Article Number | 000033892 |
Applies To | RSA Product Set: NetWitness Logs & Packets; RSA Product/Service Type: SA Security Analytics Server; RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x; Platform (Other): Windows SNARE Agent |
Issue | Logs from Windows SNARE agents are not parsed properly, and the required meta cannot be viewed.
 |
Cause | The log fields are not separated with the "," delimiter, as in this sample event:
Aug 29 09:45:19 jumphost.rsabr.lab.emc.com MSWinEventLog 0 Security 7176 Mon Aug 29 09:45:18 2016 4689 Microsoft-Windows-Security-Auditing WORKGROUP\JUMPHOST$ N/A Success Audit jumphost.rsabr.lab.emc.com Process Termination A process has exited. Subject: Security ID: S-1-5-18 Account Name: JUMPHOST$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process Information: Process ID: 0x9f8 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Exit Status: 0x0 6943
|
Resolution | To resolve the issue, follow the steps below:
- Move the attached registry file (SNAREdelimiter.reg) to the event source.
- Merge the registry file on the event source.
- Click Yes and then OK to confirm.
- Restart the SNARE services in services.msc.
- Check the latest logs from the event source.

|
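One way to carry out the last step, as an added example that is not part of the original article or of RSA's tooling: a Python check that reports whether a received SNARE line uses the "," delimiter. The function names are hypothetical, the field positions are inferred from the sample event above, and the comma-delimited line is constructed for illustration.

```python
from collections import Counter

TAG = "MSWinEventLog"

def check_snare_line(line, delimiter=","):
    """Classify one received syslog line.

    Returns (status, detail); status is 'ok', 'wrong-delimiter' or 'not-snare'.
    """
    pos = line.find(TAG)
    if pos == -1:
        return ("not-snare", "no MSWinEventLog tag")
    rest = line[pos + len(TAG):]
    if not rest.startswith(delimiter):
        # Show which character actually follows the tag (space, tab, ...).
        return ("wrong-delimiter", "tag followed by %r" % rest[:1])
    fields = rest[len(delimiter):].split(delimiter)
    # Assumed order, taken from the sample event on this page:
    # criticality, log name, counter, timestamp, event ID, ...
    if len(fields) < 5:
        return ("wrong-delimiter", "only %d fields" % len(fields))
    crit, _log, counter, _ts, event_id = fields[:5]
    if not (crit.isdigit() and counter.isdigit() and event_id.isdigit()):
        return ("wrong-delimiter", "numeric header fields not found")
    return ("ok", "event ID " + event_id)

def summarize(lines, delimiter=","):
    """Count statuses over a batch of lines from one event source."""
    return Counter(check_snare_line(l, delimiter)[0] for l in lines)

# Start of the article's sample event (fields not separated by ",").
BEFORE = ("Aug 29 09:45:19 jumphost.rsabr.lab.emc.com MSWinEventLog 0 Security "
          "7176 Mon Aug 29 09:45:18 2016 4689 Microsoft-Windows-Security-Auditing")
# Constructed: the same fields as they would look with the "," delimiter.
AFTER = ("Aug 29 09:45:19 jumphost.rsabr.lab.emc.com MSWinEventLog,0,Security,"
         "7176,Mon Aug 29 09:45:18 2016,4689,Microsoft-Windows-Security-Auditing")

if __name__ == "__main__":
    for sample in (BEFORE, AFTER):
        print(check_snare_line(sample))
```

A batch in which `summarize` still reports `wrong-delimiter` after the service restart indicates that the registry change has not taken effect on that event source.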