Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000032069 - Error message "Parser version (10.3) does not match system version (10.5)" in RSA Security Analytics 10.5

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support

on Apr 21, 2017

Version 2Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000032069
Applies To	RSA Product Set: Security Analytics RSA Product/Service Type: Log Decoder RSA Version/Condition: 10.5.x Platform: CentOS O/S Version: 6
Issue	After upgrading to Security Analytics 10.5, logs similar to the example below are found in the /var/log/messages file on the Log Decoder appliance. [Parse] [warning] Parser BITTORRENT version (10.3) does not match system version (10.5) [Parse] [warning] Parser FIX version (10.3) does not match system version (10.5) [Parse] [warning] Parser GNUTELLA version (10.3) does not match system version (10.5) [Parse] [warning] Parser IMAP version (10.3) does not match system version (10.5) [Parse] [warning] Parser MSRPC version (10.3) does not match system version (10.5) [Parse] [warning] Parser RDP version (10.3) does not match system version (10.5) [Parse] [warning] Parser TLSv1 version (10.3) does not match system version (10.5) [Parse] [warning] Parser SearchEngines version (10.3) does not match system version (10.5)
Cause	The reason is that the value of nwversion in the /etc/netwitness/ng/parsers/NwFlex.parser file is set to 10.3 for each parser, as shown in the example below. <parser name="IMAP" desc="Internet Message Access Protocol" service="143" nwversion="10.3">
Resolution	To resolve the issue, follow the steps below. Connect to the Log Decoder appliance via SSH as the root user. Issue the command below to search for parsers flagged as "10.3" for the nwversion value. [root@logdecoder ~]# more /etc/netwitness/ng/parsers/NwFlex.parser \| grep -i 10.3 <parser name="BITTORRENT" desc="BitTorrent File Sharing Protocol" service="6881" nwversion="10.3"> <parser name="FIX" desc="Financial Information eXchange Protocol" service="8082" nwversion="10.3"> <parser name="GNUTELLA" desc="Gnutella file sharing protocol" service="6346" nwversion="10.3"> <parser name="IMAP" desc="Internet Message Access Protocol" service="143" nwversion="10.3"> <parser name="MSRPC" desc="Microsoft Remote Procedure Call protocol" service="135" nwversion="10.3"> <parser name="RDP" desc="Remote Desktop Protocol" service="3389" nwversion="10.3"> <parser name="TLSv1" desc="TLSv1" nwversion="10.3" service="443"> <parser name="SearchEngines" desc="A parser that extracts search terms" service="80" nwversion="10.3"> Edit the file with the vi editor. [root@logdecoder ~]# vi /etc/netwitness/ng/parsers/NwFlex.parser Change all the nwversion value in step 2 from 10.3 to 10.5. Restart the Log Decoder service. [root@logdecoder ~]# restart nwlogdecoder If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.

Attachments

Outcomes

0 Comments

Recommended Content