Article Number | 000032069 |
Applies To | RSA Product Set: Security Analytics
RSA Product/Service Type: Log Decoder
RSA Version/Condition: 10.5.x
Platform: CentOS
O/S Version: 6 |
Issue | After upgrading to Security Analytics 10.5, logs similar to the example below are found in the /var/log/messages file on the Log Decoder appliance.
[Parse] [warning] Parser BITTORRENT version (10.3) does not match system version (10.5)
[Parse] [warning] Parser FIX version (10.3) does not match system version (10.5)
[Parse] [warning] Parser GNUTELLA version (10.3) does not match system version (10.5)
[Parse] [warning] Parser IMAP version (10.3) does not match system version (10.5)
[Parse] [warning] Parser MSRPC version (10.3) does not match system version (10.5)
[Parse] [warning] Parser RDP version (10.3) does not match system version (10.5)
[Parse] [warning] Parser TLSv1 version (10.3) does not match system version (10.5)
[Parse] [warning] Parser SearchEngines version (10.3) does not match system version (10.5) |
Cause | The nwversion attribute in the /etc/netwitness/ng/parsers/NwFlex.parser file is still set to 10.3 for each of the parsers named in the warnings, as in the example below.
<parser name="IMAP" desc="Internet Message Access Protocol" service="143" nwversion="10.3"> |
Resolution | To resolve the issue, follow the steps below.
- Connect to the Log Decoder appliance via SSH as the root user.
- Issue the command below to list the parsers whose nwversion value is still "10.3".
[root@logdecoder ~]# more /etc/netwitness/ng/parsers/NwFlex.parser | grep -i 10.3
<parser name="BITTORRENT" desc="BitTorrent File Sharing Protocol" service="6881" nwversion="10.3">
<parser name="FIX" desc="Financial Information eXchange Protocol" service="8082" nwversion="10.3">
<parser name="GNUTELLA" desc="Gnutella file sharing protocol" service="6346" nwversion="10.3">
<parser name="IMAP" desc="Internet Message Access Protocol" service="143" nwversion="10.3">
<parser name="MSRPC" desc="Microsoft Remote Procedure Call protocol" service="135" nwversion="10.3">
<parser name="RDP" desc="Remote Desktop Protocol" service="3389" nwversion="10.3">
<parser name="TLSv1" desc="TLSv1" nwversion="10.3" service="443">
<parser name="SearchEngines" desc="A parser that extracts search terms" service="80" nwversion="10.3">
- Edit the file with the vi editor.
[root@logdecoder ~]# vi /etc/netwitness/ng/parsers/NwFlex.parser
- Change every nwversion value found in step 2 from 10.3 to 10.5.
- Restart the Log Decoder service.
[root@logdecoder ~]# restart nwlogdecoder
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance. |
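The steps above, carried out as one checked operation, as an added shell example that is not part of the RSA article: it backs up the file, rewrites only the nwversion attribute, and verifies that no 10.3 parsers remain. The sample parser lines are constructed to mirror the article's grep output; the function paths are hypothetical, and the match is anchored to the nwversion attribute with the dot escaped, so unlike a bare grep for 10.3 it cannot hit service numbers or description text.

```shell
#!/bin/sh
# Added example (not RSA's code): bump nwversion="10.3" to nwversion="10.5" in a
# NwFlex.parser-style file and confirm nothing was missed. On a real Log Decoder the
# file is /etc/netwitness/ng/parsers/NwFlex.parser; here the path is passed in.

OLD_VER="10.3"
NEW_VER="10.5"

# Regex form of OLD_VER with the dot escaped, so "10.3" cannot match e.g. "1033".
old_ver_re() {
    printf '%s' "$OLD_VER" | sed 's/\./\\./g'
}

# count_old FILE: number of <parser ...> lines whose nwversion attribute is OLD_VER.
# Attribute order varies (TLSv1 has nwversion before service), so match anywhere in the tag.
count_old() {
    grep -c "<parser [^>]*nwversion=\"$(old_ver_re)\"" "$1"
}

# fix_parser_versions FILE: keep FILE.bak, rewrite the attribute via a temp file
# (portable, no sed -i), and return 0 only when no OLD_VER parsers remain.
fix_parser_versions() {
    f="$1"
    cp -p "$f" "$f.bak" || return 2
    sed "s/nwversion=\"$(old_ver_re)\"/nwversion=\"${NEW_VER}\"/g" "$f" > "$f.tmp" || return 2
    mv "$f.tmp" "$f" || return 2
    [ "$(count_old "$f")" -eq 0 ]
}

# make_sample FILE: constructed fragment mirroring entries from the article's grep output,
# plus one parser that is already current and must be left untouched.
make_sample() {
    cat > "$1" <<'EOF'
<parser name="IMAP" desc="Internet Message Access Protocol" service="143" nwversion="10.3">
<parser name="RDP" desc="Remote Desktop Protocol" service="3389" nwversion="10.3">
<parser name="TLSv1" desc="TLSv1" nwversion="10.3" service="443">
<parser name="HTTP" desc="Constructed: already current" service="80" nwversion="10.5">
EOF
}
```

After the rewrite, restart the service as in the last step (`restart nwlogdecoder`) so the Log Decoder reloads the parsers and the warnings stop.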