|Applies To||RSA Security Analytics|
RSA Security Analytics 10.3.4 and above
RSA Security Analytics Log Decoder
|Issue||How to direct the RSA Security Analytics Log Decoder to use a specific device parser when collecting logs from a given event source (10.3.4 and higher).|
This is done via the "Explore" view on the Log Decoder. Below are the steps to set this up.
1. Select "Explore" view for Log Decoder
2. Navigate to <LogDecoder>/decoder/parsers
3. Right-click "parsers" and select "Properties"
4. From the drop-down select "ipdevice"
This command takes the following parameters
Map Ip to Device type in log parsing. Take effect after parser reload
5. In the parameters field enter "op=edit entries=+192.168.183.123=aix reload=true"
6. Then type the following to confirm the entry "op=describe"
7. Now that device will be forced to use the "aix" parser
Parser names can be found by going to LogDecoder -> Config and the Device Parsers Configuration
All of this device to parser mapping is held in the following configuration file:
<DeviceEntry device="aix" ipv4="192.168.183.123"/>
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.
Further Sample Entries and Explanations
2. op=edit entries="-22.214.171.124=ciscoasa" Click Send.
3. op=edit entries="+ 2001:0db8:85a3:0000:0000:8a2e:0370:7353=vmware_esx_esxi" Click Send.
4. op=edit entries="+126.96.36.199,nwappliance20819=rhlinux +188.8.131.52,nwappliance3014=apache" Click Send.
5. op=edit entries="+RS214Server-2=rhlinux,apache" reload=true Click Send.
|Legacy Article ID||a67284|