000033892 - Windows Snare Agents Logs Are Not Parsing With Rquired Meta in RSA Security Analytics

Document created by RSA Customer Support Employee on Sep 14, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000033892
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Server
RSA Version/Condition: 10.4.x,10.5.x,10.6.x
Platform (Other): Windows SNARE Agent
IssueWindows Snare Agents Logs are not parsing properly and not able to view required meta.
           User-added image
CauseLog fields are not separated with "," delimiter
Aug 29 09:45:19 jumphost.rsabr.lab.emc.com MSWinEventLog 0 Security 7176 Mon Aug 29 09:45:18 2016 4689 
Microsoft-Windows-Security-Auditing WORKGROUP\JUMPHOST$ N/A Success Audit jumphost.rsabr.lab.emc.com Process Termination  
A process has exited. Subject: Security ID: S-1-5-18 Account Name: JUMPHOST$ Account Domain: WORKGROUP Logon ID: 0x3E7
Process Information: Process ID: 0x9f8 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Exit Status: 0x0 6943
ResolutionTo resolve the issue, follow the steps below:
1. Move attached registry(SNAREdelimiter.reg) file to Event source.
2. Merge the registry file with Event source.
           User-added image 
3.  Press Yes and Ok for the confirmation.
           User-added image
           User-added image
4. Restart snare services in services.msc .
5. Check the latest logs from Event source.
           User-added image