000012430 - When upgrading an RSA NetWitness Decoder from 9.0.x.x to 9.5.5.x, the NwFlex.parser file may not get replaced with the new version automatically

Document created by RSA Customer Support Employee on Jan 10, 2017
Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2

Article Content

Article Number: 000012430
Applies To: RSA NetWitness NextGen
RSA NetWitness NextGen 9.5
RSA NetWitness Decoder
Issue: When upgrading an RSA NetWitness Decoder from 9.0.x.x to 9.5.5.x, the NwFlex.parser file may not get replaced with the new version automatically. The errors may look similar to:

Parse    warning    Parser BITTORRENT version (9.0) does not match system version (9.5)
Parse    warning    Parser FIX version (9.0) does not match system version (9.5)
Parse    warning    Parser GNUTELLA version (9.0) does not match system version (9.5)
Parse    warning    Parser IMAP version (9.0) does not match system version (9.5)
Parse    warning    Parser MSRPC version (9.0) does not match system version (9.5)
Parse    warning    Parser RDP version (9.0) does not match system version (9.5)
Parse    warning    Parser TLSv1 version (9.0) does not match system version (9.5)
Parse    warning    Parser SearchEngines version (9.0) does not match system version (9.5)


When the Decoder service is restarted, the logs may show errors that several parsers failed to load because of the wrong version. If you see these errors, take the steps below.

Resolution:
1. Connect to the Decoder via ssh and change to the /etc/netwitness/9.0/parsers directory with the following command: cd /etc/netwitness/9.0/parsers
You will see a file in the directory called NwFlex.parser_rpmnew. This is the latest version of the NwFlex parser and needs to be used with 9.556.

2. Rename the current NwFlex.parser to NwFlex.parser.old with the following command: mv NwFlex.parser NwFlex.parser.old

3. Then copy NwFlex.parser_rpmnew to NwFlex.parser with the following command: mv NwFlex.parser_rpmnew NwFlex.parser

4. In NetWitness Administrator, connect to the Decoder Service of the Decoder and click on the "Console" tab.

5. Issue the following command to reload the parser and clear any lingering issues: parsers reload
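
The rename in steps 1 to 3 with its preconditions checked, plus a filter that lists which parsers the log flags as mismatched. This is an added example, not RSA's own tooling; the function names `mismatched_parsers` and `swap_nwflex_parser` are hypothetical, and the log text is read from stdin because the article does not give a log path.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.

# Read Decoder log text on stdin and print the name of each parser that
# reported "version (...) does not match system version (...)".
mismatched_parsers() {
    sed -n 's/.*Parser \([^ ]*\) version ([^)]*) does not match system version ([^)]*).*/\1/p' |
        sort -u
}

# Guarded form of steps 1-3. Argument: the parsers directory
# (defaults to the path given in the article).
# Returns 0 on success, 1 if no _rpmnew file is present,
# 2 if a .old backup already exists, 3 if a rename fails.
swap_nwflex_parser() {
    dir=${1:-/etc/netwitness/9.0/parsers}
    new="$dir/NwFlex.parser_rpmnew"
    cur="$dir/NwFlex.parser"
    old="$dir/NwFlex.parser.old"

    if [ ! -f "$new" ]; then
        echo "no NwFlex.parser_rpmnew in $dir; nothing to do" >&2
        return 1
    fi
    if [ -e "$old" ]; then
        echo "$old already exists; refusing to overwrite the earlier backup" >&2
        return 2
    fi
    # Step 2: keep the current parser as a backup, if one is present.
    if [ -f "$cur" ]; then
        mv "$cur" "$old" || return 3
    fi
    # Step 3: put the packaged version in place.
    mv "$new" "$cur" || return 3
    echo "NwFlex.parser replaced; now run 'parsers reload' in the Decoder console" >&2
}

# Usage on the Decoder (run as a user allowed to write to the directory):
#   swap_nwflex_parser /etc/netwitness/9.0/parsers
```

The second and third return codes cover a re-run: once the swap has happened there is no `_rpmnew` file left, and an existing `.old` backup from an earlier attempt is never overwritten.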
Legacy Article ID: a58738
