000026906 - How to direct the RSA Security Analytics Log Decoder to use a specific device parser when collecting logs from a given event source (10.3.4 and higher)

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number000026906
Applies ToRSA Security Analytics
RSA Security Analytics 10.3.4 and above
RSA Security Analytics Log Decoder
IssueHow to direct the RSA Security Analytics Log Decoder to use a specific device parser when collecting logs from a given event source (10.3.4 and higher).
Resolution

This is done via the "Explore" view on the Log Decoder, using the "ipdevice" command on the parsers node. The mapping is keyed on the source IP address (or hostname) the logs arrive from, and overrides the parser the Log Decoder would otherwise select for that event source. Below are the steps to set this up.


 


1. Select the "Explore" view for the Log Decoder.

2. Navigate to <LogDecoder>/decoder/parsers.

3. Right-click "parsers" and select "Properties".

4. From the drop-down, select "ipdevice".


This command takes the following parameters (as shown in the Properties help text):


Map Ip to Device type in log parsing. Take effect after parser reload
security.roles: parsers.manage
parameters:
   op - <string, {enum-one:edit|describe}> The operation to be performed (edit|describe). edit edits the entries; describe returns all existing ip2device entries.
   entries - <string, optional> The IP entries. StringParam in the format '+/-ip=device'. + means add or edit a map entry, - means delete a map entry.
   reload - <bool, optional> Flag to reload parser after this command


5. In the parameters field enter "op=edit entries=+192.168.183.123=aix reload=true" and click Send.

6. Then confirm the entry by sending "op=describe"; the new 192.168.183.123=aix mapping should be listed.

7. Logs received from that device will now be parsed with the "aix" parser. Because reload=true was passed, the parsers were reloaded and the mapping is in effect immediately; without it, the mapping only takes effect after the next parser reload.


Parser names can be found by going to LogDecoder -> Config and looking at the Device Parsers Configuration panel. The name given in the entry must match the parser name exactly as listed there.


 


All of this device-to-parser mapping is held in the following configuration file:

          /etc/netwitness/ng/envision/etc/devicetbl.xml

<IpAddressMap>
        <DeviceEntries>
                <DeviceEntry device="aix" ipv4="192.168.183.123"/>
        </DeviceEntries>
</IpAddressMap>


 


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Notes

Further Sample Entries and Explanations



1. op=edit entries="+101.5.245.9=ciscoasa +101.5.245.45=vmware_vcloud" Click Send.
This creates two different entries with different IPv4 values and device types. Multiple entries are separated by spaces within the quoted string.

2. op=edit entries="-101.5.245.9=ciscoasa" Click Send.
This removes the entry for a single IPv4 value and device type.

3. op=edit entries="+2001:0db8:85a3:0000:0000:8a2e:0370:7353=vmware_esx_esxi" Click Send.
This creates a single entry for an IPv6 value and device type.

4. op=edit entries="+19.168.0.2,nwappliance20819=rhlinux +19.168.0.2,nwappliance3014=apache" Click Send.
This creates entries for a single IPv4 value that has two device types. The value after the comma is the collector name, so logs from the same source IP are parsed as rhlinux when received via collector nwappliance20819 and as apache when received via collector nwappliance3014.

5. op=edit entries="+RS214Server-2=rhlinux,apache" reload=true Click Send.
This creates an entry for a single hostname with two different device types. This is the last example, so reload=true was included to reload the parsers and make all of the above entries take effect.
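The following Python module is an added example written for this article; it is not RSA code and does not talk to a Log Decoder. It models the entries grammar from the ipdevice help text and the sample entries above (IPv4, IPv6, ip,collector and hostname sources, + to add or edit, - to delete) so the mapping semantics can be checked offline before typing them into the Explore view, and it renders the result in the devicetbl.xml shape quoted earlier. The article only shows the ipv4="..." attribute, so the ipv6, hostname and collector attribute names used in render_devicetbl are assumptions for illustration.

```python
"""Added example (not RSA code): an offline model of the Log Decoder
'ipdevice' entries grammar described in this article.

It applies '+source=device' / '-source=device' tokens to an in-memory
map, validates the source as IPv4, IPv6, 'ip,collector' or hostname, and
renders the result in the devicetbl.xml shape quoted above. Assumption:
the article only shows the ipv4="..." attribute, so the ipv6, hostname
and collector attribute names used below are guesses for illustration.
"""
import ipaddress
import xml.etree.ElementTree as ET


def classify_source(source):
    """Return (kind, address, collector) for the left side of an entry.

    kind is 'ipv4', 'ipv6' or 'hostname'; collector is the optional
    ',collector' suffix seen in Notes example 4, or None.
    """
    addr, _, collector = source.partition(",")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Looks like an IP literal but does not parse: reject rather than
        # silently storing it as a hostname (e.g. 192.168.1.999).
        if addr.replace(".", "").isdigit() or ":" in addr:
            raise ValueError(f"malformed IP literal: {addr!r}")
        return "hostname", addr, collector or None
    return f"ipv{ip.version}", addr, collector or None


def parse_entries(entries):
    """Split an 'entries' parameter into (op, source, device) tuples.

    Grammar from the command help: whitespace-separated tokens, each
    '+source=device' (add or edit) or '-source=device' (delete). device
    may be a comma-separated list, as in Notes example 5.
    """
    parsed = []
    for token in entries.split():
        op, body = token[0], token[1:]
        if op not in "+-":
            raise ValueError(f"entry must start with + or -: {token!r}")
        source, sep, device = body.partition("=")
        if not (sep and source and device):
            raise ValueError(f"entry must be <source>=<device>: {token!r}")
        classify_source(source)  # validate the source before accepting it
        parsed.append((op, source, device))
    return parsed


def apply_entries(table, entries):
    """Return a copy of table (source -> device) with entries applied."""
    new = dict(table)
    for op, source, device in parse_entries(entries):
        if op == "+":
            new[source] = device          # add, or overwrite an existing map
        else:
            new.pop(source, None)         # delete; an absent key is a no-op
    return new


def describe(table):
    """Mimic op=describe: list the current source=device mappings."""
    return [f"{src}={dev}" for src, dev in sorted(table.items())]


def render_devicetbl(table):
    """Render the map in the devicetbl.xml shape shown in the article."""
    root = ET.Element("IpAddressMap")
    entries = ET.SubElement(root, "DeviceEntries")
    for source, device in sorted(table.items()):
        kind, addr, collector = classify_source(source)
        attrs = {"device": device, kind: addr}   # ipv4="..." as documented
        if collector:
            attrs["collector"] = collector        # assumed attribute name
        ET.SubElement(entries, "DeviceEntry", attrs)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Walk the article's steps: force 192.168.183.123 onto the aix parser,
    # then confirm with describe and look at the resulting XML.
    table = apply_entries({}, "+192.168.183.123=aix")
    print(describe(table))
    print(render_devicetbl(table))
    # Notes examples 1 and 2: add two mappings, then delete one of them.
    table = apply_entries(table, "+101.5.245.9=ciscoasa +101.5.245.45=vmware_vcloud")
    table = apply_entries(table, "-101.5.245.9=ciscoasa")
    print(describe(table))
```

Running the module walks the steps from the Resolution section and then Notes examples 1 and 2. The point of validating before sending is that a token without the leading + or -, or with a mistyped IP literal, is rejected here with a clear message, whereas a mistyped mapping sent to the Log Decoder simply never matches the event source and the logs keep going to the default parser.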

Legacy Article IDa67284
