000032069 - Error message "Parser version (10.3) does not match system version (10.5)" in RSA Security Analytics 10.5

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 2.

Article Content

Article Number: 000032069
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Log Decoder
RSA Version/Condition: 10.5.x
Platform: CentOS
O/S Version: 6
Issue: After upgrading to Security Analytics 10.5, log entries similar to the example below are found in the /var/log/messages file on the Log Decoder appliance.
[Parse] [warning] Parser BITTORRENT version (10.3) does not match system version (10.5) 
[Parse] [warning] Parser FIX version (10.3) does not match system version (10.5)
[Parse] [warning] Parser GNUTELLA version (10.3) does not match system version (10.5)
[Parse] [warning] Parser IMAP version (10.3) does not match system version (10.5)
[Parse] [warning] Parser MSRPC version (10.3) does not match system version (10.5)
[Parse] [warning] Parser RDP version (10.3) does not match system version (10.5)
[Parse] [warning] Parser TLSv1 version (10.3) does not match system version (10.5)
[Parse] [warning] Parser SearchEngines version (10.3) does not match system version (10.5)

Cause: The nwversion attribute of each affected parser in the /etc/netwitness/ng/parsers/NwFlex.parser file is still set to 10.3 rather than 10.5, as shown in the example below. The parser engine compares this attribute against the system version and logs a warning for every mismatch.
<parser name="IMAP" desc="Internet Message Access Protocol" service="143" nwversion="10.3">


Resolution: To resolve the issue, follow the steps below.
  1. Connect to the Log Decoder appliance via SSH as the root user.
  2. Run the command below to list the parsers whose nwversion value is still 10.3. The pattern is a regular expression, so confirm that each matched line is in fact a parser element before editing it.
    [root@logdecoder ~]# more /etc/netwitness/ng/parsers/NwFlex.parser | grep -i 10.3
    <parser name="BITTORRENT" desc="BitTorrent File Sharing Protocol" service="6881" nwversion="10.3">
      <parser name="FIX" desc="Financial Information eXchange Protocol" service="8082" nwversion="10.3">
      <parser name="GNUTELLA" desc="Gnutella file sharing protocol" service="6346" nwversion="10.3">
      <parser name="IMAP" desc="Internet Message Access Protocol" service="143" nwversion="10.3">
      <parser name="MSRPC" desc="Microsoft Remote Procedure Call protocol" service="135" nwversion="10.3">
      <parser name="RDP" desc="Remote Desktop Protocol" service="3389" nwversion="10.3">
      <parser name="TLSv1" desc="TLSv1" nwversion="10.3" service="443">
      <parser name="SearchEngines" desc="A parser that extracts search terms" service="80" nwversion="10.3">

  3. Edit the file with the vi editor.
    [root@logdecoder ~]# vi /etc/netwitness/ng/parsers/NwFlex.parser

  4. Change each nwversion value found in step 2 from 10.3 to 10.5.
  5. Restart the Log Decoder service.
    [root@logdecoder ~]# restart nwlogdecoder
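
The following script, added here as an example and not part of RSA's own tooling, automates steps 2 and 4: it lists every parser element whose nwversion attribute differs from the system version and can rewrite the stale values after saving a backup. The file path and the 10.3/10.5 values come from this article; the function names, the HTTP sample line and the backup naming are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not RSA's own script): audit NwFlex.parser for <parser>
# elements whose nwversion attribute does not match the running system
# version, and optionally rewrite them. Run as root on the Log Decoder.

PARSER_FILE="${PARSER_FILE:-/etc/netwitness/ng/parsers/NwFlex.parser}"

# Print "name=version" for each parser whose nwversion is not "$2".
# Attributes are extracted individually, so attribute order does not matter
# and a bare 'grep 10.3' false hit such as "1023" cannot occur.
list_mismatched_parsers() {
    file="$1"; want="$2"
    grep '<parser ' "$file" | while IFS= read -r line; do
        name=$(printf '%s\n' "$line" | sed -n 's/.* name="\([^"]*\)".*/\1/p')
        ver=$(printf '%s\n' "$line" | sed -n 's/.*nwversion="\([^"]*\)".*/\1/p')
        if [ -n "$ver" ] && [ "$ver" != "$want" ]; then
            printf '%s=%s\n' "$name" "$ver"
        fi
    done
    return 0
}

# Rewrite nwversion="$2" to nwversion="$3" in "$1" after saving a timestamped
# backup copy next to the original. Dots in "$2" are escaped for sed.
set_parser_version() {
    file="$1"; from=$(printf '%s' "$2" | sed 's/\./\\./g'); to="$3"
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    sed -i "s/nwversion=\"$from\"/nwversion=\"$to\"/g" "$file"
}

# Constructed sample (not a real appliance file): two stale parsers, one current.
make_sample_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<parser name="IMAP" desc="Internet Message Access Protocol" service="143" nwversion="10.3">
<parser name="TLSv1" desc="TLSv1" nwversion="10.3" service="443">
<parser name="HTTP" desc="Hypertext Transfer Protocol" service="80" nwversion="10.5">
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: audit the real file if present, otherwise the sample.
# Report only; call set_parser_version "$target" 10.3 10.5 to apply the fix.
if [ -r "$PARSER_FILE" ]; then target="$PARSER_FILE"; else target=$(make_sample_file); fi
list_mismatched_parsers "$target" "${SYSTEM_VERSION:-10.5}"
```

After applying set_parser_version, restart the service as in step 5 so the parsers are reloaded with the corrected attribute.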

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
