000034252 - How to update a parser using RSA Live in RSA NetWitness

Document created by RSA Customer Support Employee on Jan 2, 2017Last modified by RSA Customer Support on Apr 17, 2019
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000034252
Applies ToRSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 10.5.x, 10.6.x, 11.x
Platform: CentOS
O/S Version: 6, 7
TasksThe steps below will demonstrate how to deploy the latest version of a parser through RSA Live.
  1. Log in to the RSA NetWitness UI.
  2. In the menu in the upper left-hand corner of the UI, navigate to Live > Search.
  3. In the "Keywords" text box, type the parser name or part of the parser name, and then press "Search."
  4. Once the results appear, double click the parser name of your choice, as shown in the right side panel of the screenshot below.

    Step 4

  5. A new window will be opened for the parser containing details about the parser. Click "deploy" to begin deploying the parser on your decoders.
    Step 5
  6. Select the resource name and then select "Next."
    Step 6
  7. Select the services that you wish to deploy the parser to.
    Step 7
  8. Review the information on the review page and click "Deploy.":
    Step 8
  9. Watch for the deployment status and then press "Close" once it has deployed successfully.
    Step 9
  10. On the decoder, check similar logs in /var/log/messages to make sure that the parser is successfully loaded.

    ldecoder NwLogDecoder[14398]: [Parse] [audit] User admin (session 23129, has started uploading file 'rsadlp.envision'
    ldecoder NwLogDecoder[14398]: [Parse] [audit] User admin (session 23129, has finished uploading file 'rsadlp.envision'
    ldecoder NwLogDecoder[14398]: [LogParse] [info] File rsadlp content loaded