| Article Number | 000033892 |
| Applies To | RSA Product Set: NetWitness Logs & Packets
RSA Product/Service Type: SA Security Analytics Server
RSA Version/Condition: 10.4.x,10.5.x,10.6.x
Platform (Other): Windows SNARE Agent
|
| Issue | Windows Snare Agents Logs are not parsing properly and not able to view required meta.
 |
| Cause | Log fields are not separated with "," delimiter
Aug 29 09:45:19 jumphost.rsabr.lab.emc.com MSWinEventLog 0 Security 7176 Mon Aug 29 09:45:18 2016 4689
Microsoft-Windows-Security-Auditing WORKGROUP\JUMPHOST$ N/A Success Audit jumphost.rsabr.lab.emc.com Process Termination
A process has exited. Subject: Security ID: S-1-5-18 Account Name: JUMPHOST$ Account Domain: WORKGROUP Logon ID: 0x3E7
Process Information: Process ID: 0x9f8 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Exit Status: 0x0 6943
|
| Resolution | To resolve the issue, follow the steps below:
- Move attached registry(SNAREdelimiter.reg) file to Event source.
 - Merge the registry file with Event source.
- Press Yes and Ok for the confirmation.
- Restart snare services in services.msc .
- Check the latest logs from Event source.
|
on Sep 14, 2016
