Decoder: (For 10.5.1 or later) Configure a Log Decoder to Accept Protobuf

Document created by RSA Information Design and Development on Jul 26, 2016. Last modified by RSA Information Design and Development on Sep 28, 2016.
Version 4

There are occasions when you want to analyze log files that are in protobuf (Protocol Buffer) format.

To import a log file to a Log Decoder:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Log Decoder in the Service grid, and select the Actions menu > View > Explore.

    The Explorer view for the Log Decoder is displayed.

  3. Navigate to event-processors/logdecoder/destinations/logdecoder/consumer/processors/tcpconnector/config

    Your screen should look similar to the following.

    [Screenshot: protobufCfg01.png]

  4. For the send-protobuf field, select false, and change the value to true.
  5. Navigate to event-processors/logdecoder/destinations/logdecoder/consumer/processors/tcpconnector/config/connector/channel/tcp and change the port value to 50202.
  6. Navigate to event-processors/logdecoder/destinations/logdecoder/consumer/processors/tcpconnector/config/connector/event and change the following parameters:

    • Clear the delimiter field
    • Change format to %text%

The Log Decoder is now configured to accept protobuf messages.
