|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: Log Decoder
RSA Version/Condition: 10.2.x, 10.3.x, 10.4.x
Platform (Other): CyberArk Syslog
O/S Version: EL5, EL6
|Issue||CyberArk Syslog messages display as "unidentified content" in RSA Security Analytics|
The /var/log/messages file displays error messages similar to the following:
Logs don't appear in the Investigation module, even as 'unknown'.
The RSA Security Analytics Log Decoder adheres strictly to RFC 5424. The above error is caused by the missing "Priority" field in the syslog packets. The "unidentified content" error occurs if the first character of the log is not a '[' or '<'.
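The following added example (not part of the original article and not RSA or CyberArk code) applies the first-character condition described above to captured syslog payloads and decodes the Priority field where one is present. The function names and the sample payloads are assumptions constructed for illustration.

```python
import re

# PRI header: "<" + 1-3 digits + ">", value 0..191 (RFC 5424, section 6.2.1)
PRI_RE = re.compile(rb"<(\d{1,3})>")
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def inspect(payload: bytes) -> dict:
    """Check the first byte of a syslog payload and decode its PRI, if valid."""
    result = {
        # Condition stated in the article: first character must be '[' or '<'
        "first_char_ok": payload[:1] in (b"[", b"<"),
        "pri": None,
        "facility": None,
        "severity": None,
    }
    m = PRI_RE.match(payload)
    if m and int(m.group(1)) <= 191:
        pri = int(m.group(1))
        # PRI = facility * 8 + severity
        result.update(pri=pri, facility=pri // 8, severity=SEVERITY[pri % 8])
    return result


def summarize(payloads):
    """Return (count passing the first-character check, list of failing payloads)."""
    failing = [p for p in payloads if not inspect(p)["first_char_ok"]]
    return len(payloads) - len(failing), failing


# Constructed sample payloads (hypothetical host and message text)
SAMPLES = [
    b"<134>1 2015-01-01T12:00:00Z vault01 CyberArk - - - constructed event",
    b"Jan  1 12:00:00 vault01 CyberArk: constructed event without PRI",
    b"[constructed] bracket-prefixed event",
    b"<999>constructed event with out-of-range PRI",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect(sample), sample[:40])
    passed, failing = summarize(SAMPLES)
    print(f"{passed} pass the first-character check, {len(failing)} do not")
```

Running this over payloads taken from a packet capture of the sending host shows whether the sender is omitting the Priority field before any change is made on the Log Decoder side.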
This issue may be resolved by setting the dbparam.ini parameter in Cyber-Ark v7.10.0060 as follows:
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.
|Legacy Article ID||a65016|