000034252 - How to update parser using Live in RSA Netwitness

Document created by RSA Customer Support Employee on Jan 2, 2017Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000034252
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Server
RSA Version/Condition: 10.5.x, 10.6.x
Platform: Linux
O/S Version: CentOS
Product Name: Netwitness for Logs and Packets
IssueHow to get the latest Event source parser using RSA Live.
ResolutionThe steps below to be done on the SA GUI.
1- Login to SA GUI.
2-  Go to Live -> Search
3- Type the parser name (or part of it) in the "Keywords" text box and click search
4- Choose the needed parser as shown below.
5- A new window will be opened for the parser with some important information about it, click "deploy" to start deploying the parser on your decoders.
6- Follow the on-screen steps by choosing the decoders where the parser should be deployed.
7- On the decoder, check similar logs in /var/log/messages to make sure that the parser is successfully loaded.
 ldecoder NwLogDecoder[14398]: [Parse] [audit] User admin (session 23129, has started uploading file 'rsadlp.envision'
ldecoder NwLogDecoder[14398]: [Parse] [audit] User admin (session 23129, has finished uploading file 'rsadlp.envision'
ldecoder NwLogDecoder[14398]: [LogParse] [info] File rsadlp content loaded