Use this procedure to see which log parsers have been downloaded and deployed from Live, and which of these are enabled.
Download and deploy only the parsers you need, for the following reasons:
- There is an impact on performance as you increase the number of deployed parsers.
- The more parsers you deploy, the more meta is created, which impacts data retention.
- Not having extra (unnecessary) log parsers deployed reduces the potential for misidentification of messages.
You must have previously deployed log parsers from Live. See Find and Deploy Live Resources in the Live Resource Management Guide for details.
To enable or disable an event source parser, or to view the status for each parser:
- In the Security Analytics menu, select Administration > Services.
- In the Services grid, select a Log Decoder, and from the Actions menu, choose View > Config.
- In the Service Parsers Configuration panel, search for your event source.
- In the Config Value column, note the current status for your parser.
  - If the parser is already selected, it is enabled.
  - If the parser is not selected, it is currently disabled.
- Click Apply.
Note that when you click Apply, all parsers are reloaded into Security Analytics.
The status for each log parser is updated, based on your selections.