000033151 - The event.time meta key does not parse even though the raw log contains time details in RSA Security Analytics

Document created by RSA Customer Support Employee on Jul 3, 2016. Last modified by RSA Customer Support on May 6, 2019.

Article Content

Article Number: 000033151
Applies To: RSA Product Set: Security Analytics, RSA NetWitness Logs & Network
RSA Product/Service Type: Log Decoder, Log Collector
RSA Version/Condition: 10.3.x, 10.4.x, 10.5.x, 10.6.x
Issue: Some raw log events carry time details such as "Apr 26 06:55:20", but those details are not reflected in the event.time meta value.
Cause: The time details are incomplete. The Log Decoder expects a timestamp with Year, Date and Time in order to populate the event.time meta value.

Since the log event time "Apr 26 06:55:20" is missing the Year, event.time cannot be parsed.
Resolution: The parser is working as designed. Either the format of the logs needs to be updated, or the time meta key (the time at which the log is received on the Log Collector) should be used instead of event.time. Additional date format functionality was added in RSA Security Analytics version 10.6.5; please review the Decoder and Log Decoder Configuration Guide, pages 133-134.

Workaround: RSA Security Analytics cannot extract event.time if the time details lack any of the Year, Date or Time values.
The workaround is to use the Log Collection time meta key for reporting, or to update the log format of the events.

Below is a sample of updating a Linux event source so that it starts logging with the right date format.
  1. Stop the rsyslog service.

    service rsyslog stop

  2. Edit the rsyslog.conf file.

    vi /etc/rsyslog.conf

  3. Append the template name "RSYSLOG_FileFormat" (separated by a semicolon) to the /var/log/messages rule, so that the line looks like the example below.

    *.info;mail.none;authpriv.none;cron.none    /var/log/messages;RSYSLOG_FileFormat

  4. Start the rsyslog service.

    service rsyslog start

The event.time meta key should then be populated, because the logs now carry the full timestamp (Year, Date and Time).
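The following is an added example (not part of the RSA article) that shows why the two timestamp formats behave differently and gives a quick way to check which event sources still emit the year-less legacy format before applying the rsyslog change above. The sample log lines are constructed; the regular expressions are an assumption about the BSD syslog and RSYSLOG_FileFormat headers, not taken from the Log Decoder parser.

```python
import re
from datetime import datetime

# Constructed sample lines: one in the legacy BSD syslog format (no year),
# one in the RSYSLOG_FileFormat style (RFC 3339 timestamp with the year).
SAMPLE_LINES = [
    "Apr 26 06:55:20 host01 sshd[1234]: Accepted publickey for admin from 10.0.0.5",
    "2016-04-26T06:55:20.123456+00:00 host01 sshd[1234]: Accepted publickey for admin from 10.0.0.5",
]

# Legacy BSD syslog header: "Mon DD HH:MM:SS", no year field at all.
LEGACY_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")
# RSYSLOG_FileFormat header (assumed shape): RFC 3339 with fraction and offset.
RFC3339_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})) "
)


def classify_timestamp(line):
    """Return ("complete", datetime) when the header carries year, date and
    time; ("incomplete", None) for the legacy year-less header; otherwise
    ("unknown", None)."""
    m = RFC3339_RE.match(line)
    if m:
        ts = m.group("ts")
        if ts.endswith("Z"):
            ts = ts[:-1] + "+00:00"  # older Pythons do not accept a bare "Z"
        return "complete", datetime.fromisoformat(ts)
    if LEGACY_RE.match(line):
        # strptime would silently default the year to 1900 here, which is
        # exactly the guess the Log Decoder refuses to make for event.time.
        return "incomplete", None
    return "unknown", None


def audit(lines):
    """Count lines per category so an operator can see which event sources
    still need their log format updated."""
    counts = {"complete": 0, "incomplete": 0, "unknown": 0}
    for line in lines:
        status, _ = classify_timestamp(line)
        counts[status] += 1
    return counts


if __name__ == "__main__":
    print(audit(SAMPLE_LINES))
```

Run it over a sample of /var/log/messages from each event source; any line counted as "incomplete" will keep failing event.time extraction until that source is switched to a format that includes the year.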