Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000034252 - How to update parser using Live in RSA Netwitness

Document created by RSA Customer Support

on Jan 2, 2017•Last modified by RSA Customer Support

on Apr 21, 2017

Version 3Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000034252
Applies To	RSA Product Set: Security Analytics RSA Product/Service Type: SA Security Analytics Server RSA Version/Condition: 10.5.x, 10.6.x Platform: Linux O/S Version: CentOS Product Name: Netwitness for Logs and Packets
Issue	How to get the latest Event source parser using RSA Live.
Resolution	The steps below to be done on the SA GUI. 1- Login to SA GUI. 2- Go to Live -> Search 3- Type the parser name (or part of it) in the "Keywords" text box and click search 4- Choose the needed parser as shown below. 5- A new window will be opened for the parser with some important information about it, click "deploy" to start deploying the parser on your decoders. 6- Follow the on-screen steps by choosing the decoders where the parser should be deployed. 7- On the decoder, check similar logs in /var/log/messages to make sure that the parser is successfully loaded. ldecoder NwLogDecoder[14398]: [Parse] [audit] User admin (session 23129, 192.168.2.101:38974) has started uploading file 'rsadlp.envision' ldecoder NwLogDecoder[14398]: [Parse] [audit] User admin (session 23129, 192.168.2.101:38974) has finished uploading file 'rsadlp.envision' ldecoder NwLogDecoder[14398]: [LogParse] [info] File rsadlp content loaded

Attachments

Outcomes

0 Comments

Recommended Content

Incoming Links

Comment on 'Log Parser Improvements - Update (Jan 2017)'