000029593 - Cannot see file-specific source filename or other meta values after uploading log file in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000029593
Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI, Log Decoder
RSA Version/Condition: 10.4.0.x
Platform: CentOS
O/S Version: EL6
Issue
Security Analytics supports uploading Syslog-formatted log files through the Log Decoder.
The steps to do this are:
  1. In the Security Analytics UI, go to Administration >> Services, select a Log Decoder, and then select View >> System.
  2. On the Log Decoder System page, click Stop Capture.
  3. When the Upload a Log File button becomes active, click it.
  4. In the Upload Log File dialog box, browse to locate the log file you want to upload, check the Track Filename check box, and then click Upload.
  5. After the log file has finished uploading, on the Log Decoder System page, click Start Capture.
Once the system has processed the event meta, you can go to the Investigation module, point it at your upstream Concentrator, and view the newly created meta. One of the new meta values created should appear under the Source Filename (sourcefile) Meta key.
In the releases listed above, this functionality no longer works correctly.
Cause
In earlier Security Analytics releases, the uploaded log file was assigned a timestamp recording when the file was uploaded.
In the versions listed above, where this feature no longer works, no timestamp is assigned to the file.
Resolution
Engineering ticket SACE-2869 is open and the issue is currently being investigated.
Workaround
In the Security Analytics UI, when looking for the uploaded data, enter a custom time frame that starts at 1969-12-31 21:00:00 and ends at 1970-01-01 00:00:00. You should then see the file names listed and be able to drill down on the events in that file.