 10.5.x
Platform: CentOS
O/S Version: EL6

Issue
When a custom change to a device parser introduces a syntax error, the Log Decoder writes errors to the /var/log/messages file similar to the sample below.
Oct  6 16:56:56 xxxx-xxxxx nw[3269]: [LogParse] [warning] Message parse failure in file ciscoiportwsa: Throw location unknown (consider using BOOST_THROW_EXCEPTION)Dynamic exception type: boost::exception_detail::clone_impl<boost::exception_detail::error_info_injector<boost::spirit::qi::expectation_failure<__gnu_cxx::__normal_iterator<char const*, std::string> > > >std::exception::what: boost::spirit::qi::expectation_failure[nw::envision::(anonymous namespace)::content_tag*] = <@domain:*URL($DOMAIN,url)><@web_domain:*URL($DOMAIN,url)><@web_root:*URL($ROOT,url)><@webpage:*URL($PAGE,url)><@:*SYSVAL($MSGID,$ID1)><@event_time:*EVNTTIME($MSG,'%D/%B/%W:%N:%U:%O',fld20)><@msg:*PARMVAL($MSG)> <saddr> { { "<fld1>\<c_username>@<fld2>" | <c_username> }@<fld1> | - } <fld2> [<fld20> <timezone>] "<web_method> <url> <version>" <resultcode> <rbytes> <action>:<fld4> <duration_string> <policyname> <<<fld17>,{ ns | <reputation_num> },<fld18>> <fld19>[nw::envision::(anonymous namespace)::expectation_failure_start_tag*] = { { "<fld1>\<c_username>@<fld2>" | <c_username> }@<fld1> | - } <fld2> [<fld20> <timezone>] "<web_method> <url> <version>" <resultcode> <rbytes> <action>:<fld4> <duration_string> <policyname> <<<fld17>,{ ns | <reputation_num> },<fld18>> <fld19>[nw::envision::id1_tag*] = CONNECT[nw::envision::id2_tag*] = CONNECT

This article describes how to identify the faulty parser and the element in which the failure occurred.

Resolution
To identify the fault, note the failure conditions in the message below (the original article highlights them in colour; each highlighted part is named after the message).
Oct  6 16:56:56 xxxx-xxxxx nw[3269]: [LogParse] [warning] Message parse failure in file ciscoiportwsa: Throw location unknown (consider using BOOST_THROW_EXCEPTION)
Dynamic exception type: boost::exception_detail::clone_impl<boost::exception_detail::error_info_injector<boost::spirit::qi::expectation_failure<__gnu_cxx::__normal_iterator<char const*, std::string> > > >
std::exception::what: boost::spirit::qi::expectation_failure
[nw::envision::(anonymous namespace)::content_tag*] = <@domain:*URL($DOMAIN,url)><@web_domain:*URL($DOMAIN,url)><@web_root:*URL($ROOT,url)><@webpage:*URL($PAGE,url)><@:*SYSVAL($MSGID,$ID1)><@event_time:*EVNTTIME($MSG,'%D/%B/%W:%N:%U:%O',fld20)><@msg:*PARMVAL($MSG)> <saddr> { { "<fld1>\<c_username>@<fld2>" | <c_username> }@<fld1> | - } <fld2> [<fld20> <timezone>] "<web_method> <url> <version>" <resultcode> <rbytes> <action>:<fld4> <duration_string> <policyname> <<<fld17>,{ ns | <reputation_num> },<fld18>> <fld19>
[nw::envision::(anonymous namespace)::expectation_failure_start_tag*] = { { "<fld1>\<c_username>@<fld2>" | <c_username> }@<fld1> | - } <fld2> [<fld20> <timezone>] "<web_method> <url> <version>" <resultcode> <rbytes> <action>:<fld4> <duration_string> <policyname> <<<fld17>,{ ns | <reputation_num> },<fld18>> <fld19>
[nw::envision::id1_tag*] = CONNECT
[nw::envision::id2_tag*] = CONNECT

The green highlight (the file name after "Message parse failure in file", here ciscoiportwsa) tells you which parser experienced the failure.
The yellow highlight (id1_tag, here CONNECT) tells you which MESSAGE element (id1) the failure occurred in.
The turquoise highlight (std::exception::what, here boost::spirit::qi::expectation_failure) gives you a brief boost reason for the failure.
The pink highlight (content_tag) tells you that the failure occurred in the content attribute of that MESSAGE element, and continues with the full value of the content attribute.
The orange highlight (expectation_failure_start_tag) tells you where in the content attribute the failure started.
From here we can quickly see that the syntax is not correct, and the light grey highlight tells you the portion that is in question.
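The same reading can be automated when you are watching /var/log/messages on the Log Decoder. The script below is an added example, not code from the RSA article or product: it pulls the parser file name, the id1/id2 values, the boost reason, the content attribute and the failure start point out of a LogParse warning line, and reports the offset inside the content attribute at which the failure began. The sample input is the article's own log line plus one constructed unrelated syslog line; the field names in the returned dict and the header regex (rsyslog's default EL6 layout) are this example's assumptions.

```python
import re

# Constructed sample log text: the parse-failure line quoted in the article, followed by an
# unrelated syslog line (constructed) so the scan shows that non-LogParse lines are ignored.
SAMPLE_LINE = (
    r"Oct  6 16:56:56 xxxx-xxxxx nw[3269]: [LogParse] [warning] Message parse failure in file ciscoiportwsa: "
    r"Throw location unknown (consider using BOOST_THROW_EXCEPTION)Dynamic exception type: "
    r"boost::exception_detail::clone_impl<boost::exception_detail::error_info_injector<"
    r"boost::spirit::qi::expectation_failure<__gnu_cxx::__normal_iterator<char const*, std::string> > > >"
    r"std::exception::what: boost::spirit::qi::expectation_failure"
    r"[nw::envision::(anonymous namespace)::content_tag*] = <@domain:*URL($DOMAIN,url)><@web_domain:*URL($DOMAIN,url)>"
    r"<@web_root:*URL($ROOT,url)><@webpage:*URL($PAGE,url)><@:*SYSVAL($MSGID,$ID1)>"
    r"<@event_time:*EVNTTIME($MSG,'%D/%B/%W:%N:%U:%O',fld20)><@msg:*PARMVAL($MSG)> <saddr> "
    r'{ { "<fld1>\<c_username>@<fld2>" | <c_username> }@<fld1> | - } <fld2> [<fld20> <timezone>] '
    r'"<web_method> <url> <version>" <resultcode> <rbytes> <action>:<fld4> <duration_string> <policyname> '
    r"<<<fld17>,{ ns | <reputation_num> },<fld18>> <fld19>"
    r"[nw::envision::(anonymous namespace)::expectation_failure_start_tag*] = "
    r'{ { "<fld1>\<c_username>@<fld2>" | <c_username> }@<fld1> | - } <fld2> [<fld20> <timezone>] '
    r'"<web_method> <url> <version>" <resultcode> <rbytes> <action>:<fld4> <duration_string> <policyname> '
    r"<<<fld17>,{ ns | <reputation_num> },<fld18>> <fld19>"
    r"[nw::envision::id1_tag*] = CONNECT[nw::envision::id2_tag*] = CONNECT"
)
SAMPLE_MESSAGES = (
    "Oct  6 16:56:55 xxxx-xxxxx sshd[2210]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2\n"
    + SAMPLE_LINE + "\n"
)

# Syslog header as rsyslog writes it on EL6 (assumed layout): "<Mon DD HH:MM:SS> <host> nw[<pid>]:"
HEADER_RE = re.compile(r"^(\S+\s+\d+ \d\d:\d\d:\d\d) (\S+) nw\[(\d+)\]:")
# Marker the Log Decoder writes, followed by the device parser file name.
FAILURE_RE = re.compile(r"\[LogParse\] \[warning\] Message parse failure in file (\S+?): ")
# The boost reason sits between "std::exception::what:" and the first error_info entry.
WHAT_RE = re.compile(r"std::exception::what: ([^\[]+)")
# boost error_info entries look like "[nw::envision::...::some_tag*] = value"; a value runs up to the next entry.
TAG_RE = re.compile(r"\[(nw::envision::[^\]]+)\*\] = ")


def parse_logparse_failure(line):
    """Return the components of a LogParse failure line as a dict, or None for any other line."""
    fail = FAILURE_RE.search(line)
    if not fail:
        return None
    header = HEADER_RE.match(line)
    what = WHAT_RE.search(line)
    tags = {}
    hits = list(TAG_RE.finditer(line))
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
        short = hit.group(1).rsplit("::", 1)[-1]  # content_tag, expectation_failure_start_tag, id1_tag, id2_tag
        tags[short] = line[hit.end():end].strip()
    content = tags.get("content_tag", "")
    start = tags.get("expectation_failure_start_tag", "")
    # Where the unparsed remainder begins inside the content attribute (-1 if it cannot be located).
    offset = content.find(start) if start else -1
    return {
        "timestamp": header.group(1) if header else None,
        "host": header.group(2) if header else None,
        "pid": int(header.group(3)) if header else None,
        "parser": fail.group(1),
        "exception": what.group(1).strip() if what else None,
        "id1": tags.get("id1_tag"),
        "id2": tags.get("id2_tag"),
        "content": content,
        "failure_start": start,
        "failure_offset": offset,
    }


def scan_messages(text):
    """Parse every LogParse failure found in a block of /var/log/messages text."""
    results = []
    for line in text.splitlines():
        parsed = parse_logparse_failure(line)
        if parsed:
            results.append(parsed)
    return results


def describe(result):
    """Summarise one failure in the order the article reads the message."""
    lines = [
        "parser file : %s" % result["parser"],
        "MESSAGE id1 : %s" % result["id1"],
        "boost reason: %s" % result["exception"],
        "content     : %s" % result["content"],
    ]
    if result["failure_offset"] >= 0:
        lines.append("failure starts at offset %d of content: %s"
                     % (result["failure_offset"], result["failure_start"]))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Pass a path (e.g. /var/log/messages) to scan a real file; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MESSAGES
    for hit in scan_messages(text):
        print(describe(hit))
        print()
```

Because each boost error_info entry is parsed generically, the script also copes with messages that carry only some of the tags (for example no expectation_failure_start_tag), in which case failure_offset is reported as -1 rather than raising.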


 
