000033892 - Windows Snare Agent Logs Are Not Parsing With Required Meta in RSA Security Analytics

Document created by RSA Customer Support Employee on Sep 14, 2016. Last modified by RSA Customer Support on May 3, 2019.
Version 5

Article Content

Article Number: 000033892
Applies To: RSA Product Set: NetWitness Logs & Packets
RSA Product/Service Type: SA Security Analytics Server
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
Platform (Other): Windows SNARE Agent
Issue: Windows Snare agent logs are not parsing properly, and the required meta cannot be viewed.

Cause: Log fields are not separated with the "," delimiter, as in the following record:

Aug 29 09:45:19 jumphost.rsabr.lab.emc.com MSWinEventLog 0 Security 7176 Mon Aug 29 09:45:18 2016 4689
Microsoft-Windows-Security-Auditing WORKGROUP\JUMPHOST$ N/A Success Audit jumphost.rsabr.lab.emc.com Process Termination  
A process has exited. Subject: Security ID: S-1-5-18 Account Name: JUMPHOST$ Account Domain: WORKGROUP Logon ID: 0x3E7
Process Information: Process ID: 0x9f8 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Exit Status: 0x0 6943
Resolution: To resolve the issue, follow the steps below:
  1. Move the attached registry file (SNAREdelimiter.reg) to the event source.
  2. Merge the registry file on the event source.
  3. Click Yes and then OK to confirm.
  4. Restart the Snare services in services.msc.
  5. Check the latest logs from the event source.
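To support step 5, the following added example (not part of the original RSA article) checks raw Snare records for the "," delimiter and lists event sources whose latest record is still undelimited. `MIN_FIELDS`, the function names, the layout of the delimited record and the host `fileserver.example.test` are assumptions; the sample lines are constructed from the record quoted above.

```python
TAG = "MSWinEventLog"
MIN_FIELDS = 10  # assumption: fields expected after the tag once the delimiter is applied


def classify(line, delimiter=","):
    """Return (host, status) for one raw syslog line from a Snare agent."""
    head, tag, body = line.partition(TAG)
    if not tag:
        return (None, "not_snare")
    pad = delimiter + " \t"
    tokens = head.rstrip(pad).split()
    host = tokens[-1] if tokens else None  # hostname precedes the tag
    fields = body.lstrip(pad).rstrip().split(delimiter)
    status = "delimited" if len(fields) >= MIN_FIELDS else "undelimited"
    return (host, status)


def sources_needing_fix(lines, delimiter=","):
    """Hosts whose most recent Snare record is still undelimited."""
    latest = {}
    for line in lines:  # lines are assumed to be in arrival order
        host, status = classify(line, delimiter)
        if host is not None:
            latest[host] = status
    return sorted(h for h, s in latest.items() if s == "undelimited")


# Record quoted in this article, joined onto one line, message text shortened.
BEFORE = ("Aug 29 09:45:19 jumphost.rsabr.lab.emc.com MSWinEventLog 0 Security 7176 "
          "Mon Aug 29 09:45:18 2016 4689 Microsoft-Windows-Security-Auditing "
          "WORKGROUP\\JUMPHOST$ N/A Success Audit jumphost.rsabr.lab.emc.com "
          "Process Termination A process has exited.")

# Constructed: the same event source after the registry merge and service restart.
AFTER = "Aug 29 10:02:41 jumphost.rsabr.lab.emc.com " + ",".join([
    TAG, "0", "Security", "7201", "Mon Aug 29 10:02:40 2016", "4689",
    "Microsoft-Windows-Security-Auditing", "WORKGROUP\\JUMPHOST$", "N/A",
    "Success Audit", "jumphost.rsabr.lab.emc.com", "Process Termination",
    "A process has exited."])

# Constructed: a second, hypothetical event source that has not been fixed yet.
OTHER = ("Aug 29 10:03:05 fileserver.example.test MSWinEventLog 0 Security 88 "
         "Mon Aug 29 10:03:04 2016 4689 Microsoft-Windows-Security-Auditing")

if __name__ == "__main__":
    for sample in (BEFORE, AFTER, OTHER):
        print(classify(sample))
    print("still undelimited:", sources_needing_fix([BEFORE, OTHER, AFTER]))
```

The field-count threshold is a heuristic: an undelimited record whose message text happens to contain many commas would be misclassified, so spot-check flagged and unflagged hosts against the parsed meta.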